Article
Peer-Review Record

Horizontal Attack Against EC kP Accelerator Under Laser Illumination

Electronics 2025, 14(10), 2072; https://doi.org/10.3390/electronics14102072
by Dmytro Petryk 1,*, Ievgen Kabin 1, Peter Langendoerfer 1,2 and Zoya Dyka 1,2
Reviewer 1:
Reviewer 2: Anonymous
Reviewer 3: Anonymous
Reviewer 4:
Reviewer 5: Anonymous
Submission received: 20 March 2025 / Revised: 6 May 2025 / Accepted: 14 May 2025 / Published: 20 May 2025
(This article belongs to the Special Issue Advances in Hardware Security Research)

Round 1

Reviewer 1 Report

Comments and Suggestions for Authors

This article contains 24 references, some of which are of little use to readers. The topic of the article is very specific, and in my opinion, it refers to rarely published research on reverse engineering. The paper is well structured and contains experimental data.

The main disadvantage of this article is the impossibility of mass application of the described methodology in real life. The costs of such hacking are reasonable only in special cases.

[page 10, line 310] please fix it. (error message)

[page 10, line 320, 327] please fix “table”->”Table”, etc

[page 11, line 334, 346] please fix it. (error message)

I support this article after some revision.

Author Response

Comment 1: This article contains 24 references, some of which are of little use to readers.
Response 1: We significantly improved the list of references. We extended the introduction, and added two subsections to the draft (see text marked in red). Due to these changes, we deleted some references but added the references describing the state-of-the-art, implemented algorithm and analysis. Additionally, we provide references describing the applied experimental and measurement equipment. Currently, the list of references consists of 55 references.

Comment 2: The topic of the article is very specific, and in my opinion, it refers to rarely published research on reverse engineering.
Response 2: The research refers to a novel threat to semiconductor devices employing cryptographic algorithms. The attack performed is a combination of a power analysis attack exploiting dynamic as well as static leakage components with simultaneous laser illumination. To the best of our knowledge, we are the first to have performed such an attack against an elliptic curve cryptosystem, i.e. it is a novel kind of attack against a public-key cryptosystem.

In our work, we did not perform reverse engineering.

We extended the introduction and the state of the art to clarify these aspects. All changes are visible.

Comment 3: The main disadvantage of this article is the impossibility of mass application of the described methodology in real life. The costs of such hacking are reasonable only in special cases.
Response 3: In real world scenarios such attacks can be targeted at critical infrastructure systems, where costs of implementing the attack are negligible compared to the losses caused in case of a successful attack. We extended the introduction with this aspect, too.

Comment 4: 

[page 10, line 310] please fix it. (error message)

[page 10, line 320, 327] please fix “table”->”Table”, etc

[page 11, line 334, 346] please fix it. (error message)

Response 4: Thank you. Error messages and referencing style are fixed. In addition, we checked and improved the grammar.

Reviewer 2 Report

Comments and Suggestions for Authors

The article concerns research about increasing the power consumption of the chip by laser illumination, which influences power analysis attack possibilities. The subject of side-channel attacks is very interesting. The research about influencing the general power consumption of the chip by laser illumination falls into the category of non-invasive attacks, which makes chip security issues quite important. Although I find the subject very interesting, the article lacks scientific soundness. Major shortcomings include:

- there is no description about the implementation of the cryptographic mechanism nor its architecture;

- there is no information about which blocks of the implementation were targeted and how severely;

- there is no knowledge how particular types of subcircuits can be influenced by the laser illumination (latches, RAM/ROM, ALU, gates – we don’t even know if there was microcontroller or full-custom implementation);

- there are many types of side-channel analyses, some may be better, some may be worse, however, we don't know why this analysis was chosen and about its implementation details;

- there is no background and research explaining the leakage characteristic and information analysis.

 

I would agree with such a research architecture if the attacked chip was some commercial and commonly used third-party product (e.g., a cryptographic card), and here the authors attack it without any additional knowledge about its specification. However, if authors want to show some vulnerability of their own implementation, there is complete lack of analysis what is the source of the leakage (and what are the reasons) – scientifically! In real life products there are dozens of countermeasures applied at the implementation level (power balancing and averaging, adding power noise, masking, desynchronisation, dislocation, dummy operations, parallelisation, WDDL, RSL, element C, MDPL, SABL, MCML, DyCML, STTL, etc.) or even more at the algorithm level. Treating the implementation and the analysis as “black boxes” gives us no new knowledge. I understand that the whole set-up and the research took a lot of effort, and I am glad that authors have decided to go in the SCA direction, but without detailed research the results have very little significance. I encourage authors to repeat the research at the more basic level.

Author Response

Comment 1: The article concerns research about increasing the power consumption of the chip by laser illumination, which influences power analysis attack possibilities. The subject of side-channel attacks is very interesting. The research about influencing the general power consumption of the chip by laser illumination falls into the category of non-invasive attacks, which makes chip security issues quite important.
Response 1: In our attack, we illuminated a cryptographic ASIC through its front-side. The chip was decapsulated (without package). We measured the power trace under laser illumination, i.e. we combined a power analysis attack, which is usually non-invasive, with a laser illumination attack which is a semi-invasive attack.

Comment 2: Although I find the subject very interesting, the article lacks scientific soundness. Major shortcomings include:

- there is no description about the implementation of the cryptographic mechanism nor its architecture;

- there is no information about which blocks of the implementation were targeted and how severely;

- there is no knowledge how particular types of subcircuits can be influenced by the laser illumination (latches, RAM/ROM, ALU, gates – we don’t even know if there was microcontroller or full-custom implementation);

- there are many types of side-channel analyses, some may be better, some may be worse, however, we don't know why this analysis was chosen and about its implementation details;

- there is no background and research explaining the leakage characteristic and information analysis.

Response 2: In our attack, we used an ASIC manufactured at IHP, i.e. a custom implementation. We extended our manuscript providing the structure and a description of the attacked ASIC in subsection 3.1. We explained its vulnerabilities and the reasons why we selected this chip for our experiments with laser illumination. Additionally, we explained why we illuminated the block Multiplier and discussed expected results.

We extended our manuscript also with details of the analysis applied to the measured traces and evaluation of the attack’s success, please see subsection 4.1.1.

The extensions are marked in red.

Comment 3: I would agree with such a research architecture if the attacked chip was some commercial and commonly used third-party product (e.g., a cryptographic card), and here the authors attack it without any additional knowledge about its specification. However, if authors want to show some vulnerability of their own implementation, there is complete lack of analysis what is the source of the leakage (and what are the reasons) – scientifically! In real life products there are dozens of countermeasures applied at the implementation level (power balancing and averaging, adding power noise, masking, desynchronisation, dislocation, dummy operations, parallelisation, WDDL, RSL, element C, MDPL, SABL, MCML, DyCML, STTL, etc.) or even more at the algorithm level. Treating the implementation and the analysis as “black boxes” gives us no new knowledge. I understand that the whole set-up and the research took a lot of effort, and I am glad that authors have decided to go in the SCA direction, but without detailed research the results have very little significance. I encourage authors to repeat the research at the more basic level.
Response 3: 

Nowadays, commercial chips are not easy to attack. Security-by-obscurity is a common method to increase the resistance of the designs. The certification process of cryptographic chips is long and expensive. Designers have to describe to the certification lab all implemented countermeasures as well as other implementation details to reduce the time and costs of the certification process. Any attack against a commercial cryptographic product starts with a web search for information about implementation details. This phase is time-consuming. We discuss the complexity of attacks on commercial authentication chips in our early work describing experiments in: https://www.sciencedirect.com/science/article/pii/S0141933120306335.

In our manuscript, we discuss the feasibility of a novel semi-invasive attack. To save the time for attack preparation, we decided to experiment with our cryptographic design, for which the SCA leakage sources are investigated.

We extended our manuscript. We explained the reasons why we selected the custom implementation for our investigations in subsection 3.1 as follows:

Since the major goal of our research is to investigate whether or not illuminating an ASIC under attack improves the attack success, we decided to use our own design as Device Under Test (DUT) due to the following facts. In our earlier works, we analysed simulated power traces as well as traces measured on FPGAs and ASICs manufactured in different technologies and also versions in which we applied different synthesis options, environmental and working parameters [38]. In summary, the attacked kP design is well-investigated; its vulnerability to horizontal address-bit SCA attacks and SCA leakage sources are known to us. The knowledge about the placement of the security-critical blocks and the well-understood design vulnerability was decisive. This reduced the effort to mount a successful attack. Our cryptographic ASIC is manufactured in IHP’s 250 nm technology. We are aware of the fact that a chip manufactured in a scaled technology, for example an FPGA in 22 nm, would allow better attack results to be achieved for the following two reasons: first, its leakage current will be higher than that of a chip manufactured in 250 nm technology; second, more gates will be illuminated by a laser beam spot of the same size. But in this work, we are not interested in a near optimal attack result but again want to show the feasibility of our new attack approach.

We give implementation details and discuss the implemented countermeasures (parallelisation of operations, use of the field multiplier as source of the noise, etc.) as well as the vulnerabilities of our design. All extensions are marked in red.

In addition, we checked and improved the grammar.

Reviewer 3 Report

Comments and Suggestions for Authors

Dear authors, these are my comments about this paper:

The authors must adequately justify in their experimental phase that using a laser with a high laser beam power can significantly improve the attack's success.
Using only five keywords, with just one or two words per keyword, is recommended.
This must be justified in the introduction with references because attacks using lasers are frequently used.
They mention that the laser attack is performed compared with chips manufactured in "old" technologies; it is necessary to reference and mention which old technologies are used.
A thorough comparative study is required in the introduction section.
The reference format is inadequate. There are no references in the introduction.
The testbed in Figure 2 is not clearly visible; the wiring is incorrect. This type of testbed needs to be shown from different angles and described in stages.
Another error appears: "Figure 2 Error! Reference source not found.."
Is the output power controlled by the current^2? On line 161, another error appears: (see Error! Reference source not found..-(a)). This error is frequently repeated, and the authors are required to review the final compiled version to avoid these types of issues.
Describe why the authors believe the potential for attacks exploiting Static Current under Laser Illumination (SCuLI) attacks has not yet been investigated.

Best Regards

Author Response

Comment 1: The authors must adequately justify in their experimental phase that using a laser with a high laser beam power can significantly improve the attack's success.
Response 1: We explicitly showed that using maximum power of the single-mode laser in our work does not influence the success of the attack. We have added a justification in the introduction (see text marked red on page 3), and in section 4.2 (see text marked red on page 16).

Comment 2: Using only five keywords, with just one or two words per keyword, is recommended.
Response 2: We changed keywords corresponding to the recommendation.

Comment 3: This must be justified in the introduction with references because attacks using lasers are frequently used.
They mention that the laser attack is performed compared with chips manufactured in "old" technologies; it is necessary to reference and mention which old technologies are used.
A thorough comparative study is required in the introduction section.
The reference format is inadequate. There are no references in the introduction.
Response 3: The introduction was extended, references are added. Only a few investigations combining power analysis and laser illumination attacks were published in the past. We extended the subsection describing the state of the art (subsection 2.2) with the investigations which use not only measurements but also simulations. To the best of our knowledge, no other investigations were published in the past.

We extended the introduction and now give appropriate references also in the introduction.

In addition, we revised the format of the references.

Comment 4: The testbed in Figure 2 is not clearly visible; the wiring is incorrect. This type of testbed needs to be shown from different angles and described in stages.
Response 4: Figure 2 is improved (it is now Figure 3). We extended it with the PCB with the attacked chip, with a photo of the attacked chip and with the layout of the chip. Additionally, the illuminated area is shown, too. The connections between all blocks/equipment are schematically shown in Figure 2.

Comment 5: Another error appears: "Figure 2 Error! Reference source not found.."
Response 5: Thank you. Error messages are fixed.

Comment 6: Is the output power controlled by the current^2?
Response 6: The laser used has two channels. Each channel is controlled separately by setting the current that will be applied. These details are described at the end of section 3, see text marked red on p.7.

Comment 7: On line 161, another error appears: (see Error! Reference source not found..-(a)). This error is frequently repeated, and the authors are required to review the final compiled version to avoid these types of issues.
Response 7: Thank you. Error messages and referencing style are fixed.

Comment 8: Describe why the authors believe the potential for attacks exploiting Static Current under Laser Illumination (SCuLI) attacks has not yet been investigated.
Response 8: 

Exploiting static current as a leakage, even without laser illumination, was not often reported in the past. We extended the introduction with this aspect.

We had made an exhaustive search of the literature, and did not find works exploring SCuLI attacks empirically, especially in downscaled technologies. Only the researchers from Czech Technical University in Prague (Czech Republic) published their results investigating a symmetric cipher using simulations for a 180 nm technology. We extended the state of the art (subsection 2.2, see text marked red on p.4) with these investigations.

In addition, we checked and improved the grammar.

Reviewer 4 Report

Comments and Suggestions for Authors

This work is interesting.

Side-Channel Analysis is adopted to reveal cryptographic keys of an Elliptic Curve Scalar Multiplication accelerator. Without laser illumination, the correctness of the best key candidate is 70 % by analysing the trace measured using the Riscure probe and 90 % by using the differential probe from Teledyne Lecroy. Then, laser illumination with different power and size is added, and the authors did not observe a significant impact of the laser illumination on the attack success in their experiments.

However, the measurements demonstrate that laser illumination influences the static power consumption of the illuminated chip, and this Static Current under Laser Illumination may be a novel attack method which may be explored in the future.

 

I have some suggestions to improve this paper.

 

Major issue:

The measurements demonstrate that laser illumination influences the static power consumption of the illuminated chip. The changes of the static power consumption of the chip with/without laser may be given in more detail.

Side-Channel Analysis procedure for the trace in Fig.3 and 4 may be summarized briefly.

 

Minor issue:

the correctness of the best key candidate is 70 % by analysing the trace measured using the Riscure probe and 90 % by using the differential probe from Teledyne Lecroy. These data may be given in the abstract.

 

The laser size and power may be given in the abstract.

Author Response

Comment 1: Major issue:

The measurements demonstrate that laser illumination influences the static power consumption of the illuminated chip. The changes of the static power consumption of the chip with/without laser may be given in more detail.

Side-Channel Analysis procedure for the trace in Fig.3 and 4 may be summarized briefly.

Response 1: We extended our draft with a detailed description of the analysis and evaluation of the attack’s success, see subsection 4.1.1 (the section is marked red).

Comment 2: Minor issue:

the correctness of the best key candidate is 70 % by analysing the trace measured using the Riscure probe and 90 % by using the differential probe from Teledyne Lecroy. These data may be given in the abstract.

Response 2: Thank you for the suggestion. The data was added to the abstract, please see text marked red on page 1, line 15.

Comment 3: The laser size and power may be given in the abstract.
Response 3: Thank you for the suggestion. In our attack, we used different laser beam spot sizes and output powers, please see TABLE 1 on page 12. Accommodating this information in the abstract while explaining the reasons for the parameter selection would extend the abstract significantly. For this reason, we extended the abstract only with an example as follows:

Applying 100 % of the laser beam output power and illuminating the smallest area of 143 µm² we observed an offset of 17 mV in the measured trace.

The extension is marked in red in the abstract.

In addition, we checked and improved the grammar.

Reviewer 5 Report

Comments and Suggestions for Authors

I find the work to be meaningful and relevant. The experiments demonstrate the advantages of using a differential probe. Specifically, without laser illumination, the success rate of identifying the correct key candidate reaches 70% when analyzing the trace measured using the Riscure probe, and 90% when using the differential probe from Teledyne Lecroy. Furthermore, their measurements show that laser illumination affects the power consumption of the target chip, particularly influencing the static component. 
The experimental design is logical, and the authors have done a good job in both describing their experimental procedures and presenting the results. Therefore, I recommend that the paper be considered for acceptance. However, I believe that significant revisions are necessary before publication, primarily related to writing and formatting. 
My main concerns are as follows:
1. The manuscript contains numerous issues with cross-referencing, which need to be carefully checked and corrected.
2. The figures and tables are not well handled. For example, Figure 5 improperly includes a table within the figure. Figures and tables should be clearly separated and appropriately labeled.
3. The formatting of the header in Table 1 needs revision for consistency.
4. Appendix A raises some concerns. While it is acceptable to include an appendix, if the authors choose to do so, the data presented must be complete. Currently, some information is missing, e.g. the value of P is not provided.

Author Response

Comment 1: 1. The manuscript contains numerous issues with cross-referencing, which need to be carefully checked and corrected.
Response 1: We do apologize for the inconvenience. Originally, we used another template. The numbering and cross-referencing were fixed.

Comment 2: 2. The figures and tables are not well handled. For example, Figure 5 improperly includes a table within the figure. Figures and tables should be clearly separated and appropriately labeled.
Response 2: Thank you for the suggestion. All information from the Table is integrated in Figure 5 (currently, it is Figure 6).

Comment 3: 3. The formatting of the header in Table 1 needs revision for consistency.
Response 3: Thank you. We have changed the formatting of Table 1.

Comment 4: 4. Appendix A raises some concerns. While it is acceptable to include an appendix, if the authors choose to do so, the data presented must be complete. Currently, some information is missing, e.g. the value of P is not provided.
Response 4: Thank you for the concern. We have improved the Appendix A.

In addition, we extended the draft with two subsections, and checked and improved the grammar. Extensions are marked red.

Round 2

Reviewer 2 Report

Comments and Suggestions for Authors

The article improved significantly from treating the analysis as “black box” (described in the previous review) into direction of properly documented research, however, there are still some basic information and research missing.

The authors showed the chip architecture in Figure 3 and the laser beam spot size in Figure 6, however, we still have no information about: (a) chip size (W/H), (b) blocks sizes and their placement in the chip layout, (c) which blocks/parts of the chip were targeted and how precisely they were illuminated.

Such an attack (with a use of illumination) is strictly time and area (area type/function) dependent, however, we do not notice such experiments to be performed (e.g. results from Table 1).

Still, there is some background/experiments missing, that would explain the leakage characteristic and information analysis – i.e. what is the source of the leakage resulting from laser illumination and which part of the power increase is data-dependent and which is insignificant for the purpose of the attack. This is especially crucial with respect to the area type/function that was illuminated, which (I suspect) is very dependent on the majority of circuit building blocks type (gates, latches, memory etc.) present in the illuminated area. Therefore, the source of the leakage coming from particular circuits (both data dependent and independent) should be explained (theoretically or at least simulated or both).

In summary, as I mentioned before, without detailed research the results have little significance. I encourage authors to repeat the research at the more basic level.

Author Response

Comment 1: The authors showed the chip architecture in Figure 3 and the laser beam spot size in Figure 6, however, we still have no information about: (a) chip size (W/H), (b) blocks sizes and their placement in the chip layout, (c) which blocks/parts of the chip were targeted and how precisely they were illuminated.
Response 1: To (a): the area of the attacked accelerator was given as the footnote in Table 1 (see line 476 of the manuscript, marked in yellow): “* area of the EC accelerator is 2,996,127 µm² ≈ 3 mm²”

We added the chip size (W/H) to Figure 3-(c)

To (b) and (c): The area of the illuminated block Multiplier is about half of the area of the whole accelerator. This is clearly shown in Figure 3-(c): The multiplier was highlighted (in white) and the laser beam spot (red point) is placed in the middle of the block; the rest of the chip is the other blocks. We concentrated on the illumination of the Multiplier only. It is resistant against horizontal attacks, works in parallel to other blocks and hides at least partially the processes which are SCA leakage sources. The implementation details and hiding features of the Multiplier are discussed in the manuscript: Lines 186-196 (here, we extended the manuscript describing advantages of the iterative 4-segment Karatsuba multiplication method used in our implementation, see the text marked in red).

The field multiplication of two different polynomials A and B is implemented corresponding to the iterative 4-segment Karatsuba multiplication formula and requires calculating 9 partial products, one per clock cycle, accumulating the field product step-by-step. Applying the 4-segment Karatsuba multiplication formula, or other multi-segment Karatsuba multiplication methods, reduces the execution time and energy consumption for product calculation and increases the resistance to horizontal collision correlation attacks [10]. The partial multiplier for 59-bit long operands is implemented using the classical or school-book multiplication formula. This results in a relatively big area and energy consumption in comparison to other multiplication methods but serves as additional noise source hiding security-critical processes.

Lines 197-201:

… Multiplier … contains a functional unit performing the field reduction in each clock cycle if the block was active. This increases the energy consumption of the blocks but serves as noise increasing the resistance of the kP accelerator to SCA attacks due to the fact that the field multiplier is resistant against SCA attacks.

Lines 206-211:

Here it is important to know that all blocks work in parallel to the field multiplier which is the biggest block of the design, consuming most of the energy. The activity of the field multipliers hides (at least partially) other processes which are also SCA leakage sources. Despite the hiding role of the Multiplier, the design is vulnerable to horizontal address-bit SCA attacks, due to the inherent vulnerability of the Montgomery ladder to this type of attacks and missing algorithmic countermeasures.

The reasons for selecting this block for the illumination experiments are clearly described, see lines 239-243:

The field multiplier is a kind of countermeasure, partially hiding the key-dependent power consumption caused by addressing of different registers. Thus, we expected that increased power consumption of the block Multiplier under laser illumination provides better hiding for the security-critical activity of the block Controller, as well as for the communication of the registers via the Bus.

In our experiments, we illuminated the middle of the multiplier, as clearly shown in Fig.3 and described in line 269:

The middle area of the block Multiplier was selected for laser illumination.

The area of the attacked chip and the size of the laser beam spot are given in Table 1; additionally, we added the size of the chip (W/H) to Fig.3 to better estimate the ratio between illuminated and non-illuminated areas. We extended Fig.3 with the following information (see lines 281-282):

The diameter of the laser beam spot is in the range of 13 µm to 75 µm; see more details in Figure 6.
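
The manuscript passage quoted in Response 1 states that the 4-segment Karatsuba formula needs 9 partial products of 59-bit operands. The following sketch is an added illustration, not part of the review record or the authors' manuscript. It assumes the standard two-level Karatsuba decomposition over GF(2)[x] (the authors' exact iterative formula is not reproduced on this page) and omits the field reduction, because the reduction polynomial is not given here. The names `clmul`, `split` and `karatsuba4` are hypothetical.

```python
import random

SEG_BITS = 59   # partial-multiplier operand width, taken from the quoted passage
SEGMENTS = 4    # 4-segment Karatsuba, taken from the quoted passage
MAX_BITS = SEG_BITS * SEGMENTS


def clmul(a: int, b: int) -> int:
    """Schoolbook carry-less product of two GF(2)[x] polynomials held as ints."""
    r = 0
    while b:
        if b & 1:
            r ^= a          # addition in GF(2)[x] is XOR
        a <<= 1
        b >>= 1
    return r


def split(a: int) -> list:
    """Cut an operand into SEGMENTS words of SEG_BITS bits, least significant first."""
    mask = (1 << SEG_BITS) - 1
    return [(a >> (i * SEG_BITS)) & mask for i in range(SEGMENTS)]


def karatsuba4(a: int, b: int):
    """Return (a*b in GF(2)[x], number of partial multiplications used).

    Assumed decomposition: Karatsuba applied twice (3 x 3 = 9 partial products).
    """
    if a >> MAX_BITS or b >> MAX_BITS or a < 0 or b < 0:
        raise ValueError("operands must fit in %d bits" % MAX_BITS)
    a0, a1, a2, a3 = split(a)
    b0, b1, b2, b3 = split(b)
    used = []

    def pm(x, y):
        # One call models one use of the 59-bit partial multiplier.
        used.append((x, y))
        return clmul(x, y)

    # Products for the low halves (a0 + a1*X)(b0 + b1*X)
    p0, p1, p01 = pm(a0, b0), pm(a1, b1), pm(a0 ^ a1, b0 ^ b1)
    # Products for the high halves (a2 + a3*X)(b2 + b3*X)
    p2, p3, p23 = pm(a2, b2), pm(a3, b3), pm(a2 ^ a3, b2 ^ b3)
    # Products for the sum of halves (a0+a2 + (a1+a3)*X)(b0+b2 + (b1+b3)*X)
    p02, p13 = pm(a0 ^ a2, b0 ^ b2), pm(a1 ^ a3, b1 ^ b3)
    pall = pm(a0 ^ a1 ^ a2 ^ a3, b0 ^ b1 ^ b2 ^ b3)

    s = SEG_BITS

    def combine(lo, hi, mid, width):
        # 2-segment Karatsuba recombination: lo + (mid+lo+hi)*X + hi*X^2
        return lo ^ ((mid ^ lo ^ hi) << width) ^ (hi << (2 * width))

    low = combine(p0, p1, p01, s)
    high = combine(p2, p3, p23, s)
    mid = combine(p02, p13, pall, s)
    return combine(low, high, mid, 2 * s), len(used)


if __name__ == "__main__":
    rng = random.Random(2025)            # constructed sample operands
    x, y = rng.getrandbits(MAX_BITS), rng.getrandbits(MAX_BITS)
    product, count = karatsuba4(x, y)
    print("matches schoolbook:", product == clmul(x, y))
    print("partial products:", count)    # schoolbook on 4 segments would need 16
```
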

Comment 2: Such an attack (with a use of illumination) is strictly time and area (area type/function) dependent, however, we do not notice such experiments to be performed (e.g. results from Table 1).
Response 2: In contrast to fault injection attacks, the novel attack described in the manuscript does not target a specific point in time. The chip was illuminated throughout the entire kP execution using the laser in continuous mode. This is clearly explained in the manuscript (see lines 284–288):

We used a single-mode laser due to the known power distribution (Gaussian) and its ability to operate in a Continuous Wave (CW) mode. The last prerequisite is important since the kP operation takes ~3.2 ms and the laser should be able to generate a uniform beam with a constant output power during the execution of the kP operation.

The area illuminated in our experiments is also described; see Fig. 3 and the following:

Line 269:

The middle area of the block Multiplier was selected for laser illumination.

Lines 561-563:

In our attacks, we expected that laser illumination would decrease the success of the attack, since we illuminated the field multiplier block, which is not an SCA leakage source, and increasing its power consumption could hide the contributions of other design blocks.

We extended our manuscript with the following details, see lines 294-296:

We illuminated the central part of the field multiplier of the kP accelerator, see Fig. 3. In all experiments, we visually controlled that the laser beam center remained fixed.

Comment 3: Still, there is some background/experiments missing, that would explain the leakage characteristic and information analysis – i.e. what is the source of the leakage resulting from laser illumination and which part of the power increase is data-dependent and which is insignificant for the purpose of the attack. This is especially crucial with respect to the area type/function that was illuminated, which (I suspect) is very dependent on the majority of circuit building blocks type (gates, latches, memory etc.) present in the illuminated area. Therefore, the source of the leakage coming from particular circuits (both data dependent and independent) should be explained (theoretically or at least simulated or both).
Response 3:
In the middle of the multiplier, different logic cells are present. While the reaction of single cells can be simulated using TCAD, it is not applicable for a large illuminated area with many different cells. Although the light intensity within the laser beam spot is known, it is not uniform. Some publications by Sarafianos describe the modeling of the behaviour of single NMOS and PMOS transistors (see https://ieeexplore.ieee.org/document/6532028, https://ieeexplore.ieee.org/document/6599120) under laser illumination using an infra-red laser taking into account the Gaussian power distribution in the beam. Experiments related to their manufacturing technology. However, there is currently no practical methodology available for simulating the behaviour of logic or memory cells under laser illumination – particularly when considering specific laser types, target technology, beam intensity distribution, device-to-laser distance, lens characteristics, etc. We addressed this problem in one of our project proposals and hope to develop such models in the future. It is important to note that theoretical models must be validated experimentally. The development of such models is a complex and time-consuming task, requiring appropriate measurement equipment. In contrast, attackers are unlikely to wait for simulations and instead will focus directly on measurements.

To clarify the current limitations in simulation capability, we extended the manuscript with the following passage; see lines 582–586.

At an early stage of the design phase, accurate simulation models of logic and memory cells under laser illumination, applicable for simulation of the behaviour of large cryptographic circuits, enable vulnerability evaluation and can open a way to develop appropriate countermeasures. Currently, such models are missing. These practical and theoretical aspects need to be investigated in future.

Comment 4: In summary, as I mentioned before, without detailed research the results have little significance. I encourage authors to repeat the research at the more basic level.
Response 4: We hope that the novelty of the attacks and the challenges in validating the experimental results through theoretical/simulated data are clarified in our answers.

Reviewer 3 Report

Comments and Suggestions for Authors

Dear Authors,

I have reviewed the new version, and the introduction has been substantially improved, and references have been added according to the comments from the previous review. It has been improved with updated references.
Figure 3 of The EC Cryptographic Accelerator is now more precise.
All minor errors and comments have been addressed.
Grammatical improvements have been made. The improved version is sufficient.

Best Regards

Author Response

Comment 1: I have reviewed the new version, and the introduction has been substantially improved, and references have been added according to the comments from the previous review. It has been improved with updated references.
Figure 3 of The EC Cryptographic Accelerator is now more precise.
All minor errors and comments have been addressed.
Grammatical improvements have been made. The improved version is sufficient.
Response 1: Thank you for your nice answer.

Reviewer 4 Report

Comments and Suggestions for Authors

All my concerns are resolved, no further comments.

Author Response

Comment 1: All my concerns are resolved, no further comments.
Response 1: Thank you for your nice answer.

Round 3

Reviewer 2 Report

Comments and Suggestions for Authors

As before, the article improved significantly; however, the disclosure of the “black box” is still required. As a result of illumination, an increase of power is presented; therefore, scientific soundness requires describing what was illuminated – not just “The middle area of the block Multiplier”. What is in the middle of the multiplier? What was exactly illuminated? Why do these circuits present an increase in power? These are the questions that cannot be left not well described.

1. Now, when the dimensions were revealed, I understand that the multiplier is about 1 mm wide and about 0.8-0.9 mm high. Since, the laser spot size begins with just several micrometers, it means that very small part of the multiplier makes the difference for the final results observed. Therefore, it needs to be identified what exactly is there. I suspect there has to be some kind of architecture of the multiplier (blocks made from different blocks made from basic building blocks or gates or whatever). The building blocks (of proper size) should be revealed in the context of laser beam spot sizes from Figure 6. For example, one can add a big picture (full page width) of the layout of the multiplier center (about 100 micrometer wide), where one can mark 4 circles (oval shapes) that corresponds to (a),(b),(c),(d) laser shapes, and mark layout circuits/blocks that are under the shapes. If the authors cannot identify what parts of multiplier were illuminated, then they should at least provide some statistics (percentage) of types of circuits (registers/latches/gates-what type/etc.) that are in the area targeted by the laser. The gaussian shape of the spot size is already well described, so one can imagine how the light power changes with the distance and between the experiments - the question remains: what’s under?

2. Regarding the part of “Response 3” description about modeling behavior of transistors – the explanation provided by the authors (including proper citations) should be included to the paper in some form of discussion (I get it, the readers should have it too).

Comments on the Quality of English Language

Please use a professional to polish the language as the last step.

Author Response

Comment 1: As before, the article improved significantly; however, the disclosure of the “black box” is still required. As a result of illumination, an increase of power is presented; therefore, scientific soundness requires describing what was illuminated – not just “The middle area of the block Multiplier”. What is in the middle of the multiplier? What was exactly illuminated?

Response 1: This information was given in the manuscript, please see text marked yellow on page 5:

Each field arithmetic block, i.e. ALU and Multiplier, consists of different logic gates and flip-flops, …

Thus, in the middle of the Multiplier, different logic cells are placed, all in the IHP 250 nm technology. Please note that, for the expected influence on the attack success, it is not relevant which exact part of the Multiplier was illuminated. The field multiplier calculates products, and its multiplicands depend on the affine coordinates of the elliptic curve point P, which is the input to the kP accelerator. Theoretically, knowledge of the processed values can be exploited in SCA attacks targeting data-bit vulnerability. The effective countermeasure is randomization of the projective Lopez-Dahab coordinates. With such randomization, the multiplier can act as a source of noise, hiding other SCA leakage sources – particularly, the address-bit vulnerability.

Please note that we are not trying to countermeasure a leakage source in the multiplier, but are using the illumination of the multiplier to increase the total power consumption of the design, and especially the multiplier's part, thereby hiding the address-bit leakages. We discussed both types of vulnerabilities and the reasons why we illuminated the field multiplier in our manuscript. These aspects were also addressed in our previous responses.

Thus, it is not important which part of the field multiplier was illuminated. Illuminating the multiplier increases the power consumption of the illuminated logic cells,

Nevertheless, we added information about the number and types of logic gates in the field multiplier to Appendix B, please see Table A1 on page 18.

We extended the text of our manuscript by adding the reference to Appendix B in the footnote on page 5 (see the text marked in red):

More details about the logic cells of the Multiplier can be found in Appendix B.

Comment 2: Why do these circuits present an increase in power? These are the questions that cannot be left not well described.

Response 2: The reason why the circuit consumes more power under laser illumination is the photoelectric effect in semiconductors. This was explained in the manuscript, see the text marked in yellow on page 3:

Laser illumination attacks are feasible due to the known interaction of light with semiconductors. Using laser illumination, it is feasible:

  • to inject a fault in a logic cell via switching one of the illuminated transistors, or
  • to increase the power consumption of the illuminated logic cells without switching transistor(s) of the attacked circuit.

Additionally, it was explained that some experiments confirm that the increased static current depends on the input values of illuminated logic cells, see the text marked yellow on page 4:

In [23], the static power consumption of the chip was measured under laser illumination without injecting a fault. According to the obtained results the laser illumination increased the static power consumption significantly. Moreover, the increased static current is data dependent, i.e. the static power consumption of an illuminated logic cell depends on its inputs.

Comment 3: 

  1. Now, when the dimensions were revealed, I understand that the multiplier is about 1 mm wide and about 0.8-0.9 mm high. Since, the laser spot size begins with just several micrometers, it means that very small part of the multiplier makes the difference for the final results observed. Therefore, it needs to be identified what exactly is there. I suspect there has to be some kind of architecture of the multiplier (blocks made from different blocks made from basic building blocks or gates or whatever). The building blocks (of proper size) should be revealed in the context of laser beam spot sizes from Figure 6. For example, one can add a big picture (full page width) of the layout of the multiplier center (about 100 micrometer wide), where one can mark 4 circles (oval shapes) that corresponds to (a),(b),(c),(d) laser shapes, and mark layout circuits/blocks that are under the shapes. If the authors cannot identify what parts of multiplier were illuminated, then they should at least provide some statistics (percentage) of types of circuits (registers/latches/gates-what type/etc.) that are in the area targeted by the laser. The gaussian shape of the spot size is already well described, so one can imagine how the light power changes with the distance and between the experiments - the question remains: what’s under?

Response 3: We hope that our explanations about the Multiplier (see above) have clearly shown that it is not relevant which logic gates exactly were illuminated.

Nevertheless, for completeness in describing our experiments, we added Fig. A1 in Appendix B on page 18, which shows a photo of the attacked chip surface, and an additional zoomed-in image containing schematic representations of the laser spots and their sizes.

Additionally, we extended the text of the manuscript as follows (see the text marked in red on page 12 and footnote 8):

The precise position of the laser beam spots above the Multiplier block is given in Appendix B, see Figure A1. Please note that the chip surface is partially covered with metal fillers, i.e. small metal rectangles⁸ that act as obstacles for the laser beam. As a result, only a small portion of the laser light can reach the transistor level through the gaps between the metal fillers.

⁸ According to the IHP technological process requirements, the 250 nm technologies have to comply with a predefined metal density, which is defined for each metal layer as the percentage of metal area in a layer to the whole area of the layer. Metal fillers are applied as standard means to reduce layout sensitivity in metal etch and chemical-mechanical polishing process steps during manufacturing. The placement of the metal fillers is a mandatory step of the layout process that is performed automatically using computer-aided design tools.

The percentage of the area illuminated in each of our experiments is given in Table 1, see the text marked in yellow on page 12.

Comment 4: 2. Regarding the part of “Response 3” description about modeling behavior of transistors – the explanation provided by the authors (including proper citations) should be included to the paper in some form of discussion (I get it, the readers should have it too).

Response 4: We extended the manuscript corresponding to the recommendation as follows (see the text marked in red on page 17):

While the behaviour of individual cells can be simulated using TCAD, this approach is not applicable to large illuminated areas containing many different cells operating over an extended execution time. Some publications by Sarafianos [56]–[57] describe the modelling of the behaviour of individual NMOS and PMOS transistors under infra-red laser illumination, taking into account the Gaussian power distribution of the beam, with experiments conducted in their own manufacturing technology. However, there is currently no practical methodology available for simulating the behaviour of logic or memory cells under laser illumination – particularly when accounting for specific laser types, target technologies, beam intensity distribution, distance to the device, lens characteristics, and so on. It is important to note that theoretical models must be validated experimentally. The development of such models is a complex and time-consuming process that requires suitable measurement equipment.

The list of references was extended by 3 entries, see the text marked in red on page 21:

  1. Sarafianos, O. Gagliano, V. Serradeil, M. Lisart, J. -M. Dutertre and A. Tria, "Building the electrical model of the pulsed photoelectric laser stimulation of an NMOS transistor in 90nm technology," 2013 IEEE International Reliability Physics Symposium (IRPS), Monterey, CA, USA, 2013, pp. 5B.5.1-5B.5.9, doi: 10.1109/IRPS.2013.6532028.
  2. Sarafianos, O. Gagliano, M. Lisart, V. Serradeil, J. -M. Dutertre and A. Tria, "Building the electrical model of the pulsed photoelectric laser stimulation of a PMOS transistor in 90nm technology," Proceedings of the 20th IEEE International Symposium on the Physical and Failure Analysis of Integrated Circuits (IPFA), Suzhou, China, 2013, pp. 22-27, doi: 10.1109/IPFA.2013.6599120
  3. 3D Laserscanning-Microscope. URL: https://www.keyence.de/products/microscope/laser-microscope/vk-x3000/ [Accessed 05.05.2025]

Comment 5: Please use a professional to polish the language as the last step.

Response 5: Thank you for your suggestion.
