Physical attacks: Side-channel and fault injection attacks on real-world crypto | Nullcon Berlin 2022

Trainer Name: Lejla Batina , Łukasz Chmielewski

Title: Physical attacks: Side-channel and fault injection attacks on real-world crypto

Dates: April 5, 2022 To April 7, 2022

Time: 9 a.m. To 5:30 p.m. CEST

Venue: NH Hotel, Alexanderplatz, Berlin-Germany




Note: Regarding COVID-19 safety, Nullcon will seek to ensure a safe event, as the health and safety of our exhibitors, delegates, speakers, and staff will always be our number one priority. Nullcon will follow all applicable health regulations required by the local and government authorities.

Training Objectives

Modern cryptography has produced a multitude of ciphers that protect our daily lives including secure authentication, electronic transactions etc. However, once the cipher is implemented on a physical device (microprocessor, FPGA, ASIC etc.) it becomes vulnerable to side-channel and fault attacks. Side-channel attacks pose a unique challenge as an intersection of cryptography, electronics and statistics and pervading all aspects of modern hardware security. The attackers monitor closely the power consumption or electromagnetic emission of a cryptographic device and they are able to extract the secret key using statistical techniques. Fault injection attacks, on the other hand, take advantage of inserting some disturbances (such as glitches by changing e.g. voltage, clock, temperature etc.) into the system leading to faulty computations.

In this training we will provide extensive overviews of both, side-channel and fault analysis, showcasing the core techniques for key recovery. During the training the students will get the chance to develop several basic side-channel analysis tools in Python. They will also learn to perform hands-on physical attacks on real hardware. Subsequently they will use the tools to perform attacks on real-world datasets aiming at the secret key extraction.

The training will cover passive side-channel attacks on crypto implementations and countermeasures, including template attacks and leakage evaluation techniques. In addition, we will also treat active attacks such as fault injection and in particular glitching attacks with voltage and Electro Magnetic Fault Injection (EMFI). The training participants will learn to prepare the attacks including the attack set-up and execution on real hardware.

Training level: Intermediate to Advance

What to Expect? | Key Learning Objectives

Each training module will start with a tutorial identifying the main concepts and the theory behind physical attacks. After that, several assignments will be given to master the content and learn about key insights and identify practical challenges.

Training Detailed Description

A detailed description of the course structure and content, including an outline (day-wise agenda) of theory and practical exercises. Hands-on & interactive approaches are strongly encouraged.

Day 1: Side-channel attacks
Side-channel attacks on crypto implementations and countermeasures:

  • Basic concepts and principles
  • Side-channel leakage modeling
  • Simple power analysis (SPA)
  • Differential power analysis (DPA) and higher-order attacks
  • Assignments 1-2: Hands-on DPA attacks on software and hardware implementations

Day 2:Advanced attacks
Profiling attacks:

  • Probability theory and statistics background
  • Step-by-step guide to profile and exploit a device's side-channel leakage
  • Assignment 3: Template attack on an ECC implementation on ARM Cortex micro-controller
Higher order attacks:
  • Introduction to side-channel countermeasures (masking, shuffling, etc.)
  • Higher-order side-channel attacks
  • Assignment 4: 2nd order attacks on a DPA-protected implementation
Leakage evalution:
  • TVLA and alternatives
  • Leakage simulators
  • Assignment 5: TVLA evaluation of (un)protected implementations

Day 3:
Introduction to fault injection attacks:

  • Fault attacks in practice: principles and use cases
  • Differential Fault Analysis (DFA)
  • Glitching attacks with voltage and Electro Magnetic Fault Injection (EMFI)
  • Assignment 6: Hands-on session on ChipWhisperer


Who Should Attend? | Target Audience

  • Researchers and students who want to learn the core techniques of side-channel analysis
  • Pen testers, government officers, auditors and evaluators of secure embedded devices
  • Developers of secure IoT products
  • Chip designers
  • Any embedded security enthusias

What to Bring? | Software and Hardware Requirements

  • own laptop running Windows / Linux / macOS
  • installed Python version 3
  • extra pen drive

What to Bring? | Prerequisite Knowledge and Skills

  • basic programming
  • basic knowledge of statistics
  • familiarity with every-day cryptography, such as AES, PKC etc.

Resources Provided at the Training | Deliverables

  • Lecture slides and assignments
  • Python code examples for analysis
  • Side-channel datasets captured from AVR/ARM processors and FPGA implementations
  • Detailed description of set-ups used in training

About the Trainer

Lejla Batina is a full professor at Radboud University. She got her professional doctorate in engineering from Eindhoven University of Technology and her PhD in Cryptography from KU Leuven, Belgium (2005). Prior to joining Radboud University she was a postdoc at KU Leuven and she spent 3 years in industry as a cryptographer at Pijnenburg Securealink (later SafeNet B.V.) in The Netherlands. Her research interests include cryptographic implementations and physical attacks and countermeasures. She leads a group of 10+ researchers at Radboud and 8 PhD students have so far graduated under her supervision.

Łukasz Chmielewski is a postdoctoral researcher in the Digital Security Group at Radboud University Nijmegen working in the field of physical attacks, both side-channel analysis (SCA) and fault injection (FI). In particular, his main research interests lie in SCA of public-key cryptosystems (including post-quantum schemes). He also has significant commercial experience in SCA, FI, and software-security evaluations of embedded devices. His overall practical experience in physical attacks spans over last 9 years.