The Temperature Side Channel and Heating Fault Attacks

Abstract

In this paper, we present practical results of data leakages of CMOS devices via the temperature side channel—a side channel that has been widely cited in literature but not well characterized yet. We investigate the leakage of processed data by passively measuring the dissipated heat of the devices. The temperature leakage is thereby linearly correlated with the power leakage model but is limited by the physical properties of thermal conductivity and capacitance. We further present heating faults by operating the devices beyond their specified temperature ratings. The efficiency of this kind of attack is shown by a practical attack on an RSA implementation. Finally, we introduce data remanence attacks on AVR microcontrollers that exploit the Negative Bias Temperature Instability (NBTI) property of internal SRAM cells. We show how to recover parts of the internal memory and present first results on an ATmega162. The work encourages the awareness of temperature-based attacks that are known for years now but not well described in literature. It also serves as a starting point for further research investigations.

J.-M. Schmidt – This work was done while the author was with Graz University of Technology.

Appendix

1.1 Attacking CRT-RSA Using Faults

In the following, we consider an implementation of an RSA decryption that uses the Chinese Remainder Theorem (CRT) to speed up the computation. In our scenario, an adversary is able to supply the card with an input that is encrypted using textbook RSA and receives the decrypted message from the card. Further, the adversary is able to disturb the computation of this decryption and receives the result of this faulted computation. In order to describe how an adversary can benefit from this scenario to factor the modulus and thus compute the secret decryption key, we denote \(n=pq\) an RSA modulus, where \(p\) and \(q\) are two large prime numbers. Let \(d\) be the private key and \(e = d^{-1} \;\mathrm{mod}\; \varphi (n)\) the corresponding public exponent. Furthermore, \(z = \text{ CRT } (x,y)\) denotes the CRT recombination of the value \(z\in \mathbf {Z}_n\) from values \(x\), \(y\) of the subgroups \(\mathbf {Z}_p\) and \(\mathbf {Z}_q\) where

$$ \text{ CRT } (x,y)= xc_p + yc_q \;\mathrm{mod}\; n $$

with \(c_p = q\,(q^{-1}\;\mathrm{mod}\; p)\) and \(c_q = p\,(p^{-1}\;\mathrm{mod}\; q)\) [27].

The usage of the CRT in this scenario allows computing two exponentiations in smaller sub-groups compared to a single exponentiations modulo \(n\):

$$ S \equiv \text{ CRT } ((m^d \;\mathrm{mod}\; p),(m^d \;\mathrm{mod}\; q)) \;\mathrm{mod}\; n. $$

The first fault attack that takes advantage of injecting a random fault \(\varDelta \) in this scenario was presented by Boneh et al. [9]. The fault \(\varDelta \) causes the device to output a value \(\tilde{S}\) instead of \(S\):

$$\begin{aligned} \tilde{S}&\equiv \text{ CRT } ((m \;\mathrm{mod}\; p)^d,(m \;\mathrm{mod}\; q)^d+\varDelta ) \;\mathrm{mod}\; n \\&\equiv m^d + \varDelta p\,(p^{-1} \;\mathrm{mod}\; q) \;\mathrm{mod}\; n. \end{aligned}$$

If an adversary gets hold of both a faulty \(\tilde{S}\) and a correct signature \(S\), the modulus \(n\) can be easily factorized by calculating \(p = \gcd (\tilde{S} - S,n).\)

Fig. 10.

Leakage of 0xFF in the second half of the acquisition window. No leakage during the first 10 s.

Fig. 11.

Leakage of 0xFF in the first half of the acquisition window. The mean temperature decreases afterwards.

1.2 Temperature Leakage of a PIC16F84

We also investigated the leakage of a PIC16F84 microcontroller. We used the same measurement setup as described in Sect. 2 and measured the temperature on the decapsulated rear-side of the chip using a PT100 element. Instead of a MOV operation, we target an ADD instruction that adds either 0x00 or 0xFF to all internal registers that are previously initialized with zero. We measured 500 traces and averaged them to reduce noise.

Figure 10 shows the result where a zero value was written continuously over a period of 10 s. The value 0xFF is written afterwards for another 10 s. It shows an increase of temperature in the second half of the acquisition window. No leakage occurs in the first half of the trace. In Fig. 11, the result is shown when 0xFF is written during the first 10 s, and zero is written afterwards. There, it shows that the temperature slowly increases, similarly to the second half of Fig. 10. After 10 s, the temperature is decreasing again.