Simple Photonic Emission Attack with Reduced Data Complexity

  • Elad Carmon
  • Jean-Pierre Seifert
  • Avishai WoolEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9689)


This work proposes substantial algorithmic enhancements to the SPEA of Schlösser et al. [15] by adding cryptographic post-processing, and improved signal processing to the photonic measurement phase. Our improved approach provides three crucial benefits: (1) For some SBox/SRAM configurations the original SPEA method is unable to identify a unique key, and terminates with up to \(2^{48}\) key candidates; using our new solver we are able to find the correct key regardless of the respective SBox/SRAM configuration. (2) Our methods reduce the number of required (complex photonic) measurements by an order of magnitude, thereby shortening the duration of the attack significantly. (3) Due to the unavailability of the attack equipment of Schlösser et al. [15] we additionally developed a novel Photonic Emission Simulator which we matched against the real equipment of the original SPEA work. With this simulator we were able to verify our enhanced SPEA by a full AES recovery which uses only a small number of photonic measurements.


Photonic Emission Access Pattern Photonic Measurement SRAM Memory Round Activation 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Supplementary material


  1. 1.
    Bascoul, G., Perdu, P., Benigni, A., Dudit, S., Celi, G., Lewis, D.: Time resolved imaging: from logical states to events, a new and efficient pattern matching method for VLSI analysis. Microelectron. Reliab. 51(9), 1640–1645 (2011)CrossRefGoogle Scholar
  2. 2.
    Bernstein, D.J.: Cache-timing attacks on AES (2004). Preprint,
  3. 3.
    Bertoni, Y.M., Grassi, L., Melzani, F.: Simulations of optical emissions for attacking AES and masked AES. In: Chakraborty, R.S., Schwabe, P., Solworth, J. (eds.) Security, Privacy, and Applied Cryptography Engineering (SPACE). LNCS, vol. 9354, pp. 172–189. Springer, Verlag (2015)CrossRefGoogle Scholar
  4. 4.
    Carmon, E., Seifert, J.-P., Wool, A.: Simple photonic emission attack with reduced data complexity. Cryptology ePrint Archive, Report 2015/1206 (2015).
  5. 5.
    Chynoweth, A., McKay, K.: Photon emission from avalanche breakdown in silicon. Phys. Rev. 102(2), 369 (1956)CrossRefGoogle Scholar
  6. 6.
    Di-Battista, J., Courrege, J.C., Rouzeyre, B., Torres, L., Perdu, P.: When failure analysis meets side-channel attacks. In: Mangard, S., Standaert, F.X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 188–202. Springer, Heidelberg (2010)Google Scholar
  7. 7.
    Egger, P., Grützner, M., Burmer, C., Dudkiewicz, F.: Application of time resolved emission techniques within the failure analysis flow. Microelectron. Reliab. 47(9), 1545–1549 (2007)CrossRefGoogle Scholar
  8. 8.
    Ferrigno, J., Hlavác, M.: When AES blinks: introducing optical side channel. Inf. Secur. 2(3), 94–98 (2008)CrossRefGoogle Scholar
  9. 9.
    Krämer, J., Kasper, M., Seifert, J.-P.: The role of photons in cryptanalysis. In: 19th Asia and South Pacific, Design Automation Conference (ASP-DAC), pp. 780–787. IEEE (2014)Google Scholar
  10. 10.
    Krämer, J., Nedospasov, D., Schlösser, A., Seifert, J.P.: Differential photonic emission analysis. In: Prouff, E. (ed.) COSADE 2013. LNCS, vol. 7864, pp. 1–16. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  11. 11.
    Nedospasov, D., Seifert, J.-P., Schlosser, A., Orlic, S.: Functional integrated circuit analysis. In: IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), pp. 102–107. IEEE (2012)Google Scholar
  12. 12.
    Newman, R.: Visible light from a silicon pn junction. Phys. Rev. 100(2), 700–703 (1955)CrossRefGoogle Scholar
  13. 13.
    Osvik, D.A., Shamir, A., Tromer, E.: Cache attacks and countermeasures: the case of AES. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 1–20. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  14. 14.
    Schlösser, A.: Hot electron Luminescence in silicon structures as photonic side channel (in German). Ph.D. thesis, Faculty of Mathematics and Natural sciences, Berlin Institute of Technology (2014)Google Scholar
  15. 15.
    Schlösser, A., Nedospasov, D., Krämer, J., Orlic, S., Seifert, J.-P.: Photonic emission analysis of AES. In: Workshop on Cryptographic Hardware and Embedded Systems (CHES) (2012)Google Scholar
  16. 16.
    Schlösser, A., Nedospasov, D., Krämer, J., Orlic, S., Seifert, J.-P.: Simple photonic emission analysis of AES. J. Cryptographic Eng. 3(1), 3–15 (2013)CrossRefGoogle Scholar
  17. 17.
    Selmi, L., Mastrapasqua, M., Boulin, D.M., Bude, J.D., Pavesi, M., Sangiorgi, E., Pinto, M.R.: Verification of electron distributions in silicon by means of hot carrier luminescence measurements. IEEE Trans. Electron Devices 45(4), 802–808 (1998)CrossRefGoogle Scholar
  18. 18.
    Song, P., Stellari, F., Huott, B., Wagner, O., Srinivasan, U., Chan, Y., Rizzolo, R., Nam, H., Eckhardt, J., McNamara, T., et al.: An advanced optical diagnostic technique of IBM z990 eserver microprocessor. In: Proceedings IEEE International Test Conference (ITC), p. 9. IEEE (2005)Google Scholar
  19. 19.
    Weste, N., Harris, D., Design, C.: A Circuits And Systems Perspective, 4/E. Pearson Education, (2010)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Elad Carmon
    • 1
  • Jean-Pierre Seifert
    • 2
    • 3
  • Avishai Wool
    • 4
    Email author
  1. 1.Tel-Aviv UniversityTel-AvivIsrael
  2. 2.Security in TelecommunicationsTechnische Universität BerlinBerlinGermany
  3. 3.FhG SITDarmstadtGermany
  4. 4.Tel-Aviv UniversityTel-AvivIsrael

Personalised recommendations