The Risk of Outsourcing: Hidden SCA Trojans in Third-Party IP-Cores Threaten Cryptographic ICs

Abstract

Side-channel analysis (SCA) attacks - especially power analysis - are powerful ways to extract the secrets stored in and processed by cryptographic devices. In recent years, researchers have shown interest in utilizing on-chip measurement facilities to perform such SCA attacks remotely. It was shown that simple voltage-monitoring sensors can be constructed from digital elements and put on multi-tenant FPGAs to perform remote attacks on neighbouring cryptographic co-processors. A similar threat is the unsuspecting integration of third-party IP-Cores into an IC design. Even if the function of an acquired IP-Core is not security critical by itself, it may contain an on-chip sensor as a Trojan that can eavesdrop on cryptographic operations across the whole device. In contrast to all FPGA-based investigations reported in the literature so far, we examine the efficiency of such on-chip sensors as a source of information leakage in an ASIC-based case study for the first time. To this end, in addition to a cryptographic core (lightweight block cipher PRESENT) we designed and implemented a voltage-monitoring sensor on an ASIC fabricated by a 40 nm commercial standard cell library. Despite the physical distance between the sensor and the PRESENT core, we show the possibility of fully recovering the secret key of the PRESENT core by processing the sensor's output. Our results imply that the hidden insertion of such a sensor - for example by a malicious third party IP-Core vendor - can endanger the security of embedded systems which deal with sensitive information, even if the device cannot be physically accessed by the adversary.