1

SCNIFFER: Low-Cost, Automated, EfficientElectromagnetic Side-Channel Sniffing

Josef Danial, Student Member, IEEE, Debayan Das, Student Member, IEEE, Santosh Ghosh, Member, IEEE,Arijit Raychowdhury, Senior Member, IEEE and Shreyas Sen, Senior Member, IEEE

Abstract—Electromagnetic (EM) side-channel analysis (SCA)is a prominent tool to break mathematically-secure cryptographicengines, especially on resource-constrained IoT devices. Presently,to perform EM SCA on an embedded IoT device, the entirechip is manually scanned and the MTD (Minimum Traces toDisclosure) analysis is performed at each point on the chip toreveal the secret key of the encryption algorithm. However, an au-tomated end-to-end framework for EM leakage localization, traceacquisition, and attack has been missing. This work proposesSCNIFFER: a low-cost, automated EM Side Channel leakageSNIFFing platform to perform efficient end-to-end Side-Channelattacks. Using a leakage measure such as TVLA, or SNR, wepropose a greedy gradient-search heuristic that converges to oneof the points of highest EM leakage on the chip (dimension:N ×N ) within O(N) iterations, and then perform CorrelationalEM Analysis (CEMA) at that point. This reduces the CEMAattack time by ∼ N times compared to an exhaustive MTDanalysis, and > 20× compared to choosing an attack location atrandom. We demonstrate SCNIFFER using a low-cost custom-built 3-D scanner with an H-field probe (< $500) compared to> $50, 000 commercial EM scanners, and a variety of microcon-trollers as the devices under attack. The SCNIFFER frameworkis evaluated for several cryptographic algorithms (AES-128, DES,RSA) running on both an 8-bit Atmega microcontroller and a32-bit ARM microcontroller to find a point of high leakage andthen perform a CEMA at that point.

Index Terms—End-to-end EM SCA Attack, Low-Cost EMScanning, Automated Framework, SCNIFFER

I. INTRODUCTION

As the internet of things (IoT) continues to grow, security ofmany edge nodes has become critical. With many of these edgenodes being simple microcontrollers, side-channel attacks posea powerful threat to their security. In the world of cryptogra-phy, side-channel attacks have long been identified as a threatto the security of computing and communication systemsattempting to provide confidentiality and integrity of sensitivedata, since the introduction of Differential Power Analysisin [1]. By analyzing physical side-channel information, suchas power consumption, timing, or electromagnetic emissions,cryptographic algorithms that are mathematically secure canbe broken efficiently.

EM side-channel analysis (SCA) is a method of usingthe information found in the electromagnetic emissions of acryptographic system to extract the secret key, compromisingthe security of such a system. Such attacks have been shownto be capable of actually extracting secret key information,as in [2] and [3]. These EM emissions originate from currentconsumption of an IC running cryptographic algorithms, whichwhile flowing through the metal layers of an IC cause EM

Number of TracesNumber of Traces

Number of Traces

Peak

Co

rrela

tio

n

Peak

Co

rrela

tio

n

XMEGA High Leakage Location XMEGA Low Leakage Location

STM32 Low Leakage Location

Number of Traces

Peak

Co

rrela

tio

n

STM32 High Leakage Location

Peak

Co

rrela

tio

n

a) b)

c) d)

Comparison of MTD for Different Chip Locations

MTD = 250

MTD = 250

MTD = 5,000

MTD > 10,000

Fig. 1: The difference in MTD between a CEMA attack at apoint of high leakage vs. at a point of low leakage for both an8-bit XMEGA microcontroller (a, b) and a 32-bit STM32F3microcontroller (c, d). At a location of high leakage, thecorrect key separates in 250 traces for both microcontrollers,while a low leakage location requires > 20× more traces onthe XMEGA. At a low leakage location on the STM32F3, thekey does not separate at all within 10,000 traces.

radiation as described in [4]. The EM emissions can eitherbe caused by key-dependent operations or other operations,the key-dependent operations create key-dependent EM emis-sions, which contribute to the side-channel signal, while otheroperations contribute to algorithmic noise. EM SCA attackshave successfully been used in the real world on PCs, shownin [5] and [6], and also on Smart Cards, in [7] [8]. Onepowerful and commonly used side-channel analysis techniqueis correlational electromagnetic analysis (CEMA). In CEMA,EM measurements are taken while a cryptographic algorithmis executing on the target system (each measurement is knownas a trace), and these traces are correlated with a leakagemodel, such as the Hamming Weight or Hamming Distanceof data at a particular point in an algorithm [1], under ahypothesis of a subset of the secret key. In a successfulattack, the hypothesis that results in maximum correlationcorresponds to the secret key. By attacking the hidden keyincrementally, for example one byte at a time for AES-128,the entire secret key can be recovered, in orders of magnitude

arX

iv:1

908.

0940

7v3

[cs

.CR

] 2

9 Fe

b 20

20

2

less time than brute force or other cryptanalysis methods.

A. Motivation

EM side-channel attacks, while powerful in that they arenon-invasive and do not require any physical changes to thesystem being attacked, and benefit from allowing an attackerto choose the location with maximum information leakage(SNR), introduce a number of additional challenges comparedto the power SCA attacks. Firstly, as the EM signals gothrough a power to EM transformation that reduces amplitudecompared to the measurement noise floor, meaning moretraces, or more expensive measurement equipment may beneeded to perform an attack. Secondly, unlike power attacks,EM attacks require attackers to choose the location of theattack in the system to capture the EM traces. This choice canhave a drastic impact on the effectiveness and efficiency ofan attack. As seen in Figure 1, depending on where the EMprobe is placed on a chip, the MTD for a CEMA attack canvary by > 20×, even for the small 9mm x 9mm Atmega andSTM microcontrollers used as the target devices for this work.Current methods for determining the best location to performCEMA are based on exhaustive search, simply performinga CEMA attack at most locations. Alternatively, it is alsopossible to choose an arbitrary location, and use as many tracesas necessary to perform the CEMA. Practically, if the size ofthe system is larger, finding the correct location of the EMleakage becomes extremely challenging and requires scanningthe entire chip/system.

Given the limitations of present attack systems, in this work,we propose a low-cost, fully automated, end-to-end platformfor performing efficient EM side-channel attacks. The coreof this framework is a ∼ $200 3-D printer, which we havemodified to utilize as a low-cost EM scanner. SCNIFFER alsouses a greedy gradient-search heuristic using a leakage mea-sure,such as test vector leakage assessment (TVLA), or SNRto quickly and automatically locate a point of high leakage.Finally, once the point is determined, the proposed SCNIFFERframework performs the correlational or differential EM anal-ysis (CEMA/DEMA) at this point. While both CEMA andDEMA are possible attacks, throughout this work, we willdemonstrate results with CEMA. Such an automated low-costattack platform significantly increases the threat surface forIoT devices.

B. Contribution

Specific contributions of this article are:• Firstly, a fully-automated system for efficiently scanning

a cryptographic chip and finding a location of high leak-age to mount an end-to-end EM SCA attack is proposed.The entire attack set-up is extremely low-cost, owing tothe custom-built EM scanner (adapting a ∼ $200 3-Dprinter) used for mounting the attack, compared to thecommercially available EM probe stations, which are verycostly (> $50, 000). The system achieves 100µm spatialresolution, and has a scan range of 220mm × 220mm,and is easily replicable. (Section 3)

• Secondly, a greedy gradient-descent heuristic is proposedwhich converges to a point of high leakage on an N ×Nchip within O(N) iterations. This algorithm is evaluatedwith both TVLA and SNR as the measures of leakage.(Sections 4, 5)

• Finally, the SCNIFFER attack is demonstrated on twodifferent microcontroller architectures (8-bit XMEGAand 32-bit STM32F3), improving the number of tracesrequired by ∼ 100× compared to the traditional exhaus-tive search based attack. (Sections 5, 6)

C. Paper Organization

The remainder of the paper is organized as follows. Section2 provides the background and summarizes the existing workson EM Scanning and side-channel attacks. In Section 3,the SCNIFFER framework is introduced and the low cost,custom-built EM scanning platform is presented. Section 4describes two options for measuring leakage, signal amplitudeand TVLA, and provides motivation for finding the point ofhighest leakage. In Section 5, the gradient-descent algorithmfor efficiently determining a point of high information leakageis proposed. Next, Section 6 provides results of running thesystem on microcontrollers of varying architectures, crypto-graphic algorithms executed, and measures of leakage. Finally,Section 7 concludes the paper.

II. BACKGROUND AND RELATED WORK

IoT devices have been successfully attacked using sidechannel attacks, for example CPA was used to extract en-cryption keys from Philips Hue smart lamps in [9]. EM side-channel attacks were first proposed in [10], and share manyproperties with power side-channel attacks, however, can beperformed at a distance, even up to one meter, as in [11]. Oneof the most powerful EM SCA attacks is CEMA, which isthe straightforward application of Correlation Power analysis(CPA) [12] on EM traces.

However, to make these profiled and non-profiled EMSCA attacks more practical and real-time on any embeddedplatform/device, the trace capture and the attack needs to beautomated and more efficient.SCNIFFER can use several methods of assessing leakage,

for instance, simple signal magnitude, Test Vector LeakageAssessment (TVLA) [13], or SNR [14]. In TVLA, two sets oftraces are collected. In one set, both the key and plaintext usedas input to the algorithm under test are kept fixed, and in theother the plaintext is varied randomly, while the key remainsfixed. To assess the leakage, one then performs Welch’s t-testfor each time point of the trace. Welch’s t-test is given byt = X1−X2√

s21N1

+s22N2

, where X1, X2 are the sample means of the

two sets, s1, s2 are sample standard deviations for the sets,and N1, N2 are the sizes of the sets. If the maximum t-valueat a point is above 4.5, one can conclude leakage is presentwith 99.999% confidence. Meanwhile, we consider the signalto noise ratio as defined in [14], to be SNR = V AR[Q]

V AR[N ] , whereQ is the side channel leakage, and N is the noise. UnlikeTVLA, which does not guarantee exploitable leakage, SNR

3

Scope Scanner Amplifier Probe

Picture

Cost $250 $200 $130 $50

SCNIFFERSpecifications

10-bit ADC105 MS/s

100 µm 20dB 16mm2

Model Chipwhisperer-Lite Ender 3 Tekbox TWBA2 Tekbox TBPS01

Riscure EM Probe Station Specifications

- 2.5 µm - 1mm2

TABLE I: Summary of the main components of theSCNIFFER system, their costs, performance, and a compari-son to Riscure’s EM Probe Station.

defined in this way can be directly related to the success rateof a CEMA attack [14].

Once SCNIFFER has chosen a point to attack, CEMA isused to recover the secret key. CEMA revolves around makinghypotheses on secret values, then predicting the EM leakageof an intermediate variable based on the key. Measurements(traces) are taken while the device performs encryption, thenthe measurements are correlated with the predicted leakagefor all hypotheses. The hypothesis that results in the largestcorrelation is taken as the guess for the secret value. Thenumber of traces needed to recover the key in this way is thenthe minimum traces to disclosure (MTD). In this work, thesecret values are the bytes of the AES key, and the intermediatevariable is the first round sbox output, and Hamming Weight,that is, the number of 1’s in the binary representation of thisvariable, is used as the leakage model of data at this point.

Addressing the issue of finding where a chip leaks themost EM radiation has been investigated in [15], and [16].EM scanning with a focus on side-channel attacks, that is,determining where the most cryptographic information leakswithin a chip has been addressed in [17] and [18]. However,such methods focus on observing the leakage over the entirechip, not efficiently finding the point or region of the maximumleakage. This causes these methods to take a long time and amajority of the time is spent collecting data that is unnecessaryfor an attacker. By creating a framework that minimizes thisunnecessary data collection, EM side-channel attacks can bemade more efficient, powerful, and practical, requiring farfewer traces to reveal the secret key of the cryptographicalgorithm. Additionally, these platforms can be orders ofmagnitude more costly than the system proposed in this work,for instance the Riscure EM Probe station [19] itself can cost∼ $50, 000, while the entire SCNIFFER system costs < $500.SCNIFFER is the first fully-automated, efficient EM SCAattack framework and the system is described in the followingsection.

III. SCNIFFER: LOW COST AUTOMATED EM SCANNING

The SCNIFFER system is designed for low cost and au-tomation. In this section, we first describe the physical com-ponents that make up SCNIFFER, then discuss the automationaspect of the system.

Microcontroller under attack

H Field Probe

ChipwhispererCapture Board

Amplifier

3D Scanner

H Field Probe

Microcontroller under attack

SCNIFFER Platforma)

b)

Fig. 2: (a) The complete EM Scanning and trace capture set-upsystem, including the 3-D printer, Chipwhisperer system, EMprobe, amplifier, and victim. (b) Close-up of scanner, showingprobe and victim board.

A. Low Cost EM Scanning Setup

The scanning hardware consists of an Ender-3 3-Dprinter [20] with a 10mm loop diameter H-field probe attachedto the extruder, the Chipwhisperer [21] platform for interfacingwith the victim (The CW309T-XMEGA mounted on the308 UFO Target board) and trace collection, an amplifier toamplify the EM probe output, and finally a PC to control boththe 3-D printer and the Chipwhisperer Lite capture board.While such EM scanning systems do exist, for instance,Riscure’s EM Scanning Station, we chose to create such asystem from scratch for the following reasons: 1) Commercialscanning systems (like Riscure [19]) scanning station is ordersof magnitude more expensive and 2) It is very straightforwardto interface with the custom system to develop the scanningalgorithm. As seen in Table I, the cost of a commercial scanneris orders of magnitude higher than SCNIFFER, and while itis hard to know if this price has been inflated by the selling

4

X

Y

SN

R (d

B)

AES128: SNR Heatmapa)

0, 0

30, 30

30, 0

0, 30

b) Grid Overlay

X

Y

Fig. 3: (a) Heatmap of the SNR values obtained by performinga full 30×30 scan of the 8-bit target microcontroller. (b) Thisshows the grid divisions where leakage measurements wereperformed. 1000 traces were used to compute the SNR valuesat each point. The part of the target microcontroller boardwhich leak the most information can be observed.

company, it is reasonable for prices to be higher, as there arenot many EM scanners on the market.

To manipulate the probe, an Ender-3 3-D printer, runningstock firmware was used. This model of printer has a minimumstep size of 0.1mm, and can be controlled via a USB serialconnection. It has a maximum movement speed of 180 mm/s,with a print area of 220mm×220mm×250mm. The precisionand speed offered by this 3-D printer are sufficient to completea 50 × 50 scan of the 9mm × 9mm IC used in testing inan acceptable time. Additional justification for the choice ofprinter, beyond the cost includes the ease of interfacing, theform factor, maintainability, and software support. The opensource firmware used by this printer is well documented, andcan be controlled through an exposed serial port, making inter-facing very easy. The printer also has an open form factor thatallows the probe and victim board to be mounted easily. Whilethe durability and hardware support would not be as good asa commercial EM scanner, the simple construction and use of

b)

X

Y

t-valu

e

a)

b)

t-value

Nu

mb

er

of

Occu

rren

ces

3-D AES TVLA Surface Plot

Distribution of t-values at a Point of High Leakage

Fig. 4: (a) TVLA Surface plot. Again, the surface is not smoothor monotonic, as there are many local minima and maxima,as in Figure 5(a). (b) Histogram of TVLA measurements at asingle point. 50 TVLA measurements were made at a pointof high leakage, each done as in (a), using 400 traces each.Given the distribution much wider seen in (b), the increasedroughness of the surface in (a) can be explained.

off-the-shelf components make maintenance straightforward.The software support is quite strong, being open source, andthe printer is plug-and-play compatible with any device with aserial port. The system is capable of performing a 30×30 scanof the chip in ∼ 15 minutes, and perform an amplitude scan in∼ 75 minutes. The probe used is a commercial H-field probefor performing EMC measurements, and the signal is amplifiedbefore being passed to the Chipwhisperer capture board. Whilethe probe used does not have extremely high spatial resolution,the probe resolution matches the scan resolution, allowingheatmaps such as the one in Figure 3(a) to be created, andChipwhisperer is able to capture enough information leakagefor the target devices considered, leading to low MTDs whenprobed at appropriate locations, as seen in figure 1, while stillbeing low cost. Even though this probe is on the larger side,the SCNIFFER platform is compatible with more sensitiveprobes and is expected to become more precise with suchprobes. The complete system is shown in Figure 2(a) showingthe 3-D printer, the probe, Chipwhisperer system, and PC.

5

X

Y

SN

R (

dB

)3-D AES SNR Surface Plot

b)

SNR (dB)

Nu

mb

er

of

Occu

rren

ces

Distribution of SNR at a Point of High Leakage

a)

Fig. 5: (a) SNR surface plot of the same scan as Figure 3(a).Here it can be clearly seen that the surface is not smoothor monotonic, as there are many local minima and maxima.(b) Histogram of SNR measurements at a single point. 50SNR measurements were made at 1 point. This distributioncan explain some of the roughness of the surface seen in (a).

The probe and victim IC are shown in detail in Figure 2(b).The probe position can be controlled manually, through the3-D printer controls, or programmatically through the serialconnection to a PC, as it is in the SCNIFFER system.

The major cost savings in the SCNIFFER system comefrom using a low cost 3-D printer to control the probe, insteadof a high cost motorized table. The total cost of the 3-D printer,probe and amplifier used in SCNIFFER is ∼ $500, which is afew orders of magnitude less expensive than many motorizedtables by themselves, and nearly two orders of magnitude lessexpensive than systems such as Riscure’s EM probe station(∼ $50, 000). While more expensive scanners, probes andmeasurement systems could improve spatial and frequencyresolution, such a system would only be available to verysophisticated attackers. As SCNIFFER aims to demonstratepractical, low-cost attacks are possible using systems twoorders of magnitude cheaper than existing scanners, high-cost,high resolution components are not used. Table I summarizesthese components, including their costs and performance com-

TVLA– Amplitude – SNR – MTD Comparison

X

Y

X

Y

X

Y

MTDd)

Signal AmplitudeTVLAa) b)

X

Y

SNRc)

Fig. 6: 10 × 10 heatmap of (a) TVLA values (b) signalamplitudes (c) SNR values and (d) MTDs. From these plotsTVLA and SNR appear to correlate to MTD much better thanthe signal amplitude. While amplitude is easy to measure, itis clear that high amplitude of leakage does not necessarilycorrespond to high information leakage.

pared to the Riscure system.

B. Automated EM Scanning

Now that the SCNIFFER system’s low cost hardware hasbeen described, we move to the automated scanning and attackprocedure. The basic premise of the automated system is tolocate a point on the target device where the chosen leakagemeasure is high by using the scanning algorithm specified inSection 5, then automatically perform CEMA at this point.This removes the need for an expert to manually analyzeexample traces to choose a location for an attack.

During an attack, the probe is positioned at a location dic-tated by the intelligent scanning algorithm, then, the appropri-ate ADC phase for trace collection is determined by capturingtraces at varying ADC phases, and the phase giving the largestaverage amplitude is chosen for further measurements at thatparticular point. The signal is sampled at 29.48MHz, 4× theclock frequency of 7.37MHz, so clock edges are aligned tosamples. The signal is amplified by the external amplifier, aswell as the Chipwhisperer internal amplifier (set to a gain of34.5dB), but no other prepossessing is performed. Chipwhis-perer is then used to capture traces for leakage measurement(through SNR, TVLA or other measures) and finally CEMAis performed at the location found by the algorithm to havethe highest leakage. Example leakage measures tested withSCNIFFER, and the development of the intelligent scanningalgorithm, along with detailed results are described in thefollowing sections.

6

IV. SIGNAL LEAKAGE MEASUREMENT USING SCNIFFER

As the choice of probe location is a major factor indetermining the number of traces needed to recover a keyin CEMA as shown in Figure 1, this location must be chosenintelligently. Currently, this is done by either exhaustive searchof the entire chip, or by an expert evaluating sample EMtraces at several locations, and choosing a location based onvisual inspection of the traces. While an exhaustive searchwill certainly produce the best location to attack, it requires alarge amount of time, especially for systems with a large initialMTD. Choosing a location based on visual inspection of tracesmay result in a location that can be attacked, however not nec-essarily the best in terms of MTD. Additionally, this methodrequires an expert to perform the inspection of traces. In thiswork, we aim to fully automate the process of choosing alocation as an expert might, by looking at measures of leakage,and finding a location with high leakage. As with a manualchoice, this location may not be the location corresponding tothe lowest MTD, but should leak enough information to beattacked in a reasonable amount of time, without the need foran expert.SCNIFFER is designed such that any measure of leakage

can be used. For example signal amplitude, Test Vector Leak-age Assessment (TVLA) [13], or SNR could be used, and theSCNIFFER platform will be able to converge to a locationwhere the leakage measure is high in O(N) measurements.We provide results using both TVLA and SNR, both described,and then compared in the following subsections.

A. Signal Amplitude for Leakage Measurement

As motivation for why side-channel leakage measures mustbe used with SCNIFFER to locate low MTD locations, wemeasure the signal amplitude at each point of the victim chip,producing the heatmap seen in Figure 6(b). The amplitude wasmeasured as the mean square amplitude of each trace, averagedacross 10 traces. As can clearly be seen in that figure, theamplitude does not correlate to the MTD at all, as expected.

Hence, further results are shown using one of the two leak-age measures explained in the following sections, TVLA andSNR. While these are the measures chosen for demonstratingSCNIFFER, they are by no means the best nor the onlymeasures that can be used, as SCNIFFER does not rely onspecific leakage type, only requires that the leakage correlatewith the MTD. Determining the best measures of leakage interms of the attack success rate and minimum number of tracesrequired is a future research direction.

B. TVLA for Leakage Measurement

While signal amplitude is quick to measure, it has no rela-tionship to side channel leakage. As the goal of SCNIFFER isto locate a position with high side channel leakage, amplitudeis therefore not a good measure. A measure that does considerside channel leakage, and may be a better fit for SCNIFFER isTVLA. While high t-values from TVLA may not necessarilyimply a low MTD, it allows locations where leakage isdetected with high confidence to be focused on. The TVLA

performed is the non-specific, fixed versus random t-test. Wechoose N = 200 for the number of traces in each group, for atotal of 400 traces per TVLA performed. This number of tracescreates large separation between points of low leakage andones of high leakage, as seen in Figure 4(a), where the highleakage location reaches a t-value of 22, while the low leakagelocation only reaches a t-value of 4. Note that the TVLAsurface is rough, with many local minima and maxima. Even ata fixed location there is variance in the TVLA measurements,shown in Figure 4(b). However, it is infeasible to performmany TVLA measurements at each point to average out thisnoise.

C. SNR for Leakage MeasurementCompared to amplitude and TVLA, SNR, as defined in [14]

requires more traces, however has a direct relationship to theMTD. Given this relationship, one can estimate the MTD, thusa location maximizing SNR will minimize MTD. 1000 traceswere used to calculate the SNR, as for the 8-bit microcontrollerused, this gave large separation between locations of high andlow leakage, as seen in Figure 5, where the SNR varies from-30dB to 3dB. SNR is calculated using the same intermediatevariable and leakage model as the CEMA used, that is, thefirst round sbox output and the the Hamming Weight model,respectively. Like with TVLA, the surface is somewhat rough,but again it is infeasible to take many SNR measurements toaverage out this noise.

D. Correlation among Amplitude, TVLA, SNR, MTDWhile signal amplitude, TVLA, and SNR can all be used

with SCNIFFER as measures for leakage, since the end goal ofthe SCNIFFER system is to perform an attack, we investigatehow these measures compare to the MTD at each location. Tocompare the measures, a 10× 10 scan of the chip was carriedout, and CEMA was performed using 1,000 traces at eachpoint. The resulting heatmap, along with heatmaps for SNR,TVLA, and amplitude, are shown in Figure 6. From theseresults, clearly TVLA and SNR both appear to correlate tothe MTD strongly, however amplitude correlates very poorly.While signal amplitude is easy to measure, there is no guar-antee that this measure correlates to the MTD, as high signalleakage does not imply high information leakage. Additionally,an uncorrelated EM source having high signal leakage couldconfuse an attacker into choosing a poor location to attack.While TVLA also does not guarantee high exploitable leakage,it can be used to identify and focus on regions where leakage isdetected with confidence. Additionally, for the microcontrollerconsidered in this work, TVLA does empirically correlate tothe MTD quite well, even if it is not guaranteed to be the casein general. Finally, as SNR is directly related to the attacksuccess rate, it unsurprisingly is highly correlated in practice.Further, due to this correlation, the location of highest SNRwill theoretically be the location of lowest MTD, achievingSCNIFFER’s goal.

V. GREEDY GRADIENT-SEARCH HEURISTIC

A critical piece of the SCNIFFER system is the algorithmfor locating the point of high leakage at which the attack

7

should be performed. It is through this algorithm that theSCNIFFER attack framework gains benefits over an exhaus-tive search, as the high leakage location in an N × N gridcan be found with N measurements as opposed to N2. As anexample, we use SNR as the leakage measure to demonstratethe performance of the SCNIFFER greedy gradient-searchalgorithm throughout this section. The remainder of this sec-tion describes the algorithm in detail, and provides results ofrunning the algorithm on an Atmel XMEGA 8-bit processorrunning software AES.

A. Algorithm Description

To avoid taking measurements at all possible points, wepropose a heuristic search algorithm for finding a point of highleakage in a minimum number of scans. The search algorithmworks in two phases. In the first phase, the search space isdivided into an M × M grid, where M is the initial gridsize parameter, and the leakage is measured at the center ofeach grid cell. Then in the second phase, a gradient searchalgorithm is started from the point of the highest leakage foundin the first phase. The gradient is computed by measuring theleakage of the four grid cells adjacent to the current cell, thentreating each measurement as the magnitude of a vector whosedirection is the direction from the cell where the gradientis being estimated to the cell where the measurement wasmade. The average of these vectors is treated as the estimateof the gradient. The next point to measure is determinedby adding a vector in the direction of the gradient with amagnitude of stepSize to the current location. This location isthen mapped to a grid cell, and the leakage is next measuredin the center of this resulting grid cell. Given this method,movement is restricted to be between grid cells, and is notentirely arbitrary, however movement to diagonal cells ormoving multiple cells at once are possible moves, dependingon the stepSize parameter.

The algorithm will stop if it attempts to measure outside thesearch space, instead moving only to the edge. A maximumnumber of iterations can also be specified, along with an “iter-ations without improvement” stopping criteria. The “iterationswithout improvement parameter should be set to a sizeablefraction of the grid resolution N, for values too small, severaliterations may pass without improvement, especially for noisysurfaces, and the algorithm may stop prematurely. This twophase process is described in Algorithm 1.

B. Performance

Based on experimental results, the algorithm is able to locatea point of high leakage in a N ×N grid of possible measure-ments in ≈ N SNR measurements. Figure 7 demonstrates thatas the search grid size increases by N2, the number of testsrequired only increases by N , showing the improvement overan exhaustive search is more drastic as the size of the scanincreases, either due to increased resolution or larger scan area.We also see the effect of the parameters of the algorithm, andsee how varying them affects performance. In Figure 8(a),where, by increasing the resolution of the initial search grid,the lowest MTD found for a given number of measurements

N = Grid Resolution;maxLeakage = 0;initLocs = getInitialLocations(initialGridSize, N);for loc ∈ initLocs do

moveProbe(loc);leakage = getLeakage();if leakage > maxLeakage then

maxLeakage = leakage;startLoc = loc;

endendmoveProbe(startLoc);bestLoc = startLoc;m = startLoc;while Not Converged do

delta = getDelta(get4Neighbors());m = m−stepSize∗delta;moveProbe(m);leakage = getLeakage();if leakage > maxLeakage then

maxLeakage = leakage;bestLoc = loc;

endend

Algorithm 1: Gradient Search Heuristic to find the highleakage location

Effect of Scan Resolution

Number of SNR Measurements

Converges in

~O(N)

Measurements

MT

D

Fig. 7: Leakage vs. number of SNR measurements for varyinggrid scales. The data for the 30× 30 grid was the same as inFigures 3 and 5(a). The full 60× 60 and 10× 10 grids werealso collected, allowing the performance of the algorithm to beseen at various degrees of measurement resolution. Throughthese results, it can be seen that even as the size of the searchspace increases by N2, the time to converge increases by onlyN .

changes. As expected, as more initial points are scanned, fewergradient steps are required to converge to the high leakagelocation. In Figure 8(b), the step size is varied, and we seethat for a small step size, the algorithm gets stuck in a local

8

Effect of Parameters on Algorithm Performance

Number of SNR Measurements

Effect of Step Size

MT

D

Effect of Starting Sample Grid

Number of SNR Measurements

MT

D

a)

b)

Stuck in local minimum

0.54 mm (1 Cell)0.84 mm (2 Cells)1.14 mm (3 Cells)

Fig. 8: (a) MTD vs number of SNR measurements performedfor varying the initial sample grid size parameter. Note that the2× 2 and 3× 3 grids locate the point of high leakage within40 measurements, while a single point start only reaches ahigher MTD, and after 45 such measurements. For all initialsample grid sizes, a step size of 1.14mm was used. (b) Thisdemonstrates the effect of step size on performance. A stepsize too small can result in the algorithm getting stuck in alocal maximum, and in this case as the step size increased,convergence sped up, however, for much larger step sizes, it ispossible to overshoot the location of highest leakage, resultingin slower, less smooth convergence. For all step sizes, a 2× 2initial sample grid was used. Both (a) and (b) used a 30× 30scan resolution.

minimum, and does not converge to the point of high leakagethe other step sizes do. It is worth noting that even thoughthe algorithm gets stuck in a local minimum, the initial gridsearch, SCNIFFER still finds a relatively low MTD location.A larger step size also converges, and if the step size is toolarge however, the convergence is slower, and less smooth, asit may step over the best point. Note that the effective stepsize is a function of both the resolution of the scan, N , andthe step size parameter of the algorithm. This, along with thedimensions, L, of the chip allow calculating the effective stepsize as 1

N ∗ L mm ∗ StepSize. Given these results, one can

X

Path Taken by SCNIFFER: TVLAt-v

alu

e

Y

a)

X

Path Taken by SCNIFFER: SNR

SN

R (d

B)

Y

b)

Fig. 9: Heatmaps for AES running on the 8-bit microcontroller,with the path taken by SCNIFFER shown for TVLA in (a),and SNR in (b). The same search algorithm parameters wereused in all cases.

Number of Traces

Pe

ak

Co

rre

lati

on

MTD for TVLA SCNIFFERa)

MTD = 183

Number of Traces

Pe

ak

Co

rre

lati

on

MTD for SNR SCNIFFERb)

MTD = 134

Fig. 10: MTD plots at locations found by SCNIFFER usingTVLA as a leakage measure (a), and SNR as a leakagemeasure (b). While the MTD is not the minimum, it is fairlyclose to the minimum for both measures, with SNR having aslightly lower MTD than TVLA.

see that for reasonable choices of parameters, the algorithm isobserved to converge to a point of high leakage in O(N) stepsfor an N × N grid of measurements, providing SCNIFFERwith a significant improvement over an exhaustive search.

9

Leakage Measure ConvergenceLocation MTD Total Traces

TVLA (2, 2) 183 5,807SNR (7, 10) 134 10,134Exhaustive (3, 6) 91 100,000

TABLE II: Comparison of different leakage measures usedwith SCNIFFER, as well as results of a full exhaustive search.The total traces includes the traces needed for the initialsearch, gradient search, and CEMA. The exhaustive searchtotal traces includes a 1000 trace CEMA at all 100 locations.

VI. RESULTS

In this section, we provide results of using the SCNIFFERframework in various scenarios. We start with the results ofan attack using TVLA, then with SNR. Following this, weprovide a short discussion of the number of traces needed ina SCNIFFER attack. We then show the performance of theTVLA and SNR based attacks for a variety of cryptographicalgorithms. Next, results comparing the 8-bit architecture chipused so far to a 32-bit architecture chip are shown, againfor both TVLA and SNR measures. Finally, we show resultsshowing the effects of a Masking countermeasure, using theSNR based attack.

A. TVLA Based SCNIFFER

While it is not guaranteed to correlate with MTD, TVLAcan be used with the SCNIFFER algorithm. The path taken forthis case is shown in Figure 9(a). This path remains in the zoneof high TVLA values, and as TVLA correlates well with MTDin our experiments, this location has a very low MTD, seen inFigure 10(b), and is among the lowest on the chip. TVLA ateach location requires a total of 400 traces to compute TVLA,and additional traces would be needed for systems with lowerSNR, as we describe in section IV D. Additionally, as theTVLA surface is not smooth, convergence is slightly slowed,increasing the attack time.

B. SNR Based SCNIFFER

In contrast to TVLA, which does not guarantee leakagefound is exploitable, SNR does, as it is related to the MTD.We see that SNR based SCNIFFER does take a different paththan TVLA, and converges to a different location. The MTDat this location is slightly lower than the TVLA location, butstill not the absolute lowest found on the chip. Furthermore, toaccurately measure SNR, more traces than TVLA are neededfor measurement, increasing the number of traces needed, andthis number increases as the SNR reduces, as discussed insection IV D. Despite this, once the SNR reduces below acertain point, shown in Figure 11, a SNR-based SCNIFFERattack becomes as efficient as a TVLA-based attack, with theadditional guarantee of exploitable leakage.

C. Number of Traces Needed For SCNIFFER Attacks

The performance of the SCNIFFER platform can be quan-tified and compared to other methods by investigating how the

Signal-to-noise Ratio (SNR) (dB)

Nu

mb

er

of

Tra

ce

s A

na

lyze

d

Number of Traces Analyzed vs. SNR

~100x Reduction

in Traces to Attack

Fig. 11: Number of traces required for TVLA and SNR basedSCNIFFER compared to exhaustive search vs. SNR for thecase of a 10 × 10 scan. The ∼ 100× reduction is due to thefact that an exhaustive search must perform a CEMA at eachlocation, while SCNIFFER only visits N locations.

total number of traces needed to perform an attack changesas the SNR of the device under attack changes. Previousworks have shown in [22] and [14] that the MTD for aCEMA attack is related to the SNR of the signal used in theattack by MTD = k0 ∗ 1

SNR2 . Additionally, [23], [24] haveshown that the number of traces needed to perform a TVLA(NTV LA) or calculate SNR (NSNR) is also related to SNR byNTV LA = c0 ∗ 1

SNR and NSNR = c1 ∗ 1SNR . From there, it is

straightforward to quantify the performance of an exhaustivesearch and SCNIFFER using both TVLA and SNR as follows,

NSCN−TV LA = N ∗ c0 ∗1

SNR+ k1 ∗

1

SNR2(1)

NSCN−SNR = N ∗ c1 ∗1

SNR+ k1 ∗

1

SNR2(2)

Nexh = N2 ∗ k1 ∗1

SNR2(3)

where N×N is the resolution of the grid scan, and k0, k1, andc0 are arbitrary constants chosen such that the models matchthe results presented.

A SCNIFFER attack requires measurements to be made atapproximately N points for an N × N grid, as the searchalgorithm requires O(N) measurements, with each requiringNTV LA in the TVLA case and NSNR in the SNR case.Additionally a single CEMA attack requiring MTD tracesis needed, resulting in equations (1) and (2). An exhaustivesearch on the other hand would require a CEMA to beperformed at all N2 locations, resulting in equation (3). Thesetrends are pictured in Figure 11, which clearly shows the 100×reduction in required traces in the case of a 10× 10 scan forlow values of SNR. This reduction can be explained by thefact that the number of traces needed to measure TVLA or

10

Number of SNR Measurements

Ma

xim

um

SN

R (

dB

)

Number of TVLA Measurements

Ma

xim

um

t-v

alu

e

a)

b)

Effect of Crypto Algorithm on

SCNIFFER Algorithm Convergence

Fig. 12: (a) Max t-value vs. number of TVLA tests performedfor all cryptographic algorithms (AES, DES, RSA), showingthe scanning algorithm performs well, finding the point ofmax leakage within 40 TVLA tests in all cases, with a gridsize of 30 × 30. The initial sampling grid was 2 × 2 andthe step size was 0.84mm. Note that for RSA, one of theinitial samples is already close to the maximum, and thismaximum is found in just one step. For AES and DES, whoseleakage patterns are less smooth, and have smaller areas ofhigh leakage, the time to converge is higher. (b) Max SNR vs.number of SNR measurements for all algorithms (AES, DES,RSA). The search algorithm again performs well, convergingin all cases in about O(N) measurements.

SNR changes as 1SNR , compared to the MTD which changes

as 1SNR2 . Additionally, the number of points traversed is only

N , as opposed to N2 for an exhaustive search. Also, we seeTVLA slightly outperforms SNR in terms of number of tracesneeded to perform an attack when SNR is high. For low SNR,the performance of both measures is mostly equivalent, as thenumber of traces needed is dominated by the CEMA, andusing SNR as the leakage measure gives guarantees on thesuccess rate of the CEMA, which TVLA does not.

Number of SNR Measurements

Maxim

um

SN

R (

dB

)

Number of TVLA Measurements

Effect of Architecture on SCNIFFER

Algorithm Convergence

Maxim

um

t-v

alu

e

a)

b)

Fig. 13: (a) Max t-value vs. number of measurements for boththe 8-bit XMEGA microcontroller and the 32-bit STM32F3microcontroller. The algorithm converges within O(N) mea-surements, where N = 30 in both cases. the algorithmparameters used are the same as in Figure 12. (b) Max SNRvs. number of measurements for both microcontroller archi-tectures, again showing convergence in O(N) measurements.The parameters used are the same as those in part (a).

D. Effect of Cryptographic Algorithm on Convergence

Next, in Figure 12(a), the effect of different cryptographicalgorithms running on the target microcontroller can be seen,when using TVLA. For AES, DES, and RSA, the gradientsearch algorithm converges a point of high leakage in a similarnumber of traces. A 30× 30 scan was performed for all algo-rithms, and the parameters were fixed at a 2× 2 starting gridand step size of 0.54 mm for all cases. A similar plot, using thesame parameters but SNR as opposed to TVLA can be seenin Figure 12(b). Again, the search converges in approximatelythe same number of measurements for all algorithms. Throughthis, we see that the greedy gradient search algorithm performswell regardless of the specific cryptographic algorithm, andregardless of the leakage measure chosen.

E. Effect of Architecture on Convergence

Additionally, we investigate the effect of different architec-tures (microcontrollers) on SCNIFFER. Up to now, the results

11

Number of SNR Measurements

Effect of MaskingS

NR

(d

B)

Fig. 14: Max SNR vs. number of measurements for theunmasked and a masked implementation of AES on the 8-bit microcontroller. The algorithm converges within O(N)measurements, where N = 30 in both cases. the algorithmparameters used are the same as in Figure 12.

shown have been obtained with an 8-bit XMEGA microcon-troller. We now use a 32-bit STM32F3 microcontroller runningsoftware AES as the target device. The STM32F3 uses thesame clock frequency as the 8-bit XMEGA, 7.37MHz, andsampling is again done at 4× this frequency. Similarly theamplifier gain is the same as the 8-bit case. Given the sameparameters for the greedy gradient search, the algorithm con-verges to a location of high leakage within N measurements,with N = 30 in this case. These results are shown in Figure13(a) for TVLA, and Figure 13(b) for SNR. In both figures,the 8-bit and 32-bit architectures are compared, given the samemeasurement and search algorithm parameters. In this context,it is worth mentioning that as the size of the chip underattack increases, finding the location of the cryptographicengine could be a difficult task. In scenarios such as attackinglarge systems, the SCNIFFER framework would be extremelyuseful in efficiently determining the position of high leakageand then performing the attack at that point.

F. Effect of Masking on Convergence

Lastly, the effects of a masking countermeasure with afixed mask on the performance of SCNIFFER have beeninvestigated. We again use the same measurement and searchparameters, and for both cases, the SCNIFFER algorithmconverges in approximately O(N) measurements. These re-sults are shown in figure 14, where we see the algorithmconverges after 35-40 measurements for both masked andunmasked implementations. As one would expect, the SNRfor the masked implementation is significantly lower thanthe unmasked implementation, but the SCNIFFER searchalgorithm is still able to locate a higher SNR region throughgradient search. While the measurement parameters used herewere the same as elsewhere, an important note is that forcountermeasures that reduce the SNR more drastically, would

require more traces to be used to calculate the SNR.

VII. CONCLUSIONS

This work has introduced SCNIFFER, a fully automatedintegrated system for conducting end-to-end EM side-channelattacks against cryptographic systems. SCNIFFER combinesan EM leakage scanning platform, and correlation EM analysisinto a single system, which can perform all steps of anattack automatically. The system is comprised of a low-cost custom scanning hardware and gradient search heuristicbased scanning algorithm. We also plan to make our codefor implementing the efficient SCNIFFER framework andcontrolling the low-cost 3-D printer for scanning publiclyavailable.SCNIFFER is capable of using a variety of measures

of leakage, and the search algorithm was shown to find alocation of high leakage in an N ×N chip search space withO(N) measurements, providing a significant improvementover exhaustive search, and performing all stages of the searchand attack completely automatically, removing the need forexpert analysis.

Using this fully automated attack, it is possible to efficientlyfind a point of high leakage and launch a CEMA attackat this location at the press of a button. The attack uses aminimal number of traces, for a variety of microcontrollerarchitectures and cryptographic algorithms. Even as the size ofthe chip increases, or as protections lowering the SNR, suchas masking, are put in place, SCNIFFER retains efficiency.Finally, we show that as the SNR of the system under attackdecreases, SCNIFFER attacks maintain their advantage overexisting methods, reducing the number of traces needed by afactor of N compared to an exhaustive search, for an N ×Nscan of a chip.

REFERENCES

[1] P. Kocher, J. Jaffe, and B. Jun, “Differential power analysis,” in Advancesin Cryptology CRYPTO 99, ser. Lecture Notes in Computer Science,M. Wiener, Ed. Springer Berlin Heidelberg, pp. 388–397.

[2] K. Gandolfi, C. Mourtel, and F. Olivier, “Electromagnetic analysis:Concrete results,” in Cryptographic Hardware and Embedded SystemsCHES 2001, ser. Lecture Notes in Computer Science, . K. Ko, D. Nac-cache, and C. Paar, Eds. Springer Berlin Heidelberg, pp. 251–261.

[3] J.-J. Quisquater and D. Samyde, “ElectroMagnetic analysis (EMA):Measures and counter-measures for smart cards,” in Smart Card Pro-gramming and Security, ser. Lecture Notes in Computer Science, I. Attaliand T. Jensen, Eds. Springer Berlin Heidelberg, pp. 200–210.

[4] D. Das, M. Nath, B. Chatterjee, S. Ghosh, and S. Sen, “Stellar: Ageneric em side-channel attack protection through ground-up root-causeanalysis,” in 2019 IEEE International Symposium on HardwareOriented Security and Trust (HOST). Los Alamitos, CA, USA:IEEE Computer Society, may 2019, pp. 11–20. [Online]. Available:https://doi.ieeecomputersociety.org/10.1109/HST.2019.8740839

[5] D. Genkin, L. Pachmanov, I. Pipman, and E. Tromer, “Stealing keysfrom pcs using a radio: Cheap electromagnetic attacks on windowedexponentiation,” in Cryptographic Hardware and Embedded Systems –CHES 2015, T. Guneysu and H. Handschuh, Eds. Berlin, Heidelberg:Springer Berlin Heidelberg, 2015, pp. 207–228.

[6] D. Genkin, L. Pachmanov, I. Pipman, and E. Tromer, “ECDHkey-extraction via low-bandwidth electromagnetic attacks on PCs,” inProceedings of the RSA Conference on Topics in Cryptology - CT-RSA2016 - Volume 9610. Springer-Verlag New York, Inc., pp. 219–235.[Online]. Available: http://dx.doi.org/10.1007/978-3-319-29485-8 13

[7] A. Matthews, “Low cost attacks on smart cards.” Next GenerationSecurity Software Ltd. [Online]. Available: https://pdfs.semanticscholar.org/1b5a/48426397d3e5d7d56b35ffe2d8456e29834e.pdf

12

[8] T. Kasper, D. Oswald, and C. Paar, “EM side-channel attacks oncommercial contactless smartcards using low-cost equipment,” in Infor-mation Security Applications, ser. Lecture Notes in Computer Science,H. Y. Youm and M. Yung, Eds. Springer Berlin Heidelberg, pp. 79–93.

[9] E. Ronen, A. Shamir, A.-O. Weingarten, and C. OFlynn, “IoT goesnuclear: Creating a ZigBee chain reaction,” in 2017 IEEE Symposiumon Security and Privacy (SP). IEEE, pp. 195–212. [Online]. Available:http://ieeexplore.ieee.org/document/7958578/

[10] D. Agrawal, B. Archambeault, J. R. Rao, and P. Rohatgi, “The EMsidechannel(s),” in Cryptographic Hardware and Embedded Systems -CHES 2002, ser. Lecture Notes in Computer Science, B. S. Kaliski, . K.Ko, and C. Paar, Eds. Springer Berlin Heidelberg, pp. 29–45.

[11] C. Ramsay and J. Lohuis, “Tempest attacks against aes,” TechnicalReport White paper, Fox-IT, Tech. Rep., 2017. [Online]. Available:https://hardwear.io/document/slides-craig-ramsay.pdf

[12] E. Brier, C. Clavier, and F. Olivier, “Correlation power analysis with aleakage model,” in Cryptographic Hardware and Embedded Systems -CHES 2004, ser. Lecture Notes in Computer Science, M. Joye and J.-J.Quisquater, Eds. Springer Berlin Heidelberg, pp. 16–29.

[13] G. Becker, J. Cooper, E. DeMulder, G. Goodwill, J. Jaffe, G. Kenworthy,T. Kouzminov, A. Leiserson, M. Marson, P. Rohatgi et al., “Test vectorleakage assessment (tvla) methodology in practice,” in InternationalCryptographic Module Conference, vol. 1001, 2013, p. 13.

[14] S. Mangard, “Hardware countermeasures against DPA a statisticalanalysis of their effectiveness,” in Topics in Cryptology CT-RSA 2004,ser. Lecture Notes in Computer Science, T. Okamoto, Ed. SpringerBerlin Heidelberg, pp. 222–235.

[15] Y. Liu and B. Ravelo, “Fully time-domain scanning of EM near-fieldradiated by RF circuits,” Progress In Electromagnetics Research, vol. 57,pp. 21–46, 2014.

[16] V. Lomn, P. Maurine, L. Torres, T. Ordas, M. Lisart, and J. Toublanc,“Modeling time domain magnetic emissions of ICs,” in IntegratedCircuit and System Design. Power and Timing Modeling, Optimization,and Simulation, ser. Lecture Notes in Computer Science, R. van Leukenand G. Sicard, Eds. Springer Berlin Heidelberg, pp. 238–249.

[17] L. Sauvage, S. Guilley, and Y. Mathieu, “Electromagnetic radiations offpgas: High spatial resolution cartography and attack on a cryptographicmodule,” ACM Transactions on Reconfigurable Technology and Systems(TRETS), vol. 2, no. 1, pp. 1–24, 2009.

[18] J. Heyszl, S. Mangard, B. Heinz, F. Stumpf, and G. Sigl, “Localizedelectromagnetic analysis of cryptographic implementations,” in Topicsin Cryptology CT-RSA 2012, ser. Lecture Notes in Computer Science,O. Dunkelman, Ed. Springer Berlin Heidelberg, pp. 231–244.

[19] EM probe station: Electromagnetic analysis solution. [Online].Available: https://www.riscure.com/product/em-probe-station/

[20] Creality3d ender-3 3d printer economic ender DIYKITS. [Online]. Available: https://www.creality3d.shop/products/creality3d-ender-3-pro-high-precision-3d-printer

[21] C. OFlynn and Z. D. Chen, “ChipWhisperer: An open-source platformfor hardware embedded security research,” in Constructive Side-ChannelAnalysis and Secure Design, ser. Lecture Notes in Computer Science,E. Prouff, Ed. Springer International Publishing, pp. 243–260.

[22] O. Standaert, E. Peeters, G. Rouvroy, and J. Quisquater, “Anoverview of power analysis attacks against field programmablegate arrays,” vol. 94, no. 2, pp. 383–394. [Online]. Available:https://ieeexplore.ieee.org/document/1580507

[23] D. B. Roy, S. Bhasin, S. Guilley, A. Heuser, S. Patranabis, andD. Mukhopadhyay, “CC meets fips: A hybrid test methodology for firstorder side channel analysis,” IEEE Transactions on Computers, vol. 68,no. 3, pp. 347–361, 2018.

[24] D. B. Roy, S. Bhasin, S. Guilley, A. Heuser, S. Patranabis, andD. Mukhopadhyay, “Leak me if you can: Does tvla reveal successrate,” IACR Cryptology ePrint Archive, Tech. Rep., 2016. [Online].Available: https://eprint.iacr.org/2016/1152