Techniques for Electromagnetic Attacks Enhancement - sami mekki

2010 International Conference on Design & Technology of Integrated Systems in Nanoscale Era

Techniques for Electromagnetic Attacks Enhancement
Youssef SOUISSI, Jean-Luc DANGER, Sami MEKKI, Sylvain GUILLEY and Maxime NASSAR
Institut TELECOM, TELECOM ParisTech, CNRS LTCI (UMR 5141), Département COMELEC, 46 rue Barrault, 75 634 PARIS Cedex 13, FRANCE.
Email: {ysouissi,danger,mekki,guilley,nassar}@enst.fr

to enhance DEMA, only a few publications tackle this issue. Thanh-Ha Le et al. use the fourth-order cumulant to remove the second order noise [8], [9], and Xavier Charvet et al. employ wavelet-based denoising for SCA enhancement [10]. In this paper, in order to improve DEMA attacks, we propose two techniques that have shown their efficiency in other disciplines. The first one is an experimental technique based on electromagnetic shielding theory [11], [12]. The second is a preprocessing technique based on Kalman filtering. The rest of the paper is organized as follows. In section II, we give an overview of EMA attacks: we start with the theoretical background, then describe the hardware setup needed to perform such attacks. Section III is devoted to the theoretical background of our techniques to enhance DEMA; it is divided into two parts, the first dedicated to the electromagnetic shielding technique and the second to Kalman filtering. In section IV, we show how useful these techniques are for electromagnetic attacks. Finally, section V concludes the paper and opens perspectives for new ways to improve DEMA attacks on cryptographic implementations.

Abstract—Electromagnetic attacks (EMA) pose real threats to embedded devices containing secret information. Such attacks are of great concern since they are completely passive, low cost and easily mounted in practice. In this paper, we propose two innovative techniques to enhance electromagnetic attacks by reducing the number of measurements needed for a successful attack on cryptographic implementations. The first method is based on electromagnetic shielding theory, which aims at decreasing the contribution of external noise sources. The second provides an algorithmic solution to preprocess electromagnetic signals using Kalman filtering (KF).
Index Terms—Electromagnetic attacks (EMA), symmetrical encryption (AES, DES), electromagnetic shielding, Kalman filtering (KF).

I. INTRODUCTION
Nowadays, we are more and more surrounded by a large variety of electronic devices such as laptops, smart cards and cell phones [1], which are in charge of concealing secret information about the user. Attacks based on the physical accessibility of the device are all of great concern. Thus, the impact on the security of such embedded devices becomes immediately clear. Those attacks, which exploit the leaked information from devices performing a cryptographic operation, belong to the so-called side-channel attack (SCA) class. The leakage is passively observed via timing information [2], power consumption [3], electromagnetic (EM) emanations [4], etc. SCAs are non-invasive physical attacks that pose a real threat since they make it possible to mount successful attacks quickly and at a low cost, even if the implemented algorithms are secure from a classical cryptanalytic point of view. This paper mainly deals with the differential electromagnetic analysis attacks (DEMA) [4] on symmetrical algorithms such as the Advanced Encryption Standard (AES) [5], [6] and the Data Encryption Standard (DES) [7]. These attacks, successors of the differential power analysis attacks (DPA) [3], correlate the leakages with an internal power model which depends on the cryptographic key. The traditional metric used to decide for the correct hypothesis is the number of electromagnetic measurements for the key guess to stabilize. In fact, DEMA attacks are very sensitive to the magnitude of the electromagnetic consumption signals to guess the value of the secret key. In real life, electromagnetic consumption signals are always affected by some form of noise. In this context, the importance of noise analysis becomes clear. Despite the great concern of this topic

978-1-4244-6340-4/10/$26.00 ©2010 IEEE

II. ELECTROMAGNETIC SIGNALS OVERVIEW
Digital integrated circuits are built out of individual transistors which dissipate power by charging the various capacitances whenever they are switched. The current that flows across the transistor substrate when charge is applied to the gate produces electromagnetic emanations. Thus, the created electromagnetic field can be easily eavesdropped by an attacker using inductive probes (antennas) which are sensitive to the electromagnetic impulses. According to Faraday's law of induction, the EM antenna output voltage is computed as $V = -\frac{\partial \phi}{\partial t}$, where $\phi \doteq \iint \vec{B} \cdot d\vec{S}$ is the magnetic flux through the surface, $\vec{B}$ is the magnetic field and $\vec{S}$ is the surface of the antenna. Electromagnetic signals can be analysed by different means, such as distance of means test [3], correlation analysis [13], maximum likelihood test [14], or any hybrid technique [15]. In what follows we will focus only on the first differential analysis, namely the distance of means test. The electromagnetic wave theory involves two types of zones: the far zone, where electric and magnetic fields are


coupled and characterized by the free space relationship $E/H = 377\ \Omega$, and the near zone, where, according to the topology of the source, one of the two fields (electric or magnetic) will be dominant. If we call $d$ the distance from the antenna to the source, the boundary between the two zones is only vaguely defined, and depends on the dominant wavelength $\lambda$ emitted by the source and the features of the antenna used. Generally, the limit between the two zones is considered to be at a distance $d = \frac{\lambda}{2\pi}$. Therefore, when setting up an EM measurement, the first aspect to consider is what type of antenna to use and the distance from the antenna to the source. In fact, the antenna should be placed as close as possible to the source, in order to decrease the contribution of surrounding external sources and because the source itself emits little power.

through the barrier. When building a shield, three points should be taken into consideration: 1) The rifts of the cage that allow the penetration of EM emanations, which is limited to oscillations that have a wavelength shorter than two times the diameter of the opening. 2) The discontinuity of the shield: accessing the circuit through an opening creates a discontinuity that causes losses and disturbances. 3) The electrostatic and magnetic characterizations of the cage. Our cage is built with steel material and covered internally by a thin aluminium sheet. This combination of two materials aims to improve the efficiency of the shield against the two types of noise. Indeed, steel is known for its high magnetic permeability, which ensures the magnetic shielding [17]. The magnetic permeability can be defined as the material's ability to acquire high magnetization in a magnetic field. In addition, aluminium has a high conductivity, which ensures the electrostatic shielding. In fact, the electrical conductivity is a measure of the material's ability to conduct an electric charge.

III. THE PROPOSED TECHNIQUES FOR DEMA ENHANCEMENT

As discussed before, EM measurements must often be made in the presence of magnetic fields, electric fields or both, which can produce electromagnetic noise on the measurements. DEMA attacks are very sensitive to the magnitude of collected EM signals. Therefore, the useful information needed to retrieve the cryptographic key can be hidden by the noise, which considerably affects the quality of the attack. In order to improve the reliability of the EM measurements, it is necessary to minimize the contribution of the external sources, relative to the considered source. Those external sources include nearby circuits of the board, exterior lighting, electrical wiring, etc. Basically, we distinguish two independent types of electromagnetic noise: electrostatic and magnetic. Generally, the external noise sources engender combinations of the two noise types, which complicates the noise reduction problem. Electrostatic fields are induced by the presence of voltage, which is the origin of the electrostatic noise. Magnetic fields, in contrast, are generated either by the flow of electric current or by the presence of permanent magnetism, which is the origin of the magnetic noise. In academic cases, the noise is reduced by averaging the EM signals, since we are free to acquire as many measurements as we want to perform a successful attack. However, in real life, the attacker might be limited by the number of measurements. Furthermore, for some protected cryptographic implementations such as masked algorithms [16], the attacker is not allowed to average the EM signals.

B. Kalman filtering
Based on the state space model theory [18], the behaviour of any system can be described by two equations: a state equation (1) (or process model equation) that defines the evolution of the process through time and a measurement (or observation) equation (2) that describes how the hidden state (internal state) is observed. The most general state space representation of a discrete time invariant system is written in the following form:

$$x_k = A x_{k-1} + B u_k + w_k, \qquad (1)$$

$$z_k = H x_k + v_k, \qquad (2)$$

for time points $k = 1, 2, \ldots$, where $x_k$ is the true state vector, $z_k$ is the measurement vector of the true state vector, $u_k$ is the optional input control vector, $w_k$ is the process noise vector, $v_k$ is the measurement noise vector, $H$ is the observation matrix model which maps the true state vector into the measurement vector, $A$ is the state transition matrix model which is applied to the previous true state vector and $B$ is the optional control input matrix model which is applied to the control vector $u_k$. The Kalman filter theory assumes that $w_k$ and $v_k$, of covariance $Q$ and $R$ respectively, are zero mean Gaussian processes, i.e. their amplitude can be modelled as a normal distribution and $E(w) = E(v) = 0$, where $E(\cdot)$ is the expectation value. Moreover, the noise vectors $(v_1, \ldots, v_k)$ and $(w_1, \ldots, w_k)$ are assumed to be uncorrelated, i.e. mutually independent. The Kalman filtering technique is depicted in Figure 1. The KF is a recursive estimator that has two distinct phases: prediction and correction. The prediction phase estimates the state at time $k$ from previous time step, i.e. at time $k - 1$. This

A. Electromagnetic shielding In order to decrease the contribution of external sources, we propose to surround the considered source (i.e. the FPGA during the encryption process) with what is known as a Faraday cage. EM measurement operation is performed inside the shield. Conceptually, the shield is a barrier to the transmission of electromagnetic fields. Moreover the effectiveness of the shield can be defined as the ratio of the magnitude of the incident magnetic (or electrostatic) field on the barrier to the magnitude of the transmitted magnetic (or electrostatic) field


Infiniium Agilent oscilloscope with a bandwidth of 6 GHz and a maximal sample rate of 40 GSa/s, antennas of the HZ–15 kit from Rohde & Schwarz. One picture of our EM measurement setup is shown in Figure 3. The board is taken backside, because we have noticed that the most leaking components were not the FPGA itself, but the decoupling capacitors that supply it with power. Those capacitors are surface mounted components (CMS) that have a fast response time, and thus radiate useful information about every distinct round of the algorithm. Moreover, they are easily accessible altogether with a large coil-shaped antenna: therefore the EM leakage of the entire FPGA is captured without precise knowledge of the placement information within the FPGA.

[Figure 1. Kalman technique description. Block diagram: the studied system, driven by the optional input control $u_k$ and the process noise $w_k$ with covariance $Q$, has true state $x_k = A x_{k-1} + B u_k + w_{k-1}$ at time $k$; the measurement device, with measurement noise $v_k$ of covariance $R$, outputs $z_k = H x_k + v_k$; the KF produces the optimal estimate of $x_k$.]

phase is represented by two equations:

$$\hat{x}_{k|k-1} = A \hat{x}_{k-1|k-1} + B u_k \qquad (3)$$

$$P_{k|k-1} = A P_{k-1|k-1} A^T + Q \qquad (4)$$

where $\hat{x}_{k|k-1}$ is the a priori state vector estimate at time $k$ given knowledge of the process up to time $k - 1$, $P_{k|k-1}$ the covariance matrix of a priori estimate error and $A^T$ the transpose of the matrix $A$. In the correction phase, the estimated state is combined with the current measurement to refine the state estimate [19]. This phase is represented by three equations:

$$K_k = P_{k|k-1} H^T (H P_{k|k-1} H^T + R)^{-1} \qquad (5)$$

$$\hat{x}_{k|k} = \hat{x}_{k|k-1} + K_k (z_k - H \hat{x}_{k|k-1}) \qquad (6)$$

$$P_{k|k} = (I - K_k H) P_{k|k-1} \qquad (7)$$

where $K_k$ is the Kalman gain at time $k$, $\hat{x}_{k|k}$ the a posteriori state vector estimate at time $k$ given measurement $z_k$, $P_{k|k}$ the covariance matrix of a posteriori estimate error and $I$ the identity matrix. One description of the Kalman filtering algorithm is shown in Figure 2.
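The recursion of equations (3) to (7), written out for the scalar case and run on a single noisy trace, is shown here as an added example; it is not the authors' code. The random-walk model (A = H = 1, B = 0), the values of Q and R and the synthetic sinusoid trace are assumptions chosen for illustration.

```python
import math
import random


def kalman_filter(z, A=1.0, B=0.0, H=1.0, Q=0.01, R=0.25,
                  x0=0.0, P0=1.0, u=None):
    """Scalar Kalman filter: equations (3)-(7) with 1x1 matrices.

    z is the list of measurements z_k; returns (estimates, gains).
    """
    x_post, P_post = x0, P0          # initialization of (x0, P0)
    estimates, gains = [], []
    for k, z_k in enumerate(z):
        u_k = u[k] if u is not None else 0.0
        # Prediction phase
        x_prior = A * x_post + B * u_k               # eq. (3)
        P_prior = A * P_post * A + Q                 # eq. (4)
        # Correction phase
        K = P_prior * H / (H * P_prior * H + R)      # eq. (5)
        x_post = x_prior + K * (z_k - H * x_prior)   # eq. (6)
        P_post = (1.0 - K * H) * P_prior             # eq. (7)
        estimates.append(x_post)
        gains.append(K)
    return estimates, gains


def steady_state_gain(Q, R):
    """Closed-form limit of K_k for the assumed model A = H = 1.

    The a priori covariance converges to the positive root of
    P^2 - Q*P - Q*R = 0, obtained by iterating eqs. (4), (5) and (7).
    """
    P_prior = (Q + math.sqrt(Q * Q + 4.0 * Q * R)) / 2.0
    return P_prior / (P_prior + R)


def mse(a, b):
    """Mean squared error between two equally long sequences."""
    return sum((x - y) ** 2 for x, y in zip(a, b)) / len(a)


def make_trace(n=2000, period=200, sigma=0.5, seed=1):
    """Constructed sample: slow sinusoid plus white Gaussian noise."""
    rng = random.Random(seed)
    clean = [math.sin(2 * math.pi * k / period) for k in range(n)]
    noisy = [c + rng.gauss(0.0, sigma) for c in clean]
    return clean, noisy


def demo():
    """Filter one trace, with no averaging over repeated acquisitions."""
    clean, noisy = make_trace()
    est, gains = kalman_filter(noisy, Q=0.01, R=0.25)
    return mse(noisy, clean), mse(est, clean), gains[-1]


if __name__ == "__main__":
    raw, filt, K = demo()
    print(f"MSE raw={raw:.4f}  MSE filtered={filt:.4f}  final gain={K:.4f}")
```

The ratio Q/R sets the trade-off: a smaller Q gives a lower gain and stronger smoothing, at the cost of more lag behind fast signal changes.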

[Figure 3. EM measurement setup.]

[Figure 2. Kalman filter algorithm: initialization of $(x_0, P_0)$, then the prediction phase equations (3)-(4) and the correction phase equations (5)-(7).]

[Figure 4. Shielding technique setup.]

A. Electromagnetic shielding results

As discussed before, the space surrounding the considered source can be divided into a far zone and a near zone. For this purpose, we show the effectiveness of the shield against electromagnetic noises by minimizing the contribution of far

IV. EXPERIMENT RESULTS
Our measurement setup consists of one Xilinx Virtex–II Pro FPGA soldered on SASEBO platform [20], an 54855


sources. Then, in the near zone, we describe how the shield can be useful to enhance DEMA attacks by decreasing the noise, which is generated by nearby sources. In order to achieve the first part of the experiment, we use a dosimeter [21] to measure the source’s exposure to the electromagnetic field in the experimental environment. Figures 5 and 6 show the detected frequencies with and without the shield. Obviously, the shield removes totally or partially the contribution of high frequencies (> 80 MHz), in the far zone.

subkey. Measurements are performed for 10 000 EM signals, then we launched the DEMA attack. As shown in Figure 7, for unaveraged EM signals (denoted as “1x avg”), five subkeys out of sixteen were found when using the shielding technique. For the basic attack (i.e. without shielding), however, we could not retrieve any subkey.

[Figure 5. Detected frequencies without shielding.]

[Figure 6. Detected frequencies with shielding.]

[Figure 7 panels: “Without shielding” and “With shielding”, each showing the sixteen Sboxes Sb0 to Sb15 for 1x, 16x, 256x and 1024x averaging, with a legend distinguishing “Broken Sbox” from “Unbroken Sbox”.]

The second part of the experiment deals with the DEMA attack. In this case, EM measurements are performed inside the shield, which is connected to the board electrical ground. As shown in Figure 4, the probe passes through the shield via a small opening. The DEMA attack is performed on an unprotected AES 128 bit implementation. The internal model that we used to extract the key is based on the expected number of bit toggles between two successive values taken by the state register over time, which is known as the Hamming distance model [22]. In order to find the entire 128 bit key, the DEMA attack is performed on sixteen AES Sboxes. For each attacked Sbox, we retrieve one 8 bit

Figure 7. AES Sboxes attack using the electromagnetic shielding.

The number of subkeys found increases with averaging, for both attacks. In fact, after averaging EM signals 1024 times, all subkeys were retrieved. Thanks to shielding, we need only 696 EM signals to break all Sboxes. On the other hand, 1579 measurements are necessary to perform a complete attack with the basic attack. Obviously, the shield enhances the quality of measurements. Therefore, the DEMA attack with shielding is more efficient than the basic attack.


using KF, the EM signals are refined as shown in Figure 10.

[Figure 8 plot: 1st-order success rate (axis from 0 to 1) versus repetition factor q (axis ticks 1, 10, 100, 1000) for 10 000 different measures, with curves “Without shielding” and “With shielding”.]

Figure 8. Success rate when breaking AES with 10 000 × q measurements, for a repetition factor q ∈ {1, 16, 256, 1 024}.

Recent security evaluation methodologies, such as that presented in [23], suggest quantifying the strength of an attack by a success rate. The o-th order success rate is defined as the probability that an attack succeeds in recovering the correct key amongst the best o guesses. In our setup, this means that the targeted subkey shall be ranked at least o-th amongst the $2^8$ candidates. The o-th order success rate can be estimated heuristically by repeating several attacks on different measurement campaigns comprised of the same number of traces. In our evaluation, we have carried out only series of 10 000 measurements with a single key, considered arbitrary. However, given that the attacked algorithm is an AES, where all the substitution boxes (sbox) are identical in functionality (they all compute the SubBytes look-up described in the NIST standard FIPS 197 [5]) and are evaluated in parallel, we can consider that the attack on each sbox is independent. As, in our experiments, the guessed round key (that of the last round) is different for each of the sixteen bytes of the state, we are actually conducting sixteen similar attacks concomitantly. This statement is a consequence of an “ergodicity” property: it holds because the outcome of an evaluation is not expected to change depending on the date at which it is conducted. So conducting all the evaluations in parallel or sequentially should yield equivalent results. Therefore, the number of broken sboxes (i.e. those for which the exact key byte has been recovered) amongst the sixteen when the number of observations is equal to 10 000 (displayed with hatching in Fig. 7) can be reinterpreted as the success rate of order o = 1 (multiplied by sixteen). As the number of broken sboxes is always larger with a Faraday cage than without, we can thus conclude that the first order success rate is greater with a Faraday cage. This result is shown in Fig. 8.
Finally, we emphasize that our prototyping experiments are done with a home-made shield. These results could be improved with a commercial-grade shield.

[Figure 9. DES first round measurement without any filtering.]

[Figure 10. DES first round measurement with Kalman filtering.]

As discussed in the introduction, the common metric used to decide for the correct hypothesis is the number of electromagnetic measurements for the key guess to stabilize. The gain in term of EM measurements using the KF is computed as follows:

$$\mathrm{Gain} \doteq \frac{N_{basic} - N_{KF}}{N_{basic}} \times 100, \qquad (8)$$

where $N_{basic}$ is the number of EM measurements required for a successful basic DEMA attack and $N_{KF}$ is the number of Kalman filtered EM measurements for a successful DEMA attack. Using the KF, we are able to make the attack faster for all Sboxes. The efficiency of the Kalman filter can be shown through Table I. As a matter of fact, we have a gain over 50% for five Sboxes.

V. CONCLUSION
We have proposed two different techniques to improve electromagnetic attacks on cryptographic implementations. Indeed, we have shown the efficiency of shielding and Kalman filtering by making the EMA attacks faster. Generally, a

B. Kalman filtering results
One typical EM measurement of the first round of DES implementation without KF is depicted in Figure 9. When


Table I
GAIN IN TERM OF EM MEASUREMENTS USING THE KF FOR DES.

| DES Sbox | Sb 0 | Sb 1 | Sb 2 | Sb 3 | Sb 4 | Sb 5 | Sb 6 | Sb 7 |
|----------|------|------|------|------|------|------|------|------|
| Gain (%) | 61.42 | 6.22 | 62.67 | 27.71 | 39.88 | 81.24 | 69.17 | 54.94 |

perfect shielding is considered as the best solution to reduce the electromagnetic noise. All the same, shielding needs to have space to accommodate the experiment. In our case (based on SASEBO), the Faraday cage needed to be ad hoc. As for Kalman filtering technique, we were able to considerably reduce the number of electromagnetic measurements needed to perform a successful attack.

REFERENCES
[1] H. Saputra, “Security issues in embedded system design,” Ph.D. dissertation, Pennsylvania State University, University Park, PA, USA, 2005, Adviser-Kandemir, M. and Adviser-Vijaykrishnan, N.
[2] P. C. Kocher, J. Jaffe, and B. Jun, “Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems,” in Proceedings of CRYPTO’96, ser. LNCS, vol. 1109. Springer-Verlag, 1996, pp. 104–113, (PDF).
[3] ——, “Differential Power Analysis,” in Proceedings of CRYPTO’99, ser. LNCS, vol. 1666. Springer-Verlag, 1999, pp. 388–397, (PDF).
[4] D. Agrawal, B. Archambeault, J. R. Rao, and P. Rohatgi, “The EM Side-Channel(s),” in CHES ’02: Revised Papers from the 4th International Workshop on Cryptographic Hardware and Embedded Systems. London, UK: Springer-Verlag, 2003, pp. 29–45.
[5] Advanced Encryption Standard (AES) home webpage. http://csrc.nist.gov/encryption/aes, 2001.
[6] W. E. Burr, “Selecting the advanced encryption standard,” IEEE Security and Privacy, vol. 1, no. 2, pp. 43–52, 2003.
[7] National Institute of Standards and Technology, FIPS PUB 46-3: Data Encryption Standard (DES). NIST, Oct. 1999, supersedes FIPS 46-2. [Online]. Available: http://www.itl.nist.gov/fipspubs/fip186-2.pdf
[8] T.-H. Le, J. Cledière, C. Servière, and J.-L. Lacoume, “Higher order statistics for side channel analysis enhancement,” in e-Smart, September 2006, Sophia-Antipolis, France.
[9] ——, “Noise Reduction in Side Channel Attack using Fourth-order Cumulant,” IEEE Transaction on Information Forensics and Security, vol. 2, no. 4, pp. 710–720, December 2007, DOI: 10.1109/TIFS.2007.910252.
[10] H. Pelletier and X. Charvet, “Improving the DPA attack using Wavelet transform,” September 2005, NIST’s Physical Security Testing Workshop. Website: http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-3/physec/papers/physecpaper14.pdf.
[11] K. L. Kaiser, Electromagnetic Shielding. CRC Press, Taylor and Francis Group, 2005, ISBN: 9780849363726.
[12] M. I. Montrose and E. M. Nakauchi, Testing for EMC compliance: Approaches and Techniques. Wiley-IEEE Press, April 8 2004, ISBN 978-0471433088.
[13] É. Brier, C. Clavier, and F. Olivier, “Correlation power analysis with a leakage model,” in CHES, ser. LNCS, vol. 3156. Springer, August 11–13 2004, pp. 16–29, Cambridge, MA, USA.
[14] R. Bevan and E. Knudsen, “Ways to Enhance Differential Power Analysis,” in ICISC, ser. Lecture Notes in Computer Science, vol. 2587. Springer, November 2003, pp. 327–342.
[15] TELECOM ParisTech SEN research group, “DPA Contest,” 2008–2009, http://www.DPAcontest.org/.
[16] J. A. Ambrose, R. G. Ragel, and S. Parameswaran, “A smart random code injection to mask power analysis based side channel attacks,” in CODES+ISSS ’07: Proceedings of the 5th IEEE/ACM international conference on Hardware/software codesign and system synthesis. New York, NY, USA: ACM, 2007, pp. 51–56.
[17] F. Rachidi, “Compatibilité électromagnétique.” Course note of École Polytechnique Fédérale de Lausanne, 2006. [Online]. Available: http://lrewww.epfl.ch/dir-CEM/Blindage.pdf
[18] P. Zarchan and H. Musoff, Fundamentals of Kalman Filtering: A Practical Approach. American Institute of Aeronautics and Astronautics (AIAA), February 2001, ISBN: 1563474557.
[19] Y. Souissi, S. Guilley, J.-L. Danger, G. Duc, and S. Mekki, “Improvement of power analysis attacks using Kalman filter,” ser. IEEE Signal Processing Society. IEEE, March 14-19 2010, Dallas, Texas, USA.
[20] A. Satoh. Side-channel Attack Standard Evaluation Board, SASEBO (Project of the AIST); SASEBO-G experimental board – http://www.rcis.aist.go.jp/special/SASEBO/SASEBO-G-en.html.
[21] ANTENNESSA (http://www.satimo.com/), “EME SPY 120: Personal Exposure Meter,” Tech. Rep. [Online]. Available: http://www.antennessa.com
[22] S. Guilley, “Contre-mesures géométriques aux attaques exploitant les canaux cachés,” Ph.D. dissertation, École Nationale Supérieure des Télécommunications, January 2007.
[23] F.-X. Standaert, T. Malkin, and M. Yung, “A Unified Framework for the Analysis of Side-Channel Key Recovery Attacks,” in EUROCRYPT, ser. Lecture Notes in Computer Science, vol. 5479. Springer, April 26-30 2009, pp. 443–461, Cologne, Germany.
