Side-Channel Attacks and Countermeasures
Power analysis, fault injection, and how smart cards defend against them.
Side-Channel Attacks on Smart Cards
Side-channel attacks exploit physical information leakage — power consumption, electromagnetic emanation, timing behaviour, or induced faults — rather than mathematical weaknesses in an algorithm. A card that is theoretically secure against cryptanalysis can be fully broken by measuring its power trace for a few seconds. Common Criteria EAL4+ with AVA_VAN.5 requires that evaluation labs demonstrate resistance against these attacks at high attack potential.
Use the EAL Comparator to identify which certified cards have passed AVA_VAN.5 side-channel resistance verification.
Simple Power Analysis (SPA) and Differential Power Analysis (DPA)
SPA/DPA — collectively side-channel attacks on power consumption — are the most widely studied class of physical attacks on smart cards.
Simple Power Analysis (SPA) uses a single power trace to visually identify algorithm steps. In an unprotected RSARSACryptographyPublic-key algorithm for smart card signatures and key exchange.Click to view → implementation, the conditional square-and-multiply steps in the exponentiation loop are visible as distinct power patterns — each "multiply" segment corresponds to a '1' bit in the private exponent.
Differential Power Analysis (DPA) is a statistical attack requiring many traces. The attacker partitions traces by a hypothesis about a small portion of the secret (e.g., one byte of an AESAESCryptographyNIST symmetric block cipher for smart card encryption.Click to view → key), computes a statistical distinguisher (difference-of-means or correlation), and iterates over all key byte hypotheses until the correct one yields a higher correlation than the rest.
| Attack | Traces needed | Key information required | Attack difficulty |
|---|---|---|---|
| SPA | 1–10 | Algorithm structure visible | Low (unprotected RSA) |
| DPA | 100–100,000 | Only ciphertext / operation type | Medium |
| CPA (Correlation PA) | 1,000–10,000 | Power model (Hamming weight) | Medium–High |
| Higher-Order DPA | 10,000–1,000,000 | Shares from masking scheme | High |
| Template Attack | Training set + 1 | Pre-characterised card family | Very high |
Fault Injection Attacks
Fault injectionFault injectionSecurityPhysical attack inducing errors to bypass security.Click to view → introduces transient errors in the card during cryptographic operations to extract key material or bypass security checks. Attack vectors include:
- Voltage glitching — momentarily dropping VCC below specification causes the CPU to skip instructions or corrupt register values
- Clock glitching — inserting a spurious clock edge causes the CPU to execute two instructions in one cycle
- Laser fault injection — a focused laser beam ionises transistors in the chip, flipping individual bits with spatial precision
The classic fault attack on RSA-CRT (Bellcore attack, 1997) requires a single faulty
signature: the attacker computes gcd(faulty_sig - correct_sig, N) to recover a
private key prime in milliseconds. Modern secure element
implementations counter this with redundant CRT computation and output verification.
Template Attacks and Machine Learning
Template attacks are the most powerful side-channel variant when the attacker has access to a characterisation device (same chip, open key). They build a multivariate statistical profile of the power leakage for each key hypothesis across all time samples simultaneously, then apply maximum likelihood matching to a single target trace.
Modern attacks increasingly use deep learning (convolutional neural networks, attention models) on raw traces, eliminating the need for a hand-crafted power model and reducing the number of attack traces needed by one to two orders of magnitude compared to classical DPA on masked implementations.
Countermeasures
Certified cards implement multiple layers of complementary countermeasures:
| Countermeasure | Attacks mitigated | Overhead |
|---|---|---|
| Boolean/arithmetic masking | SPA, DPA, CPA, template | 2–4× computation |
| Shuffling (random execution order) | First-order DPA, template | ~1.5× time |
| Dummy operations / constant time | SPA, timing side-channel | 5–30% time |
| Voltage / clock monitoring | Glitch injection | Negligible |
| Laser and EM shields (metal mesh) | Laser FI, EM probing | Manufacturing cost |
| Active shield mesh | Physical probing | Manufacturing cost |
| Redundant computation with comparison | Fault injection | ~2× time |
| Algorithm-level randomisation (randomised projective coordinates for ECCECCCryptographyEfficient public-key cryptography using elliptic curves.Click to view →) | SPA, DPA | ~10% time |
Higher-order masking — splitting a secret into d+1 shares so that any d shares are independent of the secret — is the dominant software countermeasure against DPA of order d. Cards targeting EAL 5+ routinely implement second-order masking and active hardware shields.
See Smart Card Cryptography for the algorithmic foundations that these countermeasures protect.
자주 묻는 질문
Our guides cover a range of experience levels. Getting Started guides introduce smart card fundamentals. Security guides address Common Criteria certification and key management. Programming guides target developers working with APDU commands, JavaCard applets, and GlobalPlatform card management.