# SPERO: <u>Simultaneous Power/EM Side-channel</u> Dataset Using <u>Real-time</u> and <u>Oscilloscope Setups</u>

Yunkai Bai University of Florida Gainesville, FL, USA baiyunkai@ufl.edu Rabin Yu Acharya Intel Corporation Hillsboro, OR, USA rabin.yu.acharya@intel.com Domenic Forte University of Florida Gainesville, FL, USA dforte@ece.ufl.edu

Abstract—Cryptosystem implementations often disclose information regarding a secret key due to correlations with side channels such as power consumption, timing variations, and electromagnetic emissions. Since power and EM channels can leak distinct information, the combination of EM and power channels could increase side-channel attack efficiency. In this paper, we develop a miniature dual-channel side-channel detection platform, named RASCv3 to successfully extract subkeys from both unmasked and masked AES modules. For the unmasked AES, we combine EM and power channels by using mutual information to extract the secret key in real-time mode and the experiment result shows that less measurements-to-disclosure (MTD) is used than the last version (RASCv2). Further, we adopt RASCv3 to collect EM/Power traces from the masked AES module and successfully extract the secret key from the masked AES module in fewer power/EM/dual channel traces. In the end, we generate an ASCAD format dataset named SPERO, which consists of EM and power traces collected simultaneously during unmasked/masked AES module doing encryption and upload to the community for future use.

Index Terms—Side-channel attack, RASCv3, masked AES, offline, real-time

#### I. INTRODUCTION

Modern cryptosystems operate through semiconductor logic gates, which are constructed out of transistors. As data is encrypted or decrypted, these gates emit electromagnetic (EM) radiation and cause variations in power due to the transition of these transistors. This characteristic has been leveraged over the past few decades to extract secret keys from cryptosystems in so-called side-channel attacks (SCAs) using power and EM.

The concept of power-based side-channel attacks was first introduced in Paul Kocher's seminal paper [1]. Kocher et al. [1]–[3] presented the differential power analysis (DPA) attack which exploits and enlarges power leakage differences when DES cryptographic systems process various logic bits. In 2004, Brier and colleagues [4] developed the correlation power analysis (CPA) technique, which utilizes the linear relationship between power consumption and its hamming distance (HD) to identify the correct secret key from all possible hypotheses. The EM-based side-channel attack originated from [5] in 2001 where Gandolfi et al. successfully recovered keys from EM leakage on three different CMOS chips. Agrawal et.al [6] demonstrated EM vulnerabilities in basic implementations of

This work has been supported in part by the US Army Research Office (ARO) under award number W911NF-19-1-0102.

widely used cryptographic systems like DES [7], RSA [8], [9] and COMP128 [10] across devices such as smart cards, cryptographic tokens, and SSL accelerators. Furthermore, Ding et al. [11] presented the correlation electromagnetic attack (CEMA) on the P89C668 microcomputer.

Besides these single-channel SCA attack methods, multiple papers [12]-[14] turn to recover secret keys from dual-channel information, e.g. using both EM and power traces. Compared with single-channel SCAs, dual-channel SCAs contain more information, and therefore, increase the SCA success rate with fewer traces. Standaert et al. [13] concatenated EM and power traces and their experiments show less entropy is achieved after concatenation. Souissi et.al [12] try to combine multiple channels by summing up the square of each channel. Compared with the single power channel, this sum of squares method has a larger signal-to-noise ratio (SNR), and the experiments demonstrate that fewer traces are needed to attack the same SBox. However, dual-channel attacks also require more processing resources and lack granularity in the combination of features at different time indexes. Furthermore, nearly all SCA attack papers, either single-channel or dual-channel attack, are limited to offline setups where data collection relies on traditional instruments such as oscilloscope and commercial EM probe, and processing relies on PC platforms. The offline mode faces various challenges in practical scenarios outside of the lab environment, such as power constraints, tiny space, onboard processing and remote communication. To solve these problems, Bai et.al [14] combine EM and power channels in a linear fashion by using mutual information [15]-[17] to determine the optimal coefficients for each feature. The proposed methodology is also implemented onto a miniature side-channel platform named RDCP (or RASCv2) to simultaneously measure dual-channel traces and process them to extract AES subkeys in real time. The experiment result shows the success rate of dual-channel increases by at least 30% compared to single power/EM channels in the offline mode and over 50% in the real-time mode.

In this paper, we upgrade RASCv2 to its third version, RASCv3, and create the first open-source SCA dataset containing both power and EM measurements. Our main contributions are summarized as follows:

 RASCv3's design is described and its features are compared with other side channel measurement systems, including RASCv2, traditional oscilloscope and probe, and Chipwhisperer. Unlike the oscilloscope and the Chipwhisperer, RASCv3 has advantages in low cost and diminutive size while obtaining desired results.

- We also upgrade and describe RASC's near-field antenna design so that EM traces collected with RASCv3 have higher SNR.
- RASCv3's offensive capabilities are compared with RASCv2 for unmasked AES encryption in single and dualchannel variants. Fewer traces are needed to achieve a 100% subkey extracting rate. Furthermore, masked AES is proven breakable by RASCv3 for all 16 subkeys with more traces needed than unmasked cases. For this, we extend a secondorder side-channel attack to utilize information from both power and EM channels.
- The dual-channel traces collected by using oscilloscope and RASC setups are named SPERO, and have been uploaded to GitHub for academic use by peers [18]. To our knowledge, there is no other dataset collecting EM and power simultaneously.

The remainder of this paper is organized as follows. Section II introduces the design of RASCv3, its upgrade from RASCv2, and its comparison with other side-channel detection setups. Section III introduces the key concepts of designing a near-field antenna for RASCv3 and its comparison with commercial EM probe [19] and RASCv2's antenna. In Section IV, we implement the proposed methodology into RASCv3 and extract subkey from both normal (unmasked) and masked AES encryption. It includes the experimental setup, results, and discussion. We conclude and offer directions for future work in the last section.

## II. OVERVIEW OF RASC

#### A. What is RASC?

Traditional side-channel analysis turns to sophisticated instruments such as oscilloscopes which are infeasible for infield use and power hungry. To resolve this, we previously proposed RASC (short for, remote access to a side-channel platform), an external miniature monitor, that performs side-channel analysis for offensive (e.g., secret extraction) and defensive purposes (e.g., disassembly and malware detection) on a target chip. The first version of RASC was introduced by Stern et al. in 2019 [20], and the upgrade version (RASCv2) was first presented by Bai et al. in 2022 [21]. In this section, we introduce the design of the third version of RASC (RASCv3) and compare it with RASCv2 and traditional side-channel instruments, such as oscilloscope and EM probe.

# B. Structure and Specs of RASCv3

Figure 1 presents the structure of the RASCv3 while its high-level schematic is shown in Figure 2. RASCv3 consists of two boards, referred to as PCB1 and PCB2. PCB1 contains two ADCs for simultaneously sampling EM and power traces, an FPGA for data processing, and a few I/O ports for external connections. PCB2 has an electrical pad connecting to an external printable near-field antenna, and an amplifier for



Fig. 1. RASCv3 cross-sectional structure and CONOP.



Fig. 2. RASCv3 schematic.

enhancing captured EM waves. The connection of two PCB boards is presented in Figure 1, i.e., the two boards could be attached to each other and stacked on top of the target chip. For repeatability, we 3D print a holder to position RASC [21] on top of the target chip in its operational scenario. EM traces are could be gathered by the near-field of antenna and the power of the RASC board could be supplied by the power source of the target chip. Compared with RASCv2, RASCv3 adjusts its design and upgrades its key specs so that it can handle more sophisticated experiments and practical applications. The main chip and functional upgrades are:

1) ADCs. Compared with the 8-bit ADC(ADC08200) on RASCv2 (200MS/s, 500MHz, 8-bit), the new ADC on RASCv3 (LT2242 [22]) could achieve faster sampling (250 MS/s at maximum), larger bandwidth (1GHz), and higher voltage sensitivity (12-bit). Faster sampling allows the ADC to capture more data points within a given period, and it recovers side-channel leakage more accurately as evident in later experiments. With 12-bit resolution, the minimum detecting voltage is around 1mV, allowing RASCv3 to infer minor changes in power/EM. Also, RASCv2 output only support CMOS mode so that its detecting range is from 0V to 3V. Thus, it lacks the ability to detect negative voltage and this seriously affects



Fig. 3. Size comparison of oscilloscope, RASCv2, and RASCv3.

the integrity of EM traces [21]. In RASCv3, the LT2242 supports LVCMOS mode so that its voltage detecting range is from -1V to 1V, allowing entire EM traces to be collected.

- 2) **FPGA.** Compared with the Spartan 3e FPGA [23] on RASCv2, Artix-7 xca100t [24] is chosen on RASCv3 for its *larger memory*, *higher clock rate*, and additional *I/O ports*. RASCv2's memory was sufficient for simple algorithms such as linear SVM classifiers with limited features. In RASCv3, the memory is over 1000Kb, allowing more complex and nonlinear classifiers such as QDA. These upgrades allow RASCv3 to contain more sophisticated SCA methods and the ability to process longer traces in real-time experiments.
- 3) **EM Antenna.** In RASCv2, we inserted a four-loop internal near-field antenna into PCB2. It helps gather EM waves from the target board, and the subkey could be successfully extracted in an unmasked AES-128 subkey extracting experiment [21]. However, as mentioned in [21], the SNR ratio of the internal layer of the antenna is affected by the connection between layers, and this impacts key extraction efficiency. In RASCv3, we substitute the internal antenna with a cheaper and printable near-field antenna. This new antenna has advantages in *reduced cost* (< \$1), *higher SNR ratio*, and *better portability*.

Figure 3 shows RASCv3 compared to RASCv@ and an oscilloscope. The size of RASCv2 is about this size of a quarter while RASCv3 is about 50% larger. Considering the balance of size and performance, RASCv3 could still be thought of as small and suitable for deployment outside of lab environments.

# C. Working Modes of RASC

In this paper, we consider offline and real-time modes to extract AES key information:

 Offline mode. Here, an oscilloscope and commercial probe are used to collect EM/power traces and store them first. These traces are sent to a PC through UART for processing and key extraction. 2) Real-time mode. In this mode, we use RASC to collect power/EM traces and implement DPA attacks on RASC's FPGA to extract the subkey bits internally. The extracted subkey bits are then transmitted to a PC through UART.

# D. Comparison between RASC and oscilloscope

Table I compares RASCv3, RASCv2, MDO3102 oscilloscope, and ChipWhisperer [25] which is a popular commercial board. The highlights are as follows:

- 1) **Price.** The traditional side-channel analysis system consists of a commercial EM probe and oscilloscope. The oscilloscope (Tektronix MDO 3102) in our lab can sample data over 5 GS/s and costs over \$16,000, and the commercial EM probe also costs over \$800. However, the total cost of RASCv2 is around \$250 (produced at low volume), which is comparable to ChipWhisper lite edition (produced at high volume). RASCv3 upgrades RASCv2's functionality and costs around \$400 (also at low volume). The cost of RASC (v2 and v3) could be dropped to a much lower value if RASC is fabricated in larger quantities like commercial systems.
- 2) Size. RASCv2 and RASCv3's size are shown in Figure 3. Even though RASCv3 is 50% larger in size, it still could be thought of as small. The tiny body of two versions of RASC could let them be easily placed into narrower spaces to monitor IoT devices. Benchtop oscilloscopes commonly used in SCA cannot.
- 3) Voltage Testing Range. The testing voltage range of two ADCs on RASCv2 is from 0V to 3.3V, and RASCv3 is from -1V to 1V. For both power/EM ADC, the range of RASCv3 is acceptable since this range covers the power supply of most commercial FPGA/MCU development boards. Compared with two versions of RASC and ChipWhisperer, the oscilloscope has a much more extensive testing range.
- 4) Sampling Speed. The oscilloscope has the advantage of sampling speed. As for Tektronix MDO 3102, the maximum sampling speed could reach 5 GS/s. The sampling speeds of RASCv2/RASCv3 and ChipWhisperer are smaller than the oscilloscope. Sampling speed is more important in sophisticated experiments such as finegrained malware detection and disassembly.
- 5) Remote Communication. The RASCv2 and RASCv3 both support Bluetooth communication over 20 meters. This functionality allows RASC to work remotely and communicate results to attack/defense parties. However, ChipWhisper and the oscilloscope do not support this feature.
- 6) Resolution. RASC's resolution is increased from 10mV to 1mV between versions 2 and 3. The new version of RASC (RASCv3) is comparable to the resolution of the ChipWhisperer board. Even though the oscilloscope can detect faint changes in voltage/EM, RASC performs quite well in our experiments.
- 7) **Programmable.** On both RASCv2 and RASCv3 PCB1, we set 14 I/O ports. FPGA code can be loaded on PCB1

 $TABLE\ I$  Comparison between traditional side-channel analysis systems, ChipWhisperer, RASCv2, and RASCv3.

| Property\Setup       | Oscilloscope [26] + EM antenna [19] | ChipWhisperer-Lite 32-Bit [25] | RASCv2 [21] | RASCv3 (This paper) |
|----------------------|-------------------------------------|--------------------------------|-------------|---------------------|
| Cost                 | >\$16,000                           | \$250                          | \$250       | \$400               |
| Size                 | 20cm×42cm×15cm                      | 11.5cm×8.8cm                   | 2.5cm×2.5cm | 3.8cm×3.8cm         |
| Test Voltage Range   | [-20V, 20V]                         | [-1V, 1V]                      | [0, 3.3V]   | [-1V, 1V]           |
| Sampling Speed       | 5 GS/s                              | 105 MS/s                       | 200 MS/s    | 250 MS/s            |
| Remote Communication | No                                  | No                             | Yes         | Yes                 |
| Resolution           | 16-bit, 60μV                        | 10-bit, 1.95mV                 | 8-bit, 10mV | 12-bit, 0.5mV       |
| Programmable         | No                                  | Yes                            | Yes         | Yes                 |

to achieve many different functionalities. The oscilloscope can access Matlab on the laptop and supports API code. However, this is not as flexible as compared to an FPGA.

In conclusion, RASCv3 has advantages in low price, small footprint, and remote communication. At the same time, compared with oscilloscopes, it has limitations in the sampling speed, resolution, and voltage testing range. However, in many scenarios like cracking AES-128 subkeys, there is no need to sample traces at such high speeds. In other words, the RASC can serve as a substitute for an oscilloscope in practical defense/offense applications.

#### III. NEAR-FIELD ANTENNA DESIGN

#### A. Antenna Principles and Considerations

In SCA real-time scenarios, the near-field antenna transforms EM leakage from the useful signal source (e.g., VDD or GND) on the target chip to current. After that, RASC detects the voltage when the current of the antenna goes through a load resistance. More power received by the antenna will cause a larger amplitude and higher SNR of EM traces. A higher SNR could increase the subkey extracting efficiency in the SCA experiment. Our near-field antenna is designed carefully to increase received power received power  $P_r$  based on equations from a common radars book [27].

$$P_r = \frac{P_t G A_e \sigma}{(4\pi)^2 R^4} \tag{1}$$

Here,  $P_r$  and  $P_t$  stands for the received and transmitted power. G is the antenna gain. A is the effective aperture of the receiving antenna.  $\sigma$  is the radar cross-section of the target. R is the distance between the transmitter and the target.

In our case, the diameter for the near-field antenna is decided by the size of the RASC's PCB2, and its max size is  $2\text{cm} \times 2\text{cm}$ . When working, the near-field antenna is arranged to a position with a fixed parallel angle and a fixed close distance (e.g., 1mm) to a fixed signal source on the target board. The transmitted power  $P_t$ , the distance R and the directivity (D) could be thought of as the same. Besides, considering the diameter of our antenna, our antenna clearly receives the near-field EM wave, and we can ignore the radar cross-section  $(\sigma)$  since it is a far-field parameter. Thus, the parameters most significantly affecting the received power is the effective aperture (A) and the antenna gain (G). A and G are computed as follows:

$$A_e = e_{cd} \frac{\lambda^2}{4\pi} D \tag{2}$$

$$G = e_{cd}D (3)$$

In formula 4,  $R_r$  is the radiation resistance, and  $R_L$  is the loss resistance. The radiation resistance  $R_r$  is used to represent in the receiving mode the transfer of energy from the free-space wave to the where D stands for the directivity of the antenna to the signal source and  $e_{cd}$  is the radiation efficiency. The directivity of an antenna is defined as "the ratio of the radiation intensity in a given direction from the antenna to the radiation intensity averaged over all directions" [28]. Considering the angle between the near-field antenna and the signal source is set to a fixed ideal angle, the directivity remains the same. Thus, A and G are determined by the radiation efficiency  $(e_{cd})$  as shown in Eqn. (4).

$$e_{cd} = \frac{R_r}{R_L + R_r} \tag{4}$$

In the above equation,  $R_r$  is the radiation resistance and  $R_L$  is the loss resistance. The radiation resistance  $R_r$  is used to represent the transfer of energy from the free-space wave to the antenna in the receiving mode [28]. The loss resistance  $R_L$  refers to the resistance that results in power loss.  $R_r$  and  $R_L$  for N-turn circle antennas are presented as follows.

$$R_r = 20\pi^2 \left(\frac{C}{\lambda}\right)^4 N^2 \tag{5}$$

$$R_L = \frac{NC}{2\pi b} \sqrt{\frac{\omega \mu_0}{2\sigma}} \tag{6}$$

Here, C is the circumference, N stands for the number of turns, b is the diameter of the wires,  $\omega$  is the angular frequency of the target source,  $\mu_0$  is the permeability of free space, and  $\sigma$  is the conductivity of the material from which the antenna is made. Substituting Eqns. (5) and (6) into Eqn. (4), we obtain

$$e_{cd} = \frac{20\pi^2 (\frac{C^3}{\lambda^4})N}{\frac{1}{2\pi b}\sqrt{\frac{\omega\mu_0}{2\sigma}} + 20\pi^2 (\frac{C^3}{\lambda^4})N}.$$
 (7)

Based on Eqn. (7), it is clear the circumference (C) and turns (N) have a positive relationship with radiation efficiency  $(e_{cd})$ . In other words, under the case of the same distance and same direction, a larger size and/or more turns could lead to higher radiation efficiency  $(e_{cd})$ . This in turn could create a higher effective aperture (A) and the antenna gain (G) in order to receive more power from the signal source. However, increasing C and N does not mean everything for higher amplitude in the SCA experiments. The voltage received at the



Fig. 4. Near-field antenna comparison. Left is the commercial EM probe, Right top is the printable antenna for RASCv3 board 3. The right middle is the near-field antenna on RASCv3 board 2. The right bottom is the internal antenna inside RASCv2 board 2.

side-channel instrument (such as an oscilloscope or RASC) is presented in Eqn. (8).

$$V_{inst} = \sqrt{\frac{P_r}{R_{ant}}} R_{inst} \tag{8}$$

 $V_{inst}$  stands for the voltage at the side-channel instrument side.  $R_{inst}$  denotes the load resistance at the side-channel instrument side and can be thought of as the same in the analysis.  $P_r$  and  $R_{ant}$  refer to the received power and resistance of the near-field antenna.

Even if the radiation efficiency  $(e_{cd})$  increases and the antenna gets more power  $(P_r)$ , the more turns and larger size antenna could also significantly increase the resistance of the antenna  $R_{ant}$ . The induced current of the antenna could be seriously decreased, and the amplitude of the voltage of the instrument side could also be affected. For larger  $V_{inst}$ , the near-field antenna should receive much power  $(P_r)$  from the signal source but maintain a low resistance  $(R_{ant})$  by adjusting the turns (N) and the circumference (C). Thus, the number of turns and size of the antenna should be adjusted carefully according to practical considerations, ensuring they are neither too large nor too small.

#### B. Antenna Designs Per RASC Version

In RASCv1 [20], a one-layer near-field antenna of ly  $1.5 \text{cm} \times 1.5 \text{cm}$  dimensions was inserted into the internal layer PCB2. Although it was supposed to obtain at least -40dB signal, it was unable to do so because PCB material in RASCv1 significantly weakened the received power  $(P_r)$  and caused low voltage amplitude  $(V_{inst})$  at the instrument side. Furthermore, the low amplitude  $V_{inst}$  led to poor SNR of



Fig. 5. Near-field antenna magnitude comparison.

the received EM waves. Thus, RASCv1's EM traces proved useless for SCA experiments.

Based on the lessons learned from RASCv1, the size of the near-field antenna in RASCv2 was increased to  $2\text{cm} \times 2\text{cm}$ , and 4 turns of the near-field antenna were separated into 4 internal layers of PCB2. The improvement of the circumference (C) and turns (N) significantly increased the detected voltage amplitude and the received EM traces were effective in the SCA experiments [21]. However, the transmission efficiency  $(e_{cd})$  was still affected by the internal connection between PCB layers, and the structure of the internal layers increased RASCv2's cost.

In RASCv3, we leave two connection pads on the bottom layer to connect to a 2cm×2cm printable antenna shown in Figure 4. The printer used is the DMP-2850 from Dimatix. The ink used is NPS-L ink from Iwatani Corporation, and mainly consists of silver and isohexadecane. By printing the antenna, it is easy for us to iteratively improve its design and makes RASCv3 capable of adapting to more challenging scenarios. To prevent the short circuit between the near-field antenna and the signal source, we designed a holder (white frame presented in Figure 4).

### C. Quantitative Antenna Comparison

Four different antennae are tested in this section: commercial EM probe (RF-K74 from LANGER EMV Technik [19]), antenna inside RASCv2, antenna on RASCv3, and printable antenna for RASCv3. In figure 5, we test the magnitude of each versus frequency. All antennae are set to the same position 2mm above the Arduino UNO GND port during the response magnitude testing. Eqn. (9) explains how we calculate the magnitude.

$$I = 20 \log \left( \frac{V_{test}}{V_{ref}} \right) \tag{9}$$

 $V_{ref}$  stands for the reference voltage of the signal source and it is 3V in our experiment.  $V_{test}$  denotes the response voltage of three antennae during the testing.

The EM response of the 4-turn internal antenna inside RASCv2 has the lowest magnitude among these four antennae. Luckily, we arrange  $100\times$  amplifier circuit on RASCv2 to augment the signal. The antenna on RASCv3 also has 4 turns but is designed on the bottom layer of RASCv3. Compared

with the internal antenna inside RASCv2, it could receive signals without interference from PCB layers. Thus, the detected voltage from RASCv3 is higher than the internal antenna inside RASCv2. Compared with the antenna on the bottom of RASCv3, the printable antenna has  $1.5\times$  the circumstance and  $2\times$  wider traces. This modification lowers the resistance and could increase the magnitude of the printable antenna, as shown in Figure III-C. For the commercial EM probe, it has the highest magnitude among all four antennae in the testing.

For the cost, the commercial EM probe is around \$800 while the internal antenna for RASCv2 is \$100. The printable antenna is the cheapest and it costs around 1 US dollars. Besides, our designed antennae (internal and printable) are more flexible to use. They can be situated on the target chip to work with either RASC or an oscilloscope. However, the commercial EM probe can only be matched with an oscilloscope and holder.

# IV. MASKED/UNMASKED AES CRACKING EXPERIMENTS

### A. Introduction to Masked and Unmasked AES

The Advanced Encryption Standard (or AES) [29] is a widely used symmetric-key encryption algorithm that provides strong security for data protection. While it remains effective against brute force, mathematical, and even quantum attacks, it is still vulnerable to side-channel attacks (SCAs). SCAs utilize the side-channel leakage caused by transitions inside gates of a chip to infer secret information of the encryption module, such as encryption keys. Till now, many papers have shown that SCAs could extract subkeys of AES with few traces.

Masked AES, however, is a variant of AES designed to enhance the security of AES implementations, particularly against SCAs. Attacking a first-order masking scheme requires a second-order SCA. The masked AES code used in this paper is available on Github [30], and is listed in Algorithm IV-A for the reader's reference. Unlike normal (unmasked) AES encryption, masked AES randomly generates 16 8-bit masked vectors (m[0], ...m[15]) to mask all processed values, including round key, plaintext, and the Sbox. In line 7 to 10 of Algorithm IV-A, m[4], m[6], m[7], m[8], and m[9] are used to mask 16 round keys. In line 14 to 17, m[6], m[7], m[8], and m[9] are adopted to mask 16 plaintext bytes. In lines 20-22, the Sbox is masked with m[5]. The intermediate value after AddRoundKev and Sbox operation are masked by m[4] and m[5] in Eqns. (10) and (11). After masking, first-order attacks cannot make the correct assumption of any intermediate values after masking AddRoundKey and Sbox outputs.

$$p'[i] \oplus s'[i] = p[i] \oplus s[i] \oplus m[4], i = 1, \dots, 16$$

$$sbox'(p'[i] \oplus s'[i]) = sbox(p[i] \oplus s[i]) \oplus m[5], i = 1, \dots, 16$$
(10)

Though one cannot directly guess the output of a single Sbox output, we still can guess the XOR of two Sbox outputs since all 16 Sbox bits share the same mask (m5), and XOR of any two Sbox output bits could remove the random mask (m5) [31], [32]. This is presented in Eqn. (12). Here, sbox

# Algorithm 1 Masked AES-128 implementation

```
1: Input: 16-byte plaintext p[0], \ldots, p[15]
          16-byte mask vector m[0], \ldots, m[15]
          16-byte master key s[0], \ldots, s[15]
 4: Output: 16-byte ciphertext c[0], \ldots, c[15]
                                                       5: for i = 0 to 3 do
        s'[i*4] = s[i*4] \oplus (m[6] \oplus m[4]);
        s'[i*4+1] = s[i*4+1] \oplus (m[7] \oplus m[4]);

s'[i*4+2] = s[i*4+2] \oplus (m[8] \oplus m[4]);

s'[i*4+3] = s[i*4+3] \oplus (m[9] \oplus m[4]);
 7:
10: end for
                                                         11: for i = 0 to 3 do
        p'[i*4] = p[i*4] \oplus (m[6] \oplus 0);
12:
        p'[i*4+1] = p[i*4+1] \oplus (m[7] \oplus 0);
13:
        p'[i*4+2] = p[i*4+2] \oplus (m[8] \oplus 0);
14:
        p'[i*4+3] = p[i*4+3] \oplus (m[9] \oplus 0);
15:
16: end for
17: for i = 0 to 15 do
                                                             ▶ Mask Sbox
        sbox'[i \oplus m[4]] = sbox[i] \oplus m[5];
18:
19: end for
20: for round = 1 to 9 do
        for i = 0 to 15 do
21:
22:
            state[i] = p'[i] \oplus s'[i];
23:
24:
        for i = 0 to 15 do
25:
            state[i] = p'[i] \oplus s';
26:
        for i = 1 to 16 do
27:
            state[i] = sbox[state[i]]; \\
28:
29:
        end for
        ShiftRows(state);
30:
        Remask(state, m[0], m[1], m[2], m[3], m[5]);
31:
        MixColumns(state);
32:
33: end for
34:
                                                              35: return (c[1], \ldots, c[16])
```

is unmasked Sbox and sbox' is masked Sbox. state is the intermediate value during the encryption.

$$HW(sbox'(state[i]) \oplus sbox'(state[j]))$$
  
=  $HW(sbox(state[i]) \oplus sbox(state[j]))$  (12)

If we only focus on a single bit of XOR value of two masked Sbox outputs, the hamming weight (HW) of XOR value also equals to the absolute difference of two masked Sbox output HW [32], i.e.,

```
HW(sbox'(state[i]) \oplus sbox'(state[j]))
= HW(sbox(state[i]) \oplus sbox(state[j]))
= ||HW(sbox'(state[i])| - |HW(sbox'(state[j]))|| \quad (13)
```

When a second-order attack is implemented to attack this masking scheme, two 8-bit subkeys are attacked at the same time, and thus 65536 (256×256) hypotheses need to be checked. Based on Eqn. (13), we pair two subkeys from all 16 subkey bits (s[0] and s[1], s[2] and  $s[3], \ldots, s[14]$  and s[15]) and guess two subkeys of masked AES at the same time. For single-channel second-order attack, we first calculate the absolute difference between Sbox position i and j in power/EM traces ( $P_i, P_j, EM_i, EM_j$ ) to get power absolute difference

<sup>&</sup>lt;sup>1</sup>Apostrophes in equations and in Algorithm IV-A refer to masked variables.

 $AP_{ij}$  and EM absolute difference  $AEM_{ij}$  in Eqns. (14) and 15. The power and EM absolute value is adopted to describe ||HW(sbox'(state[i])| - |HW(sbox'(state[j]))|| for single-channel power/EM attacks.

$$AP_{ij} = ||P_i| - |P_j|| \tag{14}$$

$$AEM_{ij} = ||P_i| - |P_j|| \tag{15}$$

For the dual-channel (power and EM) second-order attack, we adopt combination coefficient  $\alpha$  (range in [0,1]) to combine absolute power value( $AP_{ij}$ ) and absolute EM value( $AEM_{ij}$ ) to get absolute combined value  $AZ_{ij}$  [14].

$$AZ_{ij} = \alpha * AP_{ij} + (1 - \alpha) * AEM_{ij}$$
 (16)

Then, we calculate the index of combination coefficient  $\alpha$  using the method proposed in our prior work [14] that makes the highest correlation I between absolute combined value  $AZ_{ij}$  and two Sbox output hypothesis  $HW(sbox'(state[i]) \oplus sbox'(state[j]))$ .

#### B. SPERO Dataset

In this section, we briefly describe our SPERO dataset, including the unmasked/masked AES code, our experimental setup, and the structure of our dataset.

- 1) AES code: There are two AES codes considered in this paper, and a brief explanation of each is given below. Unmasked AES is typical AES-128 (in ECB mode) software implementation and it could be found on website [33]. Masked AES is from Github [30], which is used by many peers in this area. The masked AES code generates the mask at the beginning of the round and removes them after the ShiftRows operation. Thus, the selected masked AES code does not leak during the Sbox computation.
- 2) Experiment Setup: In our experiments, we gather EM and power traces at the same time when the attack target is encrypting data. The target board is Arduino UNO and its core frequency is 16MHz. The sampling speed of our oscilloscope MDO3102 is set to 100MS/s in the unmasked AES experiment and 500MS/s in the masked AES experiment. The sampling speed of RASCv3 is 160MS/s in both masked/unmasked experiment.
- 3) Dataset Structure: Our dataset [18] follows the format and structure of the popular side-channel attack dataset called ASCAD [34]–[37]. As shown in Figure 6, we collected 2000-feature power/EM traces for the third subkey of the first round of unmasked and masked AES encryptions. Since each subkey of unmasked/masked AES consists of 8 bits, there are a total of 256 possible subkey values. For each subkey value, we have gathered 256 traces, where the plaintext at position 3 varies from 0x00 to 0xFF. Consequently, there are a total of 131072 (256×256×2) power/EM traces for both unmasked and masked AES encryption. In these 131072 traces, the first 100000 of EM/power traces have been organized into the profiling folder, while the remaining 31072 traces have been placed in the testing folder. Furthermore, each power/EM trace is labeled sequentially and accompanied by essential



Fig. 6. Unmasked/masked AES dataset organization.

information, including the label's sequence number, channel, and plaintext value. Lastly, we have included a tutorial text to guide users in opening the files using the provided Python script. Upon publication, the unmasked/masked AES ASCAD file will be made available for download on GitHub.

# C. Single and Dual-channel Attack Results on Unmasked AES

In this subsection, we examine the measurements-todisclosure (MTD) for key extraction against unmasked AES in both offline and real-time modes. The offline mode result is presented in Table II and it could be found in our earlier work [14]. For offline mode, Table II shows the MTD for 100% success rate with the differential attack for all 16 AES-128 subkeys on two Arduino UNO boards. We profile on Board 1 and test on Boards 1 and 2 to examine generalizability. To be more specific, power/EM channel refers to only using power/EM features and the "Combined" results combine EM and power channel using the dual channel methodology presented in [14]. In the offline experiments, we arrange the commercial EM probe closely near the signal source to collect EM traces. For collecting EM waves, the selected position is closer to the signal source and the interference signals/white noise on board attenuate through the air. Thus, as presented in a table, the power channel has a lower SNR ratio than the EM channel and needs more traces to achieve a full extraction rate than the EM channel. Besides, the experimental result in the table shows the combined feature is more efficient in extracting the secret key. That is, the proposed approach only needs 267

TABLE II
MTD FOR UNMASKED AES-128 ENCRYPTION MODULE IN OFFLINE MODE
USING DIFFERENTIAL ATTACK,

| Subkey | Power   |         | EM      |         | Combined |         |
|--------|---------|---------|---------|---------|----------|---------|
| Subkey | Board 1 | Board 2 | Board 1 | Board 2 | Board 1  | Board 2 |
| 1      | 150     | 150     | 100     | 100     | 70       | 85      |
| 2      | 400     | 350     | 250     | 250     | 160      | 200     |
| 3      | 950     | 900     | 750     | 600     | 420      | 400     |
| 4      | 800     | 800     | 400     | 400     | 350      | 350     |
| 5      | 800     | 800     | 380     | 400     | 320      | 300     |
| 6      | 200     | 170     | 80      | 100     | 40       | 50      |
| 7      | 1200    | 1150    | 1000    | 950     | 450      | 450     |
| 8      | 1000    | 1000    | 700     | 750     | 400      | 420     |
| 9      | 800     | 800     | 400     | 380     | 300      | 300     |
| 10     | 200     | 250     | 150     | 150     | 60       | 50      |
| 11     | 300     | 320     | 250     | 280     | 150      | 180     |
| 12     | 1000    | 900     | 650     | 600     | 450      | 430     |
| 13     | 1000    | 950     | 550     | 550     | 400      | 400     |
| 14     | 300     | 320     | 200     | 200     | 140      | 150     |
| 15     | 700     | 650     | 400     | 450     | 350      | 350     |
| 16     | 400     | 400     | 250     | 250     | 200      | 250     |
| Avg.   | 637     | 619     | 394     | 400     | 267      | 272     |

traces on average for extracting subkeys from board 1 and 272 traces for board 2.

In the real-time mode, we implement DPA algorithms onto RASC and let it extract the subkey bits internally. Before that, we adopt feature key extraction methods such as minimum redundancy and max relevance (mRMR [15]) to determine the useful features. This is significantly important for better combining the power/EM features and saving the FPGA's memory. The details of how we implement the proposed methodology in real-time were presented in [14]. We perform real-time attacks using RASCv2 and RASCv3 and report the results in Tables III and IV, respectively. Compared with the offline mode results in Table II, the real-time mode results need more traces to achieve a 100% success rate. The average MTD for power/EM/combined channel of board 1 using RASCv2 is 3171, 5637, and 2450. Using RASCv3, they are 2571, 4040, and 2134, demonstrating that it needs fewer traces due to its higher sensitivity (12-bit vs. 8-bit). Besides, the LT2242 [22] ADC on RASCv3 has advantages in lower SNR(65.4dB) compared with ADC08200 ADC(43.4dB) on RASCv2. Furthermore, the detecting range of the ADC08200 ADC on the RASCv2 board is set to the range of 0V to 3V [21] and this causes some issues when detecting minus voltages. Though the external voltage level shifter circuit could raise trace voltage to 0V-3V for RASCv2, it still affects lowering the SNR ratio of the whole EM traces, and this is part of the reason that RASCv3 uses fewer MTD EM traces than RASCv2 in real-time mode. Another reason contributes to the usage of various antennae for RASCv3. In the realtime mode of attacking unmasked AES inside RASCv2, the internal EM antenna inside RASCv2 is distributed in four inner layers of RASC. The bad interconnection between different antenna layers undermines the SNR of collected EM traces from RASCv2. For RASCv3, we adopt a printable antenna to receive EM waves. As shown in Figure 5, the printable antenna for RASCv3 has a higher magnitude than the internal antenna inside RASCv2 and a better structure in design. This leads to

TABLE III
MTD FOR UNMASKED AES-128 ENCRYPTION MODULE IN REAL-TIME
USING DIFFERENTIAL ATTACK INSIDE RASCV2 [14].

| Subkey | Power   |         | EM      |         | Combined |         |
|--------|---------|---------|---------|---------|----------|---------|
| Subkey | Board 1 | Board 2 | Board 1 | Board 2 | Board 1  | Board 2 |
| 1      | 350     | 500     | 1200    | 1200    | 300      | 400     |
| 2      | 2500    | 3000    | 6000    | 6500    | 2000     | 2200    |
| 3      | 5000    | 5500    | 7000    | 7500    | 4000     | 4500    |
| 4      | 4000    | 5000    | 7500    | 7800    | 3500     | 4000    |
| 5      | 3000    | 5000    | 5000    | 6000    | 2500     | 3500    |
| 6      | 150     | 200     | 500     | 650     | 100      | 150     |
| 7      | 5500    | 6000    | 10000   | 10000   | 4000     | 4500    |
| 8      | 2500    | 3500    | 5500    | 6500    | 2000     | 3000    |
| 9      | 3000    | 3500    | 8000    | 8000    | 2000     | 3000    |
| 10     | 550     | 900     | 3000    | 4000    | 500      | 700     |
| 11     | 3000    | 4000    | 7500    | 8000    | 2500     | 3000    |
| 12     | 6000    | 6500    | 9000    | 9000    | 4000     | 4200    |
| 13     | 6000    | 6500    | 9500    | 9500    | 4500     | 4700    |
| 14     | 3000    | 3000    | 7000    | 7000    | 2500     | 2500    |
| 15     | 5000    | 5000    | 1000    | 10000   | 4000     | 4000    |
| 16     | 1200    | 1500    | 2500    | 2500    | 800      | 900     |
| Avg.   | 3171    | 3725    | 5637    | 6509    | 2450     | 2828    |

TABLE IV
MTD FOR UNMASKED AES-128 ENCRYPTION MODULE IN REAL-TIME USING DIFFERENTIAL ATTACK INSIDE RASCV3.

| Subkey | Power   |         | EM      |         | Combined |         |
|--------|---------|---------|---------|---------|----------|---------|
| Subkey | Board 1 | Board 2 | Board 1 | Board 2 | Board 1  | Board 2 |
| 1      | 300     | 350     | 650     | 800     | 200      | 250     |
| 2      | 2200    | 2300    | 4000    | 5000    | 1800     | 1900    |
| 3      | 4500    | 4600    | 6000    | 7000    | 3600     | 3800    |
| 4      | 3500    | 3800    | 5000    | 6000    | 3000     | 3100    |
| 5      | 2500    | 2700    | 4000    | 4600    | 2000     | 2300    |
| 6      | 150     | 200     | 500     | 600     | 100      | 150     |
| 7      | 5000    | 5300    | 7000    | 8000    | 3500     | 3900    |
| 8      | 2000    | 2200    | 3500    | 4500    | 1700     | 1900    |
| 9      | 2000    | 2400    | 5000    | 6000    | 1500     | 1800    |
| 10     | 500     | 800     | 2000    | 2500    | 450      | 550     |
| 11     | 2500    | 2800    | 3500    | 4000    | 2300     | 2800    |
| 12     | 4500    | 4800    | 5500    | 6500    | 4000     | 4300    |
| 13     | 4500    | 5000    | 6000    | 7200    | 4000     | 4200    |
| 14     | 2500    | 2700    | 4000    | 5300    | 2200     | 2300    |
| 15     | 3500    | 4000    | 6000    | 7000    | 3000     | 3200    |
| 16     | 1000    | 1300    | 2000    | 2500    | 800      | 900     |
| Avg.   | 2571    | 2828    | 4040    | 4843    | 2134     | 2333    |

a higher SNR ratio of the EM waves collected by RASCv3, and less MTD to achieve 100% subkey extracting rate in the EM channel.

Compared with the offline mode results, RASCv3 still needs more traces to achieve a 100% success rate, either in single Powe/EM or dual-channel. Part of the reason is we bypass division and decimal calculation inside FPGA, and this reduces the attack accuracy. Other potential reasons are due to the BNC connector port and better impedance matching in the oscilloscope. This could always let oscilloscopes achieve better sampling in collecting EM or power traces. Nevertheless, the real-time experiments still demonstrate the efficiency of the proposed dual-channel methodology in paper [38]. That is, it achieves a higher success rate compared to a single EM/power channel with the same amount of traces and has lower MTD.

#### D. Single and Dual-channel Attack Results on Masked AES

The masked AES generates random masks during each encryption, making a first-order SCA theoretically impossible. Here, we collect 10 million traces during a fixed vs random



Fig. 7. T-test result of masked AES using 10M traces.

For extracting subkeys from masked AES, we use the second-order attack described in Section IV-A to extract two subkeys at the same time, e.g., subkeys 1 and 2, subkeys 3 and 4, ..., subkeys 15 and 16. We list the second-order differential attack MTD against masked AES offline mode using traces collected by an oscilloscope in Table V and RASCv3 in Table VI. For this comparison, we arrange the printable antenna near the signal source to collect EM traces in both oscilloscope and RASC experiments. In this section, RASCv3's FPGA cannot satisfy the memory requirements of the second-order attack, and thus we cannot perform its attack in real-time mode. In next version of RASC, a larger memory may be included to address this.

Using an oscilloscope with RASC's printable antenna, the EM channel in Table VI needs 2.5× more traces than the power channel. However, in the case of unmasked AES in Table IV, the EM traces are also collected with a printable antenna but only need 70% traces more than the power channel. Unlike the first-order attack, the second-order attack utilizes the differences of trace sections which execute the same instructions but from different Sbox operations. For getting the correct trace difference in the second order attack, the trace segment of the collected trace should not only consider the accuracy among other collected traces but also need to consider the accuracy versus other segments in the same traces. To be more specific, if we stack all traces to a matrix, the first-order attack only needs to consider the detection accuracy in vertical direction but the second-order attack needs to consider the accuracy in both vertical and horizontal directions. The higher amplitude of traces makes it easier to get differences in both vertical and horizontal directions and could be beneficial to the subkey extraction efficiency.

When RASC is used instead on an oscilloscope, we need

TABLE V
MTD FOR MASKED AES-128 ENCRYPTION MODULE IN OFFLINE MODE
OSCILLOSCOPE USING 2ND-ORDER DIFFERENTIAL ATTACK.

| Subkey | Power   |         | EM      |         | Combined |         |
|--------|---------|---------|---------|---------|----------|---------|
| Subkey | Board 1 | Board 2 | Board 1 | Board 2 | Board 1  | Board 2 |
| 1      | 21000   | 22000   | 65000   | 70000   | 19500    | 20000   |
| 2      | 21000   | 22000   | 65000   | 70000   | 19500    | 20000   |
| 3      | 20000   | 23000   | 67000   | 69000   | 18000    | 19000   |
| 4      | 20000   | 23000   | 67000   | 69000   | 18000    | 19000   |
| 5      | 18000   | 20000   | 63000   | 66000   | 16500    | 17500   |
| 6      | 18000   | 20000   | 63000   | 66000   | 16500    | 17500   |
| 7      | 23000   | 23000   | 65000   | 66000   | 20000    | 20000   |
| 8      | 23000   | 23000   | 65000   | 66000   | 20000    | 20000   |
| 9      | 17500   | 19000   | 70000   | 70000   | 15500    | 16000   |
| 10     | 17500   | 19000   | 70000   | 70000   | 15500    | 16000   |
| 11     | 20000   | 20000   | 68000   | 70000   | 18000    | 18000   |
| 12     | 20000   | 20000   | 68000   | 70000   | 18000    | 18000   |
| 13     | 18500   | 19000   | 72000   | 75000   | 16000    | 17000   |
| 14     | 18500   | 19000   | 72000   | 75000   | 16000    | 17000   |
| 15     | 19000   | 21000   | 73000   | 75000   | 17000    | 18500   |
| 16     | 19000   | 21000   | 73000   | 75000   | 17000    | 18500   |
| Avg.   | 19625   | 20875   | 67875   | 70125   | 17563    | 18250   |

128500 power traces, 307375 EM traces, and 111875 dual-channel traces on average to extract subkeys. The main reason that RASC needs more EM/power traces is its lower sampling speed, lower sensitivity, and reduced tolerance to clock jitter. The former two have already been discussed in Section II-D. In the case of the latter, clock jitter is also important to the accuracy of collecting traces. The oscilloscope's jitter (< 0.01%) is two orders of magnitude less than RASC ( $\approx 1\%$ ). A high clock jitter could cause a mismatch when we subtract two Sbox operations in the traces during the second order attack. Nevertheless, the combined channel still uses 13% less traces to achieve a 100% rate versus the power channel and 63% less than the EM channel.

As for the comparison of MTDs in unmasked and masked AES, the masked AES needs many more traces to achieve a 100% cracking rate than the unmasked case. Besides the challenges in trace amplitude, the second-order attack also needs to consider DC shift in both vertical and horizontal directions. On the other hand, the first-order attack only needs to consider the DC shift in the vertical direction. Besides, the second-order attack requires more hypotheses (65536) than the first-order (256), and this increases the possibility of failure in the subkey extraction. The combined channel still uses 10% less traces to achieve a 100% rate versus power channel and 75% less than EM channel. This demonstrates the benefits of the proposed combination methodology not only in unmasked AES but also against masked AES.

# V. CONCLUSION AND FUTURE WORK

In this paper, we successfully demonstrate the attack capability of RASCv3 in both masked and unmasked AES subkey extraction experiments. Compared with RASCv2, RASCv3 upgrades its functionality in sampling speed, sensitivity, and EM wave detection. In the unmasked AES subkey extraction experiment, RASCv3 utilizes fewer traces to achieve 100% subkey extraction rate than RASCv2. Compared with other side-channel instruments, RASCv3 has advantages in its low

TABLE VI
MTD FOR MASKED AES-128 ENCRYPTION MODULE IN OFFLINE MODE
RASC USING 2ND-ORDER DIFFERENTIAL ATTACK.

| Subkey | Po      | Power   |         | EM      |         | Combined |  |
|--------|---------|---------|---------|---------|---------|----------|--|
| Subkey | Board 1 | Board 2 | Board 1 | Board 2 | Board 1 | Board 2  |  |
| 1      | 120000  | 140000  | 300000  | 320000  | 100000  | 110000   |  |
| 2      | 120000  | 140000  | 300000  | 320000  | 100000  | 110000   |  |
| 3      | 130000  | 140000  | 320000  | 340000  | 110000  | 120000   |  |
| 4      | 130000  | 140000  | 320000  | 340000  | 110000  | 120000   |  |
| 5      | 118000  | 130000  | 290000  | 300000  | 100000  | 110000   |  |
| 6      | 118000  | 130000  | 290000  | 300000  | 100000  | 110000   |  |
| 7      | 125000  | 140000  | 310000  | 330000  | 110000  | 115000   |  |
| 8      | 125000  | 140000  | 310000  | 330000  | 110000  | 115000   |  |
| 9      | 140000  | 140000  | 330000  | 370000  | 130000  | 135000   |  |
| 10     | 140000  | 140000  | 330000  | 370000  | 130000  | 135000   |  |
| 11     | 138000  | 145000  | 319000  | 350000  | 120000  | 130000   |  |
| 12     | 138000  | 145000  | 319000  | 350000  | 120000  | 130000   |  |
| 13     | 135000  | 150000  | 290000  | 310000  | 120000  | 130000   |  |
| 14     | 135000  | 150000  | 290000  | 310000  | 120000  | 130000   |  |
| 15     | 122000  | 135000  | 300000  | 310000  | 105000  | 115000   |  |
| 16     | 122000  | 135000  | 300000  | 310000  | 105000  | 115000   |  |
| Avg.   | 128500  | 140000  | 307375  | 328750  | 111875  | 120568   |  |

price, small size, and portable features, such as remote communication. In the masked AES subkey extraction experiment, we successfully combine dual-channel traces to extract the subkey from masked AES and the experiment result shows 10% and 75% fewer traces are needed in dual channel than EM/power channel with oscilloscope and 13% and 63% fewer traces are needed in the dual channel than EM/power channel with RASCv3. Besides, we generate the SPERO dataset by gathering EM/Power channel traces of unmasked/masked AES at the same time during encryption and make it available to the community.

In future work, we will upgrade RASCv3 to a new version that consists of a larger memory FPGA, and ADCs with higher sampling rates. With the improved version of RASCv3, we can sample more accurately and increase the accuracy of collecting traces in masked AES subkey extraction. Besides, larger memory could contain more hypotheses and implement the second-order attack algorithm in real-time.

#### REFERENCES

- P. Kocher, J. Jaffe, and B. Jun, "Differential Power Analysis," in Advances in Cryptology—CRYPTO'99. Springer, 1999, pp. 388–397.
- [2] P. Kocher, J. Jaffe, B. Jun, and P. Rohatgi, "Introduction to Differential Power Analysis," *Journal of Cryptographic Engineering*, vol. 1, pp. 5– 27, 2011.
- [3] P. Kocher, J. Jaffe, B. Jun et al., "Introduction to Differential Power Analysis and Related Attacks," 1998.
- [4] E. Brier, C. Clavier, and F. Olivier, "Correlation Power Analysis with a Leakage Model," in *Cryptographic Hardware and Embedded Systems* (CHES) 2004. Springer, 2004, pp. 16–29.
- [5] K. Gandolfi, C. Mourtel, and F. Olivier, "Electromagnetic Analysis: Concrete Results," in *Cryptographic Hardware and Embedded Systems* (CHES) 2001. Springer, 2001, pp. 251–261.
- [6] D. Agrawal, B. Archambeault, J. R. Rao, and P. Rohatgi, "The EM Side—channel(s)," in Cryptographic Hardware and Embedded Systems (CHES) 2002, pages=29-45, year=2003, organization=Springer.
- [7] F. Pub, "Data Encryption Standard (DES)," FIPS PUB, pp. 46-3, 1999.
- [8] X. Zhou and X. Tang, "Research and implementation of rsa algorithm for encryption and decryption," in *Proceedings of 2011 6th International Forum on Strategic Technology*, vol. 2. IEEE, 2011, pp. 1118–1121.
- [9] P. Mahajan and A. Sachdeva, "A study of encryption algorithms aes, des and rsa for security," Global Journal of Computer Science and Technology, vol. 13, no. 15, pp. 15–22, 2013.

- [10] Y. Zhou, Y. Yu, F.-X. Standaert, and J.-J. Quisquater, "On the need of physical security for small embedded devices: a case study with COMP128-1 implementations in SIM cards," in *Financial Cryptography* and Data Security. Springer, 2013, pp. 230–238.
- [11] G. L. Ding, J. Chu, L. Yuan, and Q. Zhao, "Correlation Electromagnetic Analysis for Cryptographic Device," in 2009 Pacific-Asia Conference on Circuits, Communications and Systems. IEEE, 2009, pp. 388–391.
- [12] Y. Souissi, S. Bhasin, S. Guilley, M. Nassar, and J.-L. Danger, "Towards Different Flavors of Combined Side Channel Attacks," in *Topics in Cryptology—CT-RSA* 2012. Springer, 2012, pp. 245–259.
- [13] F.-X. Standaert and C. Archambeau, "Using subspace-based template attacks to compare and combine power and electromagnetic information leakages," in *International Workshop on Cryptographic Hardware and Embedded Systems*. Springer, 2008, pp. 411–425.
- [14] Y. Bai, J. Park, M. Tehranipoor, and D. Forte, "Dual Channel EM/Power Attack Using Mutual Information and its Real-time Implementation," in 2023 IEEE International Symposium on Hardware Oriented Security and Trust (HOST). IEEE, 2023, pp. 133–143.
  [15] H. Peng, F. Long, and C. Ding, "Feature selection based on mu-
- [15] H. Peng, F. Long, and C. Ding, "Feature selection based on mutual information criteria of max-dependency, max-relevance, and min-redundancy," *IEEE Transactions on Pattern Analysis and Machine Intelligence*, vol. 27, no. 8, pp. 1226–1238, 2005.
- [16] C. Ding and H. Peng, "Minimum redundancy feature selection from microarray gene expression data," *Journal of Bioinformatics and Com*putational Biology, vol. 3, no. 02, pp. 185–205, 2005.
- [17] T. M. Cover, Elements of Information Theory. John Wiley & Sons, 1999.
- [18] "SPERO," https://github.com/YunkaiUF/SPERO.
- [19] "Emv," https://www.langer-emv.de/en/index.
- [20] A. Stern, K. Yang, J. Vosatka, A. Duncan, J. Park, D. Forte, and M. Tehranipoor, "Rasc: Enabling remote access to side-channels for mission critical systems," *GOMACTech*, 2019.
- [21] Y. Bai, A. Stern, J. Park, M. Tehranipoor, and D. Forte, "Rascv2: Enabling remote access to side-channels for mission critical and iot systems," ACM Transactions on Design Automation of Electronic Systems (TODAES), vol. 27, no. 6, pp. 1–25, 2022.
- [22] "LT2242," https://www.analog.com/media/en/technical-documentation/ data-sheets/224212fc.pdf.
- [23] "Spartan3e," https://docs.rs-online.com/eaea/0900766b80ce9c9b.pdf.
- 24] "Artix7," https://www.farnell.com/datasheets/2301213.pdf.
- [25] "Chipwhisperer-lite level 2 kit," https://www.newae.com/products/ NAE-SCAPACK-L2.
- [26] "MDO3102 Mixed Domain Oscilloscopes," https://www.tek.com/en/datasheet/mixed-domain-oscilloscopes.
- [27] M. I. Skolnik, "Introduction to Radar Systems," New York, 1980.
- [28] C. A. Balanis, Antenna Theory: Analysis and Design. John Wiley & Sons, 2016.
- [29] "ADC08200," https://www.ti.com/lit/ds/symlink/adc08200.pdf.
- [30] "MaskedAES," https://github.com/CENSUS/masked\_aes-c/tree/main.
- [31] T. S. Messerges, "Using second-order power analysis to attack dpa resistant software," in *International Workshop on Cryptographic Hardware and Embedded Systems*. Springer, 2000, pp. 238–251.
- [32] E. Oswald, S. Mangard, C. Herbst, and S. Tillich, "Practical secondorder dpa attacks for masked smart card implementations of block ciphers," in *Cryptographers' Track at the RSA Conference*. Springer, 2006, pp. 192–207.
- [33] "AEScode," https://github.com/kokke/tiny-AES-c.
- [34] U. Rioja, L. Batina, J. L. Flores, and I. Armendariz, "Auto-tune POIs: Estimation of Distribution Algorithms for Efficient Side-Channel Analysis," *Computer Networks*, vol. 198, p. 108405, 2021.
- [35] "ANSSI," https://github.com/ANSSI-FR/ASCAD.
- [36] "AESPT," https://github.com/urioja/AESPT.
- [37] R. Benadjila, E. Prouff, R. Strullu, E. Cagli, and C. Dumas, "Deep learning for side-channel analysis and introduction to ascad database," *Journal of Cryptographic Engineering*, vol. 10, no. 2, pp. 163–188, 2020.
- [38] Y. Bai, J. Park, M. Tehranipoor, and D. Forte, "Real-time instruction-level verification of remote iot/cps devices via side channels," *Discover Internet of Things*, vol. 2, no. 1, p. 1, 2022.
- [39] G. Becker, J. Cooper, E. De Mulder, G. Goodwill, J. Jaffe, G. Kenworthy et al., "Test vector leakage assessment (TVLA) derived test requirements (DTR) with AES," in *International Cryptographic Module Conference*, 2013
- [40] "SCAPEgoat," https://github.com/vernamlab/SCApeGoat.