Abstract: This work presents two implementation attacks against cryptographic algorithms. Based on these two presented attacks, this thesis shows that the assessment of physical attack complexity is error-prone. Hence, cryptography should not rely on it. Cryptographic technologies have to be protected against all implementation attacks, whether or not they have already been realized. The development of countermeasures does not require the successful execution of an attack but can already be carried out as soon as the principle of a side channel or a fault attack is understood.
Introduction
Ever since the first implementation attacks on cryptographic devices were introduced in the mid-nineties (i.e., side channel attacks and fault attacks, cf. Figure 1), new possibilities of implementation attacks have been consistently explored. The risk that these attacks pose is reduced by reacting to known attacks and by developing and implementing countermeasures against them. For implementation attacks whose theory is known but which have not been conducted yet, however, the situation is different. Attacks whose physical realization is assumed to be very complex are taken less seriously. The trust that these attacks will not be realized due to their physical complexity means that no countermeasures are developed at all. This leads to unprotected devices once the assessment of the complexity turns out to be wrong.
The thesis Why cryptography should not rely on physical attack complexity [6] by Juliane Krämer presents two practical implementation attacks whose theory has been known for several years. Since neither attack had previously been successfully implemented in practice, however, they were not considered a serious threat. Their physical attack complexity has been overestimated and the implied security threat has been underestimated.
First, the photonic side channel is introduced, which offers not only temporal resolution, but also the highest possible spatial resolution. Both simple and differential photonic side channel analyses are shown. Then, a fault attack against pairing-based cryptography is presented. It is shown how attackers can reveal the secret key of symmetric as well as asymmetric cryptographic algorithms based on these implementation attacks, and countermeasures on the software and the hardware level are presented to prevent these attacks in the future. 
The photonic side channel
The photonic side channel exploits highly spatially resolved photonic emissions of a target device to reveal the secret key of a cryptographic algorithm. It was first presented in 2008 [7], but was not considered a realistic threat due to the immense cost of more than 2,000,000 € for the measurement setup. When we presented a low-cost approach in 2012, we showed that the initial skepticism towards the applicability of this side channel was unfounded. Based on this low-cost setup, we developed the theory of Simple Photonic Emission Analysis (SPEA) and Differential Photonic Emission Analysis (DPEA) and conducted practical attacks. Given the low-cost system and the methodology of SPEA and DPEA, the photonic side channel complements the cryptanalytic tools for attacking cryptography.
In a photonic side channel attack, first emission images have to be taken to gain spatial orientation on the device under attack. For this, we used a Si-CCD detector. These images are then analyzed to find interesting spots on the device. With a second detector, an InGaAs-APD, the emissions of these selected spots, e.g., single transistors, are then measured over time. Afterwards, these photonic emission traces are analyzed to reveal secret cryptographic information.
As explained in the thesis [6, Chapter 3], a single trace does not contain more information than just a few photons, if any. Thus, for any analysis, measurements have to be repeated thousands of times and the images have to be integrated over time.
We analyzed the AES algorithm, specifically the accesses to its S-Box during the SubBytes operation. The 256-byte S-Box was stored in SRAM in our target devices, an ATMega328P and an ATXMega128A1 from the Atmel AVR family.
Simple photonic emission analysis
An SPEA reveals secret information of a cryptographic device based on traces of photonic emissions that have been recorded while the device computes a cryptographic operation with different input data. A single input might be sufficient for a successful SPEA. The information is revealed by mapping certain computational operations to location-dependent leakage and photonic emission patterns at certain points in time, which do not have to be known in advance. Figure 2 shows the AES S-Box stored in SRAM. A single SRAM row of this target device stores 64 bits, i.e., 8 bytes. The 256 bytes of the S-Box are located from memory address 0x23f to 0x33e. The address 0x23f is the eighth byte of the SRAM line starting with address 0x238, i.e., the S-Box has an offset of 7 bytes. The emissions of the row drivers are clearly visible to the left of the memory bank. Moreover, the image allows direct readout of the bit values of the stored data. The byte shown in the overlay, for example, corresponds to 0b01100011 = 0x63, the first value of the AES S-Box.
It can be seen that the S-Box exhibits an offset of seven bytes, i.e., in the bottom row only a single byte of the S-Box is stored, while in the top row seven bytes are stored. Whenever an element is accessed during the SubBytes operation, the respective row driver emits photons, which is why we measured the photons of one of the row drivers in our attack. This allows us to observe time-resolved access patterns to a specific memory row containing S-Box elements. Using this information and information about the input data, the set of key candidates can be greatly reduced [4, 5].
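To make the key-candidate reduction concrete, the following Python is an added example (not code from the thesis) that models the memory layout described above and counts how many key bytes remain consistent with a series of row-driver observations. The key byte, the plaintexts and the monitored row are constructed, and the one-bit "row driver fired" observation is a simplification of the measured emission traces.

```python
# Added example, not code from the thesis: how row-level S-Box access leakage
# shrinks the AES key space in an SPEA. Layout taken from the page: S-Box at
# SRAM 0x23f..0x33e, 8-byte rows, the driver of the row holding S-Box[p ^ k]
# emits during SubBytes. Observation = (plaintext byte, did the monitored row fire?).

SBOX_BASE = 0x23F  # address of S-Box[0], as stated on the page
ROW_BYTES = 8      # 64-bit SRAM rows

def sbox_row(index: int) -> int:
    """SRAM row (address // 8) holding S-Box[index]; 0x23f sits at offset 7."""
    return (SBOX_BASE + index) // ROW_BYTES

def sbox_bytes_in_row(row: int) -> int:
    """S-Box entries sharing one row: 1 in the bottom row, 7 in the top, else 8."""
    return sum(1 for i in range(256) if sbox_row(i) == row)

def row_driver_fires(plaintext_byte: int, key_byte: int, monitored_row: int) -> bool:
    """Leakage model: the monitored row driver emits iff SubBytes reads that row."""
    return sbox_row(plaintext_byte ^ key_byte) == monitored_row

def candidates_after(observations, monitored_row: int) -> set:
    """Keep every key byte consistent with all (plaintext, fired) observations."""
    keep = set(range(256))
    for p, fired in observations:
        keep = {k for k in keep if row_driver_fires(p, k, monitored_row) == fired}
    return keep

def simulate(true_key_byte: int, plaintexts, monitored_row: int) -> set:
    """Constructed scenario: record observations for a chosen key byte, then reduce."""
    obs = [(p, row_driver_fires(p, true_key_byte, monitored_row)) for p in plaintexts]
    return candidates_after(obs, monitored_row)

if __name__ == "__main__":
    k = 0x2B  # constructed key byte
    bottom, second = sbox_row(0), sbox_row(1)
    print(f"bottom row 0x{bottom:x} holds {sbox_bytes_in_row(bottom)} S-Box byte(s)")
    # A row holding a single S-Box byte: one "fired" observation pins k = p.
    print(simulate(k, [0x2B], bottom))
    # A full 8-byte row: three chosen plaintexts already isolate the key byte.
    print(simulate(k, [0x2A, 0x2B, 0x2C], second))
    # "Not fired" observations alone are weak: 16 of them remove only 16 candidates.
    print(len(simulate(k, range(16), second)))
```

The offset of seven bytes is what makes the bottom row so informative: it holds only S-Box[0], so a single lookup that lights up its driver already fixes the key byte.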
Differential photonic emission analysis
A DPEA reveals secret information of a cryptographic device based on traces of photonic emissions that have been recorded while the device computes a cryptographic operation with different input data. The data dependency of the intensity of the photonic emissions at certain points in time, which do not have to be known in advance, is exploited by a statistical analysis. The DPEA targets the AVR architecture's datapath to recover photonic side channel leakage. We determined that the emissions of the datapath's driving inverters are both data and address dependent. The large driving inverters that connect an SRAM bank to the rest of the data path are clearly visible on emission images, and it can be seen that the driving inverters for the first and second SRAM bank are mirrored (cf. Figure 3).
Figure 3: Photonic emission images of the driving inverters for the second SRAM bank on the ATMega328P. The bit order is shown, i.e., the most significant bit is at the leftmost position. Bits 0 to 2 and bits 3 to 7 were measured together, respectively, due to the strong light source above the least significant bits.
By analyzing photonic emissions of these driving inverters, we revealed the secret AES key by applying several statistical methods such as Difference of Means, Pearson correlation, and the stochastic approach [2, 3].
A fault attack against a real-world pairing implementation
The second example of an attack that was previously not regarded as a realistic threat is a higher-order fault attack against pairing computations [1]. Pairings are, e.g., used as mathematical building blocks of identity-based cryptography. Ever since they were suggested for this purpose, fault attacks against them have been proposed. However, all of them were only described theoretically until we published our results. Not only higher-order attacks, but even single-fault attacks against pairing computations had not been practically realized before. Second-order fault attacks were even considered to be an unrealistic attack scenario [8]. Second-order attacks, however, are needed to successfully attack a pairing since a pairing consists of two consecutive functions (the Miller algorithm and the final exponentiation) which both have to be attacked. This aspect makes such fault attacks especially challenging. We conducted the first practical fault attack against a pairing computation, and even conducted it against a real-world pairing implementation. We successfully conducted a second-order fault attack against an implementation of the eta pairing from the RELIC toolkit, which was also used for the implementation of pairing-based cryptography in wireless sensor networks. As in the case of the photonic side channel attack, we attacked an ATXMega128A1 microcontroller. The setup for this attack is shown in Figure 4. The attack consists of two clock glitches which were used to skip two instructions of the code. By analyzing the output of the attacked pairing, we automatically determined whether or not the attack was successful and, if so, revealed the secret information (which is an elliptic curve point in the case of cryptographic pairings) by applying algebraic techniques.
Conclusion
By presenting these two attacks, we show that reliance upon physical attack complexity is not recommended when it comes to cryptography and the protection of sensitive information. The human estimation of physical attack complexity is error-prone. We have to face attackers who are better than we expect, and thus, cryptography also needs to be secured against presumably physically infeasible attacks.
