LC Networks Communication

Security Testing Tool
  • icWaves for SCA

Product details

Introduction
Generating a trigger pulse at the right point in time is essential in fault injection and side channel analysis testing. However, clock jitter and random program interrupts can make this difficult. In fault injection, the result is inaccurate timing of the injected fault. In side channel analysis, the measurement window may be unnecessarily large, resulting in a slow data acquisition process, an excessive amount of data, and strongly misaligned traces. In these situations, it is much better to detect a pattern in the signal just before the point where a fault should be injected or a measurement should start.

icWaves offers a solution for this. This FPGA-based device generates a trigger pulse after real-time detection of a pattern in the power or EM signal of a chip. icWaves has a special narrow band-pass filter built in to enable the detection of a pattern even in noisy signals. The latter is important because side channel signals are typically noisy and detecting a predefined pattern is therefore not always feasible without a tuneable filtering mechanism. Besides triggering a fault, icWaves is also used to prevent a smart card from shutting down after detecting a fault injection attack. By detecting the wave pattern that indicates the shutdown of the card, icWaves generates a trigger to stop the shutdown process.

Key features 
  • Reduces the DPA acquisition window and alignment problems on smart cards with significant time variations
  • Enables side channel testing of devices without requiring access to external trigger points such as I/O or other events
  • Offers accurate and real-time detection of any wave form to enable efficient and repeatable fault injection
  • Prevents the smart card from shutting down in fault injection testing
  • Uses signal processing features of the Inspector software to create a suitable reference signal
  • Provides simulation function for determining the optimal threshold value

Usage
The side channel signal is not always suitable to detect a pattern:
  • The side channel signal may be too noisy
  • The frequency range of the side channel signal is too high (e.g. because the crypto clock of the test object exceeds the sample frequency of icWaves).
For these cases the built-in analog Filter block provides a solution. The filter block consists of a mixer that multiplies the side channel signal with a pure sinusoidal signal. The frequency of this sine wave is set by the user through the software interface between 0 and 400 MHz. The mixer shifts down the frequency range of the side channel signal. The mixer is attached to a 1 MHz low pass filter. The mixer with low pass filter operates as a band pass filter with a centre frequency equal to the frequency of the sine wave and with a frequency range of 2 MHz. The resulting intermediate signal is demodulated by a rectifier with 1 MHz low pass filter to avoid random phase errors. The demodulated signal is present at the ‘filter out’ connector and can be fed into the ‘signal in’ input of the icWaves for pattern detection.
 
The input voltage range of the filter block can be set by the user through the software interface.
 
The Acquisition block acquires the data from the signal input at 100 MS/s. If a lower sample speed is used, icWaves uses oversampling to minimize undesired aliasing effects.
The SAD processor block compares the input signal with the stored reference signal by continuously computing the Sum of Absolute Differences (SAD). When the SAD value drops under the specified threshold the Trigger block is notified.
 
The Trigger block provides some additional trigger features that can be useful for triggering on complex input signals:
  • A hold-off time can be specified to hold off the trigger signal in order to find a better correlation
  • icWaves can be configured to trigger only after several occurrences of the reference pattern
  • The trigger can be delayed
A user configures icWaves for trigger pulse generation in three steps:
  1. Operating as an oscilloscope, icWaves stores one or more traces in Inspector. Signal processing, such as additional filtering or averaging, can be performed on the traces using the Inspector software to derive one reference trace.
  2. The user selects a distinct pattern from the reference trace. The SAD (Sum of Absolute Differences) simulation function may be used to calculate the SAD values between the selected pattern and a test trace set. These SAD values are used to select the most appropriate SAD threshold for triggering.
  3. icWaves can now be used as a trigger source. When the reference pattern is detected in the measured signal, a trigger pulse is generated in real time. As a result, the area of interest is perfectly aligned.
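
The SAD comparison, the threshold simulation of step 2 and the Trigger block options can be modelled in software as follows. This is an added example, not code from the icWaves SDK or Inspector: all names, the 8-sample pattern and the traces are constructed, times are counted in samples, and hold-off is modelled as a dead time after each detection, which is an assumption the page does not spell out.

```python
import random

REF = [210, 50, 230, 90, 20, 240, 70, 190]   # constructed 8-sample reference pattern
BASE, NOISE = 128, 10                         # constructed idle level and noise bound

def make_trace(rng, length, offsets):
    """Constructed 8-bit trace: noisy baseline with REF inserted at each offset."""
    clean = [BASE] * length
    for off in offsets:
        clean[off:off + len(REF)] = REF
    return [v + rng.randint(-NOISE, NOISE) for v in clean]

def sad_series(signal, ref):
    """SAD of ref against every window of signal (entry i = window starting at i)."""
    n = len(ref)
    return [sum(abs(s - r) for s, r in zip(signal[i:i + n], ref))
            for i in range(len(signal) - n + 1)]

def simulate_threshold(test_traces, ref):
    """Step 2: midpoint between the worst true match and the closest false match."""
    worst_match, closest_false = 0, float("inf")
    for trace in test_traces:            # each test trace holds the pattern once
        sads = sorted(sad_series(trace, ref))
        worst_match = max(worst_match, sads[0])
        closest_false = min(closest_false, sads[1])
    return (worst_match + closest_false) / 2

def trigger_samples(signal, ref, threshold, holdoff=0, occurrences=1, delay=0):
    """Sample indices where the trigger fires (all times in samples)."""
    fires, seen, armed_at = [], 0, 0
    for start, sad in enumerate(sad_series(signal, ref)):
        end = start + len(ref) - 1       # pattern is complete at this sample
        if sad < threshold and end >= armed_at:
            seen += 1
            armed_at = end + 1 + holdoff  # assumed: matches in the hold-off are ignored
            if seen == occurrences:
                fires.append(end + delay)
                seen = 0
    return fires

rng = random.Random(1)
# Jitter: the pattern sits at a different offset in every test trace.
tests = [make_trace(rng, 64, [rng.randint(8, 40)]) for _ in range(20)]
THRESHOLD = simulate_threshold(tests, REF)
live = make_trace(rng, 120, [15, 50, 90])    # three occurrences of the pattern
print(THRESHOLD, trigger_samples(live, REF, THRESHOLD, occurrences=3, delay=4))
```

The trigger sample follows the pattern wherever jitter places it, which is what keeps the acquisition window short and the traces aligned.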

Inspector integration
icWaves is controlled with the Inspector software. It is interoperable with all hardware components. icWaves works on smart cards and embedded chipsets, and supports Inspector’s functionality for power and electromagnetic analysis (DPA, DEMA) and perturbation attacks with laser, voltage and clock glitches.

icWaves SDK
icWaves can also be operated without using Inspector. A Software Development Kit (SDK) is provided for integrating icWaves in your custom tools. It contains a documented standard C API (Application Programmers Interface) and an example program that shows how to use the API functions. The Inspector software uses this same API, so all the icWaves features available in Inspector can also be used from your custom software.
 
Technical specifications
  • 8 MS memory depth for acquiring a reference trace
  • Sample rate up to 200 MS/s with 8 bit resolution (oversampling is used for lower sample rates)
  • Reference signal(s) can contain up to 1×512 or 2×256 samples
  • Real-time comparison uses Sum of Absolute Differences (SAD)
  • Pattern-to-trigger delay around 500 ns
  • Narrow band-pass filter, bandwidth of 1 MHz and adjustable centre frequency
  • Centre frequency of band-pass filter programmable between 0 and 400 MHz
TTL-level trigger output (Trigger out):
  • Configurable hold off time (5 ns resolution)
  • Configurable delay (5 ns resolution)
  • Possibility to specify number of patterns to skip before trigger
  • Fixed pulse length of 1 microsecond 
Input/output
  • Filter in: analog input signal for tunable band-pass filter with selectable sensitivity between 16 mV p-p and 128 mV p-p, 50 Ω
  • Filter out: analog output signal of tuneable band-pass filter, signal level 500 mV p-p, 50 Ω
  • Signal in: analog input signal, 2 V p-p, 50 Ω
  • Trigger in (1×) / out (2×): TTL-level trigger in/output