Side-Channel Oscilloscope
Side-channel analysis, normally used for codebreaking, can be used constructively as a probing tool for internal gates in integrated circuits. This paper outlines basic methods and mathematics for that purpose.
Research Summary
The paper proposes a novel use of side-channel analysis (SCA) techniques, traditionally employed for cryptographic key extraction, as a non-invasive probing tool for internal nodes of integrated circuits. The authors term this approach a "Side-Channel Oscilloscope" (SCO). The core idea is to treat measured power consumption traces as linear combinations of elementary step-current responses associated with individual gate transitions. By modeling a combinational circuit as a hierarchy of sub-blocks, each with a finite set of possible input transitions, the authors define a step-current response S(k, j, t) for the j-th transition of the k-th sub-block. They then introduce an activation function T(k, j, I_i, I_{i-1}) that takes the values +1, -1, or 0 depending on whether the specific transition occurs, does not occur, or is undefined. After normalizing all traces to zero mean, the power trace for a given input transition can be expressed as a sum over all sub-blocks and transitions, weighted by the activation functions.
A crucial assumption is that the activation functions for different (k, j) pairs are orthogonal over a large set of random input transitions: the inner product of two distinct activation vectors averages to zero, while the inner product of a vector with itself equals the number of samples M. This orthogonality mirrors the mathematical foundations of template attacks and principal component analysis in SCA.
To isolate the step-current response of a target transition (p, q), the authors propose applying M random input transitions, recording the corresponding power traces, and multiplying each trace by the activation function T(p, q, ·) before summing. Because of orthogonality, contributions from all non-target transitions cancel out in expectation, leaving only the target term amplified by a factor of M/2. Consequently, the desired step-current response can be recovered as s_acc(t) = (M/2)·S(p, q, t).
The method is applied recursively: the circuit is repeatedly partitioned into two sub-blocks using a minimum-cut bisection, which helps preserve orthogonality at each level. By iterating the extraction process down the hierarchy, one can eventually reach a single net or gate. At that point, the step-current response can be integrated (or transformed via Laplace techniques) to obtain the corresponding voltage waveform, providing a full temporal picture of the internal node's behavior.
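The following Python simulation is an added example, not code from the paper: it builds a toy two-sub-block circuit with constructed step-current responses S(k, j, t), computes the +1/-1 activation functions T(k, j, ·) from M random input transitions, checks the orthogonality assumption via the normalised Gram matrix of the activation vectors, and then recovers S(p, q, t) from the accumulated product sum_i T(p, q, ·)·trace_i, which comes out as (M/2)·S(p, q, t). It shows one level of the hierarchy only (no recursive bisection), and the trace length, pulse shapes, noise level and the rule that transition j of sub-block k fires when input bit 2k+j toggles are all assumptions.

```python
"""Toy Side-Channel Oscilloscope (added example, not the paper's code).

Assumed model: transition j of sub-block k fires when input bit 2k+j toggles
and injects a constructed step-current response S(k, j, t) into the trace.
T(k, j, I_{i-1}, I_i) is +1 if that transition occurs and -1 otherwise.
"""
import numpy as np

N_SAMPLES = 40                      # time samples per trace (constructed)
TIME = np.arange(N_SAMPLES)

def step_response(k, j, t):
    """Constructed S(k, j, t): a decaying current pulse unique to (k, j)."""
    delay, amp, tau = 2 + 3 * k + j, 1.0 + 0.5 * j, 3.0 + k
    return amp * np.exp(-(t - delay) / tau) * (t >= delay)

def activation(i_prev, i_now, k, j):
    """T(k, j, I_{i-1}, I_i): +1 if input bit 2k+j toggles, -1 if it does not."""
    return 1 if ((i_prev ^ i_now) >> (2 * k + j)) & 1 else -1

def simulate(rng, m, n_blocks=2, n_trans=2, noise_sd=0.05):
    """Apply M random input transitions; return (M, N) traces and all T vectors."""
    inputs = rng.integers(0, 1 << (n_blocks * n_trans), size=m + 1)   # I_0 .. I_M
    acts = {(k, j): np.array([activation(inputs[i - 1], inputs[i], k, j)
                              for i in range(1, m + 1)])
            for k in range(n_blocks) for j in range(n_trans)}
    traces = rng.normal(0.0, noise_sd, size=(m, N_SAMPLES))   # measurement noise
    for (k, j), t_vec in acts.items():
        traces += (t_vec == 1)[:, None] * step_response(k, j, TIME)  # currents that fired
    return traces, acts

def gram(acts):
    """Normalised inner products <T_a, T_b>/M: close to identity when orthogonal."""
    mat = np.array(list(acts.values()), dtype=float)
    return mat @ mat.T / mat.shape[1]

def recover_step_response(traces, target_act):
    """SCO core: zero-mean the traces, then s_acc(t) = sum_i T(p,q,i)*trace_i(t).

    Orthogonality leaves s_acc = (M/2) S(p,q,t), so the estimate is 2 s_acc / M.
    """
    s_acc = target_act @ (traces - traces.mean(axis=0))
    return 2.0 * s_acc / traces.shape[0]

def demo(target=(0, 1), m=4000, seed=0):
    """Recover S for `target`; returns (estimate, true S(p,q,t), Gram matrix)."""
    rng = np.random.default_rng(seed)
    traces, acts = simulate(rng, m)
    return recover_step_response(traces, acts[target]), step_response(*target, TIME), gram(acts)

if __name__ == "__main__":
    est, truth, g = demo()
    print("max |S_hat - S| =", float(np.abs(est - truth).max()))
    print("largest off-diagonal |<T_a,T_b>|/M =", float(np.abs(g - np.eye(len(g))).max()))
```

Raising the noise level or making two transitions depend on the same input bit breaks orthogonality and shows up as a non-zero off-diagonal entry in the Gram matrix and as extra error in the estimate, which is the correlated-transition case the paper discusses.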
The authors acknowledge that perfect orthogonality is unlikely in real silicon, as transitions can be correlated. Nonetheless, they argue that modest correlation merely adds noise to the measurement; the target transition's signal remains amplified relative to this background. They suggest enhancing the technique by imposing DFT constraints, employing more sophisticated post-processing such as principal component analysis (as used in template attacks), or refining the block partitioning strategy.
In conclusion, the paper demonstrates that side-channel power analysis can be repurposed from a cryptanalytic attack into a diagnostic instrument capable of "seeing" inside a chip without physical probes. This Side-Channel Oscilloscope could be valuable for modeling emerging technologies, debugging inaccessible circuitry, and evaluating security properties where the circuit topology is known but the actual silicon implementation is not. The work bridges the gap between security research and practical circuit measurement, opening avenues for further refinement and application in both academia and industry.