Paper 2025/644

Attacking at non-harmonic frequencies in screaming-channel attacks

Jeremy Guillaume, Université Bretagne Sud, French National Centre for Scientific Research, Lab-STICC
Maxime Pelcat, Institut National des Sciences Appliquées de Rouen, French National Centre for Scientific Research, IETR
Amor Nafkha, CentraleSupélec, French National Centre for Scientific Research, IETR
Ruben Salvador, CentraleSupélec, Inria Rennes - Bretagne Atlantique Research Centre, French National Centre for Scientific Research, Institut de Recherche en Informatique et Systèmes Aléatoires

Abstract

Screaming-channel attacks enable Electromagnetic (EM) Side-Channel Attacks (SCAs) at larger distances due to higher EM leakage energies than traditional SCAs, relaxing the requirement of close access to the victim. This attack can be mounted on devices integrating Radio Frequency (RF) modules on the same die as digital circuits, where the RF can unintentionally capture, modulate, amplify, and transmit the leakage along with legitimate signals. Leakage results from digital switching activity, so the hypothesis of previous works was that this leakage would appear at multiples of the digital clock frequency, i.e., harmonics. This work demonstrates that compromising signals appear not only at the harmonics and that leakage at non-harmonics can be exploited for successful attacks. Indeed, the transformations undergone by the leaked signal are complex due to propagation effects through the substrate and power and ground planes, so the leakage also appears at other frequencies. We first propose two methodologies to locate frequencies that contain leakage and demonstrate that it appears at non-harmonic frequencies. Then, our experimental results show that screaming-channel attacks at non-harmonic frequencies can be as successful as at harmonics when retrieving a 16-byte AES key. As the RF spectrum is polluted by interfering signals, we run experiments and show successful attacks in a more realistic, noisy environment where harmonic frequencies are contaminated by multi-path fading and interference. These attacks at non-harmonic frequencies increase the attack surface by providing attackers with an increased number of potential frequencies where attacks can succeed.

Note: This version of the article has been accepted for publication, after peer review (when applicable) and is subject to Springer Nature's AM terms of use, but is not the Version of Record and does not reflect post-acceptance improvements, or any corrections. The Version of Record is available online at: http://dx.doi.org/10.1007/978-3-031-54409-5_5

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Published elsewhere. Smart Card Research and Advanced Applications. CARDIS 2023. Lecture Notes in Computer Science, vol 14530. Springer, Cham
DOI
10.1007/978-3-031-54409-5_5
Keywords
side-channel attacks, screaming-channel attacks, EM side-channel attacks, hardware security
Contact author(s)
jeremy guillaume @ univ-ubs fr
maxime pelcat @ insa-rennes fr
amor nafkha @ centralesupelec fr
ruben salvador @ inria fr
History
2025-04-12: approved
2025-04-08: received
Short URL
https://ia.cr/2025/644
License
Creative Commons Attribution-NonCommercial-NoDerivs
CC BY-NC-ND

BibTeX

@misc{cryptoeprint:2025/644,
      author = {Jeremy Guillaume and Maxime Pelcat and Amor Nafkha and Ruben Salvador},
      title = {Attacking at non-harmonic frequencies in screaming-channel attacks},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/644},
      year = {2025},
      doi = {10.1007/978-3-031-54409-5_5},
      url = {https://eprint.iacr.org/2025/644}
}