Document Type : Research Article


Faculty of Computer Science and Engineering, Shahid Beheshti University, Tehran, Iran


Side-channel analysis methods can reveal the secret information of digital electronic systems by analyzing the dependency between the power consumption of implemented cryptographic algorithms and the secret data. Recent studies show that it is possible to gather information about power consumption from FPGAs without any physical access. High flexibilities of modern FPGAs cause that they are used for cloud accelerator in Platform as a Service (PaaS) system; however, new serious vulnerabilities emerged for these platforms. Although there are some reports about how switching activities from one region of FPGA affect other regions, details of this technique are not analyzed. In this paper, we analyzed the strength of this kind of attack and examined the impact of geometrical and electrical parameters of the victim/attacker modules on the efficiency of this attack. We utilized a Zynq-based Xilinx platform as the device under attack. Experimental results and analyses show that the distance between the victim module and the sensor modules is not the only effective parameter on the quality of attack; the influence of the relational location of victim/attacker modules could be more considerable on the quality of attack.


[1] Ibm puredata system for analytics architecture, 2014.
[2] Amazon ec2 f1 instances, available on
[3] D. R. E. Gnad, F. Oboril, S. Kiamehr, and M. B. Tahoori. Analysis of transient voltage fluctuations in fpgas. In 2016 International Conference on Field-Programmable Technology (FPT), pages 12–19, Dec 2016.
[4] Samuel T. King, Joseph Tucek, Anthony Cozzie, Chris Grier, Weihang Jiang, and Yuanyuan Zhou. Designing and implementing malicious hardware. In Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats, LEET’08, pages 5:1–5:8, Berkeley, CA, USA, 2008. USENIX Association.
[5] R. S. Chakraborty, I. Saha, A. Palchaudhuri, and G. K. Naik. Hardware trojan insertion by direct modification of fpga configuration bitstream. IEEE Design Test, 30(2):45–54, April 2013.
[6] P. Swierczynski, M. Fyrbiak, P. Koppe, and C. Paar. Fpga trojans through detecting and weakening of cryptographic primitives. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 34(8):1236–1249, Aug 2015.
[7] Paul Kocher, Joshua Jaffe, Benjamin Jun, and Pankaj Rohatgi. Introduction to differential power analysis. Journal of Cryptographic Engineering, 1(1):5–27, Apr 2011.
[8] Eric Brier, Christophe Clavier, and Francis Olivier. Correlation power analysis with a leakage model. volume 3156, pages 16–29, 08 2004.
[9] F. Schellenberg, D. R. E. Gnad, A. Moradi, and M. B. Tahoori. An inside job: Remote power analysis attacks on fpgas. In 2018 Design, Automation Test in Europe Conference Exhibition (DATE), pages 1111–1116, March 2018. [10] M. Zhao and G. E. Suh. Fpga-based remote power side-channel attacks. In 2018 IEEE Symposium on Security and Privacy (SP), pages 229– 244, May 2018.
[11] D. R. E. Gnad, F. Oboril, and M. B. Tahoori. Voltage drop-based fault attacks on fpgas using valid bitstreams. In 2017 27th International Conference on Field Programmable Logic and Applications (FPL), pages 1–7, Sep. 2017. [12] Jonas Krautter, Dennis R. E. Gnad, and Mehdi B. Tahoori. Fpgahammer: Remote voltage fault attacks on shared fpgas, suitable for dfa on aes. 08 2018.
[13] Dina Mahmoud and Mirjana Stojilović. Timing violation induced faults in multi-tenant fpgas. In 2019 Design, Automation & Test in Europe Conference & Exhibition (DATE), pages 1745– 1750. IEEE, 2019.
[14] Md Mahbub Alam, Shahin Tajik, Fatemeh Ganji, Mark Tehranipoor, and Domenic Forte. Ramjam: Remote temperature and voltage fault attack on fpgas using memory collisions. In 2019 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pages 48–55. IEEE, 2019.
[15] Dennis RE Gnad, Cong Dang Khoa Nguyen, Syed Hashim Gillani, and Mehdi Baradaran Tahoori. Voltage-based covert channels in multitenant fpgas. IACR Cryptol. ePrint Arch., 2019:1394, 2019.
[16] Ilias Giechaskiel, Kasper Bonne Rasmussen, and Jakub Szefer. C3apsule: Cross-fpga covertchannel attacks through power supply unit leakage. In 2020 IEEE Symposium on Security and Privacy (SP), pages 1728–1741. IEEE, 2020.
[17] Milad Salimian and Ali Jahanian. Analysis of geometrical parameters for remote side-channel attacks on multi-tenant fpgas. In 2020 17th International ISC Conference on Information Security and Cryptology (ISCISC), pages 28–35. IEEE, 2020.
[18] Jian Song, Qi An, and Shubin Liu. A highresolution time-to-digital converter implemented in field-programmable-gate-arrays. IEEE Transactions on Nuclear Science, 53(1):236–241, Feb 2006.
[19] C. Liu and Y. Wang. A 128-channel, 710 m samples/second, and less than 10 ps rms resolution time-to-digital converter implemented in a kintex-7 fpga. IEEE Transactions on Nuclear Science, 62(3):773–783, June 2015.
[20] Jinyuan Wu and Zonghan Shi. The 10-ps wave union tdc: Improving fpga tdc resolution beyond its cell delay. In 2008 IEEE Nuclear Science Symposium Conference Record, pages 3440–3446. IEEE, 2008.
[21] E. Bayer and M. Traxler. A high-resolution ( < 10 ps rms) 48-channel time-to-digital converter (tdc) implemented in a field programmable gate array (fpga). IEEE Transactions on Nuclear Science, 58(4):1547–1552, Aug 2011.
[22] J. Wu. Several key issues on implementing delay line based tdcs using fpgas. IEEE Transactions on Nuclear Science, 57(3):1543–1548, June 2010.
[23] Y. Wang, J. Kuang, C. Liu, and Q. Cao. A 3.9-ps rms precision time-to-digital converter using ones-counter encoding scheme in a kintex-7 fpga. IEEE Transactions on Nuclear Science, 64(10):2713–2718, Oct 2017.
[24] K. Arabi, R. Saleh, and X. Meng. Power supply noise in socs: Metrics, management, and measurement. IEEE Design Test of Computers, 24(3):236–244, May 2007.
[25] Haile Yu, Qiang Xu, and Philip HW Leong. Finegrained characterization of process variation in fpgas. In 2010 International Conference on FieldProgrammable Technology, pages 138–145. IEEE, 2010.
[26] Christoph Ruething, Andreas Agne, Markus Happe, and Christian Plessl. Exploration of ring oscillator design space for temperature measurements on fpgas. In 22nd International Conference on Field Programmable Logic and Applications (FPL), pages 559–562. IEEE, 2012.
[27] John J León Franco, Eduardo Boemo, Encarnación Castillo, and Luis Parrilla. Ring oscillators as thermal sensors in fpgas: Experiments in low voltage. In 2010 VI Southern Programmable Logic Conference (SPL), pages 133–137. IEEE, 2010.
[28] Kenneth M Zick and John P Hayes. Low-cost sensing with ring oscillator arrays for healthier reconfigurable systems. ACM Transactions on Reconfigurable Technology and Systems (TRETS), 5(1):1–26, 2012.
[29] Adrien Le Masle and Wayne Luk. Detecting power attacks on reconfigurable hardware. In 22nd International Conference on Field Programmable Logic and Applications (FPL), pages 14–19. IEEE, 2012.
[30] Kenneth M. Zick, Meeta Srivastav, Wei Zhang, and Matthew French. Sensing nanosecond-scale voltage attacks and natural transients in fpgas. In Proceedings of the ACM/SIGDA International Symposium on Field Programmable Gate Arrays, FPGA ’13, page 101–104, New York, NY, USA, 2013. Association for Computing Machinery.
[31] Tamzidul Hoque. Ring oscillator based hardware trojan detection. PhD thesis, University of Toledo, 2015.
[32] F. Schellenberg, D. R. E. Gnad, A. Moradi, and M. B. Tahoori. Remote inter-chip power analysis side-channel attacks at board-level. In 2018 IEEE/ACM International Conference on Computer-Aided Design (ICCAD), pages 1–7, Nov 2018.
[33] David Knichel, Thorben Moos, and Amir Moradi. The risk of outsourcing: Hidden sca trojans in third-party ip-cores threaten cryptographic ics. In 2020 IEEE European Test Symposium (ETS), pages 1–6. IEEE, 2020.
[34] Ilias Giechaskiel, Kasper Bonne Rasmussen, and Jakub Szefer. Measuring long wire leakage with ring oscillators in cloud fpgas. In 2019 29th International Conference on Field Programmable Logic and Applications (FPL), pages 45–50. IEEE, 2019.
[35] Stefan Mangard, Elisabeth Oswald, and Thomas Popp. Power analysis attacks: Revealing the secrets of smart cards, volume 31. Springer Science & Business Media, 2008.
[36] Dpa contest v2.
[37] Marco Bucci, Raimondo Luzzi, Michele Guglielmo, and Alessandro Trifiletti. A countermeasure against differential power analysis based on random delay insertion. In 2005 IEEE International Symposium on Circuits and Systems, pages 3547–3550. IEEE, 2005.