Wednesday, March 19, 2025

Clock Jitter and Side Channel Leakage


Device developers are nowadays aware of the risks of hardware side channel analysis. While a computer chip does its calculations, it may leak sensitive information through its power consumption or other side channels. There are mitigations against side channel leakage, but the number of attacks and side channels is still growing. Therefore, it is important to remain vigilant.

At the September 2023 Conference on Cryptographic Hardware and Embedded Systems (CHES) in Prague, researchers from the Karlsruhe Institute of Technology reported a new side channel vulnerability and demonstrated a successful attack. In this case, the researchers did not look at power consumption, but at clock jitter. Almost any chip has a clock signal that times the sequence of instructions. Often the clock is generated by a phase-locked loop (PLL) circuit, which allows the clock speed to be controlled by the chip itself. Although a PLL can generate a stable clock, it is never exact. Clock jitter is a small frequency variation (less than 1%) that is normal and acceptable.

PLL jitter is caused by noise. This could be natural noise or program-induced fluctuations in power consumption and electromagnetism. It follows that clock jitter may behave as a side channel and carry sensitive information. If the jitter is only indirectly caused by power consumption, it may be a relatively weak side channel, and a direct power measurement may have better signal quality. But there are two reasons why jitter is an interesting side channel.

First, the jitter appears in a high frequency clock that may be externally observable. It may behave as a radio signal and propagate without a galvanic connection. This allows an attacker to observe the leakage at a larger distance.

Second, the jitter may be the best side channel if other sources are mitigated. There are many countermeasures that would obscure power consumption, but these may not undo jitter in the PLL clock.

Can clock jitter be measured? Yes, dedicated circuits (e.g., a tapped delay line) can measure jitter and convert it into an analog signal. This signal can be sampled and analyzed for the presence of secret data leakage. Alternatively, the clock signal could be measured with a high-end oscilloscope and resampled through a software conversion. The research team confirmed that a secret key in a target chip running the Advanced Encryption Standard (AES) crypto algorithm could be extracted in around 50k measurements. That is considered strong leakage in the side channel research community.
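As an added example (not code from the original post or from the KIT paper), this is the kind of leakage assessment a device developer could run on sampled jitter: a fixed-vs-random Welch t-test (the standard TVLA methodology) over per-cycle clock period deviations. The traces are constructed from an assumed first-order Hamming-weight leakage model; the key byte, the picosecond units and the trace generator are assumptions, not measurements.

```python
import math
import random
import statistics

# Constructed leakage model (assumption, not data from the paper): a trace is the
# clock period deviation in picoseconds over CYCLES clock cycles. Every cycle has
# Gaussian noise; only LEAK_CYCLE carries a data-dependent term proportional to
# the Hamming weight of (plaintext_byte XOR key_byte), i.e. AddRoundKey leakage.
CYCLES = 8
LEAK_CYCLE = 3
KEY_BYTE = 0x2B  # constructed sample key byte


def hamming_weight(x):
    return bin(x & 0xFF).count("1")


def jitter_trace(pt_byte, key_byte, alpha, rng, sigma=2.0):
    """One simulated jitter trace; alpha is the data-dependent jitter (ps per bit)."""
    trace = [rng.gauss(0.0, sigma) for _ in range(CYCLES)]
    trace[LEAK_CYCLE] += alpha * hamming_weight(pt_byte ^ key_byte)
    return trace


def welch_t(a, b):
    """Welch's t-statistic between two sample lists (unequal variances allowed)."""
    ma, mb = statistics.fmean(a), statistics.fmean(b)
    va, vb = statistics.variance(a), statistics.variance(b)
    return (ma - mb) / math.sqrt(va / len(a) + vb / len(b))


def tvla_fixed_vs_random(alpha, n_traces=2000, key_byte=KEY_BYTE, seed=1):
    """Fixed-vs-random t-test over jitter traces; returns (max |t|, cycle index).

    |t| > 4.5 is the usual threshold for declaring first-order leakage. The fixed
    plaintext is chosen so its intermediate has Hamming weight 1, far from the
    mean of 4 for random inputs; a fixed value with weight 4 would hide this
    first-order difference, which is why TVLA uses several fixed inputs in practice.
    """
    rng = random.Random(seed)
    fixed_pt = key_byte ^ 0x01
    fixed, rand = [], []
    for _ in range(n_traces):
        fixed.append(jitter_trace(fixed_pt, key_byte, alpha, rng))
        rand.append(jitter_trace(rng.randrange(256), key_byte, alpha, rng))
    t_per_cycle = [abs(welch_t([tr[c] for tr in fixed], [tr[c] for tr in rand]))
                   for c in range(CYCLES)]
    worst = max(range(CYCLES), key=t_per_cycle.__getitem__)
    return t_per_cycle[worst], worst


if __name__ == "__main__":
    for alpha in (0.0, 0.5):  # quiet PLL vs. PLL with data-dependent jitter
        t, cyc = tvla_fixed_vs_random(alpha)
        verdict = "LEAKS" if t > 4.5 else "no first-order leakage detected"
        print(f"alpha={alpha}: max|t|={t:.1f} at cycle {cyc} -> {verdict}")
```

With alpha = 0.5 ps/bit and 2000 traces per set the statistic lands well above the threshold at the leaking cycle, while the alpha = 0 device stays below it; raising the noise or lowering alpha shows how many traces a given jitter-to-power coupling needs before it becomes detectable.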

How is all this relevant to you? If you are a chip or device developer, and your solution includes a PLL, be aware that there is an additional side channel to consider. Also, this new study demonstrates that side channel leakage remains an open issue. We need to accept that new attacks will keep emerging and that strong security testing is needed to evaluate and mitigate risk.
