Physical Security

François-Xavier Standaert & Jean-Jacques Quisquater
UCL Crypto Group, Laboratoire de Microélectronique
Université catholique de Louvain
Place du Levant, 3, B-1348 Louvain-La-Neuve, Belgium
fstandae;jjq@uclouvain.be

A cryptographic primitive can be considered from two points of view: on the one hand, it can be viewed as an abstract mathematical object or black box (i.e. a transformation, possibly parameterized by a key, turning some input into some output); on the other hand, this primitive will in fine have to be implemented in a program that will run on a given processor, in a given environment, and will therefore present specific characteristics. The first point of view is that of classical cryptanalysis; the second one is that of physical security. Physical attacks on cryptographic devices take advantage of implementation-specific characteristics to recover the secret parameters involved in the computation. They are therefore much less general, since they are specific to a given implementation, but often much more powerful than classical cryptanalysis, and are taken very seriously by implementers of cryptographic devices.

Physical attacks can be classified in many ways. The literature usually sorts them along two orthogonal axes.

Invasive vs. non-invasive: invasive attacks require depackaging the chip to get direct access to its inside components; a typical example of this is the connection of a wire on a data bus to see the data transfers. A non-invasive attack only exploits externally available information (the emission of which is however often unintentional) such as running time, power consumption, ... One can go further along this axis by distinguishing local and distant attacks: a local attack requires close but external, i.e. non-invasive, proximity to the device under concern, for example by a direct connection to its power supply. By contrast, a distant attack can operate at a larger distance, for example by measuring the electromagnetic field several meters (or hundreds of meters) away, or by interacting with the device through an internet connection.

Active vs. passive: active attacks try to tamper with the device's proper functioning; for example, fault-induction attacks will try to induce errors in the computation. By contrast, passive attacks will simply observe the device's behavior during its processing, without disturbing it.

Note that these two axes are genuinely orthogonal: an invasive attack may completely avoid disturbing the device's behavior, and a passive attack may require a preliminary depackaging for the required information to be observable. These attacks are of course not mutually exclusive: an invasive attack may for example serve as a preliminary step for a non-invasive one, by giving a detailed description of the chip's architecture that helps to find out where to put external probes.

In parallel, physical attacks can also be classified according to the cost of the equipment and expertise required to carry out an attack. For example, a taxonomy for