Generating a trigger pulse at the right point in time is essential in fault injection and side channel analysis testing. Clock jitter and random program interrupts may however make this difficult. This may result in inaccurate timing of the injection of faults. Or, when performing side channel analysis, the measurement window may be unnecessary large resulting in a slow data acquisition process, an excessive amount of data, and strongly misaligned traces. In these situations, it would be much better to detect a pattern in the signal just before the point a fault should be injected or a measurement should start.
icWaves offers a solution for this. This FPGA-based device generates a trigger pulse after real-time detection of a pattern in the power or EM signal of a chip. icWaves has a special narrow band-pass filter built in to enable the detection of a pattern even in noisy signals. The latter is important because side channel signals are typically noisy and detecting a predefined pattern is therefore not always feasible without a tuneable filtering mechanism. Besides triggering a fault, icWaves is also used to prevent a smart card from shutting down after detecting a fault injection attack. By detecting the wave pattern that indicates the shutdown of the card, icWaves generates a trigger to stop the shutdown process.
Reduces the DPA acquisition window and alignment problems on smart cards with significant time variations
Enables side channel testing of devices without requiring access to external trigger points such as I/O or other events
Reference pattern memory holds 1 x 1024 or 2 x 512 samples
Offers accurate and real-time detection of any wave form to enable efficient and repeatable fault injection
Prevents the smart card to shut down in fault injection testing
Uses signal processing features of the Inspector software to create a suitable reference signal
Provides simulation function for determining the optimal threshold value
SAD based high-speed comparison
How to use icWaves
The side channel signal is not always suitable to detect a pattern:
- The side channel signal may be too noisy
- The frequency range of the side channel signal is too high (e.g. because the crypto clock of the test object exceeds the sample frequency of icWaves).
For these cases the built-in analog Filter block provides a solution. The filter block consists of a mixer that multiplies the side channel signal with a pure sinusoidal signal. The frequency of this sine wave is set by the user through the software interface between 0 and 400 MHz. The mixer shifts down the frequency range of the side channel signal. The mixer is attached to a 1 MHz low pass filter. The mixer with low pass filter operates as a band pass filter with a centre frequency equal to the frequency of the sine wave and with a frequency range of 2 MHz. The resulting intermediate signal is demodulated by a rectifier with 1 MHz low pass filter to avoid random phase errors. The demodulated signal is present at the ‘filter out’ connector and can be fed into the ‘signal in’ input of the icWaves for pattern detection.
The input voltage range of the filter block can be set by the user through the software interface.
The Acquisition block acquires the data from the signal input at 200 MS/s. If a lower sample speed is used, icWaves uses oversampling to minimize undesired anti-aliasing effects.
The SAD processor block compares the input signal with the stored reference signal by continuously computing the Sum of Absolute Differences (SAD). When the SAD value drops under the specified threshold the Trigger block is notified.
The Trigger block provides some additional trigger features that can be useful for trig- gering on complex input signals:
- A hold-off time can be specified to hold- off the trigger signal in order to find a better correlation
- icWaves can be configured to trigger only after several occurrences of the reference pattern
- The trigger can be delayed
A user configures icWaves for trigger pulse generation in three steps:
- Operating as an oscilloscope, icWaves stores one or more traces in Inspector. Signal processing, such as additional filtering or averaging, can be performed on the traces using the Inspector software to derive one reference trace.
- The user selects a distinct pattern from the reference trace. The SAD (Sum of Absolute Differences) simulation function may be used to calculate the SAD- values between the selected pattern and a test trace set. These SAD-values are used to select the most appropriate SAD threshold for triggering.
- icWaves can now be used as a trigger source. When the reference pattern is detected in the measured signal a trigger pulse is generated in real time. As a result the area of interest is perfectly aligned.
icWaves is controlled with the Inspector software. It is interoperable with all hardware components. icWaves works on smart cards and embedded chipsets, and supports Inspector’s functionality for power and electromagnetic analysis (DPA, DEMA) and per turbation attacks with laser, voltage and clock glitches.
icWaves can also be operated without using Inspector software. A Software Development Kit (SDK) is provided for integrating icWaves in your custom tools. It contains a documented standard C API (Application Programmers Interface) and an example program that shows how to use the API functions. The Inspector software uses this same API, so all the icWaves features available in Inspector can also be used from your custom software.
- 8 MS memory depth for acquiring a reference trace
- Sample rate up to 200 MS/s with 8 bit resolution (oversampling is used for lower sample rates)
- Reference signal(s) can contain up to 1×1024 or 2×512 samples
- Real-time comparison uses Sum of Absolute Differences (SAD)
- Pattern-to-trigger delay around 250 ns
- Narrow band-pass filter with bandwidth of 1 MHz and adjustable centre frequency from 0 to 400 MHz
TTL-level trigger output (Trigger out):
- Configurable hold off time (5 ns resolution)
- Configurable delay (5 ns resolution)
- Possibility to specify number of patterns to skip before trigger
- Fixed pulse length of 1 microsecond
- Filter in: analog input signal for tunable band-pass filter with selectable sensitivity between 16mV p-p and 128mV p-p , 50 Ω
- Filter out: analog output signal of tuneable band- pass filter, signal level 500mV p-p , 50 Ω
- Signal in: analog input signal, 4V p-p , 50/1M Ω
- Trigger in (1×) / out (2×): TTL-level trigger in/output
- Contact us
Bartek Gedrojc 大虎
- Sales and Business Development Director Tools