The security of embedded devices relying on symmetric cryptography can be compromised by Side-Channel Analysis (SCA) attacks, in which adversaries extract keys by exploiting physical leakages. A practical, implementation-agnostic countermeasure is key refreshing, where the key is updated before an attacker can gather enough traces to succeed. However, refreshing too infrequently endangers security, while refreshing too often incurs significant overhead for rekeying and key exchange. Moreover, the optimal refresh rate varies substantially with the device's operating conditions. To address this challenge, this paper introduces ROCKET, a voltage- and temperature-aware rekeying framework that uses an on-chip digital sensor to continuously monitor operating conditions and trigger rekeying when needed during runtime, preventing successful SCA attacks. Indeed, we show that the status reported by the digital sensor (AFN) consolidates the device's leakage rate into a single quantitative value. Therefore, there is no need to map the leakage rate to a 2-input entry (V, T); it can be captured solely by the sensor's AFN scalar metric. ROCKET is validated across a wide voltage-temperature grid on FPGA hardware and evaluated on different FPGA boards to demonstrate robustness against process variation. ROCKET enables secure and adaptive key refreshing without modifying the underlying cryptographic implementation, making it suitable for constrained or legacy embedded platforms where integrating SCA-resistant designs is impractical.

I. INTRODUCTION

Embedded devices process data at the edge, making trustworthy operation crucial. To this end, they are equipped with security features such as secure boot and protection of data at rest and in transmission. Thus, it is necessary not only to incorporate cryptographic modules into these devices, but also to ensure that such primitives resist Side-Channel Analysis (SCA) attacks, where an adversary extracts keys, and thus the sensitive data processed by the device, by measuring physical leakages (e.g., power or electromagnetic emissions) and correlating them with key-dependent hypothetical leakage models. To mitigate SCA attacks, various schemes have been proposed. We classify those strategies into two broad classes: 1) those that aim at avoiding leakage through specialized cryptographic implementations, and 2) those that aim at making attacks impractical on a standard (i.e., leaky) cryptographic implementation. In this paper, we focus on a method that falls into the second category and is therefore less intrusive to the device specification. Specifically, we are interested in key refreshing (aka rekeying), which ensures that the encryption key is ephemeral. The idea is to keep the key's lifetime shorter than the duration required for a successful SCA. Since SCA correlation requires multiple traces to reliably distinguish key-byte hypotheses, frequently updating the key prevents the attacker from gathering enough consistent traces to recover the key. This strategy requires estimating the attacker's ability to collect traces over
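The following Python simulation is an added illustration of the key-lifetime argument above; it is not the paper's ROCKET implementation and reuses none of its code. It assumes (these are constructed assumptions, not values from the paper) a calibration table mapping a scalar sensor reading, called AFN here as in the abstract, to the number of traces an attacker is estimated to need for key recovery, a safety factor of one half, and HMAC-SHA256 key derivation from a root key per epoch. It compares a sensor-driven refresh budget against two static schedules over a workload whose operating conditions change mid-run, and reports how many rekeys each policy performs and the worst-case fraction of the attacker's trace budget that was ever exposed under one key.

```python
"""Adaptive rekeying scheduler (illustrative example, not the paper's code).

Assumptions (constructed for this example, not taken from the paper):
- A digital sensor yields a scalar reading (AFN) per cryptographic operation;
  a higher reading is taken to mean a higher leakage rate, i.e. fewer traces
  needed for a successful SCA.
- CALIBRATION maps AFN to the estimated attacker trace budget; a real table
  would come from SCA characterization of the device across V/T corners.
- Session keys are derived from a root key with HMAC-SHA256 per epoch.
"""
import hashlib
import hmac

# Constructed calibration: (AFN reading, traces an attacker is estimated to need).
CALIBRATION = [
    (0.0, 5000),
    (0.4, 2000),
    (0.7, 800),
    (1.0, 300),
]

SAFETY_FACTOR = 0.5  # rekey once half the estimated attacker budget is consumed


def traces_needed(afn: float) -> int:
    """Piecewise-linear interpolation of the calibration table, clamped at its ends."""
    afn = min(max(afn, CALIBRATION[0][0]), CALIBRATION[-1][0])
    for (a0, t0), (a1, t1) in zip(CALIBRATION, CALIBRATION[1:]):
        if a0 <= afn <= a1:
            frac = (afn - a0) / (a1 - a0)
            return int(round(t0 + frac * (t1 - t0)))
    return CALIBRATION[-1][1]


def adaptive_budget(afn: float) -> int:
    """Sensor-driven key lifetime: a fixed fraction of the current attacker budget."""
    return max(1, int(traces_needed(afn) * SAFETY_FACTOR))


def derive_key(root_key: bytes, epoch: int) -> bytes:
    """Fresh 128-bit session key for the given epoch (assumed derivation scheme)."""
    return hmac.new(root_key, epoch.to_bytes(8, "big"), hashlib.sha256).digest()[:16]


class RekeyScheduler:
    """Counts operations (each one a trace for the attacker) under the current key
    and rekeys when the count reaches the policy's budget for the current reading.
    If conditions worsen so that the count already exceeds the new budget, the
    rekey happens immediately on the next operation."""

    def __init__(self, root_key: bytes, budget_fn):
        self.root_key = root_key
        self.budget_fn = budget_fn
        self.epoch = 0
        self.key = derive_key(root_key, 0)
        self.traces_under_key = 0
        self.rekeys = 0

    def operation(self, afn: float):
        """One cryptographic operation at sensor reading `afn`. Returns (key, rekeyed)."""
        rekeyed = False
        if self.traces_under_key >= self.budget_fn(afn):
            self.epoch += 1
            self.key = derive_key(self.root_key, self.epoch)
            self.traces_under_key = 0
            self.rekeys += 1
            rekeyed = True
        self.traces_under_key += 1
        return self.key, rekeyed


def simulate(readings, budget_fn, root_key: bytes = b"constructed-root-key") -> dict:
    """Run a policy over a sequence of AFN readings. `max_exposure` is the largest
    fraction of the attacker's estimated budget ever accumulated under one key;
    a value >= 1.0 means the attacker could have collected enough traces."""
    sched = RekeyScheduler(root_key, budget_fn)
    max_exposure = 0.0
    for afn in readings:
        sched.operation(afn)
        max_exposure = max(max_exposure, sched.traces_under_key / traces_needed(afn))
    return {"rekeys": sched.rekeys, "max_exposure": max_exposure}


# Constructed workload: 3000 operations in a low-leakage condition, then 1000 in a
# high-leakage condition (e.g. after a voltage/temperature shift).
WORKLOAD = [0.0] * 3000 + [1.0] * 1000


def compare_policies(readings=WORKLOAD) -> dict:
    return {
        "adaptive": simulate(readings, adaptive_budget),
        "static_2000": simulate(readings, lambda afn: 2000),
        "static_150": simulate(readings, lambda afn: 150),
    }


if __name__ == "__main__":
    for name, result in compare_policies().items():
        print(f"{name:12s} rekeys={result['rekeys']:3d} max_exposure={result['max_exposure']:.2f}")
```

On this workload the static 2000-operation schedule is cheap but leaves the key exposed for several times the attacker's budget once conditions worsen, the static 150-operation schedule stays safe only by rekeying far more often, and the sensor-driven schedule holds the same exposure bound with a fraction of the rekeys, which is the trade-off the abstract describes. Note that the simulation counts only operations under one key; the cost of the key exchange that accompanies each rekey in a real deployment is not modelled.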
Hasin Ishraq Reefat
Hossein Pourmehrani
Jean-Luc Danger
www.synapsesocial.com/papers/69d8948f6c1944d70ce058a7 — DOI: https://doi.org/10.13016/m2tgho-fj6q