{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,18]],"date-time":"2026-01-18T03:18:35Z","timestamp":1768706315217,"version":"3.49.0"},"reference-count":0,"publisher":"Universitatsbibliothek der Ruhr-Universitat Bochum","issue":"1","license":[{"start":{"date-parts":[[2026,1,16]],"date-time":"2026-01-16T00:00:00Z","timestamp":1768521600000},"content-version":"unspecified","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["TCHES"],"abstract":"<jats:p>Embedded devices that are physically unreachable or contained within tamperproof enclosures are often considered naturally resilient to physical side-channel attacks. We present an active EM side-channel attack technique that enables sidechannel attacks across the security boundaries introduced by these physical security measures. Our technique actively induces side-channel leakage based on a relay mechanism, which serves as a means of leakage propagation from the cryptographic IC to the attacker via intermediate Relay Points located within the boundary. In the first leakage path, the instantaneous current consumption caused by transistor switching inside the cryptographic IC affects the impedance of nearby nonlinear elements (such as regulators) that act as Relay Points. This phenomenon is inevitable due to the necessity of the regulator\u2019s operations to ensure the provision of a stable voltage to the cryptographic IC. In the second path, EM waves irradiated by the attacker from outside the security boundary create a leakage channel where reflected waves are modulated by the impedance variation of Relay Points, and leak outside as side-channel information. We experimentally demonstrate that side-channel attacks can be performed from the power cable on the primary side of an AC\/DC adapter, even in environments protected by physical security measures, including a shielded box and ferrite cores. This attack can be executed non-invasively using EM waves in the hundreds of MHz band, and has the advantage of being able to actively control the presence and intensity of leakage. The proposed attack technique may be applicable in a wide range of applications as it exploits the behavior of nonlinear elements present in all embedded systems. As countermeasures against the proposed attack, we discuss the effectiveness of EM fault sensors for detecting continuous wave irradiation, induced EM interference detectors with broadband monitoring capabilities, and tamper detection systems utilizing radio frequencies. This research highlights the importance of considering active EM measurements as a new threat model in physical security evaluations.<\/jats:p>","DOI":"10.46586\/tches.v2026.i1.376-401","type":"journal-article","created":{"date-parts":[[2026,1,16]],"date-time":"2026-01-16T15:13:39Z","timestamp":1768576419000},"page":"376-401","source":"Crossref","is-referenced-by-count":0,"title":["Active Electromagnetic Side-Channel Analysis: Crossing Physical Security Boundaries through Impedance Variations"],"prefix":"10.46586","volume":"2026","author":[{"given":"Taiki","family":"Kitazawa","sequence":"first","affiliation":[]},{"given":"Lennert","family":"Wouters","sequence":"additional","affiliation":[]},{"given":"Benedikt","family":"Gierlichs","sequence":"additional","affiliation":[]},{"given":"Daisuke","family":"Fujimoto","sequence":"additional","affiliation":[]},{"given":"Ingrid","family":"Verbauwhede","sequence":"additional","affiliation":[]},{"given":"Yuichi","family":"Hayashi","sequence":"additional","affiliation":[]}],"member":"25480","published-online":{"date-parts":[[2026,1,16]]},"container-title":["IACR Transactions on Cryptographic Hardware and Embedded Systems"],"original-title":[],"link":[{"URL":"https:\/\/tches.iacr.org\/index.php\/TCHES\/article\/download\/12686\/12368","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/tches.iacr.org\/index.php\/TCHES\/article\/download\/12686\/12368","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,1,16]],"date-time":"2026-01-16T15:13:40Z","timestamp":1768576420000},"score":1,"resource":{"primary":{"URL":"https:\/\/tches.iacr.org\/index.php\/TCHES\/article\/view\/12686"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,1,16]]},"references-count":0,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2026,1,16]]}},"URL":"https:\/\/doi.org\/10.46586\/tches.v2026.i1.376-401","relation":{},"ISSN":["2569-2925"],"issn-type":[{"value":"2569-2925","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,1,16]]}}}