Effects of the Position of the Target Register on Correlation Attacks

The correlation attacks described in section 5.3 all target the register at the start of the first round after the initial Add Key operation (apart from Figure 5-4, where there is only an s-box and a register). This was chosen as in the AES design each round was performed in one clock cycle so there were no registers after the s-box and it was a simpler modification to reset the initial register at the start of each encryption than to alter the structure of the round. A simulation of power analysis was performed in Matlab where the target of the attack was a register that stored the results of the substitution. A graph of the correlation from all 256 key values from a simulated DPA attack is shown in Figure 5-9, and an attack on a real FPGA is shown in Figure 5-10, in both cases the correct key value was 43.

Figure 5-9: Graph showing the correlation of the 256 key guesses for the Matlab model of a 1,000 trace correlation attack on AES targeting the algorithm after the S-Box.

Figure 5-10: Correlation of the 256 key guesses for a 30,000 trace correlation attack on an FPGA AES implementation, targeting the algorithm after the s-box.

A number of differences become immediately apparent when comparing this graph to the one shown in Figure 5-2. In Figure 5-2 the variable plaintext byte is XORed with constant key, the statistics are like those described in section 4.3.5.1, with a reduction in the correlation by ¼, in an 8-bit attack, from the maximum for each incorrect bit in a guess. It is significantly easier to extract the correct value from a post s-box attack. This is because there is potentially a high correlation between the predictions for correct and incorrect key hypothesis when the target is (Plaintext XOR KeyGuess) as one bit difference in the key leads to only 1 bit difference in the output. In contrast, as the s-box is a complex, non-linear function then after it is applied a single bit difference in the key guess leads to a vastly different output and hence there is a much lower correlation for incorrect key guesses. As explained by Prouff in [74] the same properties that make an s-box satisfy the propagation criterion to give an algorithm resistance to linear and differential cryptanalysis also make the s-box fundamentally vulnerable to DPA.

Performing a 2-byte power analysis attack has an analogous effect on the correlation; an example is given in Figure 5-11.

Figure 5-11: Graph showing the correlation of the 65,536 key guesses for the Matlab model of a post s-box correlation attack on 2 bytes of AES (2B 7E) with 1,000 traces.

Knowing the position of the registers in the AES design would not always be possible in a realistic situation. If the incorrect position is attacked with the prediction

function clearly this will not give the correct result. It is however unlikely that the result that is given will be confused with the correct one as they look significantly different. If the target is pre s-box when it should be after it then it looks similar to a correct attack, there is no large peak indicating the correct result but there is still the same characteristic shape in the graph, this is because there is still the same pattern in the values of the prediction matrix irrespective of whether any of the predictions are accurate. If the target is post s-box instead of before it then the graph looks significantly different, there are not the same number of levels for the correlation and the highest and lowest values are significantly reduced. This is illustrated in Figure 5-12.

Figure 5-12: Graphs showing the results of a correlation when the attack targets the incorrect side of the s-box, the graph on the left targets post s-box and the graph on the right targets pre

s-box, in both cases the correct key, 43, is not represented by the highest peak.

Figure 5-13 shows three DPA traces where the correlation values have been sorted into descending order. Each has an SNR of 0.25 but a different number of traces. As the number of traces increases the correlation line becomes flatter and it appears that the correlation for incorrect guesses will approach zero. This is however not quite the case, the amount of variability of the calculated values decreases as the number of traces increases. This is discussed further in Chapter 6.

Figure 5-13: Correlation of all 256 key guesses for 3 different numbers of traces arranged in descending order.

5.5 Conclusion

A number of different methods for performing DPA have been developed. A system that records the power consumption of an FPGA configured as an AES core was made and programs that analyse the data were written. Also a method of performing DPA using Modelsim VHDL simulations was made which also proved effective, this creates measurements with much less noise than a real system which means that less power traces are required to perform DPA saving time collecting and processing data. It does only measure register transitions so any information leaked through other sources, such as logic gates, would not show up in these simulations. Additionally a model of DPA was made in Matlab, this allowed even faster experiments to be performed, which is important in order to perform Monte Carlo simulations of a DPA system so the properties of DPA can be better understood, this will be used extensively in Chapter 6.

After gaining experience of collecting and analysing DPA data it was discovered that the choice of the position in the algorithm that is attacked has a significant effect on the results and the number of traces required to successfully retrieve a the value of a byte of the key. If the value targeted is after the s-box then it

is much easier to perform DPA. This is because of the non-linear properties of the s- box, even if there is only a single bit error in the key guess this will lead a significantly different value after the s-box and hence the correlation for an incorrect key guess will be lower and therefore easier to distinguish from the correct value.

Chapter 6 The Statistics of