2.1.1 Simple Power Analysis
Simple Power Analysis (SPA) is a side-channel attack first introduced by Kocher et al. in [101] as “a technique that involves directly interpreting power consumption measurements collected during cryptographic operations”. The goal of an SPA attack is to obtain information about the device under attack from few power traces, even a single one. The information revealed ranges from the algorithm being executed up to the cryptographic key in a completely successful attack.
Suppose the attacker localizes the instant at which an instruction manipulating sensitive data is executed (e.g. loading part of the secret key into the accumulator). The amplitude of the power trace at that instant varies with the Hamming Weight (HW, the number of bits set to 1) of the key data being manipulated. An experienced attacker with a reference consumption model can therefore estimate the HW of the key data from the power amplitude.
Another scenario is an implementation in which the instructions executed depend on the data (e.g. a conditional branch on the value of a bit). If the attacker knows the implementation and can localize the execution of the algorithm in the power trace, the processed data can be derived from the duration of the operations. When different instructions take different amounts of time, sections of the power trace can be assigned to the concrete instructions executed.
There are thus two different sources for an attack, amplitude and timing, although authors typically reserve the term SPA for the amplitude-based ones.
SPA attacks require detailed knowledge about the implementation of the algorithm in the device. The attack process starts with a thorough analysis of the target device and its implementation of the algorithm: how the algorithm is implemented, where the points of interest lie in the trace, and the characteristics of the target device itself.
Descriptions of profiling methods go back to 1999, when Biham and Shamir [28] described a method to map parts of a power trace to the key scheduling operation of the AES algorithm. Power traces of a device similar to the target, executing the AES algorithm, were analyzed. Profiling does not require many traces from the device under attack (scarcity of traces from the target is precisely the limitation SPA is meant to overcome), but it does need traces from similar devices in order to gain experience and build a model. In [68], Fahn and Pearson describe the profiling stage of their attack, Inferential Power Analysis (IPA). Their profiling stage covers every round of the Data Encryption Standard (DES) algorithm, since each round executes the same code with different arguments.
In [122] and [6], the authors describe the process followed to extract a model of an 8-bit microcontroller before attacking a device. In [7], the authors derive their own model of the smart cards from experience, after finding that the published models did not fit their devices.
Simple Power Analysis comprises three major attack families: Visual Inspection, Template and Collision Attacks.
Visual Inspection requires great personal knowledge from the attacker about the implementation of the algorithm and the device. An example is [101], where the authors highlight the visual recognition of the DES algorithm and its 16 rounds. At higher resolution the authors point out the different rotations of the key, based on the repetition of a concrete pattern inside the power trace of a round. Moreover, they distinguish individual instructions, so they can tell whether a conditional branch skipped a jump instruction. All these results can provide useful information for other attacks, even when they fail to extract the key.
It is possible to reverse engineer the code a device executes during the encryption algorithm using SCA, a technique known as SCA Reverse Engineering (SCARE). It was first applied in [146] using Self-Organizing Maps. In [66] the authors extract the code executed by an 8-bit PIC microcontroller with hidden Markov Models. If the software implementation is known and contains data-dependent or key-dependent branches, this technique makes it possible to distinguish which path was taken, which in turn reveals information about the data manipulated.
Template attacks were introduced by Chari et al. [43]. In a template-based power analysis attack, the attacker is assumed to know the power consumption characteristics of some instructions of a device. This characterization is stored and called a template. Templates are then used as follows: in a template-based DPA attack, the attacker matches the templates built for the different key hypotheses against the recorded power traces, and the templates that match best indicate the key. This type of attack is the best attack in an information-theoretic sense, see [43].
Template attacks compare the power trace of the attack with templates created in a previous analysis, following the maximum-likelihood decision rule. In the profiling stage, the characterization phase, a template is created from power traces as a multivariate normal distribution, defined by its mean vector and its covariance matrix. Templates can be built per instruction-operand pair or per data-key pair. Once every possible value has its template (e.g. every key-value pair), the comparison with the power trace of the device under attack can be done. This second stage, the matching phase, evaluates the probability density function of the multivariate normal distribution of every template at the recorded trace. The template with the highest probability indicates the correct key.
Some difficulties emerge when characterizing a real device. Power traces sharing the same source data (instruction-operand, data-key) are grouped, the points of interest are selected, and the mean vector and covariance matrix are computed from them. More points of interest carry more information, but the size of the covariance matrix grows quadratically with their number, and with it the number of profiling traces needed to estimate it reliably. The attacker must find a compromise that depends on the device under attack. These attacks were first described in [43].
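The two phases described above, as an added worked example written for this page (not code from the thesis or from [43]): the characterization phase builds one multivariate-normal template per Hamming-weight class of an AES S-box output on a clone with a known key, and the matching phase sums the log-likelihood of every key hypothesis over the attack traces. The simulated device, its trace layout, the points of interest, the gains, the noise level and both key bytes are constructed assumptions; it is pure Python and runs offline:

```python
import math
import random

# Constructed target: one AES S-box lookup whose output Hamming weight leaks at two
# samples of a six-sample trace. Device, gains, noise and keys are assumptions.
NUM_SAMPLES = 6           # samples per trace
POIS = [1, 4]             # points of interest: the samples that leak the S-box output
GAINS = {1: 1.0, 4: 0.6}  # leakage gain per Hamming-weight unit at each POI
NOISE_SIGMA = 0.7         # Gaussian noise on every sample
SECRET_KEY = 0xC3         # key byte of the device under attack (unknown to the attacker)
PROFILE_KEY = 0x5A        # key byte programmed into the clone used for profiling


def aes_sbox():
    """Build the AES S-box: GF(2^8) inverse followed by the affine map."""
    def rotl(x, s):
        return ((x << s) | (x >> (8 - s))) & 0xFF
    sbox = [0] * 256
    p = q = 1                                   # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= q << 1                                             # q /= 3
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                              # 0 has no inverse
    return sbox


def hamming_weight(x):
    return bin(x).count("1")


def capture_trace(key_byte, pt_byte, rng, sbox):
    """Simulate one power trace of S-box(pt ^ key) on the constructed device."""
    hw = hamming_weight(sbox[pt_byte ^ key_byte])
    return [2.0 + 0.3 * t + GAINS.get(t, 0.0) * hw + rng.gauss(0.0, NOISE_SIGMA)
            for t in range(NUM_SAMPLES)]


def cholesky(a):
    """Lower-triangular L with L*L^T = a (a symmetric positive definite)."""
    n = len(a)
    L = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            s = a[i][j] - sum(L[i][k] * L[j][k] for k in range(j))
            L[i][j] = math.sqrt(s) if i == j else s / L[j][j]
    return L


def build_templates(sbox, rng, traces_per_value=40):
    """Characterization phase on the clone: (mean vector, covariance) per Hamming-weight class."""
    groups = {hw: [] for hw in range(9)}
    for v in range(256):                        # chosen plaintexts cover every S-box output
        pt = v ^ PROFILE_KEY
        for _ in range(traces_per_value):
            tr = capture_trace(PROFILE_KEY, pt, rng, sbox)
            groups[hamming_weight(sbox[v])].append([tr[i] for i in POIS])
    templates = {}
    for hw, rows in groups.items():
        n, d = len(rows), len(POIS)
        mean = [sum(r[i] for r in rows) / n for i in range(d)]
        cov = [[sum((r[i] - mean[i]) * (r[j] - mean[j]) for r in rows) / (n - 1)
                for j in range(d)] for i in range(d)]
        templates[hw] = (mean, cholesky(cov))   # keep the Cholesky factor for matching
    return templates


def log_likelihood(x, template):
    """Log of the multivariate normal density of observation x under the template."""
    mean, L = template
    n = len(mean)
    y = []                                      # solve L*y = x - mean (forward substitution)
    for i in range(n):
        s = x[i] - mean[i] - sum(L[i][k] * y[k] for k in range(i))
        y.append(s / L[i][i])
    logdet = 2.0 * sum(math.log(L[i][i]) for i in range(n))
    return -0.5 * (n * math.log(2 * math.pi) + logdet + sum(t * t for t in y))


def template_attack(traces, plaintexts, templates, sbox):
    """Matching phase: rank key hypotheses by summed log-likelihood over the attack traces."""
    scores = []
    for k in range(256):
        total = 0.0
        for tr, pt in zip(traces, plaintexts):
            hw = hamming_weight(sbox[pt ^ k])
            total += log_likelihood([tr[i] for i in POIS], templates[hw])
        scores.append(total)
    return max(range(256), key=scores.__getitem__)


def run_attack(seed=1, attack_traces=50):
    """Profile on the clone, then recover SECRET_KEY from the device under attack."""
    rng = random.Random(seed)
    sbox = aes_sbox()
    templates = build_templates(sbox, rng)
    pts = [rng.randrange(256) for _ in range(attack_traces)]
    traces = [capture_trace(SECRET_KEY, pt, rng, sbox) for pt in pts]
    return template_attack(traces, pts, templates, sbox)


if __name__ == "__main__":
    print("recovered key byte: 0x%02x (true 0x%02x)" % (run_attack(), SECRET_KEY))
```

Two points of interest keep every covariance matrix 2x2 and its 40-trace estimate well conditioned; adding points gives the matching phase more information but enlarges the matrix to estimate, which is the compromise discussed above. Templates here are indexed by the Hamming-weight class rather than by the 256 output values, which is the usual way to keep the number of templates, and hence the profiling effort, small.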
Collision attacks exploit the coincidence of an intermediate value in two different encryption runs. If two different plaintexts (or ciphertexts) share an intermediate value, detected through SPA, the set of possible key values is reduced to a subset. There is more than one point at which the collision of the two encryptions can be detected, because an intermediate value is manipulated at more than one point: loaded into the accumulator, operated on, stored to memory, and so on. The collision itself is detected with the previously described attacks (mainly template attacks). Collision attacks were first applied by Wiemers and Schramm et al. [159], identifying collisions in a power trace of a DES implementation, followed by their application to AES [157]. These attacks were enhanced in [108] by including almost-collisions (many more points of interest that reduce the possible key values) for Feistel ciphers.
To reduce the number of traces required, the attacker also looks for one-byte collisions inside a single execution. In [29], the target is the S-box transformation of AES, which is executed 16 times per round and 160 times per execution. The attack has a 99% probability of success with only 7 traces, known plaintext and $2^{34.74}$ offline operations.
The cryptanalytic method employed determines the offline work and the power of the attack. In [29] a system of linear equations is built from the S-box instances that collide, using the linear operations of the S-box. In [33] a system of non-linear equations is built from both the linear and the non-linear operations of the S-box. Collision detection may not be feasible at high noise levels. Multiple-Differential Side-Channel Collision Attacks (MDCA) [31] combine detection methods with the cryptanalytic methods above. The proposed detection methods are averaging, binary voting and ternary voting; all of them require several measurements with the same input, which makes them infeasible in some scenarios. The binary voting scheme discards the traces that differ from the rest by more than a set threshold before averaging. Ternary voting compares against a reference trace, which requires a profiling stage.
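As an added illustration of the linear collision idea of [29] and the averaging method of [31] (example code written for this page, not taken from those papers): the simulated device leaks each first-round S-box input $p_i \oplus k_i$ in a short trace segment, repeated measurements of the same input are averaged, every S-box instance of every run is compared with every other by Euclidean distance, and each detected collision yields one linear relation $k_i \oplus k_j = p_i \oplus p_j$. The leakage function, segment layout, noise level, detection threshold and the use of the FIPS-197 example key as the unknown key are constructed assumptions:

```python
import math
import random

# Constructed target: AES first round, 16 S-box instances, each leaking its input byte
# p[i] ^ k[i] over SEG_LEN samples. Layout, leakage, noise and threshold are assumptions.
NUM_SBOX = 16      # S-box instances in round 1, one per key byte
SEG_LEN = 4        # samples per S-box instance in the trace
NOISE_SIGMA = 0.5
# FIPS-197 example key, playing the role of the unknown key of the device under attack
SECRET_KEY = [0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
              0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c]


def segment_leakage(v):
    """Constructed leakage of byte v: sample t encodes bits 2t and 2t+1 as a level 0..3,
    so two different bytes differ by at least 1.0 in at least one sample."""
    return [float((v >> (2 * t)) & 3) for t in range(SEG_LEN)]


def capture_trace(key, pt, rng):
    """One noisy trace: 16 consecutive segments, segment i leaking pt[i] ^ key[i]."""
    trace = []
    for i in range(NUM_SBOX):
        for level in segment_leakage(pt[i] ^ key[i]):
            trace.append(1.5 + level + rng.gauss(0.0, NOISE_SIGMA))
    return trace


def averaged_trace(key, pt, rng, repeats=64):
    """Averaging method: measure the same input repeatedly and average the traces."""
    acc = [0.0] * (NUM_SBOX * SEG_LEN)
    for _ in range(repeats):
        for n, s in enumerate(capture_trace(key, pt, rng)):
            acc[n] += s
    return [a / repeats for a in acc]


def segment(trace, i):
    return trace[i * SEG_LEN:(i + 1) * SEG_LEN]


def detect_collisions(avg_traces, plaintexts, threshold=0.5):
    """Compare every S-box instance of every run with every other one. A collision between
    instance i of run a and instance j of run b means pt_a[i] ^ k[i] == pt_b[j] ^ k[j],
    i.e. k[i] ^ k[j] == pt_a[i] ^ pt_b[j]. Returns (i, j, k[i]^k[j]) relations."""
    instances = [(r, i) for r in range(len(avg_traces)) for i in range(NUM_SBOX)]
    relations = set()
    for a in range(len(instances)):
        ra, ia = instances[a]
        seg_a = segment(avg_traces[ra], ia)
        for b in range(a + 1, len(instances)):
            rb, ib = instances[b]
            if ia == ib:            # same key byte: this collision reveals nothing about the key
                continue
            if math.dist(seg_a, segment(avg_traces[rb], ib)) < threshold:
                d = plaintexts[ra][ia] ^ plaintexts[rb][ib]
                relations.add((min(ia, ib), max(ia, ib), d))
    return sorted(relations)


def key_candidates(relations):
    """Propagate the XOR relations from key byte 0. When the relations connect all 16 bytes,
    the key is known up to the 256 values of byte 0: one candidate per value (None if some
    byte stays unreachable). Raises on contradictory relations, i.e. a false collision."""
    candidates = []
    for k0 in range(256):
        key = [None] * NUM_SBOX
        key[0] = k0
        changed = True
        while changed:
            changed = False
            for i, j, d in relations:
                if key[i] is not None and key[j] is None:
                    key[j], changed = key[i] ^ d, True
                elif key[j] is not None and key[i] is None:
                    key[i], changed = key[j] ^ d, True
                elif key[i] is not None and key[j] is not None and key[i] ^ key[j] != d:
                    raise ValueError("contradictory relations: a false collision was accepted")
        candidates.append(key if None not in key else None)
    return candidates


def run_collision_attack(seed=7, runs=16):
    rng = random.Random(seed)
    pts = [[rng.randrange(256) for _ in range(NUM_SBOX)] for _ in range(runs)]
    avg = [averaged_trace(SECRET_KEY, pt, rng) for pt in pts]
    relations = detect_collisions(avg, pts)
    return relations, key_candidates(relations)


if __name__ == "__main__":
    rels, cands = run_collision_attack()
    print(len(rels), "relations; true key among the candidates:", SECRET_KEY in cands)
```

The relations determine the key up to the 256 values of byte 0; the final step, checking each candidate against one known plaintext/ciphertext pair, is not shown. Lowering `repeats` raises the noise on the averaged segments until the fixed threshold starts missing true collisions or accepting false ones, which is the failure mode the voting schemes of [31] address; a false collision shows up here as the contradiction raised by key_candidates.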
Attack             Channel             Previous effort   Required knowledge   Efficacy
Visual Inspection  Amplitude and Time  Low               High                 Medium
Template           Amplitude and Time  High              High                 High*
Stochastic         Amplitude           High              Medium               High*

* Template higher than Stochastic with a high number of profiling samples

Table 2.1: SPA summary
Advanced stochastic methods have turned out to be efficient tools for optimizing pure timing attacks and combined timing and power attacks. With them, the efficiency of some known attacks could be increased considerably (up to a factor of fifty) [156].
The Stochastic Model [156] assumes that the physical observable $I_t(x, k)$ at time $t$ is composed of two parts, a data-dependent part $h_t(x, k)$, a function of the known data $x$ and the subkey $k$, and a noise term $R_t$ with zero mean, both seen as stochastic variables: $I_t(x, k) = h_t(x, k) + R_t$.
The attack consists of two main phases: a profiling phase and a key extraction phase. Key extraction applies the “maximum likelihood principle” between model and traces. The “minimum principle” can also be applied, as shown in [156]: although it is less efficient for key extraction, it requires fewer measurements.
Gierlichs et al. [77] show that with a low number of profiling measurements stochastic methods are more efficient than Template attacks, whereas with a high number of profiling samples Templates achieve superior results.
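The two phases of the stochastic model, as an added example written for this page (not the code of [156] or [77]): the profiling phase fits by least squares the coefficients of a linear leakage subspace $h_t(x,k) = \beta_{t,0} + \sum_{b=0}^{7} \beta_{t,b+1}\,\mathrm{bit}_b(x \oplus k)$ on a device with a known key, and key extraction applies the minimum principle, selecting the key byte that minimises the squared residual between the attack traces and the fitted model. The true coefficients, noise level, sample count and both key bytes of the simulated device are constructed assumptions:

```python
import random

# Constructed target: I_t(x,k) = h_t(x,k) + R_t with h_t linear in the bits of x ^ k.
# TRUE_BETA, the noise level and the key bytes are assumptions, not measurements.
NUM_SAMPLES = 3
NOISE_SIGMA = 0.8
SECRET_KEY = 0x3D        # key byte of the device under attack (unknown to the attacker)
PROFILE_KEY = 0xA7       # known key byte of the profiling device
TRUE_BETA = [[1.0 + t] + [0.3 + 0.1 * ((b + 2 * t) % 8) for b in range(8)]
             for t in range(NUM_SAMPLES)]   # per sample t: offset, then one weight per bit


def basis(x, k):
    """Basis vector of the linear subspace: constant term and the 8 bits of x ^ k."""
    v = x ^ k
    return [1.0] + [float((v >> b) & 1) for b in range(8)]


def capture_trace(key, x, rng, beta=TRUE_BETA):
    """I_t(x,k) for every t: deterministic part h_t plus zero-mean Gaussian noise R_t."""
    g = basis(x, key)
    return [sum(c * f for c, f in zip(beta[t], g)) + rng.gauss(0.0, NOISE_SIGMA)
            for t in range(NUM_SAMPLES)]


def solve(a, y):
    """Gauss-Jordan elimination with partial pivoting for the 9x9 normal equations a*beta = y."""
    n = len(a)
    m = [row[:] + [yi] for row, yi in zip(a, y)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[piv] = m[piv], m[c]
        for r in range(n):
            if r != c:
                f = m[r][c] / m[c][c]
                m[r] = [mr - f * mc for mr, mc in zip(m[r], m[c])]
    return [m[i][n] / m[i][i] for i in range(n)]


def profile(rng, n_traces=2000):
    """Profiling phase: least-squares estimate of beta_t for every t on the known-key device."""
    xs = [rng.randrange(256) for _ in range(n_traces)]
    traces = [capture_trace(PROFILE_KEY, x, rng) for x in xs]
    G = [basis(x, PROFILE_KEY) for x in xs]
    gtg = [[sum(g[i] * g[j] for g in G) for j in range(9)] for i in range(9)]
    fitted = []
    for t in range(NUM_SAMPLES):
        gty = [sum(g[i] * tr[t] for g, tr in zip(G, traces)) for i in range(9)]
        fitted.append(solve(gtg, gty))
    return fitted


def extract_key(traces, xs, beta_hat):
    """Key extraction by the minimum principle: the key hypothesis whose fitted model
    h*_t(x,k) leaves the smallest squared residual against the attack traces."""
    def residual(k):
        r = 0.0
        for tr, x in zip(traces, xs):
            g = basis(x, k)
            for t in range(NUM_SAMPLES):
                r += (tr[t] - sum(c * f for c, f in zip(beta_hat[t], g))) ** 2
        return r
    return min(range(256), key=residual)


def run_attack(seed=3, attack_traces=120):
    """Profile on the known-key device, then attack the device holding SECRET_KEY."""
    rng = random.Random(seed)
    beta_hat = profile(rng)
    xs = [rng.randrange(256) for _ in range(attack_traces)]
    traces = [capture_trace(SECRET_KEY, x, rng) for x in xs]
    return extract_key(traces, xs, beta_hat), beta_hat


if __name__ == "__main__":
    key, beta_hat = run_attack()
    print("recovered 0x%02x, true 0x%02x" % (key, SECRET_KEY))
    print("fitted bit weights at t=0:", [round(c, 2) for c in beta_hat[0][1:]])
```

The nine coefficients per sample are the whole profile, which is why the model needs far fewer profiling traces than a template per value. The maximum likelihood variant weights the residuals with the estimated noise covariance of $R_t$ across samples; the minimum principle above skips that estimation, matching the trade-off stated in the text.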
Table 2.1 shows a summary of the characteristics of SPA.
SPA requires great knowledge on the attacker's side. Therefore, in the evaluation framework used in this Ph.D. thesis, described in Chapter 3, we consider an attacker who knows the algorithm, the target and the leakage model, and who has aligned and pre-processed traces.