) 7 1 0 2 E C E C ( g n ir e e n i g n E n o it a c i n u m m o C d n a s c i n o r t c e l E , r e t u p m o C n o e c n e r e f n o C l a n o it a n r e t n I 7 1 0 2 8 7 9 : N B S
I -1-60595- 64 -9 7
t
n
e
m
n
g
il
A
f
o P
o
w
e
r
T
r
a
c
e
B
a
s
e
d
n
o W
a
v
e
l
e
t
A
n
a
l
y
s
i
s
d
n
a C
r
o
s
s
C
o
r
r
e
l
a
it
o
n
g
n
o
R
W
A
N
G
,
Qi-
m
i
n
g
Z
H
A
N
G
,
S
h
a
o
-
q
i
n
g
I
L
a
n
d
X
i
n
g
- u
y E
N
I
l a n o it a
N Universtiy fo Defense Technology, 410005,Changsha, Hunan,China
: s d r o w y e
K Waveletanalysis,Cross correlaiton,Ailgnment, Eucildeandistance.
t c a r t s b
A . In et h study fo poweranalysisattack, et h unaligned signals w illincrease et h difficulty fo s i s y l a n
a , causing et h attack si difficutl ot succeed. This paper presents a method fo powercurves t n e m n g i l
a based no waveletanalysis da n crosscorrelaiton. eT h methoduses et h wavelettransform ot e s i o n e
d et h originalpowertrace, da n then ailgn et h tracebased no et h crosscorrelaiton alignment . m h t i r o g l
a A endt h effect fo et h ailgnmentw asverified by Euclideandistance da Cn orrelati onPower s i s y l a n
A (CPA). T heexperimental results show that et h method nc a achieve good dataalignment t
c e f f
e da n improve et h attacksuccessrate.
Introduciton
h t i
W t he development fo telecommunication a ind ntegrated circuit techniques, encryption n
h c e
t ologies have found na increasingly wide utiilzation ni a ll fields. Most encryption si d e t n e m e l p m
i yb integratedcircuitchips. Cryptographicchipsecuritythreats ea r growing da n become a serious problem. A malicious tatacker nc a obtain et h k yey b monitoring et h physical leakage
n o i t a m r o f n
i such sa current ro voltage no et h p in,theseunconventionalattackmethods rf o getting et h y
e
k namedsidechannelattack(SCA). Poweranalysisattack si eo fn o et h commontypes fo SCA[ . 1] n
I et h process fo datacollection, et h effectivedata si often annihilated yb noise, da en d ou t et h T
V
P (ProcessVoltageTemperature)deviation,environmentbias,clock jitter da n otherfactors, time e c n e r e f f i
d between et h powertrace si various.Analyzing et h originaldatawtihoutalignmentw illlead o
t lower efficiency da n even attack fails. oS ti si particularly important ot eliminate et h noise da n n
g i l
a et h data. n
I et h field fo power analysisattack, et h common denoising methods ea r Principal Component ) A C P ( s i s y l a n
A [2 5~ ], Kalman filtering method[ , 6] empirical mode decomposition(EMD)[ , 7] h
t r u o
F -order cumulant method[ , 8] wavelet analysis[9,10] a nd e tc. T he wavelet analysis means e s o p m o c e
d et h noisysignals ni et h frequencyphase da n remove et h highfrequency par,twhich sh a e l b a r a p m o c n
i vad antages ni noiseelimination ni et h field fo poweranalysisattacks.Commonlyused m r o f e v a
w alignmentmethods ea r phasecorrelationalgorithm,leastsquaresmethod da n correlation t n e i c i f f e o
c method. tA presen,t et h most commonly used waveform alignment em thod ni power s i s y l a n
a si phase correlation algorithm. Howeve,r ti w ill occur matching rer or when processing s
e v r u
c w ithmultiplepointed peaks. T heAESencryptionalgorithmused ni ro u designw illproduce s
e v r u
c w ith multiplespikesduring et h encryption process.Therefore, rf eo t h firsttime, ew eu es t h s
s o r
c correlation ot perform et h curve alignmen ,t a end u es t h Euclidean distance ot check et h t n e m n g i l
a effec.t nI sthi pape,r et h wavealignmentmethod based no et h crosscorrelationalgorithm d
n
a waveletanalysis si a goodsoluti oont et h influence fo waveoffset da n noise no poweranalysis.
Theoreitc Analyssi
y c n e u q e r
F -based denoising methods include wavelet decomposition a nd traditional Fourier . m r o f s n a r
t Because et h Fouriertransformdoes tn o guarantee et h strict eo - on t - eo n correspondence ni e
h
t transition from et h frequency domain ot et h itmedomain, et h time domain information fo et h l
a n g i
s si los.t T hewavelet transform transforms et h signal from et h timedomain ot et h frequency , n i a m o
d e s u c o
f no usingwavelettransformdenoising.T hecrosscorrelationalignmentalgorithmcombines e
h
t Z-scorenormalizationmethodw eitht h crosscorrelationalgorithm ot align et h powertrace.
W eav l D oet e i gn isn
t e l e v a
W decomposition si et h conversion fo et h signalfromtimedomain ot itmedomain.Compared o
t et h Fouriertransform, et h wavelettransformwindow si basically ifxed, tb eu t h shape si variable, d
n
a et h waveletbasis nc ea b translated da n scaled ot approximate ya n details fo signa,l yb which ew e
t e l p m o
c et t eh im -frequencyanalysis fo signals. e
h
T powertracecollected yb poweracquistiion platform ea r recorded sa )r , (t WTr( τ) sa, i et h s
u o u n i t n o
c wavelettransform fo )r : (t
) ( , ) ( )
( ) ( r ) , ( T
W r aτ =
∫
R tψaτ tdt=<r t ψaτ t > (1)a si scailngfactor da n τ i est h translationfacto,rswitchi engo -n dimensional itmedomainsignals ot o
w
t -dimensional phase planes through et h two factors nc a show et h time-frequency properties fo l
a n g i
s s[11]. ψaτ( nt)i et h equaitonknown sa waveletbasis.
1 ( )
) (
τ
τ ψ
ψa t = t−
a
a (2)
t e l e v a
W denoising si na importantapplicaiton fo waveletdecomposition. tI decomposes et h signal )
t (
r ta differentscales da en t h signals become et bh s -u signals fo differentfrequencybands.Take et h y
s i o
n signalr(k) sa et h example ot explain who et h waveletdenoisingworks.
1 ,
1 , 0 )
( ) ( )
(k = f k +e k k= …,n−
r (3)
) k (
r si et h originalnoisysigna,l f )( sk i et h desiredsigna.l e )( sk i et h noise. e )( k usuallydistributed n
i et h highfrequencyp darta n f(k) usuallydistributed ni et wh lo frequencypar.tTherefore,after et h t
e l e v a
w decomposiiton fo et h signa,l ew select et h reasonable threshold ot deal w eith t h wavelet t
n e i c i f f e o
c fo t eh high-frequency par,t da n then reconstruct et h wavele,t thus ew nc a achieve et h e
s o p r u
p fo denoising. eT h basicflow si shown ni Figure1.
t e l e v a W
n o i t i s o p m o c e d
d l o h s e r h T
g n i s s e c o r p
t e l e v a W
n o i t c u r t s n o c e r
Theoriginal
l a n g i s r(k)
Figure 1. Waveletdenoisingflow.
① Waveletdecomposition:select et h appropriatewaveletbasis da n decompositionlevel, da n then
e h
t wavelet decomposiiton fo et h signals si carried o out t obtain et h wavelet decomposition s
t n e i c i f f e o
c fo eachleve.l
② Select threshold ot deal w tih high frequency decomposition coefficients: t he wavelet
t n e i c i f f e o
c fo desired signal si greater than wavelet coefficient fo noisesignal ni genera.l W a ith e
l b a n o s a e
r threshold, ew removenoise da n obtain et h detalis fo highfrequencysignals.
③ Signal reconstruction: ew reconstruct et h power trace w oith n noise yb disposing these t
n e i c i f f e o
c s w etihlin -basedwavelet.
rk si et h discretesampling data fo )r d(t a rkn =c0 . ,k Orthogonalwavelettransformsdecomposition a
l u m r o
2 , 1 ,
2 , 1 ,
1 , , 2 , 1 , 0
− −
− −
=
= −
=
∑
∑
k n n j k
j n
k n n j k
j n
h c c
N k
g d
d (4)
c,j ki sscalingcoefficien,t d,j ki swaveletcoefficien h d.t a g sn i a p fairo quadraturemirrorfilterbanks. j si decomposingleve.l N si discretesamplingnumbe.r Waveletreconstruction si et h inverseprocess
f
o waveletdecompostiion. eT h reconstructionformula si sa follow:
2 , 2
, ,
1 − −
− n=
∑
jn k n+∑
jn k n jn
n c h d g
c
(5)
t n e m n g il
A Algortihm
)
1 Normalizationalgorithm e
W standardize et h databefore et h cross-correlationcomputation.Datastandardization nc a realize e
h
t unification fo et h dataforma,t that’smeanaligning la el t h powertrace ta et h same referenceframe, h
c i h
w optimize et h effect fo alignment greatly. nI this pape,r ew standardize et h powertrace w ith Z-score standard zi a ntio algorithm. This method normalizes et h data through et h given mean da n
d r a d n a t
s deviaiton fo original power trace. T he processed data subject ot et h normaldistribuiton, h
c i h
w means et h mean si 1 da n standarddeviaiton si .1 Conversionformula si sa follow:
* =Χ−µ
Χ
σ (6)
μ si et h average fo la el t h sample,σ si et h standarddeviation fo lla sampledata. )
2 Crosscorrelationalgorithm n
I t eh field fo signal processing, cross correlation si a measure used ot represent et h similarity n
e e w t e
b otw signals. tI si usuallyused ot find et h characteristics fo na unknownsignal by comparing h
t i
w a known signa.l tI si a function about otw signals relative ot time da sn ometimesreferred sa g
n i d i l
s pointproduct. tI si applied ni bothpatternrecognition da n cryptanalysis. nI et h field fo signal ,
g n i s s e c o r
p since et h crosscorrelation algorithm nc a evaluate et h similartiy fo otw signals, ti w as n
e t f
o used ot achieve signal detection, identificaiton a nd extraction. T he core concept fo et h m
h t i r o g l
a si et h cross-correlaitonfunction. eT h cross- rco relationfunction si defined sa follow:
0
1
) ( ) ( m il ) (
∞
→ +τ
=
τ
∫
Ty
x x x t y t dt
R
T (7)
r o
F a finiteenergysignal ro a periodicsigna,l et h cross-correlationfunction nc ea b expressed :a s
[
]
1
0
1 [ ] [ ]
]
[ −
=
+ =
∑
Ny x
n
n m y m x n
R
N (8)
t a h
T ,i s x(m)remainstaitonary,y(m)l ,eftn da n then et oh tw sequences multiply yb poin .t fI et h n
o i t c n u
f reaches et h peak ta nn= 1, then et h offset fo et oh tw signals si n1. e
W recorded et h 10000setsofpowertrace sa r1( r2t), ( … rt) 1000( . t) T hecross-correlationbetween e
h
t otw powercurves is sa follow:
[
1 2]
2 1
1 [ ] [ ]
]
[n r m r m n
R
N +
=
∑
[
1 3]
3 1
1
] [ ] [ ]
[n r m r m n
R
N +
=
∑
(9) e
r e
H ew nc da fin et h offset x between tt es curve da en t h referencecurve, da n correct et h curvew ith t
e s f f
o .x That ,i es t h curve si alignedw eitht h standardcurve. )
n a e d i l c u
E distance si alsocalledEucildeanmetric,which refers ot et h truedistancebetween otw s
t n i o
p ni et m-h dimensionalspace. tI si oftenused ot measure et h proximtiy da n similartiybetween .
s t c e j b
o A sndthi property nc ea b used ot evaluate et lh aignmenteffects fo et oh tw curves. e
m u s s
A that Xi(X1i,Xi2...XiD) da n
D 2 1
j j j
j(X,X ...X )
X represent two power curves respectively, then e
h
t Euclideandistancebetween et oh tw powercurves si defined :a s
2
) (
= − =
− j
∑
D is jsi
i s
X X X
X
( 01 ) Xis da Xn jsrepresent et h points no et oh tw curvesrespectively.T hesize fo et h Europeandistance
n e e w t e
b et h two curvescharacterizes et h similartiy fo et h two curves. Before et h two curves ea r ,
d e n g i l
a et h simliarity si wlo da on s et h Euclideandistance si large.Afteralignmen,t et h similarity si ,
h g i
h da en t h European distance si shortened, et h shorter et h distance ,i es t h better et h alignment t
c e f f e .i s
t n e m i r e p x
E Environment da Pn rocess t
n e m i r e p x
E Environment
e h
T power acquistiion a nd analysis system used ni this experiment w eas s fl -designed yb o ur .
y r o t a r o b a
l Thissystem nc a accomplish et h acquistiion fo powertrace da n poweranalysisattack. eT h c
it a m e h c
s fo et h system si shown ni Figure2.
U D L e
p o c s o l li c s O
A G P F
l a r e h p i r e P
Circuits d r a o B t s e
T (LUD)
A G P F ADC
G A T J
d r a o B g n i l p m a S
R g n i l p m a S esistance
B S
U FPGAlogic
t x e t n i a l
P / CIphertext/ K ye
+ 21 V +1.0V
y l p p u s r e w o p l a n r e t x E
s u B I C P C
e r u g i
F 2. T eh schematic fo powerconsumptionacquisition da n analysissystem.
e h
T systemconsists fo et h hostcompute,r tt es board,powertracesamplingboard,JTAGwriter da n e
p o c s o l l i c s
o efiv parts. eT h operatingvoltage fo FPGA no ttes board si supplied yb a linearregulato.r e
W cascade a sampling resistance no et h powerpath. This sampilng resistanceconverted et h high y
c n e u q e r
f currentsignal oint voltagesigna.lA ndthen et h voltagesignalw asprocessed yb difference ,
d o h t e
m analog ot DigitalConverte,rspeedchange. tA l eastt h signalw aspassed ot upper-computer y
b P rCIf o storage.T het estboardconnectedw pithup e -rcomputerthroughJTAG.T the riggersignal d
n
a plaintextswereinputtedthroughJTAG,whichdetermine et h workingstate fo et h t estboard. eT h C
D
A module fo et h entirepoweracquistiionsystemconsists fo fourADCchipsw ith1.25Ghzsample .
e t a
r T heADCchip si LMH6881.T hesampling erat fo et h wholesystem si 5Ghz, da en t h sampling h
t d i w d n a
b si 2Ghzwhen et h amplificaitongain si 6db.
t n e m i r e p x
E Process
e h
T testencryptionchip si XILINXcompany'sKC7056FPGAchip.T heAES encryptionalgorithm s
a
w written ni thischip. eW used 10,000 s fetso plaintexts rf o testing, da en t h powerconsumption a
t a
d generated yb et h encryption process si collected yb et h above system. eW g ot 10000 power s
e v r u
r e t f
A acquiring et h powerconsumptiondata, et h resultingpowerconsumpitondata si preprocessed n
o et h Python platform. eW process et h waveletdenoising da n cross-correlationalignmentthrough e
h
t Python language no et h Python platform. Thist estuses et h Euclidean distance sa et h basis rf o g
n i g d u
j et h ailgnmenteffec,t da n quantifies et h alignmenteffec.tFinally, ew makeCPAattack in et h e
v o b
a -mentionedpowertrace acquistiion da n analysissystemw eitht eh p -r processedpowertrace da n e
h
t untreatedpowertracerespectively, da n compare et h results. eT h experimental wflo chart si shown n
i Figure3.
n o i t i s i u q c a r e w o P
t e l e v a W
g n i s i o n e d
m r o f e v a W
t n e m n g il a
A P
C CPA
d n a s i s y l a n A
n o s i r a p m o c
t
ne
mt
a
er
t
er
P
e r u g i
F .3 T eh experimentalprocess.
l a t n e m i r e p x
E Resutls da An nalyssi g
n is i o n e
D E ff Aect nalyssi
4 e r u g i
F )( a shows et h originalpowercurvewhic h w asgenerated yb et h first ts fe o plaintext ni et h S
E
A encryptionprocess. tI nc ea b seenfrom et h figurethat et h effectiveinformation si annihilated yb a tl fo o noise.Afterwaveletdenoising, et h powercurveshown ni Figure4( sb)i obtained. tI nc ea b
n e e
s from et h figurethat et h highfrequencynoise fo et h curve si obviouslyreduced da en t h effective a
t a
d information si cleare.r
) a
( ( b)
e r u g i
F .4 )( sa i et h originalpowercurve, )( sb i et h powercurveafterdenoising.
t n e m n g il
A Eff Aect nalyssi
e h
T 10,000 powercurves ea r normalized ni et h Python platform, aligned yb et h cross-correlation .
m h t i r o g l
a eW select et h curvecorresponding ot et h first ts fe o plaintexts sa et h standardcurve, et h r
e h t
o uc rves ea r cross-correlatedw .tithi Sinceeach curveconsists fo 5000points, et h programs ets e
h
t result fo et h cross-correlation calculation si 4999 when et oh tw curves ea r completely ailgned. 5
e r u g i
F si et h result fo et h cross-correlationcalculation fo et h standardcurvew tihitself. sA shown ni e
h
e r u g i
F .5 Standardcurvew iththeirowncross-correlationresults.
e h
T abscissacorresponding ot et h peakvalue calculated yb et h crosscorrelation si comparedw ith .
9 9 9
4 When et h abscissa si sles than4999shows et h curverigh,tneeds ot eb tl oef t achievealignmen.t n
O et h otherhand,when et h abscissa si greaterthan4999, et h curve si lef,t da tn i needs ot eb ishfted t
h g i
r ot align w eith t h standard curve. T he difference between et h abscissa da n 4999 si et h offset n
e e w t e
b et oh tw curves.Figure6( a)shows et h result fo cross-correlaiton between eo fn o et h curves d
n
a et h standardcurve. tI nc ea b seenthat et h curve reaches et h peakwhen et h abscissavalue si 4903, h
c i h
w means et h curve si offset 69 ot et th l ef relativestandardcurve. eW nc a ailgn et h curvew eitht h d
r a d n a t
s curve yb moving ti right yb 69 points. T hecomparison chartbefore da n afteralignment si shown ni Figure6( db)a n Figure6( . c)
) a
( )(b )(c
e r u g i
F 6. )( sa i et h result fo cross-correlation. )( sb i et h powertracebeforealignmen.t )
c
( si et h powertraceafteralignment.
k c e h
C ht e alignmenteffectw ithEuclideandistance, we choose et h Euclideandistance fo et ih f tr s n
e
t curvesw eitht h standardpowercurve 0 ot explain et h alignmenteffec.t A end t h results fo cross n
o i t a l e r r o
c algorithm ea r comparedw iththose fo phasecorrelaiton algorithm.T heresutls ea r shown n
i table .1
Table .1 Euclideandistance.
0 1 2 3 4 5 6 7 8 9 mean
e r o f e
b 0 140.58 140.16 135.03 136.26 138.8
4 143 0.2 146 1.9 143 5.2 149 3.2 148 0.1 s
s o r c
n o i t a l e r r o c
0 40.17 48.37 62.96 61.98 67.03 63.17 59. 11 40.25 47.51 54.51
e s a h p
n o i t a l e r r o c
0 99.47 53.74 72.09 61.98 98.43 63.17 99.30 40.50 99.75 76.49
e h
T values ofthefirst eil nn i et h table ea ,r 0 because et h firstcurve si et h standardcurve.Contrast e
h
t Euclidean distance before cross correlation alignment a nd afte,r ew find that et h average n
a e d i l c u
E distance si reduced from 140.18 ot 54.51 obviousl y. Comparing et h results fo cross n
o i t a l e r r o
c w ith phasecorrelation, ew nc ea s e that et h Eucildean distanceaftercrosscorrelation si y
l t n a c i f i n g i
s smaller t nh a that fo phasecorrelationtreatmen.tT heexperimentalresultsshowthat et h s
s o r
c correlationalgorithm si effective no et h curvealignmen,t da en t h processingeffect si superior ot e
h
t phasecorrelation.
t n e m n g i l a
n a e d i l c u E
e c n a t s i d
r e w o P
Preprocessi Eng ff Eect valua iton
We ma ed CPAattackw etiht eh p -r processedpowertrace da en t h untreatedpowertracerespecitvely. e
W foundthat et Ah CP attackeffect fo et h processeddata si obviouslybetterthanthat fo et h untreated .
a t a
d eT h analysisresults ea r shown ni Figure7( da)a in Fgure7( . b)
) a
( ( b)
Figure .7 )( sa i et h analysisresult fo untreateddata. )( sb i et h analysisresult fo preprocesseddata.
m o r
F Figure7( ea)w nca ’ tidenitfy et h corre ctkey. eT yh k e corresponding ot et h maximumspike si t
o
n et h correctkey, et h correct yk e even tn no i et h firstfew.B we nut c a clearlydistinguish et h correct y
e
k ni Figure7( , b) there si a veryobviousspike, et h peakcorresponding ot et yh k se i et h correctkey, h
c i h
w verified et eh eff ctiveness fo et h proposedmethod.
y r a m m u S
n
I order ot solve et h problemthat et h noise fo et h powertrace da en t h timedifferencebetween et h s
e v r u
c ea r variable,thispaperproposes a waveletthresholddenoisingmethod ot remove et h noise e
c n e r e f r e t n
i da a n cross-correlationmethod ot eliminate et h time differences da n achievealignmen.t s
i h
T method fo wavelet denoising combine w ith cross-correlation alignment si a en w attempt ot s
s e c o r p e r
p et h powertrace. yB comparing et h results fo CPA, ew findthat et h alignmentmethod nc a y
l t n a c i f i n g i
s improve et h attack efficiency da n successrate, thusverifying et h effectiveness fo et h d
o h t e m .
s e c n e r e f e R
] 1
[ C uh eJ , D gi i n G -uo ilang, D ge n G -ao ming, te .la Design a nd Realization fo Different Power s
i s y l a n
A rf o DES .[ J] Journal fo ChineseComputerSystems,2007,28(11):2070-2073. ]
2
[ Specht R., Heyszl J., Kleinsteuber M., te .la Improving nn -o profiledattacks no exponentiations d
e s a
b no clustering da n extracting leakage from multi-channel high-resolution me measurements /
] M
[ / Constructive Side-Channel Analysis a nd Secure Design. [S..l ]: Springer International ,
g n i h s i l b u
P 2015. 3
[ ] Cagli E., Dumas C., Prouff .E Enhancing Channel Attacks [M]// Smart Card Research a nd d
e c n a v d
A Applications.[S..l]:SpringerInternationalPublishing ,2015. ]
4
[ K ,im Y oK .H Using principal component analysis rf o Practical biasing fo power traces ot e
v o r p m
i poweranalysisattacks[C]//LectureNotes ni ComputerScience, lv . o 8565.2013: 91 -0 120. ]
5
[ C ia Chen, C nh e Y , un WAN W - nu n , ta e la . Correlaiton Power Analysis rf o AES Based- no l
a p i c n i r
P Component Analysis [ J]. Chengdu University fo Information Technology, 2015, 41(8): 1
0 1 -105.
] 6
[ Souissi Y., Guilley S., Danger J.L., te .la Improvement fo power analysis attacks using n
a m l a
K fliter. [C]//Proc fo IEEE International Conference no Acoustics, Speech, & Signal .
g n i s s e c o r
] 7
[ Feng M., Zhou Y., uY .Z EMD-based denoising rf o side-channel attacks a nd relationships n
e e w t e
b t he noises extracted w ith different denoising methods [C]//Proc fo International e
c n e r e f n o
C no Informaiton a nd Communicaitons Security. New York: Springer-Verlag, 2013: 9
5 2 -274.
] 8
[ eL T.H., Clediere ,J Serviere C., te .la Noisereduction ni sidechannelattack usingfourth-order t
n a l u m u
c .[ J] IEEETrans no InformationForensics & Security,2008,2(4): 07 -1 720. ]
9
[ Charvet X., Pelletier .H Improving et h DPAattack using Wavelettransform [C]//Proc fo NIST l
a c i s y h
P SecurityTestingWorkshop.2005. ]
0 1
[ Souissi Y., Elaabid M.A., Debande N., te .la Novelapplicaitons fo wavelettransform sbased e
d i
s -channelanalysis[C]//Proc fo N -on InvasiveAttackTesitngWorkshop.2011.
[ 11 ] B T.D., ui Chen .G Translaiton-invariantdenoising usingmultiwavelets[ J]. SignalProcessing, E
E E
