Differential Power Analysis
A paper by: Paul Kocher, Joshua Jaffe, and Benjamin Jun
Presentation by: Michelle Dickson

Power Analysis

  • Introduction
  • Simple Power Analysis (SPA)
      • Theory
      • Experimental Results
      • Prevention
  • Differential Power Analysis (DPA)
      • Theory
      • Experimental Results
      • Prevention
  • Comments

Introduction: About the paper

  • Written by Paul Kocher, Joshua Jaffe, and Benjamin Jun of Cryptography Research, Inc. in 1998
  • This was the first introduction of power-analysis-based side-channel attacks on cryptographic systems
  • All analysis and experimentation was performed on a DES implementation

Introduction: Power Analysis

  • Power analysis is a form of side-channel attack in which operation and key material can be exposed through the measurement of a cryptographic device's power consumption
  • To measure a circuit's power consumption
      • A small resistor (e.g. 50 Ω) is placed in series with the power or ground input
      • An oscilloscope or other sampling device captures the voltage drop across the resistor
  • Data is transferred to a PC for analysis

Simple Power Analysis: Theory

  • This technique directly interprets power consumption measurements to expose information about an encryptor/decryptor
  • A trace refers to a set of power consumption measurements taken across a cryptographic operation
  • Higher resolution traces reveal more information about the circuit's operation

Claim

  • SPA traces can reveal the sequence of instructions and can therefore be used to break cryptographic implementations in which the execution path depends on the data being processed

Simple Power Analysis: Experimental Results

  • The figure below clearly shows the 16 rounds of a DES operation

Simple Power Analysis: Experimental Results

  • A more detailed view shows small variations between the rounds
  • 28-bit DES key registers C & D are rotated once in round 2 and twice in round 3
  • Discernible features are typically caused by conditional jumps based on key bits and computational intermediates

Simple Power Analysis: Experimental Results

  • An even higher resolution view shows details of a single clock cycle
  • Comparison of the trace through two regions shows visible variations between clock cycles caused by different processor instructions
      • Upper trace shows where a jump instruction is performed
      • Lower trace shows where a jump instruction is not performed

Simple Power Analysis: Motivation for Prevention

  • Because SPA can reveal the sequence of instructions executed, it can be used to break cryptographic implementations in which the execution path depends on the data being processed, such as
      • DES key schedule computations
      • DES permutations
      • Comparisons
      • Multipliers
      • Exponentiators

Prevention Techniques

  • Avoid procedures that use secret intermediates or keys for conditional branching operations
      • Creative coding, performance penalty
  • Implement hard-wired symmetric cryptographic algorithms in hardware
      • Small power consumption variations

Differential Power Analysis: Theory

  • In addition to the large-scale power variations addressed by SPA, there are effects correlated to the specific data values that are being manipulated
  • Using statistical functions tailored to the target algorithm, these much smaller variations can be detected

Differential Power Analysis: Detailed Theory

  • A DPA selection function, D(C,b,Ks), computes the value of bit 0 ≤ b < 32 of the DES intermediate L at the beginning of the 16th round
      • C is the ciphertext
      • Ks is the 6 key bits entering the S box corresponding to bit b
  • To implement, an attacker
      • Observes m encryption operations
      • Captures m traces, each with k samples
      • Records m ciphertext values

Differential Power Analysis: Detailed Theory

  • Using the observation, the attacker computes a k-sample differential trace [1..k] by finding the difference between the average of the traces for which D(C,b,Ks) is one and the average of the traces for which D(C,b,Ks) is zero
  • For each sample, the differential trace [j] is the average over the measured ciphertexts of the effect caused by the selector function D(C,b,Ks) on the power consumption measurement at the sample point
  • If Ks is incorrect, the probability that D will yield the correct bit b is ½, so the trace components and D are uncorrelated. The result is that [j] approaches zero for large m.
  • If Ks is correct, the computed value for D will equal the actual value of the target bit b with probability 1, making the selection function correlated to the bit. The result will be spikes in the differential trace where D is correlated to the value being processed.

Differential Power Analysis: Claim

  • The correct Ks can be identified from the spikes in the differential trace.
  • Four values of b correspond to each S box, providing confirmation of key block guesses.
  • Finding all 8 key block guesses yields the entire 48-bit round subkey.
  • The remaining 8 key bits can be found by trial-and-error or by analyzing an additional round.

Differential Power Analysis: Experimental Results

  • The figure shows 4 traces prepared using known plaintexts entering a DES encryption function
      • The top trace is the power reference
      • The next trace is a correct key block guess
      • The last two traces are incorrect key block guesses
  • m = 1000 samples

Differential Power Analysis: Experimental Results

  • A more detailed view shows the average effect of a single bit on detailed power consumption measurements
      • Reference power consumption trace is on top
      • Standard deviation of power consumption measurements is next
      • Differential trace is last
  • m = 10,000

Differential Power Analysis: Prevention

  • Reduce signal sizes (still vulnerable to an attacker with infinite samples)
      • Constant execution path code
      • Choose operations that leak less information in their power consumption
      • Balance Hamming weights and state transitions
      • Physically shielding the device
  • Introduce noise into power consumption measurements
      • Randomize execution timing and order
  • Design cryptosystems with realistic assumptions about the underlying hardware
      • Nonlinear key update procedures can be employed to ensure that power traces cannot be correlated between transactions
          • Hashing
      • Aggressive use of exponent and modulus multiplication processes
      • Prevent attacker from gathering large numbers of samples
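
The difference-of-means procedure from the Detailed Theory slides and the "randomize execution timing" item above, as an added simulation that is not code from the paper or the presentation. It assumes a constructed device model (Gaussian noise plus a fixed leak at one sample) and a toy 4-bit S-box with a 4-bit Ks in place of the DES round, so the effect of a countermeasure on the spike can be checked on synthetic traces.

```python
import random

# Toy 4-bit S-box (the PRESENT cipher's), an assumed stand-in for a DES S-box.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
K = 16        # k: samples per trace
LEAK_AT = 9   # constructed: sample index at which the device handles the target bit

def select(c, b, ks):
    """Selection function D(C, b, Ks): bit b of the intermediate predicted from C and Ks."""
    return (SBOX[c ^ ks] >> b) & 1

def simulate(m, secret, b, rng, leak=1.0, noise=1.0, random_delay=False):
    """Constructed model: Gaussian noise plus `leak` at one sample when the target bit is 1."""
    data, traces = [], []
    for _ in range(m):
        c = rng.randrange(16)
        trace = [rng.gauss(0.0, noise) for _ in range(K)]
        pos = rng.randrange(K) if random_delay else LEAK_AT  # randomized execution timing
        trace[pos] += leak * select(c, b, secret)
        data.append(c)
        traces.append(trace)
    return data, traces

def differential_trace(data, traces, b, ks):
    """Per sample: mean of the traces with D = 1 minus mean of the traces with D = 0."""
    sums, counts = [[0.0] * K, [0.0] * K], [0, 0]
    for c, trace in zip(data, traces):
        d = select(c, b, ks)
        counts[d] += 1
        for j, v in enumerate(trace):
            sums[d][j] += v
    if 0 in counts:  # one partition is empty, so no difference can be formed
        return [0.0] * K
    return [sums[1][j] / counts[1] - sums[0][j] / counts[0] for j in range(K)]

def peak(data, traces, b, ks):
    """Largest absolute value in the differential trace for guess ks."""
    return max(abs(x) for x in differential_trace(data, traces, b, ks))

def best_guess(data, traces, b):
    """Key block guess whose differential trace shows the largest spike."""
    return max(range(16), key=lambda ks: peak(data, traces, b, ks))

if __name__ == "__main__":
    rng, secret, b = random.Random(1998), 0xB, 3  # constructed secret and target bit
    plain = simulate(2000, secret, b, rng)
    delayed = simulate(2000, secret, b, rng, random_delay=True)
    print(hex(best_guess(*plain, b)), peak(*plain, b, secret), peak(*delayed, b, secret))
```

With this toy S-box some wrong guesses still produce smaller spikes, and the random delay spreads the leak across all k samples instead of removing it, which matches the slide's point that a reduced signal remains exposed to an attacker with enough samples.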

Comments

Pros

  • Innovative concepts, given the timeframe of the paper
  • The authors successfully demonstrate that power analysis attacks are a real security vulnerability that must be considered in new designs and fielded devices

Cons

  • The authors claim that the attacks are (or can be) effective even if nothing is known about the encryption implementation; however, no evidence of this is presented
  • Likely due to the pioneering nature of the paper, it lacked the level of detail I would have desired
      • Discussion of how to come up with a selection function?
      • Quantitative comparisons for hardware vs. software implementations?
      • Demonstration of performance improvement for suggested prevention methods?

Questions?

Contact information: Michelle Dickson