Differential Power Analysis

attacks on AES
Kevin Meritt

Agenda
Side Channel Attacks
o Background

Power Analysis Attacks

o
o
o
o
o
o

Background
Overview
SPA Simple Power Analysis
AES
DPA Differential Power Analysis
CPA Correlation Power Analysis

Side Channel Attacks

Exploits information obtained from the physical
implementation of a cryptosystem

o power consumption, electromagnetic radiation, timing variations

If side channel data is related to operations involving

secret information, that information is vulnerable to
attack
May be used to break cryptosystems with no known
weaknesses against attacks at the algorithmic or
theoretical level, such as linear and differential
cryptanalysis
Some attacks may require deeper understanding of the
cryptosystem's underlying architecture, while others may
treat it as a black box
Analysis of instantaneous power consumption will be the
focus of this presentation

Side Channel Information

Indirect outputs from block cipher implementation [1]

Power Analysis Attacks

Power Analysis Attacks are a type of Side Channel Attack in
which an attacker measures the power consumption of a
cryptographic device during normal execution
An attempt is then made to uncover a relationship between
the instantaneous power consumption and secret key
information
Statistical methods for power analysis attacks published by
Paul Kocher in 1999
Original research focused on vulnerability of DES-based smart
cards, leading to the development of DPA-resistant devices
o
o
o

Not simply a theoretical attack

Successful attacks mounted on existing devices to reveal secret key information,
creating a serious risk to security
Enables the creation of duplicate cards, fraudulent payments, identity theft, etc.

Power Analysis Attack Basic Steps

Identify
o Determine a relationship between secret key information and
instantaneous power consumption
o Determine the required inputs to the system, the output values to be
measured, and when to capture them

Extract
o Develop method of extracting the state of the relationship information
o Collection of measurements called traces can be made in a non-invasive
manner while a system performs a cryptographic operation

Evaluate
o Use extracted information to determine all or part of the secret key
information

Simple Power Analysis

Attacker directly observes power trace waveform
to identify large, noticeable features and mark
regions of interest
o
o
o
o

Block cipher rounds, individual operations, instructions, etc.

Timing differences
Conditional branches
Example: RSA implementations may be broken by identifying differences
between squaring and multiplication operations

SPA is relatively easy to deter

o Avoid conditional execution that depends on secret information
o High frequency, low power operation
o Parallelization may obscure individual operations

SPA Attack on RSA implementation

RSA Conditional Branch

Power Trace for Advanced Encryption Standard

10 rounds of AES-128

Differential Power Analysis (DPA)

Uses statistical methods to find small variations that
may be overshadowed by noise or measurement
errors
Exploits information obtained from the physical
implementation of a cryptosystem

Differential Power Analysis Attack

Selection function D(C, b, Ks) computes value of target
bit b, given ciphertext C and key guess Ks
Collect m power traces of k samples each, T1:m[1:k] and
corresponding ciphertext values C1:m
Sort data into two groups:
o D(C, b, Ks) = 0
o D(C, b, Ks) = 1

If the key guess Ks is correct, the average power trace

for D(C, b, Ks) = 1 will be slightly higher at the point of
correlation and the average trace for D(C, b, Ks) = 0 will
be slightly lower
If the key guess Ks is incorrect, D(C, b, Ks) will equal the
correct bit value with probability P = , yielding
average traces that are approximately equal

Difference of means DPA Attack

The differential trace D[j] is computed as the
difference between the two average traces
o For an incorrect key guess Ks the D should approach zero
o For an correct key guess Ks the D should approach the target bit's power
contribution at the correlated sample(s)

Advanced Encryption Standard

AES Round Transformations[5]

Differential Power Analysis on AES

Select intermediate bit to analyze
o

Target the S-box in final round

Since SubBytes operates on each byte independently
XORed with final round key value

o
o

Ciphertext value is known

Make a guess for key byte

One set where computed bit is 1 and another where bit is 0

If the average depends on the selected bit, and the bit leaks, then a correlation
will be seen

Collect power traces and corresponding ciphertext values

Compute intermediate value
Partition power traces into 2 sets

Compute average of each set

Compute the difference between the averages

Repeat for other 255 key byte guesses using same power
measurements

DPA Evaluation Process

DPA with correct Key guess

DPA Evaluation Process (contd)

DPA with incorrect Key guess

Correlation Power Analysis on AES

Extension of DPA where a model of the power
consumption is created for use in the analysis phase
of an attack
Model needs to approximate the power
consumption of the target cryptographic device
during an encryption operation.
The resulting power predicted by the model will
then be correlated to the actual measured power
consumption using a key hypothesis.
The highest peak of the correlation plot gives the
correct key hypothesis

Power Models
Hamming weight model assumes amount of
power consumed is proportional to the number of
bits that are logic '1' during an operation
o the greater the number of bits that are set will result in a larger amount of
power consumed

Hamming distance assumes the number of logic

transitions during a cryptographic operation is
proportional to power consumption
o If a bit is static during an operation, then it is assumed that it will not
contribute to the power.
o Assume that 0 to 1 and 1 to 0 transitions consume the same amount
of power.

CPA using Pearsons Correlation Coefficient

reflects the degree of
linear relationship
between two variables X
and Y
covariance measure of
how much 2 random
variables change
together
coefficient value ranges
from +1 to -1

o +1 indicates that there is a

perfect positive linear relationship
o -1 indicates there is a perfect
negative linear relationship
o 0 indicates there is no linear
relationship

Pearsons Sample Correlation Coefficient

For a series of n
measurements of X and Y,
Pearson correlation can be
estimated by the sample
correlation coefficient rxy
x-bar and y-bar sample
means of x and y
sx and sy sample standard
deviations of x and y
xi measured power samples
yi calculated power values
from Hamming distance
model
If a correlation occurs then
there will be a spike in the
graph for the correct key
byte value

Correlation Power Analysis on AES

Identify sensitive data register for attack
o

Target the register in data path prior to SubBytes transformation

Data transition of 8-bit register

If a correlation occurs then there will be a spike in the graph for the correct key byte
value

Use Hamming distance power model

Collect power traces and corresponding ciphertext values

Make a guess for key byte
Compute Hamming distance of data transition for each
ciphertext value
Partition power traces into groups associated with calculated
Hamming values
Use Pearsons sample correlation coefficient equation to
determine the correlation between the power and the
sensitive data
Repeat for other 255 key byte guesses using same power
measurements

CPA Attack

Typical AES Hardware implementation

AES CPA Correlation

Showing correct key byte guess of 160

References
[1] P. Kocher, J. Jaffe, and B. Jun, Differential power analysis,
proceedings of CRYPTO 99, Lecture Notes in Computer
Science, vol. 1666, Springer, pp. 388397, 1999.
[2] F.-X. Standaert, Introduction to Side-Channel Attacks, in
Secure Integrated Circuits and Systems, pp. 2744, Springer,
2009
[3] W. Hnath, J. Pettengill, Differential Power Analysis SideChannel Attacks in Cryptography, Major Qualifying Project,
Worcester Polytechnic Institute, April 2010
[4] S. Shah, R. Velegalati, J. Kaps, D. Hwang, Investigation of
DPA Resistance of Block RAMs in Cryptographic
Implementations on FPGAs, International Conference on
Reconfigurable Computing and FPGAs (ReConFig) 2010,
pp.274-279, Dec. 2010.
[5] National Institute of Standards and Technology (NIST) of U.S.
Department of Commerce, FIPS 197: Advanced Encryption
Standard, Nov. 2001.