Book ChapterDOI

Correlation Power Analysis with a Leakage Model

TL;DR: A classical model is used for the power consumption of cryptographic devices based on the Hamming distance of the data handled with regard to an unknown but constant reference state, which allows an optimal attack to be derived called Correlation Power Analysis.
Abstract: A classical model is used for the power consumption of cryptographic devices. It is based on the Hamming distance of the data handled with regard to an unknown but constant reference state. Once validated experimentally it allows an optimal attack to be derived called Correlation Power Analysis. It also explains the defects of former approaches such as Differential Power Analysis.


Citations
Book ChapterDOI
16 Apr 2009
TL;DR: In this paper, the authors propose a framework for the analysis of cryptographic implementations that includes a theoretical model and an application methodology based on commonly accepted hypotheses about side-channels that computations give rise to.
Abstract: The fair evaluation and comparison of side-channel attacks and countermeasures has been a long standing open question, limiting further developments in the field. Motivated by this challenge, this work makes a step in this direction and proposes a framework for the analysis of cryptographic implementations that includes a theoretical model and an application methodology. The model is based on commonly accepted hypotheses about side-channels that computations give rise to. It allows quantifying the effect of practically relevant leakage functions with a combination of information theoretic and security metrics, measuring the quality of an implementation and the strength of an adversary, respectively. From a theoretical point of view, we demonstrate formal connections between these metrics and discuss their intuitive meaning. From a practical point of view, the model implies a unified methodology for the analysis of side-channel key recovery attacks. The proposed solution allows getting rid of most of the subjective parameters that were limiting previous specialized and often ad hoc approaches in the evaluation of physically observable devices. It typically determines the extent to which basic (but practically essential) questions such as "How to compare two implementations?" or "How to compare two side-channel adversaries?" can be answered in a sound fashion.

934 citations

Book ChapterDOI
10 Aug 2008
TL;DR: This work builds a distinguisher that uses the value of the Mutual Information between the observed measurements and a hypothetical leakage to rank key guesses and demonstrates that the model and the attack work effectively in an attack scenario against DPA-resistant logic.
Abstract: We propose a generic information-theoretic distinguisher for differential side-channel analysis. Our model of side-channel leakage is a refinement of the one given by Standaert et al. An embedded device containing a secret key is modeled as a black box with a leakage function whose output is captured by an adversary through the noisy measurement of a physical observable. Although quite general, the model and the distinguisher are practical and allow us to develop a new differential side-channel attack. More precisely, we build a distinguisher that uses the value of the Mutual Information between the observed measurements and a hypothetical leakage to rank key guesses. The attack is effective without any knowledge about the particular dependencies between measurements and leakage as well as between leakage and processed data, which makes it a universal tool. Our approach is confirmed by results of power analysis experiments. We demonstrate that the model and the attack work effectively in an attack scenario against DPA-resistant logic.

618 citations

Journal ArticleDOI
TL;DR: This paper examines how information leaked through power consumption and other side channels can be analyzed to extract secret keys from a wide range of devices and introduces approaches for preventing DPA attacks and for building cryptosystems that remain secure even when implemented in hardware that leaks.
Abstract: The power consumed by a circuit varies according to the activity of its individual transistors and other components. As a result, measurements of the power used by actual computers or microchips contain information about the operations being performed and the data being processed. Cryptographic designs have traditionally assumed that secrets are manipulated in environments that expose no information beyond the specified inputs and outputs. This paper examines how information leaked through power consumption and other side channels can be analyzed to extract secret keys from a wide range of devices. The attacks are practical, non-invasive, and highly effective—even against complex and noisy systems where cryptographic computations account for only a small fraction of the overall power consumption. We also introduce approaches for preventing DPA attacks and for building cryptosystems that remain secure even when implemented in hardware that leaks.

574 citations


Additional excerpts

  • ...Similarly, if CPA is successful at recovering the key, additional leakage modes may also be present....

  • ...It can also be used for black-box evaluations as long as there is some correlation between the actual leakages of the device and the leakage model being used for CPA....

  • ...5.1 Correlation power analysis Correlation power analysis (CPA) [37] involves evaluating the degree of correlation between variations within the set of measurements and a model of device leakage that depends on the value of (or a function of) one or more intermediates in the cryptographic calculation....

  • ...In contrast to CPA, template attacks build a model from actual power measurements or simulations....

Book ChapterDOI
15 May 2011
TL;DR: A very compact hardware implementation of AES-128, which requires only 2400 GE, is described; it is, to the best of the authors' knowledge, the smallest implementation reported so far. With the threshold countermeasure applied to the S-box, it is still susceptible to some sophisticated attacks given a sufficient number of measurements.
Abstract: Our contribution is twofold: first we describe a very compact hardware implementation of AES-128, which requires only 2400 GE. This is to the best of our knowledge the smallest implementation reported so far. Then we apply the threshold countermeasure by Nikova et al. to the AES S-box and yield an implementation of the AES improving the level of resistance against first-order side-channel attacks. Our experimental results on real-world power traces show that although our implementation provides additional security, it is still susceptible to some sophisticated attacks having enough number of measurements.

479 citations

Book ChapterDOI
14 Dec 2016-Space
TL;DR: A recent line of research has investigated new profiling approaches, mainly by applying machine learning techniques, and the results obtained are commensurate with, and in some particular cases better than, those of the template attack.
Abstract: Template attack is the most common and powerful profiled side channel attack. It relies on a realistic assumption regarding the noise of the device under attack: the probability density function of the data is a multivariate Gaussian distribution. To relax this assumption, a recent line of research has investigated new profiling approaches mainly by applying machine learning techniques. The obtained results are commensurate, and in some particular cases better, compared to template attack. In this work, we propose to continue this recent line of research by applying more sophisticated profiling techniques based on deep learning. Our experimental results confirm the overwhelming advantages of the resulting new attacks when targeting both unprotected and protected cryptographic implementations.

371 citations

References
Book ChapterDOI
15 Aug 1999
TL;DR: In this paper, the authors examine specific methods for analyzing power consumption measurements to find secret keys from tamper resistant devices. They also discuss approaches for building cryptosystems that can operate securely in existing hardware that leaks information.
Abstract: Cryptosystem designers frequently assume that secrets will be manipulated in closed, reliable computing environments. Unfortunately, actual computers and microchips leak information about the operations they process. This paper examines specific methods for analyzing power consumption measurements to find secret keys from tamper resistant devices. We also discuss approaches for building cryptosystems that can operate securely in existing hardware that leaks information.

6,757 citations

Journal ArticleDOI
TL;DR: In this paper, the authors examine the noise characteristics of the power signals, develop an approach to model the signal-to-noise ratio (SNR), and show how the SNR can be significantly improved using a multiple-bit attack.
Abstract: This paper examines how monitoring power consumption signals might breach smart-card security. Both simple power analysis and differential power analysis attacks are investigated. The theory behind these attacks is reviewed. Then, we concentrate on showing how power analysis theory can be applied to attack an actual smart card. We examine the noise characteristics of the power signals and develop an approach to model the signal-to-noise ratio (SNR). We show how this SNR can be significantly improved using a multiple-bit attack. Experimental results against a smart-card implementation of the Data Encryption Standard demonstrate the effectiveness of our multiple-bit attack. Potential countermeasures to these attacks are also discussed.

1,554 citations

Book ChapterDOI
14 May 2001
TL;DR: This work describes electromagnetic experiments conducted on three different CMOS chips, featuring different hardware protections and executing a DES, an alleged COMP128 and an RSA, where the complete key material was successfully retrieved.
Abstract: Although the possibility of attacking smart-cards by analyzing their electromagnetic power radiation repeatedly appears in research papers, all accessible references evade the essence of reporting conclusive experiments where actual cryptographic algorithms such as DES or RSA were successfully attacked. This work describes electromagnetic experiments conducted on three different CMOS chips, featuring different hardware protections and executing a DES, an alleged COMP128 and an RSA. In all cases the complete key material was successfully retrieved.

1,362 citations

Book ChapterDOI
13 Aug 2002
TL;DR: It is shown that not only can EM emanations be used to attack cryptographic devices where the power side-channel is unavailable, they can even be used to break power analysis countermeasures.
Abstract: We present results of a systematic investigation of leakage of compromising information via electromagnetic (EM) emanations from CMOS devices. These emanations are shown to consist of a multiplicity of signals, each leaking somewhat different information about the underlying computation. We show that not only can EM emanations be used to attack cryptographic devices where the power side-channel is unavailable, they can even be used to break power analysis countermeasures.

778 citations

Book ChapterDOI
12 Aug 1999
TL;DR: It is shown that it is possible to build an implementation that is provably DPA-resistant, in a "local" and restricted way (i.e. when - given a chip with a fixed key - the attacker only tries to detect predictable local deviations in the differentials of mean curves).
Abstract: Paul Kocher recently developed attacks based on the electric consumption of chips that perform cryptographic computations. Among those attacks, the "Differential Power Analysis" (DPA) is probably one of the most impressive and most difficult to avoid. In this paper, we present several ideas to resist this type of attack, and in particular we develop one of them which leads, interestingly, to rather precise mathematical analysis. Thus we show that it is possible to build an implementation that is provably DPA-resistant, in a "local" and restricted way (i.e. when - given a chip with a fixed key - the attacker only tries to detect predictable local deviations in the differentials of mean curves). We also briefly discuss some more general attacks, that are sometimes efficient whereas the "original" DPA fails. Many measures of consumption have been done on real chips to test the ideas presented in this paper, and some of the obtained curves are printed here.

631 citations