
Side channel analysis

ECE 5930

power-based side-channel attacks:


1. simple power analysis
2. differential power analysis
3. correlation analysis
ignore paper title

correlational attack:
given plaintext and ciphertext, find key

correlational attack
(based on register state)

procedure:
1. acquire device
2. identify where in computation key is introduced
3. obtain traces for many encryptions of data (know plaintext but not key)
4. make guess for subset of key
5. based on known register state (from plain/cipher text), compare actual power usage to power used by guess
6. power usage validates guess (repeat for remaining portion of key)

of an attack on the system. To determine whether such a weakness exists, we


DES implementation used by the DPA Contest trace acquisition board, specifically
[9]. Figure 10 shows how the DES routine is implemented on the trace acquisition

where is key revealed in DES computation?


[Figure: one round of DES (the Feistel function): LE(i-1) and RE(i-1), 32 bits each; Expansion Permutation, 48 bits; Round Key, 48 bits; Substitution with 8 S-boxes, 32 bits; Permutation with P-box; outputs LE and RE.]

The DPA Contest trace acquisition board DES co-processor layout. Designed for
ution scheduled at one round per clock cycle. [9]

DES hardware used in DPA challenge:


1. load data block into LR
2. round ops and store into LR

is figure, we can see that there is a single
register (LR) that gets updated
and which holds the intermediate results of the DES operation. This register is

Figure 4: This figure is from Lecture 3 of Lecture Notes on Computer and Network Security by Avi Kak

correlation attack

(known plaintext; unknown key)
(assuming round one)

1. if know s-box input, know Ki
2. guess Ki (one at a time) and XOR with E(PT) to get s-box input
3. calculate s-box output for guess
4. see if guess matches expected power consumption

[Figure 4: one round of DES, the Feistel function F(RE(i-1), K i): LE(i-1) and RE(i-1), 32 bits each; Expansion Permutation, 48 bits; Round Key K, 48 bits; 48 bits produced by XORing the output of the Expansion Permutation and the Round Key; Substitution with 8 S-boxes S1 to S8, 32 bits; Permutation with P-box; outputs LE and RE. This figure is from Lecture 3 of Lecture Notes on Computer and Network Security by Avi Kak.]

e.g. guess for s-box one manifested in HD(R0(9,17,23,31),R1(9,17,23,31))

note: P-box permutes bits 1->9; 2->17; 3->23; 4->31

remember: only one register for LR

assume: know plaintext, ciphertext, and key


define: h = HD(R0,R1)
verifying HD model:
1. will know R0 and R1
2. for each trace in dataset:
   a. calculate HD
   b. find Pmax
   c. avg. Pmax for each HD

i.e. is max power related to HD of LR register?

which contain that sensitive data value. The resulting plot is shown in Figure

verifying HD model
(does HD correlate with power?)

1. will know R0 and R1
2. for each trace in dataset:
   a. calculate HD
   b. find Pmax
   c. avg. Pmax for each HD

Figure 11: Power consumption versus Hamming distance.

good evidence that Pmax is correlated to HD

s show a clear relationship between the sensitive data and the power consump-
cuit during the first DES round. In general, a higher Hamming distance results
consumed in the DES encryption process. This verifies the utility of the Ham-

verifying HD model, contd
(does HD correlate with power and where?)

odel for this specific DES implementation. Based on this
rmine a sample correlation between the power consumptio
ata. We calculate the correlation between the power trace
n trace using Pearsons sample correlation coefficient, give

Pearson sample correlation coefficient:

$$ r_{sb}(t_j) = \frac{\sum_{i=1}^{n} \left(h_i^{(sb)} - \bar{h}^{(sb)}\right)\left(p_i(t_j) - \bar{p}(t_j)\right)}{(n-1)\,\sigma_h\,\sigma_{p(t_j)}} $$

- i: trace #
- j = 1:20e3
- $\bar{h}^{(sb)}$: average (over traces)
- $\sigma_h$: standard deviation (over traces)
- $\sigma_{p(t_j)}$: standard deviation (over traces of sample point j)
- note: across all traces of a point

lue tj is given as p(t j ) and the st
t a point t is given as . For each trace i, there exists sen

h = HD(R0,R1)

1. correlate h w/ each sample point; repeat above for each j
2. know key and input so know h

in each power trace for 1000 total power traces (the correlation improves as more traces are
used, 1000 traces is sufficient to produce high correlation values). The results are shown in
Figure 12.

(where does register write occur?)

verifying HD model, contd

h = HD(R0,R1)

h correlated w/ each sample point

Figure 12: The correlation between the first round sensitive data and the power traces for each
point j in the power traces.

1000 traces

verifying HD model, contd
(is s-box output correlated to power?)

ar relationship between the sensitive data and the power co
he first DES round. In general, a higher Hamming distance
n the DES encryption process. This verifies the utility of th
his specific DES implementation. Based on this informati
ample correlation between the power consumption and th
alculate the correlation between the power trace and the s
sing Pearsons sample correlation coefficient, given by:

$$ r_{sb} = \frac{\sum_{i=1}^{n} \left(h_i^{(sb)} - \bar{h}^{(sb)}\right)\left(p_i(t_j) - \bar{p}(t_j)\right)}{(n-1)\,\sigma_h\,\sigma_{p(t_j)}} $$

sed on the information gained from this power profiling, we can conclude that a basic
ntial power analysis attack is possible on the DES system used to create the DPA
st power traces. The next section outlines the details of how to retrieve key bits from

Figure 13: The correlation between the first round sensitive data and the power traces for each point j in the power trace.

500 traces

s-box1 output manifested in these bits:
h = HD(R0(9,17,23,31),R1(9,17,23,31))

note: only need to look at points at/near Pmax when doing corr in future

correlational attack
(based on register state)

procedure:
1. acquire device
2. identify where in computation key is introduced
3. obtain traces for many encryptions of data (know plaintext but not key)
4. make guess for subset of key
5. based on known register state (from plain/cipher text), compare actual power usage to power used by guess
6. power usage validates guess (repeat for remaining portion of key)

carrying out attack
(one s-box at a time)

s-box1: input bits are PT(7, 57, 49, 41, 33, 25) XOR K1

1. for all 2^6 combinations of K1, calculate s-box inputs and their outputs
2. R1(9,17,23,31) = SBOX1 XOR L0(9,17,23,31) and we know L0
3. calculate HD for all possible R1(9,17,23,31)s vs R0(9,17,23,31) and correlate to power traces (at/near Pmax)

$$ r_{sb} = \frac{\sum_{i=1}^{n} \left(h_i^{(sb)} - \bar{h}^{(sb)}\right)\left(p_i(t_j) - \bar{p}(t_j)\right)}{(n-1)\,\sigma_h\,\sigma_{p(t_j)}} $$

h = HD(R0(9,17,23,31),R1(9,17,23,31))
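The three steps above for s-box 1, as an added example run on constructed (simulated) traces; it is not code from the lecture or from the cited paper. The packing of each bit group into a small integer, the single power sample per trace (standing in for Pmax), the noise level, and all function names are assumptions of this example.

```python
import random
from statistics import mean, stdev

# Standard DES S-box 1; row = input bits 1 and 6, column = bits 2..5.
SBOX1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox1(x):
    """6-bit input (bit 1 is the MSB) -> 4-bit output."""
    return SBOX1[((x >> 4) & 2) | (x & 1)][(x >> 1) & 0xF]

def hd_model(e, l0, r0, k):
    """h = HD(R0(9,17,23,31), R1(9,17,23,31)) for subkey guess k.
    e = PT(7,57,49,41,33,25); l0, r0 = those four bits of L0 and R0."""
    r1 = sbox1(e ^ k) ^ l0          # step 2: R1 bits = SBOX1 XOR L0 bits
    return bin(r0 ^ r1).count("1")  # step 3: Hamming distance to R0 bits

def pearson(h, p):
    """Sample correlation coefficient, same form as the page's formula."""
    hm, pm = mean(h), mean(p)
    num = sum((a - hm) * (b - pm) for a, b in zip(h, p))
    return num / ((len(h) - 1) * stdev(h) * stdev(p))

def simulate(n, key, noise, seed=1):
    """Constructed data: power at Pmax = true HD + Gaussian noise."""
    rng = random.Random(seed)
    inputs = [(rng.randrange(64), rng.randrange(16), rng.randrange(16))
              for _ in range(n)]
    power = [hd_model(e, l0, r0, key) + rng.gauss(0, noise)
             for e, l0, r0 in inputs]
    return inputs, power

def rank_guesses(inputs, power):
    """Step 1: model all 2^6 guesses and correlate each with the traces."""
    return {k: pearson([hd_model(e, l0, r0, k) for e, l0, r0 in inputs],
                       power) for k in range(64)}

TRUE_K1 = 56  # simulated secret (the s-box 1 value the page reports)
inputs, power = simulate(500, TRUE_K1, noise=1.0)
scores = rank_guesses(inputs, power)
best = max(scores, key=scores.get)
print(best, round(scores[best], 3))
```

Raising `noise` or lowering the trace count in `simulate` shows how the margin between the correct guess and the rest shrinks, which is the quantity a leakage evaluation of a countermeasure measures.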

correlation attack
(known plaintext; unknown key)
[Figure 4: one round of DES, the Feistel function F(RE(i-1), K i): LE(i-1) and RE(i-1), 32 bits each; Expansion Permutation, 48 bits; Round Key K, 48 bits; 48 bits produced by XORing the output of the Expansion Permutation and the Round Key; Substitution with 8 S-boxes S1 to S8, 32 bits; Permutation with P-box; outputs LE and RE. This figure is from Lecture 3 of Lecture Notes on Computer and Network Security by Avi Kak.]

1. for all 2^6 combinations of K1, calculate s-box inputs and their outputs
2. R1(9,17,23,31) = SBOX1 XOR L0(9,17,23,31) and we know L0
3. calculate HD for all possible R1(9,17,23,31)s vs R0(9,17,23,31) and correlate to power traces

there will exist a peak in the correlation which corresponds to the correct key. The results
for a single S-box after 500 power traces are seen in Figure 14. This shows the correct key
guess as a spike in the correlation at guess 14 (which tells us the correct subkey for this
S-box is 13).

correlation attack: sbox one


correct key guess

Figure 14: The correlation between the power information and the sensitive data for each 6-bit
key guess in a single S-box.

correlation for 500 traces

The process is repeated for each S-box to create a table of correlation coefficients con-

correlation is the correct key. An example plot for all 8 S-boxes is shown in Figure 15. This
shows the correct 6-bit key values for the first round subkey (56 11 59 38 0 13 25 55) as
peaks in the correlation.
(after finding which points s-box HD is correlated with)

correlation attack: repeat for all s-boxes

Figure 15: The correlation between the sensitive data and the power information for all 8 S-boxes.

could use brute force after a number of s-boxes found
