Differential Power Analysis
Attack on Smart Card
2002. 10. 8.
ICE615 Network Security
20022122 Hwasun Chang
Index
1. Introduction
2. Simple Power Analysis
3. DPA Overview
4. DPA Procedure for DES
5. DPA Result Example
6. Other Power Attacks
7. DPA Countermeasures
8. Future Works
Reference
2
1. Introduction
- Attack techniques for cryptographic algorithms
 Algorithm in isolation
Differential Cryptoanalysis, Linear Cryptoanalysis
 Side channel attacks
3
2. Simple Power Analysis
 Interpret power consumption measurement
 What is learned: device’s operation, key material
 Base: power consumption variance of uP instructions
 DES operation by smart card
4
3. DPA Overview





Introduced by P. Kocher and colleagues
More powerful and more difficult to prevent than SPA
Base: semiconductor logic ← transistor ← different
power consumption for different state (0 or 1)
Data collection phase and data analysis phase
Procedure
1. Gather many power consumption curves
2. Assume a key value
3. Divide data into two groups(0 and 1 for chosen bit)
4. Calculate mean value curve of each group
5. Correct key assumption → not negligible difference
5
4. DPA Procedure for DES
1. Make power consumption measurement of about 1000
2.
3.
4.
5.
6.
7.
8.
9.
DES operations, 100000 data points / curve,
(Plaintexti, Curvei)
Assume a key for a S-box of first round
Calculate first S-box first bit output for each plaintext
using the assumed key
Divide the measurement into 2 groups (output 0 and 1)
Calculate the average curve of each group
Calculate the difference of two curves
Assumed correct key → spikes in the differential curve
Repeat 2-7 for other S-boxes
Exhaustive search for 8 bits of key
6
5. DPA Result Example
Average Power
Consumption
Power Consumption
Differential Curve
With Correct Key Guess
Power Consumption
Differential Curve
With Incorrect Key Guess
Power Consumption
Differential Curve
With Incorrect Key Guess
7
6. Other Power Attacks
1. Binary power analysis (by ABDM)
2. Direct power anlaysis (by ABDM)
3. Higer-order DPA (by Kocher)
: combine one or more samples within a single power
trace
8
7. DPA Countermeasures (1)



By Adi Shamir
Two capacitors as the power isolation element
Disadvantage: difficulty in manufacturing
9
7. DPA Countermeasures (2)



By S. Almanei
Another processor working on parallel with the actual
processor
Disadvantage: increase in production cost, more
memory and power
10
7. DPA Countermeasures (3)



By Hardware
• Random register renaming - MMS
• 1-of-n encoded circuits - Moore
By Software for Symmetric Algorithm
• Replacing each intermediate variable depending on
input or output by k variables - GP, Willich
• Masking before processing, unmasking after
processing – ITT, CG,
• Transformed S-box and masking – AG
By Software for Asymmetric Algorithm
• Transforming the curve in ECC - JT
• Using the Jacobi Form in ECC - LS
11
8. Future Works



More study
• Higher Order DPA
• Software Countermeasure for Symmetric Algorithm
Mount DPA on Commercial Smart Cards
Make an idea
• Software countermeasure
• For symmetric algorithm
• Efficient and Easy to Implement
12
References
1.
2.
3.
4.
5.
6.
Paul Kocher, Joshua Jaffe, and Benjamin Jun, “Differential Power Analysis”,
Advances in Cryptology – CRYPTO ’99, LNCS 1666, Aug. 1999, pp. 388397
Kouichi Itoh, Masahiko Takenaka, and Naoya Torii, “DPA Countermeasure
Based on the Masking Method”, ICICS 2001, LNCS 2288, 2002, pp. 440-456
Louis Goubin, Jacques Patarin, “DES and Differential Power Analysis”,
Proceedings of Workshop on Cryptographic Hardware and Embedded
Systems, Aug. 1999, pp. 158-172
Jean-Sebastien Coron, Louis Goubin, “On Boolean and Arithmetic Masking
against Differential Power Analysis”, CHES 2000, LNCS 1965, 2000, pp.
231-237
Mehdi-Laurent Akkar, Christophe Giraud, “An Implementation of DES and
AES, Secure against Some Attacks”, CHES 2001, LNCS 2162, 2001, pp.
309-318
D. May, H.L. Muller, and N.P. Smart, “Random Register Renaming to Foil
DPA”, CHES 2001, LNCS 2162, 2001, pp. 28-38
13
References
S. Almanei, “Protecting Smart Cards from Power Analysis Attacks”,
http://islab.oregonstate.edu/koc/ece679cahd/s2002/almanei.pdf, May. 2002
8. Adi Shamir, “Protecting Smart Cards from Passive Power Analysis with
Detached Power Supplies”, CHES 2000, LNCS 1965, 2000, pp. 71-77
9. P. Y. Liardet, N. P. Smart, “Preventing SPA/DPA in ECC Systems Using the
Jacobi Form”, CHES 2001, LNCS 2162, 2001, pp. 391-401
10. Marc Joye, Christophe Tymen, “Protections against Differential Analysis for
Elliptic Curve Cryptography”, CHES 2001, LNCS 2162, 2001, pp. 377-390
7.
14
Q&A
Thank you!
15