стр. 18 |

ply with consumption constraints especially on au- looks roughly like a capacitive charge and dis-

tonomous equipments, like mobile phones. Power charge response.

analysis has been included into most certiп¬Ѓcation A careful study of several traces of a same code

processes regarding products dealing with infor- with various input data shows certain locations

mation security such as smart cards. where power trace patterns have different heights.

The electrical consumption of any electronic de- The concerned cycles indicate some data depen-

vice can be measured with a resistor inserted be- dence also called information leakage. They may

tween the ground or Vcc pins and the actualground be magniп¬Ѓed by a variance analysis over a large

in order to transform the supplied current into a number of executions with random data. For in-

voltage easily monitored with an oscilloscope. stance, by ciphering many random plaintexts with

Within a micro-controller the peripherals con- a secret-key algorithm, it is possible to distinguish

sume differently. For instance writing into non- the areas sensitive to input messages from the con-

volatile memory requires more energy than stant areas that correspond to the key schedule.

reading. Certain chips for smart cards enclose a

crypto-processor, i.e., a particular device dedicated

INFORMATION LEAKAGE MODEL: The charac-

to speciп¬Ѓc cryptographic operations, which gen-

terisation of data leakage (namely, п¬Ѓnding the re-

erally entails a consumption increase. The con-

lationships between the data and the variability of

sumption trace of a program running inside a

consumption) has been investigated by several re-

micro-controller or a microprocessor is full of in-

searchers. The most common model consists in cor-

formation. The signal analysis may disclose lots

relating these variations to the Hamming weight

of things about the used resources or about the

of the handled data, i.e., the number of nonzero

process itself. This illustrates the notion of side

bits. Such a model is valid for a large number of

channel as a source of additional information.

Fig. 2. Information leakage

572 Side-channel analysis

8

Hamming distance from data to reference B8h

7

6

5

4

3

2

1 Data byte

0

0 50 100 150 200 250

240 Power consumption

230

220

210

200

190

180

170

160

150 Data byte

0 50 100 150 200 250

Fig. 3. Transition model

STATISTICAL ANALYSES: With information leak-

devices. However it can be considered as a special

case of the transition model which assumes that age models in mind, it is possible to designsta-

the energy is consumed according to the number of tistical methods in order to analyse the data

bits switched for going from one state to the next leakage. They require a large amount of power

one. This behaviour is represented by the Ham- traces assigned to many executions of the same-

ming distance between the data and some a priori code with varying data, generally at random, and

unknown constant, i.e., the Hamming weight of make use of statistical estimators such as aver-

the data XOR-ed with this constant. ages, variances and correlations. The most famous

As shown in the next picture (Figure 3), for an method is due to Paul Kocher et al. and is called

8-bit micro-controller, the transition model may Differential Power Analysis (DPA).

seem rough but it sufп¬Ѓces to explain many situ- Basically the purpose of DPA is to magnify

ations, provided that the reference constant state the effect of a single bit inside a machine word.

is known. In most microprocessors this state is ei- Suppose that a random word in a -bit proces-

ther an address or an operating code. Each of them sor is known and uniformly distributed. Suppose

has a speciп¬Ѓc binary representation and therefore further that the associated power consumption

a different impact in the power consumption: this obeys the Hamming-weight model. On average the

Hamming weight of this word is /2. Given N

is why each cycle pattern is most often different

from its neighbours. words, two populations can be distinguished ac-

Some technologies systematically go through a cording to an arbitrary selection bit: the п¬Ѓrst pop-

ulation, S0 , is the set of t words whose selection

clear вЂњall-zerosвЂќ state that explains the simpler

bit is 0 and the second population, S1 , is the set

Hamming-weight model.

Fig. 4. Bit tracing (upper curve: power consumption of a single execution; two lower curves: DPA curves respectively

tracing the п¬Ѓrst and last data bit of a targetted process)

Side-channel analysis 573

of NвЂ“t words whose selection bit is 1. On average, k bitsize(d )

the words of set S0 will have a Hamming weight y x

of ( в€’ 1)/2 whereas the words of set S1 will have for i = k в€’ 2 downto 0 do

a Hamming weight of ( + 1)/2. The same bias

y 2 (mod n)

y

can be seen through the corresponding power con-

y . x (mod n)

if (bit i of d is 1) then y

sumption traces since it is supposed to be corre-

endfor

lated with the Hamming weight of the data. Let

return y

C0 and C1 respectively denote the averaged power

consumption traces of the blue curvesets S0 and

Fig. 5. Square-and-multiply exponentiation algorithm

S1 . The DPA trace is deп¬Ѓned as the difference

C0 в€’ C1 .

section explains how to turn a side-channel anal-

The resulting DPA curve has the property of

ysis into an attack.

erecting bias peaks at moments when the selec-

tion bit is handled. It looks like noise everywhere

SPA-Type Attacks

else: indeed, the constant components of the signal

are cancelled by the subtraction whereas dynamic

A п¬Ѓrst type of power attacks is based on Simple

ones are faded by averaging, because they are not

Power Analysis (SPA). For example, when applied

coherent with the selection bit.

to an unprotected implementation of an RSA pub-

This approach is very generic and applies to

lic key encryption scheme, such an attack may re-

many situations. It works similarly with the tran-

cover the whole private key (i.e., signing or decryp-

sition model. Of course the weight of a single selec-

tion key) from a single power trace.

tion bit is relatively more important in processors

Suppose that a private RSA exponentiation,

with short words like 8-bit chips. If the machine

y = x d mod n (see modular arithmetic), is carried

word is larger, the same DPA bias can be obtained

out with the square-and-multiply algorithm (see

by increasing the number of trials.

also exponentiation algorithms). This algorithm

A п¬Ѓrst application of DPA is called bit tracing. It

processes the exponent bits from left to right. At

is a useful reverse engineering tool for monitoring

each step there is a squaring, and when the pro-

a predictable bit during the course of a process. In

стр. 18 |