Information Technology Reference
In-Depth Information
Fig. 15.
A outline of the DPA procedure for QCA circuits.
and a subkey are XORed before being passed to the S-box transformation. All
possible combinations of
S
0
-box inputs are simulated by QCAPro and the cor-
responding power consumption values are provided in Table
6
, where the left
vertical column of the table represents the current input and the top horizontal
row represents the next input.
Following the DPA attack steps, the Serpent sub-module is attacked and two
correlation results are shown in Figs.
16
and
17
. It can be seen that the correct
key guess in each case is clearly distinguishable from wrong key guesses after
1000 inputs. Since one subkey can be revealed, the whole Serpent key set can
also be revealed using this power analysis attack.
To illustrate that all of the possible subkeys from “0000” to “1111” will result
in a distinguishable correlation coecient, they were applied to the Serpent sub-
module and DPA attacks were carried out. The results are shown in Fig.
18
.All
subkey correlation coecients vary between 0.16 and 0.25 and the number of
power points required to reveal the subkey from the incorrect key guesses varies
between 200 and 2000. Therefore, with just 2000 power points all of the Serpent
subkeys can be revealed. In Fig.
18
, for each subkey applied to the sub-module,
the correlation coecients of all key guesses are shown in the vertical direction,
which are chosen when the number of power points is 2000. For example, the
correlation coecients for all key guesses when the correct subkey is 4 (SK = 4)
or 13 (SK = 13) in Fig.
18
is obtained by a cross section of Figs.
16
or
17
taken at 2000 power points. For every case, each correct key guess may have
Search WWH ::
Custom Search