Cryptography Reference
In-Depth Information
Fig. 1.3
The power consumption of a microprocessor while computing a modular exponentiation
lower power consumption corresponds to a squaring operation and the higher power
consumption corresponds to a multiplication. If we denote a squaring operation as
S
and a multiplication as
M
, then the series of operations in Fig.
1.3
is
SMSMSMSSSSSSSSSMSMSMSMSSSSSSSSSSSSSMSMSMSMSM
.
These directly correspond to the first 41 bits of the exponent used to generate the
power consumption trace in Fig.
1.3
, which, from the sequence of operations, can be
identified as
111100000000111100000000000011111
.
1.3.2 Case Study: AES Encryption
Implementations of block ciphers in small embedded devices are another example of
where SPA can be straightforwardly applied in order to identify individual operations
or trigger a fault insertion apparatus. Differential fault analysis attacks typically target
a specific round of a block cipher. Hence, solutions that allow determining the exact
time at which these operations are computed will be useful in this context. In this
section we use the Advanced Encryption Standard (AES) as an example. In this
section multiplications are considered to be polynomial multiplications over
F
2
8
modulo the irreducible polynomial
x
8
x
4
x
3
1. It should be clear from
the context when a mathematical expression contains integer multiplication.
The structure of the Advanced Encryption Standard (AES) [142], as used to per-
form encryption, is illustrated in Algorithm 1.2. Note that we restrict ourselves to
considering AES-128 and that the description omits a permutation typically used to
convert the plaintext
P
+
+
+
x
+
=
(
p
0
,
p
1
,...,
p
15
)
(
256
)
and key
K
=
(
k
0
,
k
1
,...,
k
15
)
(
256
)
into a 4
4 array of bytes, known as the state matrix. For example, the 128-bit
plaintext input block
P
and 128-bit ciphertext
C
are arranged as
×
