Cryptography Reference
In-Depth Information
Fig. 1.6 The power consumption of a microprocessor while evaluating the file access rights on a
GSM SIM. The red trace corresponds to a successful file access and the blue trace corresponds to
an unsuccessful file access
is implemented as a loop there will be a test at the end of each round to determine if
ten rounds have been computed. Another example would be file access rights. Some
devices, such as GSM SIMs, consist of a file structure with associated file access
conditions. In Fig. 1.6 the power consumption of a SIM that allows access to an
arbitrary file is plotted in red, and the power consumption of the same SIM that
denies access to an arbitrary file is plotted in blue. Superposing the traces, as in
Fig. 1.6, would allow an attacker to determine the moment that file access is granted
or denied by the microprocessor.
1.4 Differential Power Analysis
Differential power analysis (DPA) is a natural extension of SPA, in which the adversary
conducts intensive data acquisition (e.g. thousands of traces) in order to recover
a cryptographic key. This process usually starts by selecting the subkeys $s$ that are
to be recovered by the attack. In the context of block ciphers (our running example),
these subkeys typically correspond to small parts (e.g. bytes) of the master key. Then,
the attack can be described as a combination of the following three steps [269]:
1. For different plaintexts $x_i$ and subkey candidates $s$, the adversary predicts some
intermediate values in the target implementation. For example, one could predict
S-box outputs $z_i$ and get values $v_i^s = S(x_i \oplus s)$.
2. For each of these predicted values, the adversary models the side-channel leakage.
For example, if the target block cipher is executed on a CMOS-based
microprocessor, the model is typically the Hamming weight ($HW$) of the predicted
values. One then obtains the modelled leakage $m_i^s = HW(v_i^s)$.
3. For each subkey candidate $s$, the adversary finally compares the modelled leakages
with the acquisitions produced with the same plaintexts $x_i$ and a subkey,
using a statistical distinguisher of his choice. One commonly chosen distinguisher
is Pearson's correlation coefficient [72], i.e. an attacker computes the correlation
between the modelled leakage and each point in the acquired traces.
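The three steps above, run on simulated traces the way an evaluator would check whether an implementation's leakage is exploitable. This is an added example, not code from the original text. Assumptions: the 4-bit PRESENT S-box stands in for S (the text names no cipher), subkeys are nibbles rather than bytes, and the traces are constructed as Gaussian noise plus a Hamming-weight leak at one sample point.

```python
import random

# Assumption: PRESENT's 4-bit S-box stands in for S; byte-wide subkeys work the
# same way with a 256-entry table.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def hw(v):
    return bin(v).count("1")  # Hamming weight

def simulate_traces(secret, n_traces, n_points=20, leak_point=7, sigma=1.0, seed=1):
    """Constructed data: noise at every point, plus HW(S(x ^ secret)) at one point."""
    rng = random.Random(seed)
    plaintexts, traces = [], []
    for _ in range(n_traces):
        x = rng.randrange(16)
        t = [rng.gauss(0.0, sigma) for _ in range(n_points)]
        t[leak_point] += hw(SBOX[x ^ secret])
        plaintexts.append(x)
        traces.append(t)
    return plaintexts, traces

def pearson(a, b):
    """Pearson's correlation coefficient of two equal-length sequences."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((p - ma) * (q - mb) for p, q in zip(a, b))
    va = sum((p - ma) ** 2 for p in a)
    vb = sum((q - mb) ** 2 for q in b)
    return cov / (va * vb) ** 0.5 if va and vb else 0.0

def cpa(plaintexts, traces):
    """Return {candidate s: (highest correlation, sample index where it occurs)}."""
    columns = list(zip(*traces))  # one column per sample point in time
    scores = {}
    for s in range(16):
        # Steps 1 and 2: predict v_i^s = S(x_i ^ s), model m_i^s = HW(v_i^s).
        model = [hw(SBOX[x ^ s]) for x in plaintexts]
        # Step 3: correlate the model with every point of the acquired traces.
        # Signed maximum: the simulated leakage grows with the Hamming weight.
        scores[s] = max((pearson(model, col), j) for j, col in enumerate(columns))
    return scores

def best_candidate(scores):
    return max(scores, key=lambda s: scores[s][0])

if __name__ == "__main__":
    xs, ts = simulate_traces(secret=0xB, n_traces=2000)
    print(best_candidate(cpa(xs, ts)))
```

The correct candidate stands out only at the sample point where the intermediate value is handled; the other points, and the other candidates, stay at much lower correlation.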