Cryptography Reference
In-Depth Information
In first-order DPA attacks against unprotected devices, each m s i is compared with
a single point in the traces. Hence, the comparison step is independent of all other
points in the acquired trace. In practical attacks, this comparison is applied to many
points in the leakage traces and the subkey candidate that performs best is selected
by the adversary.
Note also that many distinguishers can be used to detect data dependencies in
the leakages. Classical solutions include Kocher's difference of means test [240],
Pearson's correlation coefficient [72] and template attacks [82].
1.4.1 Profiled Fault Triggering with DPA
If the effectiveness of SPA in triggering a fault insertion against certain classes of
devices becomes limited, it is alternatively possible to exploit DPA for this purpose.
However, it is important to note that using DPA implies a modification of the attack
scenario. That is, while SPA-based triggering techniques could be used “on the fly”,
DPA usually makes sense as a preparation stage, to be applied before the application
of a fault attack. In fact, most successful DPA attacks come both with the identification
of the points of interest in a trace, and with secret key information.
An example is shown in Fig. 1.7, where the lower trace is a single power consumption
trace taken during the computation of an AES on an ARM7 microprocessor
(as previously considered in Sect. 1.3). The upper trace shows the correlation
between the Hamming weight of the output of one byte of the SubBytes function and a
series of power consumption traces. The peaks in the correlation trace show at which
points in the power consumption trace the predicted byte is manipulated by the
microprocessor. This complements the information one can observe using SPA. The
first peak corresponds to where the first byte is produced in the SubBytes function
and indicates which of the 16 peaks corresponds to that byte being produced. The
subsequent peaks in the correlation trace indicate the points in time where the same
byte is manipulated in the MixColumns function.
Note that if the key is unknown, only the intermediate values after the first (and
before the last) round(s) can initially be predicted by the adversary, i.e. before the
diffusion in the cipher makes them dependent on too many key bits. But once a single
successful DPA has been applied (i.e. once a master key is known), it is possible to
predict any intermediate value in the cipher and consequently to detect its precise
execution time for a subsequent fault attack.
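The correlation trace described for Fig. 1.7, as an added example that is not taken from the book: with a known key byte, as in a leakage evaluation of one's own implementation, it correlates the Hamming weight of one SubBytes output byte against simulated traces and reports the sample indices where that byte is handled. The traces, the key byte 0x2B, the leak positions 12 and 30, the noise level and the 0.4 threshold are all constructed assumptions.

```python
import math, random

def build_sbox():
    """AES S-box: inverse in GF(2^8), then the affine map."""
    def mul(a, b):
        r = 0
        while b:
            r ^= a if b & 1 else 0
            a = (a << 1) ^ (0x11B if a & 0x80 else 0)
            b >>= 1
        return r
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if mul(x, y) == 1), 0)
        s = inv ^ 0x63
        for k in range(1, 5):  # XOR in the four left-rotations of inv
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        box.append(s)
    return box
SBOX = build_sbox()

def hw_model(plaintexts, key_byte):  # predicted leakage: HW of SubBytes output
    return [bin(SBOX[p ^ key_byte]).count("1") for p in plaintexts]

def simulate(n, samples, key_byte, leak_at, seed=1):
    """Constructed traces: unit Gaussian noise, plus HW leakage at leak_at."""
    rng = random.Random(seed)
    pts = [rng.randrange(256) for _ in range(n)]
    traces = [[rng.gauss(0, 1) + (h if t in leak_at else 0) for t in range(samples)]
              for h in hw_model(pts, key_byte)]
    return pts, traces

def pearson(xs, ys):
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var = sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(var)

def correlation_trace(pts, traces, key_byte):
    """One Pearson coefficient per time sample (a column of the trace matrix)."""
    model = hw_model(pts, key_byte)
    return [pearson(model, column) for column in zip(*traces)]

def points_of_interest(corr, threshold=0.4):
    return [t for t, r in enumerate(corr) if abs(r) > threshold]

if __name__ == "__main__":
    pts, traces = simulate(500, 40, 0x2B, leak_at=(12, 30))
    print(points_of_interest(correlation_trace(pts, traces, 0x2B)))
```

The two reported indices play the role of the SubBytes peak and a later peak where the same byte is reused; countermeasures such as masking or random delays are assessed by checking that such peaks no longer appear.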
1.5 Advanced Scenarios
The previous sections discuss case studies in which power analysis can be used to
complement fault injection, essentially for enhancing the triggering aspects. However,
most embedded devices for security applications are now protected with various