Cryptography Reference
In-Depth Information
Finally, in the fourth set of experiments we analyze for each of the error detec-
tion/correction circuits how the success rate of an adversary (exploiting the corre-
lation coefficients and the Hamming weight) varies as a function of the model used
during the attack. These experiments show whether the additional information avail-
able to the attacker can be beneficial even if the attacker is unaware of the presence
of the specific error detection and correction code.
15.4.1 Evaluating the Effects of the Added Check Bits on Kocher's
Difference of Means DPA
The goal of these experiments is twofold: determine whether the redundancy added
to a cryptographic circuit affects the effectiveness of the classical Kocher's DPA,
and find out whether the redundancy bits themselves are susceptible to this attack
as are the data bits. We also want to explore whether the choice of a particular error
detection code influences the results. We thus performed Kocher's DPA attack on
various implementations of the AES S-box, with and without error detection.
For the reference circuit, we mounted Kocher's DPA attacks targeting, one by
one, all the output bits of the S-box. In the attacks on implementations that include
a fault detection circuit, we distinguished between two cases: in the first case we
targeted only the eight output bits of the S-box, mimicking the situation in which the
attacker is unaware of the presence of the error detection circuit; in the second case,
we included in our hypothesis the redundancy bits, assuming that the attacker knows
about the specific error detection check bits that have been added to the S-box. All
these attacks were performed directly on the noise-free power traces produced by
the SPICE-level simulator described in Sect.
15.3
.
Figures
15.4
and
15.5
show the results of a Kocher's DPA attack on one output bit
of the AES S-box in the reference circuit and on the same bit of the S-box with an
added error detection circuit based on complementary parity bits, respectively. The
differential trace corresponding to the correct key is plotted in black, while all the
others are in gray. As can be seen, during the computation of the output that corre-
sponds to the initial part of the graph (approximately up to 1,000 ps), the presence of
the parity bits seems to make the attack more difficult. However, when the result is
stored into the register (at about 1,750 ps) the peak is, in both cases, of approximately
the same height. The above situation repeats itself for all the other codes. Since the
adversary typically targets the point that yields the highest probability of succeeding
with the DPA attack, and since this point is usually the time when the computed value
is stored into the register, we can conclude that the presence of an error detection
circuit does not substantially affect Kocher's DPA.
The situation is slightly different when the adversary attacks one of the redundant
check bits. When the target bit (used as selection function) generates two sets that
contain approximately the same number of elements (as in the case of the parity bit,
the complementary parity, the Hamming code and the dual parity), the value of the
