15.4.2 Evaluating the Effects of Check Bits on Pearson's Correlation-Based DPA
The second set of experiments focused on Pearson's correlation coefficient DPA,
which uses the Hamming weight model, with the goal of finding out whether one of
the circuits is easier to attack than the others. Another objective was to explore
whether knowledge of the presence of an error detection circuit can be exploited
by the attacker.
We performed a series of correlation-based DPA attacks against all the considered
implementations of the AES S-box. It is important to notice that since we reset
the circuit after each computation, the Hamming weight and the Hamming distance
models would yield exactly the same results.
In the case of AES, the attacker usually hypothesizes all the eight output bits
of the S-box. However, when the S-box is extended to provide error detection or
correction, the number of output bits is higher than 8. Since the correlation value
changes depending on the number of bits included in the hypothesis, it is
worthwhile exploring the effects of the added check bits in two cases: when the adversary
hypothesizes only the eight output bits of the AES S-box (i.e., the attacker is unaware
of the presence of an error detection circuit) and when the adversary hypothesizes all
the output bits, including the check bits (i.e., the attacker is aware of the particular
error detection code used).
As in the previous series of experiments, we performed our evaluation on the
noise-free traces produced by the SPICE-level simulator and we considered the circuit
depicted in Fig. 15.1. Furthermore, as in the case of Kocher's DPA, since the traces
obtained by simulation are noise-free and the size of the S-box is eight bits, we can
fully characterize the device by simulating all the 256 input plaintexts for each of
the 256 possible keys.
The first series of attacks was performed including in the attack hypothesis all the
bits of the target register. This corresponds to the situation where the adversary is
aware of the particular error code used. Then, we included in the attack hypothesis
only the eight output bits of the S-box, i.e., we assumed that the adversary is unaware
of the presence of an error detection circuit.
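
The effect of the hypothesis width on the correlation value can be reproduced with a small noise-free model. The following is an added example, not code or data from the original text: it assumes the register is reset before each write (so the leakage is the Hamming weight of the bits written) and models "double parity" as one parity bit per nibble of the S-box output, which is an assumption because the text does not define the code.

```python
def gmul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def sbox_entry(x):
    """AES S-box from its definition: field inverse, then the affine map."""
    inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
    s = inv ^ 0x63
    for i in range(1, 5):
        s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
    return s

SBOX = [sbox_entry(x) for x in range(256)]

def hw(v):
    return bin(v).count("1")

def check_bits(s):
    # ASSUMPTION: "double parity" modelled as one parity bit per output nibble.
    return ((hw(s >> 4) & 1) << 1) | (hw(s & 0xF) & 1)

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5

def peak_correlation(key, circuit_has_check, hypothesis_has_check):
    """Correct-key correlation at the register write, over all 256 plaintexts.
    Noise-free model: register is reset first, so leakage = HW of bits written."""
    outs = [SBOX[p ^ key] for p in range(256)]
    leak = [hw(s) + (hw(check_bits(s)) if circuit_has_check else 0) for s in outs]
    hyp = [hw(s) + (hw(check_bits(s)) if hypothesis_has_check else 0) for s in outs]
    return pearson(hyp, leak)

if __name__ == "__main__":
    for name, c, h in [("reference, 8-bit hypothesis", False, False),
                       ("double parity, 8-bit hypothesis", True, False),
                       ("double parity, 10-bit hypothesis", True, True)]:
        vals = {round(peak_correlation(k, c, h), 4) for k in range(256)}
        print(f"{name}: {sorted(vals)}")
```

In this model the correlation is the same for every key, because the S-box outputs over all 256 plaintexts are always a permutation of 0..255; the values come from the assumed leakage model and are not the figures reported in the text.
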
Figures 15.6 and 15.7 show the results of a Pearson's correlation coefficient DPA
attack on the output of the AES S-box in the reference circuit and on the output of
the S-box with an added error detection circuit based on double parity, respectively,
when the presence of the error detection code is unknown to the attacker. The figures
show the time period during which the outputs of the S-box and, when present, the
check bits, are computed (approximately up to 2,500 ps), and the time interval in
which the results and the check bits are stored into the register (approximately from
2,500 to 3,000 ps).
As can be seen, this is the best situation for the attacker, and this is confirmed by the
high values of the correlation coefficients for the time intervals which correspond
to the register write operations. In fact, in the attack mounted when the presence
of the error correction code was known to the attacker, all the circuits showed a
correlation value approximately equal to 1. Additionally, when the presence of the