Instead of the first article on DPA attacks in 1999 [1], the so-called difference-of-means method, the correlation coefficient has been considered to analyze our data and the leakage information. The following is the general strategy
5
that how to attack the cryptography devices successfully [4].
Step 1:
Prepare plaintexts or ciphertexts and choose an intermediate result at a fixed time of the algorithm.
The first step of a DPA attack for attacks is to prepare a large number of plaintexts or ciphertexts. The plaintexts or ciphertexts are known random data values.
Then choose an intermediate result of the cryptography algorithm that is executed by the attacked device. The intermediate result presents a function f (d, k) of the algorithm, where d is the plaintext or ciphertext, and k is part of the key. What function the attacker choose, what the corresponding fixed time should be take into account.
Figure 2.2: Step1: Prepare the plaintexts or ciphertexts.
6
Step 2:
Measure the power consumption.
The second step of DPA attack for an attacker is to get the power consumption trace of the cryptography device executing the encryption or decryption with D random data blocks. The corresponding data value d that is involved in the intermediate result need to be confirmed. We present the data values in this way, d = (d1, …, dD)’, where di is the data value in the ith executing run. The attacker measures each power trace during each of the runs. Corresponding to the data blocks di, we write the power trace as ti = (ti, 1, …, ti, T), where T is the length of time, or the number of sample points according to the measurement equipment. The attacker gets a power trace due to each of the D data blocks. So the traces can be presented as a D × T matrix T.
Figure 2.3: Step 2: Measure the power trace corresponding to the data blocks.
7
Step 3:
Calculate the hypothetical intermediate value.
Here, we list all possible choice of keys as vector k = (k1, …, kK), where K means the total numbers of possible choices for k, and we refer to k as key hypotheses.
After preparing the data blocks d and the key hypotheses k well, the attacker can calculate the hypothetical intermediate values through f (d, k) in the cryptographic algorithm with D data blocks and K key hypotheses. This calculation results in a matrix V, which size is D × K. The elements in V denote as vi,j = f (di, ki), where i = 1 to D and j = 1 to K.
Figure 2.4: Step 3: Calculate the hypothetical intermediate value.
8
From the matrix V, it is not hard to realize that each column of V has been calculated based on the same key hypothesis. Because that k includes all possible key hypotheses, the correct key used in the cryptographic device is the one of the element in k. The key used in the cryptographic device is written as kck. Hence, kck is what the attacker is eager for.
Step 4:
Simulate intermediate values to power consumption values.
This step is to map the hypothetical intermediate values V to hypothetical power consumption values H. For the purpose, the attacker simulates the intermediate values by some power model methods. Some power model method will be mentioned in following section. The power consumption values hi,j are simulated from hypothetical intermediate values vi,j through one of these power model methods.
Figure 2.5: Step 4: Generate hypothetical power consumption values.
9
The efficiency of the DPA attack strongly depends on the power model simulation. And the quality of the simulation depends on the knowledge of the attacker from the attacked device. The attacker should choose a power model that can make the simulation more closely to the actual power consumption characteristics of the attacked device. The more closely the simulation is, the more effective the DPA attack is.
Step 5:
Compare the hypothetical power consumption values with the power traces.
Reviewing the above four steps, we have the V, the hypothetical intermediate value matrix, H, the hypothetical power consumption matrix, and T, the power trace matrix. In this step, the attacker compares the each column hi of H with each column ti of T. this means the hypothetical power consumption values of each key hypothesis are compared with the recorded power traces at every time interval. After comparing H and T, the result is a matrix R of size K × T, where the element ri,j is the result from the columns hi and tj. This comparison is based on some statistical analysis mentioned later.
10
Figure 2.6: Step 5: Compare the hypothetical power consumption values with the power traces.
The power traces correspond to the power consumption of the attacked device when the device executes the algorithm with D data blocks. The device will calculate the intermediate value vck. The recorded power traces also depend on the intermediate values at some time interval. We write this time interval as ct that means the column tct is the power consumption corresponding to the vck. And the hypothetical power consumption values hck are simulated based on vck. Therefore, the columns hck and tct
are related strongly, and the result from these two columns hck and tct is the highest value in R, written as rck,ct. Other values are not as high as rck,ct because the other columns of H and T are not so strongly related.
11
Figure 2.7: The five steps of DPA attacks.