52 Things: Number 40: What is normally considered the difference between SPA and DPA?

This is the latest in a series of blog posts to address the list of '52 Things Every PhD Student Should Know To Do Cryptography': a set of questions compiled to give PhD candidates a sense of what they should know by the end of their first year. We continue with our side-channel track and discuss the differences between a side-channel attack and a fault attack.

Power or Electromagnetic (EM) analysis attacks divide into two types of attacks, Simple Power Analysis (SPA) or Differential Power Analysis (DPA). Both of these types of attack work using either electromagnetic or power traces of a device but vary fundamentally in the number of power of traces they require and how these traces are analysed. Before examining the differences between these attacks, it is worth looking at what a power/EM trace is.

Power traces

The power of CMOS circuits can either be static or dynamic. Static power consumption is the power consumed when the circuit is static (ie. no switching is taking place) and is typically small. Dynamic power consumption is the power consumed by the switching that occurs in the circuit between 0 and 1 or 1 and 0. Dynamic power consumption is typically the greatest contributor to power consumption in a circuit and as it depends on the data being processed by the circuit. Dynamic power consumption comes from two factors. The first is the capacitance charging current and the second is the short-circuit current. Each CMOS cell has a load capacitance connected to the output of the cell. This load capacitance includes the wires that connect the cells to subsequent cells and also the input capacitances of the cells. 

A CMOS cell draws current from the power rail $V_{dd}$ to charge these capacitances which in turn leads to power consumption according to $P = \alpha f C_l V_{dd}^2$, where $\alpha$ is the average number of $0 \rightarrow 1$ transitions which occur every clock cycle. \cite{dpabook}. This charging happens when there is a switch from $0 \rightarrow 1$ at the output. When there is a switch from $1 \rightarrow 0$, the current is drawn from $C_L$ to $gnd$ via the NMOS and not $V_{dd}$. The second part of the contribution to power consumption is the short circuit current. This occurs during a switch when it is moving from $0 \rightarrow 1$ and $1 \rightarrow 0$ and occurs when both the pmos and nmos transistors are conduction at the same time - though this happens very briefly. This power consumption is in accordance with $P_{sc} = \alpha f V_{dd} I_{peak} t_{sc}$, where $I_{peak}$ is the current peak during switching and $t_{sc}$ is the time for which the short circuit exists. [1].

Understanding these two points of dynamic power consumption we can see that all switching $1 \rightarrow 0$ and $0 \rightarrow 1$ will consume power through the short circuit current, however switching from $0 \rightarrow 1$ will consume more power due to the charging of the load capacitance. If we are able to measure the power consumption (or EM field as current of varying strength will produce an EM field of equal variance allowing the measurement of the EM field to give a measurement of power consumption) of a device accurately we can therefore determine the number of switches which will let us look inside the device in two ways. First by allowing us to determine a particular operation (a multiplier for instance may require more switches than an x-or gate for instance) and secondly, and more crucially, the data being operated on by the operation, as this may affect the switching.

SPA and DPA Attacks

The main difference between SPA attacks and DPA attacks is the number of traces required. SPA attacks typically use one or very few traces whereas DPA attacks use many. They also vary in the way they exploit the dynamic power consumption of the device with SPA attacks identifying sequences of operations, however they can also exploit data dependency as in the case of templating attacks for instance. This is illustrated by the well known SPA attack on the square and multiply algorithm for binary expansion in RSA. Here, if the binary value in the exponent is 0, the value is squared and if it is a 1 then the value is squared and multiplied. Viewing this on a single trace it is possible to see the shape of a square operation and the shape of a square and multiply operation and thus read of each bit of the key as a 0 or a 1. The beauty of this attack is that only a single trace is required to make this observation, making it an SPA attack.

DPA attacks on the other hand exploit only the data dependency element of the power consumption by using multiple traces and statistical techniques. They focus on the data dependency of the power consumption and work by creating hypotheses of how much switching (and therefore change in power consumption) there will be for given data. These hypotheses are known as leakage models and are usually hamming weight or hamming distance. If this leakage model is correct, the power traces should reveal information being processed according to it, although in reality this is always combined with noise which distorts the data/power relationship. In DPA attacks, secret data values being operated on can be determined by estimating them and seeing if the representation of them according to a leakage model correlates to a number of different power traces. A DPA attack therefore requires a number of traces – the number can vary between as few as 50 to thousands depending on the level of noise and accuracy of the measurements.

[1] Mangard, Stefan, Elisabeth Oswald, and Thomas Popp. Power analysis attacks: Revealing the secrets of smart cards. Vol. 31. Springer Science & Business Media, 2008.