This is the latest in a series of blog posts to address the list of '52 Things Every PhD Student Should Know To Do Cryptography':
a set of questions compiled to give PhD candidates a sense of what they
should know by the end of their first year. We continue with our
side-channel track and discuss the differences between a side-channel
attack and a fault attack.
Power or Electromagnetic (EM) analysis
attacks divide into two types of attacks, Simple Power Analysis (SPA)
or Differential Power Analysis (DPA). Both of these types of attack
work using either electromagnetic or power traces of a device but
vary fundamentally in the number of power of traces they require and
how these traces are analysed. Before examining the differences
between these attacks, it is worth looking at what a power/EM trace
is.
Power traces
The power of CMOS circuits can either be static or dynamic. Static power consumption is the power consumed when the circuit is static (ie. no switching is taking place) and is typically small. Dynamic power consumption is the power consumed by the switching that occurs in the circuit between 0 and 1 or 1 and 0. Dynamic power consumption is typically the greatest contributor to power consumption in a circuit and as it depends on the data being processed by the circuit.
Dynamic power consumption comes from two factors. The first is the capacitance charging current and the second is the short-circuit current. Each CMOS cell has a load capacitance connected to the output of the cell. This load capacitance includes the wires that connect the cells to subsequent cells and also the input capacitances of the cells.
A CMOS cell draws current from the power rail $V_{dd}$ to charge these capacitances which in turn leads to power consumption according to $P = \alpha f C_l V_{dd}^2$, where $\alpha$ is the average number of $0 \rightarrow 1$ transitions which occur every clock cycle. \cite{dpabook}. This charging happens when there is a switch from $0 \rightarrow 1$ at the output. When there is a switch from $1 \rightarrow 0$, the current is drawn from $C_L$ to $gnd$ via the NMOS and not $V_{dd}$.
The second part of the contribution to power consumption is the short circuit current. This occurs during a switch when it is moving from $0 \rightarrow 1$ and $1 \rightarrow 0$ and occurs when both the pmos and nmos transistors are conduction at the same time - though this happens very briefly. This power consumption is in accordance with $P_{sc} = \alpha f V_{dd} I_{peak} t_{sc}$, where $I_{peak}$ is the current peak during switching and $t_{sc}$ is the time for which the short circuit exists. [1].
Understanding these two points of dynamic power consumption we can see that all switching $1 \rightarrow 0$ and $0 \rightarrow 1$ will consume power through the short circuit current, however switching from $0 \rightarrow 1$ will consume more power due to the charging of the load capacitance. If we are able to measure the power consumption (or EM field as current of varying strength will produce an EM field of equal variance allowing the measurement of the EM field to give a measurement of power consumption) of a device accurately we can therefore determine the number of switches which will let us look inside the device in two ways. First by allowing us to determine a particular operation (a multiplier for instance may require more switches than an x-or gate for instance) and secondly, and more crucially, the data being operated on by the operation, as this may affect the switching.
SPA and DPA Attacks
The main difference between SPA
attacks and DPA attacks is the number of traces required. SPA attacks
typically use one or very few traces whereas DPA attacks use many.
They also vary in the way they exploit the dynamic power consumption
of the device with SPA attacks identifying sequences of operations, however they can also exploit data dependency as in the case of
templating attacks for instance. This is illustrated by the well
known SPA attack on the square and multiply algorithm for binary
expansion in RSA. Here, if the binary value in the exponent is 0, the value
is squared and if it is a 1 then the value is squared and multiplied.
Viewing this on a single trace it is possible to see the shape of a
square operation and the shape of a square and multiply operation and
thus read of each bit of the key as a 0 or a 1. The beauty of this
attack is that only a single trace is required to make this
observation, making it an SPA attack.
DPA attacks on the other hand
exploit only the data dependency element of the power consumption by
using multiple traces and statistical techniques. They focus on the
data dependency of the power consumption and work by creating
hypotheses of how much switching (and therefore change in power
consumption) there will be for given data. These hypotheses are known
as leakage models and are usually hamming weight or hamming distance.
If this leakage model is correct, the power traces should reveal
information being processed according to it, although in reality this
is always combined with noise which distorts the data/power
relationship. In DPA attacks, secret data values being operated on
can be determined by estimating them and seeing if the representation
of them according to a leakage model correlates to a number of
different power traces. A DPA attack therefore requires a number of
traces – the number can vary between as few as 50 to thousands depending on the level of noise and accuracy of the
measurements.
[1] Mangard, Stefan, Elisabeth Oswald, and Thomas Popp. Power analysis attacks: Revealing the secrets of smart cards. Vol. 31. Springer Science & Business Media, 2008.
No comments:
Post a Comment