Power analysis

Power analysis
A diagram of differential power analysis.
An attempt to decode RSA key bits using power analysis. The left peak represents the CPU power variations during the step of the algorithm without multiplication, the right (broader) peak - step with multiplication, allowing to read bits 0, 1.

In cryptography, power analysis is a form of side channel attack in which the attacker studies the power consumption of a cryptographic hardware device (such as a smart card, tamper-resistant "black box", or integrated circuit). The attack can non-invasively extract cryptographic keys and other secret information from the device.

Simple power analysis (SPA) involves visually interpreting power traces, or graphs of electrical activity over time. Differential power analysis (DPA) is a more advanced form of power analysis which can allow an attacker to compute the intermediate values within cryptographic computations by statistically analyzing data collected from multiple cryptographic operations. SPA and DPA were introduced in the open cryptologic community in 1998 by Cryptography Research's Paul Kocher, Joshua Jaffe and Benjamin Jun.[1]

Contents

Simple power analysis

Simple power analysis (SPA) is a side-channel attack which involves visual examination of graphs of the current used by a device over time. Variations in power consumption occur as the device performs different operations. For example, different instructions performed by a microprocessor will have differing power consumption profiles. As a result, in a power trace from a smart card performing a DES encryption, the sixteen rounds can be seen clearly. Similarly, squaring and multiplication operations in RSA implementations can often be distinguished, enabling an adversary to compute the secret key. Even if the magnitude of the variations in power consumption are small, standard digital oscilloscopes can easily show the data-induced variations. Frequency filters and averaging functions (such as those built into oscilloscopes) are often used to filter out high-frequency components.

Differential power analysis

Differential power analysis (DPA) is a side-channel attack which involves statistically analyzing power consumption measurements from a cryptosystem. The attack exploits biases varying power consumption of microprocessors or other hardware while performing operations using secret keys. DPA attacks have signal processing and error correction properties which can extract secrets from measurements which contain too much noise to be analyzed using simple power analysis. Using DPA, an adversary can obtain secret keys by analyzing power consumption measurements from multiple cryptographic operations performed by a vulnerable smart card or other device.

High-order differential power analysis

High-Order Differential Power Analysis (HO-DPA) is an advanced form of DPA attack. HO-DPA enables multiple data sources and different time offsets to be incorporated in the analysis. HO-DPA is less widely practiced than SPA and DPA, as the analysis is complex and most vulnerable devices can be broken more easily with SPA or DPA.[2]

Power analysis and algorithmic security

Power analysis provides a way to "see inside" otherwise 'tamperproof' hardware. For example, DES's key schedule involves rotating 28-bit key registers. Many implementations check the least significant bit to see if it is a 1. If so, the device shifts the register right and prepends the 1 at the left end. If the bit is a zero, the register is shifted right without prepending a 1. Power analysis can distinguish between these processes, enabling an adversary to determine the bits of the secret key.

Implementations of algorithms such as AES and triple DES that are believed to be mathematically strong may be trivially breakable using power analysis attacks. As a result, power analysis attacks combine elements of algorithmic cryptanalysis and implementation security.

Standards and practical security concerns

For applications where devices may fall into the physical possession of an adversary, protection against power analysis is generally a major design requirement. For example, FIPS 140-3 requires power analysis countermeasures for cryptographic devices bought to the U.S. government. Power analysis have also been reportedly used against conditional access modules used in pay television systems.[3]

The equipment necessary for performing power analysis attacks is widely available. For example, most digital storage oscilloscopes provide the necessary data collection functionality, and the data analysis is typically performed using conventional PCs. Commercial products designed for testing labs are also available.[4]

Preventing simple and differential power analysis attacks

Power analysis attacks cannot generally be detected by a device, since the adversary's monitoring is normally passive. In addition, the attack is non-invasive. As a result, physical enclosures, auditing capabilities, and attack detectors are ineffective. Instead, cryptosystem engineers must ensure that devices' power variations do not reveal information usable by adversaries.

Simple power analysis can easily distinguish the outcome of conditional branches in the execution of cryptographic software, since a device does different things (consuming different power) depending on whether the conditional branch is taken. For this reason, care should be taken to ensure there are no secret values which affect the conditional branches within cryptographic software implementations. Other sources of variation, such as microcode differences, branches introduced by compilers, and power consumption variations in multipliers, also commonly lead to SPA vulnerabilities.

Differential power analysis is more difficult to prevent, since even small biases in the power consumption can lead to exploitable weaknesses. Some countermeasure strategies involve algorithmic modifications such that the cryptographic operations occur on data that is related to the actual value by some mathematical relationship that survives the cryptographic operation. One approach involves blinding parameters to randomize their value. Other countermeasure strategies to reduce the effectiveness of DPA attacks involve hardware modifications: varying the chip internal clock frequency has been considered to desynchronize electric signals, which lead in return to algorithmic enhancements of traditional DPA. [5], [6]


Patents

U.S. and international patents[7] covering countermeasures to power analysis attacks are licensed by Cryptography Research.

References

  1. ^ P. Kocher, J. Jaffe, B. Jun, "Differential Power Analysis," technical report, 1998; later published in Advances in Cryptology - Crypto 99 Proceedings, Lecture Notes In Computer Science Vol. 1666, M. Wiener, ed., Springer-Verlag, 1999.
  2. ^ Paul Kocher, Joshua Jaffe, Benjamin Jun, "Introduction to Differential Power Analysis and Related Attacks (1998)"
  3. ^ [1] http://www.hackhu.com
  4. ^ [2] http://www.cryptography.com/technology/dpa/workstation.html
  5. ^ Xavier Charvet, Herve Pelletier, "Improving the DPA attack using wavelet transform (2005)"
  6. ^ Jasper van Woudenberg, Mark Witteman, Bram Bakker "Improving differential power analysis by elastic alignment (2011)"
  7. ^ [3] http://www.cryptography.com/technology/dpa/licensing.html

Wikimedia Foundation. 2010.

Игры ⚽ Поможем сделать НИР

Look at other dictionaries:

  • power analysis — a statistical procedure used to determine the number of subjects in a study required to show a significant difference at a predetermined level of significance and size of effect; it is also used to determine the power of a test from the sample… …   Medical dictionary

  • Differential power analysis — Analyse de consommation (cryptographie) En cryptanalyse de matériel cryptographique, l analyse de consommation consiste à étudier les courants et tensions entrants et sortants d un circuit dans le but de découvrir des informations secrètes comme… …   Wikipédia en Français

  • Power optimization (EDA) — Power optimization refers to the use of electronic design automation tools to optimize (reduce) the power consumption of a digital design, while preserving the functionality.Introduction and historyThe increasing speed and complexity of today’s… …   Wikipedia

  • Power — (englisch für Kraft, Macht, Energie) oder Teststärke beschreibt in der Statistik die Aussagekraft eines statistischen Tests. Die Teststärke gibt an, mit welcher Wahrscheinlichkeit ein Signifikanztest zugunsten einer spezifischen… …   Deutsch Wikipedia

  • Analysis of variance — In statistics, analysis of variance (ANOVA) is a collection of statistical models, and their associated procedures, in which the observed variance in a particular variable is partitioned into components attributable to different sources of… …   Wikipedia

  • Power system simulation — models are a class of computer simulation programs that focus on the operation of electrical power systems. These computer programs are used in a wide range of planning and operational situations including: #Long term generation and transmission… …   Wikipedia

  • Power systems CAD — refers to computer aided design (CAD) software tools that are used to design and simulate complex electrical power systems. Such power systems are typically found in mission critical facilities such as computer data centers, network operations… …   Wikipedia

  • Power chord — Component intervals from root perfect fifth root …   Wikipedia

  • Analysis of covariance — (ANCOVA) is a general linear model with one continuous outcome variable and one or more factors. ANCOVA is a merger of ANOVA and regression for continuous variables. ANCOVA tests whether certain factors have an effect on the outcome variable… …   Wikipedia

  • Power system protection — is a branch of electrical power engineering that deals with the protection of electrical power systems from faults through the isolation of faulted parts from the rest of the electrical network. The objective of a protection scheme is to keep the …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”