Di erential Power Analysis
Paul Ko cher, Joshua Ja e, and Benjamin Jun
Cryptography Research, Inc.
870 Market Street, Suite 1088
San Francisco, CA 94102, USA.
http://www.cryptography.com
E-mail: fpaul,josh,[email protected].
Abstract. Cryptosystem designers frequently assume that secrets will
b e manipulated in closed, reliable computing environments. Unfortu-
nately, actual computers and micro chips leak information ab out the op-
erations they pro cess. This pap er examines sp eci c metho ds for analyz-
ing p ower consumption measurements to nd secret keys from tamp er
resistant devices. We also discuss approaches for building cryptosystems
that can op erate securely in existing hardware that leaks information.
Keywords: di erential p ower analysis, DPA, SPA, cryptanalysis , DES
1 Background
Attacks that involvemultiple parts of a security system are dicult to predict
and mo del. If cipher designers, software develop ers, and hardware engineers do
not understand or review each other's work, security assumptions made at each
level of a system's design may b e incomplete or unrealistic. As a result, security
faults often involve unanticipated interactions b etween comp onents designed by
di erent p eople.
Many techniques have b een designed for testing cryptographic algorithms in
isolation. For example, di erential cryptanalysis[3] and linear cryptanalysis[8]
can exploit extremely small statistical characteristics in a cipher's inputs and
outputs. These metho ds have b een well studied b ecause they can b e applied by
analyzing only one part of a system's architecture | an algorithm's mathemat-
ical structure.
A correct implementation of a strong proto col is not necessarily secure. For
example, failures can b e caused by defective computations[5, 4] and information
leaked during secret key op erations. Attacks using timing information[7,11]as
well as data collected using invasive measuring techniques[2 , 1] have b een demon-
strated. The U.S. government has invested considerable resources in the classi-
ed TEMPEST program to prevent sensitive information from leaking through
electromagnetic emanations.
2 Intro duction to Power Analysis
Most mo dern cryptographic devices are implemented using semiconductor logic
gates, which are constructed out of transistors. Electrons ow across the sili-
Michael Wiener (Ed.): CRYPTO'99, LNCS 1666, pp. 388-397, 1999. Springer-Verlag Berlin Heidelberg 1999
Differential Power Analysis 389
con substrate when charge is applied to घor removed fromङ a transistor's gate,
consuming p ower and pro ducing electromagnetic radiation.
To measure a circuit's p ower consumption, a small घe.g., 50 ohmङ resistor
is inserted in series with the p ower or ground input. The voltage di erence
across the resistor divided by the resistance yields the current. Well-equipp ed
electronics labs have equipment that can digitally sample voltage di erences at
extraordinarily high rates घover 1GHzङ with excellent accuracy घless than 1क
errorङ. Devices capable of sampling at 20MHz or faster and transferring the
data to a PC can b e b ought for less than $400.[6]
Simple Power Analysis घSPAङ is a technique that involves directly interpret-
ing p ower consumption measurements collected during cryptographic op erations.
SPA can yield information ab out a device's op eration as well as key material.
Figure 1: SPA trace showing an entire DES op eration.
A trace refers to a set of p ower consumption measurements taken across a
cryptographic op eration. For example, a 1 millisecond op eration sampled at 5
MHz yields a trace containing 5000 p oints. Figure 1 shows an SPA trace from a
typical smart card as it p erforms a DES op eration. Note that the 16 DES rounds
are clearly visible.
Figure 2: SPA trace showing DES rounds 2 and 3.
Figure 2 is a more detailed view of the same trace showing the second and
390 P. Kocher, J. Jaffe, and B. Jun
third rounds of a DES encryption op eration. Many details of the DES op eration
are now visible. For example, the 28-bit DES key registers C and D are rotated
once in round 2 घleft arrowङ and twice in round 3 घright arrowsङ. In Figure
2, small variations b etween the rounds just can b e p erceived. Many of these
discernable features are SPAweaknesses caused by conditional jumps based on
key bits and computational intermediates.
Figure 3 shows even higher resolution views of the trace showing p ower con-
sumption through two regions, each of seven clo ck cycles at 3.5714 MHz. The
visible variations b etween clo ck cycles result primarily from di erences in the
power consumption of di erent micropro cessor instructions. The upp er trace in
Figure 3 shows the execution path through an SPA feature where a jump in-
struction is p erformed, and the lower trace shows a case where the jump is not
taken. The p ointofdivergence is at clo ck cycle 6 and is clearly visible.
Figure 3: SPA trace showing individual clo ck cycles.
Because SPA can reveal the sequence of instructions executed, it can b e used
to break cryptographic implementations in which the execution path dep ends
on the data b eing pro cessed. For example:
DES key schedule: The DES key schedule computation involves rotating 28-
bit key registers. A conditional branch is commonly used to check the bit
shifted o the end so that \1" bits can b e wrapp ed around. The resulting
power consumption traces for a \1" bit and a \0" bit will contain di erent
SPA features if the execution paths take di erent branches for each.
DES p ermutations: DES implementations p erform a variety of bit p ermuta-
tions. Conditional branching in software or micro co de can cause signi cant
Differential Power Analysis 391
power consumption di erences for \0" and \1" bits.
Comparisons: String or memory comparison op erations typically p erform a
conditional branch when a mismatch is found. This conditional branching
causes large SPA घand sometimes timingङ characteristics.
Multipliers: Mo dular multiplication circuits tend to leak a great deal of infor-
mation ab out the data they pro cess. The leakage functions dep end on the
multiplier design, but are often strongly correlated to op erand values and
Hamming weights.
Exp onentiators: A simple mo dular exp onentiation function scans across the
exp onent, p erforming a squaring op eration in every iteration with an addi-
tional multiplication op eration for each exp onent bit that is equal to \1".
The exp onent can b e compromised if squaring and multiplication op erations
have di erentpower consumption characteristics, take di erent amounts of
time, or are separated by di erent co de. Mo dular exp onentiation functions
that op erate on two or more exp onent bits at a time mayhave more complex
leakage functions.
3 Preventing SPA
Techniques for preventing simple p ower analysis are generally fairly simple to
implement. Avoiding pro cedures that use secret intermediates or keys for condi-
tional branching op erations will mask manySPAcharacteristics. In cases such
as algorithms that inherently assume branching, this can require creative co ding
and incur a serious p erformance p enalty.
Also, the micro co de in some micropro cessors cause large op erand-dep endent
power consumption features. For these systems, even constant execution path
co de can have serious SPA vulnerabilities.
Most घbut not allङ hard-wired hardware implementations of symmetric cryp-
tographic algorithms have suciently small p ower consumption variations that
SPA do es not yield key material.
4 Di erential Power Analysis of DES Implementations
In addition to large-scale p ower variations due to the instruction sequence, there
are e ects correlated to data values b eing manipulated. These variations tend to
b e smaller and are sometimes overshadowed by measurement errors and other
noise. In such cases, it is still often p ossible to break the system using statistical
functions tailored to the target algorithm.
Because of its widespread use, the Data Encryption Standard घDESङ will
b e examined in detail. In each of the 16 rounds, the DES encryption algorithm
p erforms eightSbox lo okup op erations. The8Sboxes each take as input six
key bits exclusive-ORed with six bits of the R register and pro duce four output
bits. The 32 S output bits are reordered and exclusive-ORed onto L. The halves
L and R are then exchanged. घFor a detailed description of the DES algorithm, see [9].ङ
392 P. Kocher, J. Jaffe, and B. Jun
The DPA selection function D घC ; b; K ङ is de ned as computing the value of
s
bit 0 ऊ b< 32 of the DES intermediate L at the b eginning of the 16th round for
ciphertext C , where the 6 key bits entering the S b ox corresp onding to bit b are
6
represented by0ऊ K < 2 . Note that if K is incorrect, evaluating D घC ; b; K ङ
s s s
1
will yield the correct value for bit b with probability P ए for each ciphertext.
2
To implement the DPA attack, an attacker rst observes m encryption op-
erations and captures p ower traces T [1::k ] containing k samples each. In
1::m
addition, the attacker records the ciphertexts C .Noknowledge of the plain-
1::m
text is required.
DPA analysis uses p ower consumption measurements to determine whether a
key blo ck guess K is correct. The attacker computes a k -sample di erential trace
s
ࣽ [1::k ]by nding the di erence b etween the average of the traces for which
D
D घC ; b; K ङ is one and the average of the traces for which D घC ; b; K ङ is zero.
s s
Thus ࣽ [j ] is the average over C of the e ect due to the value represented
D 1::m
by the selection function D on the p ower consumption measurements at p oint
j . In particular,
P P
m m
घ1 D घC ;b;K ङङ T [j ] D घC ;b;K ङT [j ]
i s i i s i
i=1 i=1
P P