Di erential Power Analysis Paul Ko cher, Joshua Ja e, and Benjamin Jun Cryptography Research, Inc. 607 Market Street, 5th Flo or San Francisco, CA 94105, USA. http://www.cryptography.com E-mail: fpaul,josh,beng@cryptography .com . Abstract. Cryptosystem designers frequently assume that secrets will be manipulated in closed, reliable computing environments. Unfortu- nately, actual computers and micro chips leak information ab out the op- erations they pro cess. This pap er examines sp eci c metho ds for analyz- ing p ower consumption measurements to nd secret keys from tamp er resistant devices. We also discuss approaches for building cryptosystems that can op erate securely in existing hardware that leaks information. Keywords: di erential p ower analysis, DPA, SPA, cryptanalysis, DES 1 Background Attacks that involvemultiple parts of a security system are dicult to predict and mo del. If cipher designers, software develop ers, and hardware engineers do not understand or review each other's work, security assumptions made at each level of a system's design may b e incomplete or unrealistic. As a result, security faults often involveunanticipated interactions b etween comp onents designed by di erent p eople. Manytechniques have b een designed for testing cryptographic algorithms in isolation. For example, di erential cryptanalysis[3] and linear cryptanalysis[8] can exploit extremely small statistical characteristics in a cipher's inputs and outputs. These metho ds have b een well studied b ecause they can b e applied by analyzing only one part of a system's architecture | an algorithm's mathemat- ical structure. A correct implementation of a strong proto col is not necessarily secure. For example, failures can b e caused by defective computations[5,4] and information leaked during secret key op erations. Attacks using timing information[7,11]as well as data collected using invasive measuring techniques[2,1]have b een demon- strated. The U.S. government has invested considerable resources in the classi- ed TEMPEST program to prevent sensitive information from leaking through electromagnetic emanations. 2 Intro duction to Power Analysis Most mo dern cryptographic devices are implemented using semiconductor logic gates, which are constructed out of transistors. Electrons ow across the sili- con substrate when charge is applied to (or removed from) a transistor's gate, consuming p ower and pro ducing electromagnetic radiation. To measure a circuit's power consumption, a small (e.g., 50 ohm) resistor is inserted in series with the power or ground input. The voltage di erence across the resistor divided by the resistance yields the current. Well-equipp ed electronics labs have equipment that can digitally sample voltage di erences at extraordinarily high rates (over 1GHz) with excellent accuracy (less than 1% error). Devices capable of sampling at 20MHz or faster and transferring the data to a PC can b e b ought for less than $400.[6] Simple Power Analysis (SPA) is a technique that involves directly interpret- ing p ower consumption measurements collected during cryptographic op erations. SPA can yield information ab out a device's op eration as well as key material. Figure 1: SPA trace showing an entire DES op eration. A trace refers to a set of power consumption measurements taken across a cryptographic op eration. For example, a1 millisecond op eration sampled at 5 MHz yields a trace containing 5000 p oints. Figure 1 shows an SPA trace from a typical smart card as it p erforms a DES op eration. Note that the 16 DES rounds are clearly visible. Figure 2: SPA trace showing DES rounds 2 and 3. Figure 2 is a more detailed view of the same trace showing the second and 2 third rounds of a DES encryption op eration. Many details of the DES op eration are now visible. For example, the 28-bit DES key registers C and D are rotated once in round 2 (left arrow) and twice in round 3 (right arrows). In Figure 2, small variations between the rounds just can be perceived. Many of these discernable features are SPAweaknesses caused by conditional jumps based on key bits and computational intermediates. Figure 3 shows even higher resolution views of the trace showing p ower con- sumption through two regions, each of seven clo ck cycles at 3.5714 MHz. The visible variations between clo ck cycles result primarily from di erences in the power consumption of di erent micropro cessor instructions. The upp er trace in Figure 3 shows the execution path through an SPA feature where a jump in- struction is p erformed, and the lower trace shows a case where the jump is not taken. The p oint of divergence is at clo ck cycle 6 and is clearly visible. Figure 3: SPA trace showing individual clo ckcycles. Because SPA can reveal the sequence of instructions executed, it can b e used to break cryptographic implementations in which the execution path dep ends on the data b eing pro cessed. For example: DES key schedule: The DES key schedule computation involves rotating 28- bit key registers. A conditional branch is commonly used to check the bit shifted o the end so that \1" bits can be wrapp ed around. The resulting power consumption traces for a \1" bit and a \0" bit will contain di erent SPA features if the execution paths takedi erentbranches for each. DES p ermutations: DES implementations p erform a variety of bit p ermuta- tions. Conditional branching in software or micro co de can cause signi cant 3 power consumption di erences for \0" and \1" bits. Comparisons: String or memory comparison op erations typically p erform a conditional branch when a mismatch is found. This conditional branching causes large SPA (and sometimes timing) characteristics. Multipliers: Mo dular multiplication circuits tend to leak a great deal of infor- mation ab out the data they pro cess. The leakage functions dep end on the multiplier design, but are often strongly correlated to op erand values and Hamming weights. Exp onentiators: A simple mo dular exp onentiation function scans across the exp onent, p erforming a squaring op eration in every iteration with an addi- tional multiplication op eration for each exp onent bit that is equal to \1". The exp onent can b e compromised if squaring and multiplication op erations have di erentpower consumption characteristics, take di erent amounts of time, or are separated by di erent co de. Mo dular exp onentiation functions that op erate on two or more exp onent bits at a time mayhave more complex leakage functions. 3 Preventing SPA Techniques for preventing simple power analysis are generally fairly simple to implement. Avoiding pro cedures that use secret intermediates or keys for condi- tional branching op erations will mask manySPAcharacteristics. In cases such as algorithms that inherently assume branching, this can require creative co ding and incur a serious p erformance p enalty. Also, the micro co de in some micropro cessors cause large op erand-dep endent power consumption features. For these systems, even constant execution path co de can have serious SPA vulnerabilities. Most (but not all) hard-wired hardware implementations of symmetric cryp- tographic algorithms have suciently small p ower consumption variations that SPA do es not yield key material. 4 Di erential Power Analysis of DES Implementations In addition to large-scale p ower variations due to the instruction sequence, there are e ects correlated to data values b eing manipulated. These variations tend to be smaller and are sometimes overshadowed by measurement errors and other noise. In such cases, it is still often p ossible to break the system using statistical functions tailored to the target algorithm. Because of its widespread use, the Data Encryption Standard (DES) will b e examined in detail. In each of the 16 rounds, the DES encryption algorithm p erforms eight S box lo okup op erations. The 8S boxes each takeasinput six key bits exclusive-ORed with six bits of the R register and pro duce four output bits. The 32 S output bits are reordered and exclusive-ORed onto L. The halves L and R are then exchanged. (For a detailed description of the DES algorithm, see [9].) 4 The DPA selection function D (C; b; K ) is de ned as computing the value of s bit 0 b<32 of the DES intermediate L at the b eginning of the 16th round for ciphertext C , where the 6 key bits entering the S b ox corresp onding to bit b are 6 represented by0 K < 2 . Note that if K is incorrect, evaluating D (C ; b; K ) s s s 1 for each ciphertext. will yield the correct value for bit b with probability P 2 To implementtheDPA attack, an attacker rst observes m encryption op- erations and captures power traces T [1::k ] containing k samples each. In 1::m addition, the attacker records the ciphertexts C .Noknowledge of the plain- 1::m text is required. DPA analysis uses p ower consumption measurements to determine whether a key blo ckguessK is correct. The attacker computes a k -sample di erential trace s [1::k ]by nding the di erence between the average of the traces for which D D (C ; b; K ) is one and the average of the traces for which D (C ; b; K ) is zero. s s Thus [j ]istheaverage over C of the e ect due to the value represented D 1::m by the selection function D on the p ower consumption measurements at p oint j . In particular, P P m m D (C ;b;K )T [j ] (1 D (C ;b;K )) T [j ] i s i i s i i=1 i=1 P P [j ]= D m m D (C ;b;K ) (1 D (C ;b;K )) i s i s i=1 i=1 P P m m D (C ;b;K )T [j ] T [j ] i s i i i=1 i=1 P 2 : m m D (C ;b;K ) i s i=1 If K is incorrect, the bit computed using D will di er from the actual target s bit for ab out half of the ciphertexts C .