Power analysis

From Wikipedia, the free encyclopedia

In cryptography, power analysis is a form of side channel attack in which the attacker studies the power consumption of a cryptographic hardware device (such as a smart card, tamperproof "black box", microchip, etc.). It can yield information about what the device is doing, and sometimes even some key material. It was introduced to the open cryptologic community in 1998 by Paul Kocher, Joshua Jaffe and Benjamin Jun,[1] though it was known to the intelligence community well before that.[2]

Differential power analysis is an extension of power analysis that can allow an attacker to compute the intermediate values of data blocks and key blocks.

Basics

Examining graphs of time against current used by a device can often show exactly what the device is doing at a given point. For example, on a graph of a smart card performing a DES encryption, the sixteen rounds can be seen clearly.

The currents passing through a device are usually small, but electronics laboratories usually possess equipment precise and accurate enough to measure them reliably and frequently. It is reasonable for a cryptosystem designer to assume that an adversary will have access to such equipment.

Power analysis does not seek to find weaknesses in algorithms or protocols so much as in their implementations. It provides a way to "see inside" otherwise "tamperproof" hardware. For example, DES's key schedule involves rotating 28-bit key registers. To save time, most implementations simply check whether the least significant bit is a 1; if so, they divide the register by two and prepend the 1 at the left end. Power analysis can show the difference between a register ending in a 1 and a register ending in a 0 when this happens, which can leak information about key material. DES's permutations, usually clumsily implemented in software, reveal even more information through conditional branches.

Preventing power analysis attacks

Power analysis can most easily distinguish conditional branches in the execution of the cryptographic program, since a device does different things (requiring different power) depending on which branch is executed. For this reason, care should be taken to ensure that the conditional branches within cryptographic software implementations show no differences from a power perspective. All rotations, permutations and logical operations (such as XOR) should take the same time and draw equivalent power, no matter what the input.
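To make the DES key-schedule rotation above concrete, here is an added example (not from the article or from any DES implementation) that puts the branching 28-bit rotation beside a branch-free version computing the same result with a fixed sequence of shifts, masks and ORs. The function names and the sample inputs are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MASK28 0x0FFFFFFFu  /* a DES key half is 28 bits wide */

/* Rotation as the article describes it: test the low bit, halve the
 * register, and re-insert the bit at the top. The taken/not-taken
 * branch depends on key data, and its timing and power differ. */
uint32_t rotate28_branching(uint32_t reg)
{
    reg &= MASK28;
    if (reg & 1u) {                  /* key-dependent branch */
        return (reg >> 1) | (1u << 27);
    }
    return reg >> 1;
}

/* Branch-free equivalent: the low bit is extracted arithmetically and
 * moved to bit 27, so the same instructions execute for every input. */
uint32_t rotate28_constant_time(uint32_t reg)
{
    reg &= MASK28;
    uint32_t low = reg & 1u;         /* 0 or 1, never branched on */
    return ((reg >> 1) | (low << 27)) & MASK28;
}

/* Sanity check over a constructed set of register values (simple LCG),
 * returning 1 if both variants agree on all of them. */
int rotations_agree(void)
{
    uint32_t x = 0x12345678u;
    for (int i = 0; i < 10000; i++) {
        x = x * 1664525u + 1013904223u;
        if (rotate28_branching(x) != rotate28_constant_time(x))
            return 0;
    }
    return 1;
}

int main(void)
{
    printf("0x0000001 -> 0x%08X\n", rotate28_constant_time(0x1u));
    printf("0xFFFFFFF -> 0x%08X\n", rotate28_constant_time(MASK28));
    printf("variants agree: %d\n", rotations_agree());
    return 0;
}
```

Removing the branch at source level is necessary but not sufficient: an optimising compiler may reintroduce a branch or turn the branching version into a conditional move, so the generated machine code is what must be inspected.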

There are, however, some algorithms with inherently significant branching. To eliminate information leakage from these, software engineers may have to be very creative. This creative engineering may cause a performance reduction (in speed typically), and will almost always require greater development effort, which must be weighed against the possibility of power analysis.

An alternative, in some cases, is to use a hard-wired hardware cryptographic device. Their power consumption can vary very little, due to their construction. However, in the case of smart cards, for example, it is not always possible to replace software implementations with hardware implementations.

Another alternative involves algorithmic modifications such that the cryptographic operations occur on data that is related to the actual value by some mathematical relationship that survives the cryptographic operation. This is called blinding, and usually implies an algorithm that is based on number theory, such as factoring or discrete logarithms.

Differential power analysis

Differential power analysis (DPA) is a method of attacking a cryptosystem which exploits the varying power consumption of microprocessors while executing cryptographic program code. It is a side-channel attack. Using statistical analysis of the power consumption measurements of many runs of a given cryptographic algorithm, it may be possible to infer information on a secret key stored on a smart card.

References

  1. P. Kocher, J. Jaffe, B. Jun, "Differential Power Analysis," technical report, 1998; later published in Advances in Cryptology - Crypto 99 Proceedings, Lecture Notes in Computer Science Vol. 1666, M. Wiener, ed., Springer-Verlag, 1999.
  2. NSA R21 Informal Technical Report R21-TECH-30-95, "Capstone (MYK-80) Specifications", 14 August 1995; see heading "Random Power Fluctuations".