# "Investigations of Power Analysis Attacks on Smartcards"\*

- Thomas S. Messerges, Motorola Labs, Motorola, tomas@ccrl.mot.com
- Ezzy A. Dabbish, Motorola Labs, Motorola, dabbish@ccrl.mot.com
- Robert H. Sloan<sup>1</sup>, Dept. of EE and Computer Science, University of Illinois at Chicago, sloan@eecs.uic.edu

\* Proceedings of USENIX Workshop on Smartcard Technology, May 1999, to appear.

1. Partially supported by NSF Grant CCR-9800070.



# **Summary of Presentation**

- Motivation for this research
  - Review underlying issues
- Review power analysis attacks:
  - Simple Power Analysis (SPA)
  - Differential Power Analysis (DPA)
  - Show results
- Noise analysis results
  - Statistical model
- Introduce multiple-bit DPA and results
- Discuss design goals for countermeasures
- Future work and concluding remarks
- Presentation slides available at:

http://www.eecs.uic.edu/~tmesserg/papers.html





# **Related Attacks**

- Timing Measurements
- Fault Insertion
- EM Emissions
- Other "side-channel" attacks (Kelsey, et al., ESORICS '98)

# **Motivations for Our Research**

- Understand principles of how power analysis works
- Evaluate existing power analysis attacks
- Examine effectiveness of new, more powerful attacks
- Develop a statistical model to describe power analysis attacks
- Quantify the extent of a threat that actual power analysis attacks may pose
- Evaluate countermeasures to attacks





# **Previous Power Analysis Work**

### **P. Kocher, J. Jaffe, and B. Jun**:

"Introduction to Differential Power Analysis and Related Attacks," http://www.cryptography.com/dpa/technical, 1998.

### J. Kelsey, B. Schneier, D. Wagner, and C. Hall:

"Side Channel Cryptanalysis of Product Ciphers," in Proceedings of *ESORICS* '98, Springer-Verlag, September 1998, pp. 97-110.

















# Simple Power Analysis – Summary

1. Run a single encryption
2. Acquire power consumption data
3. Convert power data to Hamming weight data
4. Solve for the C and D bits (i.e., the key bits)

# Conclusions

- Adversary needs knowledge of the implementation to mount the attack
- Easy to protect against (reduce power emissions, prevent attacker from learning implementation ...)

# Differential Power Analysis (DPA) (Kocher, et al.)

- Knowledge of implementation is not required
- Statistical approach "amplifies" power information





## **Review DPA Attack on DES**

1. Guess 6 bits of $K_{16}$
2. Initialize: $A_1 = A_0 = 0$
3. Get a CTO and power trace
4. Reverse-calculate the *D* bit
5. If (D = 1) then add power trace to $A_1$, else add power trace to $A_0$
6. If not enough averages, goto 3.
7. DPA Bias Signal: $T = A_1 - A_0$

### **Defining the D Function**



$$CTO_{L} = D \oplus SBOX(K_{16} \oplus R_{16})$$

Solve for $D$:

$$D = CTO_{L} \oplus SBOX(K_{16} \oplus CTO_{R})$$

- Smartcard must calculate D at some time, say at time $j^*$
- The expected power consumption when D=1 is greater than when D=0:

$$E[S(j^*) | D = 1] > E[S(j^*) | D = 0]$$

- $A_0$ and $A_1$ are estimates of the expected power consumption:

$$A_0 \approx E[S(n) | D = 0] \text{ and } A_1 \approx E[S(n) | D = 1]$$






# **DPA Signal Noise**

noise(n) = E[S(n)] - S(n)

Motorola Labs

[Figure: plots of noise(n), a close-up, and the power spectrum. Labels: 182 kHz peaks; 4 MHz clock edges; 4 MHz, 8 MHz, 12 MHz.]

- 182 KHz "beat" frequency
- Noise at clock edges
- Quantization noise
- External noise
- Internal noise
- Algorithm noise

$$x(j) = \sum_{i} c_{i} F(j - j_{i})$$

# **Filtering the Noise**

- Averaging reduces the noise
- Use "Matched Filter" to reduce the noise

[Figure: Original DPA Signal (SNR = 17.3), Matched Filter, Filtered DPA Signal (SNR = 23.2)]

- Improvement is small
- Use knowledge of noise properties to get cleaner DPA signal (i.e. noise is maximum at clock edges)

#### Averaging is the Best Way to Reduce Noise

Noise:

$$E\left[T[j] \mid j \neq j^{*}\right] = 0$$

$$var\left[T[j] \mid j \neq j^{*}\right] = \frac{4\sigma^{2} + \alpha m\varepsilon^{2}}{N}$$

Signal:

$$E\left[T[j^{*}]\right] = \varepsilon$$

$$var\left[T[j^{*}]\right] = \frac{4\sigma^{2} + (m-1)\varepsilon^{2}}{N}$$

**Theoretical Voltage SNR** = $\frac{\sqrt{N}\,\varepsilon}{\sqrt{8\sigma^2 + \varepsilon^2(\alpha m + m - 1)}}$


#### **Noise Model vs. Experimental Results**



 $\sigma = 7.5 \text{ mV} \qquad \varepsilon = 6.5 \text{ mV} \qquad m = 8$ 

 $N = 1000 \qquad \alpha = 0$ 

#### **Theoretical Voltage SNR = 7.5**



### **How Many Samples Are Needed?**

1. Solve the theoretical voltage SNR expression for *N*:

$$N = \frac{SNR^2 \left(8\sigma^2 + \varepsilon^2(\alpha m + m - 1)\right)}{\varepsilon^2}$$

2. Determine parameters for a specific smartcard:

 $\sigma = 7.5 \text{ mV} \qquad \varepsilon = 6.5 \text{ mV} \qquad m = 8 \qquad \alpha = 0$ 

3. Assign SNR:

4. Calculate *N*:

Theoretical Minimal Number of Samples: N = 40
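The averaging model and the sample-count steps above can be checked numerically. This is an added example, not part of the original slides: it runs the binning of the DPA steps on simulated samples under an assumed leakage model (each set bit adds $\varepsilon$, Gaussian noise of standard deviation $\sigma$, equal-sized bins); the function names and the value $\alpha = 0.5$ are illustrative choices.

```python
import math
import random
import statistics

def dpa_bias(n, other_bits, d_leaks, eps, sigma, rng):
    """Slide steps 2-7 on simulated samples: bin by D, average, subtract.

    Assumed leakage model (not measured data): each set bit adds eps volts,
    plus Gaussian noise of std sigma. D alternates so each bin holds n/2.
    """
    sums = [0.0, 0.0]
    for i in range(n):
        d = i & 1
        others = rng.getrandbits(other_bits) if other_bits else 0
        hw = bin(others).count("1") + (d if d_leaks else 0)
        sums[d] += eps * hw + rng.gauss(0.0, sigma)
    return (sums[1] - sums[0]) / (n / 2)  # T = A1 - A0

def model(n, m, alpha, eps, sigma):
    """The slide formulas: var[T] off j*, var[T] at j*, and voltage SNR."""
    var_noise = (4 * sigma**2 + alpha * m * eps**2) / n
    var_signal = (4 * sigma**2 + (m - 1) * eps**2) / n
    snr = math.sqrt(n) * eps / math.sqrt(
        8 * sigma**2 + eps**2 * (alpha * m + m - 1))
    return var_noise, var_signal, snr

def samples_needed(snr, m, alpha, eps, sigma):
    """The SNR expression solved for N, rounded up to a whole trace."""
    return math.ceil(
        snr**2 * (8 * sigma**2 + eps**2 * (alpha * m + m - 1)) / eps**2)

def monte_carlo(trials, n, m, alpha, eps, sigma, seed=1):
    """Repeat the experiment; return (mean, variance) of T at j* and off j*."""
    rng = random.Random(seed)
    sig = [dpa_bias(n, m - 1, True, eps, sigma, rng) for _ in range(trials)]
    noi = [dpa_bias(n, round(alpha * m), False, eps, sigma, rng)
           for _ in range(trials)]
    return ((statistics.mean(sig), statistics.variance(sig)),
            (statistics.mean(noi), statistics.variance(noi)))

if __name__ == "__main__":
    # sigma, eps (mV), m and N are the slide values; alpha=0.5 is constructed.
    print(model(1000, 8, 0, 6.5, 7.5)[2])
    print(samples_needed(7.5, 8, 0, 6.5, 7.5))
    print(monte_carlo(400, 200, 8, 0.5, 6.5, 7.5))
```

Raising `sigma` or lowering `eps` in `samples_needed` shows how much a countermeasure that adds noise or reduces the per-bit bias increases the number of traces required.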

## **Maximizing the DPA Signal**



## **4-Bit DPA Description**



$$\mathbf{D} = SBOX(K_{16} \oplus R_{16})$$

$R_{16}$ is part of $CTO_R$, so:

$$\mathbf{D} = SBOX(K_{16} \oplus CTO_R)$$

# **4-Bit DPA Attack**

1. Guess 6 bits of $K_{16}$
2. Initialize: $A_1 = A_0 = 0$
3. Get a CTO and power trace
4. Reverse-calculate the *D*
5. If (D = 1111) then add power trace to $A_1$, else if (D = 0000) then add power trace to $A_0$, else do nothing
6. If not enough averages, goto 3.
7. DPA Bias Signal: $T = A_1 - A_0$






# **Our DPA Attack Results**

| Attack Type:  | 1-bit DPA | 4-bit DPA | 8-bit DPA | Address DPA |
|---------------|-----------|-----------|-----------|-------------|
| Signal Level: | 9.3 mV    | 38.5 mV   | 79.5 mV   | 74.4 mV     |

- Voltage SNR is 8 times larger
- Attacker needs fewer power signals to break the system

### **Diminishing Returns for Multiple-Bit DPA**

Attacker needs more power signals:





# **Future Work**

- Examine other symmetric key algorithms
- Examine public-key algorithms
- Design modified algorithms
- Develop more advanced modeling methods
- Design countermeasures

# Summary of Results

- Source of power biases is examined
- Demonstrated successful power analysis attacks
- Proved multiple-bit DPA leads to a new and more powerful attack
- Modeled the noise characteristics

Designers need to consider the power analysis attacks outlined in this paper when designing secure smartcard systems