Side Channel Attacks: SPA

Questions and Answers

In the context of side-channel analysis, what fundamentally constitutes 'leakage' from an electronic device?

• The direct observation of memory addresses and register values during active cryptographic operations.
• The measured variations in the execution time of cryptographic algorithms due to processor load.
• Any observable correlation between the state of data manipulated within the device and a physical characteristic of the device's operation, which can be exploited by an adversary. (correct)
• The unintentional emission of electromagnetic radiation that directly reveals the encryption key.

Which of the following is the MOST accurate definition of a Simple Power Analysis (SPA) attack?

• A side-channel attack that makes direct interpretations about the operations being performed by a device based on visual inspection of one, or very few, power consumption measurements. (correct)
• A side-channel attack that involves statistically analysing a large number of power traces to identify correlations between power consumption and data processed within a cryptographic device.
• An attack which utilises advanced signal processing techniques to isolate, amplify, and analyse faint electromagnetic emanations to determine the cryptographic key.
• An attack that uses complex mathematical models, like the Hamming weight model, to predict power consumption based on known encryption keys.

During a Simple Power Analysis (SPA) attack on an RSA implementation, an attacker observes a repeating pattern of 'square-and-multiply' operations. Which of the following can the attacker MOST likely determine?

• The exact sequence of modular exponentiations performed during the RSA operation; information to deduce the private exponent bits. (correct)
• The memory addresses accessed during the RSA operation, revealing the location of the stored private key.
• The precise prime factors, $p$ and $q$, used to generate the RSA modulus $N$, enabling immediate key recovery.
• The precise power consumption of individual transistors within the crypto module.

In the context of RSA exponentiation, which implementation detail presents a potential side-channel vulnerability that an attacker could exploit?

The conditional execution of the modular multiplication operation, which depends on the value of the exponent bits. (A)

What is the primary objective of a Differential Power Analysis (DPA) attack?

To analyze small variations in power consumption across multiple cryptographic operations to extract information about the secret key. (B)

In the context of Differential Power Analysis (DPA), what is meant by a 'leakage model'?

A mathematical function predicting a device's power consumption based on a specific intermediate value and known key. (A)

In a Correlation Power Analysis (CPA) attack, an attacker correlates predicted power consumption values, derived from a leakage model, with actual power traces acquired from a cryptographic device. Which statistical metric is MOST commonly used to measure this correlation?

The Pearson correlation coefficient, which quantifies to the extent to which two datasets are related. (C)

During a Differential Power Analysis (DPA) attack against an AES implementation, an attacker aims to target the output of the SubBytes transformation in the first round. What property should be considered when selecting this intermediate value?

It should be a function of both the input plaintext and a portion of the secret key. (A)

Considering a DPA attack scenario, which of the following serves as the MOST compelling rationale for targeting an intermediate value immediately prior to a non-linear transformation (such as an S-box)?

The intermediate value is maximally correlated to both plaintext and key data and its diffusion properties are not yet fully developed, thus simplifying correlation analyses. (D)

When executing a Differential Power Analysis (DPA) attack, what impact does increasing the number of power traces have on the success of the attack?

It enhances the statistical significance of correlations, leading to increased accuracy in key recovery. (C)

In the context of side-channel analysis, what is the difference between masking and hiding countermeasures?

Masking conceals intermediate values, while hiding focuses on making the power, electromagnetic, or timing characteristics independent of those intermediate values and operations. (A)

Consider a cryptographic implementation protected against side-channel attacks using Boolean masking. If $x$ represents the sensitive intermediate variable and $r_1, r_2, r_3$ are random masks, which of the following expressions correctly implements a second-order Boolean masking scheme?

$x \oplus r_1 \oplus r_2 \oplus r_3$ (C)

Which countermeasure technique is MOST effective at the transistor level to mitigate side-channel leakage?

Employing special logic styles like Wave Dynamic Differential Logic (WDDL) to balance power consumption, independent of the processed data. (D)

How does algorithmic randomization, as a countermeasure against side-channel attacks, operate?

By randomly altering the sequence of operations used to perform cryptographic computations. (B)

Which of the following countermeasures is MOST likely to protect against side-channel attacks at the protocol level?

Limiting the number of uses for each session key. (D)

In a masked implementation, a sensitive variable $x$ is masked with a random value $r$, resulting in $x \oplus r$. If an attacker performs a first-order DPA attack, to what extent will this masking likely prevent the attacker from extracting information?

It eliminates the first-order vulnerability, forcing the attacker to employ higher-order DPA techniques like second-order DPA. (A)

What distinguishes a collision attack from a standard statistical Differential Power Analysis (DPA) attack?

Collision attacks exploit the statistical overlap of power traces resulting from equivalent intermediate values across separate encryptions. (C)

Which of the following is a characteristic feature of horizontal attacks compared to vertical Simple Power Analysis (SPA) and Differential Power Analysis (DPA) techniques?

Horizontal attacks combine information from multiple side-channel measurements of the same operation to refine key hypotheses; SPA and DPA use traces from different operations. (C)

Under what condition might a hardware implementation utilize 'dummy operations' as a countermeasure against side-channel analysis?

To create uniform power consumption profiles by performing computations independent of data processing. (C)

If an engineer aims to safeguard an AES implementation against Differential Power Analysis (DPA) employing a correlation-based distinguisher, which choice will be MOST efficacious in reducing sensitivity to power analysis?

Choosing the target to have increased stochastic behaviour, ensuring an unpredictable power model. (C)

Flashcards

What is Leakage?

An observable relationship between a device's value manipulation and a side channel controlled by an adversary.

Simple Power Analysis (SPA)

Attacks based on analyzing one or a few power consumption measurements to discover data-dependent operations.

SPA on Symmetric Algorithms

The number of rounds reveals the key length of the symmetric algorithm.

SPA on Asymmetric Algorithms

Information about the key or implementation details of asymmetric algorithms may be leaked.

Collision Attacks

An advanced SPA technique that exploits collisions in cryptographic operations to reveal key information.

Differential Power Analysis (DPA)

Attacks exploiting the data dependency of power consumption by analyzing numerous traces at fixed moments to recover cryptographic keys.

Target Intermediate Value

A chosen point within a cryptographic algorithm's execution, often related to key material or sensitive data.

Leakage Model

A predictive model linking intermediate values to power consumption, essential for DPA attacks.

Side-Channel Distinguisher

A function that analyzes predicted and actual power consumption to distinguish correct key guesses from incorrect ones.

Side-Channel Countermeasures

Techniques to disrupt side channel attacks by obscuring the relationship between data and power consumption.

Masking

A technique to conceal intermediate values by combining them with random values, making power consumption independent of the actual data.

Hiding

Techniques to eliminate the relationship between power consumption and computation by making power usage uniform or randomized.

Study Notes

Introduction to Side Channel Attacks

• Side channel attacks is presented by Ileana Buhan in March 2024

Leakage

• Leakage refers to any observable link between the value manipulated by a device and a side channel controlled by an adversary, specifically for electronic devices

Simple Attacks (SPA)

• Simple Power Analysis attacks are based on one or a few measurements
• Used to discover data or instruction dependent operations
• Symmetric attacks use the number of rounds determining the key length
• Symmetric attacks use number of memory accesses
• Asymmetric attacks target the key (ECC/RSA)
• Implementation details of asymmetric attacks include vannila RSA and RSA-CRT
• Key length is a target of asymmetric attacks
• Simple power analysis can be used to determine the PIN verification attempt of a device
• An SPA attack of RSA can visually display the secret exponent using power traces

SPA Attack Summary

• SPA attacks are not simple, and require detailed knowledge about the implementation
• An advanced option is called collision attacks
• Protecting against RSA means sticking to regularity in computation
• The advanced form of SPA attacks today is called horizontal attacks
• SPA attacks are used to enable more complex physical attacks

Collision Attack

• Colliding values can reduce the values to possible keys

Differential Attacks (DPA)

• DPA attacks exploit the data dependency of power consumption for cryptographic devices
• DPA uses a large number of traces to analyze the power consumption at a fixed moment
• The moment in time refers to the function of the processed data
• The steps include choosing the target intermediate value
• Measure traces, known plaintext or ciphertext
• Calculate hypothetical intermediate values
• Choose the leakage model
• Recover key using a side channel distinguisher
• A good intermediate value for block ciphers include S-box out and round-out

Steps of Differential Power Analysis

• Determine the target intermediate value: V(i,j) = f(k(i), m(j))
• Measure power traces with alignment
• Calculate hypothetical intermediate values from known possible values
• Map intermediate values to power values by measuring Leakage Model
• Compares intermediate value power traces

DPA Attack Summary

• Choice of leakage model is key to a successful attack
• Includes choice of distinguisher
• The most powerful distinguisher is the Correlation Coefficient
• The most intuitive distinguisher is the Difference of Means (DOM)
• Includes DPA vs CPA
• Security order is an unprotected implementation and univariate

Countermeasures

• Include special logic styles at the transistor level (WDDL, SABL)
• Platform level countermeasures include redundancy, adding jitter, and noise
• Program level includes dummy instructions and randomized order
• Algorithmic level depends on algebraic operations
• Protocol level involves key usage limits and session keys
• Masking includes a random mask concealing every intermediate value
• Power consumption depends on masked values and not actual values; masking is algorithmic
• Hiding involves making power consumption independent of the intermediate values and operations, uniform, or randomized
• Examples include special logic styles, randomization in time domain, and lowering SNR