Power analysis
|
In cryptography, power analysis is a form of side channel attack in which the attacker studies the power consumption of a cryptographic hardware device (such as a smart card, tamperproof "black box", microchip, etc). It can yield information about what the device is doing, and sometimes even some key material. It was introduced in 1999 by Paul Kocher, Joshua Jaffe and Benjamin Jun.
Differential power analysis is an extension of power analysis that can allow an attacker to compute the intermediate values of data blocks and key blocks.
Basics
Examining graphs of time against current used by a device can often show exactly what the device is doing at a given point. For example, on a graph of a smart card performing a DES encryption, the sixteen rounds can be seen clearly.
The currents passing through a device are usually small, but electronics laboratories usually possess equipment precise and accurate enough to measure them reliably and frequently. It is reasonable for a cryptosystem designer to assume that an adversary will have access to such equipment.
Power analysis does not seek to find weaknesses in algorithms or protocols so much as in their implementations. It provides a way to "see inside" otherwise 'tamperproof' hardware. For example, DES's key schedule involves rotating 28-bit key registers. In order to save time, most implementations simply check the least significant bit to see if it is a 1. If so, it divides the register by two and prepends the 1 at the left end. Power analysis can show the difference between a register with a 1 and a register with a 0 at the end when this happens. This can leak information about key material. DES's permutations, usually clumsily implemented in software, reveal even more information through conditional branches.
Preventing Power Analysis Attacks
Power analysis can most easily distinguish conditional branches in the execution of the cryptographic program since a device does different things (requiring different power) depending on which conditional branch is executed. For this reason, care should be taken to ensure there should be no differences (from a power perspective) in the conditional branches within cryptographic software implementations. All rotations, permutations and logical operations (such as XOR) should take the same time and draw equivalent power, no matter what the input.
There are, however, some algorithms with inherently significant branching. To eliminate information leakage from these, software engineers may have to be very creative. This creative engineering may cause a performance reduction (in speed typically), and will almost always require greater development effort, which must be weighed against the possibility of power analysis.
An alternative, in some cases, is to use a hard-wired hardware cryptographic device. Their power consumption can vary very little, due to their construction. However, in the case of smart cards, for example, it is not always possible to replace software implementations with hardware implementations.
References
- P. Kocher, J. Jaffe, B. Jun, "Differential Power Analysis," Advances in Cryptology - Crypto 99 Proceedings, Lecture Notes In Computer Science Vol. 1666, M. Wiener ed., Springer-Verlag, 1999.