Side Channel Attack Model
Side channel attacks breaks the security of systems by exploiting signals that are unknowingly emitted during the execution of cryptographic operation such as power
FIGURE 8.3 A Simple Side Channel Attack Model.
consumption, memory and timing information, EM emanation etc as shown in the Figure 8.3. These so-called physical attacks do not necessarily aim at mathematical weaknesses of algorithms or implementations but rather take advantage of physically observable or manipulable parameters. After gathering side channel information they are further processed. By performing several iterations on this data the attacker collects lot of information and is successful in extracting the secret key. Figure 8.3 represents the process of extracting the data. Attacker observes the power consumption of device and captures waveforms. Bits Os and Is are easily distinguishable from the power waveforms leading to key extraction.
Classification of side channel attacks
Side channel attacks are called “side channel” because they do not intrude actively but take part passively without tampering with the device. The person will not even know about the attack. Figure 8.4 shows the categorization of side channel attacks. Side channel attacks can be categorized as: Active and Passive attacks.
“Active attacks are more harmful as compared to passive attacks.”
The literature categorizes side channel attacks as Active vs Passive attacks.
220.127.116.11 Active vs Passive Attacks:
They aim at inducing faults in a circuit to get slightly different or erroneous behavior. There are several means to inject faults into a circuit, either by modifying chips’ parameters or by modifying its external environment: variation in clock frequency, under powering, over powering, glitches, laser shots, etc . Passive attacks are based on observation of information leaked during normal operation of device such as power consumption, EM waves, temperature,
FIGURE 8.4 Categorization of Side Channel Attacks.
sound, etc. These attacks can retrieve secret data using statistical analysis, which are discussed later.
• Power attacks. As shown in Figure 8.3, attacker tries to capture the information from the target device. Resistor is connected across the target device. Since
From the above equation, we can easily find out power traces and can find out the secret key. Attacker doesnot need to discover the exact power consumption, he just needs to determine when target is consuming more power and when less.
18.104.22.168 Invasive vs Non-invasive:
Invasive attacks are the ones which require direct access to the chip. They are penetrative attacks, which leave tamper evidence of attack or even destroy the device. They may harm the chip physically leaving the device damaged permanently. Non- invasive attacks are less destructive as compared to invasive attacks and they do not harm the chip physically. They are also known as non-penetrative attacks. In this, attacker interacts with the device via its interface (voltage, current, I/O, etc.). They just observe and manipulate the device without physical harm to it . These types of attacks leave no evidence of attack. The device remains undamaged. Skorobogatov and Anderson add a new distinction with what they call semi-invasive attacks. It is a kind of attack which is less destructive than invasive one. In this, it requires depackaging of the chip but they do not tamper with passivation layer - they do not require electrical contact to metal surface.
FIGURE 8.5 Classification of Side Channel Attacks.
Between invasive and non-invasive, non-invasive attacks are interesting because the equipment and hardware specific knowledge necessary to perform them is minimal. Strong expertise is not required to perform such types of attacks. This is why these types of attacks are gaining a lot of attention in the scientific community. Figure 8.5 shows classification of side channel attacks.
Power Analysis Techniques
There are various power analysis techniques as discussed below :
- 1. SPA (Simple Power Analysis)
- 2. DPA (Differential Power Analysis)
- 3. CPA(Correlation Power Analysis)
- 4. MIA(Mutual Information Analysis)
- 5. Horizontal & Vertical power analysis
- 6. CIA (Combined Implementation Attacks)
- 8.4.1 Simple Power Analysis and Differential Power Analysis
These techniques were proposed in 1999 [9,10]. Simple power analysis is done by adversary to reveal secret information just by observing the power waveforms. Data is leaked through side channels such as timing, power, EM waves, etc., as shown in Figure 8.6. It simply involves interpreting power traces or graphs during normal
FIGURE 8.6 Side Channel Analysis DPA Attack.
execution . Small set of power traces with relevant information are obtained directly from trace patterns.
Attacker captures the waveforms and compares them with leaked information. By using hamming weight distance model the secret key is revealed. This is a basic technique used to do analysis. After this much more advanced techniques arrived.
Figure 8.6 shows how an attacker can steal the secret key by doing simple analysis such as SPA. Figure 8.7 shows a RSA asymmetric cryptographic standard used for key exchange. It uses modular exponentiation as its basis. RSA is implemented using a method where a square function is used if the key byte is odd, and square and multiply is used if the key byte is even. An attacker by observing the waveform can guess these operations of square and multiply and can get information about the
FIGURE 8.7 Example of Side Channel Attack on Crypto Function .
secret key. Others techniques such as DPA or more advanced techniques can also be used for easy recovery
Advantage. Small traces are required.
Disadvantage. Lots of manual effort is required along with detailed supervision.
8.4.2 Differential Power Analysis
It was introduced by Paul Kocher [13, 14]. This is an advanced method as compared to SPA in which the attacker uses statistical properties of traces in order to recover secret data. It is based on the evaluation of many traces with varying input data for the targeted algorithm. Then a brute force attack with additional information is performed on a part of the algorithm. Hence, it is also called a divide and conquer strategy.
- 22.214.171.124 Basic Approach of DPA. It is a statistical technique which takes several power consumption traces of a cryptographic device as one of its inputs and determines the validity of a guess made on the cipher key. This attack relies on the assumption that a correlation exists between the device operation and the power consumed by the device while performing that operation. DPA is a powerful attack because it is non-invasive, it does not require expensive equipment and it is independent of the algorithm implementation.
- 126.96.36.199 Steps to perform DPA : It can be divided into two steps:
- 1. Measurement phase;
- 2. Evaluation Phase.
- 188.8.131.52 Countermeasure against DPA: Power consumption of the device should be made independent of data since they are correlated.
- • Noise generators.
- • Insertion of random delays which will further makes power measurement task for attacker more time consuming and difficult.
- • Another approach is to randomize the intermediate results.
- • Masking: It can be applied at algorithm level or gate level.
- 8.4.3 Correlation Power Analysis
An improved DPA technique. In CPA [15, 28, 29] based power attacks, an adversary encrypts multiple plaintexts and measures the power consumption during the encryption (Figure 8.8). He then constructs a power model based on hamming weight (HW) or hamming distance (HD) of intermediate state(s) by using the plaintexts and a guess for the target key byte. The measured power traces are correlated with the power model and the highest correlation reveals the secret key byte.
For linear power model, Pearson’s correlation coefficient is a good choice . 
FIGURE 8.8 Concept of CPA.
- 184.108.40.206 Steps to Perform CPA Attack
- 1. The intermediate value is chosen.
- 2. Based on chosen values power traces are measured
- 3. Choose a power model.
- 4. Calculate the hypothetical intermediate value and corresponding hypothetical power consumption.
- 5. Apply the statistic analysis between measured power consumption and hypothetical power consumption. The value having highest correlation will be considered as secret key.
- 8.4.4 Mutual Information Analysis
It is one of the most established techniques. Techniques discussed before are quite complicated and they need to consider many factors while doing power analysis such as:
- • Device power consumption characteristics;
- • Attackers power model;
- • The distinguisher by which measurements and model predictions are compared;
- • The quality of the estimations.
In contrast to CPA, MIA can capture non-linear dependencies between predicted power consumption and measured values and hence improve the success rate of side channel attacks in certain situations .
8.4.5 Horizontal and Vertical Power Attack
A different kind of evaluation method called horizontal and vertical power analysis is also there which is based on detecting and utilizing correlations within a single trace, e.g., to identify the processing of similar values in a cryptographic algorithm . These methods apply to both symmetric and asymmetric cryptographic primitives.
According to literature review, all kinds of countermeasures become ineffective if attacks are performed with modus operandi called Horizontal. Classic attacks require several traces; however, these kinds of attacks require single observation trace. Colin Walter at CHES 2001 originally introduced these attacks . Vertical attack differs from horizontal attack in the way that information is obtained from different algorithm executions.
8.4.6 Combined Implementation Attack
Different kinds of attacks such as side channel attacks and fault injection attacks are considered as separate attacks . Adversary may successfully combine them to overcome countermeasures against them. This category is known as combined implementation attack .
220.127.116.11 Basic Principle of Combining Active and Passive Attacks
By injecting a fault, the computation of the device gets disturbed; further it becomes possible to realize a passive attack on the perturbed execution. The fault is detected at the end of the command. The secret value has already been recovered using classic power analysis. Fault countermeasures are only active after the end of the computation.
-  Other models: difference of means, mutual information.