Investigation of Simple and Differential Power Analysis
Disciplines
Electrical Engineering, Electronics, Information Engineering (30%); Computer Sciences (50%); Mathematics (20%)
Keywords
- Differential Power Analysis, Smart Card Security, Simple Power Analysis, Cryptography, Side-Channel Attacks, VLSI Design
The goal of this project is a thorough investigation of the cryptanalytic attacks known as power attacks and of the corresponding countermeasures. More and more applications (e.g. the electronic purse, e-government, pay TV, digital signature creation) rely on hardware security tokens such as smart cards. Because the values protected by smart cards are steadily increasing, smart cards are a preferred target of attacks. Power attacks, as introduced by Paul Kocher in 1998, currently pose the most serious practical threat to smart cards. These attacks are based on the fact that the power consumption of a smart card, which can be measured with a digital oscilloscope, leaks information about the secret key. Ad hoc countermeasures against these attacks have been proposed, but they are either very expensive to implement in practice or do not provide a sufficient level of protection. The goals of this project are, on the one hand, the independent analysis of countermeasures on current smart cards and, on the other hand, the development of secure cryptographic hardware. For this purpose, not only are existing attacks and countermeasures evaluated and extended, but new attacks and countermeasures are also developed. The analysis and development are done using a secure hardware design flow that has been developed at the IAIK: attacks and countermeasures are analyzed at different levels of abstraction, ranging from high-level simulations to physical measurements on a test chip that implements newly developed countermeasures.
To analyze which power attacks pose a practical threat:
- simple power-analysis attacks are improved and analyzed using new approaches based on Markov processes and neural networks
- differential power-analysis attacks (first order and higher order) are enhanced and evaluated in attacks on ad hoc countermeasures
Countermeasures are analyzed and developed:
- using logic styles with balanced power consumption
- based on data randomization
The project will be performed in cooperation with the K.U. Leuven in Belgium, which is one of very few research institutions besides the IAIK that has the equipment and the knowledge to do research on power attacks.
Security tokens, such as smart cards, are used in more and more applications to protect digital data from unauthorized access. It is therefore very important for these applications that the security tokens used cannot be manipulated or forged. In order to prevent manipulation and forgery, security tokens need in particular to be protected against simple and differential power-analysis attacks. These attacks exploit the fact that the power consumption of a security token leaks information about the secret key used by the token. In recent years, several countermeasures against power-analysis attacks have been proposed. However, no ultimate countermeasure has been found so far. The goals of this project have been to perform an independent analysis of countermeasures against power-analysis attacks and to develop hardware with countermeasures against these attacks. One of the main results of the project is that we have been able to show that a quite popular countermeasure, called "masking", does not provide sufficient protection against differential power-analysis (DPA) attacks if it is implemented in static CMOS. Static CMOS is the most popular method of implementing digital circuits. We have shown that there are problems with masked implementations in static CMOS, based on a theoretical analysis as well as on power measurements of a chip that has been designed and manufactured in cooperation with ETH Zurich, Switzerland. Another important result of the project is a statistical analysis of the effectiveness of so-called hardware countermeasures. We have derived a calculation method that enables designers to assess the resistance of their security tokens against DPA attacks throughout the design process. This calculation method complements existing methods such as performing simulations and fabricating prototypes.
A chip implementing different low-cost hardware countermeasures against DPA attacks has also been designed and manufactured in the context of this project. A further important result of the project is our secure masking scheme for the Advanced Encryption Standard (AES). The masking scheme we have developed is not only secure against first-order DPA attacks, but is also smaller than comparable masking schemes that have been published.
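As an added illustration (not part of the project description or its publications), the following Python simulation uses the Hamming-weight leakage model to show what the first-order and higher-order DPA evaluations above measure: against an unmasked S-box output, first-order correlation ranks the correct key first; Boolean masking removes that first-order leakage, while a second-order combination of the two share samples brings it back. It assumes a toy 4-bit S-box (the PRESENT S-box) in place of AES, constructed noisy traces, and an idealized leakage model of the registers only, so it does not model the static-CMOS implementation problem the project reports.

```python
import random

# Toy 4-bit S-box (PRESENT's) stands in for the AES S-box to keep the simulation small.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def hw(x):
    return bin(x).count("1")

def simulate_traces(key, n, masked, noise=0.5, seed=1):
    """Constructed traces: Hamming weight of two registers plus Gaussian noise.
    Unmasked: sample 0 holds v = S(p ^ key). Masked: samples hold v ^ m and m."""
    rng = random.Random(seed)
    pts, traces = [], []
    for _ in range(n):
        p = rng.randrange(16)
        v = SBOX[p ^ key]
        m = rng.randrange(16) if masked else 0
        s0 = hw(v ^ m) + rng.gauss(0, noise)
        s1 = hw(m) + rng.gauss(0, noise)
        pts.append(p)
        traces.append((s0, s1))
    return pts, traces

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0

def dpa(pts, traces, order):
    """Score each key guess by |corr| between predicted HW(S(p ^ k)) and the observation.
    order=1: the first sample as is. order=2: centered product of both samples, whose
    expectation is an affine function of HW(v) although each share alone is uniform."""
    if order == 1:
        obs = [t[0] for t in traces]
    else:
        m0 = sum(t[0] for t in traces) / len(traces)
        m1 = sum(t[1] for t in traces) / len(traces)
        obs = [(t[0] - m0) * (t[1] - m1) for t in traces]
    scores = {k: abs(pearson([hw(SBOX[p ^ k]) for p in pts], obs)) for k in range(16)}
    return max(scores, key=scores.get), scores

if __name__ == "__main__":
    for masked in (False, True):
        pts, tr = simulate_traces(0xB, 4000, masked)
        print("masked" if masked else "unmasked", hex(dpa(pts, tr, 1)[0]), hex(dpa(pts, tr, 2)[0]))
```

The masked first-order scores stay near zero for every key guess, which is exactly the first-order security a masking scheme is meant to provide; the second-order score shows why the project also evaluates higher-order attacks.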
- Technische Universität Graz - 100%
Research Output
- 168 Citations
- 1 Publications
- 2004
  Title: Power-Analysis Attack on an ASIC AES implementation
  Type: Conference Proceeding
  Author: Örs S
  Pages: 1-7
  DOI: 10.1109/itcc.2004.1286711
  Abstract: This work was supported by Concerted Research Action GOA-MEFISTO-666 of the Flemish Government, by the FWO “Identification and Cryptography” project (G.0141.03) and by the FWF “Investigations of Si