Cryptography Stack Exchange
Cryptography Stack Exchange

Questions tagged [dpa]

A DPA (or differential power analysis) is a cryptanalysis method based on analysis of the correlation between the power consumption of a chip (in a smart card for example) and the secret key it contains during cryptographic computations.

15 questions
9
votes
2 answers

Conditions for a successful Differential Power Analysis attack

From this paper, there are two conditions for a successful DPA attack: i) there exists an intermediate variable in the implementation that is correlated with the power consumption and ii) this variable exclusively depends on the plaintext (or…
vhl
  • 233
  • 1
  • 8
7
votes
2 answers

How does the split mask countermeasure work on AES?

I am trying to understand the split mask countermeasure which is a masking method to avoid side channel attacks. Let's first describe the principle and then try to apply it to AES. I found this paper which analyses this method. First, I will quote…
Raoul722
  • 3,003
  • 3
  • 23
  • 42
6
votes
2 answers

power consumption in a XOR

I'm trying to understand how a XOR affect traces of power consumption in a Differential Power Analysis on smartcards. What's the difference in energy radiated in a $1 \oplus 1$ and in a $0 \oplus 1$? If I understand correctly we have a XOR gate, and…
David 天宇 Wong
  • 1,595
  • 11
  • 27
5
votes
1 answer

Protecting Ed448 against DPA and fault attacks

There are some papers (1, 2) describing fault attacks in EdDSA. One suggested countermeasure is to add randomness to the input of the first hash call, which outputs a scalar. This paper describes a DPA attack against EdDSA, and suggests a similar…
Conrado
  • 6,614
  • 1
  • 30
  • 45
5
votes
2 answers

How to prevent power analysis on software level?

When attacking RSA with Square&Multiply, one can figure out the secret key by looking at the exponentiation algorithm itself. To prevent this in software, we could use dummy multiplications after each square. Yet, there are attacks like correlation…
user109190
  • 51
  • 1
4
votes
1 answer

Why should the input value on a DPA attack be non-constant?

I actually was wondering if anyone could help me out with the following problem: Let's assume we are attacking the first SubBytes() operation on AES with the help of a differential power analysis attack, for a DPA attack we need to know the…
Daniel Brolli
  • 43
  • 4
3
votes
1 answer

How does DPA work on AES?

I am really not much of a crypto guy so I don't really get how a differential power analysis on AES works. Can somebody explain it to me how it basically works?
AdelPoint
  • 133
  • 4
3
votes
1 answer

DPA Attack on HMAC SHA-256

I have read the paper Differential Power Analysis of HMAC SHA-2 in the Hamming Weight Model and I want to understand the DPA Attack. In section 3.2.1 Path 1 (page 4) there is written: The last remaining parts H$^{(0)}$ and C$^{(0)}$ can be…
Zlatan
  • 31
  • 2
2
votes
0 answers

Security of bit shift in Serpent

As far I know, the Serpent cipher is the only cipher that uses legit bit shifts (<<) along with circular left shift (<<<) (correct me if I am wrong). I have two questions on it: What security advantage added by bit shift? Why is it used in the…
hardyrama
  • 2,288
  • 1
  • 17
  • 41
2
votes
0 answers

How do we perform second order differential power analysis attack?

I have read papers which describe that the power traces(acquired from a side channel resistant implementation like masking) need to be centered and squared, then a correlation needs to be performed with the hypothetical power model to perform second…
ShanRe
  • 39
  • 2
2
votes
1 answer

Higher-Order Side Channel Security and Mask Refreshing: linear function?

I currently read about this paper: https://eprint.iacr.org/2015/359.pdf and I wanted to implement Algorithm 4 / Algorithm 5 on my own. There is one thing I cannot understand: where does function g come from (used in Algorithm 4)? It is said to be a…
今天春天
  • 307
  • 2
  • 8
1
vote
2 answers

RSA: Should the generation of random data used for primes include zero

When generating random data that is later tested for primality, should the random data include the value 0x0? I would have thought that primes that do not include zero's are a subset of the set of primes that do - and therefore make keys generated…
Nick Robinson
  • 11
  • 1
1
vote
1 answer

Side Channel Analysis (CorrPA), comparison between HW-results and measured power traces

I think I have missed something very fundamental. I am trying to understand the step in DPA where you compare your hypothetical power consumptions with your measured ones. The Matrix H with Matrix T. Matrix T is of size D x T, where D is the number…
Aard
  • 11
  • 1
1
vote
0 answers

Issue with understanding Side Channel Attacks

I am currently working on Side Channel Attacks (SCA) on Kyber and Dilithium. I have found myself quite confused with side channel, because so much is mentionned all the time. For instance, I don't understand when to use distinguishers, when to use…
rerouille
  • 71
  • 1
0
votes
1 answer

Can we use a hash-based stream cipher against DPA attacks?

There have been lots of DPA researches against block ciphers. I was wondering if we use a cryptographically secure hash of an incremental counter as a stream cipher, will it withstand DPA attacks? Ciphertext = Plaintext ⊕ HASH(counter) My…
adieux
  • 21
  • 2