1

Abstract— In this paper, techniques to perform power analysis attacks to snatch confidential data from cryptographic circuits are quantitatively compared. In particular, the popular Differen-tial Power Analysis (DPA) and Correlation Power Analysis (CPA) techniques are compared in terms of their effectiveness, explicitly considering both precharged and static logic styles. The analytical evaluation of the main parameters related to the attack allows for better understanding the differences between the two techniques, in contrast to qualitative comparisons that were re-cently published. Simulation results and experimental measure-ments on an FPGA implementation of the Advanced Encryption Standard (AES) algorithm are presented to validate the theoreti-cal results.

Index Terms—Correlation Power Analysis (CPA), Differential Power Analysis (DPA), Advanced Encryption Standard (AES), Power Analysis Attacks, Cryptographic circuits.

I. INTRODUCTION HE wide diffusion of portable devices (e.g. Smart cards, PDAs, Smartphones) that are able to store confidential

data has focused the attention of designers on information se-curity issues [1]. Even if these devices are usually protected with cryptographic algorithms, their power consumption (i.e., the current provided by the supply) depends on the internally processed data, hence it reveals a significant amount of infor-mation about the secret key that is used to perform encryption and decryption. Hence, various Power Analysis attacks that exploit this dependence have been proposed to recover the se-cret key [2]. Among these attacks, the Differential Power Analysis (DPA, first presented in the literature in 1999 [3]) and the Correlation Power Analysis (CPA, first presented in 2004 [4]) are very popular in snatching the secret key, and are considered to be a major threat to the information security, since they are non-invasive, easily-automated, require little knowledge of the cryptographic algorithm specific implemen-tation and can be performed with inexpensive equipment [2]-[7]. The more recent CPA technique is usually claimed to be

Manuscript received June 1, 2008. M. Alioto is with the Information Engineering Department (DII), Universi-

ty of Siena, Via Roma 56, 53100, Siena, Italy. Phone: +39 0577 234632; fax: +39 0577 233602; e-mail: malioto@dii.unisi.it

M. Poli and S. Rocchi are with the Information Engineering Department (DII), University of Siena, Via Roma 56, 53100, Siena, Italy (e-mail: {poli, rocchi}@dii.unisi.it).

more effective than DPA in recovering the secret cryptograph-ic key that is stored in crypto-devices [4]-[7]. Unfortunately, previous analyses have been carried out only qualitatively, hence it is not clear in which cases CPA is to be preferred to DPA, and how much advantage it exhibits over DPA.

In this paper, a comparative analysis of DPA and CPA at-tacks is presented. This analysis focuses on the main parame-ters that are of interest in practical attacks, which are analyti-cally derived and compared. Theoretical results are validated by means of simulations as well as experimental DPA and CPA attacks on an FPGA implementation of the Advanced Encryption Standard.

II. A REVIEW OF DPA AND CPA ATTACKS The procedure to carry out DPA or CPA attacks mainly

consists of three phases. In the first phase, an attacker serially injects random but known inputs and acquires samples of the power consumption (with ,

) dissipated by the circuit during the encryption (decryp-tion) of .

In the second phase, the adversary chooses an internal -bit signal that is under attack. This signal must be physically evaluated within the cryptographic circuit at a given point of time , hence in general is a function of the input and the secret key (i.e., . As it is usually as-sumed, the adversary knows the cryptographic algorithm used in the attacked circuit but not its specific hardware implemen-tation, hence he knows the function from the algorithm but does not know the point of time . Then, the attacker esti-mates the circuit power dissipated at to physically evaluate according to a power model pc that obviously de-pends on the output signal [7]

(1)

where it was considered that . In practical at-tacks, the power model function pc in (1) is usually chosen as the Hamming weight Wi of (i.e., the num-ber of bits equal to 1 in ), since it provides reasonably accurate power estimations [2]-[7]. It is worth nothing that

is a function of the secret key , and thus it must be eva-luated guessing the value of . Therefore, all possible values of must be guessed and hence correctly estimates the

Power Analysis Attacks to Cryptographic Cir-cuits: a Comparative Analysis of DPA and CPA

Massimo Alioto, Massimo Poli, Santina Rocchi DII �– University of Siena

Siena �– Italy e-mail: {malioto, poli, rocchi}@dii.unisi.it

T

2008 International Conference on Microelectronics

1-4244-2370-5/08/$20.00 ©2008 IEEE 333

2

power consumption at only under the correct guess of [2]-[7].

The two phases above described are performed in both DPA and CPA attacks. The two techniques differ in the third phase, as discussed in the following. When a DPA attack is carried out, the adversary guesses and classifies each power trace into the set if , into the set if , and discards it if [2]-[3], [7]. Then the average power consumption waveform ( ) in the set ( ) is evaluated

(2)

being ( ) the number of power traces that are classified in the set ( ). The absolute difference is usually referred to as the differential power trace and its value in (which is non-zero, since and are dif-ferently affected by ) is usually called the DPA spike

. (3)

whereas for , since and are not affected by . This explains the well-known fact that has a spike at that stands out from the other much lower values [3] (see, for example, the differential power traces in Figs. 1a-1b that were experimentally obtained in the cases dis-cussed in Section IV). On the other hand, when is incorrect-ly guessed, a lower spike is observed since incorrectly estimates the power consumption and hence the power traces are erroneously classified into sets and [2]-[3], [7].

Similarly, when a CPA attack is performed, the adversary guesses and evaluates the correlation coefficient between and the collected power traces for each , which by definition is [4]-[6]

(4a)

where

. (4b)

As in DPA attacks, a spike appears in at (i.e., ) since the estimated power is strongly corre-

lated with the measured power , whereas much lower values are observed for since is no longer evaluated, hence is incorrelated to . Again, when is incorrect-ly guessed, a lower spike is observed since incorrectly estimates the power consumption at and hence they are less correlated [4]-[6].

From the previous considerations, DPA (CPA) attacks are successful if the spike obtained with the correct guess can be distinguished from the others. This occurs when the spike of DPA ( of CPA) under the correct guess is sufficiently greater than the maximum spike ( ) under a wrong guess,

i.e. if the Inter-Signal Signal-to-Noise Ratio in (5a) ( in (5b)) is greater than unity [2], [9]-[10]

(5a)

(5b)

Furthermore, consider that the power dissipation associated with the internal signal does not represent the entire con-sumption of the circuit, but only the data dependent part. All other power contributions (e.g. the power consumption com-ing from blocks of circuit that are not processing secret data, external noise, �…) are independent of , and their effect on the DPA (CPA) spike can be modeled as an uncorrelated zero-mean additive noise with standard deviation [2]-[7]. Hence, in practical cases, the spike ( ) can be detected only if it is significantly greater than the typical noise range. Accordingly, an Intra-Signal Signal-to-Noise Ratio ( ) is usually defined as the ratio between the spike ( ) and the additive noise standard deviation [2]-[3], [7]

(6a) (6b)

In practical DPA (CPA) attacks, the spike detection is possible when ( ) is much greater than unity, typi-cally in the order of 10. This is achieved when a sufficiently high number of inputs N is considered, as the standard devia-tion of tends to decrease when increasing N [7].

III. COMPARISON OF DPA AND CPA

In the following, parameters , , and ( , , and ) related to

DPA (CPA) attacks are evaluated considering two common logic styles: precharged and static logic.

A. DPA versus CPA in precharged logic circuits In precharged logic circuits, the power dissipated at by

the -bit signal is proportional to the number of zeroes of [9]. Hence, assuming with no loss of generality that a

unit energy is dissipated by a single bit equal to , the power dissipated at is equal to being the Hamming weight of . Under this condition, and assuming that sig-nal under attack is equal to the XOR of the input Ii and the targeted subkey k (i.e., , as occurs in most practical attacks [7]), from the analysis performed by the same authors in [9], the DPA spike ( ) under a correct (an in-correct) guess ( ) of the key is given by

(5a)

(5b)

where is the Hamming distance between and (i.e., the number of wrong bits in ).

As regards the CPA spike ( ) under a correct (an incor-rect) guess ( ) of the key, it can be easily calculated by fol-

334

3

lowing the procedure in [4], and results to

(6a) (6b)

As it is clear from (5b) and (6b), the highest spike among all possible wrong key guesses is obtained when , i.e. it is associated to the wrong keys that differ from correct key by only one bit. Accordingly, by substituting (5a)-(6a) and (5b)-(6b) with into (5a)-(5b), for DPA attacks on precharged logic circuits turns out to be the same as that of CPA attacks and equal to

. (7)

This means that CPA and DPA attacks have the same SNRINTER, hence CPA does not have any advantage over DPA from the SNRINTER point of view. Hence, the claimed advan-tage of CPA can only concern under an assigned number of inputs N. Actually, in practical attacks is a requirement ( is needed to detect the spike from the noise), and the effectiveness of the attack can be evaluated by the minimum number N of inputs (i.e., power traces) that is required to achieve the specified

. Obviously, the higher is N, the less effective is the attack since it entails a greater effort.

According to the above considerations, N needed to achieve =10 was evaluated for both DPA and CPA tech-

niques. The power consumption associated with the evaluation of (as assumed before) was eva-luated with circuit simulations, and an additive noise was introduced to model the contribution of the other blocks. In particular, the noise contribution is assumed to be 0%, 11%, 33%, 67%, 97% and 99% of the overall circuit power con-sumption. The resulting minimum number of collected power traces is reported in Table I. From this table, the num-ber of collected power trace needed for DPA attacks to achieve the typical value is always higher than or equal to the number needed for CPA attacks. However the ratio is typically about 1.3, hence the number of power traces to achieve the same in DPA attacks is greater than that of CPA by 30%. Hence, CPA attacks require a slightly lower effort, but the advantage over DPA attacks is rather modest.

B. DPA versus CPA in static logic circuits In static logic circuits, the power dissipated at to

evaluate signal is proportional to the number of transitions between the previous value and the cur-rent value [10]. However, an attacker has no informa-tion on the previous state even if the algorithm un-der attack is well known. As a consequence, in practical at-tacks the power consumption at is estimated again by simp-ly using the Hamming weight of the current state . Therefore, assuming again with no loss of generality that a unit energy is dissipated by a single transition, that

, and using the model in [10] developed by the same authors, the DPA spike ( ) under a correct (an

TABLE I SIMULATED FOR PRECHARGED LOGIC ( =10)

DPA CPA

noise

0% 100 3.1 2.6 1.20 100 1.0 0.8 1.22 1.0

11% 120 3.0 2.3 1.29 100 1.0 0.8 1.25 1.2

33% 220 3.0 2.4 1.28 180 0.8 0.6 1.20 1.2

67% 1800 2.7 2.1 1.30 1100 0.3 0.2 1.18 1.6

97% 297000 3.2 2.5 1.29 216000 0.021 0.018 1.17 1.4

99% 5600000 2.9 2.3 1.28 4700000 0.005 0.004 1.25 1.2

incorrect) guess ( ) of the key is given by [10]

(8a)

(8b)

being the number of wrong bits in wrong key guesses. The CPA spike ( ) under a correct (an incorrect) guess

( ) of the key can be easily obtained by following the ana-lytical approach in [4], and is equal to

(9a) (9b)

Finally, as in the case of precharged logic, by substituting (8a)-(9a) and (8b)-(9b) with into (5a)-(5b), the

for DPA attacks results to be the same as that of CPA attacks and equal to

. (10)

Comparison of (7) and (10) shows that, from the point of view, there is no difference between DPA and CPA attacks for both the considered logic styles. Hence, as was dis-cussed in the previous subsection, the claimed advantage of CPA must be evaluated in terms of the number N of power traces that is required to achieve a given .

Simulations on static logic were performed as described in Subsection A, and results are reported in Table II. From this table, results for static logic are essentially the same as those of precharged circuits in Table I. In particular, the ratio

is typically about 1.2, hence the number of power traces to achieve the same in DPA attacks is greater than that of CPA by 20%. Again, CPA attacks require a slightly lower effort compared to DPA, but the advantage over DPA attacks is marginal.

IV. EXPERIMENTAL RESULTS DPA and CPA attacks were performed on the AES-128 al-

gorithm implemented in an Altera Cyclone�™ FPGA. The number of collected power traces to achieve the condition

was found to be =50,000 ( =43,000) for a DPA (CPA) attack. Hence the ratio

is 1.16, which is close to the value predicted by simulations. This confirms that the advantage of CPA over

335

4

TABLE II

SIMULATED FOR STATIC LOGIC ( =10) DPA CPA

noise

0% 480 1.4 1.1 1.31 390 0.5 0.4 1.28 1.2

11% 510 1.4 1.1 1.28 410 0.5 0.5 1.12 1.2

33% 1140 1.3 1.1 1.19 620 0.4 0.3 1.33 1.8

67% 6470 1.3 1.0 1.30 5270 0.1 0.1 1.12 1.2

97% 1023000 1.7 1.3 1.33 1002000 0.010 0.008 1.19 1.0

99% 13730000 1.8 1.3 1.33 11840000 0.003 0.002 1.29 1.2

TABLE III

MEASURED DPA AND CPA SPIKE FOR A CORRECT AND A 1-BIT WRONG KEY

predicted measured err %

DPA

in (8a) 1.505 1.432 -4.85%

in (8b) 1.129 1.094 -3.10%

in (10) 1.333 1.308 -1.88%

C

PA in (9a) 1.000 0.999 -1.13%

in (9b) 0.750 0.810 8.00%

in (10) 1.333 1.233 -7.51%

DPA that is claimed by previous papers [4]-[7] is only mar-ginal.

The experimental differential power trace (normalized cor-relation coefficient) under the correct key and that under a 1-bit wrong key are plotted in Fig. 1a (Fig. 1b). The predicted

, , , , in eqs. (8a), (8b), (9a), (9b), (10) which are reported in Tab. III, differ from their measured val-ues by approximately -4.9%, -3.1%, -1.9%, -1.1%, 8%, -7.5%, respectively. Hence, simulation and experimental results are in good agreement.

A further difference between DPA and CPA is that the measured DPA spike is almost independent of the noise lev-el, whereas the CPA spike depends on it. As predicted by (7) and (10), the is always higher then unity and thus the correct key is always recognizable from all possible guesses of the key.

V. CONCLUSION In this paper, a comparative analysis between the main pa-

rameters of the Differential Power Analysis (DPA) and the Correlation Power Analysis (CPA) attacks on precharged and static logic circuits has been presented. The comparison showed that DPA and CPA attacks are equivalent from the

point of view, whereas CPA attacks are slightly better than DPA attacks since they require a lower number of collected power traces to achieve a targeted . To be more specific, to achieve the typical value , DPA attacks need on the average a number of collected power traces that is 30% greater than that required by CPA attacks. Apparently, this is a marginal advantage, hence the claimed advantage of CPA over DPA in previous paper [4]-[6] is ac-

tually rather modest in both precharged and static logic. This was also experimentally verified with real attacks on an Altera Cyclone�™ FPGA implementation of the AES-128 algorithm. Results showed that the theoretical and simulation results were in good agreement with the experimental results.

REFERENCES [1] W. Rankl and W. Effing, Smart Card Handbook. John Wiley and Sons,

Inc., 1999. [2] T. S. Messerges, E. A. Dabbish, R. H. Sloan, �“Examining Smart-Card

Security under the Threat of Power Analysis Attacks,�” IEEE Trans. on Computers, vol. 51, no. 5, pp. 541-552, May 2002.

[3] P. Kocher, J. Jaffe, B. Jun, �“Differential Power Analysis,�” Proc. of CRYPTO’99, pp. 388-397, 1999.

[4] E. Brier, C. Clavier, F. Olivier, �“Correlation power analysis with a lea-kage model,�” Proc. of CHES’04, pp. 16-29, 2004.

[5] J. J. Fournier, �“Vector microprocessors for cryptography,�” University of Cambridge, Computer Laboratory, PhD thesis, Tech. rep., Oct. 2007.

[6] M. Tunstall, N. Hanley, R. P. McEvoy, C. Whelan, C. C. Murphy, W. P. Marnane, �“Correlation Power Analysis of Large Word Sizes,�” Proc. of ISSC’07, pp. 145�–150, 2007.

[7] S. Mangard, E. Oswald, and T. Popp, Power analysis attacks: Revealing the secrets of smart cards. Springer-Verlag, 2007.

[8] J. Rabaey, A. Chandrakasan, B. Nikolic, Digital Integrated Circuits (A Design Perspective), Prentice Hall, 2003.

[9] M. Alioto, M. Poli, S. Rocchi, V. Vignoli, �“Power Modeling of Pre-charged Address Bus and Application to Multi-bit DPA Attacks to DES Algorithm,�” Proc. of PATMOS'06, pp. 593-602, 2006.

[10] M. Alioto, M. Poli, S. Rocchi, �“A General Model for Differential Power Analysis Attacks to Static Logic Circuits,�” Proc. of ISCAS’08, pp. 3346-3349, Seattle (USA), May 2008.

Diff

eren

tial P

ower

Tra

ce

Fig. 1a �– DPA Differential Power Trace under the correct key and that under a 1-bit wrong key.

Nor

mal

ized

Corr

elat

ion

Coef

ficie

nt

Fig. 1b �– CPA Normalized Correlation Coefficient under the correct key and that under a 1-bit wrong key.

1.5

1

0.5

0

0.5

1

1.5

0 25 50 75 100 125 150 175 200 225 250 275 300 325

correctkey

1.432

1.5

1

0.5

0

0.5

1

1.5

0 25 50 75 100 125 150 175 200 225 250 275 300 325

1bitwrongkey

time (ns)

1.094

1.5

1

0.5

0

0.5

1

1.5

0 25 50 75 100 125 150 175 200 225 250 275 300 325

correctkey

0.999

1.5

1

0.5

0

0.5

1

1.5

0 25 50 75 100 125 150 175 200 225 250 275 300 325

1bitwrongkey

time (ns)

0.810

336