Power Analysis Attacks on Secure Embedded Systems

The power consumption of any hardware circuit (cryptographic ASICs or processors running
cryptographic software) is a function of the switching activity at the wires inside it.
Since the switching activity (and hence, power consumption) is data dependent, it is not
surprising that the key used in a cryptographic algorithm can be inferred from the power
consumption statistics gathered over a wide range of input data. These attacks are called
power analysis attacks and have been shown to be very effective in breaking embedded
systems such as smartcards. Power analysis attacks are categorized into two main classes:
Simple Power Analysis (SPA) attacks and Differential Power Analysis (DPA) attacks.

SPA attacks rely on the observation that in some systems, the power profile of
cryptographic computations can be directly used to reveal cryptographic information. For
example, Figure 1 shows the power consumption profile for an ASIC implementing the DES
algorithm. From the profile, one can easily identify the 16 rounds of the DES algorithm.
While SPA attacks have been useful in determining higher granularity information such as
the cryptographic algorithm used, the cryptographic operations being performed, etc.,
they require reasonably high resolution to reveal the cryptographic key directly. In
practice, SPA attacks have been found be useful in augmenting or simplifying brute-force
attacks. For example, it has been shown in that the brute-force search space for a SW DES
implementation on an 8-bit processor with 7 Bytes of key data can be reduced to 2^40 keys
from 2^56 keys with the help of SPA.

Figure 1: The power consumption profile of a custom hardware implementation
of the DES algorithm

DPA attacks employ statistical analysis to infer the cryptographic key from power
consumption data. These attacks use the notion of differential traces (difference between
traces) to overcome the disadvantages of measurement error and noise associated with SPA
techniques. DPA has been shown to be highly robust and effective in extracting keys from
several embedded systems, not limited to smartcards. Recent approaches such as enhance the
effectiveness of DPA attacks by providing techniques that improve the signal to noise
ratio. While the initial DPA attacks targeted DES implementations, DPA has also been used
to break public-key cryptosystems.

Attacks on Secure Embedded Systems

At the top level, attacks are classified into three main categories based on their functional objectives.

• Privacy attacks: The objective of these attacks is to gain knowledge of sensitive information stored,
  communicated, or manipulated within an embedded system.
• Integrity attacks: These attacks attempt to change data or code associated with an embedded system.
• Availability attacks: These attacks disrupt the normal functioning of the system by mis-appropriating
  system resources so that they are unavailable for normal operation.

A second level of classification of attacks on embedded systems is based on the agents or means used to
launch the attacks. These agents are typically grouped into three main categories as shown in Figure 1:

Figure 1: Taxonomy of attacks on embedded systems

1. Software attacks : which refer to attacks launched through software agents such as viruses,
   trojan horses, worms, etc.
2. Physical or Invasive attacks : which refer to attacks that require physical intrusion into the system
   at some level (chip, board, or system level).
3. Side-channel attacks : which refer to attacks that are based on observing properties of the system
   while it performs cryptographic operations, e.g., execution time, power consumption, or behavior in the
   presence of faults.

The agents used to launch attacks may either be passive in the sense that they do not interfere in any
manner with system execution (e.g., merely probe or observe certain properties), or may actively
interfere with the target system’s operation. Integrity and availability attacks require interference
with the system in some manner, and hence can be launched only through active agents.

It bears mentioning that, although we have classified attacks into various categories for the sake of
understanding. In practice, attackers often use a combination of various techniques to achieve their
objectives. For example, physical attacks may be used as a pre-cursor to side-channel attacks
(removing a chip’s packaging before observing the values on global wires within the chip). Our
classification is also by no means exhaustive, nor is it intended to be — the ingenuity of attackers
who invariably come up with new schemes to break security is arguably the greatest challenge to
tamper-resistant design.