DPA Countermeasures FAQ

Answers to Common Questions About Tamper Resistance and DPA

1. What are Simple Power Analysis and Differential Power Analysis?

Simple Power Analysis ( SPA) and Differential Power Analysis (DPA) are attacks which are performed by measuring the power consumption of a device as it operates, and then using these measurements to determine secret information (such as secret keys and/or user PINs). These robust attacks are often called “external monitoring attacks”, as they are non-invasive and use observations of a device’s power consumption during its operation.

SPA attacks recover the secret keys from direct observation of individual power consumption measurements. They are most effective when there is a significant amount of sensitive information leakage.

DPA attacks employ statistical techniques to extract information from multiple power consumption measurements. They are highly effective at extracting secrets even when the information available within any individual measurement is much smaller than unknown electrical activity, measurement error, and other noise sources.

With both SPA and DPA, the device under attack performs its ordinary cryptographic processing operations. As a result, the attacks generally cannot be stopped through traditional anti-tamper mechanisms such as intrusion sensors or other attack detectors.

SPA and DPA are effective against small single-chip devices, large SoCs, and multi-chip products. For systems where the cryptographic processing is only a small contributor to the overall variation in power consumption, DPA is typically required.

2. What do these attacks achieve?

Attackers who successfully attack a cryptographic device using SPA or DPA typically extract the secret keys used by the device. With this information the attacker gets access to all the system secrets and capabilities that were available to the device. For example, these keys can enable adversaries to decrypt or forge messages, issue rogue certificates, create unauthorized digital signatures, impersonate/clone a device, or perform other malicious activities. DPA has also been used to reverse engineer implementations of proprietary cryptosystems. As a result, power analysis countermeasures are required for tamper resistant products.

3. How hard is it to implement power analysis attacks against an unprotected product?

SPA and DPA attacks are normally classified as requiring a low to moderate degree of attacker sophistication. The hardware typically used for the process consists of a PC and a digital storage oscilloscope. Suitable oscilloscopes are widely available, and sell for under $500 used. Once automated, SPA attacks are virtually instantaneous, and typical DPA attacks on unprotected devices take a few minutes to a few hours to complete.

4. What products are vulnerable?

SPA and DPA attacks primarily target cryptographic implementations in hardware and embedded systems, though related attacks using electromagnetic radiation also work against cryptographic software running on PCs and servers. Chips vulnerable to SPA and DPA range from simple ICs such as RFID devices and smart cards to large chips such as field programmable gate arrays (FPGAs), system on chips (SoCs) and ASICs. The attacks also work against multi-chip systems, such as hardware security modules (HSMs) and mobile telephones.

Countermeasures to power analysis attacks are required for security in any product which needs to protect cryptographic keys from external tampering. Relevant applications and industries include secure access and ID cards, SIM cards, payment devices, storage products (such as secure USB flash devices), pay television set-top boxes, optical disc players, audiovisual decoders, mobile phones, FPGAs, VPN appliances, secure radios, satellites, and government/military products.

5. Are smart cards the only type of device that can be attacked??

No. Power analysis attacks are a threat to any device that processes sensitive information and requires tamper resistance. Successful real world attacks have been documented against very large secure semiconductor devices and multi-chip products, and can be achieved regardless of a product’s physical enclosure. Larger products have more timing variability and uncorrelated electrical activity, but DPA attacks can extract keys from even extremely noisy measurements.

The smart card industry was the first major industry to widely adopt countermeasures due to the magnitude of the threat to the financial and personal data they contain.

6. What algorithms can be broken using SPA and DPA?

Implementations of all cryptographic algorithms, both symmetric and asymmetric, are susceptible to SPA and DPA attacks. Power analysis attacks have been implemented against products using DES, AES, MISTY, SHA, Diffie-Hellman, RSA, Elliptic Curves, as well as proprietary algorithms.

Cryptographic algorithms are normally designed to be secure against attackers who can access the inputs and/or the outputs of the algorithm, but not the secret keys or information about computational intermediates. SPA and DPA work by measuring the power consumption of a device, which provides measurements correlated to computational intermediates, thus violating the assumptions behind the security guarantees provided by the algorithm.

7. Can SPA and DPA be used to attack systems over the Internet?

No. SPA and DPA attacks require that attackers have special hardware attached to (or at least physically near) the target device. As a result, SPA and DPA are not normally a threat to typical Internet-based security applications, such as web browsing and e-mail.

8. How were SPA and DPA discovered?

Cryptography Research initiated an ambitious research project in the mid-1990’s to understand the challenges involved in building secure semiconductors. Simple Power Analysis and Differential Power Analysis, as well as the countermeasures to these attacks, were discovered as part of this research.

Our research team’s backgrounds bridge many levels of secure system design, including transistor physics, ASIC engineering, software development, cryptographic algorithms, and protocols. Traditionally, system designers focused only on individual layers of a system design, but the multi-disciplinary scope of our research project enabled the team to identify power analysis as a potential area of concern, then perform the lab work required to ascertain that the issue was in fact a serious vulnerability.

After discovering power analysis, the research team undertook a major effort to identify solutions to the problem. This research led to the invention of the countermeasures used to protect products.

9. Who discovered these attacks?

SPA and DPA and related attacks were discovered at Cryptography Research by Paul Kocher, Joshua Jaffe, and Benjamin Jun.

10. Can SPA and DPA attacks be prevented?

Yes. Defending against SPA and DPA is quite feasible. Cryptography Research discovered SPA and DPA in the 1990s, and licenses the fundamental patents covering techniques for securing systems against these attacks. Each year, billions of chips are manufactured with countermeasures licensed from CRI under these patents. Many of these products are certified and tested by independent laboratories which validate that power analysis countermeasures have been implemented correctly.

(For additional information about DPA countermeasures, click here.)

11. Is a patent license from CRI necessary to make, use, sell, offer for sale or to import products with countermeasures against SPA and DPA?

Yes. Cryptography Research discovered SPA and DPA and has developed and patented the fundamental countermeasures for preventing DPA attacks. Cryptography Research owns more than sixty five U.S. and international patents, granted and pending, covering countermeasures for SPA and DPA attacks. Over 4.5 billion products security chips are made each year with SPA and DPA countermeasures licensed from Cryptography Research. (For additional information about licensing, click here.)

12. What other research has been conducted on SPA and DPA?

Since Cryptography Research’s discovery of SPA and DPA in the 1990s, a vast amount of research has been conducted on this topic by government, commercial, and academic groups around the world. In the non-classified literature, over 1,800 academic papers cite Cryptography Research’s original paper introducing DPA, and over a third of the research papers presented at the Computer Hardware and Embedded Systems (CHES) conference during the last ten years have focused on DPA attacks.

The book entitled "Power Analysis Attacks - Revealing the Secrets of Smartcards" by Stefan Mangard, Elisabeth Oswald, and Thomas Popp provides a good introduction to the research on power analysis.

13. What related attacks are known?

Attacks using electromagnetic radiation are known to be practical against some systems. Any monitoring technique that provides information correlated to the internals of cryptographic operations could also be used to break systems.