Before an attack was performed on a physical system, it was first done in simulation. Section 5.3.1.1 describes a correlation attack on a Modelsim simulation of a VHDL design of an AES chip. Section 5.3.1.2 discusses the use of Matlab to simulate a realistic but simplified model of a device being subjected to power analysis. This allows investigation into properties of the attack that would otherwise take a prohibitively long time.
5.3.1.1 FPGA Power Estimation
As shown in [60] the number of bit transitions inside the registers of an FPGA gives a reasonable estimation of the power consumption at that time. For this reason a program was written that could accept an FPGA design file and use it to produce a file containing the number of bit changes within all registers in the design on each successive clock cycle. Details of the program are given below.
The program parses post-synthesis VHDL files and extracts the names of the registers in the design. The program then writes a test bench containing the key to be extracted and a list of plaintexts. Additionally a Modelsim script file is written that loads the design and a test bench, runs the simulation and records the values in the registers at each delta time into a file. This file is then read, and the number of transitions in a given clock cycle is counted. This information is used to perform DPA on the design using the method described in section 4.3.2.2, to extract the key that was specified in the test bench. In this example 742 traces were required to extract all 16 bytes of the key.
The first byte of the key had the decimal value 43. Figure 5-1 shows the correlation between the consumption matrix and the prediction matrix for the first byte of the key for all 256 possible values of the key. The value with the highest correlation is 43, which means that the correct value for the first key byte can be correctly identified.
In Figure 5-1 it can be seen that the values of the correlation take a series of distinct levels. This is due to the effect discussed in section 4.3.5.1. Each time the Hamming distance between the key guess and the correct key is increased, the correlation falls by a fraction equal to the number of bits in the key guess, in this case 8. This can be seen in Figure 5-1, where the correlation when the key guess is 42 is approximately the same as when it is 47, both having a Hamming distance of 1 from 43. When half the bits are incorrect there is a correlation of approximately 0, and when all bits are incorrect the correlation is negative, with the same magnitude as the largest peak.
Figure 5-1: Graph showing the correlation of the 256 key guesses for a correlation attack on the power estimation of an AES FPGA with 1,000 traces.
5.3.1.2 Matlab Simulations of the Consumption Model
The simulated attack described in section 5.3.1.1 takes a significant amount of time. The majority of this is taken up by the Modelsim simulation: to be sure that enough register transition data was collected, 4,000 plaintexts were used, which took over 2.5 hours on a 3 GHz Pentium 4. Using Matlab it is possible to simulate a correlation attack on AES much faster, and so investigate a wider variety of properties of the attack, such as the effect of the SNR and the number of traces on the results of the correlation.
In the AES design that was attacked using a Modelsim simulation in section 5.3.1.1 there were 516 registers. Of these, 128 are used for storing the data relevant to the attack; the rest are not used at all during the targeted clock cycle of the encryption. This may seem to imply that there is no noise in the measurements, but this is not true. All of the bytes are calculated in parallel, but each one is targeted individually and the data is independent, so the data from one byte appears as noise when attacking another. This means that the signal-to-noise ratio of this system is 0.25. The Matlab model to simulate an attack randomly generates 16 1-byte integers for the plaintext, XORs them with a 16-byte key and then sums the Hamming weight of each number. This value is entered into the consumption matrix. The prediction matrix is the Hamming weight of all 256 possible key values XORed with the randomly generated plaintext value of the target byte.
Figure 5-2: Graph showing the correlation of the 256 key guesses for the Matlab model of a correlation attack on AES.
The first byte of the key had the decimal value 43. Figure 5-2 shows the correlation between the consumption matrix and the prediction matrix for the first byte of the key for all 256 possible values of the key. The value with the highest correlation is 43, which means that the correct value for the first key byte can be correctly identified.
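The consumption model described above can be reproduced in a few lines. The following is an added example in Python, not the Matlab code used for this work; the function names, the fixed seed, the 14 randomly chosen remaining key bytes and the choice of 4,000 traces are assumptions made for the illustration. It also prints the correlation for guesses at Hamming distance 1, 4 and 8 from the correct byte, which shows the distinct levels discussed for Figure 5-1.

```python
import random
from math import sqrt

HW = [bin(v).count("1") for v in range(256)]  # Hamming weight of every byte value

def simulate_traces(key, n_traces, rng):
    """Consumption model: summed Hamming weight of plaintext XOR key over all bytes."""
    plaintexts = [[rng.randrange(256) for _ in key] for _ in range(n_traces)]
    consumption = [sum(HW[p ^ k] for p, k in zip(pt, key)) for pt in plaintexts]
    return plaintexts, consumption

def correlate_byte(plaintexts, consumption, index):
    """Pearson correlation of each of the 256 key guesses for one target byte."""
    n = len(consumption)
    mean_c = sum(consumption) / n
    centred_c = [c - mean_c for c in consumption]
    var_c = sum(c * c for c in centred_c)
    column = [pt[index] for pt in plaintexts]
    result = []
    for guess in range(256):
        pred = [HW[p ^ guess] for p in column]  # one column of the prediction matrix
        mean_p = sum(pred) / n
        cov = sum((p - mean_p) * c for p, c in zip(pred, centred_c))
        var_p = sum((p - mean_p) ** 2 for p in pred)
        result.append(cov / sqrt(var_p * var_c))
    return result

def run_attack(n_traces=4000, seed=1):
    """Simulate the traces and return (best guess for byte 0, all 256 correlations)."""
    rng = random.Random(seed)  # fixed seed (assumption) so the run is repeatable
    # Constructed key: the first two bytes are the 0x2B 0x7E used in the text,
    # the other 14 are random and act as noise when byte 0 is targeted.
    key = [0x2B, 0x7E] + [rng.randrange(256) for _ in range(14)]
    plaintexts, consumption = simulate_traces(key, n_traces, rng)
    corr = correlate_byte(plaintexts, consumption, 0)
    best = max(range(256), key=lambda g: corr[g])
    return best, corr

if __name__ == "__main__":
    best, corr = run_attack()
    print("best guess for byte 0:", best)
    for guess in (43, 42, 47, 43 ^ 0x0F, 43 ^ 0xFF):
        distance = HW[guess ^ 43]
        print(f"guess {guess:3d}  Hamming distance {distance}  correlation {corr[guess]:+.3f}")
```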
The signal to noise ratio can be improved by combining data from two key bytes. This does increase the size of the key-space that must be exhaustively searched from 2^8 to 2^16. The value of the 2-byte section of the key that was being targeted was 0x2B7E, or 11,134 in decimal notation. Figure 5-3 shows the correlation between the consumption matrix and the prediction matrix for the first byte of the key for all 65,536 possible values of the key. The value with the highest correlation is 11,134, which means that the correct value for the first two key bytes has been correctly identified. As stated in section 4.3.5.1, the correlation of the correct key choice is related to the signal to noise ratio of the system; as this has been increased from 1/16 to 1/8, the value of the maximum correlation as calculated by equation (4-15) becomes 1/3. Like Figure 5-1, Figure 5-3 also has a regular pattern in the values of the correlation, with key guesses that have the same Hamming distance from the correct value having the same correlation. The only difference is that in this example there are 2 bytes, and so 17 different possible values for the Hamming distance between the correct and incorrect values.
Figure 5-3: Graph showing the correlation of the 65,536 key guesses for the Matlab model of a correlation attack on 2 bytes of AES (2B 7E) with 1,000 traces.