DPA on n-Bit Sized Boolean and Arithmetic Operations and Its Application to IDEA, RC6, and the HMAC-Construction

  • Kerstin Lemke
  • Kai Schramm
  • Christof Paar
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3156)


Differential Power Analysis (DPA) has turned out to be an efficient method to attack the implementations of cryptographic algorithms and has been well studied for ciphers that incorporate a nonlinear substitution box as e.g. in DES. Other product ciphers and message authentication codes are based on the mixing of different algebraic groups and do not use look-up tables. Among these are IDEA, the AES finalist RC6 and HMAC-constructions such as HMAC-SHA-1 and HMAC-RIPEMD-160. These algorithms restrict the use of the selection function to the Hamming weight and Hamming distance of intermediate data as the addresses used do not depend on cryptographic keys. Because of the linearity of the primitive operations secondary DPA signals arise. This article gives a deeper analysis of the characteristics of DPA results obtained on the basic group operations XOR, addition modulo 2 n and modular multiplication using multi-bit selection functions. The results shown are based both on simulation and experimental data. Experimental results are included for an AVR ATM163 microcontroller which demonstrate the application of DPA to an IDEA implementation.


DPA Boolean and arithmetic operations IDEA RC6 HMAC-construction 


  1. 1.
    Chari, S., Jutla, C., Rao, J.R., Rohatgi, P.: A Cautionary Note Regarding Evaluation of AES Candidates on Smart-Cards. In: Proceedings of the second AES conference, pp. 135–150 (1999)Google Scholar
  2. 2.
    Kocher, P., Jaffe, J., Jun, B.: Differential Power Analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)Google Scholar
  3. 3.
    Messerges, T., Dabbish, E., Sloan, R.: Investigation of Power Analysis Attacks on Smartcards. In: USENIX Workshop on Smartcard Techonolgy, USENIX Association, pp. 151–161 (1999)Google Scholar
  4. 4.
    Mayer-Sommer, R.: Smartly Analyzing the Simplicity and the Power of Simple Power Analysis on Smartcards. In: Paar, C., Koç, Ç.K. (eds.) CHES 2000. LNCS, vol. 1965, pp. 78–92. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  5. 5.
    Aigner, M., Oswald, E.: Power Analysis Tutorial, available at
  6. 6.
    Oswald, E., Preneel, B.: A Theoretical Evaluation of some NESSIE Candidates regarding their Susceptibility towards Power Analysis Attacks, October 4 (2002), available at
  7. 7.
    Kelsey, J., Schneier, B., Wagner, D., Hall, C.: Side Channel Cryptanalysis of Product Ciphers. Journal of Computer Security 8(2-3), 141–158 (2000)Google Scholar
  8. 8.
    Brier, E., Clavier, C., Olivier, F.: Optimal Statistical Power Analysis, IACR Cryptology ePrint Archive, Report 2003/152, available at:
  9. 9.
    Goubin, L.: A sound method for switching between boolean and arithmetic masking. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 3–15. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  10. 10.
    Coron, J.-S., Tchulkine, A.: A New Algorithm for Switching from Arithmetic to Boolean Masking. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 89–97. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  11. 11.
    Lai, X., Massey, J.L.: Markov ciphers and differential cryptanalysis. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 17–38. Springer, Heidelberg (1991)Google Scholar
  12. 12.
    Rivest, R.L., Robshaw, M.J.B., Sidney, R., Yin, X.L.: The RC6TM Block Cipher, Version 1.1, August 20 (1998)Google Scholar
  13. 13.
    Bellare, M., Canetti, R., Krawczyk, H.: Message Authentication using Hash Functions — The HMAC Construction. RSA Laboratories’ CryptoBytes 2(1) (1996)Google Scholar
  14. 14.
    Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996)Google Scholar
  15. 15.
    Dobbertin, H., Bosselaers, A., Preneel, B.: RIPEMD-160: A Strengthened Version of RIPEMD. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 71–82. Springer, Heidelberg (1996), Google Scholar
  16. 16.
    Menezes, A., van Oorschot, P., Vanstone, S.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1996)CrossRefGoogle Scholar
  17. 17.
    ATmega163 ATmega163L, 8-bit AVR Microcontroller with 16K Bytes In-System Programmable Flash, Rev. 1142E-AVR-02/03, Atmel, available at

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Kerstin Lemke
    • 1
  • Kai Schramm
    • 1
  • Christof Paar
    • 1
  1. 1.Communication Security Group (COSY), Department of Electrical Engineering and Information SciencesRuhr-Universität BochumGermany

Personalised recommendations