Differential Power Analysis of HMAC Based on SHA-2, and Countermeasures

  • Robert McEvoy
  • Michael Tunstall
  • Colin C. Murphy
  • William P. Marnane
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4867)


The HMAC algorithm is widely used to provide authentication and message integrity for digital communications. However, when HMAC is implemented in embedded hardware, it is vulnerable to side-channel attacks. In this paper, we describe a DPA attack strategy against HMAC instantiated with the SHA-2 hash function family. Using an implementation on a commercial FPGA board, we show that such attacks are practical. In addition, we present a masked implementation of the algorithm, designed to counteract first-order DPA attacks.


Keywords: Hash Function; Message Authentication Code; Compression Function; Transport Layer Security; Correlation Power Analysis





Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Robert McEvoy (1)
  • Michael Tunstall (1)
  • Colin C. Murphy (1)
  • William P. Marnane (1)

  1. Department of Electrical & Electronic Engineering, University College Cork, Ireland
