On Second-Order Differential Power Analysis
Differential Power Analysis (DPA) is a powerful cryptanalytic technique aiming at extracting secret data from a cryptographic device by collecting power consumption traces and averaging over a series of acquisitions. In order to prevent the leakage, hardware designers and software programmers make use of masking techniques (a.k.a. data whitening methods). However, the resulting implementations may still succumb to second-order DPA. Several recent papers studied second-order DPA but, although the conclusions that are drawn are correct, the analysis is not.
This paper fills the gap by providing an exact analysis of second-order DPA as introduced by Messerges. It also considers several generalizations, including an extended analysis in the more general Hamming-distance model.
KeywordsSide-channel analysis differential power analysis second-order attacks
- 1.Triangle of coefficients of Gandhi polynomials. In: On-Line Encyclopedia of Integer Sequences, http://www.research.att.com/projects/OEIS?Anum=A036970
- 2.Triangle of coefficients of a companion polynomial to the Gandhi polynomial. In: On-Line Encyclopedia of Integer Sequences, http://www.research.att.com/projects/OEIS?Anum=A083061
- 8.Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)Google Scholar
- 10.Knuth, D.E.: The Art of Computer Programming, 3rd edn. Fundamental Algorithms, vol. 1. Addison Wesley, Reading (1997)Google Scholar
- 11.Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)Google Scholar
- 15.Rivest, R.L., Robshaw, M.J.B., Sideney, R., Yin, Y.L.: The RC6 block cipher. RSA Laboratories, v1.1, August 20 (1998)Google Scholar