Multi-target DPA Attacks: Pushing DPA Beyond the Limits of a Desktop Computer

摘要

Following the pioneering CRYPTO '99 paper by Kocher et al., differential power analysis (DPA) was initially geared around low-cost computations performed using standard desktop equipment with minimal reliance on device-specific assumptions. In subsequent years, the scope was broadened by, e.g., making explicit use of (approximate) power models. An important practical incentive of so-doing is to reduce the data complexity of attacks, usually at the cost of increased computational complexity. It is this trade-off which we seek to explore in this paper. We draw together emerging ideas from several strands of the literature - high performance computing, post-side-channel global key enumeration, and effective combination of separate information sources - by way of advancing (non-profiled) 'standard DPA' towards a more realistic threat model in which trace acquisitions are scarce but adversaries are well resourced. Using our specially designed computing platform (including our parallel and scalable DPA implementation, which allows us to work efficiently with as many as 2~(32) key hypotheses), we demonstrate some dramatic improvements that are possible for 'standard DPA' when combining DPA outcomes for several intermediate targets. Unlike most previous 'information combining' attempts, we are able to evidence the fact that the improvements apply even when the exact trace locations of the relevant information (i.e. the 'interesting points') are not known a priori but must be searched simultaneously with the correct subkey.