DPA Mapped to Spectral Analysis

22 November 1999

To: cryptography@c2.net
Subject: Re: DPA mapped to spectral analysis
Date: Sun, 21 Nov 1999 11:21:45 +0000
From: Markus Kuhn <Markus.Kuhn@cl.cam.ac.uk>

"Marcus Leech" wrote on 1999-11-19 19:45 UTC:

> Has anyone considered experimenting with DPA (Differential Power
> Analysis), but using spectral data, instead of power consumption?
>
> Different operations will produce different EM spectra, and so the attack
> should work, given suitable selection of frequency range. This could
> potentially allow the bad guy to attack a card without having access to
> the card, using a suitably directional antenna, etc.
>
> Does anyone have an all-software simulator for Kocher's DPA attack?

We are working on experiments along such lines. The information carrying components of the power spectrum extend even for a 3.5 MHz clock microcontroller well into the VHF range, where meter-long cables become good antennas. (Note that normal spectrum analysers are useless for such studies, because they provide you only with the spectrum of the entire power line, and they do not show you the much weaker information-carrying components in it are are only of interest here.)

We are pretty certain that the currents and path lengths on the chip itself are orders of magnitude too small to be picked up by any practical form of antenna (unless perhaps you are in a very well-shielded environment and use some esoteric helium-cooled lowest-noise antennas), even if long-time averaging is performed. However, this is not the case for currents on all the lines that leave the chip surface.

Our experimental target is at the moment the PIC16F84 microcontroller. It is in many aspects fully comparable to a smartcard controller (it is in fact used in some smartcards), but assembler-level development kits for it are much more easily openly available then for other smartcard processors and we do not want to have to ask our students to sign manufacturer NDAs before they can join the project. The PIC has also more I/O ports than a normal smartcard CPU, which simplifies triggering the oscilloscope during measurements, and it has a reasonably simple architecture. We have been working with an 8-bit 200 MHz storage scope so far, which is more than sufficient for performing a number of attacks, but in order to fully characterize the spectral properties of the leaking information, we will now use a new 8-bit 2 GHz scope as well.

Our interest in the EM aspects is not specific to smartcards. For smartcards, you can usually get easily galvanic access to the connectors, and for most attacks, direct microprobing of the chip surface is the easiest approach anyway. However, EM attacks on microcontrollers are a first step towards better understanding the CPU EM emissions of other more complex embedded security applications, eventually even workstation-class systems. That's where compromising emanations will really become interesting.

Some related earlier publications are on

http://www.cl.cam.ac.uk/Research/Security/tamper/

especially

http://www.cl.cam.ac.uk/~mgk25/ih98-tempest.pdf

http://www.cl.cam.ac.uk/~mgk25/sc99-tamper.pdf

Markus

Markus G. Kuhn, Computer Laboratory, University of Cambridge, UK
Email: mkuhn@acm.org, WWW: <http://www.cl.cam.ac.uk/~mgk25/>