
CKGS: A Way Of Compressed Key Guessing Space to Reduce Ghost Peaks

  • Li, Di (College of Computer Science and Technology, Hengyang Normal University) ;
  • Li, Lang (College of Computer Science and Technology, Hengyang Normal University) ;
  • Ou, Yu (College of Computer Science and Technology, Hengyang Normal University)
  • Received : 2022.01.12
  • Revised : 2022.03.06
  • Published : 2022.03.31

Abstract

Differential power analysis (DPA) is disturbed by ghost peaks, a phenomenon in which the mean absolute difference (MAD) value of a wrong key is higher than that of the correct key. We propose a compressed key guessing space (CKGS) scheme to solve this problem and use it to analyze the AES algorithm. The DPA based on this scheme is named CKGS-DPA. Unlike traditional DPA, CKGS-DPA uses two power leakage points in a combined attack: the first power leakage point is used to determine the key candidate intervals, and the second is used for the final attack. First, we study the distribution of MAD values when the attack point is AddRoundKey and explain why this point is not suitable for DPA. According to this law, we modify the selection function to change the distribution of MAD values. Then a key-related value screening algorithm is proposed to obtain key information. Finally, we construct two key candidate intervals of size 16 and reduce the key guessing space of the SubBytes attack from 256 to 32. Simulation results show that CKGS-DPA reduces the power trace demand by 25% compared with DPA. Experiments performed on the ASCAD dataset show that CKGS-DPA reduces the power trace demand by at least 41% compared with DPA.


1. Introduction

With the continuous development of information technology and integrated circuit technology, cryptographic chips are widely used in people's work and daily life. This brings convenience but also increases information security risk, so new technical means and tools are needed to deal with new security threats. In the past, cryptographic devices were mainly attacked by mathematical analysis, which looks for design defects of cryptographic algorithms at the mathematical level [1]. However, mathematical analysis has become inefficient as cryptographic algorithms have improved. The physical operation and interaction of encryption devices provide attackers with information beyond plaintext and ciphertext: during encryption, a device leaks timing [2], power consumption [3-5], electromagnetic emanation [6-7], faulty output [8], and other information. This information reflects the structure of the cryptographic algorithm and its intermediate data. Side-channel analysis (SCA) was born from this observation. SCA recovers the key by analyzing the physical information leaked by the device. It overturned the prevailing understanding of cryptographic security and soon became a research hotspot in the field of cryptography [9-12].

Generally speaking, SCA is divided into two categories: profiling analysis and non-profiling analysis. Profiling analysis collects power data while the device encrypts and builds a probabilistic power-consumption model of the leaked information; feature matching against the constructed model is then used to find the correct key. Non-profiling analysis uses the correlation between intermediate data and leaked information and recovers the key through statistical analysis. Profiling analysis includes template attacks (TA) [13]. Non-profiling analysis includes simple power analysis (SPA) [14], differential power analysis (DPA) [15], and correlation power analysis (CPA) [16]. Among these, DPA and CPA are the most commonly used.

Traditional DPA is affected by noise or insufficient data, which can cause a wrong candidate key to appear at the peak. The peak occupied by a wrong candidate key is called a “ghost peak”. This phenomenon seriously affects the success rate of the attack. The common way to solve the ghost peak problem is to add more power traces, but this increases the attack cost, so a low-cost solution is needed. One line of research preprocesses the power traces, for example with wavelet transform denoising [17], the Fourier transform [18], or low-pass filters [19]. However, these methods need detailed parameters of the power traces such as the sampling rate, and their application conditions are strict. Another line improves the analysis ability of DPA by changing its structure. In [20], the authors applied the Euclidean similarity algorithm to DPA and used it to adjust the mean absolute difference (MAD) values, ensuring that the correct key has a higher MAD value than the others. In [21], Mahanta, Hridoy Jyoti et al. improved Euclidean Differential Power Analysis by using the Canberra distance instead of Euclidean similarity to improve the peak distribution. Subsequently, Chen, Juncheng, et al. [22] proposed Normalized Differential Power Analysis, which normalizes the MAD value matrix to effectively reduce the MAD values of ghost peaks. Although these methods improve the peak distribution, they also add extra computation. None of them considers the problem from the perspective of the key guessing space. Compressing the key guessing space reduces both the computation and the appearance of ghost peaks.

In this paper, we propose a compressed key guessing space scheme to reduce the appearance of ghost peaks. To distinguish it from traditional DPA, we name the DPA based on this scheme CKGS-DPA. The contributions of this paper are as follows:

⦁ We study the effects of DPA attacks based on different power leakage points and explain why the traditional DPA cannot distinguish the correct key when the attack point is AddRoundKey.

⦁ We modify the selection function of the traditional DPA and propose a key-related screening function to obtain the nibble key information when the attack point is AddRoundKey.

⦁ We combine the leaked information of SubBytes and AddRoundKey to construct a compressed key guessing space strategy based on the proposed key-related screening function.

Furthermore, we use different datasets to test the performance of CKGS-DPA and DPA. The experimental results show the excellent performance of CKGS-DPA.

The rest of the study is organized as follows. Section 2 briefly introduces the background of SCA. In Section 3, we study the impact of different power leakage points on the attack result and explain CKGS-DPA in detail. The experimental verification of the CKGS-DPA will be discussed in Section 4. Finally, Section 5 concludes the whole study.

2. Background

2.1 Power leakage points in AES

The Advanced Encryption Standard [23] is a data encryption standard for which NIST publicly solicited candidates in 1997. The algorithm has been widely used in various fields due to its high security and excellent performance. It fixes the plaintext block length at 128 bits. The key length can be 128, 192, or 256 bits, with 10, 12, and 14 rounds, respectively. The operations of each round include key expansion, AddRoundKey, SubBytes, ShiftRows, and MixColumns.

During the data processing of the AES encryption algorithm, the state of the registers changes, and the load capacitance of the CMOS circuit is charged and discharged, consuming power. The moment at which this happens is called a power leakage point [24]. The distribution of power leakage points in Round 1 of the AES-128 algorithm is shown in Fig. 1. The intermediate data at these power leakage points all depend on the same key, so an attacker can select any one of them as the attack point for a side-channel analysis.


Fig. 1. The distribution of power leakage points in AES-128 algorithm

2.1.2 Differential power analysis

Traditional DPA is based on the assumption that the mean power consumed to compute a logic ‘0’ and a logic ‘1’ differ at any bit position. Under this attack model the attacker does not need detailed information about the attacked device, and even if the power traces of the device contain noise, the method can still recover the key.

During the attack phase, the attacker analyzes the encryption device at one power leakage point. The device is run N times, and the corresponding set of plaintexts \(M = \{m_i \mid i \in [0, N]\}\) and the power traces are collected. The attacker then guesses all possible values of the n-bit key \(k_j\), which belongs to the key guessing space \(k_{guess} = \{k_j \mid k_j = j, \; j \in [0, 2^n - 1]\}\). The corresponding intermediate value \(v_{i,j}\) is defined as follows:

\(v_{i,j} = f(m_i, k_j)\)       (1)

where f denotes the encryption operation, \(m_i\) denotes the ith plaintext, and \(k_j\) denotes the jth guessed key.

Subsequently, the attacker constructs a selection function to classify the power traces. Usually this function takes the highest bit of the intermediate value as the criterion and divides the power traces into two sets according to whether that bit is 0 or 1.

\(S_0[j] = \{ T_{i,n} \mid D(v_{i,j}) = 0 \}, \quad S_1[j] = \{ T_{i,n} \mid D(v_{i,j}) = 1 \}\)       (2)

where \(1 \leq i \leq N\), \(1 \leq n \leq l\), l denotes the total number of sampling points in a power trace, \(T_{i,n}\) represents the nth sampling point of the ith power trace, and D(x) denotes the selection function.

Finally, for each guessed key \(k_j\) the attacker averages the data in the sets \(S_0[j]\) and \(S_1[j]\), computes the difference of the two averages, and takes its absolute value as the MAD value of \(k_j\). For a wrong guess the classification is unrelated to the signal, so the intermediate values in the two sets are randomly distributed and the MAD value approaches 0. If a peak appears in the differential curve, the attack succeeded; otherwise it failed. The MAD value is computed as in Eq. (3).

\(\Delta t[j] = \left| \frac{1}{|S_0[j]|} \sum_{T_{i,n} \in S_0[j]} T_{i,n} \;-\; \frac{1}{|S_1[j]|} \sum_{T_{i,n} \in S_1[j]} T_{i,n} \right|\)       (3)

3. Our method

3.1 Research on Using AddRoundKey as Attack Point

SubBytes is the attack point most widely used in SCA, while few studies analyze AddRoundKey. This study aims to find rules at this point that can be used to extract additional key information. In our experiments we observed regularities in the distribution of the MAD values, and from them this paper derives two theorems. The symbols used in this section are as follows:

⦁ ||: bit string concatenation.

⦁ \(X = x_{n-1} \| x_{n-2} \| \ldots \| x_0\): n-bit variable X (from high to low).

⦁ \(\bar{x}\): the negation of variable x.

⦁ \(x_h\): the highest bit of variable x.

⦁ \(x \oplus y\): XOR of variable x and variable y.

Theorem 1. The MAD values of the guessed key \(k_j\) and the guessed key \(\bar{k}_j\) are equal under the following conditions:

1) The attacker uses AddRoundKey as an attack point.

2) The selection function uses the highest bit of the intermediate value as the distinction basis.

Proof. Let K be any n-bit guessed key, \(K = k_{n-1} \| k_{n-2} \| \ldots \| k_0\); then \(\bar{K} = \overline{k_{n-1}} \| \overline{k_{n-2}} \| \ldots \| \overline{k_0}\). Let A be any n-bit plaintext, \(A = a_{n-1} \| a_{n-2} \| \ldots \| a_0\).

\(X = A \oplus K = a_{n-1} \oplus k_{n-1} \| a_{n-2} \oplus k_{n-2} \| \ldots \| a_0 \oplus k_0\)       (4)

\(Y = A \oplus \bar{K} = a_{n-1} \oplus \overline{k_{n-1}} \| a_{n-2} \oplus \overline{k_{n-2}} \| \ldots \| a_0 \oplus \overline{k_0}\)       (5)

because

\(\overline{a_i \oplus k_i} = a_i \oplus \overline{k_i}, \quad i \in [0, n-1]\)       (6)

so

\(X = \bar{Y}\)       (7)

The selection function D(x) based on the highest bit of the intermediate value is as follows:

\(D(x) = \begin{cases} 0 & x < 2^{n-1} \\ 1 & x \geq 2^{n-1} \end{cases}\)       (8)

then

\(D(X) = \overline{D(Y)}\)       (9)

and the intermediate value \(v_{i,j}\) satisfies the following condition:

\(D(v_{i,j}) = \overline{D(\overline{v_{i,j}})}\)       (10)

Let \(V_k\) denote the set of intermediate values when the guessed key is k, and let \(V_{\bar{k}}\) be the set of intermediate values when the guessed key is \(\bar{k}\).

\(V_k = \{ v_{i,k} \mid v_{i,k} = m_i \oplus k, \; i \in [0, N], \; m_i \in M \}\)       (11)

\(V_{\bar{k}} = \{ v_{i,\bar{k}} \mid v_{i,\bar{k}} = m_i \oplus \bar{k}, \; i \in [0, N], \; m_i \in M \}\)       (12)

According to (6) and (10), \(D(v_{i,k}) = \overline{D(v_{i,\bar{k}})}\). From (2), the classifications produced by \(V_k\) and \(V_{\bar{k}}\) are therefore opposite: every trace that falls into \(S_0\) for k falls into \(S_1\) for \(\bar{k}\), and vice versa. According to (3), the MAD value is an absolute value, so exchanging the data in \(S_0\) and \(S_1\) does not change it. Therefore, the MAD values of \(V_k\) and \(V_{\bar{k}}\) are the same, and we conclude that the guessed key \(k_j\) and the guessed key \(\bar{k}_j\) have the same MAD value.

Theorem 2. The MAD values of guessed keys with the same highest bit are equal when the following conditions are met.

1) The attacker uses AddRoundKey as an attack point.

2) The selection function uses the highest bit of the intermediate value as the distinction basis.

Proof. Let b and d be any two n-bit variables. If \(v = b \oplus d\), then:

\(v_h = \begin{cases} b_h & d_h = 0 \\ \overline{b_h} & d_h = 1 \end{cases}\)       (13)

Let V denote the set of intermediate values obtained by the AddRoundKey operation.

\(V = \{ v_{i,j} \mid v_{i,j} = m_i \oplus k_j, \; m_i \in M, \; k_j \in K_{guess} \}\)       (14)

Then the highest bit \(k_{j_h}\) of the guessed key \(k_j\) satisfies the following condition:

\(k_{j_h} = \begin{cases} 0 & k_j < 2^{n-1} \\ 1 & k_j \geq 2^{n-1} \end{cases}\)       (15)

According to (13) and (15), the highest bit of \(v_{i,j}\) equals \(m_{i_h}\) for every guessed key whose highest bit is 0, so

\(D(v_{i,0}) = D(v_{i,1}) = \ldots = D(v_{i,2^{n-1}-1})\)       (16)

According to (2) and (16), the classification results from \(v_{i,0}\) to \(v_{i,2^{n-1}-1}\) are the same, so by (3) the MAD values of \(k_0\) to \(k_{2^{n-1}-1}\) are the same. Similarly, \(k_{2^{n-1}}\) to \(k_{2^n-1}\) share one MAD value, and Theorem 2 is proved.

Theorems 1 and 2 explain why few people choose AddRoundKey as an attack point. Taking the nibble attack as an example, the upper subgraph of Fig. 2 shows that all guessed keys have the same MAD value, so the correct key cannot be distinguished. Therefore, we make a simple adjustment to the selection function and define the new selection function D′(x) as follows:

\(D'(x) = \begin{cases} 0 & x \leq 2^{n-1} \\ 1 & x > 2^{n-1} \end{cases}\)       (17)


Fig. 2. The influence of different selection functions on the difference curve (nibble attack)

After replacing the selection function D(x) by D′(x), the result of the attack is shown in the bottom subgraph of Fig. 2. The MAD values of the guessed key \(k_j\) and the guessed key \(\bar{k}_j\) are now very close; for example, the MAD values of 0 and 15 are very close. Because the selection function has changed, Theorem 2 no longer holds, and Theorem 1 no longer holds exactly, since the intermediate values 7 and 8 are classified differently from before. We use this phenomenon to obtain additional information.

3.2 The design of key-related value screening algorithm

For a point on the difference curve, the abscissa is the guessed key and the ordinate is its MAD value. Let Point denote the set of points on the difference curve, Point = {Pi, i = 1, 2, ..., 15}, let Pix denote the abscissa of Pi, and let Piy denote its ordinate. As described in Section 3.1, when the attack point is AddRoundKey, the MAD values of the guessed key \(k_j\) and the guessed key \(\bar{k}_j\) are very close, and we build the screening algorithm on this phenomenon. For a nibble, \(k_j\) and \(\bar{k}_j\) always add up to 15 when \(0 \leq k_j \leq 15\). Furthermore, the guessed key with the larger MAD value is more likely to be the correct key. Therefore, we first sort all points Pi by ordinate and keep the first four. We then take the abscissas of these four points, add them pairwise, and count the groups whose abscissas add up to 15. Finally, we select two points according to rules a), b), c); the abscissas of these two points are the key-related values. The key-related value screening algorithm is shown in Algorithm 1.

a) If the number of groups with the abscissa values adding up to 15 is 1, we select this data group.

b) If the number of groups with the abscissa values adding up to 15 is 2, we select the group of data with a larger ordinate value.

c) If there is no group whose abscissa values add up to 15, we select the first two points arranged by ordinate value.

Algorithm 1 key-related value screening algorithm

Input: The set of points in the difference curve Point

Output: Two key-related values choose1, choose2

p1, p2, p3, p4 = SortByOrdinate(Point)            // sort by MAD value, descending; keep the first four points
group1, group2, num = FindGroup(p1x, p2x, p3x, p4x)  // pairs of abscissas that add up to 15, and how many there are
if (num == 2) then
    if (group1y >= group2y) then                   // rule b): the group with the larger ordinate
        choose1, choose2 = group1[0], group1[1]
    else
        choose1, choose2 = group2[0], group2[1]
    end if
else if (num == 1) then                            // rule a)
    choose1, choose2 = group1[0], group1[1]
else                                               // rule c): no pair adds up to 15
    choose1, choose2 = p1x, p2x
end if
return choose1, choose2

3.3 The design of differential power analysis with compressed key guessing space

In traditional DPA, the attacker focuses on a single power leakage point, usually SubBytes in the first round of the algorithm. However, the measured power traces include the power consumption of the entire encryption process, so the single-point attack wastes a lot of leakage information. According to the research in Sections 3.1 and 3.2, we can extract additional key information from the AddRoundKey point. Therefore, CKGS-DPA uses two power leakage points to analyze the AES algorithm: point 1 and point 2 in Fig. 1.

According to the characteristics of the two power leakage points, we assign them different tasks. We do not expect to recover the correct key exactly at the AddRoundKey point; instead we obtain partial key information from it and construct key candidate intervals. Consequently, CKGS-DPA does not need to enumerate the 256 possible key values at the SubBytes point but only the elements of the two key candidate intervals. The flowchart of the entire attack is shown in Fig. 3.

Fig. 3. Flowchart of CKGS-DPA

The first step of CKGS-DPA is to obtain information about the high 4 bits of the key at the AddRoundKey point. AddRoundKey distinguishes the correct key less well than SubBytes, so we analyze only the high 4 bits of the key there; the key guessing space of the AddRoundKey attack then has size 16. This reduces the amount of calculation and prevents wrong guessed keys with large MAD values from arising in a large-scale guess. With the selection function of Section 3.1 and the key screening function of Section 3.2, we obtain two key-related values. The attack process of this step is shown in Algorithm 2.

Algorithm 2 AddRoundKey attack algorithm

Input: Four-bit plaintext set M4bit (the high nibble of each plaintext), power trace set Wave1

Output: Two key-related values choose1, choose2

for k = 0 to 15 do
    Set0, Set1 = ∅, ∅
    for m = 0 to size(M4bit) − 1 do
        Vm,k = AddRoundKey(M4bit[m], k)            // Vm,k = M4bit[m] ⊕ k
        if D′(Vm,k) == 0 then                       // selection function of Eq. (17)
            Set0 = Set0 ∪ {power trace in Wave1 related to the mth plaintext}
        else
            Set1 = Set1 ∪ {power trace in Wave1 related to the mth plaintext}
        end if
    end for
    Δt[k] = MAD(Set0, Set1)                         // Eq. (3)
end for
choose1, choose2 = Choose(Δt)                       // Algorithm 1 on the 16-point difference curve
return choose1, choose2

Next we reduce the key guessing space based on the information obtained. From the two values returned by the key-related value screening algorithm we construct two key candidate intervals. Let g1 be the first value and g2 the second value. Each nibble is expanded to the 16 byte values whose high nibble it is, giving the intervals C1 and C2:

\(C_1 = \{ x \mid 16 g_1 \leq x \leq 16 g_1 + 15 \}\)       (18)

\(C_2 = \{ x \mid 16 g_2 \leq x \leq 16 g_2 + 15 \}\)       (19)

Subsequently, we perform a single-byte attack at the SubBytes point restricted to these two intervals, so the key guessing space shrinks from 256 to 32. The key guessing space is shown in Eq. (20).

\(K_{guess} = \{ k_j \mid k_j \in (C_1 \cup C_2), \; j \in [0, 32] \}\)       (20)

Finally, we calculate the MAD values of the thirty-two guessed keys. The correct key is the guessed key with the maximum MAD value over the two intervals. CKGS-DPA uses the original selection function D(x) when the attack point is SubBytes; the SubBytes attack is shown in Algorithm 3.

Furthermore, CKGS-DPA follows the divide-and-conquer strategy of traditional DPA: the single-byte keys are attacked one by one, and the bytes recovered by each attack are concatenated to obtain the complete key. The difference from traditional DPA is that CKGS-DPA constructs two candidate key intervals before each single-byte attack. Therefore, CKGS-DPA can also be applied to other algorithms with different key lengths.

Algorithm 3 SubBytes attack algorithm

Input: Plaintext set M, power trace set Wave2 and two key-related values choose1, choose2

Output: One-byte key RK

for k in {choose1 · 16, ..., choose1 · 16 + 15} ∪ {choose2 · 16, ..., choose2 · 16 + 15} do   // C1 ∪ C2
    Set0, Set1 = ∅, ∅
    for m = 0 to size(M) − 1 do
        Vm,k = SubBytes(M[m] ⊕ k)                   // S-box output of the first round
        if D(Vm,k) == 0 then                        // original selection function of Eq. (8)
            Set0 = Set0 ∪ {power trace in Wave2 related to the mth plaintext}
        else
            Set1 = Set1 ∪ {power trace in Wave2 related to the mth plaintext}
        end if
    end for
    Δt[k] = MAD(Set0, Set1)                         // Eq. (3)
end for
RK = argmax over k of Δt[k]                          // the guessed key with the largest MAD value
return RK
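The following is an added, self-contained Python simulation of the whole pipeline of Sections 2.1.2, 3.1, 3.2 and 3.3; it is illustration code written for this page, not code from the paper or its authors. It builds the AES S-box, generates constructed power traces under the paper's simulation model (Hamming weight of the AddRoundKey and SubBytes outputs plus Gaussian noise; the key byte 0xA7, the trace count, the noise level and the RNG seed are all assumptions), computes the MAD curve of Eq. (3), shows that with D(x) every nibble guess at AddRoundKey receives exactly the same MAD value (Theorems 1 and 2), then runs Algorithm 2 with D′(x), Algorithm 1 (rule b) is interpreted here as "the group whose larger MAD value is higher", an assumption), the intervals of Eq. (18)-(20), and Algorithm 3 over the 32 remaining guesses.

```python
import random

def _build_sbox():
    """AES S-box from GF(2^8) exp/log tables (generator 3) plus the FIPS-197 affine map."""
    exp, log = [0] * 256, [0] * 256
    x = 1
    for i in range(255):
        exp[i], log[x] = x, i
        x ^= (x << 1) ^ (0x11B if x & 0x80 else 0)  # x *= 3 in GF(2^8)
    sbox = [0] * 256
    for v in range(256):
        inv = 0 if v == 0 else exp[(255 - log[v]) % 255]
        s = inv
        for r in range(1, 5):  # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            s ^= ((inv << r) | (inv >> (8 - r))) & 0xFF
        sbox[v] = s ^ 0x63
    return sbox

SBOX = _build_sbox()

def hw(x):
    return bin(x).count("1")

def D(x, n):        # Eq. (8): highest bit of an n-bit intermediate value
    return 1 if x >= 2 ** (n - 1) else 0

def D_prime(x, n):  # Eq. (17): boundary shifted by one, so 2^(n-1) joins class 0
    return 1 if x > 2 ** (n - 1) else 0

def simulate_traces(plaintexts, key, noise, rng):
    """Constructed leakage: one sample per leakage point of Fig. 1
    (AddRoundKey output, SubBytes output), Hamming weight plus Gaussian noise."""
    out = []
    for m in plaintexts:
        v = m ^ key
        out.append((hw(v) + rng.gauss(0, noise), hw(SBOX[v]) + rng.gauss(0, noise)))
    return out

def mad_curve(samples, plaintexts, guesses, intermediate, select):
    """Eq. (2)-(3): partition the samples with the selection function for every
    guessed key and return |mean(S0) - mean(S1)| per guess."""
    curve = []
    for k in guesses:
        s0, s1 = [], []
        for m, t in zip(plaintexts, samples):
            (s1 if select(intermediate(m, k)) else s0).append(t)
        curve.append(abs(sum(s0) / len(s0) - sum(s1) / len(s1)) if s0 and s1 else 0.0)
    return curve

def screen_key_related(curve):
    """Algorithm 1 over a 16-point nibble difference curve (index = guessed key)."""
    top = sorted(range(len(curve)), key=lambda x: curve[x], reverse=True)[:4]
    groups = [(a, b) for i, a in enumerate(top) for b in top[i + 1:] if a + b == 15]
    if len(groups) == 2:   # rule b): group whose larger MAD value is higher (assumed reading)
        return max(groups, key=lambda g: max(curve[g[0]], curve[g[1]]))
    if len(groups) == 1:   # rule a)
        return groups[0]
    return top[0], top[1]  # rule c): the two highest points

def ckgs_dpa(plaintexts, traces):
    """Fig. 3 pipeline: Algorithm 2 at AddRoundKey with D', intervals C1/C2,
    Algorithm 3 at SubBytes with D over the 32 remaining guesses."""
    ark = [t[0] for t in traces]
    sb = [t[1] for t in traces]
    nibble_curve = mad_curve(ark, plaintexts, range(16),
                             lambda m, k: (m >> 4) ^ k, lambda v: D_prime(v, 4))
    g1, g2 = screen_key_related(nibble_curve)
    kguess = list(range(16 * g1, 16 * g1 + 16)) + list(range(16 * g2, 16 * g2 + 16))
    byte_curve = mad_curve(sb, plaintexts, kguess,
                           lambda m, k: SBOX[m ^ k], lambda v: D(v, 8))
    best = max(range(len(kguess)), key=lambda i: byte_curve[i])
    return kguess[best], kguess

def demo(key=0xA7, n_traces=4000, noise=0.5, seed=1):
    """Constructed run: assumed key byte, trace count, noise level and seed."""
    rng = random.Random(seed)
    pts = [rng.randrange(256) for _ in range(n_traces)]
    traces = simulate_traces(pts, key, noise, rng)
    # Theorems 1 and 2: with D(x) at AddRoundKey all 16 nibble guesses tie exactly
    flat = mad_curve([t[0] for t in traces], pts, range(16),
                     lambda m, k: (m >> 4) ^ k, lambda v: D(v, 4))
    recovered, kguess = ckgs_dpa(pts, traces)
    return {"flat_spread": max(flat) - min(flat), "recovered": recovered, "space": len(kguess)}

if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns a zero spread for the D(x) curve, a guessing space of 32 and the assumed key byte 0xA7; the tie under D(x) is exact rather than approximate because guesses with the same highest bit induce the same partition and complementary guesses induce the swapped partition, which the absolute value in Eq. (3) cannot tell apart.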

4. Experiment and Analysis

In this section, we test the performance of CKGS-DPA on two different datasets. We compare DPA and CKGS-DPA using accuracy, running time, and the minimum number of power traces required for a successful attack.

4.1 Simulation experiments

In the simulation experiment, the power traces at the different power leakage points are generated with the Hamming weight model [25]. To observe how CKGS-DPA avoids ghost peaks, we run traditional DPA and CKGS-DPA on the same set of plaintexts. Fig. 4 shows that traditional DPA cannot distinguish the correct key because ghost peaks appear, whereas in CKGS-DPA the key guessing space has been reduced: MAD values exist only inside the two intervals of size 16, and the MAD values everywhere else are 0. The correct key is the abscissa of the point with the largest MAD value in the two intervals. Guessed keys with large MAD values outside the intervals do not take part in the final calculation and therefore cannot affect the result of the attack, which improves the attack efficiency of CKGS-DPA.


Fig. 4. DPA and CKGS-DPA attack results

Subsequently, we vary the number of power traces from 0 to 4500 and perform 100 attacks at each setting to compute the average success rate. Fig. 5 shows that CKGS-DPA achieves 79.83% accuracy with 2000 power traces, while traditional DPA reaches 58.07%. CKGS-DPA reaches 91% accuracy with 3000 power traces, while traditional DPA requires 4000 power traces to exceed 90% accuracy. At the 90% accuracy level, CKGS-DPA therefore reduces the power trace demand by 25% compared with traditional DPA.


Fig. 5. The average correct rate of DPA and CKGS-DPA

4.2 Experiments on ASCAD Dataset

In the second experiment, we take 2000 power traces from the ASCAD dataset [26]. ASCAD is a publicly available dataset for evaluating SCA methods and contains power traces of a masked AES implementation on the ATMEGA 8515. Bytes 0 and 1 of the ASCAD dataset have first-order leakage because their mask value is 0, so we use DPA and CKGS-DPA to attack the first and second key bytes. The attack results for byte 0 and byte 1 are shown in Fig. 6 and Fig. 7. CKGS-DPA visibly removes some guessed keys with large MAD values compared with DPA. For byte 0, DPA needs 605 power traces to recover the key because of the interference of ghost peaks, while CKGS-DPA needs only 352 power traces thanks to the reduced key guessing space, a 41% reduction. For byte 1, DPA needs 371 power traces and CKGS-DPA 197, a 46% reduction compared with DPA.


Fig. 6. The relationship between the MAD values of all guessed keys and the number of power traces (byte 0)


Fig. 7. The relationship between the MAD values of all guessed keys and the number of power traces (byte 1)

Subsequently, we compare the computational cost of DPA and CKGS-DPA. Let Np be the total number of plaintexts. The time complexity and the number of key guesses of DPA and CKGS-DPA are shown in Table 1.

Table 1. Algorithm performance comparison (the table image is not reproduced on this page; its values are quoted in the text below)

The algorithmic complexity of DPA and CKGS-DPA is O(n) in both cases, so their computational cost is the same asymptotically. In actual attacks, the cost of CKGS-DPA is lower than that of DPA because most of the work is the computation of MAD values, whose count depends on the number of guessed keys. Taking the attack on the first key byte as an example, traditional DPA requires 256Np key guesses. In CKGS-DPA, the number of key guesses is 16Np at AddRoundKey plus 32Np at SubBytes, for a total of 48Np. Although CKGS-DPA adds some extra calculation steps, the overall amount of calculation is reduced. The running time comparison between CKGS-DPA and DPA is shown in Fig. 8: the running time of CKGS-DPA is much smaller than that of DPA, and the more power traces are used in the attack, the more pronounced the advantage of CKGS-DPA. Both the simulation experiment and the experiment on the ASCAD dataset show that CKGS-DPA outperforms DPA in attack efficiency and accuracy.


Fig. 8. The relationship between running time and the number of power traces

5. Conclusion

This paper discusses the ghost peak problem in traditional DPA. We propose a compressed key guessing space (CKGS) scheme to solve it. The CKGS scheme uses the leakage of two power leakage points in a combined attack: a nibble attack at the AddRoundKey point determines the key candidate intervals, and a single-byte attack at the SubBytes point recovers the key. Excluding some guessed keys with large MAD values reduces the appearance of ghost peaks. We also found that traditional DPA cannot distinguish the correct key when the attack point is AddRoundKey and gave a mathematical proof of this phenomenon. We then modified the selection function and proposed a key-related value screening algorithm to obtain key information, from which the key candidate intervals are constructed; finally, a SubBytes attack is performed over the candidate intervals. In the experimental verification, we evaluated CKGS-DPA on two different datasets. The results show that CKGS-DPA effectively reduces the appearance of ghost peaks and improves the efficiency of the attack.

Acknowledgement

This research is supported by the Postgraduate Scientific Research Innovation Project of Hunan Province (No.CX20211232), the Scientific Research Fund of Hunan Provincial Education Department (No.19A072, 21C0540), the Science and Technology Innovation Program of Hunan Province(2016TP1020), Application-oriented Special Disciplines, Double First-Class University Project of Hunan Province (Xiangjiaotong [2018] 469).

References

  1. Yuechuan Wei, Peng Xu, and Yisheng Rong, "Related-key impossible differential cryptanalysis on lightweight cipher TWINE," Journal of Ambient Intelligence and Humanized Computing, vol. 10, no. 2, pp. 509-517, January, 2019. https://doi.org/10.1007/s12652-017-0675-1
  2. Amir Moradi, Oliver Mischke, and Christof Paar, "One attack to rule them all: Collision timing attack versus 42 AES ASIC cores," IEEE transactions on computers, vol. 62, no. 9, pp. 1786-1798, September, 2013. https://doi.org/10.1109/TC.2012.154
  3. Yaoling Ding, Ying Shi, An Wang, Yongjuan Wang, and Guoshuang Zhang, "Block-oriented correlation power analysis with bitwise linear leakage: An artificial intelligence approach based on genetic algorithms," Future generation computer systems, vol. 106, pp. 34-42, May, 2020. https://doi.org/10.1016/j.future.2019.12.046
  4. Shan Jin and Riccardo Bettati, "Efficient side-channel attacks beyond divide-and-conquer strategy," Computer Networks, vol. 198, pp. 108409, October, 2021. https://doi.org/10.1016/j.comnet.2021.108409
  5. Yu Ou and Lang Li, "Side-channel analysis attacks based on deep learning network," Frontiers of Computer Science, vol. 16, no. 2, pp. 1-11, September, 2022.
  6. Byeong-Soo Go, Dinh-Vuong Le, Myung-Geun Song, Minwon Park, and In-Keun Yu, "Design and electromagnetic analysis of an induction-type coilgun system with a pulse power module," IEEE Transactionson plasma science, vol. 47, no. 1, pp. 971-976, Jan. 2019. https://doi.org/10.1109/TPS.2018.2874955
  7. Eloi de Cherisey, Sylvain Guilley, Olivier Rioul, and Pablo Piantanida, "Best information is most successful," IACR Transactions on Cryptographic Hardware and Embedded Systems, vol. 2019, no. 2, pp. 49-79, February, 2019.
  8. Carlton Shepherd, Konstantinos Markantonakis, Nico van Heijningen, Driss Aboulkassimi, Clement Gaine, Thibaut Heckmann, and David Naccache, "Physical fault injection and side-channel attacks on mobile devices: A comprehensive analysis," Computers & Security, vol. 111, pp. 102471, December, 2021. https://doi.org/10.1016/j.cose.2021.102471
  9. Jaegeun Moon, Im Y Jung, and Jong Hyuk Park, "IOT application protection against power analysis attack," Computers & Electrical Engineering, vol. 67, pp. 566-578, April, 2018. https://doi.org/10.1016/j.compeleceng.2018.02.030
  10. Raphael Spreitzer, Veelasha Moonsamy, Thomas Korak, and Stefan Mangard, "Systematic classification of side-channel attacks: A case study for mobile devices," IEEE Communications Surveys & Tutorials, vol. 20, no. 1, pp. 465-488, Firstquarter 2018. https://doi.org/10.1109/COMST.2017.2779824
  11. MingJian Tang, Mamoun Alazab, and Yuxiu Luo, "Big data for cybersecurity: Vulnerability disclosure trends and dependencies," IEEE Transactions on Big Data, vol. 5, no. 3, pp. 317-329, September, 2019. https://doi.org/10.1109/tbdata.2017.2723570
  12. Yu Ou and Lang Li, "Research on a high-order AES mask anti-power attack," IET Information Security, vol. 14, no. 5, pp. 580-586, September, 2020. https://doi.org/10.1049/iet-ifs.2019.0602
  13. Stjepan Picek, Annelie Heuser, and Sylvain Guilley, "Template attack versus Bayes classifier," Journal of Cryptographic Engineering, vol. 7, no. 4, pp. 343-351, September, 2017. https://doi.org/10.1007/s13389-017-0172-7
  14. Tae-Youn Kim and Jae-Hyun Lee, "A simple power source modeling and experimental investigation of a spacecraft for EMC applications," Journal of Electromagnetic Engineering and Science, vol. 21, no. 1, pp. 78-85, January, 2021. https://doi.org/10.26866/jees.2021.21.1.78
  15. Paul Kocher, Joshua Jaffe, Benjamin Jun, and Pankaj Rohatgi, "Introduction to differential power analysis," Journal of Cryptographic Engineering, vol. 1, no. 1, pp. 5-27, March, 2011. https://doi.org/10.1007/s13389-011-0006-y
  16. Ye Yuan, Kai-ge Qu, Li-ji Wu, Jia-wei Ma, and Xiang-min Zhang, "Correlation power attack on a message authentication code based on SM3," Frontiers of Information Technology & Electronic Engineering, vol. 20, no. 7, pp. 930-945, August, 2019. https://doi.org/10.1631/FITEE.1800312
  17. Abyad Enan and Mohammed Imamul Hassan Bhuiyan, "Investigation of side channel leakage of FeRAM using discrete wavelet transform," in Proc. of 2019 IEEE International Conference on Telecommunications and Photonics (ICTP), Dhaka, Bangladesh, pp. 1-4, April, 2019.
  18. Hanwen Feng, Jing Zhou, Weiguo Lin, Yujuan Zhang, and Zhiguo Qu, "Multiple-input, multilayer-perception-based classification of traces from side-channel attacks," Computer, vol. 53, no. 8, pp. 40-48, July, 2020. https://doi.org/10.1109/mc.2020.2996647
  19. Dong-Hyun Seo, Mayukh Nath, Debayan Das, Baibhab Chatterjee, Santosh Ghosh, and Shreyas Sen, "PG-CAS: Patterned-Ground Co-Planar Capacitive Asymmetry Sensing for mm-Range EM Side-Channel Attack Probe Detection," in Proc. of 2021 IEEE International Symposium on Circuits and Systems (ISCAS), Daegu, Korea, pp. 1-5, April, 2021.
  20. Jing Pan, Jasper G. J. van Woudenberg, Jerry I. den Hartog, and Marc F. Witteman, "Improving DPA by peak distribution analysis," in Proc. of International Workshop on Selected Areas in Cryptography, Waterloo, Ontario, pp. 241-261, 2010.
  21. Hridoy Jyoti Mahanta and Ajoy Kumar Khan, "Improving power analysis peak distribution using Canberra distance to address ghost peak problem," International Journal of Information Security and Privacy (IJISP), vol. 12, no. 3, pp. 27-41, July, 2018. https://doi.org/10.4018/ijisp.2018070103
  22. Juncheng Chen, Jun-Sheng Ng, Kwen-Siong Chong, Zhiping Lin, and Bah-Hwee Gwee, "A novel normalized variance-based differential power analysis against masking countermeasures," IEEE Transactions on Information Forensics and Security, vol. 16, pp. 3767-3779, June, 2021. https://doi.org/10.1109/TIFS.2021.3093783
  23. Samuel Jaques, Michael Naehrig, Martin Roetteler, and Fernando Virdia, "Implementing Grover oracles for quantum key search on AES and LowMC," in Proc. of Annual International Conference on the Theory and Applications of Cryptographic Techniques, Zagreb, Croatia, pp. 280-310, May, 2020.
  24. Yiwen Gao and Yongbin Zhou, "Side-channel attacks with multi-thread mixed leakage," IEEE Transactions on Information Forensics and Security, vol. 16, pp. 770-785, September, 2020. https://doi.org/10.1109/tifs.2020.3023278
  25. Tang Ming, Wang Pengbo, Ma Xiaoqi, Chang Wenjie, Zhang Huanguo, Peng Guojun, and Jean-Luc Danger, "An efficient SCA leakage model construction method under predictable evaluation," IEEE Transactions on Information Forensics and Security, vol. 13, no. 12, pp. 3008-3018, December, 2018. https://doi.org/10.1109/TIFS.2018.2837644
  26. Ryad Benadjila, Emmanuel Prouff, Remi Strullu, Eleonora Cagli, and Cecile Dumas, "Deep learning for side-channel analysis and introduction to ASCAD database," Journal of Cryptographic Engineering, vol. 10, no. 2, pp. 163-188, November, 2020. https://doi.org/10.1007/s13389-019-00220-8