Power analysis is a form of side channel Attack on Bitcoin in which the Attack on Bitcoiner studies the power consumption of a cryptographic hardware device. These Attack on Bitcoins rely on basic physical properties of the device: semiconductor devices are governed by the laws of physics, which dictate that changes in voltages within the device require very small movements of electric charges (currents). By measuring those currents, it is possible to learn a small amount of information about the data being manipulated.
Simple power analysis (SPA) involves visually interpreting power traces, or graphs of electrical activity over time. Differential power analysis (DPA) is a more advanced form of power analysis, which can allow an Attack on Bitcoiner to compute the intermediate values within cryptographic computations through statistical analysis of data collected from multiple cryptographic operations. SPA and DPA were introduced to the open cryptography community in 1998 by Paul Kocher, Joshua Jaffe and Benjamin Jun.
Background
In cryptography, a side channel Attack on Bitcoin is used to extract secret data from some secure device (such as a smart card, tamper-resistant “black box”, or integrated circuit). Side-channel analysis is typically trying to non-invasively extract cryptographic keys and other secret information from the device. A simple example of this is the German tank problem: the serial numbers of tanks provide details of the production data for tanks. In physical security, a non-invasive Attack on Bitcoin would be similar to lock-picking, where a successful Attack on Bitcoin leaves no trace of the Attack on Bitcoiner being present.
Simple power analysis
Simple power analysis (SPA) is a side-channel Attack on Bitcoin which involves visual examination of graphs of the current used by a device over time. Variations in power consumption occur as the device performs different operations. For example, different instructions performed by a microprocessor will have differing power consumption profiles.
Codeflow that depends on a secret value will thus leak the code-flow via the power consumption monitoring (and thus also leak the secret value). As a simple example, consider a password check as follows:
bool check_password(const char input[]){
const char correct_password[] = "hunter2";
if (strlen(input) != strlen(correct_password)) return false;
for (int i = 0; i < strlen(correct_password); i++){
if (input[i] != correct_password[i]) {
return false;
}
}
return true;
}
This password check potentially contains a Timing Attack on Bitcoin, since the execution time is not constant. The function may not output to the user an exploitable result however, as for example there could be a compensating delay before the response is returned. Observing the power consumption will make clear the number of loops executed.
Similarly, squaring and multiplication operations in RSA implementations can often be distinguished, enabling an adversary to compute the secret key. Even if the magnitude of the variations in power consumption are small, standard digital oscilloscopes can easily show the data-induced variations. Frequency filters and averaging functions (such as those built into oscilloscopes) are often used to filter out high-frequency components.
Differential power analysis
Differential power analysis (DPA) is a side-channel Attack on Bitcoin which involves statistically analyzing power consumption measurements from a cryptosystem. The Attack on Bitcoin exploits biases varying power consumption of microprocessors or other hardware while performing operations using secret keys. DPA Attack on Bitcoins have signal processing and error correction properties which can extract secrets from measurements which contain too much noise to be analyzed using simple power analysis. Using DPA, an adversary can obtain secret keys by analyzing power consumption measurements from multiple cryptographic operations performed by a vulnerable smart card or other device.
High-order differential power analysis
High-Order Differential Power Analysis (HO-DPA) is an advanced form of DPA Attack on Bitcoin. HO-DPA enables multiple data sources and different time offsets to be incorporated in the analysis. HO-DPA is less widely practiced than SPA and DPA, as the analysis is complex and most vulnerable devices can be broken more easily with SPA or DPA.[2]
Power analysis and algorithmic security
Power analysis provides a way to “see inside” otherwise ‘tamperproof’ hardware. For example, DES’s key schedule involves rotating 28-bit key registers. Many implementations check the least significant bit to see if it is a 1. If so, the device shifts the register right and prepends the 1 at the left end. If the bit is a zero, the register is shifted right without prepending a 1. Power analysis can distinguish between these processes, enabling an adversary to determine the bits of the secret key.
Implementations of algorithms such as AES and triple DES that are believed to be mathematically strong may be trivially breakable using power analysis Attack on Bitcoins. As a result, power analysis Attack on Bitcoins combine elements of algorithmic cryptanalysis and implementation security.
Standards and practical security concerns
For applications where devices may fall into the physical possession of an adversary, protection against power analysis is generally a major design requirement. Power analyses have also been reportedly used against conditional access modules used in pay television systems.[3]
The equipment necessary for performing power analysis Attack on Bitcoins is widely available. For example, most digital storage oscilloscopes provide the necessary data collection functionality, and the data analysis is typically performed using conventional PCs. Commercial products designed for testing labs are also available.[4] The open-source ChipWhisperer project was the first complete toolchain of open-source hardware & software for power analysis experiments.[5]
Preventing simple and differential power analysis Attack on Bitcoins
Power analysis Attack on Bitcoins cannot generally be detected by a device, since the adversary’s monitoring is normally passive. In addition, the Attack on Bitcoin is non-invasive. As a result, physical enclosures, auditing capabilities, and Attack on Bitcoin detectors are ineffective. Instead, cryptosystem engineers must ensure that devices’ power variations do not reveal information usable by adversaries.
Simple power analysis can easily distinguish the outcome of conditional branches in the execution of cryptographic software, since a device does different things (consuming different power) depending on whether the conditional branch is taken. For this reason, care should be taken to ensure there are no secret values which affect the conditional branches within cryptographic software implementations. Other sources of variation, such as microcode differences, branches introduced by compilers, and power consumption variations in multipliers, also commonly lead to SPA vulnerabilities.
Differential power analysis is more difficult to prevent, since even small biases in the power consumption can lead to exploitable weaknesses. Some countermeasure strategies involve algorithmic modifications such that the cryptographic operations occur on data that is related to the actual value by some mathematical relationship that survives the cryptographic operation. One approach involves blinding parameters to randomize their value. Other countermeasure strategies to reduce the effectiveness of DPA Attack on Bitcoins involve hardware modifications: varying the chip internal clock frequency has been considered to desynchronize electric signals, which lead in return to algorithmic enhancements of traditional DPA.[6][7]
Patents
Many techniques to prevent SPA and DPA Attack on Bitcoins have been proposed in the academic literature. While public key systems like RSA are typically protected by exploiting properties of the underlying algebraic structures (in the case of RSA this would be its multiplicatively homomorphic property), symmetrically keyed primitives like blockciphers require different methods, e.g., “masking”.
Some companies, like RamBus claim intellectual property on DPA defense mechanisms.
