| Foreword | p. xi |
| Preface | p. xiii |
| Notation | p. xvii |
| Glossary | p. xxi |
| Introduction | p. 1 |
| Cryptography and Cryptographic Devices | p. 1 |
| Attacks on Cryptographic Devices | p. 3 |
| Power Analysis Attacks | p. 6 |
| Countermeasures Against Power Analysis Attacks | p. 11 |
| Summary | p. 13 |
| Cryptographic Devices | p. 15 |
| Components | p. 15 |
| Design and Implementation | p. 17 |
| Design Steps | p. 17 |
| Semi-Custom Design | p. 19 |
| Logic Cells | p. 22 |
| Types of Logic Cells | p. 22 |
| Complementary CMOS | p. 24 |
| Summary | p. 25 |
| Power Consumption | p. 27 |
| Power Consumption of CMOS Circuits | p. 27 |
| Static Power Consumption | p. 28 |
| Dynamic Power Consumption | p. 29 |
| Glitches | p. 32 |
| Power Simulations and Power Models for Designers | p. 34 |
| Analog Level | p. 34 |
| Logic Level | p. 35 |
| Behavioral Level | p. 37 |
| Comparison | p. 38 |
| Power Simulations and Power Models for Attackers | p. 38 |
| Hamming-Distance Model | p. 39 |
| Hamming-Weight Model | p. 40 |
| Other Power Models | p. 42 |
| Comparison | p. 43 |
| Measurement Setups for Power Analysis Attacks | p. 43 |
| Typical Measurement Setups | p. 44 |
| Power Measurement Circuits and EM Probes | p. 45 |
| Digital Sampling Oscilloscopes | p. 48 |
| Examples of Measurement Setups | p. 49 |
| Quality Criteria for Measurement Setups | p. 53 |
| Electronic Noise | p. 54 |
| Switching Noise | p. 55 |
| Summary | p. 58 |
| Statistical Characteristics of Power Traces | p. 61 |
| Composition of Power Traces | p. 61 |
| Characteristics of Single Points | p. 62 |
| Electronic Noise | p. 63 |
| Data Dependency | p. 65 |
| Operation Dependency | p. 70 |
| Leakage of Single Points | p. 70 |
| Signal and Noise | p. 70 |
| Signal-to-Noise Ratio | p. 73 |
| Characteristics of Power Traces | p. 79 |
| Correlation | p. 79 |
| Multivariate-Gaussian Model | p. 81 |
| Compression of Power Traces | p. 82 |
| Relevant Points of Power Traces | p. 83 |
| Examples | p. 85 |
| Confidence Intervals and Hypothesis Testing | p. 86 |
| Sampling Distribution | p. 87 |
| Confidence Intervals | p. 88 |
| Confidence Interval and Hypothesis Test for [mu] | p. 89 |
| Confidence Interval and Hypothesis Test for [mu][subscript x] - [mu][subscript y] | p. 93 |
| Confidence Interval and Hypothesis Test for p | p. 95 |
| Confidence Interval and Hypothesis Test for p[subscript o] - p[subscript i] | p. 97 |
| Summary | p. 98 |
| Simple Power Analysis | p. 101 |
| General Description | p. 101 |
| Visual Inspections of Power Traces | p. 102 |
| Example for Software | p. 103 |
| Template Attacks | p. 105 |
| General Description | p. 105 |
| Template Building Phase | p. 106 |
| Template Matching Phase | p. 107 |
| Example for a MOV Instruction | p. 109 |
| Example for the AES Key Schedule | p. 111 |
| Collision Attacks | p. 112 |
| Example for Software | p. 113 |
| Notes and Further Reading | p. 114 |
| Differential Power Analysis | p. 119 |
| General Description | p. 119 |
| Attacks Based on the Correlation Coefficient | p. 123 |
| Examples for Software | p. 124 |
| Examples for Hardware | p. 129 |
| Calculation and Simulation of Correlation Coefficients | p. 136 |
| Examples for Software | p. 138 |
| Examples for Hardware | p. 142 |
| Assessing the Number of Needed Power Traces | p. 146 |
| Rule of Thumb | p. 147 |
| Examples | p. 148 |
| Alternatives to the Correlation Coefficient | p. 150 |
| Difference of Means | p. 151 |
| Distance of Means | p. 153 |
| Generalized Maximum-Likelihood Testing | p. 154 |
| Template-Based DPA Attacks | p. 155 |
| General Description | p. 155 |
| Examples for Software | p. 157 |
| Notes and Further Reading | p. 158 |
| Hiding | p. 167 |
| General Description | p. 167 |
| Time Dimension | p. 168 |
| Amplitude Dimension | p. 169 |
| Methods to Implement Hiding | p. 171 |
| Architecture Level | p. 172 |
| Software | p. 172 |
| Hardware | p. 173 |
| Cell Level | p. 175 |
| General Description of DRP Logic Styles | p. 176 |
| Constant Power Consumption of DRP Logic Styles | p. 178 |
| Semi-Custom Design and DRP Logic Styles | p. 180 |
| Examples of DRP Logic Styles | p. 182 |
| Sense Amplifier Based Logic | p. 183 |
| Wave Dynamic Differential Logic | p. 189 |
| Notes and Further Reading | p. 194 |
| Attacks on Hiding | p. 201 |
| General Description | p. 201 |
| Time Dimension | p. 202 |
| Amplitude Dimension | p. 203 |
| DPA Attacks on Misaligned Power Traces | p. 205 |
| Reasons for Misalignment | p. 205 |
| Alignment of Power Traces | p. 206 |
| Preprocessing of Power Traces | p. 209 |
| Examples | p. 212 |
| Attacks on DRP Logic Styles | p. 216 |
| Balanced Complementary Wires | p. 216 |
| Unbalanced Complementary Wires | p. 219 |
| Notes and Further Reading | p. 219 |
| Masking | p. 223 |
| General Description | p. 223 |
| Boolean vs. Arithmetic Masking | p. 224 |
| Secret Sharing | p. 225 |
| Blinding | p. 225 |
| Provable Security | p. 226 |
| Architecture Level | p. 226 |
| Software | p. 227 |
| Hardware | p. 231 |
| Cell Level | p. 236 |
| General Description of Masked Logic Styles | p. 236 |
| Semi-Custom Design and Masked Logic Styles | p. 238 |
| Examples of Masked Logic Styles | p. 238 |
| Masked Dual-Rail Precharge Logic | p. 238 |
| Notes and Further Reading | p. 242 |
| Attacks on Masking | p. 245 |
| General Description | p. 245 |
| Second-Order DPA Attacks | p. 246 |
| DPA Attacks | p. 247 |
| Multiplicative Masking | p. 247 |
| Mask Reuse Attacks | p. 249 |
| Biased Mask Attacks | p. 250 |
| Second-Order DPA Attacks on Software Implementations | p. 250 |
| Preprocessing | p. 251 |
| DPA Attacks on the Preprocessed Traces | p. 252 |
| Example for Masked AES | p. 254 |
| Example for Masked and Shuffled AES | p. 256 |
| Second-Order DPA Attacks on Software Implementations Using Templates | p. 257 |
| Templates Before Preprocessing the Traces | p. 257 |
| Templates for Preprocessing the Traces | p. 259 |
| Templates After Preprocessing the Traces | p. 259 |
| Template-Based DPA Attacks | p. 260 |
| General Description | p. 261 |
| Example for Masked AES | p. 262 |
| Second-Order DPA Attacks on Hardware Implementations | p. 263 |
| Preprocessing | p. 264 |
| DPA Attacks on Preprocessed Traces | p. 265 |
| Example for a Masked S-Box | p. 265 |
| Example for MDPL | p. 266 |
| Notes and Further Reading | p. 267 |
| Conclusions | p. 273 |
| Specific Conclusions | p. 274 |
| General Conclusions | p. 280 |
| Appendices | p. 283 |
| DPA Article by Kocher et al. | p. 283 |
| Background | p. 283 |
| Introduction to Power Analysis | p. 284 |
| Preventing SPA | p. 286 |
| Differential Power Analysis of DES Implementations | p. 286 |
| Differential Power Analysis of Other Algorithms | p. 290 |
| Preventing DPA | p. 291 |
| Related Attacks | p. 292 |
| Conclusions | p. 292 |
| The Advanced Encryption Standard | p. 295 |
| Algorithm | p. 296 |
| Structure of the AES Encryption | p. 296 |
| Round Transformation | p. 297 |
| Key Schedule | p. 299 |
| Software Implementation | p. 301 |
| Microcontrollers | p. 301 |
| AES Assembly Implementation | p. 302 |
| Hardware Implementation | p. 303 |
| Encryption Core | p. 304 |
| S-Box | p. 306 |
| References | p. 397 |
| Author Index | p. 329 |
| Topic Index | p. 335 |
| Table of Contents provided by Ingram. All Rights Reserved. |
