DPA Contest 2008/2009

DPA contests home

Introduction

Rules

Download

Documentation

Traces Tables

Participate

Hall of Fame

Frequently Asked Questions

Rules of the Contest

The goal of the contest is to write the best attack algorithm on a given set of power consumption traces. The different implementations will be compared against each others. The ranking will be published on the Hall of Fame part of the web site.

Comparison Criterion

In order to build an objective ranking of the algorithms being committed by the hardware security community, we have to specify on which criterion will be evaluated these algorithms. The only criterion that we consider relevant is the unique traces count needed to guess the key. If for instance one trace is fetched twice from the database, then it counts for only one single access. The traces come with some meta-information, such as the corresponding plaintext, key and cryptogram; all this supplemental information can be used, apart from the key, of course.

In addition, the key guess has to be stable. This means that we expect the algorithm to continuously keep its correct key when continuing to accumulate more traces. We arbitrarily fixed a threshold at 100 iterations with the good key. So, if the algorithm finds the good key, and keep it for at least 100 iterations, we consider that it has definitely found the key, and that it won't change its mind. Thus, the traces count needed to find the key including the 100 stable iterations is the mark we'll give to an algorithm.
To be completely sure that your algorithm has converged on the correct key, we recommend that you check that the key guess remains stable while exhausting all the 81k+ traces from the secmatv1_2006_04_0809 acquisition campaign.

Although a so-called `brute force' search would be possible (by checking out only one or a few couple of traces), we expect the players to be fair :-) For sure, an exhaustive key search could indeed by run on special purpose cryptanalytic hardware/software, such as:

• the `DES cracker', designed by the EFF (Refer to the book Cracking DES by O'reilly, ISBN 13: 9781565925205), or
• the `COPACOBANA', designed jointly by the Ruhr University of Bochum and the Christian-Albrechts University Kiel, or
• the `distributed.net' software running on idle PCs connected over the internet.

However, those systems are an overkill to win the DPA contest. And anyway, if DES was replaced by triple DES with two or three keys, a known plaintext side-channel attack would still succeed, while the cryptanalytic hardware/software listed above would not be powerful enough to explore the 2^{2 x 56} or 2^{3 x 56} key space. In the current reference implementation, the attack is a mixed of side-channel and brute-force search:

• 6 x 8 = 48 bits of the key, corresponding to the first round sub-key, are retrieved by a side-channel analysis, while
• the remaining 8 bits are searched exhaustively.

We insist that the players do not use more brute force for more than those 8 bits.

Evolution of the DPA contest rules

As discussed in this article by the UCL (F.-X. Standaert et al. in IACR eprint # 2008/517), the rules of the DPA contest should evolve to better take into account the necessary statistical evaluation of successful attacks.
We are, of course, open to any other suggestion regarding the contest rules. The abovementioned evolution proposal is really sound (it has been scrutinized by many peer reviewers), and will therefore be enforced as soon as next year.
As for this 2008-2009 year, a debriefing about evaluation metrics suitable for side-channel attacks will be conducted at Lausanne during http://www.chesworkshop.org/ 2009.

Reference Traces

In order to compare objectively the efficiency of the DPA algorithms, they have to be checked against the same traces sets. Thus, we made publicly available a power consumption traces database, where these traces are organised by acquisition campaigns. Each campaign has been stored in a table, where each entry contains a trace with it's related informations (clear message, key, cryptogram and date). Every traces of an acquisition campaign, has been measured in exactly the same configuration (platform setup, probes sensitivity, temperature, ...). The traces that can be used for the contest are stored in the tables described in the Tables section.

Reference Implementation

We provide a DPA reference implementation in Python, which is based on the partitioning algorithm published by Paul Kocher. This program can be downloaded in the Download section. The source code is available, with all methods needed to access the traces in the database, as well as methods allowing you to compute the value of a message anywhere in the DES datapath. You can use some parts of this code to implement your own DPA algorithm.

Participating to the Contest

To participate to the contest, you just have to send us an email by following the instructions given in the Participate section. We will open a new branch in the repository where you will be able to submit your source code. This branch will be readable by the whole community, but modifiable only by yourself. When your implementation is ready, just send us your results by email (e.g. the output.txt file generated by the application). Then after an independent check (can the results be reproduced from the submitted source code?), your results will be published in the Hall of Fame section.

/ Twitter account: DPAContest / Announcement mailing list