Hall of fame

The results of the evaluation of the submitted attacks on the private database will be published on this page.

Results

| Participant | Submission date | Key found | Max PGE < 10 | Key found (stable) | Max PGE stable < 10 | Time/Trace (ms) | Attack type | Description |
|---|---|---|---|---|---|---|---|---|
| Liran Lerman, Université Libre de Bruxelles, Belgium | 19/09/2013 | 22 | 13 | 22 | 13 | 24 ms | Profiling | Description below |
| Amir Moradi, RUB, Germany | 02/10/2013 | 174 | 148 | 174 | 148 | 305 ms | Non Profiling | Description below |
| Tang Ming, Wuhan University, China | 03/11/2013 | 763 | 465 | 990 | 482 | 271 ms | Non Profiling | |
| Zheng Kanghong (DSO National Laboratories, Singapore); Sebastian Kutzner (Physical Analysis and Cryptographic Engineering (PACE), Temasek Laboratories, Nanyang Technological University, Singapore) | 07/11/2013 | 69 | 55 | 78 | 55 | 261 ms | Non Profiling | Description below |
| Tang Ming, Qiu Zhenlong, Peng Hongbo, Wang Xin, Li Yanbin, Xiang Xiao, School of Computer, Wuhan University, China (Attack v2) | 21/11/2013 | 140 | 56 | 297 | 115 | 8 ms | | |
| Tang Ming, Qiu Zhenlong, Peng Hongbo, Wang Xin, Li Yanbin, Xiang Xiao, School of Computer, Wuhan University, China (Attack v3) | 21/11/2013 | 177 | 103 | 212 | 143 | 11 ms | | |
| Heorhi Liasneuski, Belarusian State University, Belarus | 01/12/2013 | 38 | 15 | 38 | 23 | 5 ms | Profiling | Description below; Source code |
| Liu Junrong, Guo Zheng, Sui Yijie, Shen Xiangxiang, Wang Weijia, Xu Sen, Shanghai Jiao Tong University, China | 03/12/2013 | 125 | 110 | 148 | 123 | 940 ms | Non profiling | Description below |
| Tang Ming, Xiang Xiao, Chen Xiaobing, Qiu Zhenlong, Chen Zhenling, School of Computer, Wuhan University, China | 05/12/2013 | 627 | 197 | 673 | 260 | 32,000 ms | Profiling | |
| Liu Junrong, Guo Zheng, Sui Yijie, Shen Xiangxiang, Wang Weijia, Xu Sen, Bao Sigang, SJTU-SHHIC Co-Lab of Data Security and Protection, Shanghai Jiao Tong University, China | 20/12/2013 | 110 | 106 | 162 | 112 | 160 ms | Non profiling | Description below |
| Yongbin Zhou, Lin Meng, Hailong Zhang, Yingxian Zheng, Mingliang Feng, State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, China (2nd-order CPA Attack) | 20/12/2013 | 236 | 154 | 367 | 177 | 2300 ms | Non profiling | Description below |
| Yongbin Zhou, Lin Meng, Hailong Zhang, Yingxian Zheng, Mingliang Feng, State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, China (1st order CPA attack I) | 20/12/2013 | 14 | 8 | 14 | 12 | 333 ms | | Description below |
| Yongbin Zhou, Lin Meng, Hailong Zhang, Yingxian Zheng, Mingliang Feng, State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, China (1st order CPA attack II) | 20/12/2013 | 14 | 8 | 14 | 12 | 332 ms | | Description below |
| Yongbin Zhou, Lin Meng, Hailong Zhang, Yingxian Zheng, State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, China | 27/12/2013 | 2 | 1 | 2 | 1 | 9,359 ms | Profiling | Description below |
| Heorhi Liasneuski, Stanislau Piatrusha, Belarusian State University, Belarus | 08/01/2014 | 7 | 5 | 7 | 5 | 5 ms | Profiling | Description below; Source code |
| Benoît Gérard, DGA, France | 10/01/2014 | 15 | 6 | 15 | 6 | 2 ms | Profiling | Description below |
| Ofir Weisse, Yossi Oren, Avishai Wool, Cryptography and Network Security Lab, Tel-Aviv University, Israel (this attack has been evaluated with only 10 traces) | 26/01/2014 | 5 | 5 | | | 55,000 ms | Profiling | Description below |
| Liran Lerman, Université Libre de Bruxelles, Belgium | 16/02/2014 | 7 | 6 | 7 | 6 | 10 ms | Profiling | |
| Anonymous (K) | 24/02/2014 | 136 | 102 | 141 | 106 | 8,500 ms | Non Profiling | |
| Frank Schuhmacher, Segrids, Germany | 26/02/2014 | 1 | 1 | 1 | 1 | 5 ms | Profiling | Description below; Source code |
| Hideo Shimizu, Toshiba Corporation Corporate Research & Development Center, Japan | 28/02/2014 | 1 | 1 | 1 | 1 | 30 ms | Profiling | Description below |
| Xavier Bodart, Liran Lerman, Université Libre de Bruxelles, Belgium | 06/03/2014 | 21 | 17 | 21 | 17 | 400 ms | Profiling | Description below |
| Anonymous | 09/03/2014 | 1,100 | 1,100 | 1,100 | 1,100 | 350 ms | Non Profiling | Description below |
| Tsunato Nakai, Daiki Tsutsumi, Takaya Kubota, Mitsuru Shiozaki, Takeshi Fujino, Ritsumeikan University, Japan | 10/03/2014 | 43 | 31 | 43 | 31 | 450 ms | Non Profiling | Description below; Source code |
| Anonymous | 26/03/2014 | 15 | 15 | 19 | 19 | 50 ms | Non Profiling | Description below |
| Zdenek Martinasek, Ondrej Zapletal, Faculty of Electrical Engineering and Communication, Brno University of Technology, Czech Republic | 01/04/2014 | 23 | 19 | 28 | 19 | 1,100 ms | Profiling | Description below |
| Yongbin Zhou, Yingxian Zheng, Hailong Zhang, Guangjun Fan, Lin Meng, State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, China | 08/04/2014 | 1 | 1 | 1 | 1 | 21,000 ms | Profiling | Description below |
| Liu Junrong, Zeng Zhong, Guo Zheng, Gu Dawu, Xu Sen, Wang Weijia, SJTU-SHHIC Co-Lab of Data Security and Protection, Shanghai Jiao Tong University, China | 09/06/2014 | 6 | 4 | 6 | 4 | 5 ms | Profiling | Description below |
| Li Yang, Wang Weiqi, Zhang Chi, Shanghai Fudan Microelectronics Group Company Limited, China | 17/09/2014 | 1 | 1 | 1 | 1 | 50,000 ms | Profiling | Description below |
| Zhang Chi, Li Yang, Wang Weiqi, Shanghai Fudan Microelectronics Group Company Limited, China | 28/10/2014 | 52 | 20 | 52 | 30 | 2,000 ms | Non Profiling | Description below; Source code |

The attacks submitted on the AES-256 RSM implementation are evaluated on only one key, due to the size of the acquisition campaign.

Description of the attacks by their authors

Liran Lerman (Université Libre de Bruxelles), Belgium (September 19, 2013)

Article at CARDIS 2014

Amir Moradi (RUB), Germany (October 2, 2013)

The attack, which is a normal CPA, exploits a univariate first-order leakage. The power model used in the CPA is the bits of the XOR between Sbox input and output. The reason for such leakage is the specific way the input and output masks of the Sboxes are selected, i.e., input mask: M_i, output mask: M_{i+1}.

A more extensive description of the attack is available in the paper Detecting Hidden Leakages (ePrint 2013/842, to appear at ACNS 2014). In this paper, the attack is also improved (by exploiting optimally the unbalance of mask differences), and some hints to plug the first-order leakage are given.

Zheng Kanghong (DSO National Laboratories) & Sebastian Kutzner (Nanyang Technological University), Singapore (November 7, 2013)

Our attack targets the Hamming weight of the base masks. When the 16 bytes of the base masks are read during the initial AddRoundKey operation, their EM/power levels can be exploited to guess the rotation offset used. The greatest difference between 2 adjacent bytes suggests an m15-m0 pair.

Heorhi Liasneuski (Belarusian State University), Belarus (December 1, 2013)

The main idea of the attack is: using the Hamming weight power consumption model at the moment when an address into the SubBytes look-up tables appears on the address bus, determine for every byte of the key its "probability" of producing this address weight. So, for every trace:

  1. Determine the offset (using the addresses of the mask bytes).
  2. For every value of a key byte, calculate the deviation of its predicted address weight from the measured weight, and sum it with the previous one.
  3. Check for correctness (try to encrypt the plaintext) the 4 most probable values of the 6 most uncertain bytes of the key.

Liu Junrong, Guo Zheng, Sui Yijie, Shen Xiangxiang, Wang Weijia, Xu Sen (Shanghai Jiao Tong University), China (December 3, 2013)

  1. Firstly, we calculate the correlation between the Hamming weight of Moffset, Moffset+1, ..., Moffset+i, ..., Moffset+15 and the power consumption. We find there is a large correlation at one point of the power trace, denoted as P1i (0<=i<=15). Moreover, there is a negative correlation 12 points after P1i, denoted as P2i (0<=i<=15). Through observation of the mask M = [0 15 54 57 83 92 101 106 149 154 163 172 198 201 240 255], it can be summarized that the Hamming weight of all masks is 4 except for 00 and ff. In addition, 00 and ff are adjacent. So the mask has a big probability of being ff where P1i and P2i have the biggest difference, by which we can calculate the offset. For example, when (P1i-P2i)-(P1i+1-P2i+1) is the largest, the mask at point i is FF, and offset+15=i (since ff is the last one at the beginning).
  2. Knowing the offset, we can attack the S-box by using CPA. We choose 30 points for every S-box for attacking. The Hamming weight of S(x+k)+M can be calculated for each k since we know M.
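The mask-set properties relied on above (Moradi's unbalanced mask differences, and the single 00/ff pair with Hamming weights other than 4 noted in the SJTU description) can be checked directly from the published mask set. The following is an added design check, not code from the contest or from any participant; it assumes the (M_i, M_{i+1}) input/output mask pairing quoted by Moradi.

```python
# Added design check of the DPA contest v4 RSM mask set (not the contest's or any
# participant's code). MASKS is the set quoted on this page; the S-box input/output
# mask pairing (M_i, M_{i+1}) follows Moradi's description above.
MASKS = [0, 15, 54, 57, 83, 92, 101, 106, 149, 154, 163, 172, 198, 201, 240, 255]

def hamming_weight(x: int) -> int:
    return bin(x).count("1")

def mask_weights() -> list:
    """HW of every base mask; 0x00 and 0xFF (adjacent) are the only ones != 4."""
    return [hamming_weight(m) for m in MASKS]

def mask_differences() -> list:
    """m_i XOR m_{i+1 mod 16}: the net mask left on (Sbox input XOR Sbox output)."""
    return [MASKS[i] ^ MASKS[(i + 1) % 16] for i in range(16)]

def bit_flip_probabilities() -> list:
    """For each bit, the probability over the 16 offsets that the mask difference
    flips it. A balanced scheme would give 1/2 for every bit; a value far from
    1/2 means that bit of (Sbox in XOR Sbox out) is visible to a first-order CPA."""
    diffs = mask_differences()
    return [sum((d >> b) & 1 for d in diffs) / 16 for b in range(8)]

def weight_drop_positions() -> list:
    """Indices i where HW(m_i) - HW(m_{i+1}) is maximal: the 0xFF -> 0x00 step
    that the offset-recovery descriptions on this page look for."""
    w = mask_weights()
    drops = [w[i] - w[(i + 1) % 16] for i in range(16)]
    best = max(drops)
    return [i for i, d in enumerate(drops) if d == best]

if __name__ == "__main__":
    print("mask weights       :", mask_weights())
    print("mask differences   :", [hex(d) for d in mask_differences()])
    print("bit flip prob.     :", bit_flip_probabilities())
    print("largest HW drop at :", weight_drop_positions())
```

Only four distinct mask differences occur (0x0F eight times, 0x39 four times, 0x6A and 0xFF twice each), so the masked XOR of S-box input and output agrees with the unmasked value in bit 0 for 14 of 16 offsets and in bit 7 for 2 of 16.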

Liu Junrong, Guo Zheng, Sui Yijie, Shen Xiangxiang, Wang Weijia, Xu Sen, Bao Sigang (SJTU-SHHIC Co-Lab of Data Security and Protection, Shanghai Jiao Tong University), China (December 20, 2013)

This version is an improvement of the previous one, which first fixes the offset of the mask and then mounts a traditional first-order DPA. Two aspects are improved. The first one is selecting some more effective attack points. The other one is taking into consideration the situations where the test trace and the public trace are misaligned. We choose the range of the offset so as to mount the best attack.

Yongbin Zhou, Lin Meng, Hailong Zhang, Yingxian Zheng, Mingliang Feng (State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences), China (December 20, 2013)

2nd-order CPA Attack

Our proposed attack is a 2nd-order CPA attack that considers the joint leakages at two specific moments, when the output of the i_th masked_SBox and the blinding of the (i+1)_th plaintext byte are manipulated respectively. Basically, our proposed attack works mainly due to the following important fact:

Masked_SBox(x_i XOR k_i XOR m_(i+offset)) XOR (x_(i+1) XOR m_(i+1+offset)) = (SBox(x_i XOR k_i) XOR m_(i+1+offset)) XOR (x_(i+1) XOR m_(i+1+offset)) = SBox(x_i XOR k_i) XOR x_(i+1), where the masks m_(i+offset) and m_(i+1+offset) virtually have no effect at all.

1st-order CPA Attack I

Our proposed attack is a 1st-order CPA attack that guesses the random offset in one given trace. Basically, the guessing process is based on finding the maximal difference.

1st-order CPA Attack II

Our proposed attack is a 1st-order CPA attack that guesses the random offset in one given trace. Basically, the guessing process is based on a pattern matching technique.
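The cancellation stated in the 2nd-order description above can be reproduced from the AES S-box and the mask set quoted on this page. The block below is an added example, not code from the contest or from the authors; it assumes the RSM masked S-box for table number j is S(v XOR M_j) XOR M_{j+1}, as the descriptions on this page state.

```python
# Added example, not code from the DPA contest or from any participant: rebuilds
# the AES S-box, the 16 RSM masked S-box tables implied by this page (input
# mask M_j, output mask M_{j+1}) and checks the cancellation quoted above.
MASKS = [0, 15, 54, 57, 83, 92, 101, 106, 149, 154, 163, 172, 198, 201, 240, 255]

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def aes_sbox() -> list:
    """S(x) = affine(inverse(x)); built here so the block needs no table."""
    inv = [0] * 256
    for a in range(1, 256):
        inv[a] = next(b for b in range(1, 256) if gf_mul(a, b) == 1)
    box = []
    for x in range(256):
        v, y = inv[x], 0x63
        for s in range(5):  # y = v ^ rotl(v,1) ^ rotl(v,2) ^ rotl(v,3) ^ rotl(v,4) ^ 0x63
            y ^= ((v << s) | (v >> (8 - s))) & 0xFF
        box.append(y)
    return box

SBOX = aes_sbox()

def masked_sbox(j: int) -> list:
    """RSM table j: absorbs input mask M_j and emits output mask M_{j+1}."""
    return [SBOX[v ^ MASKS[j % 16]] ^ MASKS[(j + 1) % 16] for v in range(256)]

TABLES = [masked_sbox(j) for j in range(16)]

def second_order_cancels(i: int) -> bool:
    """For S-box i, every input y = x_i ^ k_i and every offset: the masked output
    XORed with the blinding mask of byte i+1 equals S(y). The plaintext byte
    x_{i+1} appears identically on both sides, so it is not looped over."""
    for off in range(16):
        j = (i + off) % 16
        for y in range(256):
            if TABLES[j][y ^ MASKS[j]] ^ MASKS[(j + 1) % 16] != SBOX[y]:
                return False
    return True

def masked_output_offsets(i: int, y: int) -> int:
    """How many distinct values the masked output alone takes over the 16
    offsets: a single point still varies, the two-point combination does not."""
    return len({TABLES[(i + o) % 16][y ^ MASKS[(i + o) % 16]] for o in range(16)})
```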

Yongbin Zhou, Lin Meng, Hailong Zhang, Yingxian Zheng (State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences), China (December 27, 2013)

Our proposed attack is a typical template attack. The templates we use for each key byte are built from 9 datasets of public power traces published by DPA Contest v4.

Heorhi Liasneuski, Stanislau Piatrusha (Belarusian State University), Belarus (January 8, 2014)

It is the improved version of the previous attack, which utilizes not only the address into the SubBytes look-up tables but also the value of the found byte.

Benoît Gérard (DGA), France (January 10, 2014)

The attack is composed of two steps and is a profiled attack.

  1. For each trace the masking index is recovered
  2. A standard template attack is performed

For 1, 16 points are considered in the trace. They leak the value of a loop index starting at the masking index value (the offset). A correlation is then performed between these 16 points and the 16 vectors obtained by computing the Hamming weights of the index for the 16 possible offset values. On the available training traces, this technique never fails.

Concerning 2, two points are considered for each Sbox, one leaking the input and one the output. Attention has not been paid to dimension reduction (as in the attack proposed for DPA contest V2), thus the current attack could be drastically improved using such a technique.

Notice that step 1 could be performed in a non-profiled setting by adaptively improving the point selection.

Ofir Weisse, Yossi Oren, Avishai Wool (Cryptography and Network Security Lab, Tel-Aviv University), Israel (January 26, 2014)

The attack is a mix of a template attack trained on only 400 traces and a novel constraint solver.

Extracting the offset is done by trying all 16 mask possibilities, computing the plaintext XOR mask values, and then calculating the probability of those 16 bytes according to the learned template and the given trace. The mask which gives the highest probability is the correct one.

The extraction of the key is done by feeding the partial, imperfect classification results of the template classifier into a custom-built constraint solver. This gives several thousand key candidates. Intersecting these key candidates with the candidates from a second trace usually narrows the size of the candidate group down to 1.

Frank Schuhmacher (Segrids), Germany (February 26, 2014)

The DPA counter measure of the AES implementation is based on a random mask offset j in 0...15.

I use one template matrix to disclose, in a first step, the mask offset j and, in a second step, for each sbox 0...15, one template matrix to disclose the subkey for that sbox.

The second step uses the result of the first step.

Before looking for a given trace, into which template it fits, the trace is transformed using a transformation matrix. The transformation is the combination of two linear mappings: the first is a "pre-whitening", the second is a projection to the first 10 principal components of the signal covariance matrix.

The attack adapts methods presented by Joachim Schüth at the 24th SmartCard Workshop to a target with a high signal-to-noise ratio.

Hideo Shimizu (Toshiba Corporation Corporate Research & Development Center), Japan (February 28, 2014)

Our method is a simple application of a basic template attack. We attack the mask and the output of the sbox concurrently, and combine the results to obtain the key.

Xavier Bodart, Liran Lerman (Université Libre de Bruxelles), Belgium (March 6, 2014)

The attack is divided into two steps. The first step focuses on the discovery of the offset used during the encryption. To realize this, the attack uses a profiled procedure based on the stochastic attack, which uses non-linear models based on Support Vector Machines. Once the offset is estimated, the idea is simply to apply a classical Correlation Power Analysis, using Pearson correlation targeting the Hamming weight of the output of each SBox of the first round.

Anonymous (March 9, 2014)

This attack is a collision attack. It uses Pearson's correlation to detect collisions, which yields the difference between 2 bytes of the key. We recover the difference between byte0 and the remaining key bytes. This reduces the key space to 256, and the full round key can be recovered with a brute-force attack.

Tsunato Nakai, Daiki Tsutsumi, Takaya Kubota, Mitsuru Shiozaki, Takeshi Fujino (Ritsumeikan University), Japan (March 10, 2014)

The attack is one of the non-profiling attacks, utilizing Hamming distance (HD) CPA with a guess of the random offset. First, we calculated an F-test using the plaintexts and (<) 45 traces to find the points of the masking operation, since the random masking value is loaded near the loading of the plaintext. Then, this attack guesses the random offset of each trace by calculating the correlation coefficients between the Hamming weight and the points of the masking operation. Next, this attack operates CPA using the guessed Hamming distance (between masked input and masked output) in order to reveal the secret key. In this attack, the correct answer rate (correct random-offset rate) was about 77%.

Anonymous (March 26, 2014)

We attempt to recover the offset for each trace. The power traces leak the Hamming weight (HW) of each offset, and so we can choose 16 points in time that correspond to the offset for each trace. We correlate these 16 points against the 16 possible HW vectors. The offset is taken to be the location of the maximum correlation. Once the offset is known, we can launch a standard first-order DPA attack, attacking the SBOX output.

Zdenek Martinasek, Ondrej Zapletal (Faculty of Electrical Engineering and Communication, Brno University of Technology), Czech Republic (April 1, 2014)

The attack consists of two steps. In the first step the offset value is revealed. For this purpose, the attack uses a profiled procedure based on neural networks. The second step performs Correlation Power analysis targeting the output of the AES SubBytes function.

Yongbin Zhou, Yingxian Zheng, Hailong Zhang, Guangjun Fan, Lin Meng (State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences), China (April 8, 2014)

Our proposed attack is a PCA-based template attack that guesses the random offset in one given trace. The attack consists of the following two consecutive steps: step 1) a template matrix is used to reveal the random offset; and step 2) a PCA-based template matrix is used to reveal the subkey for the targeted sbox.

Liu Junrong, Zeng Zhong, Guo Zheng, Gu Dawu, Xu Sen, Wang Weijia (SJTU-SHHIC Co-Lab of Data Security and Protection, Shanghai Jiao Tong University), China (June 9, 2014)

This is a profiling attack based on Support Vector Machine (SVM) techniques. The attack targets include the offset and the input and output of each S-box. For each target, we extracted 320 feature points from the power traces. Our attack method involves two stages: the learning phase and the attack phase. In the learning phase, we applied SVM classification to 8000 traces and learned the SVM classifiers for all the attack targets. When all the classifiers have finished training, they can be used to predict the actual values of all the targets in the test traces. Finally, we combine the predictions for the offset and the input and output of each S-box to determine the key byte for each S-box. The 16 key bytes form the first 128 bits of the entire AES key.

Li Yang, Wang Weiqi, Zhang Chi (Shanghai Fudan Microelectronics Group Company Limited), China (September 17, 2014)

We built templates for both the mask offset and the sbox. As for the sbox, templates for both inputs and outputs are built, so that by comparing the key guessed from the sbox input with that from the output, we managed to retrieve the correct key using only one trace with almost 100% probability (we have tested it with the 2000 traces available on the contest website that were not used to build the templates; the accuracy is exactly 1).

Zhang Chi, Li Yang, Wang Weiqi (Shanghai Fudan Microelectronics Group Company Limited), China (October 28, 2014)

We find that the mask 0x00 always turns up after 0xFF (except when the offset is 0). Their Hamming weights are 0 and 8, so there is a salient fall between them. We can retrieve the offset by locating the position of the fall. Then we can calculate the Hamming weight of the output of the sboxes just as for the simple AES algorithm. And since these traces have been aligned, we can choose a few points to reduce the calculation.