Correlation Power Analysis (CPA) Technical Guide

Basic Principles

Correlation Power Analysis (CPA), also known as power attack, is a side-channel power analysis method. It operates by establishing correlations between hypothetical models and actual power consumption to derive the correct data model. The key is determined by selecting the value with the highest correlation.

How to Use CPA to Decrypt Encryption Keys

1. Finding Leakage Points

Power analysis typically focuses on processes with the highest power consumption. In AES, for example, the SubBytes operation consumes noticeably more power due to the presence of S-box and table lookups. The first round is often targeted since it involves the original key.

Important Note: We focus on leakage points where power consumption is most obvious, particularly after S-box lookup. This is because:

Registers show distinct power consumption P_{data} during value assignment
At the assembly level, S-box operations require multiple move instructions for value retrieval and decoding
The matrix operations after S-box cause power leakage due to large matrix movements
The magnitude of high-low level transitions (0-1) increases significantly during these operations

2. Measuring Actual Power Consumption

Using AES-128 as an example:

Select N plaintexts and group them into 128-bit blocks (typically arranged as 16 bytes in a 4x4 matrix)
Set variable PT_i (plaintext divided into 16 groups), example:
1
32 43 f6 a8 88 5a 30 8d 31 31 98 a2 e0 37 07 34
Where PT_0=32, PT_1=43, etc.
Obtain the power trace T = D * T and establish the power matrix:

$ T={t’0={t{0,1},…,t’_{0,T}}} $

This represents D total power traces, each containing T sampling points.

3. Modeling Power Consumption for Intermediate/Leakage Values

For AES analysis:

Set up a hypothetical key set:

$K=(k1,...,K_k), where \ k ∈ 2^8$
Choose a matrix shape corresponding to the plaintext (N * k)
Calculate model power consumption at leakage point:

$HW(f(T*K))$

Note: For each BYTE, the power intermediate value matrix is N * K (simplified)

4. Mapping Linear Correlation Calculation

Create a mapping between modeled and actual power consumption matrices:

For the nth trace with plaintext PT_n:
- Intermediate value/hypothetical power matrix = $HW(sbox(PT_n,K))$
- Corresponding to $T_n={t'_n={t_{n,1},...,t'_{n,T}}}$
Calculate correlation using the formula:

$r_{ij} = \frac{\sum_{i=0}^N (h_{N,i} - \bar{h_{N,i}})(T_{N,i} - \bar{T_{N,i}})}{\sqrt{\sum_{d=1}^D (h_{i,j} - \bar{h}_{i,j})^2} \sqrt{\sum_{d=1}^D (T_{i} - \bar{T}_{i})^2}}$

Where:
- $r_{ij}$ represents the score at point J when the key is i
- i={0,…,256}, j∈{0,T}

5. Implementation Example

Using plaintext:

1	32 43 f6 a8 88 5a 30 8d 31 31 98 a2 e0 37 07 34

And key:

1	00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f

Implementation steps:

Randomly select plaintexts p_1,p_2,…,p_N
Record traces (voltage v, T samples per trace)

For each byte (1:16):

1
2
3

For k = 0:255 (all possible keys)
    For sampling point m = 0:M
        Calculate correlation

Final correlation power matrix shape: 255:M

Example analysis of element (1,1):
- Value = cor(HW(:N,0),T(:N,0))
- Physical meaning: correlation between hypothetical key 0’s Hamming Weight with all traces and actual power curve at point 0
- N (trace count) is crucial for correlation attack effectiveness

Important Considerations

Correlation Definition:
- Uses Pearson binary correlation between hypothetical and real power consumption
- Analysis performed across entire curve
- Proven that correlations between different leakage points are random
Implementation Notes:
- Must maintain precise correspondence between hypothetical and real power consumption
- Compare correlation scores between each row and guessed values
- Proper timing and synchronization are crucial for accurate results

CPA（相关功耗分析）基本原理

CPA，即相关功耗分析，也称为功耗攻击。它是一种功耗分析侧信道方式，通过建立假设模型与实际功耗的相关性，来推导出正确数据的模型，并选出相关性最大的值来确定密钥。

如何使用CPA解密加密密钥

寻找泄漏点：通常考虑功耗消耗最大的过程。例如在AES中，SubBytes由于sbox存在，查表进栈耗能明显，而由于密钥是原始密钥，选取第一轮相对容易。

注意我们关注的泄漏点都是功耗比较明显的地方，比如SBOX之后的查找。这是因为寄存器在赋值的时候，数据功耗会相对明显 $P_{data}$ .
理解：
这里我们可以用汇编层以下的代码去理解
比如SBOX 会多次运用move指令取值译码
SBOX之后的矩阵同样会mova大矩阵导致功耗泄露，这里的0 1（高低电平转换量级就会增加）
测量实际功耗：（以AES-128为例）
1. 选择N个明文并分组，每组128位（通常分为16字节，4x4矩阵）。设置变量 $PT_i$ （明文分为16组），例如：
  
  32 43 f6 a8 88 5a 30 8d 31 31 98 a2 e0 37 07 34
  
  $PT_0=32$ ， $PT_1=43$ ，依此类推。
  
  然后我们获取此明文的功耗迹T= D * T，并设置对应功耗矩阵T= $\{t'_0={t_{0,1},...,t'_{0,T}}\}$ ，表示总共对应的D条能量迹，每条能量迹有个T个采样点。
确定中间/泄露值的建模功耗：

对于AES而言，由于第一轮SBOX存在密钥原始值和明文的暴露，我们选取SBOX过程作为我们攻击的过程。
1. 设定一组假设密钥集合K=( $k1,...,K_k$ ),其中 $k \in 2^8$
2. 选择与明文对应的矩阵形状，这里为得到假设密钥集合N * k
3. 计算泄漏点的模型功耗，这里即 HW（ $f（T*K)$ ））
  
  说明对于每个BYTE，这个功耗中间值矩阵为 N * K,这里简化了
映射线性相关度计算（实际值与假设值之间）：

我们将上述功耗和已经得到的真实功耗矩阵做一个映

以一条功耗曲线为例，取第n条trace，对应的明文为 $PT_n$ 那么他的中间值/假设功耗矩阵即HW( $sbox(PT_n,K)$ 对应的 $T_n$ = ${t'_n={t_{n,1},...,t'_{n,T}}}$

利用下面的相关性公式计算. 我们求出这条曲线上每个点（J）的相关性得分，注意,由于目前只有一条曲线，那我们的均值和标准差

$r_{ij} = \frac{\sum_{i=0}^N (h_{N,i} - \bar{h_{N,i}})(T_{N,i} - \bar{T_{N,i}})}{\sqrt{\sum_{d=1}^D (h_{i,j} - \bar{h}_{i,j})^2} \sqrt{\sum_{d=1}^D (T_{i} - \bar{T}_{i})^2}}$

数据说明， $r_{ij}$ i是代表密钥为i，能量迹在J点的得分

显然 $i={0,..256},j\in{0,T}$
以一个明文为例：32 43 f6 a8 88 5a 30 8d 31 31 98 a2 e0 37 07 34，密钥为 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
编码实现：
1. 随机选择明文， $p_1,p_2,..p_N$ ，记录迹象（即电压v，每个能量迹T有$T个T采样）。
2. 对于字节 = 1:16（猜测每个密钥字节）
  1
  2
  3
  对于k = 0:255（所有猜测分类）
  对于采样点m = 0:M
  因此，最后的相关性性功耗矩阵形状为255：M
3. 以具体的第一个元素举例（1，1）
  这个值是cor (HW（：N，0）,T(:N,0)) [物理意义为，假设密钥0与所有trace 的HW 与实际的功耗曲线 0 点相关性， N trace 数量，这也是影响相关性攻击的关键] for CPA code
  
  正确的攻击点与正确的功耗

注意：相关性的定义清楚和牢记

皮尔逊二元相关性我们这里具象的是假设功耗与真实功耗
我们具体计算的时候是整条曲线做相关性分析（且这里已有结论证明不同泄露点之间相关性随机）
因此，实际工程代码中，我们要注意假设功耗与真实功耗的对应,然后才是对比每行相关性与猜测值相关性的比分。