Hi, I need some advice on an analysis I am doing for my research. Disclosure: I don’t have much background in security. My research focuses on computer hardware. So any advice/suggestions you have for me would be much appreciated.
I am trying to carry out a power side channel analysis on the CW-NANO platform. I am trying to attack the modulus operation, which seems to be most typically implemented as a division to get the remainder. For the M0 CPU used in the CW-NANO, division is implemented in software. Looking at the assembly code, this operation is implemented as a sequence of shifts and subtracts.
In my case, the dividend
a is known to the attacker already. So its just a matter of finding the divisor
b to recover the remainder (i.e.,
r = a%b) . First, I did a test to see if the number of cycles required would vary based on the dividend (a) and the divisor (b). Here is a table of the time taken (in CPU cycles) for different combinations of
a/b on the ARM-M0 CPU.
Its therefore pretty easy to establish the range of
b based on the time taken for division. Next, I wanted to see, for the range of values which take the same amount of time, is the power trace different? So, I captured traces of
200/b and then subtracted the average of all traces and plotted them. Here is that graph:
To me, it seems like there are significant differences based on the value being used. A few caveats: 1) I plotted only powers of 10 for simplicity but ideally, I’d like this to work for all values of
b and 2) I took 100 traces for each
b value and they are all identical.
My question is: how should I go about ‘predicting’ the value of
b given a trace? I’m not sure CPA is the right approach since there isn’t a single ‘peak’ similar to the Hamming weight. Would multi-variate CPA work? Or should I try to train some type of classification model to see if that can predict the value? Thank you!