Need help understanding DPA

in the DPA algorithm I am having a bit of a hard time understanding why we select the LSB of the output of the sbox table and then separating the traces depending on if the LSB == 0/1. How does calculating the max( mean(onesarray)-mean(zerosarray)) help us find the correct byte.

Our best attempt at explaining DPA is in our sca101 labs.
You may find it useful to read Kocher’s original DPA paper:


There’s no particular reason to pick the LSB. You can pick any other bit and the attack should work the same way. You could even do a full 0xFF (HW = 8) vs 0x00 (HW = 0), though you’d end up throwing most of your traces out since those Hamming weights are pretty rare. Basically, we’re just looking for a way to skew the averages of the Hamming weights of our two groups. If we’ve grouped our traces correctly (i.e. our key guess is right), we should also see this difference in averages reflected in the power traces. If not, the average between the two groups should be roughly equal.


Sure, so the trick is that if we get alot of difference between zerosarray and onesarray then we most likely have found the correct key. Whereas if the difference is minimal then most likey we picked a wrong one!

1 Like