Side-Channel Power Analysis Series - Part 4 of 7
| Part | Title | Status |
|---|---|---|
| 1 | The Gap Between Mathematical Security and Physical Reality | |
| 2 | Why Does Power Consumption Leak Secrets? | |
| 3 | AES - Understanding What We Are Attacking | |
| 4 - You are here | SPA, DPA and CPA - The Attack Ladder | |
| 5 | Hardware Setup and First Connection - Let’s Actually Do This | |
| 6 | Compiling Firmware, Setting Up Capture and Getting Your First Real Power Trace | |
| 7 | I Stole an AES Key by Watching a Chip’s Power Consumption | |
Okay so if you have been following this series from the beginning, you now know a lot of things already.
You know that power consumption leaks information about what the chip is doing. You know that more 1s in a value means more power consumed. You know what Hamming Weight is. You know how AES works internally and why we attack Round 1.
Now the real question - how do we actually use all of that to find the secret key?
That is exactly what this blog is about.
There are three attack types - SPA, DPA, and CPA. Think of them as a ladder. Each rung exists because the one below it failed on harder targets. By the end of this blog you will understand all three. And more importantly, you will understand why we need CPA to attack AES.
What I Found Confusing (And Now Don’t)
When I first heard “SPA, DPA, CPA” - I had no idea what these were. Three different attacks? Why three? Can’t you just do one?
The answer is - each one was invented to solve a problem the previous one couldn’t handle. Once you see that, the ladder makes perfect sense.
The Attack Ladder - Why Three Levels Exist
Let me give you an analogy first.
Imagine you are trying to find out someone’s ATM PIN just by watching them.
Level 1 - you stand behind them and directly watch their fingers. You see them press 4 keys. You got the PIN. Simple. Direct. Works only if you can see clearly.
Level 2 - you cannot see their fingers. So you watch 100 different people use the same ATM and notice that the machine responds slightly differently depending on what they press. You compare the responses. You find the pattern.
Level 3 - you build a model of exactly how the machine should respond for every possible PIN. Then you measure how well your model matches what you actually observed. Most precise. Works even when there is noise.
That is the ladder.
- SPA = Level 1 - Simple Power Analysis
- DPA = Level 2 - Differential Power Analysis
- CPA = Level 3 - Correlation Power Analysis
Each one needs more effort than the one before. But each one also works on harder targets.
SPA - Simple Power Analysis
Full form: Simple Power Analysis
SPA is the most basic attack. You capture one power trace and you read the secret directly from it by just looking at the shape.
Now you might be thinking - how can you read a secret just by looking at a graph?
Here is how it works on RSA.
RSA does two types of operations when encrypting - squaring and multiplication. And here is the key thing - multiplication consumes more power than squaring. Noticeably more. Visibly more on a trace.
So if the key bit is 1 - the chip does both squaring AND multiplication. Big spike on the trace.
If the key bit is 0 - the chip does squaring only. Small spike on the trace.
You literally read the key bit by bit just by looking at the spike heights.
Big spike = bit is 1. Small spike = bit is 0. That simple.
Why SPA Fails on AES
Now here is where it gets interesting.
In RSA, every key bit causes a visibly different operation. Bit 1 does multiplication. Bit 0 does squaring only. The operations are structurally different. You can see them with your eyes.
In AES, every byte goes through the same operations regardless of what the key value is. AddRoundKey, SubBytes, ShiftRows, MixColumns - these always happen. Whether your key byte is 0x00 or 0xFF, the trace looks the same to the eye.
RSA trace - clearly readable. AES trace - uniform. Looks like a wall of spikes with no obvious pattern.
The difference in AES is tiny. Hidden in noise. Not visible to the eye.
So one trace is not enough. We need statistics. That is why SPA fails on AES and we move to DPA.
DPA - Differential Power Analysis
Full form: Differential Power Analysis
When SPA fails, we do not give up. We collect many traces and use statistics to find the pattern.
Here is an analogy that helped me understand this.
Imagine a classroom of 1000 students. You want to know if eating breakfast makes students taller on average. You cannot directly check who ate breakfast. But you split them by shoe size - big shoe on one side, small shoe on the other. You measure the average height of both groups. You subtract.
If shoe size is related to breakfast habits - a real difference appears. If shoe size has nothing to do with breakfast - the difference is zero.
That is exactly DPA.
How DPA Works on AES - Step by Step
You capture 1000 power traces. Each trace used a different random plaintext. You saved all the plaintexts.
Step 1 - Make a guess.
You guess that the first byte of the key is 0x2B.
Step 2 - Calculate for each trace.
For each trace, you take the plaintext byte, XOR it with your guess 0x2B, pass it through the S-Box, and look at the last bit of the result. You get either 0 or 1.
Step 3 - Split into two groups.
Traces where the last bit was 1 → Group A. Traces where the last bit was 0 → Group B.
Step 4 - Average and subtract.
Average all Group A traces together. Average all Group B traces together. Subtract one from the other.
If 0x2B was the wrong guess → your split was random → the difference is a flat line → nothing.
If 0x2B was the correct guess → your split was meaningful → a spike appears in the difference.
That spike is the key leaking out.
Step 5 — Try all 256 possible values.
You repeat this for all 256 possible values of the first key byte. The one that produces a spike — that is your real key byte. Then you repeat for all 16 bytes of the key.
Why More Traces = Stronger Attack
You might be wondering - why do we need 1000 traces? Can we do it with 10?
Here is the thing. One AES trace looks like noise. The real signal is buried inside it. Too small to see.
When you average 500 traces from Group A, the random noise cancels out. The tiny real signal survives. Same for Group B. Now when you subtract - the real difference becomes visible as a spike.
More traces = more averaging = noise cancels better = cleaner spike = stronger attack.
That is why DPA needs hundreds of traces. One is never enough.
CPA - Correlation Power Analysis
Full form: Correlation Power Analysis
CPA is the modern standard. It is what ChipWhisperer is built for. It is what actually breaks AES in practice.
DPA was a big step forward. But it had a weakness - it only used the last bit of the S-Box output to split traces into two groups. That throws away a lot of information.
CPA uses all the information. Instead of splitting into groups, it calculates a correlation score directly.
What is Correlation?
Before I explain CPA fully, I need to explain correlation - because I had no idea what this word meant when I started.
Forget power traces for a second.
Imagine you track two things every day for a month. How many hours you slept. And how energetic you felt the next day.
Every day you write it down.
- Slept 8 hours → felt very energetic
- Slept 4 hours → felt very tired
- Slept 7 hours → felt pretty good
- Slept 3 hours → felt exhausted
You notice — every time sleep goes up, energy goes up. Every time sleep goes down, energy goes down. They move together.
That is high correlation.
Now imagine tracking sleep and how many clouds are in the sky. Some days you sleep well and there are lots of clouds. Some days you sleep badly and the sky is clear. No pattern. They do not move together.
That is zero correlation.
Correlation is just a score that answers one question: do these two things move together?
- Score close to 1 → yes, they move together
- Score close to -1 → they move in opposite directions
- Score close to 0 → no relationship
No formula needed. Just the idea.
How CPA Works on AES — Step by Step
Step 1 - Capture 1000 traces. Save all plaintexts.
Step 2 - Guess one key byte. Start with 0x00.
Step 3 - Calculate predicted power for each trace.
For each trace - take the plaintext byte, XOR with your guess, pass through S-Box, count the number of 1s in the result. That count is your predicted power number. This is Hamming Weight - we already learned this in Blog 2.
You do this for all 1000 traces. Now you have 1000 predicted power numbers on paper.
Step 4 - Compare predicted vs actual using correlation.
You now have two lists:
- List 1 → your predicted power numbers (calculated on paper from your guess)
- List 2 → the actual power measurements from the chip
You ask - do these two lists move together?
When your predicted number goes up, does the actual chip power also go up? If yes — high correlation. Your guess was likely correct.
If there is no pattern - low correlation. Wrong guess.
Step 5 - Try all 256 possible values for that key byte.
You repeat steps 2 to 4 for all 256 possible values. Each guess gets a correlation score.
Step 6 - Highest score wins.
The key guess that produces the highest correlation with the real power measurements - that is your real key byte.
Step 7 - Repeat for all 16 bytes.
AES-128 has a 16-byte key. You run this process 16 times, once per key byte, recovering one byte each time. After 16 passes - you have the full 128-bit key.
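The DPA steps (split on the last S-Box output bit, average, subtract) and the CPA steps (predict Hamming Weight, correlate) run end to end, as an added example that is not from the original post or from the ChipWhisperer project: the target is a constructed simulation whose power sample at one time point leaks the Hamming Weight of the Round 1 S-Box output for a key byte of 0x2B, and the S-Box is generated in code rather than typed in.

```python
import random
def _gf_mul(a, b):                    # multiply in GF(2^8) modulo the AES polynomial 0x11B
    r = 0
    for _ in range(8):
        if b & 1: r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r
def _sbox_entry(x):                   # GF(2^8) inverse (x^254, which sends 0 to 0), then the affine map
    inv = 1
    for _ in range(254): inv = _gf_mul(inv, x)
    rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63
SBOX = [_sbox_entry(x) for x in range(256)]   # generated, not typed in: SBOX[0x53] == 0xED
HW = [bin(v).count("1") for v in range(256)]  # Hamming Weight lookup table
def simulate_traces(key_byte, n=2000, samples=6, leak_at=3, noise=0.5, seed=1):
    # Constructed stand-in for a capture: noise at every point, plus HW(SBOX[pt ^ key]) leaking at leak_at
    rng, pts, traces = random.Random(seed), [], []
    for _ in range(n):
        pt = rng.randrange(256)
        tr = [rng.gauss(0.0, noise) for _ in range(samples)]
        tr[leak_at] += HW[SBOX[pt ^ key_byte]]
        pts.append(pt); traces.append(tr)
    return pts, traces

def dpa_best_guess(pts, traces):      # DPA: split on the last S-Box output bit, subtract group averages
    n_s, scores = len(traces[0]), []
    for g in range(256):
        sums, cnt = [[0.0] * n_s, [0.0] * n_s], [0, 0]
        for pt, tr in zip(pts, traces):
            b = SBOX[pt ^ g] & 1                      # Group A if 1, Group B if 0
            cnt[b] += 1
            for j, v in enumerate(tr): sums[b][j] += v
        scores.append(max(abs(sums[1][j] / cnt[1] - sums[0][j] / cnt[0]) for j in range(n_s)))
    return max(range(256), key=lambda g: scores[g])   # tallest spike wins

def cpa_best_guess(pts, traces):      # CPA: correlate predicted HW with every sample point
    n, scores = len(traces), []
    cols = [(c, sum(c) / n) for c in zip(*traces)]    # one list of measurements per sample point
    cols = [(c, m, sum((y - m) ** 2 for y in c)) for c, m in cols]
    for g in range(256):
        h = [HW[SBOX[pt ^ g]] for pt in pts]          # List 1: predicted power numbers
        mh = sum(h) / n; vh = sum((x - mh) ** 2 for x in h)
        best = 0.0
        for c, mc, vc in cols:                        # List 2: actual measurements
            cov = sum((x - mh) * (y - mc) for x, y in zip(h, c))
            best = max(best, abs(cov) / (vh * vc) ** 0.5)   # Pearson correlation
        scores.append(best)
    return max(range(256), key=lambda g: scores[g])   # highest correlation wins
```

Both functions return the guess with the tallest spike or highest correlation; on this data both land on 0x2B.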
Why We Only Attack Round 1
You might be asking - AES does 10 rounds. Why do we only look at Round 1?
Because Round 1 is where the key fingerprint is still visible. The S-Box input is just one plaintext byte (which we know) XORed with one key byte (which we guess), so every one of the 256 guesses gives a concrete prediction we can check. The S-Box has just run. The data has not been scrambled through 9 more rounds yet.
By Round 10 everything is so mixed up that the key signal is buried beyond recovery. Round 1 is the weakest point. That is why we attack it.
CPA vs DPA - What is the Difference?
Both do the same core thing - collect many traces, make a guess, check if the guess is correct.
But:
DPA splits traces into two groups based on one bit. Rough. Needs more traces. Less precise.
CPA uses all the information from the Hamming Weight - not just one bit. Calculates correlation directly. More precise. Needs fewer traces.
CPA replaced DPA as the standard because it works faster and more reliably.
Why ChipWhisperer is Built for CPA
ChipWhisperer does everything we described above automatically.
It captures the traces. It saves the plaintexts. It runs the CPA calculation for all 256 guesses for all 16 key bytes. It plots the correlation scores. The tallest spike on the graph — that is your key byte.
In Blog 5 we will actually do this. Connect the CW-Lite ARM to the CW303 target board. Capture real traces. Run the CPA attack. Watch the key appear on screen.
Everything we learned in this blog - you will see it happen live.
What I Found Confusing (And Now Don’t)
“Why do we need to XOR with our guess?” Because we are trying to simulate what the chip computed inside. We do not know the real key. So we guess it and simulate the computation on paper. Then we check if our simulation matches reality.
“Why does correlation work?” Because if our guess was correct, our predicted power numbers will follow the same pattern as the real chip measurements. They will move together. That is exactly what correlation measures.
“Why 256 guesses per byte?” One byte = 8 bits = 256 possible values (0x00 to 0xFF). We try all of them. The best match is the answer.
“Why not just brute force the full key?” AES-128 has a 128-bit key. Brute forcing all possible values would take longer than the age of the universe. CPA attacks one byte at a time. 16 × 256 = 4096 guesses total. That is very fast.
What We Learned - Glossary
SPA (Simple Power Analysis) - reading the secret key directly from one power trace by looking at spike shapes. Works on RSA. Does not work on AES.
DPA (Differential Power Analysis) - collecting many traces, splitting them into two groups based on a key guess, averaging each group, subtracting to find a spike. The spike reveals the correct key guess.
CPA (Correlation Power Analysis) - the modern standard. For each key guess, predicts what the power should look like using Hamming Weight, then calculates how well that prediction matches real measurements. Highest correlation = correct key.
Correlation - a score that measures how well two things move together. Close to 1 means strong relationship. Close to 0 means no relationship.
Hamming Weight - the count of 1s in a binary value. More 1s = more power consumed by the chip. This is how we predict power from a key guess.
Hypothesis testing - making a guess, predicting what should happen if the guess is correct, then checking reality. CPA is built on this idea.
Key byte recovery - in CPA we recover the key one byte at a time. 16 bytes total for AES-128.
What is Coming in Blog 5
Blog 5 is where everything gets real.
We will take the CW-Lite ARM, connect it to the CW303 target board, and run an actual CPA attack. We will capture real power traces, run the correlation calculation, and watch the AES key appear on screen byte by byte.
All the theory from this blog — you will see it working on real hardware.
→ Blog 5: ChipWhisperer Setup and First Capture
If this blog helped you understand SPA, DPA, and CPA — share it with someone who is just starting out in hardware security. We were all beginners once.