Changes

Here we will assume the attack has a power trace <math>t_{dAddRoundKey(state,j}</math>w[0, where <math>j = Nb-1,2,\cdots,T</math> is the time index in the trace, and <math>d = 1,2,\cdots,D</math> is the trace number. Thus the attacker makes <math>D</math> measurements, each one <math>T</math> points long. If the attacker knew ''exactly'' where a cryptographic operation occurred, they would need to only measure a single point such that <math>T=1</math>. For each trace <math>d</math>, the attacker also knows the plaintext or ciphertext corresponding to that power trace, defined as <math>p_d</math>.])

Assume also the attacker has a model of how the power consumption of the device depends on some intermediate value. For example the attacker could assume the power consumption of a microcontroller was dependent on the hamming weight of the intermediate value. We will define <math>h_{d,i} for round = l1 step 1 to Nr–1 SubBytes( w( p_d, i state))< //math>, where <math>l-- Attack this point in round 1! ShiftRows(xstate)</math> is the leakage model for a given intermediate value MixColumns(state) AddRoundKey(state, and <math>w[round*Nb, (p, iround+1)</math> generates an intermediate value given the input plaintext and the guess number <math>i = *Nb-1,2,\cdots,I</math>.])end for

This intermediate value will be selected to depend on the input plaintext and a small portion of the secret key. For example with AESSubBytes(state)ShiftRows(state)AddRoundKey(state, w[Nr*Nb, each byte of the plaintext is XOR'd with each byte (subkeyNr+1)*Nb-1]) of the secret key. In this example we would have:

out = state<blockquote/pre>This might look pretty complex, but we only need to worry about one part of the algorithm. After the first <mathcode>lSubBytes(x) = HammingWeight(x)</mathcode>step, the state is effectively<mathpre>w// State after AddRoundKey(p, i) and SubBytes()state = p \oplus i</math>sbox[in ^ key]</blockquotepre>This implies that the input plaintext where <mathcode>psbox</mathcode> is being attacked a single byte at a time, which means lookup table used in AES. This is an effective point to attack. If we are attacking know that a single byte of the AES key at a time. While we still need to enumerate all possibilities for this subkey, we now only have plaintext is <math>16 \times 2^8p_d</math> instead of <math>2^{128}</math> possibilities for AES-128., then our modeled power consumption will be

We will be next using the correlation coefficient to look for a linear relationship between the predicted power consumption <math>l(x)</math> and the measured power consumption <math>t_h_{d,ji}</math>. For this reason it is desirable to have a non-linear relationship between <math>w(p, = \text{sbox}[p_d \oplus i)]</math> and either <math>p</math> or <math>i</math>, as we will otherwise see a linear relationship for all values of <math>i</math>. In this case we take advantage of the non-linear substitution boxes (S-Boxes) in the algorithm, which are simply lookup tables which have been selected to have minimal possible correlation between the input and output. The emphasis on minimum possible correlation between input and output is a requirement to avoid certain linear cryptographic attacks.

FinallyThen, we can calculate proceed with the correlation coefficient for each point attack as described above. Since we are attacking one byte of the key at a time, we will have to try <math>jI = 2^8</math> over all traces <math>D</math>, values for each of the possible subkey values <math>I</math>. Then, as there are 16 bytes in the following: <blockquote>key, so our attack will take <math>{r_{i,j}} = 16 \frac{{\sum\nolimits_{d = 1}times 2^D {\left[ {\left( {{h_{d,i}} - \overline {{h_i}} } \right)\left( {{t_{d,j}} - \overline {{t_j}} } \right)} \right]} }}{{\sqrt {\sum\nolimits_{d 8 = 1}^D {{{\left( {{h_{d,i}} - \overline {{h_i}} } \right)}^2}} \sum\nolimits_{d = 1}^D {{{\left( {{t_{d,j}} - \overline {{t_j}} } \right)}^2}} } }12}</math></blockquote>time. This is simply Pearson's correlation coefficient, given belowan enormous improvement over trying every possible key, where which would take <math>X = p</math>, and <math>Y = t</math>: <blockquote><math>{\rho _{X,Y}} = \frac{{{\mathop{\rm cov}} \left( {X,Y} \right)}}{{{\sigma _X}{\sigma _Y}}} = \frac{{E\left[ {\left( {X - {\mu _X}} \right)\left( {Y - {\mu _Y}} \right)} \right]}}{{\sqrt {E\left[ {{{\left( {X - {\mu _X}} \right)}2^2}} \right]} \sqrt {E\left[ {{{\left( {Y - {\mu _Y}} \right)}^2}} \right]} }128}</math></blockquote>The problem of finding a known signal in a noisy measurement exists in many other fields beyond side-channel analysis. These two equations are referred to as the ''normalized cross-correlation'', and frequently used in digital imaging for matching a known `template' to an image, e.g. finding the location of some specific item in a photo of a roomtime.