DPA on Modular Addition Sample Clauses

DPA on Modular Addition. To attack a full addition we need to guess 64 unknown bits. This leaves us with 264 possible candidates. As it is not feasible to correlate the traces with this number of key candidates, we apply a divide-and-conquer strategy similar to the one in [27]. We pick an 8-bit part of the computation result called the sensitive variable. We start the attack on a 64-bit word with the least significant 8 bits of the words. We craft the selection function S(M, k∗) as follows for k16, where M is part of the input message (w[9], w[14]) and k∗ is the key byte we make a hypothesis on. S(M, k∗)k16, bit 0−7 ← ((σ1(w[14]) + w[9]) mod 28)+ k∗ (9) Next, we create the table V containing all possible intermediate values by adding k∗ 0,..., 255 to each 8-bit message. The addition of k∗ is not reduced by 28, that means the intermediate values have a length of at most 9 bits. The trace set contains T traces, each trace consists of N time samples and there are 256 key