
Practical Aspects of Vertical Side-Channel Analyses on HMAC-SHA-2

Lukas Vlasak¹ [0000-0003-1141-2388], Antoine Bouvet¹ [0000-0002-4364-8371], and Sylvain Guilley²,³ [0000-0002-5044-3534]

¹ Secure-IC S.A.S., Cesson-Sévigné, France, [email protected]
² Secure-IC S.A.S., Paris, France, [email protected]
³ Télécom Paris, Paris, France, [email protected]

Abstract. Cryptographic hashing with secret key is widely used for message authentication, e.g., in the popular HMAC protocol. This algorithm is a suitable target for vertical Side-Channel Analyses. In practice, such analyses involve various attacks on intermediate computations to recover security critical information. If the hash function is SHA-2, an attacker compares an expected leakage model of modular addition and logical AND operations with the side-channel activity. In both cases, there are practical constraints that lead to errors in correlation-based analyses and make security assessment difficult. This becomes even more apparent when the target of evaluation is not theoretical values but a real device. We discuss these practical aspects and show a real evaluation on an embedded implementation.

Keywords: Side-Channel Analysis · SHA-2 · HMAC · Leakage model · Correlation Power Analysis · Normalized Inter-Class Variance

1 Introduction

Side-Channel Analyses (SCAs) have been extensively discussed on block ciphers. In this context, the Advanced Encryption Standard (AES) is considered a paragon representing symmetric cryptography. Nevertheless, other algorithms also use secret keys and should therefore be equally protected. The Keyed-Hash Message Authentication Code (HMAC) (RFC 2104) is one of them. This protocol has multiple applications such as authentication or key derivation. It is a symmetric primitive that uses the secret key in combination with a cryptographic hash function to ensure authenticity and integrity of the messages. Interestingly, owing to the nature of the hash functions, the exploitation turns out to be non-trivial. Several attack steps are required to extract the secret key on a word-by-word basis. However, the existing literature does not describe the necessary details for this analysis to succeed in practice. For example, SHA-256 involves the non-bijective AND function and linearly dependent modular additions. The importance of Points of Interest (PoIs) detection in this context has not been sufficiently reported.
2 L. Vlasak et al.

Related Works. The side-channel attack paths on HMAC have been discussed in the state-of-the-art. McEvoy et al. [15] present a complete theoretical attack on this scheme using Differential Power Analysis (DPA) in a Hamming Distance leakage model. This approach is generalized for a Hamming Weight leakage model and developed by Belaïd et al. [1]. Schuhmacher [19] further explores attacking the last round of SHA-2. Belenky et al. [2] present a template attack on a parallel hardware design. Benoit and Peyrin [3] present analyses for multiple candidates for the successor SHA-3. Oswald et al. [18] present attacking possibilities for SHA-1. PoI detection has been widely used to improve SCA. Kim et al. [12] describe the usage of PoI to practically perform vertical SCA on RSA. Zheng et al. [21] stress the importance of PoI detection in practical SCA. Jungk and Bhasin [11] use Normalized Inter-Class Variance (NICV) to improve their SCA of the ChaCha20 stream cipher. They also use a leakage model based on prior results to analyze modular additions. Furthermore, Do et al. [7] present two new techniques to extract PoI.
Contributions. In this paper, we propose some adjustments to the existing methodology for vertical SCAs on HMAC-SHA-2, and extend it to an applicable level in a leakage assessment context. We explore some practical constraints of SCAs on modular additions and logical AND operations and use PoI detection to make them exploitable. Indeed, we successfully apply our analysis methodology to electro-magnetic (EM) traces acquired on an STM32 Nucleo device, and show how the security evaluation of a target implementing HMAC-SHA-2 can be conducted. Besides, we establish that classical vertical SCAs such as DPA [13] or Correlation Power Analysis (CPA) [5] are realistic threats to hashing-based cryptography.

Outline. Section 2 recalls the HMAC-SHA-2 protocol, and describes the attack path. Then, we expose the problems inherent to SCAs on modular addition and logical AND operations. In Sec. 3 we show real experiments conducted on an embedded SHA-2 software implementation. All SCAs required to break the secret key have been performed, providing examples of analyses targeting both a modular addition and a logical AND operation. A comparison of our analysis and the latest template analyses with respect to Common Criteria requirements is given in Sec. 4. We discuss the results and improvement possibilities in Sec. 5. Conclusions are given in Sec. 6.

2 Side-channel evaluation of HMAC-SHA-2

2.1 Preliminaries
Notations. Let x, y ∈ {0, 1}^∞ be sequences of bits and n ∈ ℕ an integer. We write x || y for the concatenation of x and y. The rotation of x by n bits to the right is denoted x ≫ n. For a bitwise logical AND (resp. OR) between the words x and y, we write x ∧ y (resp. x ∨ y). The ⊕ symbol denotes a bitwise eXclusive OR (XOR). The ⊞ (resp. ⊟) symbol denotes an addition (resp. subtraction) in Z/2^32 Z or (Z/2^32 Z)^n.
Practical Aspects of Vertical Side-Channel Analyses on HMAC-SHA-2 3

Fig. 1. Diagram of the SHA-256 compression function.

SHA-256. The Secure Hash Algorithm (SHA)-256 hash function [6] takes an input message M of arbitrary length and returns a 256-bit sequence. For that purpose, the message is split into N blocks of 512 bits, M = M_0 || ... || M_{N−1}. A compression function then operates on each block one by one.

The compression function f_h : {0, 1}^512 × {0, 1}^256 → {0, 1}^256 takes two inputs: the message block M_n and a recursively defined chaining value CV_n, where CV_0 is a fixed initial vector IV, and ∀n ∈ {1, ..., N}, we have CV_n = f_h(M_{n−1}, CV_{n−1}). This function is called repeatedly until the final digest d = CV_N = f_h(M_{N−1}, CV_{N−1}) has been reached. During the compression, the algorithm operates on 32-bit words. The intermediate hash values are 8 words that we call A^(r), B^(r), C^(r), D^(r), E^(r), F^(r), G^(r), H^(r), for each round r ∈ {0, ..., 64}. Also, each message block is extended to 64 32-bit words, and since we are only analyzing one block, we write M_n = W_1 || ... || W_16. These words are expanded with the help of an ExpansionFunction to obtain one word per round. There are also 64 constants K_1, ..., K_64 which are used at each round. In addition, A, B, C ∈ {0, 1}^32 being words, SHA-2 uses the following basic functions:

Σ0(A) = (A ≫ 2) ⊕ (A ≫ 13) ⊕ (A ≫ 22),
Σ1(A) = (A ≫ 6) ⊕ (A ≫ 11) ⊕ (A ≫ 25),
Ch(A, B, C) = (A ∧ B) ∨ (¬A ∧ C),
Maj(A, B, C) = (A ∧ B) ∨ (A ∧ C) ∨ (B ∧ C).

The compression function of SHA-256 is given in Algorithm 1, which is also illustrated in the schematic Fig. 1.

Input: Message block W_1, ..., W_16,
       Chaining value A^(0), B^(0), C^(0), D^(0), E^(0), F^(0), G^(0), H^(0)
Output: Chaining value A^(0) ⊞ A^(64), B^(0) ⊞ B^(64), C^(0) ⊞ C^(64), D^(0) ⊞ D^(64),
        E^(0) ⊞ E^(64), F^(0) ⊞ F^(64), G^(0) ⊞ G^(64), H^(0) ⊞ H^(64)
 1  (W_1, ..., W_64) = ExpansionFunction(W_1, ..., W_16)   // Precomputation of the 64 round words
 2  for r = 0 to 63 do
 3      T1 = H^(r) ⊞ Σ1(E^(r)) ⊞ Ch(E^(r), F^(r), G^(r)) ⊞ K_{r+1} ⊞ W_{r+1}
 4      T2 = Σ0(A^(r)) ⊞ Maj(A^(r), B^(r), C^(r))
 5      H^(r+1) = G^(r)
 6      G^(r+1) = F^(r)
 7      F^(r+1) = E^(r)
 8      E^(r+1) = D^(r) ⊞ T1
 9      D^(r+1) = C^(r)
10      C^(r+1) = B^(r)
11      B^(r+1) = A^(r)
12      A^(r+1) = T1 ⊞ T2
13  return (A^(0), ..., H^(0)) ⊞ (A^(64), ..., H^(64))
Algorithm 1: SHA-256 compression function.

HMAC. In the HMAC algorithm [14], a secret key k* and a hash function h are used to authenticate messages of arbitrary size. First, the key is padded to the correct block size with an inner padding ipad = 0x36,...,0x36. The messages are concatenated with this padded key and hashed. Then, the same key is padded again with an outer padding opad = 0x5C,...,0x5C, which is concatenated again with the result of the previous computation, and hashed again.

HMAC_h(M, k*) = h((k* ⊕ opad) || h((k* ⊕ ipad) || M))    (1)

We define the hashed padded keys k1 and k2 as follows:

k1 = CV_1^(1) = h(k* ⊕ ipad)
k2 = CV_1^(2) = h(k* ⊕ opad)    (2)

The aim of the analysis is to recover k1 and k2, for finally being able to forge Message Authentication Codes (MACs) without knowing the key. To obtain all parts of k1 (and k2), one must perform a series of SCAs on different intermediate values of the second hash-block of each call of the hash function. Though two keys must be recovered, we analyze only the situation for k1 without loss of generality, since the analysis of k2 itself is identical [1].
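To make the attack path concrete, here is an added Python implementation (ours, not the paper's code) of Algorithm 1 together with the HMAC chaining values k1 and k2 of eq. (2). It checks against the standard library that k1 and k2 alone suffice to compute HMAC-SHA-256, which is why they are the CSPs, and that in the second block of the inner hash T1^(1) = δ^(0) ⊞ W_1 as listed for SCA 1 in Table 1; the key and message values are constructed.

```python
"""Algorithm 1 (SHA-256 compression), the HMAC chaining values k1/k2 of eq. (2) and the node of
SCA 1. Added example, not the paper's code; it checks itself against hashlib and hmac."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
# Round constants K_1..K_64 and initial vector IV of SHA-256 (FIPS 180-4).
K = [
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2]
IV = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19]


def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def sigma1(e):  # Σ1 of the paper's basic functions
    return rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)


def ch(e, f, g):
    return (e & f) ^ (~e & g)


def compress(block, cv, log=None):
    """f_h(M_n, CV_n) on one 64-byte block. If `log` is a list, (T1, T2) of every round is
    appended to it; these are the intermediate nodes that the SCAs of Table 1 target."""
    w = list(struct.unpack(">16L", block))
    for t in range(16, 64):  # ExpansionFunction: W_17 .. W_64
        s0 = rotr(w[t - 15], 7) ^ rotr(w[t - 15], 18) ^ (w[t - 15] >> 3)
        s1 = rotr(w[t - 2], 17) ^ rotr(w[t - 2], 19) ^ (w[t - 2] >> 10)
        w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK)
    a, b, c, d, e, f, g, h = cv
    for r in range(64):
        t1 = (h + sigma1(e) + ch(e, f, g) + K[r] + w[r]) & MASK
        t2 = ((rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        if log is not None:
            log.append((t1, t2))
        h, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK, c, b, a, (t1 + t2) & MASK
    return [(x + y) & MASK for x, y in zip(cv, (a, b, c, d, e, f, g, h))]


def sha256_from_state(cv, data, prefix_len):
    """Absorb `data` from chaining value `cv` and return the digest bytes; `prefix_len` bytes were
    hashed before `data`, so the bit length written into the padding accounts for them."""
    total = prefix_len + len(data)
    padded = data + b"\x80" + b"\x00" * ((55 - total) % 64) + struct.pack(">Q", 8 * total)
    for i in range(0, len(padded), 64):
        cv = compress(padded[i:i + 64], cv)
    return b"".join(struct.pack(">L", x) for x in cv)


def sha256(data):
    return sha256_from_state(IV, data, 0)


def hmac_chaining_values(key):
    """k1 = CV_1 of the inner hash (block k* ⊕ ipad) and k2 = CV_1 of the outer hash (k* ⊕ opad)."""
    if len(key) > 64:
        key = sha256(key)
    key = key.ljust(64, b"\x00")
    k1 = compress(bytes(x ^ 0x36 for x in key), IV)
    k2 = compress(bytes(x ^ 0x5C for x in key), IV)
    return k1, k2


def hmac_from_chaining_values(k1, k2, msg):
    """HMAC-SHA-256 from k1 and k2 alone: k* itself is never needed, which is why the two
    chaining values are the CSPs of the analysis path."""
    return sha256_from_state(k2, sha256_from_state(k1, msg, 64), 64)


def delta0(k1):
    """δ^(0) = H ⊞ Σ1(E) ⊞ Ch(E, F, G) ⊞ K_1, the fixed CSP of SCA 1: a function of k1 only."""
    a, b, c, d, e, f, g, h = k1
    return (h + sigma1(e) + ch(e, f, g) + K[0]) & MASK


def matches_stdlib(key, msg):
    """True if sha256() and hmac_from_chaining_values() agree with hashlib / hmac."""
    k1, k2 = hmac_chaining_values(key)
    return (sha256(msg) == hashlib.sha256(msg).digest() and
            hmac_from_chaining_values(k1, k2, msg) == hmac.new(key, msg, hashlib.sha256).digest())


def first_round_t1_matches(key, msg):
    """True if, in the second block of the inner hash, T1^(1) == δ^(0) ⊞ W_1 (Table 1, SCA 1).
    W_1..W_16 are the first 512 bits of the known message, so msg must hold at least 64 bytes."""
    assert len(msg) >= 64
    k1 = hmac_chaining_values(key)[0]
    log = []
    compress(msg[:64], k1, log)
    w1 = struct.unpack(">L", msg[:4])[0]
    return log[0][0] == (delta0(k1) + w1) & MASK
```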

Table 1. The vertical SCAs that must be performed for this attack, with alternatives (6b and 7b) for some target values (resp. 6 and 7).

Attack | CSP    | Targeted operation        | Known parameter
SCA 1  | δ^(0)  | T1^(1) = δ^(0) ⊞ W_1      | W_1
SCA 2  | D^(0)  | E^(1) = T1^(1) ⊞ D^(0)    | T1^(1)
SCA 3  | T2^(1) | A^(1) = T1^(1) ⊞ T2^(1)   | T1^(1)
SCA 4  | F^(1)  | E^(1) ∧ F^(1) in Ch       | E^(1)
SCA 5  | G^(1)  | ¬E^(1) ∧ G^(1) in Ch      | ¬E^(1)
SCA 6  | B^(1)  | A^(1) ∧ B^(1) in Maj      | A^(1)
SCA 7  | C^(1)  | A^(1) ∧ C^(1) in Maj      | A^(1)
SCA 8  | H^(1)  | T1^(2) = H^(1) ⊞ ε^(1)    | ε^(1)
SCA 9  | D^(1)  | E^(2) = T1^(2) ⊞ D^(1)    | T1^(2)
SCA 6b | D^(3)  | E^(4) = T1^(4) ⊞ D^(3)    | T1^(4)
SCA 7b | D^(2)  | E^(3) = T1^(3) ⊞ D^(2)    | T1^(3)

2.2 Analysis strategy

In the considered situation, the hash function h is SHA-256, but the general analysis path can possibly be adapted for any hash function of the SHA-2 family. The list of the necessary CPAs is given in Table 1. The attacks are enumerated in the first column. The second one shows the attacked Critical Security Parameter (CSP). In the third column we show the attacked operation and in the last one the variable parameter known by the attacker. The CPAs 1 to 8 are the ones described by Belaïd et al. [1]. When all these CPAs are successful, the evaluator knows A^(0) = B^(1), B^(0) = C^(1), D^(0), E^(0) = F^(1), F^(0) = G^(1) and G^(0) = H^(1). For the sake of clarity, we define δ^(i) and ε^(i) as follows:

δ^(i) = H^(i) ⊞ Σ1(E^(i)) ⊞ Ch(E^(i), F^(i), G^(i)) ⊞ K_{i+1}
ε^(i) = Σ1(E^(i)) ⊞ Ch(E^(i), F^(i), G^(i)) ⊞ K_{i+1} ⊞ W_{i+1}

Note that there is a misleading formulation in the original paper. Belaïd et al. [1] say that C^(0) and H^(0) could be computed through the already recovered values, which is untrue. While this is valid for

H^(0) = T1^(1) ⊟ (Σ1(E^(0)) ⊞ Ch(E^(0), F^(0), G^(0)) ⊞ K_1 ⊞ W_1),

we gain only partial knowledge about C^(0) from

T2^(1) = Σ0(A^(0)) ⊞ Maj(A^(0), B^(0), C^(0)).

Only the bits where A^(0) ≠ B^(0) can be obtained systematically. One could argue that, if the security of a device depends on less than 32 secret bits, it can be

Fig. 2. The schematic analysis path. To recover the hashed key (chaining value), one targets the second hash-block, where the first words W_1, ..., W_16 correspond to the first 512 bits of the known message M. The red values are directly targeted with an SCA, while the blue values can be obtained indirectly (i.e. by substitution) from the recovered parameters. The orange value can be computed in the end from known parameters.

compromised through brute force, but this would only work if there were not two consecutive series of SCAs that must succeed until one is able to verify the correctness of her assumptions. In our opinion, this is not sufficient since C^(0) can not be computed by substitution, and in addition is unnecessary, since we are able to carry out a 9th CPA in the second round of the compression function. Here, we can gain absolute knowledge about D^(1) which is C^(0).
Belaïd et al. [1] have already established that attacks on modular addition converge faster than on logical AND. In addition, as we will discuss later, the inherent structure of the logical AND operations presents constraints that make it practically more difficult to analyze. Therefore we have been looking for alternatives in the analysis path for replacing CPAs 4, 5, 6 and 7 (computed on logical AND operations) by CPAs on modular additions. We have found such alternatives for SCAs 6 and 7 by recovering the value D in higher rounds.

We differentiate public parameters that are possibly known, and parameters that the security depends on, which are called CSP. Every value, except for the messages W_i and the constants K_i for i ∈ {1, ..., 64}, is a CSP in this context. To recover a fixed CSP via SCA, it must be involved in an operation that contains a variable public parameter or known CSP. It is noteworthy that there are no more fixed CSP after the 4th round, hence all 8 words of k1 must be recovered before that round. We give a schematic analysis path in Fig. 2.

Most of the targeted operations are situated in the first two rounds; the alternative path 7b is performed during the 3rd round and 6b during the 4th one. To perform the alternative analyses of CPAs 6 and 7, one must still be able to

recover F^(1) and G^(1). We can not obtain δ^(2) as in the first round, because in the higher rounds this particular value is not a fixed CSP anymore.

2.3 Side-channel evaluation of the internal SHA-2 operations


Assuming that the Hamming Weight (HW) of a computation's outcome can be recognized in the power consumption, we have studied the theoretical leakages of both modular addition and logical AND operations. For any word w = w_0, ..., w_{N−1} ∈ {0, 1}^N, the HW is defined as the number of strictly positive bits:

HW(w) = Σ_{i=0}^{N−1} w_i.

To get more realistic results, we applied a Gaussian distributed random noise X ∼ N(0, σ) with mean 0 and standard deviation σ = 5 to the traces. For an operation ◦ and a, b ∈ Z/2^32 Z, we defined the theoretical side-channel activity as:

HW(◦(a, b)) = Σ_{i=0}^{31} ◦(a, b)_i + X.

For the analysis, we fixed one of the two entries of each operation, and chose N ∈ ℕ random and varying values for the other parameter. Then we recovered the fixed value using a CPA with an evolving HW leakage model, depending on the targeted operation. All words are composed of 32 bits which we have split into sub-words of different sizes s of 1, 2, 4 or 8 bits. For the two operations, we define a learning leakage model which uses the knowledge about the already recovered bits.
In the following, let k ∈ Z/2^32 Z be the CSP that we want to recover, and m = m_0, ..., m_{N−1} ∈ (Z/2^32 Z)^N the vector of known variable words that the CSP is interacting with. For all sub-parts of the CSP that are indexed with i ∈ {0, ..., 32/s}, the HW leakage model LM_i takes a hypothesis k' ∈ {0, ..., 2^s − 1} and uses it on the corresponding part of the message, from the Least Significant Bit (LSB) to the Most Significant Bit (MSB). This is then compared to the theoretical traces. For i ∈ {0, ..., N} the HW leakage model is computed as:

LM_i(k', m) = ( HW(◦(k', (m_0 ≫ s·i) mod 2^s)), ..., HW(◦(k', (m_{N−1} ≫ s·i) mod 2^s)) )^T    (2)

At every step, the most likely key k̂_i is recovered via CPA and is then used to improve the following analyses. The evolutive leakage model ELM_i is defined as:

ELM_i(k', m) = LM_i(k', m) + Σ_{j=0}^{i−1} ELM_j(k̂'_j, m).    (3)

We will show the theoretical results of these analyses for both cases, and discuss some problematic behavior that can be observed when the same analyses are naively applied on real traces of the HMAC protocol.
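As an added illustration (ours, not the paper's code) of the evolutive leakage model, the following Python simulates the theoretical traces HW(m ⊞ k) + X with σ = 5 and recovers k sub-word by sub-word with a CPA, for any sub-word size s dividing 32. One assumption of ours: the model at step i is the HW of the low (i+1)·s bits of m ⊞ k', i.e. the accumulated per-sub-word terms with the carries out of the already recovered part included; the CSP value is constructed.

```python
"""CPA on a modular addition with the evolutive HW leakage model of eq. (2) and (3): the CSP k is
recovered sub-word by sub-word (s bits at a time) from LSB to MSB. Added example, not the paper's
code; traces are simulated with the HW model and Gaussian noise as in Sec. 2.3."""
import random

MASK = 0xFFFFFFFF


def hw(x):
    return bin(x).count("1")


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5 if sxx and syy else 0.0


def simulate_traces(k, msgs, sigma, rng):
    """Theoretical activity of a single addition: HW(m ⊞ k) plus noise X ~ N(0, sigma)."""
    return [hw((m + k) & MASK) + rng.gauss(0.0, sigma) for m in msgs]


def elm_cpa(traces, msgs, s):
    """Step i scores the 2^s hypotheses on sub-word i while sub-words 0..i-1 keep the values
    already recovered. Our model at step i is the HW of the low (i+1)*s bits of m ⊞ k', which
    is the sum of the per-sub-word terms of eq. (3) with the carries from the recovered part."""
    assert 32 % s == 0
    k_hat = 0
    for i in range(32 // s):
        mask = (1 << (s * (i + 1))) - 1
        best_r, best_sub = -2.0, 0
        for sub in range(1 << s):
            k_hyp = k_hat | (sub << (s * i))
            r = pearson([hw((m + k_hyp) & mask) for m in msgs], traces)
            if r > best_r:
                best_r, best_sub = r, sub
        k_hat |= best_sub << (s * i)
    return k_hat


def run_experiment(k, n_traces, sigma, s, seed=0):
    """Draw n_traces known words, simulate their traces for the constructed CSP k and recover it."""
    rng = random.Random(seed)
    msgs = [rng.getrandbits(32) for _ in range(n_traces)]
    return elm_cpa(simulate_traces(k, msgs, sigma, rng), msgs, s)


if __name__ == "__main__":
    k_true = 0xA32BBF29  # constructed fixed CSP (the D word of the paper's test key)
    for s in (1, 2, 4):  # s = 8 costs 256 hypotheses per step, slow in pure Python
        got = run_experiment(k_true, 10000, 5.0, s)
        print(f"s={s}: recovered {got:08x}, correct={got == k_true}")
```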

Fig. 3. CPA on a value (k = 30) that is involved in multiple additions with zoom on the true key hypothesis. In case of only one addition (blue), there is a clear correlation peak at the correct value (k' = 30). With two additions (yellow), the peak is less significant, while with three additions (red), the peak does not correspond to the correct value (maximum correlation for k' = 31).

Modular addition. For an arbitrary but fixed value w ∈ Z/2^32 Z, the addition with w is a bijective function:

Z/2^32 Z → Z/2^32 Z,  x ↦ w ⊞ x = w + x (mod 2^32)    (4)

When using the HW leakage model on the modular addition, the CPA on the theoretical traces detects the CSP with 10 to 100 traces. Using hypotheses on more bits at a time always leads to faster results. The converging success rate for different s can be seen in Fig. 5a. In this ideal setting the result is not surprising, but when a parameter is used in multiple operations in a row, the correlation might be influenced. We observed a problematic behavior of the HW leakage model when the analyzed value is used in multiple additions. For two additions, the maximum correlation did still occur at the target value, but the correlation peaks of other candidates became more significant. For three or more additions, the maximum value did not correspond to the analyzed parameter. The correlations of an experiment with a fixed 6-bit value k = 30 are given in Fig. 3. The theoretical traces were generated by adding k to a random vector of known values m_0, ..., m_N and two fixed disturbing factors, d_0 = 15 and d_1 = 59. For other values we obtained similar results. In some cases the value k could still be recovered, but the example shows that the leakage model does not always lead to the correct key.

Another attribute of this operation is its linearity. In a realistic attack situation, there are many other points that may depend on the known public parameter. Such values, when used before or after the targeted operation, are going to provoke correlation peaks for arbitrary incorrect hypotheses.

In the specific SHA-2 case, the first SCA targeting δ^(0) uses a known variable parameter W_1, which by itself is already used during the ExpansionFunction. Furthermore, the following values can all be obtained by the addition of a constant to W_1:

- T1^(1)
- E^(1) = F^(2) = G^(3) = H^(4)
- A^(1) = B^(2) = C^(3) = D^(4)

These problems do not occur in the theoretical analysis, since we are analyzing only the one temporal instance that happened to be exactly the target operation. But during the computation of SHA-2 many modular additions involve a previously analyzed CSP. Therefore we can not simply choose the highest overall correlation to determine the most likely key. Instead, we must use PoI detection, which we describe in Sec. 3.2, in order to find the exploitable points in time.

Logical AND. The logical AND operation is defined bitwise for a, b ∈ {0, 1}: the result is 1 if and only if a = b = 1, otherwise it is 0.

∧ : {0, 1} × {0, 1} → {0, 1},  (b_0, b_1) ↦ b_0 ∧ b_1    (5)

We define the logical AND with a fixed value w = [w_0, ..., w_31] ∈ {0, 1}^32:

∧_w : {0, 1}^32 → {0, 1}^32,  x ↦ w ∧ x = [(x_i ∧ w_i)_{i ∈ {0, ..., 31}}]    (6)

This function is not bijective, which is the major problem when it comes to SCA. At any position where the hypothetical CSP is 0, all information about the variable parameter gets erased in the leakage model. In a bitwise analysis, one has basically only one hypothesis (k = 1). It can not be evaluated for the 0 hypothesis, since the observed correlation is merely due to random noise. Regardless of whether it is higher or lower than the correlation of the 1 hypothesis, there is no information gain from such a result. Only the evidence for the 1 hypothesis is used to recover the secret bits. In Fig. 4, we see the theoretical outcome of such an analysis. The entire secret parameter can be recovered by observing the high and low phases of the correlation.

Another issue with logical AND operations is the context where these operations are used. In the case of Maj, the expressions in question can be replaced by equivalent computations with different intermediate results (see Example 1).

Fig. 4. Example of CPA applied on logical AND, with 1 hypothesis, compared to the real key bits. The real key bits can be guessed by classifying maximum correlation results. Correlations above the defined threshold correspond to the 1 value, while correlations below correspond to 0.

Example 1. We can express the Maj function in different equivalent ways:

Maj(A, B, C) = (A ∧ B) ⊕ (A ∧ C) ⊕ (B ∧ C)
             = (A ∧ B) ∨ (A ∧ C) ∨ (B ∧ C)
             = (A ∨ B) ∧ (A ∨ C) ∧ (B ∨ C)
             = (A ∧ B) ∨ (C ∧ (A ⊕ B))

We do not always know which of the expressions has been used in the underlying implementation, and even if we did, some compilers (in case of software) may eventually compute the value with another expression. This makes it desirable to replace the SCA on logical AND operations by analyses on modular additions.

Just as for the modular addition, we tested the logical AND operation in a theoretical context with the HW leakage model, but we accepted all 0 values if no other hypothesis did show any significant correlation. The resulting success rate for different s is given in Fig. 5b. We see that, here, about 10,000 traces are required to guarantee a successful exploitation when using several bits at a time. Interestingly, the bitwise analysis is much faster (100 to 1,000 traces), unlike in the case of modular addition, where the bitwise analysis was the least effective.
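An added Python example (ours, not from the paper) of the single-hypothesis bitwise CPA on a logical AND described above, with the threshold classification of Fig. 4, followed by the four Maj forms of Example 1 together with the intermediate words each of them computes. Traces are simulated with the HW model and Gaussian noise; the key words are constructed (taken from the chaining value quoted in Sec. 3.1).

```python
"""Bitwise CPA on a logical AND with only the 1 hypothesis and a correlation threshold (Sec. 2.3,
Fig. 4), plus the equivalent Maj forms of Example 1. Added example; not the paper's code."""
import random


def hw(x):
    return bin(x).count("1")


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5 if sxx and syy else 0.0


def simulate_traces(k, msgs, sigma, rng):
    """Theoretical activity HW(k ∧ m) + N(0, sigma) for the fixed CSP k and known words m, as in
    SCA 4, where m = E^(1) is known and k = F^(1) is the target inside Ch."""
    return [hw(k & m) + rng.gauss(0.0, sigma) for m in msgs]


def and_cpa_one_hypothesis(traces, msgs):
    """Per bit i, the correlation of the known bit m_i with the traces: the model under k_i = 1.
    Under k_i = 0 the model HW(0 ∧ m_i) is constant, so that hypothesis cannot be scored at all."""
    return [pearson([(m >> i) & 1 for m in msgs], traces) for i in range(32)]


def classify(corrs, threshold=None):
    """Bits whose 1-hypothesis correlation lies above the threshold are read as 1, the others as 0.
    Default threshold: half the highest peak, which presumes at least one key bit is 1 (an
    all-zero word produces only noise-level peaks and cannot be confirmed this way)."""
    if threshold is None:
        threshold = 0.5 * max(corrs)
    return sum(1 << i for i, r in enumerate(corrs) if r > threshold)


def run_experiment(k, n_traces, sigma, seed=0):
    """Simulate n_traces known words and their traces for the constructed CSP k, then classify."""
    rng = random.Random(seed)
    msgs = [rng.getrandbits(32) for _ in range(n_traces)]
    return classify(and_cpa_one_hypothesis(simulate_traces(k, msgs, sigma, rng), msgs))


def maj_forms(a, b, c):
    """The four equivalent Maj expressions of Example 1, each with the intermediate words it
    computes. The node A ∧ B targeted by SCA 6 exists in three of them, not in the AND-of-ORs form."""
    return {
        "xor_of_ands": ((a & b) ^ (a & c) ^ (b & c), {a & b, a & c, b & c}),
        "or_of_ands": ((a & b) | (a & c) | (b & c), {a & b, a & c, b & c}),
        "and_of_ors": ((a | b) & (a | c) & (b | c), {a | b, a | c, b | c}),
        "mux": ((a & b) | (c & (a ^ b)), {a & b, a ^ b, c & (a ^ b)}),
    }


if __name__ == "__main__":
    k_true = 0xEEB700B3  # constructed fixed CSP (the F word of the paper's test key)
    print(f"recovered {run_experiment(k_true, 8000, 2.0):08x}, true {k_true:08x}")
```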

3 Experimental results

The approach in [1] describes how a vertical SCA can be performed. However, as there is no specification given about the implementation or the device performing the SHA-2 computation, we assume that the results are of purely theoretical nature. Our theoretical analyses of basic operations in Sec. 2.3 show the same results. This means that the side-channel activity is estimated with the same consumption model that is later used to analyze this operation. To get more realistic results, a Gaussian noise is added to this model. But proceeding in this manner implies that the activity does not contain other points than the PoIs. This section treats a real situation for an HMAC-SHA-256 embedded software, to which the analysis has been applied.

(a) SCAs on the modular addition. (b) SCAs on the logical AND.
Fig. 5. The success rate of the analysis with the modular addition (left) and logical
AND (right), and the HW leakage model for 1 bit, 2 bits, 4 bits, and byte-wise corre-
lation with rising number of traces. All analyses converge eventually. Bigger subkeys
lead to faster results, except for the bitwise AND leakage model, which converges much
faster.

3.1 Experimental setup


The whole attack path has been tested on a real scenario. Our target is a basic unprotected SHA-2 C implementation used in the HMAC-SHA-2 context. More precisely, the SHA-2 messages were randomly chosen, while the HMAC key was fixed to a specific value. This padded, then hashed, key leads to the following SHA-2 chaining value:

A = 6699d416, B = ba662d99, C = a374edda, D = a32bbf29,
E = d5bc7a2e, F = eeb700b3, G = 732617d2, H = a4c49928.

The target runs on an embedded CPU, the Target Of Evaluation (TOE) being an STM32 NUCLEO-F334R8 with a Cortex M3 chip (Fig. 6). 50,000 EM traces of the first ten SHA-2 rounds (over 64) have been acquired using a Langer EMV-Technik RF-U 5-2 probe, with a sampling rate of 2 GSa/s. Figure 7 is a screenshot of the oscilloscope used during the acquisitions. It also shows one of the acquired SHA-2 EM activity traces. Not only can we see the repeating patterns, but a comparison with the later detected leakages (Sec. 3.2) also permits us to confirm the delimitation of the different SHA-2 rounds.

3.2 Point of Interest detection


Because of the linearity of the processed operations, the targeted values are arithmetically close to other processed values. Take for example a fixed key-dependent value x and a known variable y: the sum x ⊞ y is processed, hence it will be recognizable with an appropriate leakage model. But if another value y ⊞ x̂ is also processed, we can not know if we have found the correct x or the false friend x̂. In particular when x̂ = 0, we have y ⊞ x̂ = y, which is a value that usually appears in the side-channel activity.

Fig. 6. The STM32 Nucleo used for the EM acquisitions. The probe is put over the chip, and the CN7 pin is used for triggering the SHA-2 start and 10th round's end.

Fig. 7. The SHA-2 traces have been acquired on a Keysight MXR404A oscilloscope. The red signal corresponds to the SHA-2 activity, while the blue signal corresponds to the trigger which delimits the first ten SHA-2 rounds, zoomed in and highlighted in gray and white.
For handling this issue, we detect the PoI in advance to determine at which point in time the actual value is used. In this way, we can focus on the correlation peak at the PoI even if it is not the highest peak compared to other time samples. We can detect PoIs using general leakage detection metrics like Welch's t-test [20], NICV [4] or Pearson-χ² [17]. This way, there is no need to evaluate the correlation at every point in time, but only where the CSP really leaks.

Modular addition. We have used the NICV, which can detect leakages through operations that involve a variable parameter. For each CPA, we perform an NICV on the known parameter (Fig. 8a), and we evaluate the CPA results only at the points where leakages have been detected. Since for every target node multiple PoIs have been detected, the CPA trace was evaluated at multiple samples at once, taking the bit value indicated by the majority of the PoIs. This makes it preferable to perform the analysis bitwise rather than bytewise, even though the theoretical attack was faster when performed on bytes.
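The following added Python example (ours, not the paper's code) applies the PoI procedure just described to constructed traces: the NICV on the known word y (classes formed by its low byte, our choice) flags the time samples that depend on y, among them a false friend y ⊞ x̂ with x̂ = 0, and the bitwise CPA is then evaluated only at those samples, the majority of the PoIs deciding each bit.

```python
"""PoI detection with the NICV on the known parameter, then a bitwise CPA evaluated only at the
detected PoIs with a majority vote over them (the modular-addition procedure of Sec. 3.2).
Added example with constructed traces; neither the paper's EM traces nor its code."""
import random
from collections import defaultdict

MASK = 0xFFFFFFFF
N_SAMPLES = 40             # time samples per constructed trace
TARGET_SAMPLES = (12, 25)  # the target y ⊞ x is processed at these two instants
FALSE_FRIEND = 30          # y ⊞ x̂ with x̂ = 0, i.e. y itself, is processed here
UNRELATED = 5              # activity of a random value independent of y


def hw(x):
    return bin(x).count("1")


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5 if sxx and syy else 0.0


def simulate_traces(x, ys, sigma, rng):
    """One N_SAMPLES-point trace per known word y: Gaussian noise everywhere plus the HW of the
    intermediate value processed at each leaking sample."""
    traces = []
    for y in ys:
        t = [rng.gauss(0.0, sigma) for _ in range(N_SAMPLES)]
        for p in TARGET_SAMPLES:
            t[p] += hw((y + x) & MASK)
        t[FALSE_FRIEND] += hw(y)
        t[UNRELATED] += hw(rng.getrandbits(32))
        traces.append(t)
    return traces


def nicv(traces, labels):
    """NICV per time sample, Var(E[L | class]) / Var(L), the class of a trace being the label
    of its known parameter."""
    n = len(traces)
    scores = []
    for p in range(N_SAMPLES):
        col = [t[p] for t in traces]
        mean = sum(col) / n
        var = sum((v - mean) ** 2 for v in col) / n
        groups = defaultdict(list)
        for v, lab in zip(col, labels):
            groups[lab].append(v)
        between = sum(len(g) * (sum(g) / len(g) - mean) ** 2 for g in groups.values()) / n
        scores.append(between / var if var else 0.0)
    return scores


def detect_pois(traces, ys, threshold):
    """Samples whose NICV exceeds the threshold. Classes are the low byte of y (our choice, so
    that each class holds several traces); the threshold must sit above the estimation floor
    of roughly (#classes - 1) / #traces that every non-leaking sample shows."""
    scores = nicv(traces, [y & 0xFF for y in ys])
    return [p for p, v in enumerate(scores) if v > threshold]


def bitwise_cpa_at_pois(traces, ys, pois):
    """Recover x from LSB to MSB. For bit i the two hypotheses (lower bits fixed to the values
    already recovered) are correlated at every PoI separately; the majority of the PoIs decides."""
    x_hat = 0
    for i in range(32):
        mask = (1 << (i + 1)) - 1
        votes = 0
        for p in pois:
            col = [t[p] for t in traces]
            r0 = pearson([hw((y + x_hat) & mask) for y in ys], col)
            r1 = pearson([hw((y + (x_hat | (1 << i))) & mask) for y in ys], col)
            votes += int(r1 > r0)
        if 2 * votes > len(pois):
            x_hat |= 1 << i
    return x_hat


def run_experiment(x, n_traces, sigma, seed=0, threshold=0.15):
    """Returns (detected PoIs, recovered x) for a constructed fixed CSP x."""
    rng = random.Random(seed)
    ys = [rng.getrandbits(32) for _ in range(n_traces)]
    traces = simulate_traces(x, ys, sigma, rng)
    pois = detect_pois(traces, ys, threshold)
    return pois, bitwise_cpa_at_pois(traces, ys, pois)


if __name__ == "__main__":
    print(run_experiment(0xA374EDDA, 4000, 2.0, seed=7))  # constructed x (the C word above)
```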
Logical AND. It is necessary to conduct the PoI detection of logical AND operations within a White-Box context (or with a particular profiling phase on a controlled clone device). Indeed, in this case, the NICV is not sufficient for detecting the best sample for a leakage evaluation (Fig. 8b and Fig. 9a). Therefore, we propose another way, which basically consists of classifying the CPA results according to the real subkey value (0 or 1 within a bitwise analysis). When sorting the CPA traces with respect to the real CSP, we can see that, at some samples, the correlations of the 1 hypothesis split up according to the true values. This is the PoI where the bitwise analysis can be performed. The area of ±20 time-samples around the PoI of B^(1) is illustrated in Fig. 9c. When the PoIs are detected, one can easily recover any CSP with the strategy described in Sec. 2.2. We show the results of the embedded SHA-2 software analysis in the following section.

3.3 Leakage evaluation


For the leakage evaluation, we carried out the analysis within a White-Box context. In other words, we have used the knowledge about the secret parameters to find PoIs and evaluated the leakages for the possibility of exploitation. We do not claim that an attacker has these resources to carry out a White-Box profiling and then exploitation phase[4]. Therefore, the hereafter presented analyses should rather be seen as a practical application within a security evaluation context.

The evolutive leakage model ELM (3) is confirmed in a real SCA experiment with an unprotected software implementation on the STM32 Nucleo. When experimenting on our leakage model in practice, we observe that it can even pass beyond the NICV in some cases, which is unusual. We assume this is because for later subkeys the accumulated correct information about earlier findings is taken into account, while the NICV evaluates leakages of one subkey only. While a more profound analysis of this observation would be interesting, it is out of the scope of this work.
[4] This is also the sense of the Common Criteria quotations, where rating tables are used for estimating the Target Of Evaluation resistance against an attacker who would have particular means. Common Criteria call this the attack potential.

(a) Leakage detection on modular addition.

(b) Leakage detection on logical AND.

Fig. 8. PoI detection with NICV, for both a modular addition (here H^(1)) and a logical AND operation (B^(1)).

All target nodes have been analyzed and the CSP could be recovered with the exception of one bit in SCA 5, and one bit in SCA 7b (which can be recovered by SCA 7 anyway). We give SCA 8 with the bytewise analysis of H^(1) as an example for a modular addition, and SCA 6 with a bitwise analysis of B^(1) as an example for a logical AND. The best round to analyze a CSP is not necessarily the round when it is computed. In case of H^(1) every related value is situated in round 1, while B^(1) = C^(2) = D^(3) can be analyzed in one of the subsequent rounds. Since the targeted and other linearly dependent values are processed in all rounds from round 0 to round 3, one can observe leakages in all these rounds.

CPA-8: bitwise analysis on modular addition. Figure 8a shows the NICV result. There is a peak at the 5792nd time sample and some other related activities in the area between the samples 4500 and 6800. These peaks confirm the presence of values related to the CSP. In Fig. 10, we see how one particular bit of H^(1) is recovered at the PoIs. Even though the highest correlation peak often indicated the correct key value, this was not always the case, as one can see from the first graph, hence the necessity of using the majority of the PoIs and not only one.

(a) Leakage detection on B^(1) using the NICV (zoom).

(b) CPA on B^(1): the correct key bit can not be distinguished from the wrong one using the maximum CPA value.

(c) Zoom on the CPA on B^(1) at the PoI (10761) with 1 hypothesis: correlation curves can be classified according to the correct key bit.

Fig. 9. The bitwise analysis of a logical AND (targeting B^(1)). The NICV is used for detecting the PoI, which is then used for classifying the CPA curves according to the correct key bit.

(a) CPA results of subkey 13, which is equal to 0.

(b) CPA results of subkey 13, at the 20 detected PoIs.

Fig. 10. The bitwise analysis of H (1) with the use of NICV peaks (see Fig. 8a) as PoIs. One can see that the correct hypothesis (red curves) is almost always slightly higher than the wrong hypothesis (gray curves). But at some points, the wrong key guess can even provide the highest correlation.

Thus, all bits of H (1) = 732617d2, which is 01110011001001100001011111010010 when separated into bits, counting from right to left, have been found correctly following this method.
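The white-box procedure used for CPA-8, as an added illustration that is not the authors' code: NICV computed with the known target bit selects the PoIs, then a bitwise CPA walks from LSB to MSB and takes a majority vote over those PoIs instead of trusting the single highest peak. The traces, the leakage model (each bit of H leaks at three samples with Gaussian noise) and the secret addend are constructed here; the value 732617d2 is only borrowed from the text.

```python
import numpy as np

MASK = np.uint64(0xFFFFFFFF)
N_LEAK_COPIES = 3                      # every bit of H leaks at three time samples
N_SAMPLES = 32 * N_LEAK_COPIES + 16    # plus 16 noise-only samples

def simulate_traces(n, csp, seed=2024, noise=1.5):
    """Constructed traces: sample 32*c + j carries bit j of H = X + CSP plus Gaussian noise."""
    rng = np.random.default_rng(seed)
    x = rng.integers(0, 2**32, size=n, dtype=np.uint64)
    h = (x + np.uint64(csp)) & MASK
    bits = ((h[:, None] >> np.arange(32, dtype=np.uint64)) & np.uint64(1)).astype(float)
    traces = rng.normal(0.0, noise, size=(n, N_SAMPLES))
    traces[:, :32 * N_LEAK_COPIES] += np.tile(bits, N_LEAK_COPIES)
    return x, traces

def target_bit(x, csp, b):
    """Bit b of the targeted intermediate H = X + CSP (known in the white-box setting)."""
    return (((x + np.uint64(csp)) & MASK) >> np.uint64(b)) & np.uint64(1)

def nicv(traces, classes):
    """Normalized inter-class variance per time sample: Var(E[L | class]) / Var(L)."""
    means = np.stack([traces[classes == c].mean(axis=0) for c in np.unique(classes)])
    return means.var(axis=0) / traces.var(axis=0)

def detect_pois(traces, classes, n_pois):
    """White-box PoI detection: the n_pois samples with the highest NICV for the known bit."""
    return sorted(int(i) for i in np.argsort(nicv(traces, classes))[-n_pois:])

def corr_cols(pred, traces):
    """Pearson correlation of a prediction vector with every trace column."""
    p = pred - pred.mean()
    t = traces - traces.mean(axis=0)
    return (p @ t) / np.sqrt((p @ p) * (t * t).sum(axis=0))

def recover_bitwise(x, traces, csp, n_pois=N_LEAK_COPIES):
    """Bitwise CPA from LSB to MSB; the true CSP is used only to locate the PoIs."""
    k = 0
    for b in range(32):
        pois = detect_pois(traces, target_bit(x, csp, b), n_pois)
        scores = []
        for kb in (0, 1):
            # lower bits are already recovered, so the carry into bit b is known
            guess = (x + np.uint64(k | (kb << b))) & MASK
            pred = ((guess >> np.uint64(b)) & np.uint64(1)).astype(float)
            scores.append(corr_cols(pred, traces[:, pois]))
        # majority vote over the PoIs instead of the single highest peak
        if int((scores[1] > scores[0]).sum()) > n_pois // 2:
            k |= 1 << b
    return k

if __name__ == "__main__":
    x, traces = simulate_traces(1000, 0x732617D2)   # constructed secret, value borrowed from H(1) above
    print(f"recovered {recover_bitwise(x, traces, 0x732617D2):08x}")
```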
CPA-6: bitwise analysis on logical AND. As expected, the 0 hypothesis can only detect random correlation at a low level, whereas the 1 hypothesis leads to correlation peaks all over the area of interest (Fig. 9b). When we look closer at the PoI, we can see that the traces are distributed into high and low correlation classes with respect to the CSP bits at the PoI. In Fig. 11 we can see how all bits of B (1) are recovered, as at the PoI the high activity indicates that the bit is 1, and the low activity that it is 0.
From LSBs to MSBs, we get the bit sequence 01100110100110011101010000010110, which is B (1) = A (0) = 6699d416, the correct CSP. All key parts have been successfully analyzed using the same method, as we show in the next section.

Fig. 11. CPA on logical AND with 1 hypothesis compared to the real key bits.

4 Comparison

In this section we compare our results with different approaches. First, we observe the shortcomings of a naive application of a classical CPA, that is, a CPA which ranks the hypotheses by maximum correlation values without considering the PoIs. After that, we provide quotation results for SCAs on two HMAC-SHA-2 use cases (profiled and unprofiled) to highlight the findings of our paper regarding the quotation of the different hurdles we identified in the attack.

Comparison to naive CPA. Using the approach described in our paper, we can observe a success rate converging to 100% when evaluating the target with a rising number of traces in Fig. 12. We see that the logical AND converges much faster than the modular addition. However, since it was analyzed in a White-Box context, one cannot really draw the conclusion that these are easier. In comparison, a classical CPA does not evolve to a better result for either operation. In the case of the logical AND, the best hypothesis is always the one that does not erase any information about the variable parameter, which is ffffffff. Therefore the detected correct bits are all the bits that are 1, and we obtain the HW.
All key parts and alternatives have been analyzed using both methods. The results for all targeted operations, compared to the case of adapting a classical CPA, are summarized in Fig. 13(a). On the one hand, with our method every key value has been recovered, with the exception of 1 bit. Also the alternative modular addition 7b failed to recover 1 bit; however, this bit has been found by the original logical AND analysis. The classical CPA, on the other hand, does not recover a single key part entirely with this amount of recorded side-channel activity. The convergence graphs suggest that there is no improvement when adding more traces, which can be explained by the linear dependencies, ghost peaks and other structural problems we described in Sec. 2.3. In conclusion, the evaluation at PoIs is a crucial aspect of the analysis and not a mere improvement of an otherwise functional methodology.

Comparison to template attacks. Hereafter, we compare the attack potential of an unprofiled attack that is suggested by the works of McEvoy et al. [15] and Belaïd et al. [1], and whose practicability is discussed and improved throughout this paper, to a template attack as proposed by Belenky et al. [2]. A direct comparison (Fig. 13(b)) of the effectiveness, i.e. with regard to the required traces, does not make a lot of sense, since the two approaches handle very different use cases. While our correlation-based method is only applicable to software implementations, the template attack handles a parallel hardware design, which might not even be fully exploitable by CPA due to values that are "hidden in the combinational logic" [2]. However, as we have shown, our method requires about 50k traces for the PoI detection and exploitation of 99.6% of the CSP bits. The template approach uses 3M traces to build 100% exploitable templates and requires at least 400k traces for a complete exploitation.

(a) CPAs on H (1) (Mod. addition). (b) CPAs on B (1) (Logical AND).
Fig. 12. Success rates of CPAs on both modular addition and logical AND operation, on real EM traces. Our approach with PoI detection and ELM (3) (red) converges to 100%. The classical CPA with peak correlation using also ELM (blue) does not converge.

[Fig. 13, bar charts. Panels: (a) Our CPA vs classical CPA; (b) Our CPA vs template attack. Rows: SCA 1, SCA 2, SCA 3 (modular addition), SCA 4, SCA 5, SCA 6, SCA 7 (∧), SCA 8, SCA 9, SCA 6b, SCA 7b (modular addition). x-axis: Number of broken bits (32-bit words); y-axis: Recovered words of k1 (A to H). Legend: Our bitwise CPAs, Classical bitwise CPA, Template attack. As read from the bars of panel (a), the classical bitwise CPA recovers 19, 30, 29, 15, 17, 19, 17, 16, 31, 25 and 28 bits for SCA 1 to 9, 6b and 7b respectively, while our bitwise CPAs recover all 32 bits of every target except one bit in SCA 5 and one bit in SCA 7b.]

Fig. 13. Result of the different SCAs involved in the HMAC-SHA-2 attack path, using 50,000 EM traces. They have been tested with our enhanced bitwise CPAs for modular addition and logical AND, and with classical bitwise CPA. The recovered key parts A, B, C, D, E, F, G, H are compared to the ones recoverable through template attacks on a hardware implementation.
Therefore, we leverage the rating factors of Common Criteria, as per [10, Tab. 12, page 29]. This table leverages Common Criteria (CC) v3, because it distinguishes between identification and exploitation phases. Besides, we opt for the Joint Interpretation Library (JIL) version because it uses a sixth criterion, namely the availability of open samples, which is a prerequisite of the template attack [2]. In Tab. 2 the quotations for the attacks are compared.
We attributed a lower score to the unprofiled attacks in the identification phase of the "elapsed time" category, since PoI detection using NICV or comparable metrics is much easier to perform than data collection, removal of incorrect traces, and building the templates. On the other hand, the exploitation of existing templates is almost instantaneous and requires a low amount of traces. The "expertise" required for templates is slightly more than for correlation attacks. Both template analyses and correlation analyses are largely described in the open literature. However, we have demonstrated in this paper that unprofiled analyses require an educated choice of leakage models. Both "Knowledge of TOE" and "Access to TOE" are basic in either case. The only required knowledge is the knowledge of the algorithm to attack, and only one sample (the attacked one) is required for the exploitation phase for both unprofiled and profiled attacks. Equipment is required in both identification (profiling stage) and exploitation (matching/attacking stage) for the profiled attack, whereas there is no identification phase for unprofiled attacks. Considering the rating of "Open samples", as the key is the most precious asset, we rate it as "critical" in the template attack, namely with 9 points. There is no such need for unprofiled attacks. Based on this analysis, we notice that unprofiled attacks constitute an easier attack path (16 points) than profiled attacks (23 points). Notice that the scores in Tab. 2 are only valid for vanilla implementations of HMAC-SHA-2. As soon as countermeasures are applied, the scores will rise; however, we deem it reasonable to assume that the efforts increase similarly for unprofiled and profiled attacks.

Table 2. Quotation of the unprofiled and profiled SCAs on HMAC-SHA-2.

                                          HMAC-SHA-2
Factor               Unprofiled analysis                 Profiled analysis
                     (from [1] and this paper)           (from [2])
                     Identification   Exploitation       Identification   Exploitation
Elapsed time               1               3                   3               0
Expertise                  5               2                   2               2
Knowledge of TOE           0               0                   0               0
Access to TOE              0               0                   0               0
Equipment                  1               4                   3               4
Open samples               0               -                   9               -
Subtotal                   7               9                  17               6
Grand total                      16                                 23
Rating                          Basic                        Enhanced-Basic

5 Discussion

As stated before, this methodology is not a new attack but a White-Box evaluation method for vertical unprofiled SCA mitigation. It cannot directly be used to maliciously exploit leakages, as it requires knowledge about the key to establish the PoIs where the logical AND operations are targeted. However, a vertical side-channel attack might still be possible. In an evaluation context it is very useful to understand what the practical constraints in such an analysis are because, generally, a naive implementation of a correlation-based attack does not succeed.
A topic that deserves to be explored more fundamentally is the learning leakage model and the nature of misleading correlation peaks when multiple additions are involved. We have presented both briefly, as they motivate a more sophisticated evaluation method. We also have not elaborated on masked or otherwise protected implementations of HMAC-SHA-2. For evaluations of such protections, one can use our method by evaluating the target with all countermeasures deactivated. When the analysis is successful, the masking can be reactivated and one can observe whether the analysis becomes more difficult, or even impossible. Analyzing protected implementations and the possibilities to adapt CPA for hardware designs could be subject of future work.

6 Conclusions

We have shown on real EM emanations that vertical SCAs on HMAC-SHA-2 targets are not only theoretical, but can be carried out in practice. The required modifications for improving the theoretical analysis have been identified as PoI detection and evidence-based bitwise leakage models. As our methodology works on unprotected implementations and is easy to apply in a White-Box context, it can be used to evaluate the effectiveness of implemented countermeasures against SCA. To thoroughly apply such a testing method is of particular importance, as our discussion about Common Criteria suggests. Generally, unprofiled attacks are easier than profiled attacks. They are thus a main threat to consider and must be taken into account when evaluating an HMAC-SHA-2 implementation.

References

1. Belaïd, S., Bettale, L., Dottax, E., Genelle, L., Rondepierre, F.: Differential power analysis of HMAC SHA-1 and HMAC SHA-2 in the Hamming weight model. In: Obaidat, M.S., Holzinger, A., Filipe, J. (eds.) E-Business and Telecommunications - 11th International Joint Conference, ICETE 2014, Vienna, Austria, August 28-30, 2014, Revised Selected Papers. Communications in Computer and Information Science, vol. 554, pp. 363–379. Springer (2014). https://doi.org/10.1007/978-3-319-25915-4_19
2. Belenky, Y., Dushar, I., Teper, V., Chernyshchyk, H., Azriel, L., Kreimer, Y.: First Full-Fledged Side Channel Attack on HMAC-SHA-2. In: Bhasin, S., Santis, F.D. (eds.) Constructive Side-Channel Analysis and Secure Design - 12th International Workshop, COSADE 2021, Lugano, Switzerland, October 25-27, 2021, Proceedings. Lecture Notes in Computer Science, vol. 12910, pp. 31–52. Springer (2021). https://doi.org/10.1007/978-3-030-89915-8_2
3. Benoît, O., Peyrin, T.: Side-Channel Analysis of Six SHA-3 Candidates. In: CHES. Lecture Notes in Computer Science, vol. 6225, pp. 140–157. Springer (August 17-20 2010), Santa Barbara, CA, USA
4. Bhasin, S., Danger, J.L., Guilley, S., Najm, Z.: NICV: Normalized Inter-Class Variance for Detection of Side-Channel Leakage. In: International Symposium on Electromagnetic Compatibility (EMC '14 / Tokyo). IEEE (May 12-16 2014), Session OS09: EM Information Leakage. Hitotsubashi Hall (National Center of Sciences), Chiyoda, Tokyo, Japan
5. Brier, É., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J. (eds.) Cryptographic Hardware and Embedded Systems - CHES 2004: 6th International Workshop, Cambridge, MA, USA, August 11-13, 2004. Proceedings. Lecture Notes in Computer Science, vol. 3156, pp. 16–29. Springer (2004). http://dx.doi.org/10.1007/978-3-540-28632-5_2
6. Dang, Q.H., et al.: Secure hash standard (2015). https://doi.org/10.6028/NIST.FIPS.180-4
7. Do, N.T., Hoang, V.P., Pham, C.K.: Low complexity correlation power analysis by combining power trace biasing and correlation distribution techniques. IEEE Access 10, 17578–17589 (2022)
8. Elaabid, M.A., Guilley, S.: Portability of Templates. Journal of Cryptographic Engineering 2(1), 63–74 (2012). DOI: 10.1007/s13389-012-0030-6
9. ISO/IEC JTC 1/SC 27/WG 3: ISO/IEC 20085-1:2019 (en). Information technology – Security techniques – Test tool requirements and test tool calibration methods for use in testing non-invasive attack mitigation techniques in cryptographic modules – Part 1: Test tools and techniques (2019)
10. Joint Interpretation Library: Application of Attack Potential to Smartcards and Similar Devices, Version 3.1 (June 2020). https://www.sogis.eu/documents/cc/domains/sc/JIL-Application-of-Attack-Potential-to-Smartcards-v3-1.pdf
11. Jungk, B., Bhasin, S.: Don't fall into a trap: Physical side-channel analysis of ChaCha20-Poly1305. In: Design, Automation & Test in Europe Conference & Exhibition (DATE), 2017. pp. 1110–1115. IEEE (2017)
12. Kim, H., Kim, T.H., Yoon, J.C., Hong, S.: Practical second-order correlation power analysis on the message blinding method and its novel countermeasure for RSA. ETRI Journal 32(1), 102–111 (2010)
13. Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology. pp. 388–397. CRYPTO '99, Springer-Verlag, London, UK (1999). http://dl.acm.org/citation.cfm?id=646764.703989
14. Krawczyk, H., Bellare, M., Canetti, R.: HMAC: Keyed-hashing for message authentication. Tech. rep. (1997)
15. McEvoy, R., Tunstall, M., Murphy, C.C., Marnane, W.P.: Differential power analysis of HMAC based on SHA-2, and countermeasures. In: Information Security Applications: 8th International Workshop, WISA 2007, Jeju Island, Korea, August 27-29, 2007, Revised Selected Papers 8. pp. 317–332. Springer (2007)
16. Montminy, D.P., Baldwin, R.O., Temple, M.A., Laspe, E.D.: Improving cross-device attacks using zero-mean unit-variance normalization. J. Cryptographic Engineering 3(2), 99–110 (2013). http://dx.doi.org/10.1007/s13389-012-0038-y
17. Moradi, A., Richter, B., Schneider, T., Standaert, F.: Leakage Detection with the χ2-Test. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(1), 209–237 (2018). https://doi.org/10.13154/tches.v2018.i1.209-237
18. Oswald, D.: Side-Channel Attacks on SHA-1-Based Product Authentication ICs. In: Homma, N., Medwed, M. (eds.) Smart Card Research and Advanced Applications - 14th International Conference, CARDIS 2015, Bochum, Germany, November 4-6, 2015. Revised Selected Papers. Lecture Notes in Computer Science, vol. 9514, pp. 3–14. Springer (2015). https://doi.org/10.1007/978-3-319-31271-2_1
19. Schuhmacher, F.: Canonical DPA attack on HMAC-SHA1/SHA2. In: Balasch, J., O'Flynn, C. (eds.) Constructive Side-Channel Analysis and Secure Design - 13th International Workshop, COSADE 2022, Leuven, Belgium, April 11-12, 2022, Proceedings. Lecture Notes in Computer Science, vol. 13211, pp. 193–211. Springer (2022). https://doi.org/10.1007/978-3-030-99766-3_9
20. Welch, B.: The Generalization of Student's Problem when Several Different Population Variances are Involved. Biometrika 34(1/2), 28 (January 1947)
21. Zheng, Y., Zhou, Y., Yu, Z., Hu, C., Zhang, H.: How to compare selections of points of interest for side-channel distinguishers in practice? In: Information and Communications Security: 16th International Conference, ICICS 2014, Hong Kong, China, December 16-17, 2014, Revised Selected Papers 16. pp. 200–214. Springer (2015)
