Skip to main content

20 years ago, three ‘crazy nerds’ changed smart card security for ever

Estimated reading time: 5 minutes

In September 2024, the International Association for Cryptologic Research gave a special ‘test of time’ award to the authors of a paper published 20 years earlier. It was well-deserved. The research – on Correlation Power Analysis (CPA) – has had a huge impact on cryptographic defence measures.

Today’s smart cards are highly secure. This is partly due to the curiosity of three cryptographic specialists 20 years ago….

"We were just crazy nerds trying to solve mathematical problems."

This is how Eric Brier, Thales Chief Technology Officer for Cyber Digital Solutions, describes the lab work he was doing 20 years ago. Along with two colleagues (Francis Olivier and Christophe Clavier), Eric was studying Differential Power Analysis (DPA) – a technique for measuring the power outputs of smart cards and similar products. 

In 2004, DPA was emerging as a promising technique for extracting cryptographic keys from electronic devices. Researchers would analyse the relationship between power consumption and the data being processed during a cryptographic operation. They would look for a correlation, and use it to extract keys. They guessed that this was a technique that cyber-attackers could use to steal cryptographic materials.

In their experiments, the Gemplus trio (Gemplus was later re-named as Gemalto, and eventually acquired by Thales) noticed an anomaly that sometimes produced incorrect results. Most DPA researchers ignored it. The Gemplus team didn't. Instead, they set to work to discover what caused the errors.

They solved the problem and published their findings in a paper called Correlation Power Analysis With A Leakage Model. The study did not have a good start. It was nearly rejected by the Conference on Cryptographic Hardware and Embedded Systems (CHES). And after publication, it was mostly ignored; CPA wasn't a glamorous topic in 2004. 

But while most overlooked research papers disappear into obscurity, this one didn't. Instead, it became well-known. Over 20 years, it was cited more than 3,000 times. This placed it in the top one percent of all scientific papers. 

Why did it succeed? Because CPA became a valuable technique for simulating hardware attacks on low power devices in the lab. In an era of explosive growth for smart cards and secure enclaves, this proved important work. 

Last September, on its 20th birthday, the paper finally received the recognition it deserved. Every year, the International Association for Cryptologic Research gives out a special 'Test Of Time' award at its annual CHES event. The prize celebrates historic papers that remain relevant long after their publication. 

Correlation Power Analysis With A Leakage Model was an obvious choice for the 2024 prize.

Within Thales, the work of Eric, Francis and Christophe remains highly valued. Philippe Loubet Moundi, Thales' Principal, Security HW Lab Manager, says: “If Thales is an undisputed leader in embedded security, it is thanks to experts that worked in this lab to develop proprietary counter measures to CPA.”

 

So, what was it like to work in that lab 20 years ago? What drove the team? And what is the legacy of this pioneering research? We asked Eric Brier to take a trip down memory lane…
 

Can you explain CPA in simple terms?

Eric: You can always measure the power consumed by the microprocessor in a device – and the measurement varies in time depending on the type of computation you perform. The process works especially well in a chip. The more bits you flip, the more energy you need. 

In a tiny physical device, the exact power variation is not easy to discover. It’s measurable up to a constant that you don't know, to a slope that you don't know, and with the extra complication of some unavoidable noise from the electromagnetic magnetic field, which might be inside the lab.

So, you have to use a bunch of complex mathematical techniques to extract the correct information. 

How did you do that back in 2004?

Eric: We used something called a differential power analysis. We would run an algorithm hundreds of times to record the consumption traces. We would align everything, and use statistics to find out which sub key corresponded to the highest peaks.

The story might have ended there. But then we began to notice that sometimes the highest peak would correspond to the wrong sub key. We called them fake peaks. 

How did you, Francis and Christophe respond to these problematic results?

Eric: It all started with Christophe. Everyone just took the anomalies for granted. They accepted them as a fact without seeking an explanation. 

But Christophe is not like that. He is the kind of guy who can't accept that something just happens without any explanation. He always wants to know why. 

He was puzzled by these anomalies. So he was the one who got us all working together to find a new way to do things. Luckily, the management of Gemplus at the time were happy to pay three crazy nerds to solve these mathematical problems – even though there was no real-world application. At that stage, we weren’t trying to design a new method, we were just trying to understand what happens.

After a couple of weeks, we found a solution for where the fake peaks were coming from. Then we developed a new method which delivered the right results at a much lower error rate. 

What happened when you published the paper?

Eric: Well, it was a struggle to get it accepted at all. The research we were doing was not trendy at that time. It didn’t get a lot of attention. But then that changed, and now the research has been cited thousands of times. 

What did the ‘Test of Time’ award mean to you?

Eric: It was good to be recognised and obviously great to get an award. But it’s even better to know what we did was genuinely meaningful. The three of us are really proud about that.

How has your research impacted the digital security space?

Eric: You can never be completely sure how hackers attack systems. But you can try to find the most common methods. A security teams’ role is to protect products against these known attacks.

In our work, we gave security specialists a new tool. We gave them a technique to assess the actual level of security for a smart-card – or more generally a micro-processor or cryptographic accelerator.

20 years later, the technique is still part of the requirement to make smart cards and many other sensitive crypto devices resistant to power attacks. 
 

Correlation Power Analysis explained in simple terms

If you are trying to extract cryptographic secrets (such as a password) from an electronic device, the primary method is to break the mathematical algorithm.
But there's an alternative – called side channel analysis. This describes various ways of analysing data from physical factors such as a device’s computation time, electro-magnetic output, sound and heat. Attackers can study this data and look for correlations when a device is processing a PIN for example. 
One particularly effective side channel analysis marker is power. In other words, studying the electricity consumed and emitted during a cryptographic operation.
The technique works well with smart cards. They are often described as tamper-resistant devices because they don't have moving parts, and they consume relatively small amounts of power. For these reasons, smart cards were traditionally considered resistant to security attacks. 
In 1999, this thinking changed. A researcher called Paul Kocher argued that it might be possible to recover secret information through power analysis. By analysing the power consumption of the device on an oscilloscope, a hacker might be able to deduce secret data from its power curve.
The new technique published in CHES 2004 was named Correlation Power Analysis, and soon researchers began using it to check for unintentional information leakages in smart cards.