up:: Classical Cryptography MOC

Differential Power Analysis

Differential Power Analysis is a statistical side-channel attack that recovers a secret key by recording the power a device draws across many cryptographic operations and then correlating those measurements against a hypothesis about a secret-dependent intermediate value, so that the correct key guess produces a visible statistical spike and every wrong guess averages away into noise. Introduced by Paul Kocher, Joshua Jaffe, and Benjamin Jun in 1999, it is the technique that turned power measurement from a lab curiosity into a practical way to pull keys out of smart cards and embedded devices, and it is the archetypal physical attack that masking and constant-time design exist to defeat. Because it reads the key from the silicon rather than the math, it applies to a post-quantum algorithm like ML-DSA exactly as it applies to RSA or AES-256.

The short version:

  1. Differential Power Analysis attacks the implementation, not the algorithm. It reads a key from how much power a chip draws while it computes, so the strength of the cipher on paper is beside the point.
  2. It beats noise with statistics. Where a leak is far too small to see in any single measurement, averaging thousands of measurements makes the correct key guess stand out and washes the wrong guesses flat.
  3. It attacks the key one small piece at a time. The attacker guesses a few key bits, predicts an intermediate value, and tests that prediction across every trace, so a long key gives no protection.
  4. Its defenses are masking, hiding, blinding, and constant-time or constant-power hardware. Each one costs performance or complexity, which is why implementations skip them and get broken.
  5. Post-quantum algorithms are exposed too. A quantum-safe scheme like ML-KEM or ML-DSA still leaks its key to Differential Power Analysis if it is coded without side-channel defenses, which is why NIST wrote intermediate-value destruction into the standard.

Picture trying to learn a card by watching a dealer whose hand trembles a hair more on a red card than a black one. The tremor is far too faint to read on any single deal, and the honest noise of a shaking hand swamps it completely.

So you watch ten thousand deals, sort them by a guess about the card, and average each pile. If your guess is right, the two averages pull apart at the exact moment the card is turned, and if your guess is wrong, both piles average to the same blur. Differential Power Analysis is that patient watcher, translated into a current probe on a chip’s power line and pointed at the microscopic flickers in how much electricity the processor burns.

What is Differential Power Analysis?

Differential Power Analysis is a class of side-channel attack that recovers secret keys by statistically analyzing the power a cryptographic device consumes over many runs of an operation. It rests on one physical fact: the instantaneous current a digital circuit draws depends on the data it is processing, roughly on how many bits are flipping from 0 to 1 and back at each step. When some of those flipping bits depend on the secret key, the power trace carries a faint imprint of the key, and Differential Power Analysis is the machinery for lifting that imprint out even when it is buried far below the measurement noise.

The attack was introduced by Paul Kocher, Joshua Jaffe, and Benjamin Jun at CRYPTO 1999, in the paper that named it, three years after Kocher had shown that timing alone could break implementations of RSA and Diffie-Hellman. It reframed what “breaking” a cipher means. A mathematical attack treats the algorithm as a black box and tries to defeat the number theory; Differential Power Analysis opens the box and watches the machine work, so a device running a NIST-standard cipher with a full-size key can still hand over that key through its power line.

Two properties make it dangerous in practice:

  1. It sidesteps the security proof. A proof of an algorithm’s strength describes an idealized computation and says nothing about the transistors running it. The key can be the right size and the algorithm a published standard, and a leaky implementation still gives it away.
  2. It needs cheap equipment and no math breakthrough. The core setup is a small resistor in the device’s power line and an oscilloscope to record the voltage across it. The statistics that turn those recordings into a key are ordinary averaging, well within reach of a modestly funded attacker.

Source: P. Kocher, J. Jaffe, B. Jun, “Differential Power Analysis,” Advances in Cryptology, CRYPTO ‘99, LNCS 1666, pp. 388-397, Springer.

How does Differential Power Analysis work?

Differential Power Analysis works by guessing a small part of the key, using that guess to predict a secret-dependent value inside the computation, and then checking the prediction against thousands of recorded power traces with a statistical test that only lights up when the guess is right. The chip does subtly different electrical work depending on the value it is handling, and that difference, invisible in any one trace, becomes unmistakable across a large enough pile. The attack runs as an ordered sequence:

  1. Pick a target intermediate value. The attacker chooses a spot in the algorithm where some bits depend on a small chunk of the key and on data the attacker can see, such as the output of a cipher’s substitution box early in the first round, which depends on one key byte and one known input byte.
  2. Collect many traces. The device runs the operation on many different known inputs while the attacker records the power consumption for each run. Each recording is one trace, and Differential Power Analysis typically needs a large batch of them.
  3. Guess a key chunk and predict a bit. For one guess of the small key chunk, the attacker computes what the target intermediate value would be for every input, and reads off one bit of it (a “selection function”).
  4. Partition and average. The attacker sorts the traces into two piles by that predicted bit, 0 in one pile and 1 in the other, then averages each pile and subtracts one average from the other to form a differential trace.
  5. Read the verdict. If the key guess was correct, the predicted bit really did drive the device’s power at the moment it was computed, so the two piles differ there and the differential trace shows a sharp spike. If the guess was wrong, the predicted bit is uncorrelated with anything the device actually did, the two piles average to the same curve, and the differential trace stays flat.
  6. Repeat across every chunk. The attacker tries all guesses for the chunk, keeps the one that spikes, and moves to the next chunk until the whole key is recovered.

The step that makes this devastating is the divide-and-conquer structure. Because the attacker recovers the key a few bits at a time, testing a handful of guesses per chunk, the total work grows with the length of the key rather than with the size of the key space. A 128-bit key is not searched as one impossible space of 2^128 possibilities; it is peeled apart chunk by chunk, which is why simply using a longer key buys no defense against this attack.

Source: P. Kocher, J. Jaffe, B. Jun, “Differential Power Analysis,” Advances in Cryptology, CRYPTO ‘99, LNCS 1666, pp. 388-397, Springer.

What is the difference between simple and differential power analysis?

Simple power analysis reads the key from the shape of one trace or a few, while Differential Power Analysis extracts the key statistically from many traces where no single one shows anything useful. Simple power analysis (SPA) works when the secret-dependent operations are large and directly visible: watching the square-versus-multiply pattern in an unprotected RSA exponentiation and reading the exponent bit by bit off a single trace is the textbook case. It fails the moment the leak is small or buried in noise, because there is nothing a human eye can pick out. Differential Power Analysis was built precisely for that harder case, trading the need for a clean, legible trace for the need for a large number of noisy ones and the statistics to average them.

PropertySimple power analysis (SPA)Differential Power Analysis (DPA)
Traces neededOne, or a handfulMany, often thousands
What it exploitsA large, directly visible secret-dependent operationA tiny data-dependent difference in power draw
How the key is readBy inspecting the shape of the trace directlyBy statistically correlating a key guess against all traces
Handles measurement noisePoorly, the leak must be legible by eyeWell, averaging cancels noise and reveals the leak
Typical targetKey-dependent branches, such as square-and-multiplyIntermediate values, such as an S-box output byte
Analyst skill vs dataMore interpretation of one traceMore data and computation, less interpretation

The two are complementary rather than competing. An attacker often uses simple power analysis to understand the layout of an unfamiliar implementation, spotting the rounds and the major operations, and then aims Differential Power Analysis at the exact moment a secret-dependent intermediate value is computed. Defeating the eye by making an implementation “look” smooth on a scope stops simple power analysis and does nothing about the differential version.

Source: P. Kocher, J. Jaffe, B. Jun, “Differential Power Analysis,” Advances in Cryptology, CRYPTO ‘99, LNCS 1666, pp. 388-397, Springer.

Why does Differential Power Analysis defeat noise that simple inspection misses?

Differential Power Analysis defeats noise because averaging cancels everything uncorrelated with the attacker’s guess and preserves the one thing that is. Any single power trace is a mess of contributions: the target leak, the electrical activity of every unrelated part of the chip, thermal noise, and measurement error. In one trace the tiny secret-dependent component is hopelessly outweighed by all of that. When the attacker averages thousands of traces sorted by a correct prediction, the unrelated activity and the noise are random with respect to that prediction, so they average toward a flat baseline, while the secret-dependent component lines up in the same place every time and survives. The faint-imprint-buried-in-noise problem that stops the human eye is exactly the problem statistics are built to solve.

This is the property that makes “it looked constant on the oscilloscope” a false comfort. A device can present a trace with no visible key-dependent feature and still leak a difference of a few thousandths of its total power draw at the right instant, and Differential Power Analysis pulls that difference out by collecting enough traces to average the noise below it. The practical rule that follows is blunt: the more traces an attacker can gather, the smaller the leak they can exploit, so a countermeasure has to shrink or randomize the leak itself, not merely hide it from casual inspection.

Source: P. Kocher, J. Jaffe, B. Jun, “Differential Power Analysis,” Advances in Cryptology, CRYPTO ‘99, LNCS 1666, pp. 388-397, Springer.

What is correlation power analysis, and how does it relate to DPA?

Correlation power analysis is a refinement of Differential Power Analysis that replaces the simple difference-of-means test with a correlation coefficient measured against a model of how the device leaks. Introduced by Éric Brier, Christophe Clavier, and Francis Olivier at CHES 2004, it predicts the actual power a device would draw for each key guess, usually with a Hamming-weight or Hamming-distance model that estimates power from the number of bits set or flipped, and then computes the statistical correlation between that prediction and the measured traces. The guess whose model correlates most strongly with reality is the correct one. Because it uses a richer prediction than a single bit, correlation power analysis often recovers a key from fewer traces than the original single-bit differential test.

Correlation power analysis belongs to the same family and rests on the same idea: a secret-dependent intermediate value leaves a statistical fingerprint in the power trace, and the correct key guess is the one whose predicted fingerprint matches the measurements. Practitioners often use “differential power analysis” loosely to cover this whole family of statistical power attacks, with the difference-of-means method and the correlation method as two specific tools inside it. The defenses are the same for both, because both feed on the correlation between the secret and the device’s power draw.

Source: E. Brier, C. Clavier, F. Olivier, “Correlation Power Analysis with a Leakage Model,” CHES 2004, LNCS 3156, pp. 16-29, Springer.

Does Differential Power Analysis threaten post-quantum cryptography?

Yes. Post-quantum algorithms are quantum-safe in their mathematics, and that mathematics says nothing about whether a given implementation leaks through its power line. A post-quantum scheme that resists Shor’s algorithm perfectly can still surrender its key to Differential Power Analysis if it is built without side-channel defenses, so migrating to ML-KEM or ML-DSA does not by itself close this exposure. NIST treated the concern as first-class rather than an afterthought.

The lattice-based schemes have their own secret-dependent operations for a power attack to target, including the arithmetic over their polynomial rings, the decryption comparison inside their Fujisaki-Okamoto transform, and the rejection sampling in ML-DSA’s signing loop. These have driven an active research line on masking the lattice schemes specifically to blunt Differential Power Analysis. After extended study during standardization, NIST concluded that the differences in how hard the finalist algorithms are to protect against side channels “appear to be small,” so no finalist won or lost on side-channel grounds alone.

The concern is written into the standard itself. FIPS 203 states that conforming to the standard does not by itself ensure a secure implementation, which remains the implementer’s responsibility, and its requirements include a “Destruction of intermediate values” rule: intermediate data that “could be used by an adversary to compromise security” must be destroyed the moment the algorithm is done with it. That is a side-channel requirement sitting in the middle of a math standard, and it exists because those intermediate values are exactly what an attack like Differential Power Analysis reads.

Source: NIST IR 8413-upd1, “Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process,” 2022, csrc.nist.gov.

Source: NIST FIPS 203, “Module-Lattice-Based Key-Encapsulation Mechanism Standard,” Section 3.3, August 2024, FIPS 203.

How do you defend against Differential Power Analysis?

Defending against Differential Power Analysis means breaking the correlation between the secret and the measured power, so that averaging traces never makes the correct key guess stand out. The field does this at both the software and the hardware level, and real high-assurance products layer several techniques rather than trusting one. The established countermeasures:

CountermeasureHow it blunts Differential Power AnalysisCost or limit
MaskingSplits each secret value into random shares processed separately, so no single measured value correlates with the keyHigher order costs roughly quadratic compute and hungry randomness
Hiding (shuffling, added noise)Randomizes the order of operations or adds noise so traces cannot be lined up cleanly for averagingRaises the trace count an attack needs rather than closing the leak
BlindingRandomizes an operation’s inputs before it runs and corrects afterward, so the device never processes a fixed known valueAdds computation and needs a fresh random value per operation
Constant-power or dual-rail logicHardware designed to draw the same current regardless of data, flattening the data-dependent leak at its sourceExtra silicon area and power, imperfect in practice
Leakage-resistant key updatesRefreshes or re-derives keys frequently so no single key is used for enough operations to gather the tracesAdds protocol and key-management complexity

Two points shape how these get chosen:

  1. Masking carries the provable guarantee. It is the primary countermeasure researchers are building for the lattice schemes, because on a noisy device the traces an attacker needs grow exponentially with the masking order while the compute cost grows only quadratically, a favorable trade up to a point.
  2. The honest cost is why unprotected devices keep shipping. Every one of these measures spends performance, memory, randomness, or design effort, so a vendor optimizing for speed or price on a device nobody expects to be attacked physically often ships without them, and that device is what Differential Power Analysis breaks.

Source: S. Chari, C. Jutla, J. R. Rao, P. Rohatgi, “Towards Sound Approaches to Counteract Power-Analysis Attacks,” CRYPTO 1999, LNCS 1666, pp. 398-412, Springer.

Common misconceptions

  1. “A strong algorithm means a secure device.” The proof covers the algorithm, and the attacker faces the silicon. A NIST-standard cipher with a full-size key still leaks if the implementation running it has no side-channel protection, and Differential Power Analysis reads the key straight from the power line.
  2. “A longer key stops Differential Power Analysis.” Key length defends against a mathematical search. This attack recovers the key a few bits at a time from a physical measurement, so its work scales with key length rather than key space, and a bigger key changes almost nothing.
  3. “If nothing shows up on the oscilloscope, the device is safe.” Differential Power Analysis averages thousands of traces to recover a leak far too small for any eye to catch in one trace. Defeating simple inspection is a different thing from defeating the statistics.
  4. “It needs a national-lab budget.” The core rig is a resistor in the power line and an oscilloscope, and the analysis is ordinary averaging. The attack was practical against smart cards in the late 1990s and is more so now.
  5. “Post-quantum algorithms are immune because they are new and quantum-resistant.” Quantum resistance is a property of the math. Lattice schemes like ML-KEM and ML-DSA have secret-dependent operations that leak in unprotected implementations, which is why NIST studied their side-channel resistance and mandated destroying intermediate values.
  6. “Constant-time code closes it.” Constant-time coding removes timing and cache leakage, and it does nothing about the data-dependent power draw that Differential Power Analysis feeds on. That channel needs masking and hardware measures on top.

Questions people ask

What is the difference between SPA and DPA? Simple power analysis reads the key from the visible shape of one trace or a few, so it works only when the secret-dependent operation is large and legible. Differential Power Analysis works statistically across thousands of noisy traces where no single one shows anything, correlating a key guess against all of them, which lets it break implementations that give simple analysis nothing to see.

How many power traces does a Differential Power Analysis attack need? It depends entirely on the device, the amount of noise, and whether any countermeasures are present, ranging from a few hundred on an unprotected chip to far more when hiding or masking raises the bar. The governing rule is that more traces let an attacker exploit a smaller leak, so a defense has to shrink or randomize the leak rather than assume the attacker runs out of measurements.

Is Differential Power Analysis a real-world threat or a lab result? It is a real and repeatedly demonstrated threat. It was used to pull keys from smart cards and pay-television and payment chips soon after it was published, and the same statistical machinery, refined as correlation power analysis, is standard practice in side-channel testing labs today. Any device an attacker can hold and power is in scope.

Does Differential Power Analysis break the algorithm or the implementation? The implementation. The algorithm can be mathematically sound and the key the correct size, and the attack still recovers the key from how the specific chip draws power while it runs. Fixing it is an implementation problem, solved with masking, hiding, blinding, and hardware measures, not a matter of choosing a stronger cipher.

What is correlation power analysis and how is it different? Correlation power analysis is a refinement that swaps the original difference-of-means test for a correlation coefficient measured against a model of how the device leaks, usually based on Hamming weight or Hamming distance. It often needs fewer traces than the classic method and is the workhorse of modern power-analysis labs, but it rests on the same idea and is stopped by the same countermeasures.

Do I need to worry about this if I already moved to post-quantum cryptography? If the hardware holds private keys where an attacker can measure it, yes. Post-quantum migration fixes the math against a quantum computer, and it leaves the power-analysis exposure untouched, so a device like an HSM, secure element, or constrained IoT device running ML-DSA still needs side-channel defenses.

How can I tell whether a product resists Differential Power Analysis? Not from the algorithm name, because two products using the same standard can differ enormously in implementation quality. Meaningful assurance comes from independent side-channel evaluation and certification of the physical implementation, such as testing under FIPS 140-3 and related lab programs, rather than from the cipher printed on the datasheet.

Who invented Differential Power Analysis? Paul Kocher, Joshua Jaffe, and Benjamin Jun published it at CRYPTO 1999, building on Kocher’s 1996 work showing that timing alone could break RSA and Diffie-Hellman implementations. The correlation-based refinement came from Brier, Clavier, and Olivier at CHES 2004.


Everything here is the map, given freely. When your team needs to know whether the devices behind its post-quantum migration actually hold up against attacks like this one, that’s the work I do, and there’s an alignment briefing for it.

Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.