Input Correlation Clause Samples

Input Correlation. To determine where the computations leak we compute the correlation of values that we know and that are going to be used in the sensitive variable. If we look at Fig. 4a, we see the correlation of the measured power consumption with the Hamming weight of w[9]. The same approach was applied for σ1(w[14]). For w[9] we observe peaks in the correlation and for σ1(w[14]) we only observe noise. The value w[9] is directly loaded from the memory to a register while σ1(w[14]) is not loaded from the memory, but w[14] is and has the linear computation σ1 applied afterwards. We only observe correlation with values directly loaded from the memory. This lead us to the conclusion that the memory bus provided us with the highest observed leakage. If we look at Fig. 4b we see a power trace of the compression function com- putation where the message expansion is computed. Each negative peak corre- sponds to a round. The first 16 rounds are shorter as in WolfSSL the message schedule does not happen before the compression rounds start, but on the fly. The time samples in Fig. 4b correspond to time samples in Fig. 4a, thus we can relate the peaks to the round where they appear. The first peak is when word w[9] is used in the round function at round 9 and the second peak at round 24 when w[9] is used to compute σ0(w[9]). There is no input correlation at round