Simple Power Analysis on AES Key Expansion Revisited

We consider a simple power analysis on an 8-bit software implementation of the AES key expansion. Assuming that an attacker is able to observe the Hamming weights of the key bytes generated by the key expansion, previous works from Mangard and from VanLaven et al. showed how to exploit this information to recover the key from unprotected implementations. Our contribution considers several possible countermeasures that are commonly used to protect the encryption process and may well be adopted to protect the computation and/or the manipulation of round keys from this attack. We study two different Boolean masking countermeasures and present efficient attacks against both of them. We also study a third countermeasure based on the computation of the key expansion in a shuffled order. We show that it is also possible to attack this countermeasure by exploiting the side-channel leakage only. As this last attack requires a not negligible computation effort, we also propose a passive and active combined attack PACA where faults injected during the key expansion are analyzed to derive information that render the side-channel analysis more efficient. These results put a new light on the in-security of implementations of the key expansion with respect to SPA. As a side contribution of this paper, we also investigate the open question whether two different ciphering keys may be undistinguishable in the sense that they have exactly the same set of expanded key bytes Hamming weights. We think that this problem is of theoretical interest as being related to the quality of the diffusion process in the AES key expansion. We answer positively to this open question by devising a constructive method that exhibits many examples of such ambiguous observations.

[1]  Christof Paar,et al.  Cryptographic Hardware and Embedded Systems - CHES 2002 , 2003, Lecture Notes in Computer Science.

[2]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[3]  Pankaj Rohatgi,et al.  Cryptographic Hardware and Embedded Systems Ches 2008 , 2009 .

[4]  Paul C. Kocher,et al.  Differential Power Analysis , 1999, CRYPTO.

[5]  Michael Wiener,et al.  Advances in Cryptology — CRYPTO’ 99 , 1999 .

[6]  Chae Hoon Lim,et al.  Information Security and Cryptology — ICISC 2002 , 2003, Lecture Notes in Computer Science.

[7]  Neal Koblitz,et al.  Advances in Cryptology — CRYPTO ’96 , 2001, Lecture Notes in Computer Science.

[8]  Bart Preneel,et al.  Mutual Information Analysis A Generic Side-Channel Distinguisher , 2008 .

[9]  Pankaj Rohatgi,et al.  Template Attacks , 2002, CHES.

[10]  Rita Mayer-Sommer,et al.  Smartly Analyzing the Simplicity and the Power of Simple Power Analysis on Smartcards , 2000, CHES.

[11]  Thomas S. Messerges,et al.  Investigations of Power Analysis Attacks on Smartcards , 1999, Smartcard.

[12]  Mark Brehob,et al.  Side Channel Analysis, Fault Injection and Applications - A Computationally Feasible SPA Attack on AES via Optimized Search , 2005, SEC.

[13]  Christof Paar,et al.  Cryptographic Hardware and Embedded Systems - CHES 2006, 8th International Workshop, Yokohama, Japan, October 10-13, 2006, Proceedings , 2006, CHES.

[14]  Stefan Mangard,et al.  A Simple Power-Analysis (SPA) Attack on Implementations of the AES Key Expansion , 2002, ICISC.

[15]  Henk L. Muller,et al.  Cryptographic Hardware and Embedded Systems — CHES 2001 , 2001, Lecture Notes in Computer Science.

[16]  Simon Heron,et al.  Encryption: Advanced Encryption Standard (AES) , 2009 .

[17]  Thomas S. Messerges,et al.  Using Second-Order Power Analysis to Attack DPA Resistant Software , 2000, CHES.

[18]  Christophe Clavier,et al.  Correlation Power Analysis with a Leakage Model , 2004, CHES.

[19]  Bart Preneel,et al.  Mutual Information Analysis , 2008, CHES.