Simple Power Analysis on AES Key Expansion Revisited

  • Christophe Clavier
  • Damien Marion
  • Antoine Wurcker
Conference paper

DOI: 10.1007/978-3-662-44709-3_16

Volume 8731 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Clavier C., Marion D., Wurcker A. (2014) Simple Power Analysis on AES Key Expansion Revisited. In: Batina L., Robshaw M. (eds) Cryptographic Hardware and Embedded Systems – CHES 2014. CHES 2014. Lecture Notes in Computer Science, vol 8731. Springer, Berlin, Heidelberg

Abstract

We consider a simple power analysis on an 8-bit software implementation of the AES key expansion. Assuming that an attacker is able to observe the Hamming weights of the key bytes generated by the key expansion, previous works from Mangard and from VanLaven et al. showed how to exploit this information to recover the key from unprotected implementations.

Our contribution considers several possible countermeasures that are commonly used to protect the encryption process and may well be adopted to protect the computation and/or the manipulation of round keys from this attack. We study two different Boolean masking countermeasures and present efficient attacks against both of them. We also study a third countermeasure based on the computation of the key expansion in a shuffled order. We show that it is also possible to attack this countermeasure by exploiting the side-channel leakage only. As this last attack requires a not negligible computation effort, we also propose a passive and active combined attack (PACA) where faults injected during the key expansion are analyzed to derive information that render the side-channel analysis more efficient. These results put a new light on the (in-)security of implementations of the key expansion with respect to SPA.

As a side contribution of this paper, we also investigate the open question whether two different ciphering keys may be undistinguishable in the sense that they have exactly the same set of expanded key bytes Hamming weights. We think that this problem is of theoretical interest as being related to the quality of the diffusion process in the AES key expansion. We answer positively to this open question by devising a constructive method that exhibits many examples of such ambiguous observations.

Keywords

side-channel analysis simple power analysis passive and active combined attacks AES key expansion 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Christophe Clavier
    • 1
  • Damien Marion
    • 1
  • Antoine Wurcker
    • 1
  1. 1.Université de Limoges, XLIM-CNRSLimogesFrance