Successfully Attacking Masked AES Hardware Implementations
In recent years, several masking schemes for AES have been proposed to secure hardware implementations against DPA attacks. To investigate the effectiveness of these countermeasures in practice, we have designed and manufactured an ASIC. The chip features one unmasked and two masked AES-128 encryption engines that can be attacked independently.
In addition to conventional DPA attacks on the output of registers, we have also mounted attacks on the output of logic gates. Based on simulations and physical measurements, we show that the unmasked and masked implementations leak side-channel information due to glitches at the output of logic gates. It turns out that masking the AES S-Boxes does not prevent DPA attacks if glitches occur in the circuit.
Keywords: AES, ASIC, DPA, Masking, Power Analysis