A Simple Power-Analysis (SPA) Attack on Implementations of the AES Key Expansion

  • Stefan Mangard
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2587)

Abstract

This article presents a simple power-analysis (SPA) attack on implementations of the AES key expansion. The attack reveals the secret key of AES software implementations on smart cards by exploiting the fact that the power consumption of most smart-card processors leaks information during the AES key expansion. The presented attack efficiently utilizes this information leakage to substantially reduce the key space that needs to be considered in a brute-force search for the secret key. The details of the attack are described on the basis of smart cards that leak the Hamming weight of intermediate results occurring during the AES key expansion.
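To make the leakage model in the abstract concrete, here is an added Python example (not code from the paper): it runs the FIPS 197 AES-128 key expansion while collecting the intermediate words it computes, applies the Hamming-weight leakage model, and counts how many keys stay consistent if every master-key byte leaks its weight. The paper's attack uses leakage from the whole expansion; this example quantifies only what the master-key bytes alone give.

```python
# Hamming-weight leakage model of the AES-128 key expansion (FIPS 197).
# Added example, not the paper's code: no measurement, only the intermediate
# values the schedule computes and how much a per-byte HW leak shrinks the key space.
from math import comb, log2

def _gf_mul(a, b):  # multiplication in GF(2^8), AES polynomial x^8+x^4+x^3+x+1
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def _sbox_byte(x):  # inverse (x^254, so 0 -> 0) followed by the affine map
    inv = 1
    for _ in range(254):
        inv = _gf_mul(inv, x)
    s = inv
    for i in range(1, 5):
        s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
    return s ^ 0x63

SBOX = [_sbox_byte(x) for x in range(256)]
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def expand_key_128(key):
    """Return (round_keys, temps): the 11 round keys (16 bytes each) and the ten
    SubWord(RotWord(w[i-1])) ^ Rcon words; every byte of both is an intermediate
    value whose Hamming weight the smart card may leak."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    temps = []
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= RCON[i // 4 - 1]
            temps.append(t)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)], temps

def hamming_weights(values):  # leakage model from the abstract: HW of each byte
    return [bin(v).count("1") for v in values]

def remaining_key_bits(hw_per_byte):
    """log2 of the keys consistent with a leaked HW for every master-key byte:
    a byte of weight h keeps only C(8, h) of its 256 candidates."""
    return sum(log2(comb(8, h)) for h in hw_per_byte)
```

For the FIPS 197 example key 2b7e151628aed2a6abf7158809cf4f3c, `remaining_key_bits(hamming_weights(round_keys[0]))` is about 86.4, i.e. the per-byte weight leak of the master key alone already cuts the brute-force space from 2^128 to roughly 2^86.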

Keywords

Smart Cards, Power Analysis, SPA, AES, Key Expansion, Key Scheduling



Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Stefan Mangard, Institute for Applied Information Processing and Communications, Graz University of Technology, Graz, Austria
