Simple Power Analysis on AES Key Expansion Revisited

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8731)


We consider a simple power analysis on an 8-bit software implementation of the AES key expansion. Assuming that an attacker is able to observe the Hamming weights of the key bytes generated by the key expansion, previous works from Mangard and from VanLaven et al. showed how to exploit this information to recover the key from unprotected implementations.

Our contribution considers several possible countermeasures that are commonly used to protect the encryption process and may well be adopted to protect the computation and/or the manipulation of round keys from this attack. We study two different Boolean masking countermeasures and present efficient attacks against both of them. We also study a third countermeasure based on the computation of the key expansion in a shuffled order. We show that it is also possible to attack this countermeasure by exploiting the side-channel leakage only. As this last attack requires a not negligible computation effort, we also propose a passive and active combined attack (PACA) where faults injected during the key expansion are analyzed to derive information that render the side-channel analysis more efficient. These results put a new light on the (in-)security of implementations of the key expansion with respect to SPA.

As a side contribution of this paper, we also investigate the open question whether two different ciphering keys may be undistinguishable in the sense that they have exactly the same set of expanded key bytes Hamming weights. We think that this problem is of theoretical interest as being related to the quality of the diffusion process in the AES key expansion. We answer positively to this open question by devising a constructive method that exhibits many examples of such ambiguous observations.


side-channel analysis simple power analysis passive and active combined attacks AES key expansion 


  1. 1.
    Biham, E., Shamir, A.: Power Analysis of the Key Scheduling of the AES Candidates. In: Second AES Candidate Conference – AES2, Rome, Italy (1999)Google Scholar
  2. 2.
    Brier, E., Clavier, C., Olivier, F.: Correlation Power Analysis with a Leakage Model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  3. 3.
    Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 13–28. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  4. 4.
    Gierlichs, B., Batina, L., Tuyls, P., Preneel, B.: Mutual Information Analysis. In: Oswald, E., Rohatgi, P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 426–442. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  5. 5.
    Koç, Ç.K., Paar, C.: CHES 2000. LNCS, vol. 1965. Springer, Heidelberg (2000)CrossRefzbMATHGoogle Scholar
  6. 6.
    Kocher, P.C.: Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)Google Scholar
  7. 7.
    Kocher, P.C., Jaffe, J., Jun, B.: Differential Power Analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  8. 8.
    Mangard, S.: A Simple Power-Analysis (SPA) Attackon Implementations of the AES Key Expansion. In: Lee, P.J., Lim, C.H. (eds.) ICISC 2002. LNCS, vol. 2587, pp. 343–358. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  9. 9.
    Mayer-Sommer, R.: Smartly analyzing the simplicity and the power of simple power analysis on smartcards. In: Koç, Paar (eds.) [5], pp. 78–92Google Scholar
  10. 10.
    Messerges, T.S.: Using Second-Order Power Analysis to Attack DPA Resistant Software. In: Koç, Paar (eds.) [5], pp. 238–251 Google Scholar
  11. 11.
    Messerges, T.S., Dabbish, E.A., Sloan, R.H.: Investigations of Power Analysis Attacks on Smartcards. In: WOST 1999: Proceedings of the USENIX Workshop on Smartcard Technology, pp. 151–162. USENIX Association, Berkeley (1999)Google Scholar
  12. 12.
    National Institute of Standards and Technology. Advanced Encryption Standard (AES). Federal Information Processing Standard #197 (2001)Google Scholar
  13. 13.
    VanLaven, J., Brehob, M., Compton, K.J.: Side Channel Analysis, Fault Injection and Applications - A Computationally Feasible SPA Attack on AES via Optimized Search. In: Sasaki, R., Qing, S., Okamoto, E., Yoshiura, H. (eds.) SEC 2005. IFIP AICT, vol. 181, pp. 577–588. Springer, Heidelberg (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  1. 1.Université de Limoges, XLIM-CNRSLimogesFrance

Personalised recommendations