A Side-Channel and Fault-Attack Resistant AES Circuit Working on Duplicated Complemented Values
M. Doulcier-Verdier1,2, J-M. Dutertre2, J. Fournier1,2, J-B. Rigaud2, B. Robisson1,2 & A. Tria1,2.

Context
• Cryptographic circuits are subjected to different kinds of non-invasive physical attacks:
– Side-Channel Attacks: Differential Power/EM Analysis, Correlation Power/EM Analysis.
– Fault Attacks: Differential Fault Analysis.

Side-Channel Attacks
[Figure: EM/power measurements, input messages and key guesses feed a statistical analysis; the right key guess is the one with the highest peak.]

Differential Fault Attacks
[Figure: secret key K and input message M produce the correct cipher C; the same secret key K and input message M produce the faulted cipher C’; DFA reveals the secret key K.]

Advanced Encryption Standard
• The AES was specified by the NIST in 2001 (128-bit key version):
– Input message of 16 bytes arranged into a 4x4 matrix.
– Message is processed by a “round” function which is repeated 10 times.
– Input key of 16 bytes from which sub-keys are iteratively derived for each “round” through a ‘KEY_EXPANDER’ function.

Our Tamper-Resistant AES
• ‘Original’ AES datapath
• ‘Duplicated’ AES datapath
• Error propagation: the difference between the data paths is spread: against DFA.
• The duplicated path works on complemented values to balance power/EM consumption: against SCA.

TR-AES Chip
• HCMOS9gp 0.13µm STM technology.
• Max frequency of 50 MHz.
• 1336x1411µm²
• 27400 gates
– Including communication interface.
– Overhead of 67% wrt non-secure AES in the same technology.

Resistance against EM Analysis
• Performed EM-based Correlation Analysis.
• Used up to 1,000,000 curves done on several points of the circuit.
• No significant correlation peak obtained for any key guess.

Resistance to laser fault attacks
• Characteristics of the laser source used:
– Green 532nm wavelength.
– Spot size between 6 and 12 µm.
– Min energy value (0.2 to 5 nJ).
• We managed to inject faults in the separate data paths,
– which led to the error spreading as expected by our scheme.
– the resulting cipher text is useless for differential cryptanalysis.
Error propagation using laser
Comparison with design from Tokunaga & Blaauw

Conclusion
• Complemented-duplicated design which offers counter-measures both against side-channel and fault attacks.
• Originality of our approach
– We don’t systematically detect the errors but we spread them to render faulty cipher texts useless for differential cryptanalysis.
– Since we already duplicate the datapath, we complement the second datapath, which provides a counter-measure against side-channel attacks at no cost.