A Side-Channel and Fault-Attack Resistant AES Circuit Working on Duplicated Complemented Values

M. Doulcier-Verdier1,2, J-M. Dutertre2, J. Fournier1,2, J-B. Rigaud2, B. Robisson1,2 & A.Tria1,2.

1 2

Context •  Cryptographic circuits are subjected to different

kinds of non-invasive physical attacks:

Side-Channel Attacks •  Differential Power/EM

Analysis •  Correlation Power/EM

Analysis

Fault Attacks •  Differential Fault Analysis

Side-Channel Attacks EM/Power

Measurements Input

Messages

Key Guesses Statistical

Analysis

Right key guess with highest peak!

Differential Fault Attacks

Secret Key K

Input Message M

Correct cipher C

Secret Key K

Input Message M

Faulted cipher C’

DFA Secret Key K

revealed!

Advanced Encryption Standard

•  The AES was specified by the NIST in 2001 (128-bit key version): –  Input message of 16 bytes arranged into 4x4

matrix. – Message is brewed into a “round” function

which is repeated 10 times. –  Input key of 16 bytes from which sub-keys are

iteratively for each “round” thru a ‘KEY_EXPANDER’ function.

Our Tamper-Resistant AES ‘Original’ AES datapath

‘Duplicated’ AES datapath

Error Propagation: the difference between the data paths is spread:

Against DFA.

The duplicated path works on complemented values to

balance power/EM consumption: Against SCA.

TR-AES Chip •  HCMOS9gp 0.13µm STM

technology. •  Max frequency of 50 MHz. •  1336x1411µm² •  27400 gates

–  Including communication interface.

–  Overhead of 67% wrt non-secure AES in the same technology.

Resistance against EM Analysis •  Performed EM-based Correlation Analysis. •  Used up to 1,000,000 curves done on several

points of the circuit. •  No significant correlation peak obtained for any

key guess.

Resistance to laser fault attacks

•  Characteristics of the laser source used: –  Green 532nm wavelength. –  Spot size between 6 and 12 µm. –  Min energy value (0.2 to 5 nJ).

•  We managed to inject faults in the seperate data paths, –  which lead to the error spreading as expected by our

scheme. –  the resulting cipher text is useless for differential

cryptanalysis

Error propagation using laser

Comparison with design from Tokunaga & Blaauw

Conclusion •  Complemented-duplicated design which offers

counter-measures both against side-channel and fault attacks.

•  Originality of our approach –  We don’t systematically detect the errors but we

spread them to render faulty cipher texts useless for differential cryptanalysis.

–  Since we already duplicate the datapath, we complement the second datapath which provide a counter-measure against side channel attacks at no cost.