Principles on the Security of AES against First and Second-Order Differential Power Analysis
The Advanced Encryption Standard (AES) is a 128-bit block cipher that is currently being widely used in smartcards. Differential Power Analysis (DPA) is a powerful technique used to attack a cryptographic implementation in a resource-limited application environment like smartcards. Despite the extensive research on DPA of AES, it seems none has explicitly addressed the fundamental issue: How many rounds of the beginning and end parts of an AES implementation should be protected in order to resist practical DPA attacks, namely first and second-order DPA attacks? Implementation designers may think that it is sufficient to protect the first and last one (or one and a half) rounds of AES, leaving the inner rounds unprotected or protected by simple countermeasures. In this paper, we show that power leakage of some intermediate values from the more inner rounds of AES can be exploited to conduct first and/or second-order DPA attacks by employing techniques such as fixing certain plaintext/ciphertext bytes. We give five general principles on DPA vulnerability of unprotected AES implementations, and then give several general principles on DPA vulnerability of protected AES implementations. These principles specify which positions of AES are vulnerable to first and second-order DPA. To justify the principles, we attack two recently proposed AES implementations that use two kinds of countermeasures to achieve a high resistance against power analysis, and demonstrate that they are even vulnerable to DPA. Finally, we conclude that at least the first two and a half rounds and the last three rounds should be secured for an AES implementation to be resistant against first and second-order DPA in practice.
Keywords: Side channel cryptanalysis; Advanced Encryption Standard; Differential power analysis
Authors: Jiqiang Lu, Jing Pan, Jerry den Hartog
Affiliation: Department of Mathematics and Computer Science, Eindhoven University of Technology, 5600 MB Eindhoven
Publication type: International conference
Venue: 8th International Conference, ACNS 2010 (8th International Conference on Applied Cryptography and Network Security)
Location: Beijing
Language: English
Pages: 168-185
Date: 2010-06-22 (date the record was first put online on the Wanfang platform; not the paper's publication date)