The goal of t-private circuits is to protect information processed by the circuit. This work presents the first practical power analysis evaluation of the t-private logic style for FPGAs. Following the synthesis technique introduced at HOST 2012, a t-private S-box of the Present block cipher is synthesized and analyzed with respect to side channel leakage. The analysis is performed on simulated power traces as well as real power measurements taken from an implementation on a Virtex 5 FPGA. Classical correlation power analysis and correlation-enhanced collision analysis are applied to detect first-order leakages. Our results reveal a remaining first-order side channel attack vulnerability.
I. MOTIVATION
Implementation attacks are a common threat to cryptographic cores in hardware. In many embedded applications, the attacker has physical access to the chip containing the crypto core. That access can be abused to recover critical secrets, namely cryptographic keys. Common attack techniques include invasive attacks such as probing as well as non-invasive attacks such as power, EM and timing attacks. Power and EM side channel attacks are particularly interesting, because, unlike probing attacks, the equipment and hardware-specific knowledge necessary to perform them is minimal. At the same time, power and EM attacks are extremely difficult to completely prevent. One of the common and well studied techniques to hinder power analysis is masking. Masking splits internal states of logic into two or more random shares so that secret information can only be extracted from their combination. It has been found that masking can be overcome by higher order side channel analysis. However, if implemented correctly, first order (or in general lower order) side channel attacks are prevented, while higher order attacks are known to need a much higher number of traces to succeed, yielding practical security for many applications. Nevertheless, the price is high in terms of the introduced area overhead and the care that is needed to implement the masking countermeasure correctly.
t-private circuits are a countermeasure that was originally proposed to counter probing attacks. They are fairly similar to the above-described approaches, as they are also based on the principle of secret sharing. In [1] the authors show a methodology where t-private circuits can be efficiently mapped to FPGAs. While side channel resistance is not explicitly claimed in [1], the work suggests that t-private circuits protect against a stronger adversary, i.e. the probing adversary that can observe internal states directly, instead of an aggregate leakage through the common power supply.
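The masking principle described above can be checked on simulated traces. The following is an added example, not code or data from this paper: a known-key leakage evaluation of the Present S-box output with and without two-share Boolean masking. The Hamming-weight-plus-Gaussian-noise leakage model, the two-sample trace layout, the key value 0x9 and the trace count are assumptions made for the illustration; it does not model the t-private synthesis of [1] or the FPGA measurements.

```python
import math
import random

# PRESENT 4-bit S-box (from the public cipher specification).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def hw(x):
    return bin(x).count("1")

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy)

def simulate(key, n, masked, noise=1.0, seed=1):
    """Two-sample traces; leakage model (assumed): Hamming weight + Gaussian noise."""
    rng = random.Random(seed)
    pts, traces = [], []
    for _ in range(n):
        p = rng.randrange(16)
        y = SBOX[p ^ key]
        m = rng.randrange(16) if masked else 0   # fresh uniform mask per run
        # Share y^m leaks at sample 0, share m at sample 1 (unmasked: m = 0).
        pts.append(p)
        traces.append([hw(y ^ m) + rng.gauss(0, noise), hw(m) + rng.gauss(0, noise)])
    return pts, traces

def first_order(key, pts, traces):
    """Largest |correlation| of any single sample with HW(S(p ^ key))."""
    model = [hw(SBOX[p ^ key]) for p in pts]
    return max(abs(pearson(model, [t[i] for t in traces])) for i in (0, 1))

def second_order(key, pts, traces):
    """|correlation| of the centered product of both samples with HW(S(p ^ key))."""
    model = [hw(SBOX[p ^ key]) for p in pts]
    m0 = sum(t[0] for t in traces) / len(traces)
    m1 = sum(t[1] for t in traces) / len(traces)
    return abs(pearson(model, [(t[0] - m0) * (t[1] - m1) for t in traces]))

if __name__ == "__main__":
    for masked in (False, True):   # constructed key 0x9, 5000 simulated traces
        pts, tr = simulate(0x9, 5000, masked)
        print(masked, round(first_order(0x9, pts, tr), 3), round(second_order(0x9, pts, tr), 3))
```

In this idealized model the single-sample correlation collapses once the mask is applied, while the combined-sample statistic stays clearly nonzero but much smaller than the unmasked first-order value, which is why higher order analysis needs more traces.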
The application of the t-private logic as a Differential Power Analysis (DPA) countermeasure was studied in more detail in [2]. That work describes a method of finding circuits with a low DPA robustness and replacing that logic with a t-private countermeasure to mitigate these problems. The paper, however, does not describe the overall DPA resistance of t-private logic.
In this wo...