Investigation of DPA Resistance of Block RAMs in Cryptographic Implementations on FPGAs

Shah, shaunak; Velegalati, Rajesh; Kaps, Jens-Peter; Hwang, D.

doi:10.1109/reconfig.2010.80

Cited by 28 publications

(17 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In [2], the authors only analyze architectures that store the S-Boxes in BRAMs, obtaining that about 5000 traces are needed to recover the last round key with a success rate of 80 %. The number of traces reported in [33] is higher (greater than 11,000). This difference may be due to measurement setup differences between these works.…”

Section: Performance Results and Comparisonmentioning

confidence: 85%

“…The discussion of these results is presented below. AES T-Box-based implementations have been previously attacked using two kinds of side-channel attacks: power analysis techniques and microprocessor cache leakages [20,33].…”

Section: Performance Results and Comparisonmentioning

confidence: 99%

“…In [33] and [2], the resistance of BRAM-based AES implementations was evaluated against side-channel power attacks (DPA). The authors presented their findings only for AES-128.…”

Section: Performance Results and Comparisonmentioning

confidence: 99%

“…The use of FPGA block memories to implement the abovementioned operations motivated further research into the security properties of these elements against implementation attacks (e.g., side-channel attacks) [2,33]. This paper presents a new way of attacking AES implementations in Xilinx FPGA devices that use embedded block memories (BRAMs) to store T-Boxes.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

AES T-Box tampering attack

2015

View full text Add to dashboard Cite

The use of embedded block memories (BRAMs) in Xilinx FPGA devices makes it possible to store the T-Boxes that are employed to implement the AES block cipher's SubBytes and MixColumns operations. Several studies into BRAM resistance to side-channel attacks have been reported in the literature, whereas this paper presents a novel attack based on tampering the BRAMs storing the T-Boxes. This approach allows recovering the key using a ciphertextonly attack for all AES key sizes. The complexity of the attack makes it completely feasible. The attack was mounted against previously reported FPGA-based AES implementations, taking into account the different design criteria used in each case and focusing mainly on the implementation of the final round of the AES algorithm, which plays a crucial role in the analysis. Three different final round implementations extracted from well-known existing architectures are analyzed in this work. The paper also discusses some countermeasures with regard to security, performance and FPGA resource utilization. The attack is presented against FPGAbased implementations but it can be extended to software architectures as well.

show abstract

Section: Performance Results and Comparisonmentioning

confidence: 85%

Section: Performance Results and Comparisonmentioning

confidence: 99%

“…In [33] and [2], the resistance of BRAM-based AES implementations was evaluated against side-channel power attacks (DPA). The authors presented their findings only for AES-128.…”

Section: Performance Results and Comparisonmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

AES T-Box tampering attack

2015

View full text Add to dashboard Cite

show abstract

“…Indeed, they are undoubtedly the resource that leaks the most. Also, the rest of the logic can be advantageously hidden in tables, thereby limiting their side-channel leakage [36]. It is referred to as "tabulated round logic" in Figure 1.…”

Section: Leakage Squeezing For Additive Boolean Maskingmentioning

confidence: 99%

Leakage squeezing: Optimal implementation and security evaluation

Carlet

Danger

Guilley

et al. 2014

Journal of Mathematical Cryptology

View full text Add to dashboard Cite

Hardware devices can be protected against side-channel attacks by introducing one random mask per sensitive variable. The computation throughout is unaltered if the shares (masked variable and mask) are processed concomitantly, in two distinct registers. Nonetheless, this setup can still be attacked if the side-channel is squared, because this operation causes an interference between the two shares. This more sophisticated analysis is referred to as a zero-offset second-order correlation power analysis (CPA) attack. When the device leaks in Hamming distance, the countermeasure can be improved by the "leakage squeezing". It consists in manipulating the mask through a bijection, aimed at reducing the dependency between the shares' leakage. Thus d th-order zero-offset attacks, that consist in applying CPA on the d th power of the centered side-channel traces, can be thwarted for d 2 at no extra cost. We denote by n the size in bits of the shares and call F the transformation function, that is, a bijection of F n 2 . In this paper, we explore the functions F that thwart zero-offset high-order CPA (HO-CPA) of maximal order d . We mathematically demonstrate that optimal choices for F relate to optimal binary codes (in the sense of communication theory). First, we exhibit optimal linear F functions. They are suitable for masking schemes where only one mask is used throughout the algorithm. Second, we note that for values of n for which non-linear codes exist with better parameters than linear ones, better protection levels can be obtained. This applies to implementations in which each mask is randomly cast independently of the previous ones. These results are exemplified in the case n D 8, where the optimal F can be identified: it is derived from the optimal rate 1=2 binary code of size 2n, namely the Nordstrom-Robinson .16; 256; 6/ code. This example provides explicitly with the optimal protection that limits to one mask of byte-oriented algorithms such as AES or AES-based SHA-3 candidates. It protects against all zero-offset HO-CPA attacks of order d Ä 5. Eventually, the countermeasure is shown to be resilient to imperfect leakage models, where the registers leak differently than the sum of their toggling bits.

show abstract

An efficient single unit T‐box/T⁻¹‐box implementation for 128‐bit AES on FPGA

Kundi

Aziz

Kazmi

2014

Security Comm Networks

View full text Add to dashboard Cite

In this paper, we present an area efficient Block RAM (BRAM)‐based single unit design of T‐box/T−1‐box on a Field Programmable Gate Array (FPGA) for combined Advanced Encryption Standard (AES) encryption and decryption. Conventional FPGA designs for T‐box module not only utilize several BRAMs for 16 bytes parallel look‐up operations but also because of asymmetric nature of AES, use separate hardware for T−1‐box unit in decryption process. Alternatively in iterative architecture, BRAM in dual‐port mode configuration takes eight clock cycles to access 16 look‐up operations from a T‐box because of its synchronous nature. Thus, resulting in an unoptimized solution not only in term of FPGA resources but also results in high latency for iterative architecture. Our proposed design uses single symmetric T‐box/T−1‐box table with same set of single resource‐shared hardware for both the encryptor and decryptor and at the same time performs eight look‐up operations from single BRAM in one clock cycle using efficient BRAM switching technique instead of using multirated clocking. Our complete 128‐bit symmetric T‐box/T−1‐box design fits into just 2 BRAMs and 136 Slices. It occupies lowest area reported to date with 50% power saving and highest Throughput Per Slice (TPS) of 10.77. Copyright © 2014 John Wiley & Sons, Ltd.

show abstract

Investigation of DPA Resistance of Block RAMs in Cryptographic Implementations on FPGAs

Cited by 28 publications

References 19 publications

AES T-Box tampering attack

AES T-Box tampering attack

Leakage squeezing: Optimal implementation and security evaluation

An efficient single unit T‐box/T⁻¹‐box implementation for 128‐bit AES on FPGA

Contact Info

Product

Resources

About

Investigation of DPA Resistance of Block RAMs in Cryptographic Implementations on FPGAs

Cited by 28 publications

References 19 publications

AES T-Box tampering attack

AES T-Box tampering attack

Leakage squeezing: Optimal implementation and security evaluation

An efficient single unit T‐box/T−1‐box implementation for 128‐bit AES on FPGA

Contact Info

Product

Resources

About

An efficient single unit T‐box/T⁻¹‐box implementation for 128‐bit AES on FPGA