An energy efficient AES engine with DPA-resistance

Chung, Hye Won

Author(s)

Chung, Hye Won

DownloadFull printable version (9.740Mb)

Alternative title

Energy efficient Advanced Encryption Standard engine with Differential Power Analysis-resistance

Other Contributors

Massachusetts Institute of Technology. Dept. of Electrical Engineering and Computer Science.

Advisor

Anantha P. Chandrakasan.

Terms of use

M.I.T. theses are protected by copyright. They may be viewed from this source for any purpose, but reproduction or distribution in any format is prohibited without written permission. See provided URL for inquiries about permission. http://dspace.mit.edu/handle/1721.1/7582

Metadata

Show full item record

Abstract

The advent of portable electronics which transmit and receive sensitive data via wireless communication have led to interest in the design of energy-efficient security engines. The hardware implementation of cryptographic algorithms, however, leaks side-channel information about the operations they process. Differential Power Analysis (DPA) is one of the most powerful attacks to disclose secret key of the engine. This thesis proposes an energy efficient AES-128 engine which is resilient to DPA attacks. A proposed design adopts extensive parallelism and voltage scaling to simultaneously achieve energy efficiency and throughput requirement. Optimized 128-bit architecture and 16 S-boxes placed in the encryption datapath allow the parallel operation of 16 bytes of encryption data at supply voltages in the subthreshold region while maintaining more than tens of Mbps throughput rate. The energy efficient AES core, which does not incorporate techniques to mitigate DPA attack, can operate at 0.35V with 54.12pJ/encrypt. and 64.6Mbps. Before developing countermeasures against DPA, a previously suggested DPA attack methodology in [1] is studied and modified to disclose secret key of our system. The transition power of register is estimated by using the byte-oriented reverse algorithm of AES with the knowledge of a ciphertext and a guess of a secret key. Correlation between the power estimate and the power measurement discloses 12 key bytes (among 16) within 20K encryption runs. A newly proposed AES architecture which balances the Hamming weight of register input can protect the system from DPA attacks.

(cont.) The secured core has been subjected to 100K encryptions, 33x more than the number of runs at which attack can disclose a secret key of the unprotected core, but none of its secret key have yet been disclosed. When running the encryption core at 0.4V and 10IMHz, power increases by 2x compared to the unprotected core. Maximum throughput at 1.OV is reduced by 2/3 for protected core compared with the unprotected core. This IC performance overhead comes at the cost of the increased security.

Description

Thesis (S.M.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2009.

Cataloged from PDF version of thesis.

Includes bibliographical references (p. 73-75).

Date issued

2009

URI

http://hdl.handle.net/1721.1/55146

Department

Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science

Publisher

Massachusetts Institute of Technology

Keywords

Electrical Engineering and Computer Science.

Collections

Graduate Theses