An energy efficient AES engine with DPA-resistance
Author(s)Chung, Hye Won
Energy efficient Advanced Encryption Standard engine with Differential Power Analysis-resistance
Massachusetts Institute of Technology. Dept. of Electrical Engineering and Computer Science.
Anantha P. Chandrakasan.
MetadataShow full item record
The advent of portable electronics which transmit and receive sensitive data via wireless communication have led to interest in the design of energy-efficient security engines. The hardware implementation of cryptographic algorithms, however, leaks side-channel information about the operations they process. Differential Power Analysis (DPA) is one of the most powerful attacks to disclose secret key of the engine. This thesis proposes an energy efficient AES-128 engine which is resilient to DPA attacks. A proposed design adopts extensive parallelism and voltage scaling to simultaneously achieve energy efficiency and throughput requirement. Optimized 128-bit architecture and 16 S-boxes placed in the encryption datapath allow the parallel operation of 16 bytes of encryption data at supply voltages in the subthreshold region while maintaining more than tens of Mbps throughput rate. The energy efficient AES core, which does not incorporate techniques to mitigate DPA attack, can operate at 0.35V with 54.12pJ/encrypt. and 64.6Mbps. Before developing countermeasures against DPA, a previously suggested DPA attack methodology in  is studied and modified to disclose secret key of our system. The transition power of register is estimated by using the byte-oriented reverse algorithm of AES with the knowledge of a ciphertext and a guess of a secret key. Correlation between the power estimate and the power measurement discloses 12 key bytes (among 16) within 20K encryption runs. A newly proposed AES architecture which balances the Hamming weight of register input can protect the system from DPA attacks.(cont.) The secured core has been subjected to 100K encryptions, 33x more than the number of runs at which attack can disclose a secret key of the unprotected core, but none of its secret key have yet been disclosed. When running the encryption core at 0.4V and 10IMHz, power increases by 2x compared to the unprotected core. Maximum throughput at 1.OV is reduced by 2/3 for protected core compared with the unprotected core. This IC performance overhead comes at the cost of the increased security.
Thesis (S.M.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2009.Cataloged from PDF version of thesis.Includes bibliographical references (p. 73-75).
DepartmentMassachusetts Institute of Technology. Department of Electrical Engineering and Computer Science
Massachusetts Institute of Technology
Electrical Engineering and Computer Science.