
IV. Design and Results

4.2 DPA Attack Methodology

4.2.2 Data Processing and Evaluation

a band-pass filter is applied between the reasonable frequencies of the circuit. For the baseline system running at 100 MHz, a band-pass filter within the Inspector software is set between 90 and 210 MHz. While a narrower frequency band would slightly increase the signal-to-noise ratio, a wider band was selected to improve processing performance for the Riscure software. After the traces are filtered, they are aligned by shifting the data left or right so that the entire AES process is synced on the time scale for all EM traces. Finally, all data before and after the AES run (as seen by the apparent voltage increase in Figure 4.2) is trimmed, leaving only the AES algorithm to be evaluated.

Once the traces have been processed, they can be compared to power models as described in Chapter 2. To effectively attack the AES algorithm, several different models were used on both the first and last round of the algorithm. Only the first and last rounds of the AES algorithm are attacked because of the MixColumns function. The output bytes of the other modules within the AES algorithm depend on only one input byte, and therefore on only one key byte [2]. However, the output bytes of MixColumns depend on four input bytes. This dependency increases the complexity of intermediate value calculation beyond reasonable levels. Instead of having only one byte of the key to evaluate, an attacker would have to evaluate four bytes of the key. This problem compounds as the number of rounds increases, so the number of key guesses grows exponentially with the number of rounds. Instead, only the data before the first MixColumns function or after the last MixColumns function is evaluated. Figure 4.6 shows how the iterative version of AES used in this research works. Each round is evaluated in one clock cycle [27].

Figure 4.6: Iterative Version of AES

Because HW and HD models evaluate the difference in power between a 0 and a 1, it is desirable to attack where intermediate values are temporarily stored. Based on how the iterative version of AES in this research works, an attack appears to be most effective on data before or after the entire round (because the data must be saved and loaded into the next round). However, to fully determine the most effective HW or HD attack, four intermediate values were chosen for HW, and three bit changes were chosen for HD.

It is important to consider the difference between iterative and pipelined versions of AES and whether the countermeasures are applicable to both. In general, the main benefit of using an iterative version of AES is the area required for the circuit [28]. Figure 4.6 shows an iterative approach to AES. The algorithm completes after n clock cycles, where n is the number of rounds. The next block of input data cannot be evaluated until the previous one has completed. On the other hand, pipelined AES unrolls the rounds, allowing each round to process a different block of input data concurrently. This unrolling speeds up the process, but generally requires more memory and space for the circuit [28]. Figure 4.7 shows a graphical view of the pipelined approach.

The main difference when performing DPA on the two types of AES is the noise level. For iterative AES, each round, and therefore each intermediate value, can be isolated to specific points along the time scale. Also, no other data is being evaluated at that specific point in time, which minimizes the background noise. For pipelined AES, up to 10 rounds can be evaluated in one clock cycle (for 128-bit AES). Therefore, the power trace will contain the desired intermediate value plus nine other intermediate values. In this case, the other rounds act as noise. However, bit-balancing and random clocking work for both implementations. Because the noise level for iterative AES is lower, it has been chosen for this research. This approach minimizes the number of traces required to attack the implementations, saving both time and resources. However, the two countermeasures proposed in this research should work effectively for pipelined AES as well.

When performing HW and HD attacks on the circuit, seven different intermediate values or intermediate value pairs were chosen:

1. HW: First Round Before SBOX
2. HW: First Round After SBOX
3. HW: Last Round Before SBOX
4. HW: Last Round After SBOX
5. HD: First Round Between Values Before and After SBOX
6. HD: Last Round Between Values Before and After SBOX
7. HD: Last Round Between Values Before SBOX and Round Output

When evaluating the last round, the original key cannot be used; instead, the last round key is used, as given in Equation 4.1.

The correlation is performed using MATLAB software. After evaluating each modeling technique on the different intermediate values, it appears the HD on the last round between the intermediate value before the SBOX and the ciphertext (choice 7) provides the highest correlation. This result makes sense because if the input and output data to the rounds are being stored in the same register, then the values in those registers would change every clock cycle.
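The comparison between choice 7 (HD) and choice 3 (HW) can be reproduced on synthetic data. The following Python sketch is an added example, not code from this research (which used Inspector and MATLAB); it assumes the state register is overwritten with the ciphertext and leaks its total Hamming distance plus Gaussian noise, and the function names, round key and traces are all constructed for illustration.

```python
import random

def build_sbox():  # AES S-box: GF(2^8) inverse followed by the affine transform
    rotl = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    sbox, p, q = [0x63] * 256, 1, 1
    for _ in range(255):                                        # 3 generates all nonzero bytes
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF        # q /= 3, so q = 1/p
        q ^= 0x09 if q & 0x80 else 0
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
    return sbox

SBOX = build_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]
HW = [bin(v).count("1") for v in range(256)]
# ShiftRows on the column-major state: output byte j comes from input byte SR[j]
SR = [j % 4 + 4 * ((j // 4 + j % 4) % 4) for j in range(16)]

def simulate(key10, n, sigma, rng):
    """Constructed traces: one sample per encryption (assumed register-overwrite leakage)."""
    cts, leaks = [], []
    for _ in range(n):
        state = [rng.randrange(256) for _ in range(16)]           # register before last round
        ct = [SBOX[state[SR[j]]] ^ key10[j] for j in range(16)]   # last round has no MixColumns
        leaks.append(sum(HW[s ^ c] for s, c in zip(state, ct)) + rng.gauss(0, sigma))
        cts.append(ct)
    return cts, leaks

def pearson(x, y):
    mx, my = sum(x) / len(x), sum(y) / len(y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx, syy = sum((a - mx) ** 2 for a in x), sum((b - my) ** 2 for b in y)
    return sxy / (sxx * syy) ** 0.5 if sxx and syy else 0.0

def best_guess(cts, leaks, j, hd):
    """(peak |correlation|, guess) for last-round key byte j; hd=True is choice 7, else choice 3."""
    scores = []
    for kg in range(256):
        # Value before SBOX; for HD, XOR with the ciphertext byte that overwrites it
        hyp = [HW[INV_SBOX[ct[j] ^ kg] ^ (ct[SR[j]] if hd else 0)] for ct in cts]
        scores.append((abs(pearson(hyp, leaks)), kg))
    return max(scores)

def demo(seed=1, n=2000, sigma=1.0, j=5):
    rng = random.Random(seed)
    key10 = [rng.randrange(256) for _ in range(16)]               # constructed last round key
    cts, leaks = simulate(key10, n, sigma, rng)
    return key10[j], best_guess(cts, leaks, j, True), best_guess(cts, leaks, j, False)
```

Under this register-overwrite assumption, `demo()` shows the HD hypothesis peaking on the correct last-round key byte, while the HW hypothesis stays at the noise floor because the Hamming weight of the old register value is uncorrelated with the bit flips.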
