aes_mask

Experimental core for performing masking of AES by generating noise.

Status

The core is sort of completed. But does it provide masking? Need to implement the testbench to at least try different inputs and see that it generates noise. We should measure toggle rate etc.

Introduction

Differential Side-Channel Power Analysis (DPA) is a well-known method used against cryptosystems to extract secret keys. Different ciphers require different DPA methods tailored to the specific cipher.

For the block cipher AES, DPA methods usually focus on the SubBytes() operation in combination with the AddRoundKey() operation.

Masking is the general term for adding functionality to the cipher to defeat DPA by making it (practically) infeasible to find the difference in energy from a bit of the key in a set of power traces. There are many papers describing masking methods, some of them even provably secure. But due to, for example, glitching, many provably secure masking methods have been shown not to be secure.

Typically, masking methods try to alter the S-boxes by performing a transform before SubBytes(), using an altered S-box, performing AddRoundKey() and then applying another transform to undo the changes of the first transform. Without that final transform, the cipher would not work correctly.

An interesting question related to masking is how expensive the masking functionality is (in terms of computing or gates, registers etc in hardware).

This core is my attempt at performing masking. Not by developing a new transform that modifies the AES implementation, but by adding random power noise in sync with the AES functionality. A separate core that can work in parallel with AES and cause variance in power consumption.

Basically the core implements parts of the AES encipher pipeline. But the key schedule is different. And the S-boxes used are different. The core operates in something akin to CBC mode and the key is transformed between next() calls. This should cause the noise to vary in between calls... Or is that bad? Not sure. Let's find out!

Implementation details

The core borrows the MixColumns and AddRoundKey operations from AES. The core borrows the 4-bit S-boxes from the PRINCE lightweight, low-latency block cipher. The core instantiates 32 of these S-boxes.
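A behavioural sketch of the components listed above, used to measure per-call toggle counts of a 128-bit state register. This is an added example, not the project's RTL or testbench. The order of operations, the XOR chaining standing in for "akin to CBC", the fixed key (the key transform between next() calls is not modelled) and the stimulus are all assumptions.

```python
import random

# PRINCE 4-bit S-box, as given in the PRINCE specification.
PRINCE_SBOX = [0xB, 0xF, 0x3, 0x2, 0xA, 0xC, 0x9, 0x1, 0x6, 0x7, 0x8, 0x0, 0xE, 0x5, 0xD, 0x4]

def sbox_layer(state):
    """32 parallel 4-bit S-boxes, one per nibble of the 128-bit state."""
    return bytes(PRINCE_SBOX[b >> 4] << 4 | PRINCE_SBOX[b & 0xF] for b in state)

def xtime(b):  # multiply by x in GF(2^8) modulo the AES polynomial 0x11B
    b <<= 1
    return b ^ 0x11B if b & 0x100 else b

def mix_columns(state):
    """AES MixColumns applied to four consecutive 4-byte columns."""
    out = bytearray()
    for c in range(0, 16, 4):
        a = state[c:c + 4]
        t = a[0] ^ a[1] ^ a[2] ^ a[3]
        out += bytes(a[i] ^ t ^ xtime(a[i] ^ a[(i + 1) % 4]) for i in range(4))
    return bytes(out)

def noise_round(state, data_in, key):
    """Assumed round: XOR-chain the input, S-boxes, MixColumns, AddRoundKey."""
    x = bytes(s ^ d for s, d in zip(state, data_in))
    return bytes(m ^ k for m, k in zip(mix_columns(sbox_layer(x)), key))

def toggle_counts(inputs, key):
    """Bits flipped in the 128-bit state register on each call."""
    state, counts = bytes(16), []
    for data_in in inputs:
        nxt = noise_round(state, data_in, key)
        counts.append(sum(bin(a ^ b).count("1") for a, b in zip(state, nxt)))
        state = nxt
    return counts

def mean_var(xs):  # mean and population variance of the toggle counts
    m = sum(xs) / len(xs)
    return m, sum((x - m) ** 2 for x in xs) / len(xs)

# Constructed stimulus: fixed key, 512 seeded pseudo-random input blocks.
rng = random.Random(1)
KEY = bytes(range(16))
RANDOM_IN = [bytes(rng.getrandbits(8) for _ in range(16)) for _ in range(512)]

if __name__ == "__main__":
    for name, stim in (("random", RANDOM_IN), ("all-zero", [bytes(16)] * 512)):
        m, v = mean_var(toggle_counts(stim, KEY))
        print(f"{name:8s} input: toggle rate {m / 128:.3f}, variance {v:.1f} bits^2")
```

When reading the output, look at the spread of the per-call toggle count as well as its mean: a register that flips the same number of bits on every call adds only a constant offset to the power trace.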

FuseSoC

This core is supported by the FuseSoC core package manager and build system. Some quick FuseSoC instructions:

Install FuseSoC

pip install fusesoc

Create and enter a new workspace

mkdir workspace && cd workspace

Register aes as a library in the workspace

fusesoc library add aes /path/to/aes

...if the repo is available locally, or, to get the upstream repo:

fusesoc library add aes https://github.com/secworks/aes

To run lint

fusesoc run --target=lint secworks:crypto:aes

Run tb_aes testbench

fusesoc run --target=tb_aes secworks:crypto:aes

Run with modelsim instead of default tool (icarus)

fusesoc run --target=tb_aes --tool=modelsim secworks:crypto:aes

List all targets

fusesoc core show secworks:crypto:aes

Implementation results

Xilinx Artix-7

Tool: ISE 14.7

Device: xc7a200t

Package: fbg676

Speed: -3

Number of Slice Registers: 256

Number of Slice LUTs: 742

Number of Slices: 378

Max clock frequency: 213 MHz

Contributors

secworks
