Experimental core for performing masking of AES by generating noise.
The core is more or less complete, but does it actually provide masking? The testbench still needs to be implemented, at least to try different inputs and confirm that the core generates noise. We should also measure the toggle rate and similar metrics.
Differential Power Analysis (DPA) is a well-known side-channel method for extracting secret keys from cryptosystems. Different ciphers require different DPA methods tailored to the specific cipher.
For the block cipher AES, DPA methods usually focus on the SubBytes() operation in combination with the AddRoundKey() operation.
Masking is the general term for adding functionality to the cipher to defeat DPA by making it (practically) infeasible to find the energy difference caused by a bit of the key in a set of power traces. There are many papers describing masking methods, and some of them are even provably secure. But due to effects such as glitching, many provably secure masking methods have been shown not to be secure in practice.
Typically the masking methods alter the S-boxes by performing a transform before the SubBytes(), using an altered S-box, performing AddRoundKey() and then applying another transform to undo the changes of the first transform. If the transform is not undone, the cipher will not work correctly.
An interesting question related to masking is how expensive the masking functionality is (in terms of computing or gates, registers etc in hardware).
This core is my attempt at performing masking. Not by developing a new transform that modifies the AES implementation, but by adding random power noise in sync with the AES functionality: a separate core that works in parallel with AES and causes variance in power consumption.
Basically the core implements parts of the AES encipher pipeline. But the key schedule is different, and the S-boxes used are different. The core operates in something akin to CBC mode and the key is transformed between next() calls. This should cause the noise to vary between calls... Or is that bad? Not sure. Let's find out!
The core borrows the MixColumns and AddRoundKey operations from AES. The S-boxes are the 4-bit S-boxes from the PRINCE lightweight, low-latency block cipher; the core instantiates 32 of them to cover the 128-bit state.
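As an added illustration (not the project's Verilog), here is a Python reference model of the datapath described above: 32 PRINCE 4-bit S-boxes over the 128-bit state, AES MixColumns and AddRoundKey, chained CBC-style, with the toggle count between consecutive outputs that a testbench would measure. The README does not specify the key transform between next() calls, so the model assumes XOR with the previous output; all inputs are constructed.

```python
# PRINCE 4-bit S-box (from the PRINCE cipher specification)
PRINCE_SBOX = [0xB, 0xF, 0x3, 0x2, 0xA, 0xC, 0x9, 0x1,
               0x6, 0x7, 0x8, 0x0, 0xE, 0x5, 0xD, 0x4]

def sub_nibbles(state):
    """Apply the PRINCE S-box to both nibbles of every byte: 32 S-boxes per 128-bit state."""
    return bytes((PRINCE_SBOX[b >> 4] << 4) | PRINCE_SBOX[b & 0xF] for b in state)

def xtime(b):
    """Multiply by x in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    return ((b << 1) ^ 0x1B) & 0xFF if b & 0x80 else b << 1

def mix_columns(state):
    """AES MixColumns over the four 4-byte columns (state bytes in column-major order)."""
    out = bytearray(16)
    for c in range(4):
        a0, a1, a2, a3 = state[4 * c:4 * c + 4]
        out[4 * c + 0] = xtime(a0) ^ (xtime(a1) ^ a1) ^ a2 ^ a3
        out[4 * c + 1] = a0 ^ xtime(a1) ^ (xtime(a2) ^ a2) ^ a3
        out[4 * c + 2] = a0 ^ a1 ^ xtime(a2) ^ (xtime(a3) ^ a3)
        out[4 * c + 3] = (xtime(a0) ^ a0) ^ a1 ^ a2 ^ xtime(a3)
    return bytes(out)

def add_round_key(state, key):
    return bytes(s ^ k for s, k in zip(state, key))

def noise_round(state, key):
    """One round of the noise datapath: S-box layer -> MixColumns -> AddRoundKey."""
    return add_round_key(mix_columns(sub_nibbles(state)), key)

def hamming_distance(a, b):
    """Number of bits that toggle when the state register changes from a to b."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def run_noise(block, key, calls):
    """CBC-like chaining over several next() calls.

    Each call feeds its output back as the next input; the key is transformed
    between calls (ASSUMED: XOR with the output, the README leaves this open).
    Returns the outputs and the per-call toggle count of the state register.
    """
    outputs, toggles = [], []
    prev = block
    for _ in range(calls):
        out = noise_round(prev, key)
        toggles.append(hamming_distance(prev, out))
        key = add_round_key(key, out)  # assumed key transform
        outputs.append(out)
        prev = out
    return outputs, toggles

# Constructed sample run: all-zero block and key, eight next() calls.
SAMPLE_OUTPUTS, SAMPLE_TOGGLES = run_noise(bytes(16), bytes(16), 8)
```

Comparing the per-call toggle counts against the hardware toggle rate is one way to check that the core actually produces varying activity rather than a constant pattern.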
This core is supported by the FuseSoC core package manager and build system. Some quick FuseSoC instructions:
```shell
# Install FuseSoC
pip install fusesoc

# Create and enter a new workspace
mkdir workspace && cd workspace

# Register aes as a library in the workspace, if the repo is available locally...
fusesoc library add aes /path/to/aes
# ...or to get the upstream repo
fusesoc library add aes https://github.com/secworks/aes

# Run lint
fusesoc run --target=lint secworks:crypto:aes

# Run the tb_aes testbench
fusesoc run --target=tb_aes secworks:crypto:aes

# Run with modelsim instead of the default tool (icarus)
fusesoc run --target=tb_aes --tool=modelsim secworks:crypto:aes

# List all targets
fusesoc core show secworks:crypto:aes
```
Implementation results:

- Tool: ISE 14.7
- Device: xc7a200t
- Package: fbg676
- Speed grade: -3
- Number of Slice Registers: 256
- Number of Slice LUTs: 742
- Number of Slices: 378
- Max clock frequency: 213 MHz