Improved Security Evaluation Of AES Key Expansion Countermeasures Against Power Analysis

As the carrier of the cryptographic algorithm,the security of cryptographic device is the key to the security of information system.Side-channel analysis is one of the effective methods to study the security of cryptographic implementation.Side-channel analysis utilizes the physical leakage generated by the cryptographic device to obtain key-related information.Attackers attempt to recover the secret key using the key-related information.Power analysis attracts the most research attentions in the area of side-channel analysis because of its superior attack effect.Power analysis measures the power consumption traces of devices and matches the Hamming weight model to obtain the Hamming weight value of intermediate data as the key recovery information.In order to effectively improve the ability of cryptographic algorithm to resist power attack,certain countermeasures must be adopted in the cryptography implementation,and these countermeasures must be verified in a security evaluation.In this paper,we focus on key expansion of AES.We study and improve the security evaluation of two kinds of power attack countermeasures as random order and Boolean masking.Because of their different concepts,we study the key recovery process for these two countermeasures respectively.The main contributions of this work are as follows:(1)We analyzed the shortcomings of the existing security evaluations of these two countermeasures;(2)We improved the attack scenario for the random order countermeasure for a more reasonable security evaluation;(3)We improved the key recovery algorithm for the Boolean masking countermeasure to improve the accuracy of the security evaluation.For the random order countermeasure,this paper proposes a new attack scenario that introduces the power consumption of AES state to the power analysis with Hamming weight leakage model.This scenario uses the power attack technique and utilizes the Hamming weight of AES state to perform the key recovery of AES key expansion process.Compared with the existing attack scenario that combines fault attack and power attack,the attack scenario proposed in this paper is easier to implement and the attack cost is reduced.In this paper,a key recovery algorithm is designed for the new attack scenario,which proves that it reduced the key recovery time by a factor above 3 compared to the original scenario while using the same number of power consumption traces.For the Boolean masking countermeasure,this paper proposes an improved key recovery method with the idea of divide and conquer.By analyzing the computing characteristics of key expansion and Boolean masks,the round key bytes are divided into key groups according to the different mask val-ues.In addition,the representative solutions of each group are restored respectively,thus the key values required to be stored and verified are reduced.We also improved the accuracy of the Hamming distance restriction formulas to increase the amount of information obtained by power analysis.The new proposed algorithm is compared with the existing key recovery algorithm,which proves that the new algorithm can achieve the same attack effect with less attack traces,therefore has a better performance.