Advanced Modes in AES: Are they Safe from Power Analysis based Side Channel Attacks?

Darshana Jayasinghe∗, Roshan Ragel†, Jude Angelo Ambrose∗, Aleksandar Ignjatovic∗ and Sri Parameswaran∗
∗ School of Computer Science and Engineering, University of New South Wales, Australia
Email: {darshanaj, ajangelo, ignjat, sridevan}@cse.unsw.edu.au
† Department of Computer Engineering, University of Peradeniya, Sri Lanka
Email: [email protected]

978-1-4799-6492-5/14/$31.00 ©2014 IEEE 173

Abstract—Advanced Encryption Standard (AES) is arguably the most popular symmetric block cipher algorithm. The commonly used mode of operation in AES is the Electronic Codebook (ECB) mode. In the past, side channel attacks (including power analysis based attacks) have been shown to be effective in breaking the secret keys used with AES while AES is operating in the ECB mode. AES defines a number of advanced modes of operation (namely Cipher Block Chaining - CBC, Cipher Feedback - CFB, Output Feedback - OFB, and Counter - CTR) that are built on top of the ECB mode to enhance security by disassociating the encryption function from the plaintext or the secret key used. In this paper, we investigate the vulnerabilities of all such modes of operation against power analysis based side channel attacks, implemented on hardware circuits for low power and high speed embedded systems. Through such an investigation, we show that AES is vulnerable in all modes of operation against the Correlation Power Analysis (CPA) attack, one of the strongest power analysis based side channel attacks. We also quantify the level of difficulty in breaking AES in different modes by calculating the number of power traces needed to arrive at the complete secret key. We conclude that the Counter mode of operation provides a better balance between area and power, while maintaining adequate resistance to power analysis attacks, than the other modes of operation. We show that the previous recommendations for the rate of change of the keys and vectors are grossly inadequate, and suggest that they must be changed at least every 2^10 encryptions in CBC mode and 2^12 encryptions in CFB, OFB and CTR modes in order to resist power analysis attacks.

I. INTRODUCTION

Cryptography is the art of transforming confidential information into information which is incoherent to a third party. The confidential information is encrypted before transmission and decrypted upon receipt using secret keys. Advanced Encryption Standard (AES) [3] is one of the most popular symmetric encryption algorithms, standardized under FIPS192. AES is utilized for secure transactions in many embedded systems such as smart cards in transport [41], credit cards [7], TV cards [13], [43] and USB mass storage controllers [5] to secure the data in flash memory. Intel Core i3, i5 and i7 processors contain a separate instruction set to perform AES encryptions [4]. Such a significant increase in the usage of secure applications with AES has attracted various successful attacks in recent years. Obtaining the secret key will allow an adversary to impersonate the original owner of the device or even clone a new device. Side channel attacks (power [26], timing [34], electromagnetic emissions [37]), code injection attacks [17] and physical attacks [10] have been successfully used in extracting the secret keys of embedded systems.

Power Analysis based Side Channel Attacks on AES:
Power analysis based side channel attacks (referred to as power analysis from this point onwards) were shown to be effective against symmetric block cipher based cryptographic algorithms by Kocher [26] in 1999. Power analysis attacks exploit the power dissipation measurements of the device to deduce the secret key. Many variants of power analysis attacks can be found in the literature, such as: Simple Power Analysis (SPA) [26], Differential Power Analysis (DPA) [26], Correlation Power Analysis (CPA) [12], Mutual Information Analysis (MIA) [18] and Leakage Power Analysis (LPA) [6]. Power traces of a single cryptographic execution are analyzed in SPA. DPA uses means of averages to match the power consumption of the device with the hypothetical power model. Shannon entropy is used in MIA to exploit the data dependent operations in cryptographic algorithms [18]. In LPA, the leakage power of the device is exploited to deduce the secret key. CPA is widely accepted as one of the most powerful amongst the above attacks [12].

CPA exploits the property of differing power dissipation for different state transitions in CMOS in order to attack the secret keys in AES [28]. In CPA, the power dissipation during the execution of a cryptographic program is correlated against a mathematical power model, which is formulated by the adversary. Such a formulation either starts with the plaintext and goes through the first round of AES counting the bit flips, or starts with the ciphertext and goes through the last round. In the first and the last rounds, it is possible to perform such a formulation by guessing one byte (8 bits and therefore 256 possibilities) of the secret key at a time, which makes a power analysis attack feasible. AES, when operating in ECB mode (from this point onwards referred to as AES-ECB), has been extensively investigated against CPA [39], [40]. However, such investigation is rarely performed for the advanced modes of AES.

Advanced Modes of AES:
Advanced modes of AES, such as CBC, CFB, OFB and CTR [15], are proposed to decorrelate the relationship of either the plaintext or the secret key to the actual computation. Such modes typically use an AES hardware circuitry, which is then designed and configured based on the mode of operation.

Related Work:
Power analysis attacks have been researched extensively in the past, both in microprocessor based software implementations and in custom logic (or circuit) based hardware implementations of AES-ECB. Power analysis attacks are demonstrated for the initial round or for the final round of AES-ECB, where the hypothetical power dissipation formulation can skip the MixColumn operation and make use of either the plaintext or


the ciphertext directly [16].

One of the earliest power analysis attacks presented against AES-ECB is the SPA attack on round key generation proposed by Mangard [27]. Later, in their book, Mangard et al. showed how AES in smart cards can be broken using power analysis attacks [29]. The book uses examples from both processors and circuits. Ambrose et al. [8] used DPA by exploiting table lookups for verifying their countermeasure against power analysis attacks. Han et al. [19] presented DPA, multi-bit DPA and CPA attacks on both software and hardware implementations of AES. Recently, Petrvalsky et al. [38] have presented DPA on AES implemented in a new microcontroller.

Power analysis attacks on the last round of AES are reported in the literature for hardware implementations of AES-ECB. The authors in [14], [36] presented power analysis attacks on hardware implementations of AES. Tiri et al. [39] successfully demonstrated power analysis attacks on the final round of AES. Mangard et al. [30] presented DPA attacks using both the output of the registers and logic gates on unmasked and masked AES engines.

Yongdae et al. [24] have shown how selecting the right power traces can improve the power analysis attack on AES-ECB. Wu et al. [42] demonstrated a DPA attack on the asynchronous SubByte lookups on an FPGA implementation. Mestiri et al. [32] compared CPA attacks with two different power consumption models, namely Hamming distance and switching distance. Recently, Moradi demonstrated an LPA attack on an FPGA implementation of AES-ECB [33].

The first related work we could find in the literature that explicitly performs a power analysis attack on a mode other than ECB is the work presented by Jaffe [21]. The attack presented in [21] is targeted against a software implementation of AES counter mode (CTR). The second is by Kocher et al. [25], performing a DPA attack on the AES-CBC mode of operation on an FPGA implementation. In [25], the authors have presented a DPA attack on an FPGA implementation of AES and therefore have not focused on the mode of operation itself (apart from the fact that they have used AES-CBC). In both works, the intention was not to compare different modes of operation, their merits and demerits, but to present the attacks.

Contributions:
In this paper, we perform an extensive CPA evaluation of a general AES hardware circuitry in different advanced modes. We provide an insight into such advanced modes of AES to clearly identify the vulnerabilities to CPA, which have hitherto not been examined. A comparison between the numbers of traces required to perform power analysis attacks on different modes of operation of AES is carried out, so that designers can choose the best mode of operation for their design. Due to cryptanalysis attacks such as slide attacks and collision attacks, the secret key and IV must be altered every 2^64 encryptions in CTR, OFB and CFB modes and every 2^48 encryptions in CBC mode [9]. However, we were able to reveal the secret key with fewer traces in the mode of operation implementations. Hence we propose to change the secret keys and IVs every 2^10 encryptions in CBC mode and every 2^12 encryptions in CFB, OFB and CTR modes in order to resist power analysis attacks. We present the area and power overhead data so that the appropriate design can be chosen by the designer. To the best of our knowledge, this is the first study that presents the effectiveness of power analysis attacks on all the common AES modes.

Organization of the Paper:
The rest of the paper is organized as follows: Section II provides a brief description of the AES algorithm in ECB mode. Section III presents a step by step investigation of the CPA attack on an AES-ECB circuit implementation. In Section IV, CPA attacks on the advanced AES modes are presented. Our experimental setup is explained in Section V. A discussion comparing the different modes of operation in the context of power analysis attacks is presented in Section VI and the paper is concluded in Section VII.

II. ADVANCED ENCRYPTION STANDARD (AES)

The AES algorithm accepts three sizes of secret keys: 128 bits, 192 bits and 256 bits. The number of rounds depends on the key size (10, 12 and 14 for 128-bit, 192-bit and 256-bit keys, respectively). This paper focuses on the most common key size, which is 128 bits.

Fig. 1. Block Diagram of AES Encryption Algorithm (Plaintext and key; SubByte, ShiftRows, Mix Columns and Add Round Key repeated for Nr-1 rounds; a final round of SubByte, ShiftRows and Add Round Key; Ciphertext)

Figure 1 illustrates a block diagram of the AES algorithm. A bitwise Exclusive OR (XOR) operation is initially performed between the plaintext and the secret key (the initial round). Then SubByte tables are referred to (SubByte table lookup). Next, the ShiftRow operation is performed, which intermingles the data row-wise. After that, the MixColumn operation is performed on the intermediate ciphertext to add column-wise scrambling. Finally, a bitwise XOR operation is performed between the output from the MixColumn and the round key. The AddRoundKey operation adds more confusion to the intermediate ciphertext with respect to the secret key. This process is repeated 9 times for AES with a 128-bit key. In the final round, the MixColumn operation is omitted, as shown in Figure 1.

In order to accelerate AES, larger circuits with parallel SubByte tables are used [20], where the SubByte lookups are performed in parallel. A block diagram of such an AES circuit is shown in Figure 2. Two sets of registers (Drg and Krg) are used to store the intermediate ciphertext and the round key. SubByte and MixColumn operations are implemented as combinational modules. Round key generation is implemented as a module and it is independent from the intermediate ciphertext generation. During the initial round, a bitwise XOR operation is performed on the plaintext and the encryption key. The result of the initial round is loaded to the Drg register. The Drg register is connected to the SubByte modules. There are four SubByte modules. Each SubByte module will fetch four SubByte table lookups and the size of a SubByte table lookup is one byte. From the four parallel SubByte modules, all the 16 SubByte table lookups will be performed in parallel. After the SubByte operation, ShiftRow and MixColumn operations are

performed. The ShiftRow operation, which shifts the data byte-wise to scramble the intermediate ciphertext, can be achieved by connecting the wires to the MixColumn module. Finally, the output from the MixColumn operation is XORed with the round key from the Krg register. The intermediate ciphertext, which is the output from the AddRoundKey operation, resides on a bunch of wires and will be loaded to the Drg register during the next clock cycle.

The round key for the next round will be generated in parallel with the intermediate ciphertext generation. The first 32 bits from the Krg register will undergo a rotation function. The output from the rotation function will be sent to the SubByte module and the output is XORed with the round constant. A round constant is defined in the AES algorithm for each round and there are 10 round constants for AES-128. The first 32 bits of the next round key are generated by performing an XOR operation on the first 32 bits of the Krg register with the output from the round constant XOR operation. Using a successive calculation, the other 96 bits of the output round key are generated as shown in Figure 2.

Fig. 2. Block Diagram of AES Circuit (inputs Din and Kin; registers Drg and Krg; 2:1 multiplexers; four parallel SubByte modules; Inv ShiftRows; MixCol; Rot, SubByte and RCon in the round key path; 128-bit and 32-bit data paths)

III. CPA ATTACKS ON AES-ECB

CPA attacks require (1) a mathematical formulation for the power consumption (also known as the hypothetical or expected power consumption) with either the input (plaintext) or the output (ciphertext) of the system and the guessed secret keys, (2) the actual power dissipation of the cryptographic device while the encryption happens with the secret key to be broken, and (3) a correlation analysis to identify the correct secret key amongst those guessed. A significantly higher correlation reveals the correctly guessed secret key [28].

The steps in the CPA attack carried out in this paper are illustrated in Figure 3. The hypothetical power consumption of the system is represented by a selection function using the ciphertext and a predicted last round key. Voltage measurements (i.e., the voltage drop proportional to the power dissipation) are taken from an oscilloscope. An offline CPA analysis, based on the Pearson Correlation Coefficient, is performed on the power traces together with the hypothetical power consumption.

Fig. 3. Block Diagram of Extracting Secret Key (Plaintext and Ciphertext feed the Hypothetical Power Consumption (Hamming Weight); Power Measurements and the hypotheses feed the Pearson Correlation Coefficient; the Correlation Coefficients give the Final Roundkey; Roundkey Generation recovers the Secret Key)

A. Hypothetical Power Consumption

Hardware implementations of AES-ECB use a register (Drg as in Figure 2) to hold the intermediate ciphertext after each round of encryption. In the final round of encryption, the SubByte, ShiftRow and XOR with the round key operations are performed on the intermediate ciphertext output from the previous round. The MixColumn operation is not involved in the final round (see Figure 1). Therefore the final round key can be distinctively predicted in eight bits (due to the ShiftRow and SubByte operations) to calculate a distinct value of the Drg register in the round before the last round.

The hypothetical power consumption is formulated for the last round of AES-ECB by considering the number of bit flips of register Drg as its value changes due to the last round. Using the Hamming distance power model [12], the number of bit flips of the Drg register during the final round can be expressed as in Equation 1, where Drg10 and Drg9 are the register states at the end of the final round and the round before the final round, respectively.

$P_{Hypo} \propto HW(Drg_{10} \oplus Drg_{9})$ (1)
$\propto HW(C \oplus InvSubByte(InvShiftRow(C \oplus Rkey_{10})))$ (2)
$\propto HW(InvShiftRow(C) \oplus InvSubByte(C \oplus Rkey_{10}))$ (3)

Drg10 is the final ciphertext (C) and therefore known to the adversary (during a known ciphertext attack). Drg9 can be calculated from the ciphertext and the guessed final round key (Rkey10). Therefore, Equation 1 can be re-written as Equation 2. However, as we perform one key byte guess at a time, it is not possible to apply InvShiftRow on the complete 128 bits of C ⊕ Rkey10. Therefore, instead of performing the InvShiftRow on C ⊕ Rkey10 as shown in Equation 2, we perform it on the ciphertext as given in Equation 3.

B. Power Trace Extraction and Correlation

To empirically prove that the power analysis attack works in our experimental setup on AES-ECB, a CPA attack was carried out

using the power consumption model given by Equation 3. The correlation coefficients for each guessed key byte are plotted against the number of plaintexts used to calculate the correlation coefficients.

As shown in Figure 4, AES-ECB is vulnerable to the last round attack. As depicted, all the key bytes are visible even with around 2000 plaintexts. The x-axis of Figure 4 indicates the number of plaintexts (in units of 500), and the y-axis denotes the correlation coefficient. We guess one key byte at a time (K0, K1, ..., K15), resulting in 16 independent correlation coefficient graphs from the correlation power analysis. Each line in a correlation coefficient graph is a key guess and the black bold line is the correct key guess. As can be seen from the figure, most of the key bytes are visible very early except for key byte K8, which starts to appear only around the 2000th sample.

Fig. 4. Correlation Graphs for CPA attack on AES-ECB (16 panels K0 to K15; x-axis: No. of Plaintexts / 500, 5 to 20; y-axis: Correlation Coefficient, 0 to 0.2)

To further quantify the number of power traces needed to break all 16 bytes, we used Equation 4 and the rule of thumb presented in [29]. It is worth noting that Equation 4 is an estimated guess. As per Mangard et al. [29], the equation gives us the number of traces with a confidence of 99.99% when the correlation coefficients are below 0.2.

$\text{Number of Traces} \approx 28 / (\text{Estimated Correlation Coefficient})^2$ (4)

Using Equation 4, the number of traces needed to break each byte in AES-ECB mode is calculated and presented in Table I, using the actual number of traces required to distinguish the correlation coefficient of the correct key guess from those of the false key guesses. From the table, the maximum number of traces needed is for key byte K8 and therefore AES-ECB can be broken with 2016 traces.

TABLE I. NUMBER OF TRACES NEEDED TO BREAK AES-ECB
Key Byte   K0    K1    K2    K3    K4    K5    K6    K7
n          645   444   876   550   689   793   925   476
Key Byte   K8    K9    K10   K11   K12   K13   K14   K15
n          2016  798   693   568   454   614   675   1225

Revealing the last round key will reveal the encryption key in AES-ECB. Once the final round key is extracted from the correlation coefficient graph, the round key generation function can be reverse engineered to generate the encryption key. This calculation does not involve complex computations and therefore, once the correct final round key is extracted, it is straightforward to calculate the encryption key in AES-ECB.

IV. POWER ANALYSIS ON ADVANCED AES MODES

In this section, we investigate power analysis on the advanced AES modes: CBC, CFB, OFB and CTR. In ECB mode, the one we investigated in the previous section, each block of data (a 128-bit chunk) is encrypted independently, which results in identical ciphertexts for identical plaintexts. No error propagation happens in the system since each plaintext is encrypted independently. Therefore, ECB is considered insecure for encrypting long messages. In the advanced modes, such correlations are disassociated using a number of means which we discuss here. Figure 5 shows how an image (Figure 5(a)) that is encrypted in ECB mode can still leak information (Figure 5(b)), while the advanced modes do not reveal such information directly (see Figure 5(c)).

Fig. 5. Leaking information about data patterns in ECB mode [1] ((a) A regular image (Plaintext); (b) Encrypted using AES-ECB; (c) Encrypted using Adv. modes)

In all advanced modes, an Initialization Vector (IV) or a counter (in CTR mode) is used in combination with the first block of encryption (not the first round). Without the IV, the ciphertext cannot be decrypted even if the secret key is known. In all modes, AES encrypts a set of plaintext blocks, each of 128 bits (for example, 64 blocks in a 1KB file), by iteratively applying AES. The way in which plaintext blocks are passed in iterations is different across modes. Let us denote the set of iterations as J. O_j (j ∈ J) is the j-th output from the encryption algorithm (CIPH_j) applied to the j-th plaintext (P_j). I_j is the input to CIPH_j. Note that the plaintext P_j may go through a transformation function to create I_j (as opposed to it going through none for the ECB mode). The secret key K and I_j are used with CIPH_j for the j-th encryption; hence, O_j = CIPH_j(I_j, K). C_j is the ciphertext (realized at the end of the mode of operation) obtained from O_j either with or without transformation. In the following subsections, we focus on each advanced AES mode, one by one.

A. Cipher-Block Chaining (CBC)

Cipher-Block Chaining uses the initialization vector to add initial confusion at the start of the encryption. Other iterative encryptions will be chained with the output from the previous iteration. CBC mode is defined as per Equation 5.

$C_1 = CIPH_1(P_1 \oplus IV, K)$ (5)
$C_j = CIPH_j(P_j \oplus C_{j-1}, K) \quad \text{for } j \ge 2$ (6)

The block diagram of CBC mode is illustrated in Figure 6, where the ciphertext from the previous iteration is used with the plaintext to create the input for the current iteration. Note that AES in the block diagram refers to the AES algorithm in ECB mode. Intermingling the inputs for the current block and the outputs from the previous block happens before the encryption of the current block starts.

From a power analysis attacker's point of view, CBC mode of operation does not conceal the relationship between the actual power dissipation of the device and the information

that the attacker has to calculate in the hypothetical power consumption. Therefore, to perform CPA attacks on CBC mode of operation, Equation 3 can be used to model the hypothetical power consumption. An attacker can perform a last round attack with a known ciphertext on any block to break the secret key. However, to break the IV, the plaintext of the first block needs to be known, requiring a chosen plaintext attack to break both the secret key and the IV.

Fig. 6. CBC Mode of Operation (blocks 1, 2, ..., n-1, n; IV XORed into block 1; each block encrypted with K and its ciphertext chained into the next block)

Fig. 7. CPA on AES-CBC Mode (16 panels K0 to K15; x-axis: No. of Plaintexts / 500, 5 to 20; y-axis: Correlation Coefficient, 0 to 0.2)

Figure 7 shows the correlation coefficients obtained for CBC encryptions from the correlation power analysis. As can be seen from Figure 7, after reaching about 2,000 plaintexts the bold line clearly deviates from most of the other key guesses, revealing that particular key guess as the correct final round key byte. The number of traces needed to break each byte in AES-CBC mode is calculated and presented in Table II. The maximum number of traces needed is for key byte K4 and therefore AES-CBC can be broken with 1795 traces (with 99.99% confidence).

TABLE II. NUMBER OF TRACES NEEDED TO BREAK AES-CBC
Key Byte   K0    K1    K2    K3    K4    K5    K6    K7
n          763   658   719   673   1142  761   956   559
Key Byte   K8    K9    K10   K11   K12   K13   K14   K15
n          1234  828   872   645   468   679   795   1795

B. Cipher Feedback (CFB)

In Cipher Feedback (CFB) mode, successive outputs will be used as the inputs for the encryption algorithm (see Figure 8). The input vector (IV) is encrypted first. Once the output is generated, a bitwise XOR operation is performed on the input plaintext and the output from the previous encryption. This output will be used as the input to the next iteration. Encryption in CFB mode is formulated in Equation 7.

Fig. 8. CFB Mode of Operation (blocks 1, 2, ..., n-1, n; IV encrypted with K first; each block's ciphertext fed forward as the next block's input)

$I_1 = IV$
$I_j = C_{j-1} \quad \text{for } j \ge 2$
$O_j = CIPH_j(I_j, K)$
$C_j = O_j \oplus P_j$ (7)

In CFB mode, the attacker needs to know both the plaintext and the ciphertext to perform the CPA attack on the last round of any block. Therefore, a ciphertext only attack cannot be performed on the CFB mode and the need for a chosen plaintext attack arises. In the CFB mode, an XOR operation is performed on the output of the encryption with the input plaintext after the last round and the Drg register is updated with the result.

$P_{Hypo} \propto HW(InvShiftRow(C) \oplus InvSubByte((C \oplus P) \oplus Rkey_{10}))$ (8)

As the attack is going to be a chosen plaintext attack (where we assume that the adversary has access to both the plaintext and the ciphertext during the attack), the formulation of the hypothetical power consumption in the CFB mode for the last round attack should include both the plaintext and the ciphertext, as shown in Equation 8. The formulation will reveal the secret key and therefore the initialization vector can be easily revealed by decrypting the first block.

Fig. 9. CPA on AES-CFB Mode (16 panels K0 to K15; x-axis: No. of Plaintexts / 500, 20 to 40; y-axis: Correlation Coefficient, 0 to 0.1)

Figure 9 shows the correlation coefficients obtained for CFB mode. The number of traces needed to break each byte of AES-CFB is calculated (using Equation 4) and presented in Table III. The maximum number of traces needed is for key byte K14 and, in experiments, AES-CFB can be broken with 24365 traces (with 99.99% confidence).

C. Output Feedback (OFB)

OFB mode of operation can be considered as a form of ONE-TIME-PAD encryption [11]. As shown in Figure 10, the initialization vector (IV) is encrypted with the secret key to produce the output. The output is directly passed as the input for the next block. The ciphertext for each block is generated by

performing a bitwise XOR operation on the plaintext with the output. Encryption of OFB can be expressed as in Equation 9.

$I_1 = IV$
$I_j = O_{j-1} \quad \text{for } j \ge 2$
$O_j = CIPH_j(I_j, K)$
$C_j = O_j \oplus P_j$ (9)

TABLE III. NUMBER OF TRACES NEEDED TO BREAK AES-CFB
Key Byte   K0     K1    K2     K3    K4    K5    K6     K7
n          958    1231  13705  734   2554  2289  1783   4978
Key Byte   K8     K9    K10    K11   K12   K13   K14    K15
n          18315  2143  1758   1961  3007  2185  24365  7804

Fig. 10. Outline of OFB Encryption (blocks 1, 2, ..., n-1, n; IV encrypted with K; each output O_j fed back as the next block's input and XORed with the plaintext)

In OFB mode, both the ciphertext and the plaintext must be available to the adversary (and therefore this has to be a chosen plaintext attack). The information leakage for the attacker is similar to that of the AES-CFB mode. Encrypting the output from the previous block will not have any significance for thwarting power analysis attacks in the last round of the current block. Similar to the CFB mode, OFB mode does not prevent revealing the initialization vector once the secret key is found.

$P_{Hypo} \propto HW(InvShiftRow(C \oplus P) \oplus InvSubByte((C \oplus P) \oplus Rkey_{F}))$ (10)

In order to calculate the hypothetical power consumption, an XOR operation is performed on the ciphertext and plaintext when calculating the output from the encryption. The formulation is shown in Equation 10.

Fig. 11. CPA on AES-OFB Mode (16 panels K0 to K15; x-axis: No. of Plaintexts / 500, 10 to 30; y-axis: Correlation Coefficient, 0 to 0.1)

Figure 11 shows the correlation coefficients obtained for OFB encryptions from the correlation power analysis. The number of traces needed to break each byte in AES-OFB mode is calculated and presented in Table IV (using Equation 4). The maximum number of traces needed is for key byte K14 and that is 5812 traces. Therefore AES-OFB can be broken with 5812 traces.

TABLE IV. NUMBER OF TRACES NEEDED TO BREAK AES-OFB
Key Byte   K0    K1    K2    K3    K4    K5    K6    K7
n          1239  1572  5472  810   1270  1203  1378  5204
Key Byte   K8    K9    K10   K11   K12   K13   K14   K15
n          1813  1738  2250  1730  2955  1775  5812  2246

D. Counter Mode (CTR)

AES counter (CTR) mode turns the AES block cipher into a stream cipher. As shown in Figure 12, a nonce is concatenated with a counter, which will be incremented after/before each encryption, and is encrypted using a secret key. The nonce and the counter differ from an initialization vector used in CBC, CFB and OFB modes. Later, the output of the encryption and the plaintext are XORed together to form the ciphertext, as in the other modes (CFB and OFB). Equation 11 expresses AES encryption in CTR mode.

Fig. 12. CTR Mode of Operation (blocks 1, 2, ..., n-1, n; nonce concatenated with counter values 1, 2, ..., n-1, n, encrypted with K and XORed with the plaintext)

$I_j = [Non : Ctr_j] \quad \text{for } j \ge 1$
$O_j = CIPH_j(I_j, K)$
$C_j = O_j \oplus P_j$ (11)

CTR mode of operation behaves in a similar manner to that of the OFB mode. Without both the plaintext and the ciphertext, last round power analysis attacks cannot be performed. Unlike in AES-CFB mode, the output from the encryption or the ciphertext is never encrypted. Therefore, a first round attack cannot be performed on CTR mode of operation unless the nonce and the counter values are known. Therefore, for CTR mode, Equation 10 can be used to model the hypothetical power consumption.

Figure 13 shows the correlation coefficients obtained for CBC encryptions from the correlation power analysis. The number of traces needed to break each byte in AES-CTR mode is calculated and presented in Table V (using Equation 4). The maximum number of traces needed is for key byte K8 and therefore AES-CTR can be broken with 12668 traces.

V. EXPERIMENTAL SETUP

Our AES-ECB implementation is based on the optimised AES hardware implementation proposed by Morioka et al. [35]. We have extended this to implement the CBC, CFB, OFB

and CTR versions. We have used a SASEBO GII [23] side channel analysis prototyping board, which is used by many cryptanalysis researchers [22], [31]. The circuits are mapped on the Virtex5 FPGA, and a Spartan3A FPGA is utilized for control and measurements. The experiments were conducted at 2MHz. To quantize the power consumption of the cryptographic FPGA, we used an Agilent DSOX2012A oscilloscope at 2GSa/s. A custom C# program is implemented to perform CPA and Matlab is used to plot the correlation coefficients.

Fig. 13. CPA on AES-CTR Mode (panels K0 to K15: Correlation Coefficient vs. No. of Plaintexts / 500)

TABLE V. NUMBER OF TRACES NEEDED TO BREAK AES-CTR

Key Byte   K0      K1     K2     K3    K4     K5     K6      K7
n          1366    829    2654   466   1191   2047   11991   1611

Key Byte   K8      K9     K10    K11   K12    K13    K14     K15
n          12668   1032   3050   869   1023   1918   893     1400

VI. DISCUSSION

It is evident from the above analysis that the advanced modes of AES in hardware circuitry are as vulnerable to power analysis as the standard ECB mode of AES. Table VI summarizes the type of attack to be performed and the number of traces required (for the first key byte to appear, for the last key byte to appear, and the sum over all key bytes) for the different modes of operation. The number of traces needed for the last key byte indicates the total number of encryptions to be performed for an attack, and the total number of traces indicates the level of computational resources required for a complete attack revealing all the key bytes.

Attack Summary:

TABLE VI. MODES SUMMARY

Mode                             ECB     CBC     CFB     OFB     CTR
Attack Type                      kCT     cPT     cPT     cPT     cPT
No. of Traces - First Key Byte   444     468     734     810     466
No. of Traces - Last Key Byte    2016    1795    24365   5812    12668
No. of Traces - Total            12440   13549   88709   38465   46474

kCT - known ciphertext attack, cPT - chosen plaintext attack

As can be seen from Table VI, ECB has the lowest level of protection against CPA as it requires the lowest number of power traces and can be attacked with known ciphertext. The numbers we see for the CBC mode are not very different from the ECB mode. This can be attributed to the fact that the circuits of the ECB and the CBC modes for the last round (the round targeted in our attack) are identical (the XOR operation with the plaintext in the CBC mode is performed in the first round). Based on these numbers, we propose that both the ECB and the CBC modes have to refresh their keys within $2^{10}$ encryptions to be safe against the CPA attack. From Table VI, it can also be seen that the CFB, OFB and CTR modes need a greater number of traces to break the complete key compared to the CBC mode. We attribute this to the fact that the three modes mentioned perform the XOR operation with the plaintext during their last round operations, making the correlation relatively difficult to perform. Therefore, we propose that the keys of the CFB, OFB and CTR modes be changed within $2^{12}$ encryptions.

The chosen plaintext attack, which is required by all the advanced modes, is only possible when the attacker has access to the cryptographic device to input some plaintexts and record the ciphertext for each plaintext together with the power trace. One example of such a device is an encrypted USB storage device (with an unknown encryption key) such as Secure USB [2], where the adversary can send a set of chosen plaintexts and access the output ciphertext from the storage device. However, in some practical scenarios the attacker will only have access to the ciphertext and not to both ciphertext and plaintext; for example, situations where the attacker has no authorization to input plaintexts to the device but still has access to the ciphertext. In such scenarios, the advanced modes are safe against the CPA attacks presented in this paper. According to the CPA graphs, key byte 2, key byte 8 and key byte 14 need a greater number of power traces to reveal the correct key guess compared to the other key bytes. We are planning to investigate this behavior in the future.

Resource Utilization:

TABLE VII. RESOURCE CONSUMPTION IN XILINX ISE 14.6 (#), SYNOPSYS DESIGN COMPILER AND SYNOPSYS PRIMETIME (⋆)

Modes   LUTs#   Slices#   Area⋆   Power (mW)⋆
ECB     1167    1059      21567   0.348
CBC     1171    1075      24481   0.404
CFB     1169    1073      25510   0.418
OFB     1181    1082      25049   0.412
CTR     1187    1080      23273   0.375

We performed a rudimentary estimation (both on the FPGA and based on a synthesis using Synopsys DC) of the effective costs of these techniques for the advanced modes of AES, as shown in Table VII, to provide a view of the costs for early design considerations. As can be seen, while the ECB mode is the cheapest, CFB requires the largest area and has the maximal power dissipation.

VII. CONCLUSION

In this paper, we have presented an extensive investigation of power analysis based side channel attacks on all common modes (ECB, CBC, CFB, OFB and CTR) of AES. On one hand, with 99.99% confidence, we have quantified the level of vulnerability of all these modes of AES circuit implementations by calculating the number of power traces needed for the attacks, and on the other, we show what leakages of information must not be available to the attacker to prevent deducing the secret key from the recorded power traces. CTR provides a balance between area and power while maintaining adequate resistance
to power analysis attacks compared with the other modes of operation. We propose that a secret key must be changed at least every $2^{10}$ encryptions in CBC mode and every $2^{12}$ encryptions in CFB, OFB and CTR modes in order to resist power analysis attacks.

REFERENCES

[1] Block cipher mode of operation. http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation.
[2] Crypto Dual + FIPS 140-2 - premium AES 256 bit security: Specification. http://www.integralmemory.com/sites/default/files/products/specifcations/Integral Encrypted USB Spec Sheet Crypto Dual%2B 140-2.pdf.
[3] Federal Information Processing Standards Publication 197: Announcing the Advanced Encryption Standard (AES).
[4] Intel Data Protection Technology with AES-NI and Secure Key.
[5] USB flash drive - Wikipedia, the free encyclopedia.
[6] M. Alioto, L. Giancane, G. Scotti, and A. Trifiletti. Leakage power analysis attacks: A novel class of attacks to nanometer cryptographic circuits. IEEE Transactions on Circuits and Systems I: Regular Papers, 57(2):355–367, Feb 2010.
[7] Smart Card Alliance. Smart Card Alliance financial resources, August 2013. http://www.smartcardalliance.org/pages/smart-cards-applications-financial#smart-card-alliance-financial-resources.
[8] A. Ambrose, R. Ragel, S. Parameswaran, and A. Ignjatovic. Multiprocessor information concealment architecture to prevent power analysis-based side channel attacks. IET Computers & Digital Techniques, 5(1):1–15, January 2011.
[9] A. Biryukov. The design of a stream cipher LEX. In Selected Areas in Cryptography, volume 4356 of Lecture Notes in Computer Science, pages 67–75. Springer Berlin Heidelberg, 2007.
[10] J. Blömer and J.-P. Seifert. Fault based cryptanalysis of the Advanced Encryption Standard (AES). In R. Wright, editor, Financial Cryptography, volume 2742 of Lecture Notes in Computer Science, pages 162–181. Springer Berlin Heidelberg, 2003.
[11] M. Borowski and M. Lesniewicz. Modern usage of "old" one-time pad. In MCC 2012 (Military Communications and Information Systems Conference), pages 1–5, 2012.
[12] E. Brier, C. Clavier, and F. Olivier. Correlation power analysis with a leakage model. In Cryptographic Hardware and Embedded Systems - CHES 2004, volume 3156 of Lecture Notes in Computer Science, pages 16–29. Springer Berlin Heidelberg, 2004.
[13] M. Carr. Smart card technology with case studies. In Proceedings of the 36th Annual 2002 International Carnahan Conference on Security Technology, pages 158–159, 2002.
[14] F.-X. Standaert, S. B. Örs, and B. Preneel. Power analysis of an FPGA implementation of Rijndael: Is pipelining a DPA countermeasure? In CHES 2004, volume 3156, pages 30–44, 2004.
[15] Computer Security Division. Recommendation for block cipher modes of operation. http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf.
[16] O. Dunkelman and N. Keller. The effects of the omission of last round's MixColumns on AES. Inf. Process. Lett., 110:304–308, 2010.
[17] A. Francillon and C. Castelluccia. Code injection attacks on Harvard-architecture devices. In CCS '08, pages 15–26. ACM, 2008.
[18] B. Gierlichs, L. Batina, P. Tuyls, and B. Preneel. Mutual information analysis. In E. Oswald and P. Rohatgi, editors, Cryptographic Hardware and Embedded Systems - CHES 2008, volume 5154 of Lecture Notes in Computer Science, pages 426–442. Springer Berlin Heidelberg, 2008.
[19] Y. Han, X.-C. Zou, Z.-L. Liu, and Y.-C. Chen. The research of DPA attacks against AES implementations. The Journal of China Universities of Posts and Telecommunications, pages 101–106, 2008.
[20] A. Hodjat, D. D. Hwang, B. Lai, K. Tiri, and I. Verbauwhede. A 3.84 Gbits/s AES crypto coprocessor with modes of operation in a 0.18-um CMOS technology. In Proceedings of the 15th ACM Great Lakes Symposium on VLSI, GLSVLSI '05, pages 60–63, New York, NY, USA, 2005. ACM.
[21] J. Jaffe. A first-order DPA attack against AES in counter mode with unknown initial counter. In P. Paillier and I. Verbauwhede, editors, Cryptographic Hardware and Embedded Systems - CHES 2007, volume 4727 of Lecture Notes in Computer Science, pages 1–13. Springer Berlin Heidelberg, 2007.
[22] B. Jungk, M. Stöttinger, J. Gampe, S. Reith, and S. Huss. Side-channel resistant AES architecture utilizing randomized composite field representations. In ICFPT 2012, pages 125–128, 2012.
[23] T. Katashita, A. Satoh, K. Kikuchi, H. Nakagawa, and M. Aoyagi. Evaluation of DPA characteristics of SASEBO for board level simulations. In COSADE 2010, pages 36–39, 2010.
[24] Y. Kim, T. Sugawara, and N. Homma. Biasing power traces to improve correlation in power analysis attacks. COSADE, 2010.
[25] P. Kocher, J. Jaffe, B. Jun, and P. Rohatgi. Introduction to differential power analysis. Journal of Cryptographic Engineering, 1:5–27. Springer-Verlag, 2011.
[26] P. C. Kocher, J. Jaffe, and B. Jun. Differential power analysis. In Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology, CRYPTO '99, pages 388–397, London, UK, 1999. Springer-Verlag.
[27] S. Mangard. A simple power-analysis (SPA) attack on implementations of the AES key expansion. In ICISC 2002, LNCS 2587, pages 343–358. Springer-Verlag, 2002.
[28] S. Mangard, E. Oswald, and T. Popp. Power Analysis Attacks: Revealing the Secrets of Smart Cards (Advances in Information Security). Springer-Verlag New York, Inc., Secaucus, NJ, USA, 2007.
[29] S. Mangard, E. Oswald, and T. Popp. Power Analysis Attacks: Revealing the Secrets of Smart Cards (Advances in Information Security). Springer-Verlag New York, Inc., Secaucus, NJ, USA, 2007.
[30] S. Mangard, N. Pramstaller, and E. Oswald. Successfully attacking masked AES hardware implementations. In CHES 2005, volume 3659, pages 157–171, 2005.
[31] B. Mazumdar, D. Mukhopadhyay, and I. Sengupta. Design and implementation of rotation symmetric S-boxes with high nonlinearity and high DPA resilience. In HOST 2013, pages 87–92, 2013.
[32] H. Mestiri, N. Benhadjyoussef, M. Machhout, and R. Tourki. A comparative study of power consumption models for CPA attack. International Journal of Computer Network & Information Security, 5(3), 2013.
[33] A. Moradi. Side-channel leakage through static power - should we care about in practice? IACR Cryptology ePrint Archive, 2014:25, 2014.
[34] A. Moradi, O. Mischke, and C. Paar. One attack to rule them all: Collision timing attack versus 42 AES ASIC cores. IEEE Transactions on Computers, 62(9):1786–1798, 2013.
[35] S. Morioka and A. Satoh. An optimized S-box circuit architecture for low power AES design. In B. Kaliski, Ç. K. Koç, and C. Paar, editors, Cryptographic Hardware and Embedded Systems - CHES 2002, volume 2523 of Lecture Notes in Computer Science, pages 172–186. Springer Berlin Heidelberg, 2003.
[36] S. Ors, F. Gurkaynak, E. Oswald, and B. Preneel. Power-analysis attack on an ASIC AES implementation. In ITCC 2004, pages 546–552 Vol.2, 2004.
[37] Z. Peng, D. Gaoming, Z. Qiang, and C. Kaiyan. EM frequency domain correlation analysis on cipher chips. In ICISE 09, pages 1729–1732, 2009.
[38] M. Petrvalsky, M. Drutarovsky, and M. Varchola. Differential power analysis of Advanced Encryption Standard on accelerated 8051 processor. In Radioelektronika (RADIOELEKTRONIKA), 2013 23rd International Conference, pages 334–339, April 2013.
[39] K. Tiri, D. Hwang, A. Hodjat, B. Lai, S. Yang, P. Schaumont, and I. Verbauwhede. A side-channel leakage free coprocessor IC in 0.18um CMOS for embedded AES-based cryptographic and biometric processing. In DAC '05, pages 222–227. ACM Press, 2005.
[40] K. Tiri, D. Hwang, A. Hodjat, B.-C. Lai, S. Yang, P. Schaumont, and I. Verbauwhede. Prototype IC with WDDL and differential routing – DPA resistance assessment. In Proceedings of the 7th International Conference on Cryptographic Hardware and Embedded Systems, CHES '05, pages 354–365, Berlin, Heidelberg, 2005. Springer-Verlag.
[41] Transport services, New South Wales. The Opal card: Transforming the way we move around, August 2013. http://www.transport.nsw.gov.au/opal.
[42] J. Wu, Y. Shi, and M. Choi. Measurement and evaluation of power analysis attacks on asynchronous S-box. IEEE Transactions on Instrumentation and Measurement, 61(10):2765–2775, 2012.
[43] Q. Xie, S. Zeng, and X. Yu. A smart-card-based conditional access subsystem separation scheme for digital TV broadcasting. IEEE Transactions on Consumer Electronics, 51(3):925–932, 2005.