Article

Low-Cost Full Correlated-Power-Noise Generator to Counteract Side-Channel Attacks

by Erica Tena-Sánchez 1,2,*, Francisco Eugenio Potestad-Ordóñez 1,2, Virginia Zúñiga-González 2 and Antonio J. Acosta 2

1 Electronics Technology Department, Escuela Politécnica Superior, Universidad de Sevilla, 41011 Sevilla, Spain
2 Instituto de Microelectrónica de Sevilla, IMSE-CNM (Universidad de Sevilla/CSIC), 41092 Sevilla, Spain
* Author to whom correspondence should be addressed.
Appl. Sci. 2025, 15(6), 3064; https://doi.org/10.3390/app15063064
Submission received: 6 February 2025 / Revised: 1 March 2025 / Accepted: 3 March 2025 / Published: 12 March 2025

Abstract:
Considerable attention has been given to addressing side-channel attacks to improve the security of cryptographic hardware implementations. These attacks encourage the exploration of various countermeasures across different levels of abstraction, mainly through masking and hiding techniques. In this paper, we introduce a novel hiding countermeasure designed to mitigate Correlation Power Analysis (CPA) attacks without significant overhead. The new countermeasure interferes with the processed data, minimizing the correlation of the power consumption with the secret key. The proposed method involves a Correlated-Power-Noise Generator (CPNG). This study is supported by experimental results using CPA attacks on a SAKURA-G board with a Spartan-6 Xilinx FPGA. An Advanced Encryption Standard (AES) cipher with 128/256-bit key size is employed for this purpose. The proposed secure AES design has an area overhead of 29.04% compared to the unprotected AES. After conducting a CPA attack, the amount of information obtained about the private key is reduced drastically, by 44.5%.

1. Introduction

In the age of the Internet of Things (IoT), characterized by extensive device interconnectivity and ubiquitous data transmission, there is a pressing need for security measures that encompass a diverse spectrum of applications, from high-performance to lightweight computing platforms. With such a forecast in mind, IoT devices are expected to increase the demand not only for energy efficiency but also for hardware reliability, system integration, portability, and security [1]. Within this intricate scenario, the computational power involved spans various orders of magnitude, extending from the capacities of quantum computers to the modest capabilities of diminutive devices, including radio-frequency identification tags, sensors, and smart cards [2].
Unlike secured computers and cloud servers, the majority of embedded systems are physically accessible. Consequently, the risk of compromising private information is elevated due to the potential for direct manipulation, exploitation of vulnerabilities, and extraction of sensitive information from these devices. Extensive research has been carried out on compromising security through physical attacks on hardware implementations. These studies have demonstrated connections between power consumption, electromagnetic emissions, thermal patterns, and various other phenomena and the secret information handled during encryption. This area of exploration, known as Side-Channel Analysis (SCA), has remained dynamic over the past two decades [1]. During an SCA attack on a cryptographic device, the secret key is exposed while the device operates correctly during encryption. In other words, although conventional cryptographic algorithms, even ciphers such as the Advanced Encryption Standard (AES) or ASCON, are designed to obfuscate sensitive data and safeguard them against unauthorized access, they remain susceptible to physical attacks.
Power analysis (PA) is one of the most common SCA attacks and has attracted significant attention because of its effectiveness and because it can be carried out relatively easily [1], posing a substantial security threat to cryptographic devices. Indeed, unprotected cryptocircuits can be broken with slight effort. The main idea of PA attacks is to use the relationship between the power consumed by the device and the data being computed to find secret data such as the key of an encryption process. Some PA techniques are Differential Power Analysis (DPA) and Correlation Power Analysis (CPA) [3].
This kind of attack compares the power consumption of the target circuit with a hypothetical power model. The model predictions are subsequently compared with the real power traces to recover the private data [3]. To mitigate such attacks, countermeasures can be employed to enhance the security of cryptographic devices. These countermeasures can be categorized at three distinct levels: gate, system, and algorithmic. On the other hand, depending on the technique used to break the correlation between the data and the power consumption, countermeasures can be classified into two main groups: hiding and masking techniques. Hiding attempts to obtain the same power consumption, or a random power consumption, independently of the data being processed. In order to obtain the same power consumption, one of the most widely used strategies is the use of dual-rail logics such as SABL or WDDL [4,5]. Other hiding countermeasures use noise generators to produce dummy power consumption contributions that hide the real consumption of the cryptographic circuit. In masking, the critical data are masked with a random data sequence during encryption such that operations on the masked data are indistinguishable from operations on random data [1,6]. In embedded design scenarios, all these countermeasures are resource-intensive. Given the imperative requirement to minimize both the area overhead and the power consumption in specific embedded devices, novel and cost-effective architectural countermeasures are demanded.
A hiding countermeasure is introduced in this work as a solution to counteract PA attacks with no significant influence on the overhead or the frequency degradation of the cipher implementation. This countermeasure is an evolution of the Correlated-Power-Noise Generator (CPNG): it adds an interfering noise power signal that correlates with both the manipulated data and the encryption key, improving the scheme presented in [7].
The main contributions of this paper are:
  • A state-of-the-art review regarding the hardware attacks and countermeasures on AES cipher is performed.
  • A CPNG design methodology is proposed to increase the security of the AES cipher.
  • A comprehensive security assessment is conducted by comparing the unprotected AES with the AES protected using the countermeasure introduced in this study.
The organization of the rest of the paper is as follows. Section 2 contextualizes current and effective PA attacks and the countermeasures that counteract them. We introduce in Section 3 the AES architecture and discuss the differences between its versions with 128- and 256-bit key lengths, their characteristics, and vulnerabilities. Section 4 puts forward the new architectural countermeasure, providing its overhead and degradation in comparison with the unprotected AES. The experimental results and security evaluation are given in Section 5. Finally, in Section 6, the conclusions are presented.

2. PA Attacks and Effective Countermeasures

This section contextualizes current and effective PA attacks and the countermeasures that counteract them.

2.1. Attacks

Current attack strategies exhibit significant differences in terms of cost, time, equipment, and expertise. Since the reverse engineering of chips demands costly and advanced equipment, there has been an interest in exploring alternative methods for developing physical attacks [1]. The focus has been on identifying the information accessible to attackers that was not accounted for in the cryptographic protocols. Within this category of threats, a secondary classification is made between active and passive attacks. An active attack changes the functionality of the device during operation by manipulating its inputs, power supply, or temperature, and then analyzes the behavior of the target after the manipulation. In contrast, in a passive attack, the secret information is revealed while the cryptographic device operates in the correct way, so the attack may even go unnoticed by device users. For this reason, researchers show great interest in studying the security against the latter attacks.
Passive non-invasive attacks, particularly SCAs targeting cryptographic devices, exploit specific physical data to uncover confidential or critical information contained in the target. Depending on the exploited leakage, SCA attacks can be classified into different types [1]. One of the best-known SCAs is the timing attack [8], where adversaries may recover data from systems through meticulous timing measurements during operations. This attack is computationally economical, and the attacker does not need strong knowledge of the device. On the other hand, PA [3] or electromagnetic (EM) [9] attacks leverage the correlation between the power consumption or electromagnetic radiation, respectively, of cryptographic circuits and the data being processed.
SCA attacks can also be categorized based on different attacker models [1]. Non-profiled attacks assume that the adversary has access only to the specific targeted device, often needing additional information such as hypothetical power models or specific details of the implementation. Examples of non-profiled attacks include Simple Power Analysis (SPA) and DPA/CPA attacks [3]. In contrast, profiled attacks involve adversaries who not only have access to the target device but also possess other samples under their control. This access enables the attacker to model the physical behavior of the target, determining its response to all possible secret intermediate values in a phase known as the profiling phase. Examples of profiled attacks include template attacks and machine-learning-based attacks.
This study measures the security of crypto-implementations by performing non-profiled attacks, namely CPA attacks. The objective of a CPA attack is to uncover the confidential cryptographic key employed by a device by analyzing a substantial volume of power consumption traces obtained from the Device Under Test (DUT) during data encryption or decryption. In the practical execution of a CPA attack, an adversary begins by observing and capturing a series of m encryption operations or power traces, denoted as T[1:m]. Each trace comprises n sampled points, so the power consumption matrix is T[m,n]. Additionally, the attacker records either the ciphertexts[1:m], the plaintexts[1:m], or both. The analysis centers on an intermediate cipher operation where the private key interacts with a known value, typically the plaintext or the ciphertext, corresponding to the operation performed during the first or last encryption round, respectively. Figure 1 shows the steps in a complete CPA attack on the first round. Once the operation of interest has been identified and the power consumption traces T have been collected, the subsequent step in the CPA attack involves calculating intermediate hypothetical values, H[m,n], for each of the possible keys k. These hypothetical values are subsequently correlated with the power consumption values using a power model. The choice of the power model significantly impacts the success of the attack; this study uses the Hamming-Distance model. The correlation between the H matrix and the measured power consumption traces, T, should yield the maximum correlation value for the correct private key.

2.2. Countermeasures Against Power Analysis Attacks

The selection of hardware countermeasures against SCA attacks is not straightforward. Each proposed countermeasure has pros and cons that must be carefully considered, since the increase in security levels entails a degradation in the operating conditions of the circuits, such as a degradation in the operating frequency, an increase in power consumption or occupied area. There is no best choice suitable for all cases, since the best solution will depend in each case on the particular application of the cryptographic module, where different requirements will have to be met and the best choice will be the one that offers the best trade-off in terms of performance and security levels.
Since the emergence of power-analysis attacks in the late 1990s, the scientific community has proposed numerous countermeasures to mitigate the vulnerabilities of cryptographic circuits; some examples are [7,10]. At the hardware level, the design strategies depend on the abstraction level and on the mechanism employed to uncouple power consumption or electromagnetic emanations from the key and data being processed. These countermeasures span from the layout to the algorithm level, encompassing tasks from attack detection to adding redundant blocks to obscure potential information leakage. In this sense, the existing hardware countermeasures can be classified as follows. A first classification depends on the abstraction level, with countermeasures focused on the algorithm, circuit, or gate level. Regarding hardware countermeasures applied at the gate level [4], their main advantage is that, once the secure cell library has been designed with the selected secure logic style, and the automatic design flow has been adapted for use with this new library, the same design flow can be applied regardless of the implemented algorithm. Note that when combining gate-level countermeasures with those at a higher level, or with complementary ones at the same level of abstraction, additional analysis is required to ensure that the overall security enhancements do not interfere with each other. Furthermore, countermeasures can also be classified based on the technique used to break the correlation between data and power consumption, which typically falls into two main categories: masking and hiding techniques.
Masking is widely employed to mitigate PA attacks: sensitive data are masked by combining them with a random data sequence in such a way that all encryption operations on the masked data become indistinguishable. The most straightforward method for implementing masking is Boolean masking, which involves masking an input word a by performing an XOR operation with a random value m. The masked signal a_m is propagated along the critical datapath [10], and as a consequence, the power consumption of the running implementation becomes unpredictable.
Hiding countermeasures aim to achieve constant power consumption at the gate, circuit, or algorithm level, regardless of the processed data [4]. Since the introduction of CPA attacks, there have been numerous logic-style propositions aiming to achieve resistance against such attacks by ensuring power consumption remains independent of the data being processed. In an initial approach, this uniform power consumption can be attained by employing dual-rail signals and differential gates [11]. As the concept of concealment entails maintaining precise power consumption regardless of the processed data, it inherently necessitates complete symmetry. Nevertheless, the majority of these techniques encounter challenges in the precise calibration of the place and route operation to achieve equal capacitive loads on two wires.

3. AES: Structure, Implementation, and Vulnerabilities

In this section, the AES architecture is introduced and the differences between its versions with 128- and 256-bit key lengths, their characteristics, and vulnerabilities are discussed.
AES operates as a Symmetric Key Cryptographic (SKC) algorithm, where a single key serves for both encryption and decryption, and both the sender and receiver know its value [2]. The standard AES cipher operates on a 128-bit data block during each round until the entire input data are fully encrypted, so a given input data block or plaintext will always result in the same output data or ciphertext, of the same length as the input, when the same key is used. The AES key size may be 128, 192, or 256 bits, and the number of rounds required to finalize the encryption process depends on this key length. In particular, the number of rounds, n_r, is 10, 12, or 14 for 128-bit, 192-bit, and 256-bit key sizes, respectively. In this paper, the particular implementation of the AES cipher includes both the 128- and 256-bit key length implementations in the same cryptocircuit. The AES encryption diagram is shown in Figure 2. Each round has four layers that handle 128-bit data blocks, as mentioned above. Those layers are the SubByte, ShiftRow, MixColumn, and AddRoundKey layers. The SubByte layer employs the widely recognized S-box transformation: each input state element corresponds uniquely to a specific output value. The ShiftRow operation entails the leftward rotation of each row within the state matrix: the first row of the AES state remains unaltered, the second row shifts one position to the left, the third row shifts two positions, and the final row shifts three positions to the left. Subsequently, the MixColumn layer multiplies the state by a fixed matrix with known values. Finally, the AddRoundKey layer performs an XOR operation to incorporate the subkey Key_i obtained from the key schedule process [12]. Note that before the first round (n_r = 1) an AddRoundKey is carried out, and the last round does not make use of the MixColumn transformation.
When the encryption starts, the 128 bits of plaintext are combined with the initial 128 bits of the original key, Key_0, using the Key-Addition layer through an XOR operation. After that, the Key Addition continues to be responsible for mixing the current 16-byte state matrix with a subkey that has been obtained from the original key in the Key Schedule process. The Key Schedule algorithm takes the original key (in 128-bit blocks) and generates what is known as the expanded key matrix. This algorithm is different for every key size [13]. The expanded key matrix consists of a specific number of 16-byte subkey matrices. The number of subkeys depends on the key size chosen and is equal to the number of rounds plus one. Thus, the number of rounds for AES-128 is n_r = 10, and there are 11 subkeys. In contrast, AES-256 utilizes 15 subkeys. Each of these subkeys comprises four words, which means that the expanded keys consist of 44 words for AES-128 and 60 words for AES-256.
The implementation of the AES cipher under study in this work offers the option to choose between 128- and 256-bit key lengths, as well as to encrypt or decrypt the input message. Regarding the comparison with the state of the art, it should be noted that AES implementations can be divided into two groups: the first focuses on low resource and power consumption [14,15] through serialization, the reduction of the AES datapath width, etc., and the second aims at maximizing the performance of the cipher implementation in terms of operating frequency and throughput at the expense of high resource consumption [16,17]. Compared to the high-performance implementations [16,17], the selected AES implementation exhibits reduced throughput while maintaining a moderate level of resource consumption.

3.1. Area and Frequency

The performance of the AES implementation is analyzed in terms of timing and resource occupation on a Spartan-6 Xilinx Field-Programmable Gate Array (FPGA). In order to evaluate the security levels achieved by our designs, a specific platform has been used to develop CPA attacks in an appropriate manner. In this sense, the SAKURA-G board has been chosen for its versatility: it has two Xilinx Spartan-6 FPGAs, so the cryptographic module can be implemented in one of them while the other is exclusively dedicated to control and data transmission with the PC. Design specifications are given in Table 1. The AES128-256 uses 3616 Look-Up Tables (LUTs) in total and thus requires 7% of the FPGA resources. It is significant to mention that the AES response time depends on the key length and on whether an encryption or decryption operation is performed. However, there is no dependency between the response time and the specific value of the key or of the processed data.

3.2. Vulnerabilities, Metrics, and Attacks

The security level of ciphers was primarily based on their mathematical formulation, but the physical implementation of these algorithms made them vulnerable to physical attacks. It is advisable to identify all potential security vulnerabilities and to implement countermeasures in order to prevent any leakage of information. A well-known method to analyze vulnerable leakage points is the Test Vector Leakage Assessment (TVLA) [18]. This test is a preliminary experimental security metric whose objective is to identify the vulnerability points of a cipher, block, or any device. In essence, the TVLA metric detects the presence of potential private information leakages. TVLA has been carried out for the AES. Its configuration involves the cipher (as DUT) holding a fixed known key and receiving a plaintext that alternates between random and fixed values in every encryption. The resulting graph is displayed in Figure 3.
All the encryption rounds and three post-processing rounds are shown. As can be observed, there is evident information leakage, as the TVLA values exceed the threshold of ±4.5 [18]. Given this result, the proposed countermeasure must protect all the encryption rounds, as the original implementation of AES is vulnerable to power attacks on the majority of them.
To confirm that the leakage detected in our preliminary security evaluation leads to successful attacks, experimental first-order CPA attacks have been performed. Unlike TVLA, the CPA attack is focused on discovering private information, specifically the key in the case of AES, rather than solely determining its vulnerability. The attack has been successful for the AES employed in this paper—a SubByte attack is shown in Figure 4; thus, the AES implementation is vulnerable against first-order CPA attacks. In this work, first-order CPA attacks have been taken into account. However, new types of attacks are appearing every day, such as those based on machine-learning techniques or higher-order attacks, which makes it interesting to evaluate the security levels against numerous hardware attacks in the future for further and complete analysis.
It is common to observe attacks on the first or the last round, in which the knowledge of plaintexts or ciphertexts, respectively, is necessary. In this instance, the last round exhibits a greater degree of leakage than the first round, making it more vulnerable. A CPA attack on the last round yields the last subkey of the expanded key, K_{n_r}. Afterwards, a second step is necessary: reversing the Key Schedule process until the original key is obtained. The difficulty of reversing the key schedule depends on the key length. While attacking AES-128 involves discovering only one of the subkeys of the expanded key, reversing the process for AES-256 requires knowledge of two consecutive subkeys [13,19]. This fact often necessitates the execution of two consecutive, interdependent attacks [13,19]. The first attack follows a similar approach to that used for AES-128, but the second attack, which is directly contingent on the success of the first one, must then be carried out. Any error or uncertainty in the initial attack further complicates the process of key recovery. That is the reason why the AES-256 attack is more difficult and time-consuming for the attacker, and therefore of greater concern than AES-128. Consequently, in this study, while the AES implementation has been designed for both 128-bit and 256-bit key sizes, only the AES-256 is subjected to experimental analysis.

4. Hiding Countermeasure for SCA Attacks

In this section the new architectural countermeasure is presented, providing the overhead and degradation in comparison with the unprotected AES.

4.1. Background

In AES implementations, the power-consumption traces are correlated with the computed data, and, at the same time, those computed data are correlated with the secret key Key. For the AES cipher, the correlation peak mainly emerges during the SubByte step. To address this security vulnerability, Najeh et al. [7] propose interfering with the power signal using an added correlated power signal. They use a block parallel to the classic AES core with the same cipher input data Plaintext but with an interfering random key Key_interf. The block includes the AddRoundKey and SubByte layers of the AES cipher; this architecture-level countermeasure is replicated in Figure 5.
Therefore, in the first-round encryption, the input data are processed simultaneously by two encryption cores, the original and the CPNG block, so the global power consumption is due to both AES states, S and S_interf. The S_interf signal is left unconnected because it must not affect the encrypted output ciphertext. In other words, the cipher power consumption of that round is correlated to the input data and to both keys: Key and Key_interf. Given that the power noise exhibits a correlation with the input data, it becomes unfeasible to filter it out during a CPA attack. The only condition of the countermeasure is that the interfering key value has to be different from the original key but of the same size. Through experimentation, the authors demonstrate that their design is resilient to conventional first-order CPA attacks on the first encryption round [7].
It is crucial to note that the countermeasure they propose primarily focuses on safeguarding the first round. It is reasonable to assume that the most critical point of vulnerability occurs in this initial round, as this is where the original key is combined with the plaintext. However, it is well documented that the AES algorithm exhibits greater vulnerability in the final round. In this scenario, the attacker gains access to the expanded key and must engage in additional key recovery processing [13,19], as explained in Section 3. Although the difficulty of finding the original key from the expanded key depends on the key size, this process is practically manageable. Consequently, attacks on the intermediate and/or final rounds are of significant concern.

4.2. Proposal

A fully Correlated-Power-Noise Generator has been deployed. It “hides” each encryption/decryption round, since the AddRoundKey module input is the plaintext for the first round and the feedback state for the rest of the rounds. This was achieved by connecting the same input signal both to the encryption/decryption datapath and to the added CPNG. The hiding countermeasure presented in this paper is illustrated in Figure 6. CPA attacks are conducted during the final round to assess the effectiveness of this countermeasure in achieving security. This will be discussed in Section 5.
The main countermeasure idea is to add another block to the unprotected AES cipher using the same input data but an interfering random key, Key_interf. In detail, the AES core performs the first AddRoundKey step with a 128-bit block of cipher input data Plaintext and with the secret key, denoted as Key. At the same time, in the interference core, the same 128-bit block of cipher input data is provided to another, similar AddRoundKey module but with the interfering key Key_interf. During encryption, the outputs of the two AddRoundKey modules are applied synchronously to two similar SubBytes modules as well, generating S and S_interf. S is connected to the next step of the AES datapath, whereas S_interf is left unconnected. In the decryption scheme, the AddRoundKey output of the interference core is left unconnected. Afterward, while the inverse operation of SubBytes (referred to as invSubByte) is in progress, an intrusive invSubByte is also executed, operating on the same input state.

4.3. Evaluation

20K power traces are recorded for each of three randomly selected keys to execute the CPA attacks. Each trace corresponds to a full encrypt or decrypt operation, i.e., a new random plaintext is introduced each time. In order to ascertain the efficacy of the countermeasure and to prevent the CPA algorithm from filtering out the interference key, the interference key is modified in each successive round. For this purpose, a simple pseudo-random number generator (PRNG) has been included [20,21], the one shown in Figure 7.

4.4. Area Overhead and Frequency Degradation

Table 2 summarizes the degradation characteristics in terms of timing and resource occupation resulting from the inclusion of the hiding countermeasure in comparison to the unprotected AES. The AES designs are implemented in a Spartan-6 Xilinx FPGA. As mentioned in Section 3, the unprotected AES128-256 uses 3616 LUTs while the protected CPNG AES uses 4666 LUTs. The proposal has an area overhead of 29% when LUTs are considered and of 7.38% in slices. Regarding the maximum operating frequency, the proposal presents no frequency degradation.

5. Security Evaluation and Experimental Results

The security evaluation of the hiding countermeasure proposal has been conducted experimentally. As an experimental setup, the scheme shown in Figure 8 is proposed, where the following equipment is used: (1) a computer, (2) a Keysight InfiniiVision DSOX3054T oscilloscope, with 4 GSa/s and a bandwidth of 500 MHz, (3) a Keysight E36312A power supply, and (4) a SAKURA-G FPGA board (a specific board designed for SCA attacks). The power supply feeds the SAKURA-G board precisely and the oscilloscope performs the trace acquisition. The computer controls the instruments, communicates with the AES implementation in the Spartan-6 Xilinx FPGA of the SAKURA-G board, and processes the data to carry out the CPA attacks.

5.1. Test Vector Leakage Assessment, TVLA

A preliminary security comparison between the unprotected and the protected CPNG AES-256 is based on the TVLA. Figure 9 depicts the TVLA graph for the cipher without protection (in red) and with the protection provided by the CPNG countermeasure (in blue) for the AES-256. The graph highlights 15 operations, each associated with one of the subkeys that constitute the expanded key, and three consecutive operations executed by the cipher. For the first and second rounds, using the subkeys K0 and K1 which form the full 256-bit original key, the protected CPNG AES exhibits smaller leakage peaks, particularly in the second round. Although it is notable that, in some of the intermediate rounds, it attains higher absolute maximum values, the overall mean leakage remains lower. In terms of extracting information from the last round, the original AES reaches a maximum value of 30.51 whereas the protected AES only reaches 20.56, signifying a reduction in information leakage of 32.61%. Therefore, it is possible to assert that the countermeasure enhances the security of the cipher, particularly with regard to attacks on the first and last rounds, which are typically subject to more extensive analysis. These attacks are conducted experimentally in the following subsection to validate this claim.

5.2. CPA Attack

The CPA attack has been applied to the final round. The security of each attack is quantified by the number of SubBytes revealed, together with the Measurements to Disclose (MTD) the secret key, which in turn defines the minimum number of input patterns required to retrieve the secret key. The attacks have been conducted using three different keys to calculate average values, while the input data were randomly generated. The first key for both implementations, key_1, is a public NIST test key, while the rest are pseudo-random. Table 3 summarizes the results of the attack, employing a dataset comprising 20,000 ciphertexts. The average number of revealed SubBytes is 6 for the unprotected AES and 3.33 for the proposed countermeasure. Therefore, obtaining the SubBytes in the attack is made more challenging, resulting in a 44.5% reduction in their number with a set of 20,000 traces.
In support of these results, Figure 10 is presented. For each key, a graphical representation illustrates the revealed SubBytes relative to the number of power consumption traces employed. We can observe that the number of revealed SubBytes for the protected AES (in blue) is lower for nearly all dataset sizes used in the attack. Even for key 1, where 6 SubBytes are revealed for both implementations with the complete dataset, a greater number of traces is required to uncover the initial bytes. Thus, while 2 SubBytes are already known for the unprotected AES with 4000 traces, none have been obtained for the protected AES.
Comparing the results obtained with other countermeasures proposed in the literature, we can see that we have to evaluate the trade-off between security levels achieved and degradation in performance. In relation to hiding techniques based on DPL logic styles, we find SABL or WDDL countermeasures as the most widespread. However, the cost in the design phases is high due to the need for a full-custom or semi-custom design process. On the other hand, the degradation in area in the case of SABL countermeasure amounts to a factor of ×2, while in WDDL it can reach increments of around ×7 [4]. In the case of similar power noise generators, as the one presented in [7], the authors present an area overhead of ×1.44, while maintaining the same operating frequency. However, authors claim only first-order security levels in the first operation round of the AES cipher. Our proposal although protecting all encryption rounds, it achieves the same operating frequency as the unprotected implementation, with a minimal area overhead of ×1.29.
Based on these data, the following conclusions can be given. Paying attention to the revealed SubBytes for each implementation, it can be observed that the unprotected AES presents a greater threat than the proposed AES. The protected CPNG AES includes a second S u b B y t e operation that causes a significant noise correlated with the original key, the input data or state cipher for intermediate rounds, and, thus, an interference key which is changes in each round. The overall power consumption is influenced, and its correlation with the original key is also impacted, rendering the CPA attack more challenging. It is important to note that there are different types of attacks that exploit hardware implementations beyond power attacks, such as fault-injection attacks. In this sense, in order to achieve a higher level of security, it would be interesting to use combined countermeasures that can protect the circuit, not only against one threat, but against several types of attacks, even combined. Therefore, the countermeasures included must be compatible in terms of their implementation without degrading performance and security levels compared to other types of attacks.

6. Conclusions

This paper has presented a low-cost full Correlated-Power-Noise Generator as a countermeasure against power-analysis attacks. Correlated power noise has been generated for each encryption/decryption round, with the AddRoundKey module input being the plaintext for the first round and the feedback for subsequent rounds. The proposal has been validated with experimental results using a first-order CPA attack on a SAKURA-G board with a SPARTAN-6 Xilinx FPGA. An unprotected AES design with a 128/256-bit key size was used for this study. The countermeasure has proven resilient against CPA attacks due to the increased difficulty in obtaining SubBytes, resulting in a 44.5% reduction in their count when using a dataset of 20,000 traces. Additionally, the number of traces needed to obtain the initial SubBytes has increased. Our approach is introduced as a cost-effective solution that may interest applications prioritizing both area and throughput while enhancing the security of lightweight ciphers. For our secure design, the area overhead is only 29.04%, while the maximum frequency for both unprotected and secure designs remains the same, making the degradation negligible.

Author Contributions

Conceptualization, E.T.-S., F.E.P.-O. and A.J.A.; methodology, E.T.-S., F.E.P.-O. and A.J.A.; software, E.T.-S., F.E.P.-O. and V.Z.-G.; validation, E.T.-S., F.E.P.-O. and V.Z.-G.; formal analysis, E.T.-S., F.E.P.-O. and V.Z.-G.; investigation, E.T.-S., F.E.P.-O., V.Z.-G. and A.J.A.; resources, E.T.-S., F.E.P.-O., V.Z.-G. and A.J.A.; data curation, E.T.-S. and V.Z.-G.; writing—original draft preparation, E.T.-S., F.E.P.-O. and V.Z.-G.; writing—review and editing, E.T.-S., F.E.P.-O. and A.J.A.; visualization, E.T.-S. and F.E.P.-O.; supervision, E.T.-S. and A.J.A.; project administration, A.J.A. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

The original contributions presented in the study are included in the article; further inquiries can be directed to the corresponding author.

Acknowledgments

The authors want to thank the projects Grant PID2020-116664RB-I00 funded by MCIN/AEI/10.13039/501100011033, the project of “Programa Operativo FEDER 2014-2020 and Consejería de Economía, Conocimiento, Empresas y Universidad de la Junta de Andalucía under Project US-1380823”, the SPIRS (Secure Platform for ICT Systems Rooted at the Silicon Manufacturing Process) Project with Grant Agreement No. 952622 under the European Union’s Horizon 2020 research and innovation programme, and the Ministry for Digital Transformation and Public Function through grant USECHIP (TSI-069100-2023-001) of the PERTE Chip Chair program, funded by European Union–Next Generation EU.

Conflicts of Interest

The authors declare no conflict of interest. The funders had no role in the design of the study; in the collection, analyses, or interpretation of data; in the writing of the manuscript; or in the decision to publish the results.

Abbreviations

The following abbreviations are used in this manuscript:
AES: Advanced Encryption Standard
CPA: Correlation Power Analysis
CPNG: Correlated-Power-Noise Generator
DPA: Differential Power Analysis
DUT: Device Under Test
EM attacks: Electromagnetic attacks
FPGA: Field Programmable Gate Array
IoT: Internet of Things
LUT: Look-Up Table
MTD: Measurements To Disclose
NIST: National Institute of Standards and Technology
PA: Power Analysis
PRNG: Pseudo-Random Number Generator
SCA: Side-Channel Analysis
SKC: Symmetric Key Cryptography
SPA: Simple Power Analysis
TVLA: Test Vector Leakage Assessment

References

  1. Mangard, S.; Oswald, E.; Popp, T. Power Analysis Attacks: Revealing the Secrets of Smart Cards; Springer Science & Business Media: New York, NY, USA, 2008; Volume 31.
  2. Acosta, A.J.; Addabbo, T.; Tena-Sánchez, E. Embedded electronic circuits for cryptography, hardware security and true random number generation: An overview. Int. J. Circuit Theory Appl. 2017, 45, 145–169.
  3. Kocher, P.; Jaffe, J.; Jun, B. Differential power analysis. In Proceedings of the Advances in Cryptology—CRYPTO’99: 19th Annual International Cryptology Conference, Santa Barbara, CA, USA, 15–19 August 1999; Proceedings 19. Springer: Berlin/Heidelberg, Germany, 1999.
  4. Tena-Sánchez, E.; Potestad-Ordóñez, F.E.; Jiménez-Fernández, C.J.; Acosta, A.J.; Chaves, R. Gate-level hardware countermeasure comparison against power analysis attacks. Appl. Sci. 2022, 12, 2390.
  5. Fadaeinia, B.; Anik, M.T.H.; Karimi, N.; Moradi, A. Masked SABL: A long lasting side-channel protection design methodology. IEEE Access 2021, 9, 90455–90464.
  6. SV, D.K.; Balasch, J.; Gierlichs, B.; Verbauwhede, I. Low-Cost First-Order Secure Boolean Masking in Glitchy Hardware-full version. IEEE Trans. Inf. Forensics Secur. 2025.
  7. Kamoun, N.; Bossuet, L.; Ghazel, A. Correlated power noise generator as a low cost DPA countermeasures to secure hardware AES cipher. In Proceedings of the 2009 3rd International Conference on Signals, Circuits and Systems (SCS), Medenine, Tunisia, 6–8 November 2009; IEEE: New York, NY, USA, 2009.
  8. Kocher, P.C. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In Proceedings of the Advances in Cryptology—CRYPTO’96: 16th Annual International Cryptology Conference, Santa Barbara, CA, USA, 18–22 August 1996; Proceedings 16. Springer: Berlin/Heidelberg, Germany, 1996.
  9. Hayashi, Y.-I.; Homma, N.; Mizuki, T.; Aoki, T.; Sone, H.; Sauvage, L. Analysis of electromagnetic information leakage from cryptographic devices with different physical structures. IEEE Trans. Electromagn. Compat. 2012, 55, 571–580.
  10. Standaert, F.-X.; Peeters, E.; Quisquater, J.-J. On the masking countermeasure and higher-order power analysis attacks. In Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC’05)-Volume II, Las Vegas, NV, USA, 4–6 April 2005; IEEE: New York, NY, USA, 2005; Volume 1.
  11. Razafindraibe, A.; Robert, M.; Maurine, P. Formal evaluation of the robustness of dual-rail logic against DPA attacks. In Proceedings of the Integrated Circuit and System Design. Power and Timing Modeling, Optimization and Simulation: 16th International Workshop, PATMOS 2006, Montpellier, France, 13–15 September 2006; Proceedings 16. Springer: Berlin/Heidelberg, Germany, 2006.
  12. Paar, C.; Pelzl, J. Understanding Cryptography: A Textbook for Students and Practitioners; Springer Science & Business Media: Berlin/Heidelberg, Germany, 2009.
  13. Wurcker, A. Ease of side-channel attacks on AES-192/256 by targeting extreme keys. Cryptol. ePrint Arch. 2019. Available online: https://eprint.iacr.org/2019/340 (accessed on 2 March 2025).
  14. Chodowiec, P.; Gaj, K. Very compact FPGA implementation of the AES algorithm. In International Workshop on Cryptographic Hardware and Embedded Systems; Springer: Berlin/Heidelberg, Germany, 2003.
  15. Moradi, A.; Poschmann, A.; Ling, S.; Paar, C.; Wang, H. Pushing the limits: A very compact and a threshold implementation of AES. In Proceedings of the Advances in Cryptology–EUROCRYPT 2011: 30th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tallinn, Estonia, 15–19 May 2011; Proceedings 30. Springer: Berlin/Heidelberg, Germany, 2011.
  16. McLoone, M.; McCanny, J.V. High performance single-chip FPGA Rijndael algorithm implementations. In Proceedings of the Cryptographic Hardware and Embedded Systems—CHES 2001: Third International Workshop, Paris, France, 14–16 May 2001; Proceedings 3. Springer: Berlin/Heidelberg, Germany, 2001.
  17. Chodowiec, P.; Khuon, P.; Gaj, K. Fast implementations of secret-key block ciphers using mixed inner- and outer-round pipelining. In Proceedings of the 2001 ACM/SIGDA Ninth International Symposium on Field Programmable Gate Arrays, Monterey, CA, USA, 11–13 February 2001.
  18. Becker, G.; Cooper, J.; DeMulder, E.; Goodwill, G.; Jaffe, J.; Kenworthy, G.; Kouzminov, T.; Leiserson, A.; Marson, M.; Rohatgi, P.; et al. Test vector leakage assessment (TVLA) methodology in practice. In Proceedings of the International Cryptographic Module Conference, Gaithersburg, MD, USA, 24–26 September 2013; Volume 1001.
  19. Biryukov, A.; Dunkelman, O.; Keller, N.; Khovratovich, D.; Shamir, A. Key recovery attacks of practical complexity on AES-256 variants with up to 10 rounds. In Proceedings of the Advances in Cryptology–EUROCRYPT 2010: 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, French Riviera, 30 May–3 June 2010; Proceedings 29. Springer: Berlin/Heidelberg, Germany, 2010.
  20. Thomas, D.B.; Luk, W. FPGA-optimised uniform random number generators using LUTs and shift registers. In Proceedings of the 2010 International Conference on Field Programmable Logic and Applications, Milan, Italy, 31 August–2 September 2010; IEEE: New York, NY, USA, 2010.
  21. Thomas, D.B.; Luk, W. High quality uniform random number generation using LUT optimised state-transition matrices. J. VLSI Signal Process. Syst. Signal Image Video Technol. 2007, 47, 77–92.
Figure 1. CPA attack scheme.
Figure 2. AES encryption algorithm diagram.
Figure 3. TVLA—unprotected AES.
Figure 4. First-order CPA attack in the last round on unprotected AES.
Figure 5. AES diagram with the Correlated-Power-Noise Generator presented in [7].
Figure 6. AES diagram with Correlated-Power-Noise Generator as a proposed countermeasure.
Figure 7. The connection of a simple PRNG based on a 128-bit linear-feedback shift register.
Figure 8. Experimental setup for SCA analysis in AES.
Figure 9. TVLA comparison between unprotected AES and protected CPNG AES.
Figure 10. Number of revealed SubBytes versus the number of power consumption traces used.
Table 1. Resources required for the implementation of AES128-256 in Spartan-6 XC6SLX75-2CSG484.

| Feature | AES-128 | AES-256 |
| Encryption clock cycles | 11 | 15 |
| Decryption clock cycles | 21 | 22 |
| Frequency (MHz) | 66.20 (both) | |
| LUTs | 3616 (both) | |

Table 2. Area overhead and frequency degradation comparison between unprotected and protected AES with CPNG in SAKURA-G Spartan-6 Xilinx FPGA.

| Implementation | LUTs | Slices | Freq. (MHz) |
| Unprotected AES | 3616 | 1518 | 66.20 |
| Protected CPNG AES | 4666 | 1630 | 66.20 |
| Overhead/Degradation | 29.04% | 7.38% | 0% |

Table 3. DPA attack results with set of 20,000 traces for unprotected and protected CPNG AES.

| Implementation | Unprotected AES | | | Protected CPNG AES | | |
| | Key 1 | Key 2 | Key 3 | Key 1 | Key 2 | Key 3 |
| Revealed SubBytes | 6 | 4 | 8 | 6 | 2 | 2 |
| MTD Key Mean | 16.63 | 17.68 | 17.38 | 17.75 | 18.88 | 19.38 |
| Revealed SubBytes Mean | 6 | | | 3.33 | | |
| MTD Mean | 17.13 | | | 18.66 | | |

MTDs are ×1000 the represented values.

Share and Cite

MDPI and ACS Style

Tena-Sánchez, E.; Potestad-Ordóñez, F.E.; Zúñiga-González, V.; Acosta, A.J. Low-Cost Full Correlated-Power-Noise Generator to Counteract Side-Channel Attacks. Appl. Sci. 2025, 15, 3064. https://doi.org/10.3390/app15063064