AES T-Box tampering attack

Abstract

The use of embedded block memories (BRAMs) in Xilinx FPGA devices makes it possible to store the T-Boxes that are employed to implement the AES block cipher’s SubBytes and MixColumns operations. Several studies into BRAM resistance to side-channel attacks have been reported in the literature, whereas this paper presents a novel attack based on tampering the BRAMs storing the T-Boxes. This approach allows recovering the key using a ciphertext-only attack for all AES key sizes. The complexity of the attack makes it completely feasible. The attack was mounted against previously reported FPGA-based AES implementations, taking into account the different design criteria used in each case and focusing mainly on the implementation of the final round of the AES algorithm, which plays a crucial role in the analysis. Three different final round implementations extracted from well-known existing architectures are analyzed in this work. The paper also discusses some countermeasures with regard to security, performance and FPGA resource utilization. The attack is presented against FPGA-based implementations but it can be extended to software architectures as well.

Appendix: Masking analysis for the first multiplication elimination block

The main objective of this annex is to show which indices \(z\) (belonging to the last round key) can be masked in such a way that Algorithm 2 is unable to recover them when the first MEB is used. A proof is also presented to show that the relation between all possible indices \(z\) and \(x\) in a coordinate \((x,y)\rightarrow z\) that causes masking is unique. These results are useful for recovering missing bytes using the post-processing step described in Sect. 4.3.

Considering that for a coordinate \((x,y)\rightarrow z\) a masking occurs during the penultimate round of the AES algorithm. If the position of the distinguisher byte during the last round \((y^{LR})\) that allows the masked index \(z\) to be extracted is equal to the index used by the first MEB to extract the SubBytes transformation, then the masked index \(z\) cannot be recovered using Algorithm 2. Expressions for obtaining the coordinates for that a masking may occur for the first MEB are presented as follows.

If \(T(x)\) is a function that relates an index \(x\) of the state of any round with the T-Box accessed by that index during an AES round, it can be defined as: \(T(x)=x\, \hbox {mod}\, 4\). Using this function, the indices of the bytes extracted for \(MEB_{1,1}\) and \(MEB_{1,2}\) for a given index \(z\) can be obtained using Eqs. (12) and (13), respectively:

$$\begin{aligned} MEB_{1,1}(z)= & {} T(z)+2\, \hbox {mod}\, 4 \end{aligned}$$

(12)

$$\begin{aligned} MEB_{1,2}(z)= & {} T(z)+1\, \hbox {mod}\, 4 \end{aligned}$$

(13)

Table 5 Coordinates that can generate maskings

An expression that allows \(y^{LR}\) to be calculated for a given coordinate \((x,y)\rightarrow z\) is obtained as follows. The position of the distinguisher byte during the penultimate round that generates the masking of index \(z\) is \(y\), according to the coordinate definition. Given such coordinate, the table accessed for the index \(z\) during the last round is therefore equal to \(T(z)=z\, \hbox {mod}\, 4\), and the position of the distinguisher byte in \(T(z)\) is defined as \(y^{LR}\). Following the T-Boxes’ relations specified in Eq. (1), each T-Box can be obtained by cyclically rotating the previous one to the left. Taking this relation into account, \(y^{LR}\) can be obtained with Eq. (14), where the term \(4-T(x)+T(z)\) represents the difference between tables \(T(x)\) and \(T(z)\) in number of bytewise rotations to the left.

$$\begin{aligned} y^{LR}(x,y,z)=(4-T(x)+T(z)+y)\, \hbox {mod}\, 4 \end{aligned}$$

(14)

The solutions of Eqs. (15) and (16) for \(MEB_{1,1}\) and \(MEB_{1,2}\), respectively, are the coordinates for which maskings can occur for these MEBs.

$$\begin{aligned} y^{LR}(x,y,z)= & {} MEB_{1,1}(z) \end{aligned}$$

(15)

$$\begin{aligned} y^{LR}(x,y,z)= & {} MEB_{1,2}(z) \end{aligned}$$

(16)

Table 5 shows one quarter of all possible coordinates and indicates which of them are solutions of Eqs. (15) and (16), marked in this table (at column \(z\)) with italic and bold italic, respectively. From these solutions, the unique relation between indices \(x\) and \(z\) of a coordinate \((x,y)\rightarrow z\) that may generate a masking for the first MEB can be generalized due to the modular expression used to calculate them. This relation allows any masked byte belonging to \(K_{Nr-1}\) except \(z=15\) and \(z=14\) to be recovered when using \(MEB_{1,1}\) and \(MEB_{1,2}\), respectively. The quarter shown in Table 5 was selected because its coordinates allow the first word of \(K_{Nr-2}\) \((W[48])\) to be related with the fourth word of \(K_{Nr-1}\) \((W[55])\), which is used in Eq. (9) to recover the missing bytes that cannot be recovered directly from Eq. (8).