AES Masked Version

JSE · September 27, 2020, 12:27am

Hello,

Am I correct in assuming TINYAES128C is an unmasked implementation of the algorithm, and is there a simple way I could go about making it masked instead?

Thanks,
Jack

Alex_Dewar · September 30, 2020, 6:06pm

Sorry, completely forgot to reply to this post as well. See https://github.com/ANSSI-FR/SecAESSTM32/tree/3b9ed68a4576255636634ec539079476cd5bbc92 for a masked AES implementation for arm.

JSE · September 30, 2020, 11:06pm

Thank you Alex. To be honest though, I’m not entirely sure how to integrate it with the ChipWhisperer through serial communication. Are there a lot of things I would have to change in order to use the built in functions like cw.capture?

Alex_Dewar · October 1, 2020, 1:44pm

I think I’ve got this working simpleserial-aes - Copy.zip (379.3 KB)

You may want to check and make sure the results are valid. You might also want to replace my hacky randomness function with your own randomness.

@biyuanqiao

JSE · October 2, 2020, 5:05pm

Thank you Alex! It does seem to be working for me, but I’m wondering if you could give me an explanation of the important changes you made and how your code works with the masks. I ran collected traces through the same neural network I used on unmasked AES, and though it seems to have a bit more difficulty determining the key bytes (and the traces clearly look different than before), the difference in number of traces required to correctly determine the key bytes is honestly not that extreme, which makes me wonder if the masking is actually working. Maybe my MLP is just better than I expected, but I’m a little hesitant to believe that haha. How would you recommend I go about confirming that the Sbox outputs really are getting masked? I really appreciate your help with this!

Alex_Dewar · October 2, 2020, 7:14pm

Haha, I mostly just stuffed the AES files in the simpleserial-aes directory, added them to the makefile, and guessed at the necessary setup/calls for aes(). The fact that it worked so easily is definitely suspect. I think the random key/aes values are the mask values, so you may want to modify the code to load custom ones in. aes.h and aes.c is probably the clearest documentation you’ll get.

Alex

JSE · October 2, 2020, 7:53pm

Okay will do - thanks

carl · October 20, 2020, 10:54pm

Thanks, that’s really helpful!
Is there any way to read back the vector of masks used?
capture_trace only reads back the trace, but maybe some other function could be available?