AES Masked Version


Am I correct in assuming TINYAES128C is an unmasked implementation of the algorithm, and is there a simple way I could go about making it masked instead?


Sorry, completely forgot to reply to this post as well. See for a masked AES implementation for ARM.

Thank you Alex. To be honest though, I’m not entirely sure how to integrate it with the ChipWhisperer through serial communication. Are there a lot of things I would have to change in order to use the built-in functions like cw.capture?

I think I’ve got this working: simpleserial-aes (379.3 KB)

You may want to check and make sure the results are valid. You might also want to replace my hacky randomness function with your own randomness.


Thank you Alex! It does seem to be working for me, but I’m wondering if you could give me an explanation of the important changes you made and how your code works with the masks. I ran collected traces through the same neural network I used on unmasked AES, and though it seems to have a bit more difficulty determining the key bytes (and the traces clearly look different than before), the difference in number of traces required to correctly determine the key bytes is honestly not that extreme, which makes me wonder if the masking is actually working. Maybe my MLP is just better than I expected, but I’m a little hesitant to believe that haha. How would you recommend I go about confirming that the Sbox outputs really are getting masked? I really appreciate your help with this!

Haha, I mostly just stuffed the AES files in the simpleserial-aes directory, added them to the makefile, and guessed at the necessary setup/calls for aes(). The fact that it worked so easily is definitely suspect. I think the random key/aes values are the mask values, so you may want to modify the code to load custom ones in. aes.h and aes.c are probably the clearest documentation you’ll get.


Okay will do - thanks 🙂

Thanks, that’s really helpful!
Is there any way to read back the vector of masks used?
capture_trace only reads back the trace, but maybe some other function could be available?
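
On the question raised in this thread of how to confirm that the S-box outputs are really masked, here is an added example (not code from any poster or from ChipWhisperer) of a known-key first-order check: correlate the leakage with HW(Sbox[pt ^ key]), and, if the masks can be read back, with HW(Sbox[pt ^ key] ^ mask). It runs on simulated leakage under an assumed Hamming-weight model; the function names, key byte, noise level and seed are all constructed for illustration.

```python
import random

def gmul(a, b):  # multiply in GF(2^8) modulo the AES polynomial 0x11B
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a = ((a << 1) ^ 0x11B) if a & 0x80 else (a << 1)
        b >>= 1
    return p

def make_sbox():  # AES S-box: field inverse followed by the affine map
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        s = inv ^ 0x63
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        box.append(s)
    return box

SBOX = make_sbox()
hw = lambda v: bin(v).count("1")  # Hamming-weight leakage model (assumption)

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx, vy = sum((x - mx) ** 2 for x in xs), sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5

def simulate(n, key, mask_fn, rng, noise=1.0):
    """Constructed data: one leakage sample per encryption, HW(value) + noise."""
    pts = [rng.randrange(256) for _ in range(n)]
    masks = [mask_fn() for _ in range(n)]
    leaks = [hw(SBOX[p ^ key] ^ m) + rng.gauss(0, noise) for p, m in zip(pts, masks)]
    return pts, masks, leaks

def sbox_corr(pts, leaks, key, masks=None):
    """Correlate leakage with HW(Sbox[pt^key]), XORed with known masks if given."""
    masks = masks or [0] * len(pts)
    return pearson([hw(SBOX[p ^ key] ^ m) for p, m in zip(pts, masks)], leaks)

def run_check(n=5000, key=0x2B, seed=1):
    rng, out = random.Random(seed), {}
    for name, fn in (("unmasked", lambda: 0), ("fresh_mask", lambda: rng.randrange(256)),
                     ("stuck_mask", lambda: 0x01)):  # stuck_mask models a broken RNG
        pts, masks, leaks = simulate(n, key, fn, rng)
        out[name] = (sbox_corr(pts, leaks, key), sbox_corr(pts, leaks, key, masks))
    return out
```

`run_check()` returns, per case, the correlation without and with knowledge of the masks: working first-order masking shows a near-zero first value and a high second value, while a stuck mask still correlates without the masks. A near-zero first-order result says nothing about higher-order leakage.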