SCA resistant AES implementation


First of all, I love the CW-lite! Awesome framework/tool that makes SCA accessible to the rest of us.

After looking at the attack a bit it appears to me (the crypto-naive) that SCA-resistant AES should be possible by cancelling out any Hamming weight changes. For instance, to prevent the attack on subBytes:

  1. Align sbox table on 256 byte boundary.
  2. Interleave sbox with sbox’ where: sbox’[ i ] = sbox[ i ] ^ (address(sbox[ i ]) & 0xff) ^ 0xff
  3. In the sub bytes step fetch 16bit entries instead of 8 bit entries.

I understand there may be other places the key leaks and I intend to test this myself when I have cycles, but I just wanted to run it by the community to see if I’m missing something… I think an SCA-resistant AES library along with an SRAM-based PUF for commodity Cortex-M hardware could be a compelling solution.
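Before spending hardware cycles on the idea, the table encoding can be checked on paper under the leakage model the post names. The script below is an added example, not code from the original post or from the ChipWhisperer project. It generates the AES S-box from its definition (GF(2^8) inverse plus affine transform), builds the 16-bit entry that the proposed 16-bit fetch would load under a given encoding, and reports the minimum and maximum Hamming weight of that word over all 256 inputs. A constant weight means the fetched word itself carries no Hamming-weight leakage about the S-box output. The one assumption, labelled in the code, is that with a byte table aligned on a 256-byte boundary `address(sbox[i]) & 0xff` equals the index `i`, so the address term in the post's formula is modelled as `i`. The function names (`post_encoding`, `complement_encoding`, `hw_profile`) are mine.

```python
"""Hamming-weight check for 16-bit table encodings of the AES S-box.

Added example (not from the original post). Models the leakage of the
fetched 16-bit word as its Hamming weight and reports whether that weight
is constant across all 256 S-box inputs for a chosen encoding.

Assumption: for a 256-byte-aligned byte table, address(sbox[i]) & 0xff == i,
so the address term of the post's formula is modelled as the index i.
"""


def gf_mul(a, b):
    """Multiply in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r


def gf_inv(a):
    """Multiplicative inverse in GF(2^8); AES defines inv(0) = 0."""
    if a == 0:
        return 0
    # a^254 == a^-1 because the multiplicative group has order 255.
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def aes_sbox():
    """Build the AES S-box: field inverse followed by the affine transform."""
    box = []
    for x in range(256):
        inv = gf_inv(x)
        # Affine map: inv XOR its four left rotations, then XOR 0x63.
        s = inv
        for k in range(1, 5):
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        box.append(s ^ 0x63)
    return box


SBOX = aes_sbox()


def hw(x):
    """Hamming weight (number of set bits)."""
    return bin(x).count("1")


def post_encoding(i, s):
    """16-bit entry from the post: sbox[i] in the high byte,
    sbox[i] ^ (address & 0xff) ^ 0xff in the low byte.
    The address low byte is modelled as the index i (assumption)."""
    companion = s ^ (i & 0xFF) ^ 0xFF
    return (s << 8) | companion


def complement_encoding(i, s):
    """Reference encoding: sbox[i] paired with its bitwise complement,
    so every 16-bit entry has exactly eight bits set."""
    return (s << 8) | (s ^ 0xFF)


def hw_profile(encode):
    """Return (min, max) Hamming weight of the fetched word over all inputs."""
    weights = [hw(encode(i, SBOX[i])) for i in range(256)]
    return min(weights), max(weights)


def is_constant_weight(encode):
    """True when the fetched word's Hamming weight does not depend on the input."""
    lo, hi = hw_profile(encode)
    return lo == hi


if __name__ == "__main__":
    for name, enc in (("post formula", post_encoding),
                      ("complement pair", complement_encoding)):
        lo, hi = hw_profile(enc)
        verdict = "constant" if lo == hi else "varies"
        print(f"{name}: HW range {lo}..{hi} ({verdict})")
```

Under the stated assumption the checker reports that the post's formula does not keep the weight of the fetched word constant (for example input 0 gives weight 8 and input 1 gives weight 7, because the address term XORs a second input-dependent value into the companion byte), while the plain complement pair holds it at exactly 8 for every input. Whether a constant-weight word actually removes the leakage on a given Cortex-M core still depends on how the bus and registers leak (Hamming distance from the previous value is the other common model), which is exactly the kind of thing a trace capture with the CW-lite will show and this script will not.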