Principles on the Security of AES against First and Second-Order Differential Power Analysis

Differential Power Analysis (DPA) is a powerful and practical technique used to attack a cryptographic implementation in a resourcelimited application environment. Despite the extensive research on DPA of AES, it seems none has explicitly addressed the fundamental issue: How far should we protect the first and last parts of AES in order to resist practical DPA attacks, namely first and second-order DPA attacks? Software developers may think that it is sufficient to protect the first and last one (or one and a half) rounds of AES, leaving the inner rounds unprotected or protected by simple countermeasures. In this paper, we show that some intermediate values from the inner rounds can be exploited by deploying techniques such as fixing certain plaintext/ciphertext bytes. We give five general principles on DPA vulnerability of unprotected AES implementations, and give several general principles on DPA vulnerability of protected AES implementations. These principles specify which operations of AES are vulnerable to first and second-order DPA. To illustrate the principles, we attack the two AES implementations [1, 2] that use two kinds of countermeasures to achieve a high resistance against power analysis, and demonstrate that they are even vulnerable to DPA. Finally, we conclude that at least the first two and a half rounds and the last three rounds of AES should be secured for an AES software implementation to be resistant against first and second-order DPA in practice.