Raghavan Kumar, Vikram B. Suresh, M. Anders, S. Hsu, A. Agarwal, V. De, S. Mathew
An 8.3-to-18Gbps Reconfigurable SCA-Resistant/Dual-Core/Blind-Bulk AES Engine in Intel 4 CMOS
2022 IEEE International Solid-State Circuits Conference (ISSCC), pp. 1-3, published 2022-02-20
DOI: https://doi.org/10.1109/ISSCC42614.2022.9731739
Citations: 4
Abstract
Power and electromagnetic (EM) side-channel attacks (SCA) exploit data-dependent power consumption from cryptographic engines to extract embedded secret keys. While series-connected voltage regulators [1], [2] and arithmetic countermeasures like heterogeneous Galois-field arithmetic [3] provide acceptable levels of side-channel leakage suppression, they cannot defend against determined adversaries. Random additive masking [4], on the other hand, provides a provably-secure solution [5] that disrupts first-order correlations between measured power/EM signatures and secret keys, while incurring $2\times$ overhead in area and power consumption. In this paper, we demonstrate a reconfigurable AES accelerator fabricated in Intel 4 CMOS process with minimum-time-to-disclosure (MTD) $> 1\text{B}$ power/EM traces in on-demand SCA-resistant mode, while providing a $2.2\times$ boost in encryption performance during a dual-core mode of operation (Fig. 34.4.1). When coupled with side-channel attack detection techniques [6], [7], this approach allows the user to operate at $> 2\times$ AES throughput during the safe mode of operation in trusted environments, with the ability to quickly trade off throughput for a higher level of SCA-resistance when the onset of an attack is detected. In the blind-bulk mode of operation, the accelerator randomly switches at a user-specified rate between SCA-resistant and dual-core modes while encrypting bulk data, providing a $1.14$-to-$1.6\times$ boost in encryption throughput with measured MTD $> 50\mathrm{M}$ traces.