Abstract

Nowadays, firmware in low-cost microcontrollers (MCUs) must implement cryptographic primitives in order to support practical applications. Effective protection of such implementations against side-channel attacks, especially the differential power analysis (DPA) attack, is still an active topic in embedded device security. Low-cost MCUs lack many features, e.g. the true random number generators typically used in modern DPA countermeasures. On the other hand, even low-cost MCUs currently contain several dozen kilobytes (kB) of program Flash memory that is not always completely used by the target firmware. In this paper we propose a new countermeasure against the DPA attack. We use randomly assigned general constant-weight codes (m-of-n codes) for every intermediate value in a secure embedded device. In ideal hardware, the equal Hamming weight of the data ensures balanced power consumption for any values in the device and thus complicates the DPA attack. We demonstrate this method on a table-based AES cipher and we propose several implementation enhancements to reduce the size of the tables to 24 kB/12 kB, which is more suitable for practical MCU implementations. We evaluate the performance of the proposed method in terms of speed and memory usage, and we test possible side-channel leakages on a system implemented on an ARM Cortex-M3 MCU.
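The idea of randomly assigned m-of-n codes combined with table lookups can be illustrated with the following added example, which is not code from the paper. It assumes a 3-of-6 code for 4-bit values and a single XOR table; the paper's actual code parameters and table layout are not given in this abstract, and all function names are hypothetical.

```python
import random
from itertools import combinations

def constant_weight_codewords(m, n):
    """Return every n-bit word with exactly m bits set (an m-of-n code)."""
    return [sum(1 << bit for bit in ones) for ones in combinations(range(n), m)]

def random_encoding(num_values, m, n, rng):
    """Assign a distinct, randomly chosen m-of-n codeword to each value."""
    words = constant_weight_codewords(m, n)
    if len(words) < num_values:
        raise ValueError(f"{m}-of-{n} has only {len(words)} codewords")
    return rng.sample(words, num_values)  # enc[value] -> codeword

def encoded_table(op, enc_a, enc_b, enc_out, n):
    """Lookup table for op(a, b) that works on codewords only.

    The index is the two input codewords concatenated; the entry is the
    codeword of the result, so no plain value appears during the lookup.
    """
    return {(ca << n) | cb: enc_out[op(a, b)]
            for a, ca in enumerate(enc_a)
            for b, cb in enumerate(enc_b)}

def weights(words):
    """Set of Hamming weights occurring in an iterable of integers."""
    return {bin(w).count("1") for w in words}

def demo(rng=None):
    rng = rng or random.SystemRandom()
    m, n = 3, 6  # assumed parameters: C(6,3) = 20 codewords >= 16 nibble values
    enc_a, enc_b, enc_out = (random_encoding(16, m, n, rng) for _ in range(3))
    table = encoded_table(lambda a, b: a ^ b, enc_a, enc_b, enc_out, n)
    dec_out = {code: value for value, code in enumerate(enc_out)}
    # Every encoded lookup must decode to the plain XOR result.
    correct = all(dec_out[table[(enc_a[a] << n) | enc_b[b]]] == a ^ b
                  for a in range(16) for b in range(16))
    # Plain XOR results have data-dependent weight; encoded ones do not.
    plain = weights(a ^ b for a in range(16) for b in range(16))
    return correct, plain, weights(table.values()), weights(table.keys())

if __name__ == "__main__":
    print(demo())
```

Each input and the output uses its own random assignment here, which is why the decode step needs the output encoding specifically.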
