Analyzing the DPA Leakage of the Masked S-box via Digital Simulation and Reducing the Leakage by Inserting Delay Cells

Differential power analysis (DPA) attack is an important threat that researchers spend great effort to make crypto algorithms resistant against DPA attacks. A masked AES hardware has been implemented under the project of National ID Card Design, and a prototype of the chip has been manufactured in HHNEC´s 0.25 um eFlash process. Whole round analysis (WRA) of the hardware has shown that masked S-boxes of AES have zero-value (ZV) input DPA leakage. In order to determine whether the hardware has DPA leakage before manufacturing, an accurate power model in digital simulation with back-annotated netlist has been generated. In this paper, we show that DPA leakage can be reduced by inserting delay cells just before nets where the leakage is significantly high. Moreover, improvements achieved by inserting delay cells have been demonstrated with the help of generated power model by using the back-annotated netlist of the whole AES hardware, and this method gives more realistic results to determine the effectiveness of the improvements rather than in which only back-annotated netlist of the S-boxes has been used.