Title :
A Performance and Area Efficient ASIP for Higher-Order DPA-Resistant AES
Author :
Yi Wang ; Yajun Ha
Author_Institution :
Dept. of Electr. & Comput. Eng., Nat. Univ. of Singapore, Singapore, Singapore
Abstract :
Masking is a common method used in embedded systems to prevent differential power analysis (DPA) attacks. However, first-order masking cannot prevent higher-order DPA attacks; to enhance security, higher-order masking should be implemented. Hardware-accelerator-based higher-order masking has higher performance but consumes a large area, while general purpose processor (GPP) based higher-order masking is area-efficient but unable to meet performance requirements. To handle this problem, we propose a novel higher-order DPA-resistant ASIP. We develop three performance- and area-efficient methods to extend the instruction set of a 32-bit LEON3 processor, with the goal of reducing execution cycles and code size. First, we reorder the execution sequence of SubBytes and ShiftRows. We partition the new critical path, the masked SubBytes followed by the masked MixColumns, and transform the computations from GF(2^8) to GF((2^4)^2), which efficiently reduces the area. We reuse our previous technique, which moves the map and inverse map functions outside the AES round. Second, we develop an algorithm to search for an optimal transformation matrix for the map function, in order to reduce the critical path of the masked MixColumns. Third, we reuse the first-order masked SubBytes for the higher-order masked SubBytes to optimize area without compromising performance. The experimental results show that our third-order masking design reduces execution cycles by around 8/9 compared with the GPP-based reference design and reduces area by 70.5% compared with the hardware-accelerator-based reference design. We have realized a highly secure ASIP with third-order masking that dramatically reduces execution cycles from 197-470 K to only 3.3 K compared with state-of-the-art software implementations.
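Added example (not code from the paper or its authors): a stand-alone C program showing the GF(2^8) to GF((2^4)^2) transformation the abstract refers to. It assumes GF(2^4) modulo x^4+x+1 and the composite-field polynomial y^2+y+λ with λ = 0xC (both assumed parameter choices, checked for irreducibility in code); it enumerates every root of the AES polynomial in GF((2^4)^2), since each root yields one candidate transformation matrix for the map function, verifies that each candidate is a field isomorphism with a working inverse map, and checks that inversion carried out in GF((2^4)^2) followed by the inverse map reproduces the AES S-box. The paper's ranking criterion for choosing among candidates (the masked MixColumns critical path) and its masking scheme are not reproduced; all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
/* Shift-and-add multiply in GF(2^bits) modulo 'mod'; x is reduced as soon as it overflows 'bits' bits. */
static uint8_t gf_mul(uint8_t a, uint8_t b, int bits, uint16_t mod) {
    uint16_t r = 0, x = a;
    for (; b; b >>= 1) {
        if (b & 1) r ^= x;
        x <<= 1;
        if (x & (1u << bits)) x ^= mod;
    }
    return (uint8_t)r;
}
static uint8_t gf_inv(uint8_t a, int bits, uint16_t mod) {          /* a^(2^bits-2); gf_inv(0) = 0 as in AES */
    uint8_t r = a; for (int i = 0; i < (1 << bits) - 3; i++) r = gf_mul(r, a, bits, mod); return r;
}
#define gf16_mul(a, b)  gf_mul((a), (b), 4, 0x13)    /* GF(2^4) mod x^4+x+1 (assumed choice) */
#define gf256_mul(a, b) gf_mul((a), (b), 8, 0x11B)   /* GF(2^8) mod the AES polynomial x^8+x^4+x^3+x+1 */
/* Composite field GF((2^4)^2) = GF(2^4)[y]/(y^2+y+LAMBDA); a byte holds (a1<<4)|a0 for a1*y + a0.
 * LAMBDA = 0xC is an assumed parameter choice, not taken from the paper; cf_lambda_ok() checks it. */
#define LAMBDA 0x0C
int cf_lambda_ok(void) {               /* irreducible iff no z in GF(2^4) satisfies z^2 + z = LAMBDA */
    for (uint8_t z = 0; z < 16; z++) if ((gf16_mul(z, z) ^ z) == LAMBDA) return 0;
    return 1;
}
static uint8_t cf_mul(uint8_t a, uint8_t b) {
    uint8_t a1 = a >> 4, a0 = a & 0xF, b1 = b >> 4, b0 = b & 0xF, hh = gf16_mul(a1, b1);
    uint8_t hi = hh ^ gf16_mul(a1, b0) ^ gf16_mul(a0, b1);   /* uses y^2 = y + LAMBDA */
    uint8_t lo = gf16_mul(LAMBDA, hh) ^ gf16_mul(a0, b0);
    return (uint8_t)((hi << 4) | lo);
}
static uint8_t cf_pow(uint8_t a, int e) { uint8_t r = 1; while (e-- > 0) r = cf_mul(r, a); return r; }
/* Composite-field inversion needs only GF(2^4) arithmetic plus one GF(2^4) inverse: for a = a1*y + a0,
 * d = LAMBDA*a1^2 + a1*a0 + a0^2 lies in GF(2^4) and a^-1 = (a1/d)*y + (a1+a0)/d. */
uint8_t cf_inv(uint8_t a) {
    uint8_t a1 = a >> 4, a0 = a & 0xF;
    uint8_t d  = gf16_mul(LAMBDA, gf16_mul(a1, a1)) ^ gf16_mul(a1, a0) ^ gf16_mul(a0, a0);
    uint8_t di = gf_inv(d, 4, 0x13);
    return (uint8_t)((gf16_mul(a1, di) << 4) | gf16_mul((uint8_t)(a1 ^ a0), di));
}
/* The "map" GF(2^8) -> GF((2^4)^2) is an 8x8 GF(2) matrix whose column i is beta^i for a root beta of
 * the AES polynomial inside the composite field; each of the 8 roots gives a different candidate matrix. */
typedef struct { uint8_t col[8], inv_col[8]; } fieldmap_t;
static fieldmap_t g_maps[8];
static int g_nmaps = -1;
static uint8_t apply_cols(const uint8_t *col, uint8_t a) {          /* multiply bit-vector a by the matrix */
    uint8_t r = 0; for (int i = 0; i < 8; i++) if ((a >> i) & 1) r ^= col[i]; return r;
}
/* Enumerate every root of x^8+x^4+x^3+x+1 in GF((2^4)^2) and build its map / inverse-map matrices. */
int num_field_maps(void) {
    if (g_nmaps >= 0) return g_nmaps;
    g_nmaps = 0;
    for (int beta = 1; beta < 256 && g_nmaps < 8; beta++) {
        uint8_t bt = (uint8_t)beta;
        if ((cf_pow(bt, 8) ^ cf_pow(bt, 4) ^ cf_pow(bt, 3) ^ bt ^ 1) != 0) continue;
        fieldmap_t *m = &g_maps[g_nmaps++];
        for (int i = 0; i < 8; i++) m->col[i] = cf_pow(bt, i);
        for (int i = 0; i < 8; i++)                   /* inverse map: preimage of each unit vector */
            for (int a = 0; a < 256; a++)
                if (apply_cols(m->col, (uint8_t)a) == (1u << i)) { m->inv_col[i] = (uint8_t)a; break; }
    }
    return g_nmaps;
}
/* Exhaustive check that map k respects GF multiplication and that the inverse map undoes it. */
int map_is_isomorphism(int k) {
    if (k < 0 || k >= num_field_maps()) return 0;
    const fieldmap_t *m = &g_maps[k];
    for (int a = 0; a < 256; a++) {
        uint8_t ma = apply_cols(m->col, (uint8_t)a);
        if (apply_cols(m->inv_col, ma) != a) return 0;
        for (int b = 0; b < 256; b++)
            if (apply_cols(m->col, gf256_mul((uint8_t)a, (uint8_t)b)) != cf_mul(ma, apply_cols(m->col, (uint8_t)b)))
                return 0;
    }
    return 1;
}
/* AES affine transform, then the S-box as map -> composite-field inverse -> inverse map -> affine. */
static uint8_t aes_affine(uint8_t x) {
    uint8_t s = x ^ 0x63; for (int i = 1; i <= 4; i++) s ^= (uint8_t)((x << i) | (x >> (8 - i))); return s;
}
uint8_t sbox_via_map(int k, uint8_t a) {
    if (k < 0 || k >= num_field_maps()) return 0;
    return aes_affine(apply_cols(g_maps[k].inv_col, cf_inv(apply_cols(g_maps[k].col, a))));
}
/* 1 if map k reproduces all 256 S-box entries computed directly by GF(2^8) inversion. */
int sbox_matches_reference(int k) {
    for (int a = 0; a < 256; a++)
        if (aes_affine(gf_inv((uint8_t)a, 8, 0x11B)) != sbox_via_map(k, (uint8_t)a)) return 0;
    return 1;
}
int main(void) {
    printf("y^2+y+0x%X irreducible: %d; %d candidate maps found\n", LAMBDA, cf_lambda_ok(), num_field_maps());
    for (int k = 0; k < num_field_maps(); k++)
        printf("map %d: beta=0x%02X iso=%d sbox_ok=%d\n", k, g_maps[k].col[1], map_is_isomorphism(k), sbox_matches_reference(k));
    printf("S-box[0x53] via map 0 = 0x%02X (expect 0xED)\n", sbox_via_map(0, 0x53));
    return 0;
}
```

All eight candidates are valid isomorphisms, which is why a search is needed at all: they differ only in the weight and structure of the map and inverse-map matrices, and hence in the logic depth of whatever linear layer (the masked MixColumns in the paper) sits next to them. Because the map is GF(2)-linear, a Boolean mask and the masked value can be converted with the same matrix, so the composite-field inversion above is the part a masked S-box has to protect.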
Keywords :
Galois fields; cryptography; embedded systems; instruction sets; microprocessor chips; GF((2^4)^2); GF(2^8); GPP; LEON3 processor; MixColumns; ShiftRows; SubBytes; advanced encryption standard; application specific instruction processor; area efficient ASIP; differential power analysis; embedded systems; first-order masking; general purpose processor; hardware accelerator; higher-order DPA attacks; higher-order DPA-resistant AES; higher-order masking; instruction set; map function; optimal transformation matrix; reference design; security; transform computations; word length 32 bit; Assembly; Computer architecture; Encryption; Hardware; Software; Advanced encryption standard (AES); LEON3 processor; application specific instruction processor (ASIP); masking;
Journal_Title :
IEEE Journal on Emerging and Selected Topics in Circuits and Systems
DOI :
10.1109/JETCAS.2014.2315877