Side-channel analysis of a high-throughput AES peripheral with countermeasures

We analyze the side-channel countermeasures implemented in a high-throughput AES peripheral of a commercially available microcontroller which is not dedicated to high security applications. We detect and classify the employed countermeasures and examine their effectiveness against first-order DPA attacks. We practically demonstrate, that all of the implemented countermeasures, which are common time-based hiding countermeasures, can easily be nullified with simple preprocessing methods. This is caused by the inherent properties of high-throughput designs (low number of cycles), which offers few choices for such countermeasures. Hence, we found that the effectively achieved side-channel protection is significantly lower than the theoretically expected one due to the way countermeasures are implemented and present ways to improve the effectiveness. We also reveal a design flaw in the implementation which allows timing-based attacks on the device.