Scan Based Side Channel Attack on Advanced Encryption Standard

Scan based test is a double edged sword. On one hand, it is a powerful test technique. On the other hand, it is an equally powerful attack tool. In this paper we show that scan chains can be used as a side channel to recover secret keys from a hardware implementation of any cryptographic algorithm. Compared to the 2 plaintexts required to break the new Advanced Encryption Standard (AES), the proposed attack uses no more than 2 plaintexts, which is 2 times faster. We describe a two step attack on a hardware implementation of any cryptographic algorithm. Any changes in one byte in the input plaintext to the 128-bit AES will affect a corresponding word (four bytes) in the 128-bit round register R. Based on this observation, in attack step 1, we apply 6 plaintexts on average in the normal mode and then scan out the internal state in the test mode to determine the positions of flip flops of the word in the scan chain. In attack step 2, based on a systematic analysis of an AES round, we apply a chosen plaintext pair in the normal mode and scan out the corresponding output word pair to infer the pair of inputs to the non-linear S-box function. We discover one byte of the user key by comparing the input pair to the S-box with the chosen plaintext pair. The 128-bit user key is discovered by repeating these two steps 16 times.