How Far Can We Reach? Breaking RSM-Masked AES-128 Implementation Using Only One Trace

Rotating Sbox Masking (RSM) scheme is a lightweight and highly efficient first-order masking scheme proposed to protect cryptographic implementations like AES from side channel attacks. It is a Low Entropy Masking Scheme (LEMS) and has attracted special attention from academia and industry with its low overhead and high performance. The two public targets of DPA Contest v4 are both RSM-masked AES implementations, specifically, AES-256 (namely RSM-AES-256) for v4.1 and AES-128 (namely RSM-AES-128) for v4.2 respectively. The security of RSM-AES-256 was intensively studied by researchers worldwide under the framework of DPA Contest and several flaws were identified. Its improved version is RSM-AES-128, in which several pitfalls of RSM-AES-256 were fixed. However, the practical security of RSM-AES-128 is still not thoroughly studied. In this paper, we focus on analyzing the practical security of RSM-AES-128 from a profiling attack point of view. Specifically, we firstly present a Multivariate Template Attack (MTA) to maximize the success rates of key recovery. Next, we propose a new Depth-First Key Enumeration Algorithm (DFKEA) that could be applied to find the correct key efficiently after a side channel attack. By combining the DFKEA to our MTA, we propose a novel multivariate profiling attack scheme which could recover the secret key of RSM-AES-128 with over 95% possibility only using one trace. It is the best attack among all attacks submitted to DPA Contest Official up to now. After thoroughly analyzed our attack scheme and RSM-AES-128, we finally present two proposals to improve the practical security of this implementation at an acceptable overhead and performance loss.