Combination of Side-Channel and Collision Attacks to Reveal the Secrets of Gate Masked Implementations

new class of collision attacks which uses side channel analysis has been introduced by Schramm et al. in 2004. They targeted an 8051 based microcontroller running AES in software. They deduced that a pair of plaintexts which lead to the same partial intermediate values is distinguished by examining the similarity of their power consumption traces. This contribution combines collision attacks and simple power analysis to detect a plaintext whose intermediate result includes some identical partial values. In this article, our target is ASIC and FPGA implementations of cryptographic algorithms because the designers of such devices have to share the resources due to the area constrain. In fact, our proposed attack is based on the concept that the power consumption of a CMOS device has a significant minimum if two consecutive values which are loaded in a register are the same. First, we show that key dependent collisions could occur in most registers of cryptographic hardwares. It is shown that how these collisions can be detected by investigating the power consumption traces. The proposed attack decreases the number of candidates for the secret key. For instance, 2128 candidates in a particular implementation of AES-128 encryption are decreased to 28. Furthermore, it is shown how this attack works in the presence of the gate masking, and how the masking at the gate level affects the size of the key candidate space. Finally, a trade off between the success rate of this attack and the number of mask bits is illustrated. Although the proposed attack is generally not restricted to a particular cryptographic algorithm, AES-128 encryption algorithm is considered for the examples shown.