LPC55S69 AES masking countermeasure against SCA

NewDwarf · ‎03-25-2026

Hello.

Whether I correctly understand that below approach should protect the reference AES-128 key against the side channel attack due to usage of the mask? I use a bit outdated API but it doesn't matter, I get the correct results.

 
    uint32_t coreClockHz = CLOCK_GetFreq(kCLOCK_CoreSysClk);

    status_t result = PUF_Init(PUF, PUF_DISCHARGE_TIME_MS, coreClockHz);
    if (result != kStatus_Success) return result;

    result = PUF_Start(PUF, ac_buffer, ac_size);
    if (result != kStatus_Success) {
        PUF_Deinit(PUF, PUF_DISCHARGE_TIME_MS, coreClockHz);
    }

    __attribute__((aligned(4)))
    uint8_t user_key[16] = {0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c};

    __attribute__((aligned(4)))
    uint8_t keyCode[52] = {0x00};
    result =  PUF_SetUserKey(PUF, kPUF_KeyIndex_00, user_key, sizeof(user_key), keyCode, sizeof(keyCode));
    if (result != kStatus_Success) {
        PUF_Deinit(PUF, PUF_DISCHARGE_TIME_MS, coreClockHz);
    }

    hashcrypt_handle_t hch;
    hch.keySize = kHASHCRYPT_Aes128;
    hch.keyType = kHASHCRYPT_SecretKey;

    result = PUF_GetHwKey(PUF, keyCode, 52, kPUF_KeySlot0, 0x01000001);
    if (result != kStatus_Success) {
        PUF_Deinit(PUF, PUF_DISCHARGE_TIME_MS, coreClockHz);
    }

    uint8_t pt[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
    uint8_t ct[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
    result = HASHCRYPT_AES_EncryptEcb(HASHCRYPT, &hch, pt, ct, 16);

At least key bytes at positions 0, 3, 4, 7... should be protected?

NewDwarf · ‎04-01-2026

@Harry_Zhang The problem is I am able to recover the key from the key code. Or is it expected behaviour, security level?

Harry_Zhang · ‎04-01-2026

Hi @NewDwarf

Yes, this is expected behavior.
The diagram shows that the PUF only protects key storage and then sends the reconstructed plaintext key directly to the AES engine.
The AES engine is not side‑channel protected, so its power/EM behavior can still leak the real key during encryption.

BR

Harry

NewDwarf · ‎03-26-2026

I am asking this question as I am able to recover the AES-128/AES-256 keys pushed from the PUF to the AES key register by the PUF_GetHwKey() API using the non-zero mask parameter. All key bytes are correctly recovered. Also I validated that plaintext/ciphertext is correct for the recovered AES key.

The question is whether I am doing something wrong with setting the mask or the mask doesn't properly work.

Harry_Zhang · ‎03-27-2026

Hi @NewDwarf

We can check the AN12324

LPC55Sxx Usage of the Physically Unclonable Function and Hash

• The PUF offers other features to prevent attacks. For example, by blocking functionalities (enroll, code output,
keylock) or by offering enhanced side-channel protection (by using a keymask)

This refers only to the internal cryptographic operations during key reconstruction.

The mask parameter in PUF_GetHwKey() does not protect individual AES key bytes from being observable once they are loaded into the HASHCRYPT AES key registers.

BR

Harry

NewDwarf · ‎03-31-2026

@Harry_Zhang Thanks!

The mask parameter in PUF_GetHwKey() does not protect individual AES key bytes from being observable once they are loaded into the HASHCRYPT AES key registers.

Let me clarify one more question. What is the purpose of the "keyMask" parameter of

status_t PUF_GetHwKey(PUF_Type *base, const uint8_t *keyCode, size_t keyCodeSize, puf_key_slot_t keySlot, uint32_t keyMask);

Harry_Zhang · ‎04-01-2026

Hi @NewDwarf

The keyMask parameter is used only inside the PUF hardware to add some randomness during the key‑reconstruction process.
Its purpose is to make the internal PUF operations slightly harder to analyze with side‑channel attacks.
It does NOT mask or modify the final AES key, and it does NOT protect the HASHCRYPT AES engine.
So the mask helps only during PUF key unwrapping, not during AES encryption.

You can view the definition of the PUF_GetHwKey function.

BR

Harry