A Tale of Two Shares: Why Two-Share Threshold Implementation Seems Worthwhile—and Why It Is Not

Chen, Cong; Farmani, Mohammad; Eisenbarth, Thomas

doi:10.1007/978-3-662-53887-6_30

Cited by 16 publications

(12 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…their inputs). As in the previous subsection, this can be explained by observing that each stage of the decomposition is pseudo−1−SNI, and that the pseudo-randomized monomials are only used once in the circuit, which provides a probing-based explanation to the recent results in [CFE16].…”

Section: The Number Of Shares Vs Cycle Count Tradeoffmentioning

confidence: 99%

“…For this purpose, we observe that the correctness property of threshold implementations is in fact not needed for their intermediate results (i.e., we only want the final result to be correct). It allows us to exhibit examples of 4-bit S-boxes that globally match the definition of first-order threshold implementations in two shares and two cycles (a similar example is given in [CFE16] for the Simon S-box). We then exploit this observation in order to (slightly) refine the exhaustive decomposition in [BNN + 12, RBN + 15b] for certain S-boxes.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Composable Masking Schemes in the Presence of Physical Defaults & the Robust Probing Model

Faust

Grosso

Pozo

et al. 2018

TCHES

View full text Add to dashboard Cite

Composability and robustness against physical defaults (e.g., glitches) are two highly desirable properties for secure implementations of masking schemes. While tools exist to guarantee them separately, no current formalism enables their joint investigation. In this paper, we solve this issue by introducing a new model, the robust probing model, that is naturally suited to capture the combination of these properties. We first motivate this formalism by analyzing the excellent robustness and low randomness requirements of first-order threshold implementations, and highlighting the difficulty to extend them to higher orders. Next, and most importantly, we use our theory to design and prove the first higher-order secure, robust and composable multiplication gadgets. While admittedly inspired by existing approaches to masking (e.g., Ishai-Sahai-Wagner-like, threshold, domain-oriented), these gadgets exhibit subtle implementation differences with these state-of-the-art solutions (none of which being provably composable and robust). Hence, our results illustrate how sound theoretical models can guide practically-relevant implementations.

show abstract

Section: The Number Of Shares Vs Cycle Count Tradeoffmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Composable Masking Schemes in the Presence of Physical Defaults & the Robust Probing Model

Faust

Grosso

Pozo

et al. 2018

TCHES

View full text Add to dashboard Cite

show abstract

“…10 000 traces. This is due to two facts: (a) masking with minimum number of two shares has in general a strong vulnerability to second- order attacks [18], (b) higher-order attacks are sensitive to the noise level [48] and our design (due to its extremely low resource utilization) has a very low switching noise particularly when the masked S-box is evaluated the entire circuit stops till the termina-tion of the S-box. Hence, the S-box is the sole source of leakage at that time.…”

Section: Discussionmentioning

confidence: 99%

Spin Me Right Round Rotational Symmetry for FPGA-Specific AES: Extended Version

2020

View full text Add to dashboard Cite

The effort in reducing the area of AES implementations has largely been focused on application-specific integrated circuits (ASICs) in which a tower field construction leads to a small design of the AES S-box. In contrast, a naive implementation of the AES S-box has been the status-quo on field-programmable gate arrays (FPGAs). A similar discrepancy holds for masking schemes-a well-known side-channel analysis countermeasure-which are commonly optimized to achieve minimal area in ASICs. In this paper, we demonstrate a representation of the AES S-box exploiting rotational symmetry which leads to a 50% reduction in the area footprint on FPGA devices. We present new AES implementations which improve on the state-of-the-art and explore various trade-offs between area and latency. For instance, at the cost of increasing 4.5 times the latency, one of our design variants requires 25% less look-up tables (LUTs) than the smallest known AES on Xilinx FPGAs by Sasdrich and Güneysu at ASAP 2016. We further explore the protection of such implementations against side-channel attacks. We introduce a generic methodology for masking any n-bit Boolean functions of degree t with protection order d. The methodology is exact for first-order and heuristic for higher orders. Its application to our new construction of the AES S-box allows us to improve previous results and introduce the smallest first-order masked AES implementation on Xilinx FPGAs, to date.

show abstract

“…10 000 traces. This is due to two facts: (a) masking with minimum number of two shares has in general a strong vulnerability to second-order attacks [CFE16], (b) higher-order attacks are sensitive to the noise level [PRB09] and our design (due to its extremely low resource utilization) has a very low switching noise particularly when the masked S-box is evaluated the entire circuit stops till the termination of the S-box. Hence, the S-box is the sole source of leakage at that time.…”

Section: Sca Evaluationmentioning

confidence: 99%

Spin Me Right Round Rotational Symmetry for FPGA-Specific AES

Meyer

Moradi

Wegener

2018

TCHES

View full text Add to dashboard Cite

The effort in reducing the area of AES implementations has largely been focused on Application-Specific Integrated Circuits (ASICs) in which a tower field construction leads to a small design of the AES S-box. In contrast, a naïve implementation of the AES S-box has been the status-quo on Field-Programmable Gate Arrays (FPGAs). A similar discrepancy holds for masking schemes – a wellknown side-channel analysis countermeasure – which are commonly optimized to achieve minimal area in ASICs.In this paper we demonstrate a representation of the AES S-box exploiting rotational symmetry which leads to a 50% reduction of the area footprint on FPGA devices. We present new AES implementations which improve on the state of the art and explore various trade-offs between area and latency. For instance, at the cost of increasing 4.5 times the latency, one of our design variants requires 25% less look-up tables (LUTs) than the smallest known AES on Xilinx FPGAs by Sasdrich and Güneysu at ASAP 2016. We further explore the protection of such implementations against first-order side-channel analysis attacks. Targeting the small area footprint on FPGAs, we introduce a heuristic-based algorithm to find a masking of a given function with d + 1 shares. Its application to our new construction of the AES S-box allows us to introduce the smallest masked AES implementation on Xilinx FPGAs, to-date.

show abstract

A Tale of Two Shares: Why Two-Share Threshold Implementation Seems Worthwhile—and Why It Is Not

Cited by 16 publications

References 27 publications

Composable Masking Schemes in the Presence of Physical Defaults & the Robust Probing Model

Composable Masking Schemes in the Presence of Physical Defaults & the Robust Probing Model

Spin Me Right Round Rotational Symmetry for FPGA-Specific AES: Extended Version

Spin Me Right Round Rotational Symmetry for FPGA-Specific AES

Contact Info

Product

Resources

About