Mode-Level vs. Implementation-Level Physical Security in Symmetric Cryptography

“…We summarize and discuss implementation security and efficient implementations in Sect. 7. Finally, we conclude in Sect.…”

“…As a result, masked software implementations of Ascon result in a performance penalty with low overhead. Additionally, leveled implementations of Ascon are possible to improve the robustness and/or security of the design [4,7]. Examples are side-channel protected implementations with different strength of the key XORs, p a and/or p b .…”

“…Next, we give a list of papers that either evaluate the side-channel and fault resistance of Ascon or elaborate protection mechanisms against side-channel and fault attacks [4,7,12,[28][29][30]50,51,55,60,68,[77][78][79]83].…”

“…For example, even if an attacker somehow manages to recover an internal state during data processing (e.g., due to side-channel attacks), this does not directly lead to the recovery of the secret key or to constructing forgeries without significant additional computations. Besides increasing the robustness of any implementation, this also allows more efficient protection against side-channel attacks such as differential power analysis (DPA) attacks with leveled implementations [4,7]: In masked implementations, it can be sufficient that the initialization and finalization provides high robustness against side-channel analysis, whereas the bulk data can be processed at higher speed with a lower protection level. Thanks to Ascon's low-degree S-box, masked implementations induce only a relatively small overhead in hardware and software [75], so it is feasible to include protection on constrained devices.…”

Ascon v1.2: Lightweight Authenticated Encryption and Hashing

“…We summarize and discuss implementation security and efficient implementations in Sect. 7. Finally, we conclude in Sect.…”

“…As a result, masked software implementations of Ascon result in a performance penalty with low overhead. Additionally, leveled implementations of Ascon are possible to improve the robustness and/or security of the design [4,7]. Examples are side-channel protected implementations with different strength of the key XORs, p a and/or p b .…”

“…Next, we give a list of papers that either evaluate the side-channel and fault resistance of Ascon or elaborate protection mechanisms against side-channel and fault attacks [4,7,12,[28][29][30]50,51,55,60,68,[77][78][79]83].…”

“…For example, even if an attacker somehow manages to recover an internal state during data processing (e.g., due to side-channel attacks), this does not directly lead to the recovery of the secret key or to constructing forgeries without significant additional computations. Besides increasing the robustness of any implementation, this also allows more efficient protection against side-channel attacks such as differential power analysis (DPA) attacks with leveled implementations [4,7]: In masked implementations, it can be sufficient that the initialization and finalization provides high robustness against side-channel analysis, whereas the bulk data can be processed at higher speed with a lower protection level. Thanks to Ascon's low-degree S-box, masked implementations induce only a relatively small overhead in hardware and software [75], so it is feasible to include protection on constrained devices.…”

Ascon v1.2: Lightweight Authenticated Encryption and Hashing

“…Related Work. Two NIST LWC finalists, Ascon [21] and ISAP [22], have been shown to have nonce-misuse resilient privacy and misuse resistant authenticity [23,24]. NMRL security has been shown for a 2nd-round candidate Spook [25].…”

Nonce‐misuse resilience of Romulus‐N and GIFT‐COFB

Mode-Level vs. Implementation-Level Physical Security in Symmetric Cryptography