Spin Me Right Round Rotational Symmetry for FPGA-Specific AES: Extended Version

Wegener, Felix; Meyer, Lauren De; Moradi, Amir

doi:10.1007/s00145-019-09342-y

“…Indeed, none of them has been designed to efficiently utilize FPGA resources, e.g., slices, LUTs, and BRAMs. Instead, in [DMW18] (improved in [WMM20]) an FPGA-specific masked AES has been presented. Following the same concept as in [WM18], the authors decomposed the inversion in GF (2 8 ) into two cubic functions and reduced the area footprint on FPGA by exploiting the rotational symmetry [RBF08].…”

Section: Related Workmentioning

confidence: 99%

“…The work presented in [WMM20] provides the masked form of such a function with 16 component functions, but with no guarantees of optimality, since the presented algorithm always produces k × (d + 1) t component functions, with k being an integer. Here, d = 1 and t = 3, i.e., 2 shares and a cubic coordinate function.…”

Section: Techniquementioning

confidence: 99%

“…In order to ease the notation, we utilize the same matrix/table representation of output sharing used in [WMM20] and [BKN19]. While the table notation does not uniquely determine the Algebraic Normal Form (ANF) of the sharing, it is sufficient to argue the correctness and non-completeness properties.…”

Section: Techniquementioning

confidence: 99%

“…Accordingly, we provided a performance table listing the resource utilization and throughput of our design compared to the state of the art in Table 3. Of course, the smallest design is the one presented in [WMM20], which has 30 times lower throughput compared to almost every other known implementation. Compared to the other designs with comparable throughput, our design outperforms the others with respect to resource utilization (except for BRAM).…”

Section: Area-latency-randomness Trade-offmentioning

confidence: 99%

“…As an FPGA-specific design, at the cost of extremely high latency, the authors of [WMM20] have presented a tiny masked AES for Xilinx FPGAs. Albeit efficiently utilizing FPGA resources, the design is absolutely not a choice when high throughput is desired, which -to the best of our knowledge -is among the main motivations behind employing an FPGA in various applications.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

New First-Order Secure AES Performance Records

Shahmirzadi¹,

Božilov²,

Moradi³

2021

TCHES

Self Cite

View full text Add to dashboard Cite

Being based on a sound theoretical basis, masking schemes are commonly applied to protect cryptographic implementations against Side-Channel Analysis (SCA) attacks. Constructing SCA-protected AES, as the most widely deployed block cipher, has been naturally the focus of several research projects, with a direct application in industry. The majority of SCA-secure AES implementations introduced to the community opted for low area and latency overheads considering Application-Specific Integrated Circuit (ASIC) platforms. Albeit a few, those which particularly targeted Field Programmable Gate Arrays (FPGAs) as the implementation platform yield either a low throughput or a not-highly secure design.In this work, we fill this gap by introducing first-order glitch-extended probing secure masked AES implementations highly optimized for FPGAs, which support both encryption and decryption. Compared to the state of the art, our designs efficiently map the critical non-linear parts of the masked S-box into the built-in Block RAMs (BRAMs).The most performant variant of our constructions accomplishes five first-order secure AES encryptions/decryptions simultaneously in 50 clock cycles. Compared to the equivalent state-of-the-art designs, this leads to at least 70% reduction in utilization of FPGA resources (slices) at the cost of occupying BRAMs. Last but not least, we provide a wide range of such secure and efficient implementations supporting a large set of applications, ranging from low-area to high-throughput.

show abstract

Revisiting the Security of COMET Authenticated Encryption Scheme

Gueron

¹

,

Jha

²

,

Nandi

³

2021

Lecture Notes in Computer Science

2

0

View full text Add to dashboard Cite

Threshold Implementations have become a popular generic technique to construct circuits resilient against power analysis attacks. In this paper, we look to devise efficient threshold circuits for the lightweight block cipher family SKINNY. The only threshold circuits for this family are those proposed by its designers who decomposed the 8-bit S-box into four quadratic S-boxes, and constructed a 3-share byte-serial threshold circuit that executes the substitution layer over four cycles. In particular, we revisit the algebraic structure of the S-box and prove that it is possible to decompose it into (a) three quadratic S-boxes and (b) two cubic S-boxes. Such decompositions allow us to construct threshold circuits that require three shares and executes each round function in three cycles instead of four, and similarly circuits that use four shares requiring two cycles per round. Our constructions significantly reduce latency and energy consumption per encryption operation. Notably, to validate our designs, we synthesize our circuits on standard CMOS cell libraries to evaluate performance, and we conduct leakage detection via statistical tests on power traces on FPGA platforms to assess security. 1

show abstract

Improving First-Order Threshold Implementations of SKINNY

Caforio

¹

,

Collins

²

,

Glamočanin

³

et al. 2021

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Threshold Implementations have become a popular generic technique to construct circuits resilient against power analysis attacks. In this paper, we look to devise efficient threshold circuits for the lightweight block cipher family SKINNY. The only threshold circuits for this family are those proposed by its designers who decomposed the 8-bit S-box into four quadratic S-boxes, and constructed a 3-share byte-serial threshold circuit that executes the substitution layer over four cycles. In particular, we revisit the algebraic structure of the S-box and prove that it is possible to decompose it into (a) three quadratic S-boxes and (b) two cubic S-boxes. Such decompositions allow us to construct threshold circuits that require three shares and executes each round function in three cycles instead of four, and similarly circuits that use four shares requiring two cycles per round. Our constructions significantly reduce latency and energy consumption per encryption operation. Notably, to validate our designs, we synthesize our circuits on standard CMOS cell libraries to evaluate performance, and we conduct leakage detection via statistical tests on power traces on FPGA platforms to assess security. 1

show abstract

Spin Me Right Round Rotational Symmetry for FPGA-Specific AES: Extended Version

Cited by 16 publications

References 59 publications

New First-Order Secure AES Performance Records

New First-Order Secure AES Performance Records

Revisiting the Security of COMET Authenticated Encryption Scheme

Improving First-Order Threshold Implementations of SKINNY

Contact Info

Product

Resources

About