Uniform First-Order Threshold Implementations

Beyne, Tim; Bilgin, Begül

doi:10.1007/978-3-319-69453-5_5

Cited by 10 publications

(8 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The underlying optimizations are not FPGA-specific, and achieving SCA protection by means of masking on such a construction does not seem easily possible. 1 FPGA versus ASIC An FPGA design is indeed very different to its ASIC counterpart, most notably in the use of LUTs, which makes the number of inputs to a Boolean function a more defining factor for implementation cost than its algebraic complexity. Since the standardization of Rijndael as the AES, several successful efforts [12,15,19] have been made to reduce its size on FPGAs.…”

Section: Aes S-boxmentioning

confidence: 99%

See 1 more Smart Citation

Spin Me Right Round Rotational Symmetry for FPGA-Specific AES: Extended Version

2020

View full text Add to dashboard Cite

The effort in reducing the area of AES implementations has largely been focused on application-specific integrated circuits (ASICs) in which a tower field construction leads to a small design of the AES S-box. In contrast, a naive implementation of the AES S-box has been the status-quo on field-programmable gate arrays (FPGAs). A similar discrepancy holds for masking schemes-a well-known side-channel analysis countermeasure-which are commonly optimized to achieve minimal area in ASICs. In this paper, we demonstrate a representation of the AES S-box exploiting rotational symmetry which leads to a 50% reduction in the area footprint on FPGA devices. We present new AES implementations which improve on the state-of-the-art and explore various trade-offs between area and latency. For instance, at the cost of increasing 4.5 times the latency, one of our design variants requires 25% less look-up tables (LUTs) than the smallest known AES on Xilinx FPGAs by Sasdrich and Güneysu at ASAP 2016. We further explore the protection of such implementations against side-channel attacks. We introduce a generic methodology for masking any n-bit Boolean functions of degree t with protection order d. The methodology is exact for first-order and heuristic for higher orders. Its application to our new construction of the AES S-box allows us to improve previous results and introduce the smallest first-order masked AES implementation on Xilinx FPGAs, to date.

show abstract

Section: Aes S-boxmentioning

confidence: 99%

“…Finding a uniform sharing without using fresh randomness is often tedious [1,10] and may be impossible. Hence, many masking schemes restore the uniformity by remasking with fresh randomness.…”

Section: Boolean Masking In Hardwarementioning

confidence: 99%

Spin Me Right Round Rotational Symmetry for FPGA-Specific AES: Extended Version

2020

View full text Add to dashboard Cite

show abstract

“…Otherwise, the security of such an implementation cannot be guaranteed. Note that fulfilling the uniformity property of TI constructions is amongst its most difficult challenges, and it has been the core topic of several articles like [22], [25]- [28]. Alternatively, the shares can be remasked at the end of every non-uniformly shared non-linear function (see [29], [30]), which requires a source to provide fresh randomness at every clock cycle.…”

Section: B Threshold Implementationsmentioning

confidence: 99%

Side-Channel Hardware Trojan for Provably-Secure SCA-Protected Implementations

Ghandali

Moos

Moradi

et al. 2020

IEEE Trans. VLSI Syst.

View full text Add to dashboard Cite

Hardware Trojans have drawn the attention of academia, industry and government agencies. Effective detection mechanisms and countermeasures against such malicious designs can only be developed when there is a deep understanding of how hardware Trojans can be built in practice, in particular Trojans specifically designed to avoid detection. In this work, we present a mechanism to introduce an extremely stealthy hardware Trojan into cryptographic primitives equipped with provably-secure first-order side-channel countermeasures. Once the Trojan is triggered, the malicious design exhibits exploitable side-channel leakage, leading to successful key recovery attacks. Generally, such a Trojan requires neither addition nor removal of any logic which makes it extremely hard to detect. On ASICs, it can be inserted by subtle manipulations at the sub-transistor level and on FPGAs by changing the routing of particular signals, leading to zero logic overhead. The underlying concept is based on modifying a securely-masked hardware implementation in such a way that running the device at a particular clock frequency violates one of its essential properties, leading to exploitable leakage. We apply our technique to a Threshold Implementation of the PRESENT block cipher realized in two different CMOS technologies, and show that triggering the Trojan makes the ASIC prototypes vulnerable.

show abstract

“…Although hardware designers have been tackling the problem by designing serialized implementations in order to achieve an extreme of the area-speed trade-off, implementation-level optimization is reaching its limit. To push the limit further, researchers have been studying a BC optimized for TI by design, mostly focusing on TI-friendly Sboxes [ 13 , 21 ]. In this paper, we follow this line of research and go one step further by introducing the TI-friendly AE mode.…”

Section: Introductionmentioning

confidence: 99%

Lightweight Authenticated Encryption Mode Suitable for Threshold Implementation

Naito

Sasaki

Sugawara

2020

Advances in Cryptology – EUROCRYPT 2020

View full text Add to dashboard Cite

This paper proposes tweakable block cipher (TBC) based modes and that are efficient in threshold implementations (TI). Let t be an algebraic degree of a target function, e.g. (resp. ) for linear (resp. non-linear) function. The d -th order TI encodes the internal state into shares. Hence, the area size increases proportionally to the number of shares. This implies that TBC based modes can be smaller than block cipher (BC) based modes in TI because TBC requires s -bit block to ensure s -bit security, e.g. PFB and Romulus, while BC requires 2 s -bit block. However, even with those TBC based modes, the minimum we can reach is 3 shares of s -bit state with and the first-order TI ( ). Our first design aims to break the barrier of the 3 s -bit state in TI. The block size of an underlying TBC is s /2 bits and the output of TBC is linearly expanded to s bits. This expanded state requires only 2 shares in the first-order TI, which makes the total state size 2.5 s bits. We also provide rigorous security proof of . Our second design further increases a parameter : a ratio of the security level s to the block size of an underlying TBC. We prove security of for any under some assumptions for an underlying TBC and for parameters used to update a state. Next, we show a concrete instantiation of for 128-bit security. It requires a TBC with 64-bit block, 128-bit key and 128-bit tweak, while no existing TBC can support it. We design a new TBC by extending SKINNY and provide basic security evaluation. Finally, we give hardware benchmarks of in the first-order TI to show that TI of is smaller than that of PFB by more than one thousand gates and is the smallest within the schemes having 128-bit security.

show abstract

Uniform First-Order Threshold Implementations

Cited by 10 publications

References 19 publications

Spin Me Right Round Rotational Symmetry for FPGA-Specific AES: Extended Version

Spin Me Right Round Rotational Symmetry for FPGA-Specific AES: Extended Version

Side-Channel Hardware Trojan for Provably-Secure SCA-Protected Implementations

Lightweight Authenticated Encryption Mode Suitable for Threshold Implementation

Contact Info

Product

Resources

About