DOI: 10.1007/978-3-031-25319-5_6
Article

Guarding the First Order: The Rise of AES Maskings

Published: 29 January 2023

Abstract

We provide three first-order hardware maskings of the AES, each allowing for a different trade-off between the number of shares and the number of register stages. All maskings use a generalization of the changing of the guards method enabling the re-use of randomness between masked S-boxes. As a result, the maskings do not require fresh randomness while still allowing for a minimal number of shares and providing provable security in the glitch-extended probing model. The low-area variant has five cycles of latency and a serialized area cost of 8.13 kGE. The low-latency variant reduces the latency to three cycles while increasing the serialized area by compared to the low-area variant. The maskings of the AES encryption are implemented on FPGA and evaluated with Test Vector Leakage Assessment (TVLA).
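The Test Vector Leakage Assessment named in the abstract is a fixed-vs-random Welch t-test over power traces. The following is an added example, not code from the paper or from its FPGA evaluation: it simulates the leakage of an AES S-box output register, once unmasked and once split into two Boolean shares with a fresh mask, and runs the first-order test on both. The Hamming-weight-plus-Gaussian-noise leakage model, the key 0x2B, the fixed plaintext 0x78, the trace count and the seed are assumptions of the example; the S-box itself is computed from the FIPS 197 definition. It also runs a second-order (centred-and-squared) test, which goes beyond the abstract's first-order setting, to show what "first-order" security does and does not cover.

```python
"""Fixed-vs-random TVLA on simulated AES S-box leakage: an unmasked output register
versus a first-order Boolean-masked one (two share registers, fresh mask per call)."""
import math
import random
from statistics import mean, variance

TVLA_THRESHOLD = 4.5  # conventional |t| bound: above it the test reports leakage


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r & 0xFF


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (Fermat); AES maps 0 to 0."""
    if a == 0:
        return 0
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def _rotl8(v: int, n: int) -> int:
    return ((v << n) | (v >> (8 - n))) & 0xFF


def aes_sbox(x: int) -> int:
    """SubBytes: GF(2^8) inversion followed by the FIPS 197 affine map."""
    inv = gf_inv(x)
    return inv ^ _rotl8(inv, 1) ^ _rotl8(inv, 2) ^ _rotl8(inv, 3) ^ _rotl8(inv, 4) ^ 0x63


SBOX = [aes_sbox(x) for x in range(256)]


def hw(v: int) -> int:
    return bin(v).count("1")


def simulate_traces(n, key, fixed_pt, masked, rng, sigma=1.0):
    """Return (fixed_class, random_class): one leakage sample per trace.

    Leakage model (an assumption of this example, not the paper's measurement
    setup): a register leaks the Hamming weight of its contents plus Gaussian noise.
    Unmasked: the S-box output register. Masked: share registers s0, s1 with
    s0 ^ s1 == S-box output and s1 a fresh uniform mask, each leaking independently.
    """
    def leak(pt):
        v = SBOX[pt ^ key]
        if masked:
            s1 = rng.randrange(256)
            s0 = v ^ s1
            signal = hw(s0) + hw(s1)
        else:
            signal = hw(v)
        return signal + rng.gauss(0.0, sigma)

    fixed = [leak(fixed_pt) for _ in range(n)]
    rand = [leak(rng.randrange(256)) for _ in range(n)]
    return fixed, rand


def welch_t(a, b):
    """Welch's t statistic between two sample sets (the TVLA first-order test)."""
    return (mean(a) - mean(b)) / math.sqrt(variance(a) / len(a) + variance(b) / len(b))


def second_order_t(a, b):
    """Centre each class and square before the t-test: detects the variance
    difference that two-share masking leaves behind (second-order leakage)."""
    ma, mb = mean(a), mean(b)
    return welch_t([(x - ma) ** 2 for x in a], [(x - mb) ** 2 for x in b])


def tvla(masked, n=2000, seed=1):
    """Run fixed-vs-random TVLA on n traces per class; returns both t statistics."""
    rng = random.Random(seed)
    key, fixed_pt = 0x2B, 0x78  # constructed; fixed S-box input is 0x53 -> 0xED (HW 6)
    fixed, rand = simulate_traces(n, key, fixed_pt, masked, rng)
    return {"first_order": welch_t(fixed, rand),
            "second_order": second_order_t(fixed, rand)}


if __name__ == "__main__":
    for masked in (False, True):
        r = tvla(masked)
        print(f"{'masked' if masked else 'unmasked':8s}  "
              f"1st-order t = {r['first_order']:7.2f}   2nd-order t = {r['second_order']:7.2f}")
```

The unmasked register fails the first-order test by a wide margin, the two-share register passes it, and the second-order test still flags the two-share register because the variance of the summed share leakage depends on the unshared value. A real assessment runs the t-test at every sample of full traces, with far more than 2000 traces per class, and treats 4.5 as a convention rather than a proof; a glitch-extended probing-model argument of the kind the abstract describes is what gives the security claim its footing, with TVLA serving as the empirical check.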


Published In

Smart Card Research and Advanced Applications: 21st International Conference, CARDIS 2022, Birmingham, UK, November 7–9, 2022, Revised Selected Papers
Nov 2022
310 pages
ISBN: 978-3-031-25318-8
DOI: 10.1007/978-3-031-25319-5

Publisher

Springer-Verlag, Berlin, Heidelberg
Author Tags

1. AES
2. Hardware
3. Probing security
4. Threshold implementations