DOI: 10.1145/2996366.2996428 (ACM CCS conference proceedings, invited talk, Public Access)

Masking AES With d+1 Shares in Hardware

Published: 24 October 2016

Abstract

Masking requires splitting sensitive variables into at least d+1 shares to provide security against DPA attacks of order d. To date, this minimal number of shares has only been deployed in software implementations of cryptographic algorithms and in the linear parts of their hardware counterparts. So far there is no hardware construction that achieves this lower bound when the function is nonlinear and the underlying logic gates can glitch. In this paper, we give practical implementations of the AES using d+1 shares, aiming at first- and second-order security even in the presence of glitches. To achieve this, we follow the conditions presented by Reparaz et al. at CRYPTO 2015 that allow hardware masking schemes, such as Threshold Implementations, to provide theoretical higher-order security with d+1 shares. The decrease in the number of shares has a direct impact on the area requirements: our second-order DPA resistant core is the smallest in area so far, and its S-box is 50% smaller than the current smallest Threshold Implementation of the AES S-box with similar security and attacker model. We assess the security of our masked cores by practical side-channel evaluations. The security guarantees are met with 100 million traces.
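The d+1-share masking the abstract describes, as an added Python example that is not code from the paper: a byte is split into d+1 Boolean shares, the linear AES layers act share by share, and the nonlinear GF(2^8) multiplication at the heart of the S-box inversion is computed on d+1 input shares into d+1 output shares. The shared multiplier is an ISW/domain-oriented style cross-product-and-refresh construction chosen here for illustration (an assumption, not the paper's glitch-resistant hardware design); a software model has no glitches, which is exactly the gap the paper addresses in hardware.

```python
import secrets
from functools import reduce


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r & 0xFF


def unshare(shares):
    """Recombine Boolean shares: the secret is the XOR of all shares."""
    return reduce(lambda x, y: x ^ y, shares, 0)


def share(x, d):
    """Split byte x into d+1 shares: d uniformly random, one correcting share."""
    shares = [secrets.randbelow(256) for _ in range(d)]
    shares.append(x ^ unshare(shares))
    return shares


def masked_xor(a_shares, b_shares):
    """Linear layers (AddRoundKey, MixColumns, ...) act share by share, no randomness."""
    return [a ^ b for a, b in zip(a_shares, b_shares)]


def masked_mul(a_shares, b_shares):
    """GF(2^8) multiplication on d+1 shares, returning d+1 output shares.
    Each cross product a_i*b_j (i != j) is blinded with a fresh random byte
    before it is folded into an output share; the same byte blinds the paired
    term a_j*b_i, so it cancels and the XOR of all outputs equals a*b.
    Assumption: ISW/domain-oriented style, for illustration only."""
    n = len(a_shares)
    out = [gf_mul(a_shares[i], b_shares[i]) for i in range(n)]  # inner products
    for i in range(n):
        for j in range(i + 1, n):
            r = secrets.randbelow(256)  # fresh randomness per cross-product pair
            # In hardware the blinded cross terms are registered before this XOR
            # so that glitches cannot expose an unblinded product; this software
            # model cannot show that ordering.
            out[i] ^= gf_mul(a_shares[i], b_shares[j]) ^ r
            out[j] ^= gf_mul(a_shares[j], b_shares[i]) ^ r
    return out


def check(a, b, d):
    """True if the shared product of a and b with d+1 shares recombines to a*b."""
    prod = masked_mul(share(a, d), share(b, d))
    return len(prod) == d + 1 and unshare(prod) == gf_mul(a, b)
```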

References

[1] NanGate Open Cell Library. http://www.nangate.com/.
[2] Research Center for Information Security, National Institute of Advanced Industrial Science and Technology. Side-channel Attack Standard Evaluation Board SASEBO-G Specification. http://satoh.cs.uec.ac.jp/SASEBO/en/board/sasebo-g.html.
[3] D. Agrawal, B. Archambeault, J. R. Rao, and P. Rohatgi. The EM Side-Channel(s). In B. S. K. Jr., Ç. K. Koç, and C. Paar, editors, Cryptographic Hardware and Embedded Systems - CHES 2002, 4th International Workshop, Redwood Shores, CA, USA, August 13--15, 2002, Revised Papers, volume 2523 of Lecture Notes in Computer Science, pages 29--45. Springer, 2002.
[4] G. Barthe, S. Belaïd, P. Fouque, B. Grégoire, P. Strub, and R. Zucchini. Strong non-interference and type-directed higher-order masking. In 23rd ACM Conference on Computer and Communications Security (ACM CCS 2016) (to appear). ACM, 2016.
[5] S. Belaïd, F. Benhamouda, A. Passelègue, E. Prouff, A. Thillard, and D. Vergnaud. Randomness complexity of private circuits for multiplication. In M. Fischlin and J. Coron, editors, Advances in Cryptology - EUROCRYPT 2016 - 35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Vienna, Austria, May 8--12, 2016, Proceedings, Part II, volume 9666 of Lecture Notes in Computer Science, pages 616--648. Springer, 2016.
[6] B. Bilgin, J. Daemen, V. Nikov, S. Nikova, V. Rijmen, and G. Van Assche. Efficient and First-Order DPA Resistant Implementations of Keccak. In A. Francillon and P. Rohatgi, editors, Smart Card Research and Advanced Applications, Lecture Notes in Computer Science, pages 187--199. Springer International Publishing, 2014.
[7] B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen. A More Efficient AES Threshold Implementation. In D. Pointcheval and D. Vergnaud, editors, Progress in Cryptology - AFRICACRYPT 2014 - 7th International Conference on Cryptology in Africa, Marrakesh, Morocco, May 28--30, 2014, Proceedings, volume 8469 of Lecture Notes in Computer Science, pages 267--284. Springer, 2014.
[8] B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen. Higher-Order Threshold Implementations. In P. Sarkar and T. Iwata, editors, Advances in Cryptology - ASIACRYPT 2014 - 20th International Conference on the Theory and Application of Cryptology and Information Security, Kaoshiung, Taiwan, R.O.C., December 7--11, 2014, Proceedings, Part II, volume 8874 of Lecture Notes in Computer Science, pages 326--343. Springer, 2014.
[9] B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen. Trade-Offs for Threshold Implementations Illustrated on AES. IEEE Trans. on CAD of Integrated Circuits and Systems, 34(7):1188--1200, 2015.
[10] J. Borghoff, A. Canteaut, T. Güneysu, E. B. Kavun, M. Knezevic, L. R. Knudsen, G. Leander, V. Nikov, C. Paar, C. Rechberger, P. Rombouts, S. S. Thomsen, and T. Yalçin. PRINCE - A low-latency block cipher for pervasive computing applications (full version). IACR Cryptology ePrint Archive, 2012:529, 2012.
[11] D. Canright. A Very Compact S-Box for AES. In J. R. Rao and B. Sunar, editors, Cryptographic Hardware and Embedded Systems - CHES 2005, 7th International Workshop, Edinburgh, UK, August 29 - September 1, 2005, Proceedings, volume 3659 of Lecture Notes in Computer Science, pages 441--455. Springer, 2005.
[12] S. Chari, C. S. Jutla, J. R. Rao, and P. Rohatgi. Towards Sound Approaches to Counteract Power-Analysis Attacks. In M. J. Wiener, editor, Advances in Cryptology - CRYPTO '99, 19th Annual International Cryptology Conference, Santa Barbara, California, USA, August 15--19, 1999, Proceedings, volume 1666 of Lecture Notes in Computer Science, pages 398--412. Springer, 1999.
[13] J. Cooper, E. DeMulder, G. Goodwill, J. Jaffe, G. Kenworthy, and P. Rohatgi. Test Vector Leakage Assessment (TVLA) Methodology in Practice. International Cryptographic Module Conference, 2013. http://icmc-2013.org/wp/wp-content/uploads/2013/09/goodwillkenworthtestvector.pdf.
[14] J. Coron, P. C. Kocher, and D. Naccache. Statistics and Secret Leakage. In Y. Frankel, editor, Financial Cryptography, 4th International Conference, FC 2000, Anguilla, British West Indies, February 20--24, 2000, Proceedings, volume 1962 of Lecture Notes in Computer Science, pages 157--173. Springer, 2000.
[15] J. Coron, D. Naccache, and P. C. Kocher. Statistics and secret leakage. ACM Trans. Embedded Comput. Syst., 3(3):492--508, 2004.
[16] J. Coron, E. Prouff, M. Rivain, and T. Roche. Higher-order side channel security and mask refreshing. In S. Moriai, editor, Fast Software Encryption - 20th International Workshop, FSE 2013, Singapore, March 11--13, 2013, Revised Selected Papers, volume 8424 of Lecture Notes in Computer Science, pages 410--424. Springer, 2013.
[17] T. De Cnudde, B. Bilgin, O. Reparaz, V. Nikov, and S. Nikova. Higher-Order Threshold Implementation of the AES S-box. In N. Homma and M. Medwed, editors, Smart Card Research and Advanced Applications - 14th International Conference, CARDIS 2015, Bochum, Germany, November 4--7, 2015, Lecture Notes in Computer Science. Springer-Verlag, 2015.
[18] A. Duc, S. Dziembowski, and S. Faust. Unifying leakage models: From probing attacks to noisy leakage. In P. Q. Nguyen and E. Oswald, editors, Advances in Cryptology - EUROCRYPT 2014 - 33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, May 11--15, 2014, Proceedings, volume 8441 of Lecture Notes in Computer Science, pages 423--440. Springer, 2014.
[19] G. Goodwill, B. Jun, J. Jaffe, and P. Rohatgi. A Testing Methodology for Side-Channel Resistance Validation. NIST non-invasive attack testing workshop, 2011. http://csrc.nist.gov/news_events/non-invasive-attack-testing-workshop/papers/08_Goodwill.pdf.
[20] Y. Ishai, A. Sahai, and D. Wagner. Private Circuits: Securing Hardware against Probing Attacks. In D. Boneh, editor, Advances in Cryptology - CRYPTO 2003, 23rd Annual International Cryptology Conference, Santa Barbara, California, USA, August 17--21, 2003, Proceedings, volume 2729 of Lecture Notes in Computer Science, pages 463--481. Springer, 2003.
[21] P. C. Kocher. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. In N. Koblitz, editor, Advances in Cryptology - CRYPTO '96, 16th Annual International Cryptology Conference, Santa Barbara, California, USA, August 18--22, 1996, Proceedings, volume 1109 of Lecture Notes in Computer Science, pages 104--113. Springer, 1996.
[22] P. C. Kocher, J. Jaffe, and B. Jun. Differential Power Analysis. In M. J. Wiener, editor, Advances in Cryptology - CRYPTO '99, 19th Annual International Cryptology Conference, Santa Barbara, California, USA, August 15--19, 1999, Proceedings, volume 1666 of Lecture Notes in Computer Science, pages 388--397. Springer, 1999.
[23] S. Mangard, N. Pramstaller, and E. Oswald. Successfully Attacking Masked AES Hardware Implementations. In J. R. Rao and B. Sunar, editors, Cryptographic Hardware and Embedded Systems - CHES 2005, 7th International Workshop, Edinburgh, UK, August 29 - September 1, 2005, Proceedings, volume 3659 of Lecture Notes in Computer Science, pages 157--171. Springer, 2005.
[24] A. Moradi, A. Poschmann, S. Ling, C. Paar, and H. Wang. Pushing the Limits: A Very Compact and a Threshold Implementation of AES. In K. G. Paterson, editor, Advances in Cryptology - EUROCRYPT 2011 - 30th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tallinn, Estonia, May 15--19, 2011, Proceedings, volume 6632 of Lecture Notes in Computer Science, pages 69--88. Springer, 2011.
[25] S. Nikova, V. Rijmen, and M. Schläffer. Secure Hardware Implementation of Nonlinear Functions in the Presence of Glitches. J. Cryptology, 24(2):292--321, 2011.
[26] A. Poschmann, A. Moradi, K. Khoo, C. Lim, H. Wang, and S. Ling. Side-Channel Resistant Crypto for Less than 2,300 GE. J. Cryptology, 24(2):322--345, 2011.
[27] E. Prouff and M. Rivain. Masking against Side-Channel Attacks: A Formal Security Proof. In T. Johansson and P. Q. Nguyen, editors, Advances in Cryptology - EUROCRYPT 2013, volume 7881 of Lecture Notes in Computer Science, pages 142--159. Springer Berlin Heidelberg, 2013.
[28] E. Prouff and T. Roche. Higher-Order Glitches Free Implementation of the AES Using Secure Multi-party Computation Protocols. In B. Preneel and T. Takagi, editors, Cryptographic Hardware and Embedded Systems - CHES 2011 - 13th International Workshop, Nara, Japan, September 28 - October 1, 2011, Proceedings, volume 6917 of Lecture Notes in Computer Science, pages 63--78. Springer, 2011.
[29] O. Reparaz. Detecting flawed masking schemes with leakage detection tests. In T. Peyrin, editor, Fast Software Encryption, 23rd International Conference, FSE 2016, Bochum, Germany, March 20--23, 2016, volume 0000 of Lecture Notes in Computer Science, page 20. Springer, 2016.
[30] O. Reparaz, B. Bilgin, S. Nikova, B. Gierlichs, and I. Verbauwhede. Consolidating Masking Schemes. In R. Gennaro and M. Robshaw, editors, Advances in Cryptology - CRYPTO 2015 - 35th Annual Cryptology Conference, Santa Barbara, CA, USA, August 16--20, 2015, Proceedings, Part I, volume 9215 of Lecture Notes in Computer Science, pages 764--783. Springer, 2015.
[31] T. Schneider and A. Moradi. Leakage Assessment Methodology - A Clear Roadmap for Side-Channel Evaluations. In T. Güneysu and H. Handschuh, editors, Cryptographic Hardware and Embedded Systems - CHES 2015 - 17th International Workshop, Saint-Malo, France, September 13--16, 2015, Proceedings, volume 9293 of Lecture Notes in Computer Science, pages 495--513. Springer, 2015.
[32] C. Shannon. The Synthesis of Two-Terminal Switching Circuits. The Bell System Technical Journal, 28(1):59--98, Jan 1949.
[33] E. Trichina. Combinational logic design for AES subbyte transformation on masked data. IACR Cryptology ePrint Archive, 2003:236, 2003.


Published In

TIS '16: Proceedings of the 2016 ACM Workshop on Theory of Implementation Security
October 2016, 50 pages
ISBN: 9781450345750
DOI: 10.1145/2996366
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. AES
  2. DPA
  3. masking
  4. threshold implementations

Qualifiers

  • Invited-talk

Conference

CCS'16

Article Metrics

  • Downloads (Last 12 months)83
  • Downloads (Last 6 weeks)21
Reflects downloads up to 16 Oct 2024

Cited By

  • (2024) Energy Efficient Obfuscation of Side-Channel Leakage for Preventing Side-Channel Attacks. Proceedings of the 39th ACM/SIGAPP Symposium on Applied Computing, 10.1145/3605098.3635997, pp. 1405-1414. Online publication date: 8-Apr-2024.
  • (2023) Low Area and Low Power Threshold Implementation Design Technique for AES S-Box. IEEE Transactions on Circuits and Systems II: Express Briefs, 10.1109/TCSII.2022.3217150, 70(3):1169-1173. Online publication date: Mar-2023.
  • (2023) Stacked Ensemble Models Evaluation on DL Based SCA. E-Business and Telecommunications, 10.1007/978-3-031-45137-9_3, pp. 43-68. Online publication date: 30-Sep-2023.
  • (2022) Regarding Classification of n-sharing of Multivariate Mappings over Finite Fields and One NSUCrypto'2019 Olympiad Problem. Mathematics and Mathematical Modeling, 10.24108/mathm.0122.0000262, pp. 31-51. Online publication date: 24-Sep-2022.
  • (2022) Power Side-Channel Leakage Assessment Framework at Register-Transfer Level. IEEE Transactions on Very Large Scale Integration (VLSI) Systems, 10.1109/TVLSI.2022.3175067, 30(9):1207-1218. Online publication date: Sep-2022.
  • (2022) IronMask: Versatile Verification of Masking Security. 2022 IEEE Symposium on Security and Privacy (SP), 10.1109/SP46214.2022.9833600, pp. 142-160. Online publication date: May-2022.
  • (2021) Power analysis attack resilient block cipher implementation based on 1-of-4 data encoding. ETRI Journal, 10.4218/etrij.2020-0175. Online publication date: 2-Jun-2021.
  • (2021) QuadSeal: Quadruple Balancing to Mitigate Power Analysis Attacks with Variability Effects and Electromagnetic Fault Injection Attacks. ACM Transactions on Design Automation of Electronic Systems, 10.1145/3443706, 26(5):1-36. Online publication date: 5-Jun-2021.
  • (2021) LLTI: Low-Latency Threshold Implementations. IEEE Transactions on Information Forensics and Security, 10.1109/TIFS.2021.3123527, 16:5108-5123. Online publication date: 2021.
  • (2021) Hardware Private Circuits: From Trivial Composition to Full Verification. IEEE Transactions on Computers, 10.1109/TC.2020.3022979, pp. 1-1. Online publication date: 2021.
