Optimized Threshold Implementations: Minimizing the Latency of Secure Cryptographic Accelerators

Božilov, Dušan; Knežević, Miroslav; Nikov, Ventzislav

doi:10.1007/978-3-030-42068-0_2

Cited by 8 publications

(14 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This section presents the evaluation of a masking-based countermeasure as applicable to the unrolled architectures of low-latency ciphers. The countermeasure is based on threshold implementation (TI) for PRINCE, proposed by Moradi and Schneider [7], and its subsequent development [29]. We extended the unrolled TI-based countermeasure with register elements, such as pipeline registers and deglitchers.…”

Section: Countermeasuresmentioning

confidence: 99%

Diffusional Side-Channel Leakage From Unrolled Lightweight Block Ciphers: A Case Study of Power Analysis on PRINCE

Yli-Mäyry

Ueno

Miura

et al. 2021

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

This study investigates a new side-channel leakage observed in the inner rounds of an unrolled hardware implementation of block ciphers in a chosen-input attack scenario. The side-channel leakage occurs in the first round and it can be observed in the later inner rounds because it arises from path activation bias caused by the difference between two consecutive inputs. Therefore, a new attack that exploits the leakage is possible even for unrolled implementations equipped with countermeasures (masking and/or deglitchers that separate the circuit in terms of glitch propagation) in the round involving the leakage. We validate the existence of such a unique sidechannel leakage through a set of experiments with a fully unrolled PRINCE cipher hardware, implemented on a field-programmable gate array (FPGA). In addition, we verify the validity and evaluate the hardware cost of a countermeasure for the unrolled implementation, namely the Threshold Implementation (TI) countermeasure.

show abstract

Section: Countermeasuresmentioning

confidence: 99%

Diffusional Side-Channel Leakage From Unrolled Lightweight Block Ciphers: A Case Study of Power Analysis on PRINCE

Yli-Mäyry

Ueno

Miura

et al. 2021

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

show abstract

“…In fact, the authors optimized k and not the number of component functions in general. Additionally, another methodology has been given in [BKN19], which is only suitable for sharing functions that have degree t = n − 1, where n is the number of input bits. As we have t = 3 and n = 8, this method obviously cannot be applied in our case.…”

Section: Techniquementioning

confidence: 99%

“…In order to ease the notation, we utilize the same matrix/table representation of output sharing used in [WMM20] and [BKN19]. While the table notation does not uniquely determine the Algebraic Normal Form (ANF) of the sharing, it is sufficient to argue the correctness and non-completeness properties.…”

Section: Techniquementioning

confidence: 99%

New First-Order Secure AES Performance Records

Shahmirzadi¹,

Božilov²,

Moradi³

2021

TCHES

Self Cite

View full text Add to dashboard Cite

Being based on a sound theoretical basis, masking schemes are commonly applied to protect cryptographic implementations against Side-Channel Analysis (SCA) attacks. Constructing SCA-protected AES, as the most widely deployed block cipher, has been naturally the focus of several research projects, with a direct application in industry. The majority of SCA-secure AES implementations introduced to the community opted for low area and latency overheads considering Application-Specific Integrated Circuit (ASIC) platforms. Albeit a few, those which particularly targeted Field Programmable Gate Arrays (FPGAs) as the implementation platform yield either a low throughput or a not-highly secure design.In this work, we fill this gap by introducing first-order glitch-extended probing secure masked AES implementations highly optimized for FPGAs, which support both encryption and decryption. Compared to the state of the art, our designs efficiently map the critical non-linear parts of the masked S-box into the built-in Block RAMs (BRAMs).The most performant variant of our constructions accomplishes five first-order secure AES encryptions/decryptions simultaneously in 50 clock cycles. Compared to the equivalent state-of-the-art designs, this leads to at least 70% reduction in utilization of FPGA resources (slices) at the cost of occupying BRAMs. Last but not least, we provide a wide range of such secure and efficient implementations supporting a large set of applications, ranging from low-area to high-throughput.

show abstract

“…In [MS16a], the S-box is decomposed to three quadratic bijections allowing to obtain its uniform sharing with three shares without any fresh masks, i.e., three clock cycles per encryption/decryption round. In [BKN19], the authors considered d + 1 masking and did not decompose the S-box, as we do in our construction. Each first-order masked S-box in their design requires 12 fresh mask bits while using a form of mask reuse, the authors could reduce the required fresh masks to 48 bits per clock cycle in a round-based implementation with two clock cycles per cipher round.…”

Section: Mʹ Compressmentioning

confidence: 99%

“…Table 2 shows a comparison between the performance of these designs. Since the key path was masked in [BKN19], but not in [MS16a], we provided both designs with and without key masking enabling a more meaningful comparison.…”

Section: Mʹ Compressmentioning

confidence: 99%

Re-Consolidating First-Order Masking Schemes

Shahmirzadi

Moradi

2020

TCHES

View full text Add to dashboard Cite

Application of masking, known as the most robust and reliable countermeasure to side-channel analysis attacks, on various cryptographic algorithms has dedicated a lion’s share of research to itself. The difficulty originates from the fact that the overhead of application of such an algorithmic-level countermeasure might not be affordable. This includes the area- and latency overheads and the amount of fresh randomness required to fulfill the resulting design’s security properties. There are already techniques applicable in hardware platforms that consider glitches into account. Among them, classical threshold implementations force the designers to use at least three shares in the underlying masking. The other schemes, which can deal with two shares, often necessitates the use of fresh randomness.Here, in this work, we present a technique allowing us to use two shares to realize the first-order glitch-extended probing secure masked realization of several functions, including the S-box of Midori, PRESENT, PRINCE, and AES ciphers without any fresh randomness.

show abstract

Optimized Threshold Implementations: Minimizing the Latency of Secure Cryptographic Accelerators

Cited by 8 publications

References 17 publications

Diffusional Side-Channel Leakage From Unrolled Lightweight Block Ciphers: A Case Study of Power Analysis on PRINCE

Diffusional Side-Channel Leakage From Unrolled Lightweight Block Ciphers: A Case Study of Power Analysis on PRINCE

New First-Order Secure AES Performance Records

Re-Consolidating First-Order Masking Schemes

Contact Info

Product

Resources

About