Threshold implementations of small S-boxes

Bilgin, Begül; Nikova, Svetla; Nikov, Ventzislav; Rijmen, Vincent; Tokareva, Natalia; Vitkup, V. A.

doi:10.1007/s12095-014-0104-7

Cited by 42 publications

(46 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The most popular scheme is the threshold implementation (TI) masking scheme introduced by Nikova et al [18]. It has been extensively researched and extended by Bilgin et al [1,4] during the last years. There exist many protected hardware implementations that are based on TI [2,3,17].…”

Section: Introductionmentioning

confidence: 99%

An Efficient Side-Channel Protected AES Implementation with Arbitrary Protection Order

Groß

Mangard

Korak

2017

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Passive physical attacks, like power analysis, pose a serious threat to the security of digital circuits. In this work, we introduce an efficient sidechannel protected Advanced Encryption Standard (AES) hardware design that is completely scalable in terms of protection order. Therefore, we revisit the private circuits scheme of Ishai et al. [13] which is known to be vulnerable to glitches. We demonstrate how to achieve resistance against multivariate higher-order attacks in the presence of glitches for the same randomness cost as the private circuits scheme. Although our AES design is scalable, it is smaller, faster, and less randomness demanding than other side-channel protected AES implementations. Our first-order secure AES design, for example, requires only 18 bits of randomness per S-box operation and 6 kGE of chip area. We demonstrate the flexibility of our AES implementation by synthesizing it up to the 15 th protection order.

show abstract

Section: Introductionmentioning

confidence: 99%

An Efficient Side-Channel Protected AES Implementation with Arbitrary Protection Order

Groß

Mangard

Korak

2017

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Otherwise, the security of such an implementation cannot be guaranteed. Note that fulfilling the uniformity property of TI constructions is amongst its most difficult challenges, and it has been the core topic of several articles like [22], [25]- [28]. Alternatively, the shares can be remasked at the end of every non-uniformly shared non-linear function (see [29], [30]), which requires a source to provide fresh randomness at every clock cycle.…”

Section: B Threshold Implementationsmentioning

confidence: 99%

Side-Channel Hardware Trojan for Provably-Secure SCA-Protected Implementations

Ghandali

Moos

Moradi

et al. 2020

IEEE Trans. VLSI Syst.

View full text Add to dashboard Cite

Hardware Trojans have drawn the attention of academia, industry and government agencies. Effective detection mechanisms and countermeasures against such malicious designs can only be developed when there is a deep understanding of how hardware Trojans can be built in practice, in particular Trojans specifically designed to avoid detection. In this work, we present a mechanism to introduce an extremely stealthy hardware Trojan into cryptographic primitives equipped with provably-secure first-order side-channel countermeasures. Once the Trojan is triggered, the malicious design exhibits exploitable side-channel leakage, leading to successful key recovery attacks. Generally, such a Trojan requires neither addition nor removal of any logic which makes it extremely hard to detect. On ASICs, it can be inserted by subtle manipulations at the sub-transistor level and on FPGAs by changing the routing of particular signals, leading to zero logic overhead. The underlying concept is based on modifying a securely-masked hardware implementation in such a way that running the device at a particular clock frequency violates one of its essential properties, leading to exploitable leakage. We apply our technique to a Threshold Implementation of the PRESENT block cipher realized in two different CMOS technologies, and show that triggering the Trojan makes the ASIC prototypes vulnerable.

show abstract

“…The number of 4 × 4 s-boxes up to affine equivalence is 302 [2], among which 10 s-boxes have nonlinearity 4, degree 3 and absolute autocorrelation value 8, which are the basic cryptographic properties that make these s-boxes useful in practice. We compute the TO values of each of these 10 s-boxes (denoted as F ) and their extended affine equivalent ones (denoted as G).…”

Section: To Of S-boxes In the Same (Extended) Affine Equivalence Classesmentioning

confidence: 99%

Redefining the transparency order

Chakraborty

Sarkar²,

Maitra

et al. 2016

Des. Codes Cryptogr.

View full text Add to dashboard Cite

Abstract. In this paper, we consider the multi-bit Differential Power Analysis (DPA) in the Hamming weight model. In this regard, we revisit the definition of Transparency Order (TO) from the work of Prouff (FSE 2005) and find that the definition has certain limitations. Although this work has been quite well referred in the literature, surprisingly, these limitations remained unexplored for almost a decade. We analyse the definition from scratch, modify it and finally provide a definition with better insight that can theoretically capture DPA in Hamming weight model for hardware implementation with precharge logic. At the end, we confront the notion of (revised) transparency order with attack simulations in order to study to what extent the low transparency order of an s-box impacts the efficiency of a side channel attack against its processing. To the best of our knowledge, this is the first time that such a critical analysis is conducted (even considering the original notion of Prouff). It practically confirms that the transparency order is indeed related to the resistance of the s-box against side-channel attacks, but it also shows that it is not sufficient alone to directly achieve a satisfying level of security. Regarding this point, our conclusion is that the (revised) transparency order is a valuable criterion to consider when designing a cryptographic algorithm, and even if it does not preclude to also use classical countermeasures like masking or shuffling, it enables to improve their effectiveness.

show abstract

Threshold implementations of small S-boxes

Cited by 42 publications

References 33 publications

An Efficient Side-Channel Protected AES Implementation with Arbitrary Protection Order

An Efficient Side-Channel Protected AES Implementation with Arbitrary Protection Order

Side-Channel Hardware Trojan for Provably-Secure SCA-Protected Implementations

Redefining the transparency order

Contact Info

Product

Resources

About