
Higher-Order Glitch Resistant Implementation of the PRESENT S-Box

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9024)

Abstract

Glitches, occurring from the unwanted switching of CMOS gates, have been shown to leak information even when side-channel countermeasures are applied to hardware cryptosystems. The polynomial masking scheme presented at CHES 2011 by Roche et al. is a method that offers provable security against side-channel analysis at any order, even in the presence of glitches. The method is based on Shamir’s secret sharing and its computations rely on a secure multi-party computation protocol. At CHES 2013, Moradi et al. presented a first-order glitch resistant implementation of the AES S-box based on this method. Their work showed that the area and speed overheads resulting from the polynomial masking are high. In this paper, we present a first-order glitch resistant implementation of the PRESENT S-box, which is designed for lightweight applications and therefore has lower area and randomness requirements. Moreover, we provide a second-order glitch resistant implementation of this S-box and observe the increase in implementation requirements.


References

  1. Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation. In: Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, pp. 1–10. ACM, New York, NY, USA (1988)
  2. Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007)
  3. Carlet, C., Goubin, L., Prouff, E., Quisquater, M., Rivain, M.: Higher-order masking schemes for S-boxes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 366–384. Springer, Heidelberg (2012)
  4. Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 398–412. Springer, Heidelberg (1999)
  5. Cooper, J., De Mulder, E., Goodwill, G., Jaffe, J., Kenworthy, G., Rohatgi, P.: Test vector leakage assessment (TVLA) methodology in practice. In: International Cryptographic Module Conference (2013). http://icmc-2013.org/wp/wp-content/uploads/2013/09/goodwillkenworthtestvector.pdf
  6. Crama, Y., Hammer, P.L.: Boolean Models and Methods in Mathematics, Computer Science, and Engineering, 1st edn. Cambridge University Press, New York (2010)
  7. Goodwill, G., Jun, B., Jaffe, J., Rohatgi, P.: A testing methodology for side-channel resistance validation. In: NIST Non-Invasive Attack Testing Workshop (2011). http://csrc.nist.gov/news_events/non-invasive-attack-testing-workshop/papers/08_Goodwill.pdf
  8. Goubin, L., Patarin, J.: DES and differential power analysis. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 158–172. Springer, Heidelberg (1999)
  9. Guo, J., Peyrin, T., Poschmann, A.: The PHOTON family of lightweight hash functions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 222–239. Springer, Heidelberg (2011)
  10. Guo, J., Peyrin, T., Poschmann, A., Robshaw, M.: The LED block cipher. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 326–341. Springer, Heidelberg (2011)
  11. ISO/IEC: ISO/IEC 29192-2. Information technology – Security techniques – Lightweight cryptography – Part 2: Block ciphers. ISO/IEC (2012)
  12. Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)
  13. Mangard, S., Popp, T., Gammel, B.M.: Side-channel leakage of masked CMOS gates. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 351–365. Springer, Heidelberg (2005)
  14. Mangard, S., Pramstaller, N., Oswald, E.: Successfully attacking masked AES hardware implementations. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 157–171. Springer, Heidelberg (2005)
  15. Messerges, T.S.: Using second-order power analysis to attack DPA resistant software. In: Paar, C., Koç, Ç.K. (eds.) CHES 2000. LNCS, vol. 1965, pp. 238–251. Springer, Heidelberg (2000)
  16. Moradi, A., Mischke, O.: On the simplicity of converting leakages from multivariate to univariate. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 1–20. Springer, Heidelberg (2013)
  17. NanGate Open Cell Library. http://www.nangate.com/
  18. Nikova, S., Rechberger, C., Rijmen, V.: Threshold implementations against side-channel attacks and glitches. In: Ning, P., Qing, S., Li, N. (eds.) ICICS 2006. LNCS, vol. 4307, pp. 529–545. Springer, Heidelberg (2006)
  19. Poschmann, A., Ling, S., Wang, H.: 256 bit standardized crypto for 650 GE – GOST revisited. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 219–233. Springer, Heidelberg (2010)
  20. Prouff, E., Roche, T.: Higher-order glitches free implementation of the AES using secure multi-party computation. IACR Cryptology ePrint Archive 2011, 413 (2011)
  21. Research Center for Information Security, National Institute of Advanced Industrial Science and Technology: Side-channel Attack Standard Evaluation Board SASEBO-G Specification
  22. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)
  23. Tiri, K., Verbauwhede, I.: A logic level design methodology for a secure DPA resistant ASIC or FPGA implementation. In: Proceedings of the Conference on Design, Automation and Test in Europe (DATE 2004), vol. 1, p. 10246. IEEE Computer Society, Washington, DC, USA (2004)
  24. Tunstall, M., Benoit, O.: Efficient use of random delays in embedded software. In: Sauveron, D., Markantonakis, K., Bilas, A., Quisquater, J.-J. (eds.) WISTP 2007. LNCS, vol. 4462, pp. 27–38. Springer, Heidelberg (2007)
  25. Welch, B.L.: The generalization of ‘Student’s’ problem when several different population variances are involved. Biometrika 34(1/2), 28–35 (1947)


Acknowledgments

This work has been supported in part by the Research Council of KU Leuven (OT/13/071 and GOA/11/007), by the FWO (g.0550.12) and by the Hercules foundation (AKUL/11/19). Begül Bilgin was partially supported by the FWO project G0B4213N. Oscar Reparaz is funded by a PhD fellowship of the Fund for Scientific Research - Flanders (FWO).

Author information

Corresponding author: Thomas De Cnudde.

Appendices

Appendix A: Finite Field Multiplier

The combinational finite field multiplier in \(\mathbb {F}_{2^4}\) used in our implementation is based on the algebraic normal form. The 4-bit inputs \(A=(a_3,a_2,a_1,a_0)\) and \(B=(b_3,b_2,b_1,b_0)\) produce the output \(C=(c_3,c_2,c_1,c_0)\) through the following bitwise operations:

$$\begin{aligned} c_0&= (a_0 b_0) + (a_1 b_3) + (a_2 b_2) + (a_3 b_1) \\ c_1&= (a_0 b_1) + (a_1 b_0) + (a_1 b_3) + (a_2 b_2) + (a_2 b_3) + (a_3 b_1) + (a_3 b_2) \\ c_2&= (a_0 b_2) + (a_1 b_1) + (a_2 b_0) + (a_2 b_3) + (a_3 b_2) + (a_3 b_3) \\ c_3&= (a_0 b_3) + (a_1 b_2) + (a_2 b_1) + (a_3 b_0) + (a_3 b_3) \end{aligned}$$

where A, B and C are in little-endian notation.

Appendix B: Polynomial Masking Scheme with (5,2)-sharing

This section lists the equations for the construction of, reconstruction from and operations on the shares when considering a (5,2)-sharing. We refer to [16] for a full coverage of the operations in the (3,1)-sharing scheme. In what follows, all additions and multiplications are in \(\mathbb {F}_{2^4}\).

First, five distinct non-zero elements in \(\mathbb {F}_{2^4}\) need to be chosen. These are referred to as the public coefficients \(\alpha _{1 \le i \le 5}\). Together with these points, the first row \((\lambda _1,\ldots,\lambda _5)\) of the inverse Vandermonde matrix \((\alpha _i^j)_{1\le i,j \le 5}\) is needed. These interpolation coefficients can be calculated as:

$$\begin{aligned} \lambda _1 = \alpha _2 (\alpha _1 + \alpha _2)^{-1} \alpha _3 (\alpha _1 + \alpha _3)^{-1} \alpha _4 (\alpha _1 + \alpha _4)^{-1} \alpha _5 (\alpha _1 + \alpha _5)^{-1} \\ \lambda _2 = \alpha _1 (\alpha _2 + \alpha _1)^{-1} \alpha _3 (\alpha _2 + \alpha _3)^{-1} \alpha _4 (\alpha _2 + \alpha _4)^{-1} \alpha _5 (\alpha _2 + \alpha _5)^{-1} \\ \lambda _3 = \alpha _1 (\alpha _3 + \alpha _1)^{-1} \alpha _2 (\alpha _3 + \alpha _2)^{-1} \alpha _4 (\alpha _3 + \alpha _4)^{-1} \alpha _5 (\alpha _3 + \alpha _5)^{-1} \\ \lambda _4 = \alpha _1 (\alpha _4 + \alpha _1)^{-1} \alpha _2 (\alpha _4 + \alpha _2)^{-1} \alpha _3 (\alpha _4 + \alpha _3)^{-1} \alpha _5 (\alpha _4 + \alpha _5)^{-1} \\ \lambda _5 = \alpha _1 (\alpha _5 + \alpha _1)^{-1} \alpha _2 (\alpha _5 + \alpha _2)^{-1} \alpha _3 (\alpha _5 + \alpha _3)^{-1} \alpha _4 (\alpha _5 + \alpha _4)^{-1} \end{aligned}$$

Here, the multiplicative inverse in our field is represented by \((\cdot)^{-1}\). Elements \(\alpha _{1 \le i \le 5}\) and \( \lambda _{1 \le i \le 5}\) are publicly available to all five players.

Sharing a value X requires two secret and random coefficients \(a_1\), \(a_2\) and the public coefficients \(\alpha _{1 \le i \le 5}\). The resulting shares \(X_{1 \le i \le 5}\) are calculated as:

$$\begin{aligned} X_i = X + (a_1 \alpha _i) + (a_2 \alpha _i^2) \text {, with } 1 \le i \le 5 \end{aligned}$$

Each player receives exactly one share \(X_i\) and has no access to any other share.

Reconstruction of the secret value X requires the interpolation coefficients \(\lambda _{1 \le i \le 5}\):

$$\begin{aligned} X = (X_1 \lambda _1) + (X_2 \lambda _2) + (X_3 \lambda _3) + (X_4 \lambda _4) + (X_5 \lambda _5) \end{aligned}$$

To describe the operations, a constant value will be represented as c and two secret values as X and Y. Their (5,2)-sharings are given by \(X_{1 \le i \le 5}\) and \(Y_{1 \le i \le 5}\). Both are masked with the same public coefficients but use independent random secret coefficients \(a_1, a_2\) and \(b_1, b_2\).

Addition with a constant can be achieved by each player independently as:

$$\begin{aligned} Z_i&= \, X_i + c \\&= (X + (a_1 \alpha _i) + (a_2 \alpha _i^2)) + c\\&= (X + c) + (a_1 \alpha _i) + (a_2 \alpha _i^2)\text {, with }1 \le i \le 5 \end{aligned}$$

The resulting shares of the addition represent the correct new secret \(Z=X + c\).

Multiplication with a constant is performed in a similar way and can again be achieved by each player independently:

$$\begin{aligned} Z_i&= \, X_i c \\&= (X + (a_1 \alpha _i) + (a_2 \alpha _i^2)) c \\&= (X c) + (a_1 c \alpha _i) + (a_2 c \alpha _i^2) \text {, with }1 \le i \le 5 \end{aligned}$$

Considering \(a_1 c\) and \(a_2 c\) as the new coefficients of the second-order polynomial, the shares \(Z_{1 \le i \le 5}\) represent the desired output \(Z = X c\). Note that the reconstruction of the masked secret variable does not depend on the polynomial coefficients \(a_1\), \(a_2\), but on the interpolation coefficients \(\lambda _{1 \le i \le 5}\), which only depend on the public coefficients \(\alpha _{1 \le i\le 5}\).

Addition of two shared secrets is executed in the following way:

$$\begin{aligned} Z_i&= \, X_i + Y_i \\&= (X + (a_1 \alpha _i) + (a_2 \alpha _i^2)) + (Y + (b_1 \alpha _i) + (b_2 \alpha _i^2)) \\&=(X + Y) + ((a_1 + b_1) \alpha _i) + ((a_2 + b_2) \alpha _i^2)\text {, with } 1 \le i \le 5 \end{aligned}$$

With \(a_1 + b_1\) and \(a_2 + b_2\) as the new polynomial coefficients, the resulting shares mask the desired new secret variable \(Z=X + Y\).

Multiplication of two shared secrets consists of the following three steps:

  1. Each player i first computes \(t_i\):

     $$\begin{aligned} t_i =\;&X_i Y_i \\ =\;&(X Y) + (a_1 Y + b_1 X) \alpha _i + (a_1 b_1 + a_2 Y + b_2 X) \alpha _i^2 \\&+ (a_1 b_2 + b_1 a_2) \alpha _i^3 + (a_2 b_2) \alpha _i^4\text {, with } 1 \le i \le 5 \end{aligned}$$

  2. Each player i then randomly selects two coefficients \(a_{i,1}\), \(a_{i,2}\) and remasks \(t_i\):

     $$\begin{aligned} q_{i,1}=t_i + (a_{i,1} \alpha _1) + (a_{i,2} \alpha _1^2) \\ q_{i,2}=t_i + (a_{i,1} \alpha _2) + (a_{i,2} \alpha _2^2) \\ q_{i,3}=t_i + (a_{i,1} \alpha _3) + (a_{i,2} \alpha _3^2) \\ q_{i,4}=t_i + (a_{i,1} \alpha _4) + (a_{i,2} \alpha _4^2) \\ q_{i,5}=t_i + (a_{i,1} \alpha _5) + (a_{i,2} \alpha _5^2) \end{aligned}$$

     Each \(q_{i,j}\) with \(j \ne i\) is subsequently sent to the corresponding player j.

  3. The values \(q_{1,i}, \ldots, q_{5,i}\) received by each player i are then combined into the new share

     $$\begin{aligned} Z_i = (q_{1,i} \lambda _1) + (q_{2,i} \lambda _2) + (q_{3,i} \lambda _3) + (q_{4,i} \lambda _4) + (q_{5,i} \lambda _5) \end{aligned}$$

This sequence of operations gives the shares corresponding to the correct masked result \(Z = X Y\) in a secure way: \(t_i\) is a degree-4 polynomial in \(\alpha _i\), so the five interpolation coefficients recover its constant term \(XY\), while the remasking in step 2 brings the result back to a fresh second-order sharing.

Squaring a shared secret, i.e. computing \(Z=X^2\), can only be done in the straightforward (local) way,

$$\begin{aligned} Z_i = X_i^2 = X^2 + (a_1^2 \alpha _i^2) + (a_2^2 (\alpha _i^2)^2)\text {, with } 1 \le i \le 5 \end{aligned}$$

when the public coefficients \(\alpha _{1 \le i \le 5}\) satisfy the condition for Frobenius stability: for every \(\alpha _i\), there exists an \(\alpha _j\) such that \(\alpha _j = \alpha _i^2\). The squared share \(X_i^2\) is a share evaluated at the point \(\alpha _i^2 = \alpha _j\), so a reordering between every player i and player j satisfying \(\alpha _j = \alpha _i^2\) is required to keep the correct public coefficient linked to its player. When this reordering is not performed, the correct masked secret \(Z = X^2\) cannot be reconstructed.
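The following is an added, runnable illustration of Appendix A and Appendix B together; it is not the paper's code. It assumes the ANF equations of Appendix A are multiplication modulo \(x^4 + x + 1\) (they are, term for term) and uses a constructed set of public points, `ALPHA = [1, 2, 3, 4, 5]`, chosen because it is also closed under squaring so that the reordering for the squaring step can be shown.

```python
import secrets

def gf16_mul(a, b):
    """Appendix A bitwise multiplier in GF(2^4); its ANF equals reduction mod x^4 + x + 1."""
    a0, a1, a2, a3 = [(a >> k) & 1 for k in range(4)]
    b0, b1, b2, b3 = [(b >> k) & 1 for k in range(4)]
    c0 = (a0 & b0) ^ (a1 & b3) ^ (a2 & b2) ^ (a3 & b1)
    c1 = (a0 & b1) ^ (a1 & b0) ^ (a1 & b3) ^ (a2 & b2) ^ (a2 & b3) ^ (a3 & b1) ^ (a3 & b2)
    c2 = (a0 & b2) ^ (a1 & b1) ^ (a2 & b0) ^ (a2 & b3) ^ (a3 & b2) ^ (a3 & b3)
    c3 = (a0 & b3) ^ (a1 & b2) ^ (a2 & b1) ^ (a3 & b0) ^ (a3 & b3)
    return c0 | (c1 << 1) | (c2 << 2) | (c3 << 3)

def gf16_inv(a):
    """Multiplicative inverse by exhaustive search (only 16 elements)."""
    return next(x for x in range(1, 16) if gf16_mul(a, x) == 1)

# Constructed public points alpha_1..alpha_5: distinct, non-zero and closed under
# squaring (1,2,3,4,5 -> 1,4,5,3,2), so square_shared() below can reorder shares.
ALPHA = [1, 2, 3, 4, 5]

def lagrange_coeffs(alpha):
    """lambda_i = prod_{j != i} alpha_j (alpha_i + alpha_j)^-1 (first row of inverse Vandermonde)."""
    lam = []
    for i, ai in enumerate(alpha):
        l = 1
        for j, aj in enumerate(alpha):
            if j != i:
                l = gf16_mul(l, gf16_mul(aj, gf16_inv(ai ^ aj)))
        lam.append(l)
    return lam
LAMBDA = lagrange_coeffs(ALPHA)

def share(x, a1, a2):
    """X_i = X + a1*alpha_i + a2*alpha_i^2, one share per player."""
    return [x ^ gf16_mul(a1, a) ^ gf16_mul(a2, gf16_mul(a, a)) for a in ALPHA]

def reconstruct(shares):
    """X = sum_i X_i * lambda_i (exact for any polynomial of degree <= 4 in alpha)."""
    z = 0
    for s, l in zip(shares, LAMBDA):
        z ^= gf16_mul(s, l)
    return z

def mul_shared(xs, ys, rnd=secrets.randbelow):
    """Three-step secure multiplication of Appendix B: returns a fresh (5,2)-sharing of X*Y."""
    t = [gf16_mul(xi, yi) for xi, yi in zip(xs, ys)]            # step 1: t_i = X_i Y_i
    q = [share(ti, rnd(16), rnd(16)) for ti in t]               # step 2: q_{i,1..5}, fresh randomness
    return [reconstruct([q[i][j] for i in range(5)]) for j in range(5)]  # step 3: Z_j from q_{.,j}

def square_shared(xs):
    """Local squaring plus the reordering that hands X_i^2 to the player whose point is alpha_i^2."""
    z = [0] * 5
    for i, a in enumerate(ALPHA):
        z[ALPHA.index(gf16_mul(a, a))] = gf16_mul(xs[i], xs[i])
    return z
```

Dropping the reordering in `square_shared` (returning `[gf16_mul(x, x) for x in xs]` directly) makes `reconstruct` return a wrong value for most inputs, which is the failure the appendix warns about.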

Appendix C: Second-order Hardware Architecture

Fig. 5. Architecture diagram for the second-order PRESENT implementation.

Appendix D: Area Requirements for the First-Order and Second-Order PRESENT S-box Implementations

Table 3. Area in GE of the first-order and second-order PRESENT S-box implementations.

Appendix E: Welch’s t-Test

An easy way to test for potential side-channel leakages, which might lead to a successful attack on a cryptographic system, is proposed by Goodwill et al. [7]. Because it does not depend on a leakage model, this method is a convenient way to test whether or not the implementation of the device effectively counteracts SCA attacks. Although no single test can guarantee the revelation of all vulnerabilities against all possible SCA attacks, this test is designed to be sensitive enough to cover a wide range of potential problems. After acquisition of a sufficient number of power traces, the traces are divided into two sets, A and B, based on an intermediate value in the computation. The problem of assessing whether there is potentially exploitable leakage or not is then formulated as a hypothesis test. The null hypothesis corresponds to the statement "the mean power curves of A and B are data-independent". The statistical test is Welch’s t-test, a generalization of Student’s t-test allowing samples to have unequal variances [25]. For the first statistical moment, the t-test statistic is calculated as:

$$\begin{aligned} t = \frac{\overline{T_a}-\overline{T_b}}{\sqrt{\frac{s_a^2}{N_a}+\frac{s_b^2}{N_b}}} \end{aligned}$$

where \(\overline{T_i}\), \(s_i^2\), \(N_i\) are the sample mean, sample variance and sample size of the set \(T_i\), \(i \in \{a,b\}\). This formula can easily be extended to higher statistical moments.

The t-test statistic is computed point-wise on the different sets of power traces. If no point exceeds a certain confidence threshold \(\pm C\), then the null hypothesis holds, indicating that there is no relation between the processed intermediate value and the instantaneous power consumption. In case the threshold is crossed, another t-test is performed on an independent set of traces. When the t-test statistic exceeds \(\pm C\) at the same points in time, the null hypothesis can be rejected with a significance level related to C. In that case, the alternative hypothesis holds, indicating that the power consumption and the intermediate values are related in a statistically significant way, making the device potentially vulnerable to SCA attacks.
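The point-wise test and the two-acquisition confirmation step described above, as an added example that is not part of the paper: the traces are constructed (Gaussian noise with a data-dependent offset injected at one sample index of set A), and the default threshold `c=4.5` is an assumption taken from common practice with this methodology, not a value given in the appendix.

```python
import math
import random

def welch_t(sample_a, sample_b):
    """Welch's t statistic of Appendix E for the first moment (unbiased sample variances)."""
    na, nb = len(sample_a), len(sample_b)
    ma, mb = sum(sample_a) / na, sum(sample_b) / nb
    va = sum((v - ma) ** 2 for v in sample_a) / (na - 1)
    vb = sum((v - mb) ** 2 for v in sample_b) / (nb - 1)
    den = math.sqrt(va / na + vb / nb)
    if den == 0.0:                       # degenerate constant traces: avoid a ZeroDivisionError
        return 0.0 if ma == mb else math.copysign(math.inf, ma - mb)
    return (ma - mb) / den

def pointwise_t(traces_a, traces_b):
    """t statistic per time sample; each trace is a list of sample values of equal length."""
    n_points = len(traces_a[0])
    return [welch_t([tr[p] for tr in traces_a], [tr[p] for tr in traces_b])
            for p in range(n_points)]

def leaking_points(traces_a, traces_b, c=4.5):
    """Sample indices where |t| exceeds the confidence threshold C (4.5 is an assumed value)."""
    return [p for p, t in enumerate(pointwise_t(traces_a, traces_b)) if abs(t) > c]

def confirmed_leakage(first_sets, second_sets, c=4.5):
    """Two-pass decision of Appendix E: a point counts only if it crosses +-C in the first
    acquisition and again at the same time index in an independent second acquisition."""
    first = set(leaking_points(*first_sets, c=c))
    second = set(leaking_points(*second_sets, c=c))
    return sorted(first & second)

def make_traces(n, n_points, leak_point, leak_amp, seed):
    """Constructed traces: unit Gaussian noise, plus a data-dependent offset of leak_amp
    at one sample index in set A only. Returns (traces_a, traces_b)."""
    rng = random.Random(seed)
    traces_a = [[rng.gauss(0.0, 1.0) + (leak_amp if p == leak_point else 0.0)
                 for p in range(n_points)] for _ in range(n)]
    traces_b = [[rng.gauss(0.0, 1.0) for p in range(n_points)] for _ in range(n)]
    return traces_a, traces_b

if __name__ == "__main__":
    run1 = make_traces(400, 8, leak_point=3, leak_amp=1.0, seed=1)
    run2 = make_traces(400, 8, leak_point=3, leak_amp=1.0, seed=2)
    print("sample indices exceeding the threshold in both runs:", confirmed_leakage(run1, run2))
```

With 400 traces per set and an offset of one noise standard deviation, the expected statistic at the leaking index is about \(1/\sqrt{2/400} \approx 14\), far above the threshold, while the non-leaking indices stay near zero.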

Figure 6 shows the resulting t-test statistic in case the alternate hypothesis holds.

Fig. 6. Result of the t-test for the first-order PRESENT implementation with biased masks.

Copyright information

© 2015 Springer International Publishing Switzerland

Cite this paper

De Cnudde, T., Bilgin, B., Reparaz, O., Nikova, S. (2015). Higher-Order Glitch Resistant Implementation of the PRESENT S-Box. In: Ors, B., Preneel, B. (eds) Cryptography and Information Security in the Balkans. BalkanCryptSec 2014. Lecture Notes in Computer Science, vol 9024. Springer, Cham. https://doi.org/10.1007/978-3-319-21356-9_6

  • DOI: https://doi.org/10.1007/978-3-319-21356-9_6
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-21355-2
  • Online ISBN: 978-3-319-21356-9