Toward More Efficient DPA-Resistant AES Hardware Architecture Based on Threshold Implementation

Abstract

This paper presents a highly efficient AES hardware architecture resistant to differential power analyses (DPAs) on the basis of threshold implementation (TI). In contrast to other conventional masking schemes, the major feature of TI is to guarantee DPA-resistance under d-probing condition at the resister-transfer level (RTL). On the other hand, TI utilizes pipelining techniques between the non-linear functions to avoid propagating glitches, which would lead to non-negligible overheads of circuit area and latency. In this paper, we first propose a compact first-order TI-based AES S-box which has a major effect on the performance and DPA-resistance of AES hardware. The proposed S-box exploits a state-of-the-art TI construction with \(d+1\) shares in addition to the algebraic characteristics of AES S-box. We then propose an efficient AES hardware architecture suitable with the above TI-based S-box. The architectural advantage is given by register-retiming and tower-field arithmetic techniques. The performance of the proposed AES hardware was evaluated in comparison with that of conventional best ones. The logic synthesis result suggests that the proposed AES hardware architecture achieves more compact and 11–21% lower-latency than the conventional ones, which indicates that the proposed architecture can perform encryption based on TI with the lowest-energy. We also confirm the DPA-resistance of the proposed AES hardware by the Test Vector Leakage Assessment (TVLA) methodology with its FPGA implementation.

Appendix: First-Order TI-Based \(GF((2^2)^2)\) Inversion with \(d+1\) Input Shares

Let \(a^{(n)}\) and \(a_{i}^{(n)}\) \((0 \le n \le 3, 0 \le i \le 1)\) be the nth bit of input and its shares, respectively. Let \(c^{(n)}\) and \(c_{j}^{(n)}\) \((0 \le j \le 7)\) be the nth bit of output and its shares, respectively. Here, the least-significant bits correspond to \(a_{i}^{(0)}\) and \(c_{j}^{(0)}\).

$$\begin{aligned} c_0^{(0)}= & {} a_0^{(1)}a_0^{(2)}a_0^{(3)} + a_0^{(1)}a_0^{(3)} + a_0^{(2)}, \end{aligned}$$

(1)

$$\begin{aligned} c_0^{(1)}= & {} a_0^{(0)}a_0^{(2)}a_0^{(3)} + a_0^{(0)}a_0^{(3)} + a_0^{(2)}, \end{aligned}$$

(2)

$$\begin{aligned} c_0^{(2)}= & {} a_0^{(0)}a_0^{(1)}a_0^{(3)} + a_0^{(1)}a_0^{(3)} + a_0^{(0)}, \end{aligned}$$

(3)

$$\begin{aligned} c_0^{(3)}= & {} a_0^{(0)}a_0^{(1)}a_0^{(2)} + a_0^{(1)}a_0^{(2)} + a_0^{(0)}, \end{aligned}$$

(4)

$$\begin{aligned} c_1^{(0)}= & {} a_0^{(1)}a_0^{(2)}a_1^{(3)} + a_0^{(1)}a_0^{(2)} + a_0^{(0)}a_1^{(3)}, \end{aligned}$$

(5)

$$\begin{aligned} c_1^{(1)}= & {} a_0^{(0)}a_0^{(2)}a_1^{(3)} + a_0^{(0)}a_1^{(3)}, \end{aligned}$$

(6)

$$\begin{aligned} c_1^{(2)}= & {} a_0^{(0)}a_0^{(1)}a_1^{(3)} + a_0^{(1)}a_1^{(3)}, \end{aligned}$$

(7)

$$\begin{aligned} c_1^{(3)}= & {} a_0^{(0)}a_0^{(1)}a_1^{(2)} + a_0^{(1)}a_1^{(2)}, \end{aligned}$$

(8)

$$\begin{aligned} c_2^{(0)}= & {} a_0^{(1)}a_1^{(2)}a_0^{(3)} + a_0^{(0)}a_1^{(2)} + a_0^{(0)}a_0^{(3)}, \end{aligned}$$

(9)

$$\begin{aligned} c_2^{(1)}= & {} a_0^{(0)}a_1^{(2)}a_0^{(3)} + a_0^{(1)}a_0^{(3)} + a_0^{(3)}, \end{aligned}$$

(10)

$$\begin{aligned} c_2^{(2)}= & {} a_0^{(0)}a_1^{(1)}a_0^{(3)} + a_1^{(1)}a_0^{(2)} + a_0^{(0)}a_0^{(2)}, \end{aligned}$$

(11)

$$\begin{aligned} c_2^{(3)}= & {} a_0^{(0)}a_1^{(1)}a_0^{(2)} + a_1^{(1)}a_1^{(3)} + a_1^{(1)}, \end{aligned}$$

(12)

$$\begin{aligned} c_3^{(0)}= & {} a_0^{(1)}a_1^{(2)}a_1^{(3)} + a_0^{(0)}a_1^{(3)}, \end{aligned}$$

(13)

$$\begin{aligned} c_3^{(1)}= & {} a_0^{(0)}a_1^{(2)}a_1^{(3)} + a_0^{(1)}a_1^{(3)}, \end{aligned}$$

(14)

$$\begin{aligned} c_3^{(2)}= & {} a_0^{(0)}a_1^{(1)}a_1^{(3)} + a_0^{(0)}a_1^{(2)} + a_1^{(1)}a_1^{(2)}, \end{aligned}$$

(15)

$$\begin{aligned} c_3^{(3)}= & {} a_0^{(0)}a_1^{(1)}a_1^{(2)} + a_1^{(1)}a_0^{(3)}, \end{aligned}$$

(16)

$$\begin{aligned} c_4^{(0)}= & {} a_1^{(1)}a_0^{(2)}a_0^{(3)} + a_1^{(1)}a_0^{(3)}, \end{aligned}$$

(17)

$$\begin{aligned} c_4^{(1)}= & {} a_1^{(0)}a_0^{(2)}a_0^{(3)} + a_1^{(1)}a_0^{(3)}, \end{aligned}$$

(18)

$$\begin{aligned} c_4^{(2)}= & {} a_1^{(0)}a_0^{(1)}a_0^{(3)} + a_1^{(0)}a_0^{(2)} + a_0^{(1)}a_0^{(2)}, \end{aligned}$$

(19)

$$\begin{aligned} c_4^{(3)}= & {} a_1^{(0)}a_0^{(1)}a_0^{(2)} + a_0^{(1)}a_1^{(3)},\end{aligned}$$

(20)

$$\begin{aligned} c_5^{(0)}= & {} a_1^{(1)}a_0^{(2)}a_1^{(3)} + a_1^{(0)}a_0^{(2)}, \end{aligned}$$

(21)

$$\begin{aligned} c_5^{(1)}= & {} a_1^{(0)}a_0^{(2)}a_1^{(3)} + a_1^{(1)}a_1^{(3)} + a_1^{(3)}, \end{aligned}$$

(22)

$$\begin{aligned} c_5^{(2)}= & {} a_1^{(0)}a_0^{(1)}a_1^{(3)} + a_0^{(1)}a_1^{(2)} + a_1^{(0)}a_1^{(2)}, \end{aligned}$$

(23)

$$\begin{aligned} c_5^{(3)}= & {} a_1^{(0)}a_0^{(1)}a_1^{(2)} + a_0^{(1)}a_0^{(3)} + a_0^{(3)}, \end{aligned}$$

(24)

$$\begin{aligned} c_6^{(0)}= & {} a_1^{(1)}a_1^{(2)}a_0^{(3)} + a_1^{(0)}a_1^{(2)} + a_1^{(0)}a_0^{(3)}, \end{aligned}$$

(25)

$$\begin{aligned} c_6^{(1)}= & {} a_1^{(0)}a_1^{(2)}a_0^{(3)} + a_1^{(0)}a_0^{(3)}, \end{aligned}$$

(26)

$$\begin{aligned} c_6^{(2)}= & {} a_1^{(0)}a_1^{(1)}a_0^{(3)} + a_1^{(1)}a_0^{(3)}, \end{aligned}$$

(27)

$$\begin{aligned} c_6^{(3)}= & {} a_1^{(0)}a_1^{(1)}a_0^{(2)} + a_1^{(1)}a_0^{(2)}, \end{aligned}$$

(28)

$$\begin{aligned} c_7^{(0)}= & {} a_1^{(1)}a_1^{(2)}a_1^{(3)} + a_1^{(1)}a_1^{(3)} + a_1^{(2)}, \end{aligned}$$

(29)

$$\begin{aligned} c_7^{(1)}= & {} a_1^{(0)}a_1^{(2)}a_1^{(3)} + a_1^{(0)}a_1^{(3)} + a_1^{(2)}, \end{aligned}$$

(30)

$$\begin{aligned} c_7^{(2)}= & {} a_1^{(0)}a_1^{(1)}a_1^{(3)} + a_1^{(1)}a_1^{(3)} + a_1^{(0)}, \end{aligned}$$

(31)

$$\begin{aligned} c_7^{(3)}= & {} a_1^{(0)}a_1^{(1)}a_1^{(2)} + a_1^{(1)}a_1^{(2)} + a_1^{(0)}. \end{aligned}$$

(32)