Journal of Cryptology, Volume 24, Issue 2, pp. 322–345

Side-Channel Resistant Crypto for Less than 2,300 GE

  • Axel Poschmann (corresponding author)
  • Amir Moradi
  • Khoongming Khoo
  • Chu-Wee Lim
  • Huaxiong Wang
  • San Ling

Abstract

A provably secure countermeasure against first-order side-channel attacks, the threshold implementation scheme, was proposed by Nikova et al. (ICICS 2006, Lecture Notes in Computer Science, vol. 4307, pp. 529–545, Springer, Berlin, 2006 [27]). We have implemented the lightweight block cipher PRESENT using this countermeasure. For this purpose we had to decompose the S-box used in PRESENT and split it into three shares that fulfill the properties required by the scheme of Nikova et al. (ICISC 2008, Lecture Notes in Computer Science, vol. 5461, pp. 218–234, Springer, Berlin, 2008 [28]), namely correctness, non-completeness and uniformity. Our experimental results on real-world power traces show that this countermeasure provides additional security. Post-synthesis figures for an ASIC implementation require only 2,300 GE, which makes this implementation suitable for low-cost passive RFID tags.
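The abstract states that the PRESENT S-box had to be decomposed before it could be split into three shares. The example below, which is added here and is not code from the paper, makes the reason and the three share properties concrete. It derives the algebraic normal form of a 4-bit S-box from its truth table, builds the "direct" three-share threshold implementation of Nikova et al. (every monomial of the expanded ANF is routed to an output share that does not read the same-numbered input share), and checks correctness, non-completeness and uniformity exhaustively over all 4096 shared inputs. The PRESENT S-box is cubic, so the direct construction refuses it; the quadratic permutation `G_SBOX` is a constructed stand-in for one factor of a decomposition and is not the factor used in the paper.

```python
"""Three-share threshold-implementation (TI) checks for a 4-bit S-box.

Added example, not the paper's code.  PRESENT_SBOX is the cipher's S-box;
G_SBOX is a constructed quadratic permutation used only to show the checks
passing, not the decomposition chosen in the paper.
"""
from collections import Counter
from itertools import product

N = 4                                            # S-box width in bits
INPUTS = range(1 << N)
SHARINGS = list(product(INPUTS, repeat=3))       # all (s0, s1, s2), x = s0^s1^s2

PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def anf(sbox):
    """ANF of each output bit as a set of monomial bitmasks (Moebius transform)."""
    out = []
    for b in range(N):
        c = [(sbox[x] >> b) & 1 for x in INPUTS]
        for i in range(N):
            for x in INPUTS:
                if x & (1 << i):
                    c[x] ^= c[x ^ (1 << i)]
        out.append({m for m in INPUTS if c[m]})
    return out


def degree(sbox):
    """Algebraic degree: size of the largest monomial in any output bit."""
    return max(bin(m).count("1") for masks in anf(sbox) for m in masks)


def direct_ti_possible(sbox):
    """A direct d+1-share TI needs degree d, so three shares need d <= 2."""
    return degree(sbox) <= 2


def shared_table(sbox):
    """Direct 3-share TI as a table {(s0,s1,s2): (y0,y1,y2)}.

    Rule: a term built only from input share p goes to output share (p+2)%3,
    a product of shares p != q goes to the third share 3-p-q.  Output share i
    therefore never reads input share i (non-completeness by construction)."""
    if not direct_ti_possible(sbox):
        raise ValueError("algebraic degree > 2: decompose the S-box first")
    monomials = anf(sbox)
    bit = lambda v, i: (v >> i) & 1
    table = {}
    for s in SHARINGS:
        y = [0, 0, 0]
        for b, masks in enumerate(monomials):
            for m in masks:
                var = [i for i in range(N) if bit(m, i)]
                if not var:                          # constant term -> share 0
                    y[0] ^= 1 << b
                elif len(var) == 1:                  # x_i = s0_i + s1_i + s2_i
                    for p in range(3):
                        y[(p + 2) % 3] ^= bit(s[p], var[0]) << b
                else:                                # x_i x_j expands to 9 products
                    i, j = var
                    for p, q in product(range(3), repeat=2):
                        dest = (p + 2) % 3 if p == q else 3 - p - q
                        y[dest] ^= (bit(s[p], i) & bit(s[q], j)) << b
        table[s] = tuple(y)
    return table


def check_ti(sbox):
    """Exhaustively verify the three TI properties of the direct sharing."""
    t = shared_table(sbox)
    correct = all(t[s][0] ^ t[s][1] ^ t[s][2] == sbox[s[0] ^ s[1] ^ s[2]]
                  for s in SHARINGS)
    # non-completeness: changing input share i alone never moves output share i
    non_complete = all(
        t[s][i] == t[s[:i] + (v,) + s[i + 1:]][i]
        for s in SHARINGS for i in range(3) for v in INPUTS)
    # uniformity: the 256 sharings of each unshared output are hit equally often
    hits = Counter(t.values())
    uniform = all(
        len({hits[o] for o in SHARINGS if o[0] ^ o[1] ^ o[2] == y}) == 1
        for y in INPUTS)
    return {"correct": correct, "non_complete": non_complete, "uniform": uniform}


def _g(x):
    """Constructed quadratic permutation (assumption, not the paper's factor):
    bits 0,1 pass through, bits 2,3 absorb a quadratic of those two bits."""
    x0, x1, x2, x3 = ((x >> i) & 1 for i in range(N))
    y2 = x2 ^ (x0 & x1) ^ x1
    y3 = x3 ^ (x0 & x1) ^ x0
    return x0 | (x1 << 1) | (y2 << 2) | (y3 << 3)


G_SBOX = [_g(x) for x in INPUTS]

if __name__ == "__main__":
    print("PRESENT S-box degree:", degree(PRESENT_SBOX),
          "-> direct 3-share TI possible:", direct_ti_possible(PRESENT_SBOX))
    print("G degree:", degree(G_SBOX), "->", check_ti(G_SBOX))
```

The uniformity check is the one that fails in practice: correctness and non-completeness follow from the routing rule, but uniformity depends on the particular function and is why an S-box is decomposed into factors whose sharings can be made uniform. For `G_SBOX` the shared map is a bijection on 12 bits (the pass-through bits of each share are visible in the output, so the quadratic corrections can be undone), which is exactly what uniformity means for a permutation with equal share counts.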

Key words

Side-channel attacks; Countermeasures; Secret sharing; Lightweight; ASIC


References

  [1] E. Biham, A. Shamir, Differential fault analysis of secret key cryptosystems, in Advances in Cryptology—CRYPTO 1997, ed. by B.S. Kaliski. Lecture Notes in Computer Science, vol. 1294 (Springer, Berlin, 1997), pp. 513–525
  [2] G.R. Blakley, Safeguarding cryptographic keys, in National Computer Conference (1979), pp. 313–317
  [3] A. Bogdanov, G. Leander, L. Knudsen, C. Paar, A. Poschmann, M. Robshaw, Y. Seurin, C. Vikkelsoe, PRESENT—an ultra-lightweight block cipher, in Cryptographic Hardware and Embedded Systems—CHES 2007, ed. by P. Paillier, I. Verbauwhede. Lecture Notes in Computer Science, vol. 4727 (Springer, Berlin, 2007), pp. 450–466
  [4] E. Brier, C. Clavier, F. Olivier, Correlation power analysis with a leakage model, in Cryptographic Hardware and Embedded Systems—CHES 2004. Lecture Notes in Computer Science, vol. 3156 (Springer, Berlin, 2004), pp. 16–29
  [5] C. Carlet, Vectorial (multi-output) Boolean functions for cryptography, in Boolean Methods and Models (Cambridge University Press, Cambridge, to appear)
  [6] S. Chari, C.S. Jutla, J.R. Rao, P. Rohatgi, Towards sound approaches to counteract power-analysis attacks, in Advances in Cryptology—CRYPTO 1999, ed. by M. Wiener. Lecture Notes in Computer Science, vol. 1666 (Springer, Berlin, 1999), pp. 398–412
  [7] T. Eisenbarth, T. Kasper, A. Moradi, C. Paar, M. Salmasizadeh, M.T.M. Shalmani, On the power of power analysis in the real world: a complete break of the KeeLoq code hopping scheme, in Advances in Cryptology—CRYPTO 2008. Lecture Notes in Computer Science, vol. 5157 (Springer, Berlin, 2008), pp. 203–220
  [8] M. Feldhofer, J. Wolkerstorfer, V. Rijmen, AES implementation on a grain of sand. IEE Proc. Inf. Secur. 152(1), 13–20 (2005)
  [9] P. Fišer, J. Hlavička, BOOM—a heuristic Boolean minimizer. Comput. Inf. 22(1), 19–51 (2003)
  [10] P. Fišer, J. Hlavička, Two-level Boolean minimizer BOOM-II, in Proceedings of the 6th International Workshop on Boolean Problems—IWSBP 2004 (2004), pp. 221–228
  [11] T. Good, M. Benaissa, Hardware results for selected stream cipher candidates. State of the Art of Stream Ciphers 2007 (SASC 2007), Workshop Record, February 2007. Available via www.ecrypt.eu.org/stream
  [12] P. Hämäläinen, T. Alho, M. Hännikäinen, T.D. Hämäläinen, Design and implementation of low-area and low-power AES encryption hardware core, in Euromicro Conference on Digital System Design—DSD 2006 (2006), pp. 577–583
  [13] C. Herbst, E. Oswald, S. Mangard, An AES smart card implementation resistant to power analysis attacks, in Applied Cryptography and Network Security—ACNS 2006. Lecture Notes in Computer Science, vol. 3989 (Springer, Berlin, 2006), pp. 239–252
  [14] D. Hong, J. Sung, S. Hong, J. Lim, S. Lee, B.S. Koo, C. Lee, D. Chang, J. Lee, K. Jeong, H. Kim, J. Kim, S. Chee, HIGHT: a new block cipher suitable for low-resource devices, in Cryptographic Hardware and Embedded Systems—CHES 2006, ed. by L. Goubin, M. Matsui. Lecture Notes in Computer Science, vol. 4249 (Springer, Berlin, 2006), pp. 46–59
  [15] A. Juels, S.A. Weis, Authenticating pervasive devices with human protocols, in Advances in Cryptology—CRYPTO 2005, ed. by V. Shoup. Lecture Notes in Computer Science, vol. 3621 (Springer, Berlin, 2005), pp. 293–308
  [16] L.F.A. Karpinskyy, M. Korkishko, Masked encryption algorithm mCrypton for resource-constrained devices, in IEEE Workshop on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications—IDAACS 2007 (2007), pp. 628–633
  [17] M. Khatir, A. Moradi, A. Ejlali, M.T. Manzuri Shalmani, M. Salmasizadeh, A secure and low-energy logic style using charge recovery approach, in International Symposium on Low Power Electronics and Design—ISLPED 2008 (ACM, New York, 2008), pp. 259–264
  [18] N.N., KeeLoq algorithm. Available via http://en.wikipedia.org/wiki/KeeLoq, November 2006
  [19] P.C. Kocher, Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems, in Advances in Cryptology—CRYPTO 1996, ed. by N.I. Koblitz. Lecture Notes in Computer Science, vol. 1109 (Springer, Berlin, 1996), pp. 104–113
  [20] P.C. Kocher, J. Jaffe, B. Jun, Differential power analysis, in Advances in Cryptology—CRYPTO 1999, ed. by M. Wiener. Lecture Notes in Computer Science, vol. 1666 (Springer, Berlin, 1999), pp. 388–397
  [21] G. Leander, C. Paar, A. Poschmann, K. Schramm, New lightweight DES variants, in Fast Software Encryption—FSE 2007. Lecture Notes in Computer Science, vol. 4593 (Springer, Berlin, 2007), pp. 196–210
  [22] C. Lim, T. Korkishko, mCrypton—a lightweight block cipher for security of low-cost RFID tags and sensors, in Workshop on Information Security Applications—WISA 2005, ed. by J. Song, T. Kwon, M. Yung. Lecture Notes in Computer Science, vol. 3786 (Springer, Berlin, 2005), pp. 243–258
  [23] F. Mace, F.-X. Standaert, J.-J. Quisquater, ASIC implementations of the block cipher SEA for constrained applications, in RFID Security—RFIDSec 2007, Workshop Record (Malaga, Spain, 2007), pp. 103–114
  [24] S. Mangard, E. Oswald, T. Popp, Power Analysis Attacks: Revealing the Secrets of Smart Cards (Springer, Berlin, 2007)
  [25] S. Mangard, N. Pramstaller, E. Oswald, Successfully attacking masked AES hardware implementations, in Cryptographic Hardware and Embedded Systems—CHES 2005. Lecture Notes in Computer Science, vol. 3659 (Springer, Berlin, 2005), pp. 157–171
  [26] A. Moradi, A. Poschmann, Lightweight cryptography and DPA countermeasures: a survey, in Workshop on Lightweight Cryptography—WLC 2010, Financial Cryptography and Data Security Workshops. Lecture Notes in Computer Science, vol. 6054 (Springer, Berlin, 2010), pp. 68–79
  [27] S. Nikova, C. Rechberger, V. Rijmen, Threshold implementations against side-channel attacks and glitches, in International Conference on Information and Communications Security—ICICS 2006, ed. by P. Ning, S. Qing, N. Li. Lecture Notes in Computer Science, vol. 4307 (Springer, Berlin, 2006), pp. 529–545
  [28] S. Nikova, V. Rijmen, M. Schläffer, Secure hardware implementations of non-linear functions in the presence of glitches, in International Conference on Information Security and Cryptology—ICISC 2008, ed. by P. Lee, J. Cheon. Lecture Notes in Computer Science, vol. 5461 (Springer, Berlin, 2008), pp. 218–234
  [29] S. Nikova, V. Rijmen, M. Schläffer, Secure hardware implementations of non-linear functions in the presence of glitches. J. Cryptol. (2010), special issue on hardware and security. doi:10.1007/s00145-010-9085-7
  [30] E. Oswald, S. Mangard, N. Pramstaller, V. Rijmen, A side-channel analysis resistant description of the AES S-box, in Fast Software Encryption—FSE 2005. Lecture Notes in Computer Science, vol. 3557 (Springer, Berlin, 2005), pp. 413–423
  [31] T. Popp, M. Kirschbaum, T. Zefferer, S. Mangard, Evaluation of the masked logic style MDPL on a prototype chip, in Cryptographic Hardware and Embedded Systems—CHES 2007. Lecture Notes in Computer Science, vol. 4727 (Springer, Berlin, 2007), pp. 81–94
  [32] T. Popp, S. Mangard, Masked dual-rail pre-charge logic: DPA-resistance without routing constraints, in Cryptographic Hardware and Embedded Systems—CHES 2005. Lecture Notes in Computer Science, vol. 3659 (Springer, Berlin, 2005), pp. 172–186
  [33] F. Regazzoni, A. Cevrero, F.-X. Standaert, S. Badel, T. Kluter, P. Brisk, Y. Leblebici, P. Ienne, A design flow and evaluation framework for DPA-resistant instruction set extensions, in Cryptographic Hardware and Embedded Systems—CHES 2009. Lecture Notes in Computer Science, vol. 5747 (Springer, Berlin, 2009), pp. 205–219
  [34] C. Rolfes, A. Poschmann, G. Leander, C. Paar, Ultra-lightweight implementations for smart devices—security for 1000 gate equivalents, in Smart Card Research and Advanced Applications—CARDIS 2008, ed. by G. Grimaud, F.-X. Standaert. Lecture Notes in Computer Science, vol. 5189 (Springer, Berlin, 2008), pp. 89–103
  [35] A. Shamir, How to share a secret. Commun. ACM 22(11), 612–613 (1979)
  [36] Side-channel Attack Standard Evaluation Board (SASEBO). Further information is available via http://www.rcis.aist.go.jp/special/SASEBO/index-en.html
  [37] D. Suzuki, M. Saeki, T. Ichikawa, DPA leakage models for CMOS logic circuits, in Cryptographic Hardware and Embedded Systems—CHES 2005. Lecture Notes in Computer Science, vol. 3659 (Springer, Berlin, 2005), pp. 366–382
  [38] Synopsys, Design Compiler user guide—version A-2007.12. Available via http://tinyurl.com/pon88o, December 2007
  [39] Synopsys, Power Compiler user guide—version A-2007.12. Available via http://tinyurl.com/lfqhy5, March 2007
  [40] National Security Agency, TEMPEST: a signal problem. Cryptol. Spectr. 2(3) (1972), declassified 2007
  [41] K. Tiri, M. Akmal, I. Verbauwhede, A dynamic and differential CMOS logic with signal independent power consumption to withstand differential power analysis on smart cards, in European Solid-State Circuits Conference—ESSCIRC 2002 (2002), pp. 403–406
  [42] K. Tiri, I. Verbauwhede, A logic level design methodology for a secure DPA resistant ASIC or FPGA implementation, in Design, Automation and Test in Europe Conference—DATE 2004 (2004), pp. 246–251
  [43] Virtual Silicon Inc., 0.18 μm VIP standard cell library, tape-out ready. Part number: UMCL18G212T3, process: UMC Logic 0.18 μm Generic II technology, 0.18 μm, July 2004
  [44] J. Waddle, D. Wagner, Towards efficient second-order power analysis, in Cryptographic Hardware and Embedded Systems—CHES 2004. Lecture Notes in Computer Science, vol. 3156 (Springer, Berlin, 2004), pp. 1–15
  [45] M. Weiser, The computer for the 21st century. ACM SIGMOBILE Mob. Comput. Commun. Rev. 3(3), 3–11 (1999)
  [46] Xilinx, Virtex-II Pro and Virtex-II Pro X Platform FPGAs: complete data sheet. Available via http://www.xilinx.com/support/documentation/data_sheets/ds083.pdf, November 2007
  [47] S. Yang, W. Wolf, N. Vijaykrishnan, D.N. Serpanos, Y. Xie, Power attack resistant cryptosystem design: a dynamic voltage and frequency switching approach, in Design, Automation and Test in Europe—DATE 2005 (IEEE Computer Society, Los Alamitos, 2005), pp. 64–69

Copyright information

© International Association for Cryptologic Research 2010

Authors and Affiliations

  • Axel Poschmann (1), corresponding author
  • Amir Moradi (2)
  • Khoongming Khoo (3)
  • Chu-Wee Lim (3)
  • Huaxiong Wang (1)
  • San Ling (1)

  1. Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore
  2. Horst Görtz Institute for IT Security, Ruhr University Bochum, Bochum, Germany
  3. DSO National Laboratories, Singapore
