Efficient and First-Order DPA Resistant Implementations of Keccak

  • Begül BilginEmail author
  • Joan Daemen
  • Ventzislav Nikov
  • Svetla Nikova
  • Vincent Rijmen
  • Gilles Van Assche
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8419)


In October 2012 NIST announced that the SHA-3 hash standard will be based on Keccak. Besides hashing, Keccak can be used in many other modes, including ones operating on a secret value. Many applications of such modes require protection against side-channel attacks, preferably at low cost. In this paper, we present threshold implementations (TI) of Keccak with three and four shares that build further on unprotected parallel and serial architectures. We improve upon earlier TI implementations of Keccak in the sense that the latter did not achieve uniformity of shares. In our proposals we do achieve uniformity at the cost of an extra share in a four-share version or at the cost of injecting a small number of fresh random bits for each computed round. The proposed implementations are efficient and provably secure against first-order side-channel attacks.


Keccak Side-channel attacks Threshold implementation 



We would like to thank the anonymous reviewers for their constructive comments. In addition, this work has been supported in part by the Research Council of KU Leuven (OT/13/071), B. Bilgin was partially supported by the Flemish Government by the project G.0B421.13N., and V. Nikov was supported by the European Commission (FP7) within the Tamper Resistant Sensor Node (TAMPRES) project with the contract number 258754.


  1. 1.
    ATHENa: automated tool for hardware evaluation.
  2. 2.
    Akkar, M.-L., Giraud, C.: An implementation of DES and AES, secure against some attacks. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 309–318. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  3. 3.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Building power analysis resistant implementations of Keccak. In: Second SHA-3 Candidate Conference, August 2010Google Scholar
  4. 4.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Cryptographic sponge functions, January 2011Google Scholar
  5. 5.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  6. 6.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The Keccak reference, January 2011Google Scholar
  7. 7.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., Van Keer, R.: Keccak implementation overview, September 2011Google Scholar
  8. 8.
    Bilgin, B., Nikova, S., Nikov, V., Rijmen, V., Stütz, G.: Threshold implementations of All \(3 \times 3\) and \(4 \times 4\) S-boxes. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 76–91. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  9. 9.
    Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 398–412. Springer, Heidelberg (1999) CrossRefGoogle Scholar
  10. 10.
    Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  11. 11.
    Kavun, E.B., Yalcin, T.: A lightweight implementation of Keccak hash function for radio-frequency identification applications. In: Ors Yalcin, S.B. (ed.) RFIDSec 2010. LNCS, vol. 6370, pp. 258–269. Springer, Heidelberg (2010) Google Scholar
  12. 12.
    Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999) CrossRefGoogle Scholar
  13. 13.
    Moradi, A., Poschmann, A., Ling, S., Paar, C., Wang, H.: Pushing the limits: a very compact and a threshold implementation of AES. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 69–88. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  14. 14.
    Nikova, S., Rijmen, V., Schläffer, M.: Secure hardware implementation of non-linear functions in the presence of glitches. In: Lee, P.J., Cheon, J.H. (eds.) ICISC 2008. LNCS, vol. 5461, pp. 218–234. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  15. 15.
    Nikova, S., Rijmen, V., Schläffer, M.: Secure hardware implementation of nonlinear functions in the presence of glitches. J. Cryptology 24(2), 292–321 (2011)CrossRefzbMATHMathSciNetGoogle Scholar
  16. 16.
    Pessl, P., Hutter, M.: Pushing the limits of SHA-3 hardware implementations to fit on RFID. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 126–141. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  17. 17.
    Popp, T., Mangard, S.: Masked dual-rail pre-charge logic: DPA-resistance without routing constraints. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 172–186. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  18. 18.
    Tillich, S., Feldhofer, M., Kirschbaum, M., Plos, T., Schmidt, J.-M., Szekely, A.: Uniform evaluation of hardware implementations of the round-two SHA-3 candidates. In: The Second SHA-3 Candidate Conference, Santa Barbara, USA, pp. 1–16, 23–24 August 2010Google Scholar
  19. 19.
    Tiri, K., Verbauwhede, I.: A logic level design methodology for a secure DPA resistant ASIC or FPGA implementation. In: DATE, pp. 246–251. IEEE Computer Society (2004)Google Scholar
  20. 20.
    Trichina, E., Korkishko, T., Lee, K.-H.: Small size, low power, side channel-immune AES coprocessor: design and synthesis results. In: Dobbertin, H., Rijmen, V., Sowa, A. (eds.) AES 2005. LNCS, vol. 3373, pp. 113–127. Springer, Heidelberg (2005) CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Begül Bilgin
    • 3
    • 4
    Email author
  • Joan Daemen
    • 1
  • Ventzislav Nikov
    • 2
  • Svetla Nikova
    • 3
  • Vincent Rijmen
    • 3
  • Gilles Van Assche
    • 1
  1. 1.STMicroelectronicsDiegemBelgium
  2. 2.NXP SemiconductorsLeuvenBelgium
  3. 3.ESAT/COSIC and IMindsKU LeuvenLeuvenBelgium
  4. 4.DIESUniversity of TwenteEnschedeThe Netherlands

Personalised recommendations