A First-Order SCA Resistant AES Without Fresh Randomness

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10815)

Abstract

Since the advent of Differential Power Analysis (DPA) in the late 1990s, protecting embedded devices against Side-Channel Analysis (SCA) attacks has been a major research effort. Even though many different first-order secure masking schemes are available today, when applied to the AES S-box they all require fresh random bits in every evaluation. As the quality criteria for generating random numbers on an embedded device are not well understood, an integrated Random Number Generator (RNG) can be the weak spot of any protected implementation and may invalidate an otherwise secure design. We present a new construction based on Threshold Implementations and Changing of the Guards to realize a first-order secure AES with zero per-round randomness. Hence, our design does not need a built-in RNG, thereby enhancing security and reducing the overhead.
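The two building blocks named in the abstract can be seen on a small scale. The script below is an added illustration, not code from the paper or its authors: it takes a toy 3-bit S-box (constructed here as (x, y, z) -> (x AND y, y, z)), builds the direct 3-share Threshold Implementation, shows by exhaustive enumeration that the plain TI is correct and non-complete but not uniform (distinct input sharings collide on the same output sharing), and then applies a Changing of the Guards layer in which every S-box instance re-masks its output with the input shares of its neighbour, so a layer of S-boxes needs only one small guard value carried from the previous layer and no fresh randomness. The share-routing rule used for the guards (share 1 absorbs shares 2 and 3 of the previous block, shares 2 and 3 swap-absorb the previous block's shares 3 and 2) is my reading of the 3-share case of the cited Changing of the Guards paper; the checks verify correctness, non-completeness and uniformity directly rather than relying on that reading. All function names and the S-box are assumptions for this example.

```python
from itertools import product

# Added example (not from the paper): a 3-share TI of a toy 3-bit S-box plus a
# Changing of the Guards layer. The S-box, share assignment and names are constructed.

N = 3
BITS = list(product((0, 1), repeat=N))      # all 3-bit vectors, as tuples


def xor(u, v):
    return tuple(a ^ b for a, b in zip(u, v))


def sbox(a):
    """Toy S-box (constructed): (x, y, z) -> (x AND y, y, z)."""
    x, y, z = a
    return (x & y, y, z)


def sbox_shares(s):
    """Direct 3-share TI of sbox. Share function j never reads input share j
    (non-completeness) and the three outputs XOR to sbox(s1^s2^s3) (correctness).
    The AND bit uses the classic 3-share AND sharing; pass-through bits are copied
    from a share the function is allowed to see."""
    s1, s2, s3 = s
    and1 = (s2[0] & s2[1]) ^ (s2[0] & s3[1]) ^ (s3[0] & s2[1])
    and2 = (s3[0] & s3[1]) ^ (s3[0] & s1[1]) ^ (s1[0] & s3[1])
    and3 = (s1[0] & s1[1]) ^ (s1[0] & s2[1]) ^ (s2[0] & s1[1])
    return ((and1, s2[1], s2[2]), (and2, s3[1], s3[2]), (and3, s1[1], s1[2]))


def guards_layer(guard, blocks):
    """Changing of the Guards over a layer of S-box instances.
    guard: shares 2 and 3 of a virtual block 0 (carried over from the previous layer).
    blocks: the 3-share inputs of the S-box instances, in order.
    Returns the output sharings and the new guard (shares 2, 3 of the last input)."""
    prev2, prev3 = guard
    out = []
    for s in blocks:
        f1, f2, f3 = sbox_shares(s)
        out.append((xor(f1, xor(prev2, prev3)),   # share 1 absorbs shares 2 and 3 of block i-1
                    xor(f2, prev3),                # share 2 absorbs share 3 of block i-1
                    xor(f3, prev2)))               # share 3 absorbs share 2 of block i-1
        prev2, prev3 = s[1], s[2]
    return out, (prev2, prev3)


def sharings(a):
    """All 64 valid 3-sharings of a 3-bit value a (share 1 is fixed by the other two)."""
    return [(xor(a, xor(s2, s3)), s2, s3) for s2 in BITS for s3 in BITS]


def count_distinct_outputs(a):
    """Distinct output sharings of the plain TI for unmasked input a.
    64 would mean uniform; fewer means input sharings collide, i.e. not uniform."""
    return len({sbox_shares(s) for s in sharings(a)})


def layer_is_correct(guard, blocks):
    out, _ = guards_layer(guard, blocks)
    return all(xor(xor(b[0], b[1]), b[2]) == sbox(xor(xor(s[0], s[1]), s[2]))
               for b, s in zip(out, blocks))


def layer_is_uniform(unmasked):
    """For fixed unmasked inputs, let the guard and all input sharings range over every
    possibility and require that (layer outputs, new guard) hits each valid value once."""
    seen = {}
    for guard in product(BITS, repeat=2):
        for blocks in product(*(sharings(a) for a in unmasked)):
            out, new_guard = guards_layer(guard, blocks)
            key = (tuple(out), new_guard)
            seen[key] = seen.get(key, 0) + 1
    return len(seen) == 64 ** (len(unmasked) + 1) and set(seen.values()) == {1}


def layer_is_non_complete():
    """Exhaustive check for a guard plus one block: output share j must be a function of
    the inputs with every share j removed, so no share function ever sees all shares."""
    for j in range(3):
        table = {}
        for g2, g3, s1, s2, s3 in product(BITS, repeat=5):
            out, _ = guards_layer((g2, g3), [(s1, s2, s3)])
            visible = tuple(sh for blk in ((None, g2, g3), (s1, s2, s3))
                            for k, sh in enumerate(blk) if k != j)
            if table.setdefault(visible, out[0][j]) != out[0][j]:
                return False
    return True


if __name__ == "__main__":
    print("plain TI, input 000: distinct output sharings =", count_distinct_outputs((0, 0, 0)), "of 64")
    print("guarded layer uniform for every unmasked input:", all(layer_is_uniform((a,)) for a in BITS))
    print("guarded layer non-complete:", layer_is_non_complete())
```

The uniformity argument is the same counting argument that makes the guards work in general: given the layer outputs and the outgoing guard, the incoming guard and every input sharing can be recovered block by block, so the map from (guard, input sharings) to (output sharings, new guard) is a bijection and the outputs are uniformly distributed without any fresh mask. Running `layer_is_uniform` with two unmasked inputs enumerates 64^3 cases and takes a few seconds, which is why the demo above sticks to one block per call.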

Notes

Acknowledgments

The work described in this paper has been supported in part by the German Federal Ministry of Education and Research BMBF (grant nr. 16KIS0666 SysKit_HW).

References

  1. Side-channel AttacK User Reference Architecture. http://satoh.cs.uec.ac.jp/SAKURA/index.html
  2. Balasch, J., Faust, S., Gierlichs, B., Paglialonga, C., Standaert, F.-X.: Consolidating inner product masking. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part I. LNCS, vol. 10624, pp. 724–754. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_25
  3. Banik, S., Pandey, S.K., Peyrin, T., Sasaki, Y., Sim, S.M., Todo, Y.: GIFT: a small present - towards reaching the limit of lightweight encryption. In: Fischer and Homma [13], pp. 321–345
  4. Bilgin, B., Gierlichs, B., Nikova, S., Nikov, V., Rijmen, V.: Trade-offs for threshold implementations illustrated on AES. IEEE Trans. CAD Integr. Circuits Syst. 34(7), 1188–1200 (2015)
  5. Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74735-2_31
  6. Boyar, J., Matthews, P., Peralta, R.: Logic minimization techniques with applications to cryptology. J. Cryptol. 26(2), 280–312 (2013)
  7. Božilov, D., Knežević, M., Nikov, V.: Threshold implementations of PRINCE: the cost of physical security. In: NIST Lightweight Cryptography Workshop (2016). https://www.nist.gov/sites/default/files/documents/2016/10/17/bozilov-paper-lwc2016.pdf
  8. Canright, D.: A very compact S-box for AES. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 441–455. Springer, Heidelberg (2005). https://doi.org/10.1007/11545262_32
  9. De Cnudde, T., Bilgin, B., Reparaz, O., Nikov, V., Nikova, S.: Higher-order threshold implementation of the AES S-box. In: Homma, N., Medwed, M. (eds.) CARDIS 2015. LNCS, vol. 9514, pp. 259–272. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31271-2_16
  10. De Cnudde, T., Reparaz, O., Bilgin, B., Nikova, S., Nikov, V., Rijmen, V.: Masking AES with \(d+1\) shares in hardware. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 194–212. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53140-2_10
  11. Daemen, J.: Changing of the guards: a simple and efficient method for achieving uniformity in threshold sharing. In: Fischer and Homma [13], pp. 137–153
  12. Duc, A., Dziembowski, S., Faust, S.: Unifying leakage models: from probing attacks to noisy leakage. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 423–440. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_24
  13. Fischer, W., Homma, N. (eds.): CHES 2017. LNCS, vol. 10529. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4
  14. Ghoshal, A., De Cnudde, T.: Several masked implementations of the Boyar-Peralta AES S-box. In: Patra, A., Smart, N.P. (eds.) INDOCRYPT 2017. LNCS, vol. 10698, pp. 384–402. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-71667-1_20
  15. Goodwill, G., Jun, B., Jaffe, J., Rohatgi, P.: A testing methodology for side channel resistance validation. In: NIST Non-invasive Attack Testing Workshop (2011). http://csrc.nist.gov/news_events/non-invasive-attack-testing-workshop/papers/08_Goodwill.pdf
  16. Gross, H., Mangard, S.: Reconciling \(d+1\) masking in hardware and software. In: Fischer and Homma [13], pp. 115–136
  17. Gross, H., Mangard, S., Korak, T.: Domain-oriented masking: compact masked hardware implementations with arbitrary protection order. IACR Cryptology ePrint Archive 2016:486 (2016)
  18. Gross, H., Mangard, S., Korak, T.: An efficient side-channel protected AES implementation with arbitrary protection order. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 95–112. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-52153-4_6
  19. Gupta, N., Jati, A., Chattopadhyay, A., Sanadhya, S.K., Chang, D.: Threshold implementations of GIFT: a trade-off analysis. Cryptology ePrint Archive, Report 2017/1040 (2017). https://eprint.iacr.org/2017/1040
  20. Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_27
  21. Jean, J., Moradi, A., Peyrin, T., Sasdrich, P.: Bit-sliding: a generic technique for bit-serial implementations of SPN-based primitives - applications to AES, PRESENT and SKINNY. In: Fischer and Homma [13], pp. 687–707
  22. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_25
  23. Kutzner, S., Nguyen, P.H., Poschmann, A., Wang, H.: On 3-share threshold implementations for 4-bit S-boxes. In: Prouff, E. (ed.) COSADE 2013. LNCS, vol. 7864, pp. 99–113. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40026-1_7
  24. Moradi, A.: Advances in side-channel security. Habilitation thesis, Ruhr-Universität Bochum (2016)
  25. Nikova, S., Rechberger, C., Rijmen, V.: Threshold implementations against side-channel attacks and glitches. In: Ning, P., Qing, S., Li, N. (eds.) ICICS 2006. LNCS, vol. 4307, pp. 529–545. Springer, Heidelberg (2006). https://doi.org/10.1007/11935308_38
  26. Nikova, S., Rijmen, V., Schläffer, M.: Secure hardware implementation of nonlinear functions in the presence of glitches. J. Cryptol. 24(2), 292–321 (2011)
  27. Reparaz, O.: A note on the security of higher-order threshold implementations. IACR Cryptology ePrint Archive 2015:1 (2015)
  28. Reparaz, O., Bilgin, B., Nikova, S., Gierlichs, B., Verbauwhede, I.: Consolidating masking schemes. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part I. LNCS, vol. 9215, pp. 764–783. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_37
  29. Schneider, T., Moradi, A.: Leakage assessment methodology. In: Güneysu, T., Handschuh, H. (eds.) CHES 2015. LNCS, vol. 9293, pp. 495–513. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48324-4_25
  30. Trichina, E.: Combinational logic design for AES SubByte transformation on masked data. IACR Cryptology ePrint Archive 2003:236 (2003)
  31. Ueno, R., Homma, N., Aoki, T.: A systematic design of tamper-resistant Galois-Field arithmetic circuits based on threshold implementation with (d + 1) input shares. In: 47th IEEE International Symposium on Multiple-Valued Logic, ISMVL 2017, Novi Sad, Serbia, 22–24 May 2017, pp. 136–141. IEEE Computer Society (2017)
  32. Ueno, R., Homma, N., Aoki, T.: Toward more efficient DPA-resistant AES hardware architecture based on threshold implementation. In: Guilley, S. (ed.) COSADE 2017. LNCS, vol. 10348, pp. 50–64. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-64647-3_4

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. Horst Görtz Institute for IT Security, Ruhr-Universität Bochum, Bochum, Germany