Thomas De Cnudde
Katholieke Universiteit Leuven
Publication
Featured research published by Thomas De Cnudde.
Smart Card Research and Advanced Application Conference | 2015
Thomas De Cnudde; Begül Bilgin; Oscar Reparaz; Ventzislav Nikov; Svetla Nikova
In this paper we present a threshold implementation of the Advanced Encryption Standard's S-box which is secure against first- and second-order power analysis attacks. This security guarantee holds even in the presence of glitches, and includes resistance against bivariate attacks. The design requires an area of 7849 Gate Equivalents and 126 bits of randomness per S-box execution. The implementation is tested on an FPGA platform and its security claim is supported by practical leakage detection tests.
Workshop on Fault Diagnosis and Tolerance in Cryptography | 2016
Thomas De Cnudde; Svetla Nikova
Since the introduction of Private Circuits at CRYPTO 2003, several works have attempted its implementation in hardware. Only very recently was an implementation of this masking scheme shown to survive state-of-the-art leakage detection tests. The overhead introduced to achieve the provable security was significant. Similarly, the implementation aspect of Private Circuits II, the tamper-resistant extension of Private Circuits presented at EUROCRYPT 2006, was only recently presented at RECONFIG 2015. It however relied on a combinational PC-I implementation, which is susceptible to both glitches and early evaluation. In this work, we evaluate a recently proposed Private Circuits implementation and its corresponding Threshold Implementation side by side and give a full comparison in an equal and fair setting. Subsequently, we take the smallest resulting masking scheme as the basis for a new approach towards a secure PC-II implementation. In addition to quantifying the resource overhead of PC-II, our work provides detailed instructions on how to achieve PC-II in FPGAs.
The Information Society | 2016
Thomas De Cnudde; Oscar Reparaz; Begül Bilgin; Svetla Nikova; Ventzislav Nikov; Vincent Rijmen
Masking requires splitting sensitive variables into at least d+1 shares to provide security against DPA attacks at order d. To date, this minimal number has only been deployed in software implementations of cryptographic algorithms and in the linear parts of their hardware counterparts. So far there is no hardware construction that achieves this lower bound if the function is nonlinear and the underlying logic gates can glitch. In this paper, we give practical implementations of the AES using d+1 shares aiming at first- and second-order security even in the presence of glitches. To achieve this, we follow the conditions presented by Reparaz et al. at CRYPTO 2015 that allow hardware masking schemes, like Threshold Implementations, to provide theoretical higher-order security with d+1 shares. The decrease in the number of shares has a direct impact on the area requirements: our second-order DPA resistant core is the smallest in area so far, and its S-box is 50% smaller than the current smallest Threshold Implementation of the AES S-box with similar security and attacker model. We assess the security of our masked cores by practical side-channel evaluations. The security guarantees are met with 100 million traces.
IEEE Transactions on Very Large Scale Integration Systems | 2017
Thomas De Cnudde; Svetla Nikova
In this paper, we present and evaluate a hardware implementation of the PRESENT block cipher secured against both side-channel analysis and fault attacks (FAs). The side-channel security is provided by the first-order threshold implementation masking scheme of the serialized PRESENT proposed by Poschmann et al. For the FA resistance, we employ the Private Circuits II countermeasure presented by Ishai et al. at Eurocrypt 2006, which we tailor to resist arbitrary 1-bit faults. We perform a side-channel evaluation using the state-of-the-art leakage detection tests, quantify the resource overhead of the Private Circuits II countermeasure, subject the implementation to established differential FAs against the PRESENT block cipher, and reflect on the structural resistance of the countermeasure. This paper provides detailed instructions on how to successfully achieve a secure Private Circuits II implementation for the data path as well as the control logic.
International Conference on Cryptology in India | 2017
Ashrujit Ghoshal; Thomas De Cnudde
Threshold implementation is a masking technique that provides provable security for implementations of cryptographic algorithms against power analysis attacks. In recent publications, several different threshold implementations of AES have been designed. However, in most of the threshold implementations of AES, the Canright S-Box has been used. The Boyar-Peralta S-Box is an alternative implementation of the AES S-Box with a minimal circuit depth and is comparable in size to the frequently used Canright AES S-Box. In this paper, we present several versions of first-order threshold implementations of the Boyar-Peralta AES S-Box with different numbers of shares and several trade-offs in area, randomness and speed. To the best of our knowledge these are the first threshold implementations of the Boyar-Peralta S-Box. Our implementations compare favourably with some of the existing threshold implementations of the Canright S-Box along the design trade-offs, e.g. while one of our S-Boxes is 49% larger in area than the smallest known threshold implementation of the Canright AES S-Box, it uses 63% less randomness and requires only 50% of the clock cycles. We provide results of a practical security evaluation based on real power traces to confirm the first-order attack resistance of our implementations.
Smart Card Research and Advanced Application Conference | 2016
Stjepan Picek; Bohan Yang; Vladimir Rozic; Jo Vliegen; Jori Winderickx; Thomas De Cnudde; Nele Mentens
This paper proposes the use of evolutionary computation for the design and optimization of lightweight Pseudo Random Number Generators (PRNGs). In this work, we focus on PRNGs that are suitable for generating masks and secret shares. Such generators should be lightweight and have a high throughput with good statistical properties. As a proof-of-concept, we present three novel hardware architectures that have an increasing level of prediction resistance and an increasing level of reconfigurability at run-time. We evaluate the three architectures on Zynq, Virtex-6, and ASIC platforms and compare the occupied resources and the throughput of the obtained designs. Finally, we use the Spartan-6 platform for the evaluation of the masked implementation where the masks are obtained via our PRNG.
Cryptographic Hardware and Embedded Systems | 2018
Thomas De Cnudde; Maik Ender; Amir Moradi
Hardware masking schemes have shown many advances in the past few years. Through a series of publications their implementation cost has dropped significantly and flaws have been fixed where present. Despite these advancements it seems that a limit has been reached when implementing masking schemes on FPGA platforms. Indeed, even with a correct transition from the masking scheme to the masking realization (i.e., when the implementation is not buggy) it has been shown that the implementation can still exhibit unexpected leakage, e.g., through variations in placement and routing. In this work, we show that the reason for such unexpected leakages is the violation of an underlying assumption made by all masking schemes, i.e., that the leakage of the circuit is a linear sum of the leakages associated with each share. In addition to the theory of VLSI which supports our claim, we perform a wide range of experiments based on an FPGA to find out under what circumstances this causes a masked hardware implementation to show undesirable leakage. We further illustrate case studies where publicly-known secure designs exhibit first-order leakage when being operated under certain conditions.
Lecture Notes in Computer Science | 2015
Thomas De Cnudde; Begül Bilgin; Oscar Reparaz; Ventzislav Nikov; Svetla Nikova
Lecture Notes in Computer Science | 2014
Thomas De Cnudde; Begül Bilgin; Oscar Reparaz; Svetla Nikova
IACR Cryptology ePrint Archive | 2017
Ashrujit Ghoshal; Thomas De Cnudde