TY - GEN
T1 - Hiding higher-order univariate leakages by shuffling polynomial masking schemes
T2 - 2016 ACM Workshop on the Theory of Implementation Security, TIS 2016
AU - De Santis, Fabrizio
AU - Bauer, Tobias
AU - Sigl, Georg
N1 - Publisher Copyright:
© 2016 Copyright held by the owner/author(s).
PY - 2016/10/24
Y1 - 2016/10/24
N2 - Polynomial masking is a glitch-resistant and higher-order masking scheme based upon Shamir's secret sharing scheme and multi-party computation protocols. Polynomial masking was first introduced at CHES 2011, while a 1st-order implementation of the AES S-box on FPGA was presented at CHES 2013. In this latter work, the authors showed a 2nd-order univariate leakage by side-channel collision analysis on a tuned measurement setup. This negative result motivates the need to evaluate the performance, area costs, and security margins of combined shuffled and higher-order polynomial masking schemes to counteract trivial univariate leakages. In this work, we provide the following contributions: first, we introduce additional principles for the selection of efficient addition chains, which allow for more compact and faster implementations of cryptographic S-boxes. Our 1st-order AES S-box implementation requires approximately 27% fewer registers, 20% fewer clock cycles, and 5% fewer random bits than the CHES 2013 implementation. Then, we propose a lightweight shuffling countermeasure, which inherently applies to polynomial masking schemes and effectively enhances their univariate security at negligible area expense. Finally, we present the design of a combined shuffled and higher-order polynomially masked AES S-box in hardware, while providing ASIC synthesis and side-channel analysis results in the Electro-Magnetic (EM) domain.
AB - Polynomial masking is a glitch-resistant and higher-order masking scheme based upon Shamir's secret sharing scheme and multi-party computation protocols. Polynomial masking was first introduced at CHES 2011, while a 1st-order implementation of the AES S-box on FPGA was presented at CHES 2013. In this latter work, the authors showed a 2nd-order univariate leakage by side-channel collision analysis on a tuned measurement setup. This negative result motivates the need to evaluate the performance, area costs, and security margins of combined shuffled and higher-order polynomial masking schemes to counteract trivial univariate leakages. In this work, we provide the following contributions: first, we introduce additional principles for the selection of efficient addition chains, which allow for more compact and faster implementations of cryptographic S-boxes. Our 1st-order AES S-box implementation requires approximately 27% fewer registers, 20% fewer clock cycles, and 5% fewer random bits than the CHES 2013 implementation. Then, we propose a lightweight shuffling countermeasure, which inherently applies to polynomial masking schemes and effectively enhances their univariate security at negligible area expense. Finally, we present the design of a combined shuffled and higher-order polynomially masked AES S-box in hardware, while providing ASIC synthesis and side-channel analysis results in the Electro-Magnetic (EM) domain.
KW - AES
KW - Multi-party computation
KW - Polynomial masking
KW - Secret sharing
KW - Shuffling
KW - Side-channel analysis
UR - http://www.scopus.com/inward/record.url?scp=84997637211&partnerID=8YFLogxK
U2 - 10.1145/2996366.2996370
DO - 10.1145/2996366.2996370
M3 - Conference contribution
AN - SCOPUS:84997637211
T3 - TIS 2016 - Proceedings of the 2016 ACM Workshop on the Theory of Implementation Security, co-located with CCS 2016
SP - 17
EP - 26
BT - TIS 2016 - Proceedings of the 2016 ACM Workshop on the Theory of Implementation Security, co-located with CCS 2016
PB - Association for Computing Machinery, Inc
Y2 - 24 October 2016
ER -