Abstract
The effort in reducing the area of AES implementations has largely been focused on application-specific integrated circuits (ASICs), in which a tower field construction leads to a small design of the AES S-box. In contrast, a naive implementation of the AES S-box has been the status quo on field-programmable gate arrays (FPGAs). A similar discrepancy holds for masking schemes—a well-known side-channel analysis countermeasure—which are commonly optimized to achieve minimal area in ASICs. In this paper, we demonstrate a representation of the AES S-box exploiting rotational symmetry which leads to a 50% reduction in the area footprint on FPGA devices. We present new AES implementations which improve on the state of the art and explore various trade-offs between area and latency. For instance, at the cost of a 4.5-fold increase in latency, one of our design variants requires 25% fewer look-up tables (LUTs) than the smallest known AES on Xilinx FPGAs by Sasdrich and Güneysu at ASAP 2016. We further explore the protection of such implementations against side-channel attacks. We introduce a generic methodology for masking any n-bit Boolean function of degree t with protection order d. The methodology is exact for first-order and heuristic for higher orders. Its application to our new construction of the AES S-box allows us to improve on previous results and introduce the smallest first-order masked AES implementation on Xilinx FPGAs to date.
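The rotational symmetry the abstract refers to, worked through as an added example (this is not code from the paper): in a normal basis of GF(2^8), squaring is a cyclic rotation of the coordinate bits, and because inversion commutes with squaring, inv(rot(x)) = rot(inv(x)), so the inversion table only needs one entry per rotation class. Assumptions: that this Frobenius symmetry is the one the paper exploits, and the basis element b, which is found by search here rather than taken from the paper.

```python
AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES field polynomial

def gf_mul(a, b):  # multiply in GF(2^8), polynomial basis, AES reduction
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (AES_POLY if a & 0x80 else 0)
        b >>= 1
    return r
def gf_inv(a):  # a^254 = a^-1; sends 0 to 0 exactly as the AES S-box does
    r, e = 1, 254
    while e:
        r = gf_mul(r, a) if e & 1 else r
        a, e = gf_mul(a, a), e >> 1
    return r
def find_normal_basis():  # conjugates [b, b^2, ..., b^128] of the first b that span GF(2^8)
    for b in range(1, 256):
        conj = [b]
        for _ in range(7):
            conj.append(gf_mul(conj[-1], conj[-1]))
        span = {0}
        for c in conj:
            span |= {s ^ c for s in span}
        if len(span) == 256:
            return conj

NB = find_normal_basis()  # which b is used is an assumption: found by search, not from the paper
FROM_NB = [0] * 256       # bit i of a normal-basis coordinate vector selects NB[i] = b^(2^i)
for v in range(256):
    for i in range(8):
        if v >> i & 1:
            FROM_NB[v] ^= NB[i]
TO_NB = {x: v for v, x in enumerate(FROM_NB)}  # inverse map (the basis spans, so bijective)
def rotl8(v, n=1):
    return ((v << n) | (v >> (8 - n))) & 0xFF
def inv_nb(v):  # field inversion, the S-box's nonlinear core, on normal-basis coordinates
    return TO_NB[gf_inv(FROM_NB[v])]
def symmetry_holds():  # squaring is a 1-bit rotation here, so inversion commutes with rotation
    return all(TO_NB[gf_mul(FROM_NB[v], FROM_NB[v])] == rotl8(v)
               and inv_nb(rotl8(v)) == rotl8(inv_nb(v)) for v in range(256))
def canonical(v):  # representative of v's rotation class, and the rotation that reaches it
    n = min(range(8), key=lambda k: rotl8(v, k))
    return rotl8(v, n), n
def reduced_table():  # inversion stored only for class representatives (36 instead of 256)
    return {canonical(v)[0]: inv_nb(canonical(v)[0]) for v in range(256)}
def inv_via_reduced(v, table):  # rotate to the representative, look up, rotate the result back
    c, n = canonical(v)
    return rotl8(table[c], (8 - n) % 8)
```

The reduced table plus two rotations reproduces the full inversion for every input; in hardware the rotations are wiring, which is where the area saving comes from.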
Highlights
Ever since the introduction of differential power analysis (DPA) by Kocher et al. [34], protecting cryptographic devices against side-channel analysis (SCA) has been a challenging and active area of research.
We stress that no optimization for field-programmable gate arrays (FPGAs) has been done for these designs.
When comparing these results to the application-specific integrated circuit (ASIC) numbers reported in the original works, the stark contrast between the worlds of ASICs and FPGAs is clearly confirmed.
Summary
Ever since the introduction of differential power analysis (DPA) by Kocher et al. [34], protecting cryptographic devices against side-channel analysis (SCA) has been a challenging and active area of research.
Masking
In 2003, Ishai et al. [32] introduced the d-probing model, in which a very powerful attacker has the ability to probe the exact values of up to d intermediate variables. Security in this model has been related to more realistic adversary scenarios such as the noisy leakage [20] and the bounded moment leakage model [2]. In 2005 it was noted by Mangard et al. [41] that the Boolean masking schemes which are secure on sequential platforms [32,59] still exhibit side-channel leakage when implemented in hardware. This is due to unintended transitions (or glitches) on wires before they stabilize. The most challenging task in securing implementations is to mask the nonlinear components of a cipher.