Abstract

The effort in reducing the area of AES implementations has largely been focused on Application-Specific Integrated Circuits (ASICs) in which a tower field construction leads to a small design of the AES S-box. In contrast, a naïve implementation of the AES S-box has been the status-quo on Field-Programmable Gate Arrays (FPGAs). A similar discrepancy holds for masking schemes – a wellknown side-channel analysis countermeasure – which are commonly optimized to achieve minimal area in ASICs.In this paper we demonstrate a representation of the AES S-box exploiting rotational symmetry which leads to a 50% reduction of the area footprint on FPGA devices. We present new AES implementations which improve on the state of the art and explore various trade-offs between area and latency. For instance, at the cost of increasing 4.5 times the latency, one of our design variants requires 25% less look-up tables (LUTs) than the smallest known AES on Xilinx FPGAs by Sasdrich and Güneysu at ASAP 2016. We further explore the protection of such implementations against first-order side-channel analysis attacks. Targeting the small area footprint on FPGAs, we introduce a heuristic-based algorithm to find a masking of a given function with d + 1 shares. Its application to our new construction of the AES S-box allows us to introduce the smallest masked AES implementation on Xilinx FPGAs, to-date.

Highlights

  • Ever since the introduction of Differential Power Analysis (DPA) by Kocher et al [KJJ99], protecting cryptographic devices against Side-Channel Analysis (SCA) has been a challenging and active area of research

  • Our result reduces the number of occupied look-up tables (LUTs) to 50% compared to a case with dependency on all eight variables

  • It is difficult to compare these results to state-of-the-art masked AES implementations [BGN+15, CRB+16, GMK17, UHA17b] since they target an Application-Specific Integrated Circuits (ASICs) platform

Read more

Summary

Introduction

Ever since the introduction of Differential Power Analysis (DPA) by Kocher et al [KJJ99], protecting cryptographic devices against Side-Channel Analysis (SCA) has been a challenging and active area of research. We speak of a dth-order DPA attack when the adversary exploits the statistical moments of the SCA leakages (e.g., power consumption) up to order d. In 2003, Ishai et al [ISW03] introduced the d-probing model, in which a very powerful attacker has the ability to probe the exact values of up to d intermediate variables. Security in this model has been related to more realistic adversary scenarios such as the noisy leakage [CJRR99] and the bounded moment leakage model [BDF+17]. In 2005 it was noted by Mangard et al [MPO05] that the Boolean masking schemes which are secure in sequential platforms [Tri, ISW03] still exhibit side-channel leakage when implemented

Methods
Results
Conclusion

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.