Abstract

Embedded devices are used pervasively in a wide range of applications, some of which require cryptographic algorithms in order to provide security. Sensitive information, such as the secret key used in the algorithm, can be derived from the physical leakage of these devices. The most common attack based on physical leakage is differential power analysis (DPA), which exploits the correlation between the instantaneous power consumption of a device and the intermediate results of a cryptographic algorithm. Different countermeasures have been proposed to prevent DPA. Here, we focus on a powerful approach called threshold implementation (TI), which is based on secret sharing and multi-party computation and is proven secure even in the presence of glitches by Nikova et al. in ICICS’06. TI relies on four properties, namely correctness, non-completeness, uniformity of the shared variables and uniformity of the shared functions. Achieving all four properties for linear functions is straightforward. However, it can be challenging when nonlinear functions, such as the S-boxes of symmetric-key algorithms, are considered. Satisfying all the properties can require using extra randomness or increasing the number of shares, both of which imply an increase in resources. The contribution of this thesis is two-fold. In the first part of the thesis, we introduce the theory for generating higher-order TI, which can counteract higher-order DPA. The early works on TI provide security against first-order DPA attacks. However, it has been shown that second-order attacks are also feasible, even though the number of traces required for a successful attack increases exponentially in the noise standard deviation. Therefore, increasing the security using higher-order TI is valuable. In the second part of the thesis, we examine area-randomness-security trade-offs in a TI. In order to do that, we first investigate all 3 × 3 and 4 × 4, and some cryptographically significant classes of 5 × 5 and 6 × 6, invertible S-boxes. Then, we extend our research to the TIs of the standardized symmetric-key algorithms AES and SHA-3, with a detailed investigation of the trade-offs.
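The properties named in the abstract can be checked exhaustively on a small nonlinear function. The following is an added example, not code from the thesis: it takes a textbook 3-share sharing of a single AND gate, verifies correctness and non-completeness, shows that the shared function is not uniform, and shows that two fresh random bits restore uniformity. The function names and the remasking bits `r` are assumptions of this example.

```python
from collections import Counter
from itertools import product

BITS = (0, 1)

def and_ti(x, y, r=(0, 0)):
    """Three component functions; output share i never reads x[i] or y[i].
    r holds two fresh random bits (assumed remasking; r=(0, 0) disables it)."""
    x1, x2, x3 = x
    y1, y2, y3 = y
    z1 = (x2 & y2) ^ (x2 & y3) ^ (x3 & y2) ^ r[0]
    z2 = (x3 & y3) ^ (x1 & y3) ^ (x3 & y1) ^ r[1]
    z3 = (x1 & y1) ^ (x1 & y2) ^ (x2 & y1) ^ r[0] ^ r[1]
    return (z1, z2, z3)

def sharings(v):
    """All four 3-share Boolean sharings of the bit v."""
    return [(a, b, a ^ b ^ v) for a, b in product(BITS, repeat=2)]

def is_correct():
    """Output shares must XOR to x AND y for every input sharing."""
    return all(z[0] ^ z[1] ^ z[2] == (x & y)
               for x, y in product(BITS, repeat=2)
               for xs in sharings(x) for ys in sharings(y)
               for z in [and_ti(xs, ys)])

def is_non_complete():
    """Flipping x[i] or y[i] must never change output share i."""
    triples = list(product(BITS, repeat=3))
    for i, xs, ys in product(range(3), triples, triples):
        fx = tuple(b ^ (j == i) for j, b in enumerate(xs))
        fy = tuple(b ^ (j == i) for j, b in enumerate(ys))
        if len({and_ti(xs, ys)[i], and_ti(fx, ys)[i], and_ti(xs, fy)[i]}) != 1:
            return False
    return True

def output_distribution(x, y, fresh=False):
    """Count output sharings over all input sharings (and all r if fresh)."""
    masks = list(product(BITS, repeat=2)) if fresh else [(0, 0)]
    return Counter(and_ti(xs, ys, r) for xs in sharings(x)
                   for ys in sharings(y) for r in masks)

def is_uniform(fresh=False):
    """Every sharing of x AND y must occur equally often."""
    for x, y in product(BITS, repeat=2):
        d = output_distribution(x, y, fresh)
        if set(d) != set(sharings(x & y)) or len(set(d.values())) != 1:
            return False
    return True
```

For the unshared input (0, 0), the output sharing (0, 0, 0) appears for 7 of the 16 input sharings instead of 4, which is the kind of bias that extra randomness or additional shares are used to remove.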
