
Higher-Order Threshold Implementation of the AES S-Box

  • Conference paper
Smart Card Research and Advanced Applications (CARDIS 2015)

Part of the book series: Lecture Notes in Computer Science (volume 9514)

Abstract

In this paper we present a threshold implementation of the Advanced Encryption Standard’s S-box which is secure against first- and second-order power analysis attacks. This security guarantee holds even in the presence of glitches, and includes resistance against bivariate attacks. The design requires an area of 7849 Gate Equivalents and 126 bits of randomness per S-box execution. The implementation is tested on an FPGA platform and its security claim is supported by practical leakage detection tests.
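What the security claim of the abstract rests on is that every shared building block of the S-box is a threshold implementation: correct (the output shares XOR to the right value), non-complete (no output share, and for second-order security no pair of output shares, depends on all shares of any input) and uniform (the output sharing is as well distributed as the input sharing). The following brute-force checker is an added illustration of those three properties; it is not the authors' code and does not reproduce their S-box, which is far too large for exhaustive checking. It is run on the classic three-share AND, on a three-share sharing of a small bijection, and on a fan-out that feeds one sharing to two consumers; the function names and these small test functions are my choice. The AND turns out correct and first-order non-complete but not uniform, so its output would have to be refreshed with fresh randomness before it feeds another shared block, which is one of the things a TI spends its randomness budget on; it also fails second-order non-completeness, which is why second-order security costs extra shares.

```python
"""Exhaustive check of the three threshold-implementation (TI) properties on
small shared Boolean functions: correctness, d-th order non-completeness and
uniformity.  Added illustration, not the authors' code; the brute force is
only practical for the small nonlinear blocks a TI designer composes."""
import itertools
from collections import Counter


def xor(bits):
    """Unmask: XOR all shares of one variable."""
    acc = 0
    for b in bits:
        acc ^= b
    return acc


def sharings(value_bits, s):
    """Every s-share sharing of the bit vector value_bits (tuple of share-tuples)."""
    per_bit = [[sh for sh in itertools.product((0, 1), repeat=s) if xor(sh) == v]
               for v in value_bits]
    return itertools.product(*per_bit)


def _ignores_index(table, j, i, k, n, s):
    """True if output share (j, i) is a function of the inputs with share index != k."""
    groups = {}
    for inp, out in table.items():
        key = tuple(inp[v][t] for v in range(n) for t in range(s) if t != k)
        groups.setdefault(key, set()).add(out[j][i])
    return all(len(vals) == 1 for vals in groups.values())


def check_ti(shared_f, f, n, m, s, d=1):
    """Return (correct, non_complete, uniform) for an s-share sharing shared_f of
    f : {0,1}^n -> {0,1}^m.  shared_f maps a tuple of n share-tuples to a tuple of
    m share-tuples.  Non-completeness is checked at order d: any d output shares
    together must be independent of at least one input share index."""
    correct, uniform = True, True
    table = {}
    for x in itertools.product((0, 1), repeat=n):
        counts = Counter()
        for inp in sharings(x, s):
            out = shared_f(inp)
            table[inp] = out
            if tuple(xor(o) for o in out) != f(x):
                correct = False
            counts[out] += 1
        # Uniform: every sharing of f(x) is reached, and all equally often.
        if len(counts) != 2 ** ((s - 1) * m) or len(set(counts.values())) != 1:
            uniform = False
    ignored = {(j, i): {k for k in range(s) if _ignores_index(table, j, i, k, n, s)}
               for j in range(m) for i in range(s)}
    non_complete = all(set.intersection(*(ignored[o] for o in combo))
                       for combo in itertools.combinations(ignored, d))
    return correct, non_complete, uniform


def and3(inp):
    """Classic 3-share AND: output share i omits input share index i."""
    (x1, x2, x3), (y1, y2, y3) = inp
    z1 = (x2 & y2) ^ (x2 & y3) ^ (x3 & y2)
    z2 = (x3 & y3) ^ (x3 & y1) ^ (x1 & y3)
    z3 = (x1 & y1) ^ (x1 & y2) ^ (x2 & y1)
    return ((z1, z2, z3),)


def toffoli3(inp):
    """3-share sharing of the bijection (a, b, c) -> (a ^ bc, b, c).  b and c pass
    through and the a-shares are only XOR-translated, so the shared map is itself
    a permutation of the 9-bit share space, which is exactly what uniformity asks."""
    (a1, a2, a3), (b1, b2, b3), (c1, c2, c3) = inp
    d1 = a2 ^ (b2 & c2) ^ (b2 & c3) ^ (b3 & c2)   # no share index 1
    d2 = a3 ^ (b3 & c3) ^ (b3 & c1) ^ (b1 & c3)   # no share index 2
    d3 = a1 ^ (b1 & c1) ^ (b1 & c2) ^ (b2 & c1)   # no share index 3
    return ((d1, d2, d3), (b1, b2, b3), (c1, c2, c3))


def fanout3(inp):
    """The same sharing of x fed to two consumers: each copy is uniform on its
    own, the pair is not, so a block reading both sees a non-uniform input."""
    (shares,) = inp
    return (shares, shares)


def report():
    """Run the checks; each value is (correct, non_complete, uniform)."""
    f_and = lambda x: (x[0] & x[1],)
    f_tof = lambda x: (x[0] ^ (x[1] & x[2]), x[1], x[2])
    f_dup = lambda x: (x[0], x[0])
    return {
        "and3, 1st order": check_ti(and3, f_and, 2, 1, 3),
        "and3, 2nd order": check_ti(and3, f_and, 2, 1, 3, d=2),
        "toffoli3, 1st order": check_ti(toffoli3, f_tof, 3, 3, 3),
        "fanout3, 1st order": check_ti(fanout3, f_dup, 1, 2, 3),
    }


if __name__ == "__main__":
    for name, res in report().items():
        print(f"{name}: correct={res[0]} non_complete={res[1]} uniform={res[2]}")
```

The uniformity test enumerates all sharings of every unshared input and checks that each sharing of the output is hit equally often, which for a bijection means the shared map must be a permutation of the share space. The fan-out case is the situation footnote 1 of the paper warns about: a consumer that sees two individually uniform sharings of the same value does not see a uniform input.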


Notes

  1. We mean strict composition as \(g\circ f\). If g sees the concatenation of two functions \(f_1\), \(f_2\), one should make sure that the input to g stays uniform. This does not automatically happen even if \(f_1\) and \(f_2\) are independently uniform [4].

  2. Special attention is paid so that these options optimize within, but not across, block boundaries. Otherwise, the non-completeness property could be destroyed by the synthesis tool.

  3. This is because the size of a HOGFI circuit grows, very roughly, with the number of shares \(2d+1\).

  4. This number is obtained by applying the HOGFI theory [21].

  5. Usual precautions should be taken when mounting the test. For instance, in order to assure that no environmental factor creates an undesired balance between the sets, we interleave the lookups from each set in a random manner.
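The precaution in footnote 5, shown on constructed data as an added example (not the authors' measurements or test code): a fixed-versus-random Welch t-test, run per time sample for first order and on the centred product of every pair of samples for the bivariate second-order case, with the fixed and random sets interleaved in random order before "measuring". The leakage model (Hamming weight plus Gaussian noise plus a slow drift, standing in for an environmental factor), the three-share "device" that never handles the unshared S-box output, and the 4.5 decision threshold are assumptions; the AES S-box is generated from its definition rather than tabulated.

```python
"""Fixed-vs-random leakage assessment (Welch's t-test, TVLA style) on constructed,
simulated traces.  Added illustration, not the authors' measurements: the leakage
model and the masked 'device' below are assumptions."""
import random
from math import sqrt


def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def sbox_byte(a):
    """AES S-box: multiplicative inverse (0 -> 0) followed by the affine map."""
    inv = 1
    for _ in range(254):                   # a^254 = a^-1 in GF(2^8)
        inv = gf_mul(inv, a)
    rot = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63


SBOX = [sbox_byte(a) for a in range(256)]


def hw(v):
    return bin(v).count("1")


# Constructed leakage model (assumption): Hamming weight of every byte the device
# handles, Gaussian noise, and a slow linear drift such as a temperature change.
NOISE_SD = 0.5
DRIFT_PER_TRACE = 0.0005
FIXED_INPUT = 0x53          # S-box output 0xed has weight 6; the random mean is 4


def simulate(protected, interleave, n_per_set=2000, seed=1):
    """Return (labels, traces); label 0 = fixed input, 1 = random input.
    protected=False leaks the S-box output itself.  protected=True leaks three
    uniform Boolean shares of it and never the unshared value, which is what a
    uniform shared S-box output looks like to the probe."""
    rng = random.Random(seed)
    labels = [0] * n_per_set + [1] * n_per_set
    if interleave:
        rng.shuffle(labels)                # footnote 5: mix the sets at random
    traces = []
    for i, lab in enumerate(labels):
        p = FIXED_INPUT if lab == 0 else rng.randrange(256)
        y = SBOX[p]
        if protected:
            y1, y2 = rng.randrange(256), rng.randrange(256)
            values = (y1, y2, y ^ y1 ^ y2)
        else:
            values = (y,)
        drift = DRIFT_PER_TRACE * i        # grows with acquisition order
        traces.append(tuple(hw(v) + drift + rng.gauss(0, NOISE_SD) for v in values))
    return labels, traces


def welch_t(a, b):
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    va = sum((v - ma) ** 2 for v in a) / (len(a) - 1)
    vb = sum((v - mb) ** 2 for v in b) / (len(b) - 1)
    return (ma - mb) / sqrt(va / len(a) + vb / len(b))


def split(values, labels):
    fixed = [v for v, lab in zip(values, labels) if lab == 0]
    rand = [v for v, lab in zip(values, labels) if lab == 1]
    return fixed, rand


def first_order_t(labels, traces):
    """Univariate test: Welch t per time sample."""
    return [welch_t(*split([tr[k] for tr in traces], labels))
            for k in range(len(traces[0]))]


def second_order_t(labels, traces):
    """Bivariate test: centred product of each pair of samples, then Welch t."""
    n = len(traces[0])
    mean = [sum(tr[k] for tr in traces) / len(traces) for k in range(n)]
    ts = {}
    for a in range(n):
        for b in range(a + 1, n):
            prod = [(tr[a] - mean[a]) * (tr[b] - mean[b]) for tr in traces]
            ts[(a, b)] = welch_t(*split(prod, labels))
    return ts


def max_abs_t(labels, traces):
    """(max |t| at first order, max |t| at second order); |t| > 4.5 flags leakage."""
    t1 = max(abs(t) for t in first_order_t(labels, traces))
    t2 = max((abs(t) for t in second_order_t(labels, traces).values()), default=0.0)
    return t1, t2


if __name__ == "__main__":
    for name, args in [("unprotected, interleaved", (False, True)),
                       ("3-share, interleaved", (True, True)),
                       ("3-share, sets measured one after the other", (True, False))]:
        print(name, "-> max |t| (1st, 2nd):", max_abs_t(*simulate(*args)))
```

The first run flags the unprotected lookup at first order; the second passes both the first-order and the bivariate test, as three uniform shares should (no pair of shares is correlated with the value). The third run is why the footnote matters: with the fixed set acquired first and the random set afterwards, the drift is confounded with the set label and the masked lookup is flagged although nothing secret leaks, which interleaving removes.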

References

  1. Bilgin, B.: Threshold implementations, as countermeasure against higher-order differential power analysis. Ph.D. thesis, University of Twente, Enschede, May 2015

  2. Bilgin, B., Gierlichs, B., Nikova, S., Nikov, V., Rijmen, V.: A more efficient AES threshold implementation. In: Pointcheval, D., Vergnaud, D. (eds.) AFRICACRYPT 2014. LNCS, vol. 8469, pp. 267–284. Springer, Heidelberg (2014). http://dx.doi.org/10.1007/978-3-319-06734-6_17

  3. Bilgin, B., Gierlichs, B., Nikova, S., Nikov, V., Rijmen, V.: Higher-order threshold implementations. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 326–343. Springer, Heidelberg (2014). http://dx.doi.org/10.1007/978-3-662-45608-8_18

  4. Bilgin, B., Gierlichs, B., Nikova, S., Nikov, V., Rijmen, V.: Trade-offs for threshold implementations illustrated on AES. IEEE Trans. CAD Integr. Circ. Syst. 34(7), 1188–1200 (2015). doi:10.1109/TCAD.2015.2419623

  5. Canright, D.: A very compact S-box for AES. In: Rao and Sunar [22], pp. 441–455. http://dx.doi.org/10.1007/11545262_32

  6. Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 398–412. Springer, Heidelberg (1999)

  7. Cooper, J., DeMulder, E., Goodwill, G., Jaffe, J., Kenworthy, G., Rohatgi, P.: Test vector leakage assessment (TVLA) methodology in practice. In: International Cryptographic Module Conference (2013). http://icmc-2013.org/wp/wp-content/uploads/2013/09/goodwillkenworthtestvector.pdf

  8. Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Information Security and Cryptography. Springer, Berlin (2002). doi:10.1007/978-3-662-04722-4

  9. De Cnudde, T., Bilgin, B., Reparaz, O., Nikova, S.: Higher-order glitch resistant implementation of the PRESENT S-box. In: Ors, B., Preneel, B. (eds.) BalkanCryptSec 2014. LNCS, vol. 9024, pp. 75–93. Springer, Heidelberg (2015)

  10. Goodwill, G., Jun, B., Jaffe, J., Rohatgi, P.: A testing methodology for side-channel resistance validation. In: NIST Non-Invasive Attack Testing Workshop (2011). http://csrc.nist.gov/news_events/non-invasive-attack-testing-workshop/papers/08_Goodwill.pdf

  11. Goubin, L., Patarin, J.: DES and differential power analysis. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 158–172. Springer, Heidelberg (1999)

  12. Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)

  13. Mangard, S., Pramstaller, N., Oswald, E.: Successfully attacking masked AES hardware implementations. In: Rao and Sunar [22], pp. 157–171. http://dblp.uni-trier.de/db/conf/ches/ches2005.html#MangardPO05

  14. Messerges, T.S.: Using second-order power analysis to attack DPA resistant software. In: Paar, C., Koç, Ç.K. (eds.) CHES 2000. LNCS, vol. 1965, pp. 238–251. Springer, Heidelberg (2000)

  15. Moradi, A., Mischke, O.: On the simplicity of converting leakages from multivariate to univariate. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 1–20. Springer, Heidelberg (2013)

  16. Moradi, A., Poschmann, A., Ling, S., Paar, C., Wang, H.: Pushing the limits: a very compact and a threshold implementation of AES. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 69–88. Springer, Heidelberg (2011)

  17. Nikova, S., Rechberger, C., Rijmen, V.: Threshold implementations against side-channel attacks and glitches. In: Ning, P., Qing, S., Li, N. (eds.) ICICS 2006. LNCS, vol. 4307, pp. 529–545. Springer, Heidelberg (2006)

  18. Nikova, S., Rijmen, V., Schläffer, M.: Secure hardware implementation of nonlinear functions in the presence of glitches. J. Cryptology 24(2), 292–321 (2011). doi:10.1007/s00145-010-9085-7

  19. Oswald, E., Mangard, S., Herbst, C., Tillich, S.: Practical second-order DPA attacks for masked smart card implementations of block ciphers. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 192–207. Springer, Heidelberg (2006)

  20. Peeters, E., Standaert, F., Donckers, N., Quisquater, J.: Improved higher-order side-channel attacks with FPGA experiments. In: Rao and Sunar [22], pp. 309–323. doi:10.1007/11545262_23

  21. Prouff, E., Roche, T.: Higher-order glitches free implementation of the AES using secure multi-party computation protocols. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 63–78. Springer, Heidelberg (2011)

  22. Rao, J.R., Sunar, B. (eds.): CHES 2005. LNCS, vol. 3659. Springer, Heidelberg (2005)

  23. Reparaz, O., Bilgin, B., Nikova, S., Gierlichs, B., Verbauwhede, I.: Consolidating masking schemes. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 1–20. Springer, Heidelberg (2015)

  24. Reparaz, O., Gierlichs, B., Verbauwhede, I.: Selecting time samples for multivariate DPA attacks. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 155–174. Springer, Heidelberg (2012)

  25. Rijmen, V.: Efficient implementation of the Rijndael S-box. http://www.researchgate.net/profile/Vincent_Rijmen/publication/2621085_Efficient_Implementation_of_the_Rijndael_S-box/links/0912f50f7a7be367d7000000?origin=publication_detail

  26. Schneider, T., Moradi, A.: Leakage assessment methodology. In: Güneysu, T., Handschuh, H. (eds.) CHES 2015. LNCS, vol. 9293, pp. 495–513. Springer, Heidelberg (2015)

  27. Standaert, F., Peeters, E., Quisquater, J.: On the masking countermeasure and higher-order power analysis attacks. In: International Symposium on Information Technology: Coding and Computing (ITCC 2005), vol. 1, pp. 562–567. IEEE Computer Society, Las Vegas, Nevada, USA, 4–6 April 2005. doi:10.1109/ITCC.2005.213

  28. Waddle, J., Wagner, D.: Towards efficient second-order power analysis. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 1–15. Springer, Heidelberg (2004)


Acknowledgements

This work was supported in part by the Research Council KU Leuven: GOA TENSE (GOA/11/007). In addition, this work was partially supported by the Research Fund KU Leuven, OT/13/071, and by European Union’s Horizon 2020 research and innovation programme under grant agreement No 644052 HECTOR. Begül Bilgin was partially supported by the FWO project G0B4213N. Oscar Reparaz is funded by a PhD fellowship of the Fund for Scientific Research - Flanders (FWO). Thomas De Cnudde is funded by a research grant of the Institute for the Promotion of Innovation through Science and Technology in Flanders (IWT-Vlaanderen).

Author information


Corresponding author

Correspondence to Thomas De Cnudde .


Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

De Cnudde, T., Bilgin, B., Reparaz, O., Nikov, V., Nikova, S. (2016). Higher-Order Threshold Implementation of the AES S-Box. In: Homma, N., Medwed, M. (eds) Smart Card Research and Advanced Applications. CARDIS 2015. Lecture Notes in Computer Science, vol 9514. Springer, Cham. https://doi.org/10.1007/978-3-319-31271-2_16


  • DOI: https://doi.org/10.1007/978-3-319-31271-2_16


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-31270-5

  • Online ISBN: 978-3-319-31271-2
