CryptoDB
Smooth Passage with the Guards: Second-Order Hardware Masking of the AES with Low Randomness and Low Latency
Authors: |
|
---|---|
Download: | |
Abstract: | Cryptographic devices in hostile environments can be vulnerable to physical attacks such as power analysis. Masking is a popular countermeasure against such attacks, which works by splitting every sensitive variable into d+1 randomized shares. The implementation cost of the masking countermeasure in hardware increases significantly with the masking order d, and protecting designs often results in a large overhead. One of the main drivers of the cost is the required amount of fresh randomness for masking the non-linear parts of a cipher. In the case of AES, first-order designs have been built without the need for any fresh randomness, but state-of-the-art higher-order designs still require a significant number of random bits per encryption. Attempts to reduce the randomness however often result in a considerable latency overhead, which is not favorable in practice. This raises the need for AES designs offering a decent performance tradeoff, which are efficient both in terms of required randomness and latency.In this work, we present a second-order AES design with the minimal number of three shares, requiring only 3 200 random bits per encryption at a latency of 5 cycles per round. Our design represents a significant improvement compared to state-of-the-art designs that require more randomness and/or have a higher latency. The core of the design is an optimized 5-cycle AES S-box which needs 78 bits of fresh randomness. We use this S-box to construct a round-based AES design, for which we present a concept for sharing randomness across the S-boxes based on the changing of the guards (COTG) technique. We assess the security of our design in the probing model using a formal verification tool. Furthermore, we evaluate the practical side-channel resistance on an FPGA. |
BibTeX
@article{tches-2023-33670, title={Smooth Passage with the Guards: Second-Order Hardware Masking of the AES with Low Randomness and Low Latency}, journal={IACR Transactions on Cryptographic Hardware and Embedded Systems}, publisher={Ruhr-Universität Bochum}, volume={024 No. 1}, pages={309-335}, url={https://tches.iacr.org/index.php/TCHES/article/view/11254}, doi={10.46586/tches.v2024.i1.309-335}, author={Barbara Gigerl and Franz Klug and Stefan Mangard and Florian Mendel and Robert Primas}, year=2023 }