International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Low-Latency Keccak at any Arbitrary Order

Authors:
Sara Zarei , Shahid Beheshti University, Cyber Research Center, Tehran, Iran
Aein Rezaei Shahmirzadi , Ruhr University Bochum, Horst Görtz Institute for IT Security, Bochum, Germany
Hadi Soleimany , Shahid Beheshti University, Cyber Research Center, Tehran, Iran
Raziyeh Salarifard , Shahid Beheshti University, Faculty of Computer Science and Engineering, Tehran, Iran
Amir Moradi , Ruhr University Bochum, Horst Görtz Institute for IT Security, Bochum, Germany
Download:
DOI: 10.46586/tches.v2021.i4.388-411
URL: https://tches.iacr.org/index.php/TCHES/article/view/9070
Search ePrint
Search Google
Abstract: Correct application of masking on hardware implementation of cryptographic primitives necessitates the instantiation of registers in order to achieve the non-completeness (commonly said to stop the propagation of glitches). This sometimes leads to a high latency overhead, making the implementation not necessarily suitable for the underlying application. As a concrete example, this holds for Keccak. Application of d + 1 Domain Oriented Masking (DOM) on a round-based implementation of Keccak leads to the introduction of two register stages per round, i.e., two times higher latency. On the other hand, Rhythmic-Keccak, introduced in CHES 2018, unrolls two rounds to half the latency compared to an unprotected ordinary round-based implementation. To that end, td + 1 masking is used which requires a notable area, and – apart from the difficulty to construct – its extension to higher orders seems beyond the bounds of feasibility.In this paper, we focus on d + 1 masking and introduce a methodology which enables us to stay with the latency of an unprotected round-based implementation, i.e., one register stage per round. While being secure under glitch-extended probing model, we provide a general design where the desired security order can be easily adjusted without any effect on the above-given latency. Compared to the Rhythmic-Keccak, the synthesis results show that our first-order design is able to accomplish the entire operations of Keccak-f[200] in the same period of time while decreasing the area by 74.5%. Notably, our implementations achieve around 30% less delay compared to the corresponding original DOM-Keccak designs.
Video from TCHES 2021
BibTeX
@article{tches-2021-31321,
  title={Low-Latency Keccak at any Arbitrary Order},
  journal={IACR Transactions on Cryptographic Hardware and Embedded Systems},
  publisher={Ruhr-Universität Bochum},
  volume={2021, Issue 4},
  pages={388-411},
  url={https://tches.iacr.org/index.php/TCHES/article/view/9070},
  doi={10.46586/tches.v2021.i4.388-411},
  author={Sara Zarei and Aein Rezaei Shahmirzadi and Hadi Soleimany and Raziyeh Salarifard and Amir Moradi},
  year=2021
}