International Association for Cryptologic Research

CryptoDB

Smooth Passage with the Guards: Second-Order Hardware Masking of the AES with Low Randomness and Low Latency

Authors:
Barbara Gigerl , Graz University of Technology, Graz, Austria
Franz Klug , Infineon Technologies AG, Munich, Germany
Stefan Mangard , Graz University of Technology, Graz, Austria
Florian Mendel , Infineon Technologies AG, Munich, Germany
Robert Primas , Intel Labs, Hillsboro, USA
Download:
DOI: 10.46586/tches.v2024.i1.309-335
URL: https://tches.iacr.org/index.php/TCHES/article/view/11254
Abstract: Cryptographic devices in hostile environments can be vulnerable to physical attacks such as power analysis. Masking is a popular countermeasure against such attacks, which works by splitting every sensitive variable into d+1 randomized shares. The implementation cost of the masking countermeasure in hardware increases significantly with the masking order d, and protecting designs often results in a large overhead. One of the main drivers of the cost is the required amount of fresh randomness for masking the non-linear parts of a cipher. In the case of AES, first-order designs have been built without the need for any fresh randomness, but state-of-the-art higher-order designs still require a significant number of random bits per encryption. Attempts to reduce the randomness, however, often result in a considerable latency overhead, which is not favorable in practice. This raises the need for AES designs offering a decent performance tradeoff, which are efficient both in terms of required randomness and latency.

In this work, we present a second-order AES design with the minimal number of three shares, requiring only 3,200 random bits per encryption at a latency of 5 cycles per round. Our design represents a significant improvement compared to state-of-the-art designs that require more randomness and/or have a higher latency. The core of the design is an optimized 5-cycle AES S-box which needs 78 bits of fresh randomness. We use this S-box to construct a round-based AES design, for which we present a concept for sharing randomness across the S-boxes based on the changing of the guards (COTG) technique. We assess the security of our design in the probing model using a formal verification tool. Furthermore, we evaluate the practical side-channel resistance on an FPGA.
BibTeX
@article{tches-2023-33670,
  title={Smooth Passage with the Guards: Second-Order Hardware Masking of the AES with Low Randomness and Low Latency},
  journal={IACR Transactions on Cryptographic Hardware and Embedded Systems},
  publisher={Ruhr-Universität Bochum},
  volume={2024 No. 1},
  pages={309-335},
  url={https://tches.iacr.org/index.php/TCHES/article/view/11254},
  doi={10.46586/tches.v2024.i1.309-335},
  author={Barbara Gigerl and Franz Klug and Stefan Mangard and Florian Mendel and Robert Primas},
  year=2023
}