Rei Ueno, Naofumi Homma, and Takafumi Aoki
Toward More Efficient DPA-Resistant AES Hardware Architecture Based on Threshold Implementation
13th April 2017, Paris, France
Constructive Side-Channel Analysis and Secure Design (COSADE)
Tohoku University
Threshold Implementation (TI)
Achieve provable security considering glitches
Masking-based countermeasure
a: secret value, a_i: share
Exploits pipelining to avoid propagating glitches
dth-order TI defeats dth-order DPAs
(Unprotected) AES hardware architectures
[Figure: latency vs. area. Architectures: byte-serial, round-based, unrolled. Annotations: "Resource sharing", "Datapath replication". Area labels: 2K~, 10K~, 100K~ GE]
TI-based AES architectures
[Figure: latency vs. area. Architectures: byte-serial, round-based, unrolled. Area labels: 6K~, 40K~, 400K~ GE]
Randomness in TI-based AES architectures
[Figure: latency vs. area. Architectures: byte-serial, round-based, unrolled. Area labels: 6K~, 40K~, 400K~ GE. Randomness labels: 32~ bit, 512~ bit, 5,120~ bit]
This work
New TI-based S-box
Combine algebraic characteristic of AES S-box with state-of-the-art TI construction (d + 1 input share TI)
Achieve 25% smaller area than conventional ones
Efficient byte-serial AES HW architecture for TI
Register-retiming for low latency encryption
Achieve 11-21% lower latency without area overhead
Outline
Introduction
TI-based AES S-box
AES HW architecture for TI
Experimental leakage evaluation
Concluding remarks
Conditions for dth-order TI
Correctness
dth-order non-completeness
Uniformity (or mask refreshing)
[Figure: "First-order non-complete circuit" and "Ring-refreshing"; labels z0, z1, z2]
Two constructions of TI-based circuit
TI with td + 1 input shares (t : algebraic degree)
Fewer registers and randomness
Efficiently applied to some practical 4-bit S-boxes
TI with d + 1 input shares
Smaller area, but more registers and randomness
Input shares must be independent of each other
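As an added illustration (not taken from the slides), the three TI conditions can be checked exhaustively on the textbook three-share first-order TI of a single AND gate, i.e. the td + 1 construction with t = 2 and d = 1. The AND sharing and the concrete ring-refresh formula are assumptions of this example; the slides only name the conditions and the refreshing technique.

```python
from collections import Counter
from itertools import product

BITS3 = list(product((0, 1), repeat=3))
# Input share indices each output share may read: output share i never
# touches input share i (first-order non-completeness by construction).
USES = {0: (1, 2), 1: (2, 0), 2: (0, 1)}

def sharings(v):
    """All 3-share encodings of bit v (XOR of the shares equals v)."""
    return [s for s in BITS3 if s[0] ^ s[1] ^ s[2] == v]

def ti_and(x, y):
    """Textbook 3-share TI of z = x AND y (assumed; not given on the slides)."""
    return tuple((x[a] & y[a]) ^ (x[a] & y[b]) ^ (x[b] & y[a])
                 for a, b in (USES[i] for i in range(3)))

def ring_refresh(z, r):
    """Assumed ring refresh: share i is XORed with fresh bits r[i] and r[i-1]."""
    return tuple(z[i] ^ r[i] ^ r[i - 1] for i in range(3))

def is_correct():
    """Output shares must recombine to a AND b for every input sharing."""
    return all(sum(ti_and(x, y)) % 2 == (a & b)
               for a, b in product((0, 1), repeat=2)
               for x in sharings(a) for y in sharings(b))

def is_non_complete():
    """Flipping input share i of x or y must never change output share i."""
    def flip(s, i):
        return s[:i] + (s[i] ^ 1,) + s[i + 1:]
    return all(ti_and(flip(x, i), y)[i] == ti_and(x, y)[i] == ti_and(x, flip(y, i))[i]
               for x in BITS3 for y in BITS3 for i in range(3))

def output_counts(a, b, refresh):
    """Histogram of output sharings for fixed unshared inputs a and b."""
    rand = BITS3 if refresh else [(0, 0, 0)]
    return Counter(ring_refresh(ti_and(x, y), r)
                   for x in sharings(a) for y in sharings(b) for r in rand)

def is_uniform(refresh):
    """Every valid sharing of a AND b must occur equally often."""
    for a, b in product((0, 1), repeat=2):
        c = output_counts(a, b, refresh)
        if set(c) != set(sharings(a & b)) or len(set(c.values())) != 1:
            return False
    return True
```

Without refreshing, the sharing (0, 0, 0) occurs 7 times out of 16 for a = b = 0, so the output is correct and non-complete but not uniform; adding the three fresh bits makes every valid output sharing equally likely.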
TI-based AES
Linear functions are easily realized
For non-linear function (i.e., S-box)?
Inversion determines security-order and performance