A note on the security of Higher-Order Threshold Implementations.

Rijmen, "Higher-Order Threshold Implementations". ASIACRYPT 2014 [2] A.Moradi, A. Wild, "Assessment of Hiding the Higher-Order Leakages in Hardware -What are the Achievements versus Overheads?". ... non-completeness  correctness  uniform sharing of function outputs (each set of output pairs occurs with same probability) NOTE: The number of input and output shares depends on the function ... CONCEPT:  success of higher-order attacks depends on noise-level  combining hiding countermeasures (noise addition) with classical approaches (e.g. first-order secure TI)  dynamic hardware modifications ...

doi:10.1007/978-3-319-52153-4_7 fatcat:oowhrolyfrgcddzbzqr45wmqiq

In this paper we present a threshold implementation of the Advanced Encryption Standard's S-box which is secure against first-and second-order power analysis attacks. ... The implementation is tested on an FPGA platform and its security claim is supported by practical leakage detection tests. ... Acknowledgements This work was supported in part by the Research Council KU Leuven: GOA TENSE (GOA/11/007). In addition, this work was partially supported by the ...

doi:10.1007/978-3-319-31271-2_16 fatcat:3tv7et4p6zg5fjscgsttlm23lu

In this paper we present a threshold implementation of the Advanced Encryption Standard's S-box which is secure against first- and second-order power analysis attacks. ... The implementation is tested on an FPGA platform and its security claim is supported by practical leakage detection tests. ... Acknowledgements This work was supported in part by the Research Council KU Leuven: GOA TENSE (GOA/11/007). In addition, this work was partially supported by the ...

doi:10.5281/zenodo.58086 fatcat:2ovqn6rme5fk7e4coxg7m5ylhu

Open Access

The security validation process is nowadays a lengthy, tedious and manual process. In this paper, we report on a method to verify the soundness of a masking scheme before implementing it on a device. ... We also present a new second-order flaw on a table recomputation scheme, and show that the approach is useful when designing a hardware masked implementation. ... The author is funded by a PhD fellowship of the Fund for Scientific Research -Flanders (FWO). ...

doi:10.1007/978-3-662-52993-5_11 fatcat:qtkcptberra5ndyr24ll6l2ile

We present the theoretical concept of our approach based on simulation traces and examine its efficiency on noisy real-world measurements taken from a first-order secure threshold implementation of the ... block cipher PRESENT-80, implemented on a 150nm CMOS ASIC prototype chip. ... Acknowledgements The authors would like to acknowledge Axel Poschmann for the hardware designs and Stefan Heyse for his help on taping out the prototype chip. ...

doi:10.1007/978-3-319-64647-3_10 fatcat:mvakxgmk2rfynnpib4ix2w2j3y

Threshold Implementations (TI) are provably secure algorithmic countermeasures against side-channel attacks in the form of differential power analysis. ... Thus, over the years the practice of protecting implementations matured, however, the theory behind threshold implementations remained the same. ... The authors would like to thank Michiel Van Beirendonck for the interesting discussions. ...

doi:10.1145/3338467.3358949 dblp:conf/ccs/DhoogheNR19 fatcat:no2bzgan6ze53mi47br6sr5c7i

Therefore we introduce a new model, the bounded moment model, that formalizes a weaker notion of security order frequently used in the side-channel literature. ... In this paper, we provide a necessary clarification of the good security properties that can be obtained from parallel implementations of masking schemes. ... Note that threshold implementations crucially rely on the separation of the non-complete f i functions by registers. ...

doi:10.1007/978-3-319-56620-7_19 fatcat:bjrjvrpu6rer3mm2opyhf5vgaq

Threshold Implementation of the AES S-box with similar security and attacker model. ... To achieve this, we follow the conditions presented by Reparaz et al. at CRYPTO 2015 to allow hardware masking schemes, like Threshold Implementations, to provide theoretical higher-order security with ... Acknowledgments The authors would like to thank the anonymous reviewers for providing constructive and valuable comments. This work was supported in part by NIST ...

doi:10.1007/978-3-662-53140-2_10 fatcat:zyxgtv6adjhrzdvo46gi2zfsvi

They confirm the first-order attack resistance of our implementation and show good resistance against higher-order attacks. ... In addition, we provide results of a practical security evaluation based on real power traces in adversary-friendly conditions. ... We proceed with higher-order attacks to assess the level of security our implementation provides. ...

doi:10.1007/978-3-319-06734-6_17 fatcat:xeeii4peeffmncxvog4yzzm3wq

Motivated by the development of Side-Channel Analysis (SCA) countermeasures which can provide security up to a certain order, defeating higher-order attacks has become amongst the most challenging issues ... In this work we look at the feasibility of higher-order attacks on firstorder TI from another perspective. ... Contribution: In this work we look at the feasibility of higher-order attacks on first-order secure TI designs from another perspective. ...

doi:10.1007/978-3-319-31301-6_16 fatcat:46xqo6zdnvcjvhmnyjsvnnc2ui

Threshold Implementation of the AES S-box with similar security and attacker model. ... To achieve this, we follow the conditions presented by Reparaz et al. at CRYPTO 2015 to allow hardware masking schemes, like Threshold Implementations, to provide theoretical higher-order security with ... Acknowledgments The authors would like to thank the anonymous reviewers for providing constructive and valuable comments. This work was supported in part by NIST ...

doi:10.1145/2996366.2996428 dblp:conf/ccs/CnuddeRBNNR16 fatcat:uj2d7vjp7jclnboe7ukmayqssm

Besides, programmability of the device and security of the recorded information are desirable features, which need to be considered during the design of such systems. ... secure hardware for on-chip realtime signal processing in implantable systems. ... On the other hand, super-threshold design, although more effective in terms of yield and reliability, usually dissipates much higher power. ...

doi:10.1109/asqed.2010.5548247 fatcat:teb4dnt5ira77one3os524747q

In IEEE Symposium on Security and Privacy, pages 31–41. IEEE Computer Society, 2002. 44. O. Reparaz. A note on the security of Higher-Order Threshold Implementations. ... On the Need of Physical Security for Small Embedded Devices: A Case Study with COMP128-1 Implementations in SIM Cards. ...

doi:10.1007/978-3-662-48324-4_23 fatcat:g4f6ch2jfrg5hi3va7bfnkilwa

However, so far it is only provable secure against 1 st -order DPA. We address this gap and extend the Threshold Implementation technique to higher orders. ... The attack order in a higher-order DPA corresponds to the number of wires that are probed in the circuit (per unmasked bit). ... Bilgin was partially supported by the FWO project G0B4213N and Benedikt Gierlichs is a Postdoctoral Fellow of the Research Foundation -Flanders (FWO). ...

doi:10.1007/978-3-662-45608-8_18 fatcat:prm5ogxf7veihhw4w53topjre4

So far it is known for solid security reductions but implementations of specific instances have often been reported to be too complex beyond any practicability. ... This unit can encrypt and decrypt a block in 26.19 µs and 16.80 µs on a Virtex-6 LX75T FPGA, respectively -at moderate resource requirements of about 1506 slices and a few block RAMs. ... ., a single point multiplication [24] ) and RSA (random-exponent 1024-bit exponentiation [50] ) our implementation is by an order of magnitude faster, scales better for higher security levels, and also ...

doi:10.1007/978-3-662-43414-7_4 fatcat:2zkqm5obynehvomvienyqizocm

Time-Memory Trade-Offs for Side-Channel Resistant Implementations of Block Ciphers [chapter]

Preserved Fulltext

Higher-Order Threshold Implementation of the AES S-Box [chapter]

Preserved Fulltext

Higher-Order Threshold Implementation Of The Aes S-Box

Preserved Fulltext

Detecting Flawed Masking Schemes with Leakage Detection Tests [chapter]

Preserved Fulltext

On the Easiness of Turning Higher-Order Leakages into First-Order [chapter]

Preserved Fulltext

Threshold Implementations in the Robust Probing Model

Preserved Fulltext

Parallel Implementations of Masking Schemes and the Bounded Moment Leakage Model [chapter]

Preserved Fulltext

Masking AES with $$d+1$$ Shares in Hardware [chapter]

Preserved Fulltext

A More Efficient AES Threshold Implementation [chapter]

Preserved Fulltext

Affine Equivalence and Its Application to Tightening Threshold Implementations [chapter]

Preserved Fulltext

Masking AES With d+1 Shares in Hardware

Preserved Fulltext

Digital signal processing in bio-implantable systems: Design challenges and emerging solutions

Preserved Fulltext

Assessment of Hiding the Higher-Order Leakages in Hardware [chapter]

Preserved Fulltext

Higher-Order Threshold Implementations [chapter]

Preserved Fulltext

Towards Practical Lattice-Based Public-Key Encryption on Reconfigurable Hardware [chapter]

Preserved Fulltext