Masking AES With d+1 Shares in Hardware
2016
Proceedings of the 2016 ACM Workshop on Theory of Implementation Security - TIS'16
d + 1 shares. ...
In this paper, we give practical implementations of the AES using d + 1 shares aiming at first- and second-order security even in the presence of glitches. ...
This work was supported in part by NIST ...
doi:10.1145/2996366.2996428
dblp:conf/ccs/CnuddeRBNNR16
fatcat:uj2d7vjp7jclnboe7ukmayqssm
Masking AES with $d+1$ Shares in Hardware
[chapter]
2016
Lecture Notes in Computer Science
d + 1 shares. ...
In this paper, we give practical implementations of the AES using d + 1 shares aiming at first- and second-order security even in the presence of glitches. ...
This work was supported in part by NIST ...
doi:10.1007/978-3-662-53140-2_10
fatcat:zyxgtv6adjhrzdvo46gi2zfsvi
An Efficient Side-Channel Protected AES Implementation with Arbitrary Protection Order
[chapter]
2017
Lecture Notes in Computer Science
At CHES 2016, De Cnudde et al. [7] demonstrated the suitability of using only d+1 shares on an AES hardware design. ...
In this work, we demonstrate how the randomness requirements for d + 1 masking can be lowered from (d + 1)^2 to only d(d + 1)/2. ...
In comparison with the recently published d + 1 share AES design [7], our design requires just d(d + 1)/2 fresh random shares instead of (d + 1)^2. ...
doi:10.1007/978-3-319-52153-4_6
fatcat:p4xs4tuwtfbohenlboa3fd2iaq
Low-Latency Hardware Masking with Application to AES
2020
Transactions on Cryptographic Hardware and Embedded Systems
In this paper, we present a hardware masking technique which does not increase the latency for such algorithms. ...
Unfortunately, many hardware masking techniques can lead to increased latency compared to unprotected circuits for algorithms such as AES, due to the high-degree of nonlinear functions in their designs ...
Composability and d-Strong Non-Interference In [RP10] the authors present an AES implementation using d + 1 shares, with the claim of dth-order security. ...
doi:10.13154/tches.v2020.i2.300-326
dblp:journals/tches/SasdrichBHM20
fatcat:eai3v3vyl5bqbg7mwkrasr3sda
Domain-Oriented Masking
2016
Proceedings of the 2016 ACM Workshop on Theory of Implementation Security - TIS'16
The presented AES implementation is built in a way that it can be synthesized for any protection order. ...
We introduce a novel masking approach called domain-oriented masking (DOM). ...
A DOM implementation uses d + 1 shares per variable in order to achieve dth-order security. There are d + 1 domains in this case. ...
doi:10.1145/2996366.2996426
dblp:conf/ccs/GrossMK16
fatcat:2zklq624cjfufgy2zoprnhe6qa
New First-Order Secure AES Performance Records
2021
Transactions on Cryptographic Hardware and Embedded Systems
Constructing SCA-protected AES, as the most widely deployed block cipher, has been naturally the focus of several research projects, with a direct application in industry. ...
five first-order secure AES encryptions/decryptions simultaneously in 50 clock cycles. ...
Acknowledgments The work described in this paper has been supported in part by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany's Excellence Strategy - EXC 2092 CASA - ...
doi:10.46586/tches.v2021.i2.304-327
fatcat:r2st3yhkbjga7ar347ahr4jsm4
Re-Consolidating First-Order Masking Schemes
2020
Transactions on Cryptographic Hardware and Embedded Systems
Among them, classical threshold implementations force the designers to use at least three shares in the underlying masking. ...
The other schemes, which can deal with two shares, often necessitates the use of fresh randomness. Here, in this work, we present a technique allowing us to use two shares to realize the first-order glitch-extended ...
Acknowledgements The work described in this paper has been supported in part by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany's Excellence Strategy - EXC 2092 CASA ...
doi:10.46586/tches.v2021.i1.305-342
fatcat:xihq4odxd5df3lh42j56byc3sa
Provably Secure Higher-Order Masking of AES
[chapter]
2010
Lecture Notes in Computer Science
When dth-order masking is involved (i.e. when d masks are used per key-dependent variable), the complexity of performing an SCA grows exponentially with the order d. ...
This paper presents the first generic dth-order masking scheme for AES with a provable security and a reasonable software implementation overhead. ...
The point is that if an attacker observes noisy side channel information about d + 1 shares corresponding to a variable masked with d random masks, the number of samples required to retrieve information ...
doi:10.1007/978-3-642-15031-9_28
fatcat:hzx2cmhqibcfpeexevjotos6gq
Multiplicative Masking for AES in Hardware
2018
Transactions on Cryptographic Hardware and Embedded Systems
Up to now, sound higher-order multiplicative masking schemes have been implemented only in software. In this work, we demonstrate the first hardware implementation of AES using multiplicative masks. ...
Hardware masked AES designs usually rely on Boolean masking and perform the computation of the S-box using the tower-field decomposition. ...
This means that for any number of shares, the original multiplicative masking scheme is vulnerable to first-order DPA.
Masking in Hardware Masking in hardware requires special care. ...
doi:10.13154/tches.v2018.i3.431-468
dblp:journals/tches/MeyerRB18
fatcat:r5zso3vdhjg6ndhxvht573mn7u
Generic Low-Latency Masking in Hardware
2018
Transactions on Cryptographic Hardware and Embedded Systems
As a result, we obtain a first-order masked AES S-box that is calculated in a single clock cycle with rather high implementation costs (60.7 kGE), and a two-cycle variant with much less implementation ...
The main idea of our approach is to avoid collisions of shared variables in nonlinear circuit parts and to skip the share compression. ...
The work has been supported in part by the Austrian Science Fund (FWF) through project P26494-N15, project W1255-N23, and S11406. ...
doi:10.13154/tches.v2018.i2.1-21
dblp:journals/tches/GrossIB18
fatcat:2vlxvw74p5auda55js2i2mme5a
Hardware Masking, Revisited
2018
Transactions on Cryptographic Hardware and Embedded Systems
associated to each share. ...
Hardware masking schemes have shown many advances in the past few years. Through a series of publications their implementation cost has dropped significantly and flaws have been fixed where present. ...
Acknowledgments This work is supported in part by NIST with the research grant 60NANB15D346 and the German Research Foundation (DFG) through the project NaSCA (Nano-Scale Side-Channel Analysis). ...
doi:10.13154/tches.v2018.i2.123-148
dblp:journals/tches/CnuddeEM18
fatcat:ppbii5yiw5ahrnat2v3affsmaa
Pushing the Limits: A Very Compact and a Threshold Implementation of AES
[chapter]
2011
Lecture Notes in Computer Science
Our contribution is twofold: first we describe a very compact hardware implementation of AES-128, which requires only 2400 GE. ...
Then we apply the threshold countermeasure by Nikova et al. to the AES S-box and yield an implementation of the AES improving the level of resistance against first-order side-channel attacks. ...
Acknowledgment The authors would like to thank Akashi Satoh and Research Center for Information Security (RCIS) of Japan for the prompt and kind help in obtaining SASEBOs, and François-Xavier Standaert ...
doi:10.1007/978-3-642-20465-4_6
fatcat:ozdax4u4nnhfzi4qj6ukeojxqm
Generic Hardware Private Circuits
2021
Transactions on Cryptographic Hardware and Embedded Systems
Over the last decade, a lion's share of research in this area has been dedicated to developing countermeasures at an algorithmic level. ...
In particular, we present a design methodology to generate first-order secure masked gadgets which is well-suited for integration into existing Electronic Design Automation (EDA) tools for automated hardware ...
Acknowledgments The work described in this paper has been supported in part by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany's Excellence Strategy - EXC 2092 CASA - ...
doi:10.46586/tches.v2022.i1.323-344
fatcat:p5faqxjxt5agvkmybups5nmfli
RS-Mask: Random Space Masking as an Integrated Countermeasure against Power and Fault Analysis
[article]
2019
arXiv
pre-print
We additionally show that an FPGA implementation of AES, protected with RS-Mask, is resistant to power analysis SCA using Welch's t-test. ...
The area of the RS-Masked AES is about 3.5 times that of an unprotected AES implementation of similar architecture, and about 2 times that of a known FPGA SCA-resistant AES implementation. ...
ACKNOWLEDGEMENT This work was supported by NIST award 70NANB18H219 for Lightweight Cryptography in Hardware and Embedded Systems. ...
arXiv:1911.11278v1
fatcat:r6b4lb6kcfai5loenmsawcqkoe
A secure and highly efficient first-order masking scheme for AES linear operations
2021
Cybersecurity
In order to show its practical implications, we replace the linear operations of state-of-the-art first-order AES masking schemes with our proposal, while keeping their original non-linear operations unchanged ...
Specifically, we discover some security flaws and redundant processes in popular first-order masked AES linear operations, and pinpoint the underlying root causes. ...
Authors' contributions JM and YZ proposed the first-order AES masking scheme, and drafted the manuscript. HL participated in problem discussions and improvements of the manuscript. ...
doi:10.1186/s42400-021-00082-w
fatcat:plvsycs6fnf27hd77haxy5gviq