Higher-Order Threshold Implementations [chapter]

Begül Bilgin, Benedikt Gierlichs, Svetla Nikova, Ventzislav Nikov, Vincent Rijmen
2014 Lecture Notes in Computer Science  
Higher-order differential power analysis attacks are a serious threat for cryptographic hardware implementations. In particular, glitches in the circuit make it hard to protect the implementation with masking. The existing higher-order masking countermeasures that guarantee security in the presence of glitches use multi-party computation techniques and require a lot of resources in terms of circuit area and randomness. The Threshold Implementation method is also based on multi-party computation
more » ... but it is more area and randomness efficient. Moreover, it typically requires less clock-cycles since all parties can operate simultaneously. However, so far it is only provable secure against 1 st -order DPA. We address this gap and extend the Threshold Implementation technique to higher orders. We define generic constructions and prove their security. To illustrate the approach, we provide 1 st , 2 nd and 3 rd -order DPA-resistant implementations of the block cipher KATAN-32. Our analysis of 300 million power traces measured from an FPGA implementation supports the security proofs. Lemma 1. The attack order in a higher-order DPA corresponds to the number of wires that are probed in the circuit (per unmasked bit).
doi:10.1007/978-3-662-45608-8_18 fatcat:prm5ogxf7veihhw4w53topjre4