Hardware Performance Evaluation of Authenticated Encryption SAEAES with Threshold Implementation

SAEAES is the authenticated encryption algorithm obtained by instantiating the SAEB mode of operation with AES, and it was a candidate in NIST's lightweight cryptography competition. Using AES has the advantage of backward compatibility with the accelerators and coprocessors that industry has already invested in. Still, newer lightweight block ciphers (e.g., GIFT) outperform AES in compact implementations, especially once a side-channel countermeasure such as threshold implementation (TI) is added. This paper presents the first threshold implementation of SAEAES and evaluates the cost paid for that backward compatibility. We design a new circuit architecture with column-oriented serialization, built on the recent 3-share uniform TI of the AES S-box that relies on the generalized changing of the guards. Our design occupies 18,288 GE, of which AES accounts for 97%. The circuit area is roughly three times that of the conventional SAEB-GIFT implementation (6,229 GE), because of the large memory needed for AES's non-linear key schedule and for the extended state required to satisfy uniformity in TI.
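The three TI properties the abstract relies on (correctness, non-completeness, uniformity) and the reason extra state is needed for uniformity can be checked exhaustively on a toy S-box. The script below is an added illustration, not the paper's AES circuit nor Sugawara's generalized construction: it shares a 3-bit chi S-box (assumed here as a small stand-in for the AES S-box) with three shares, shows that the direct sharing is correct and non-complete but not uniform, and then wires one S-box layer with the original 3-share "changing of the guards" (two guard shares carried between boxes) and verifies that the guarded layer becomes a bijection on the extended state, i.e., uniform. Function names, the layout of the share vectors and the single-box layer size are choices made for this example.

```python
"""Added example (not the paper's code): 3-share threshold implementation (TI)
of a 3-bit chi S-box, its direct sharing, and a 3-share "changing of the
guards" S-box layer, with exhaustive checks of correctness, non-completeness
and uniformity."""
from functools import lru_cache
from itertools import product

N = 3                       # S-box width; chi is invertible only for odd N
VALS = range(1 << N)        # all unshared / per-share values 0..7


def bit(v, i):
    return (v >> (i % N)) & 1


def chi(x):
    """Unshared S-box: y_i = x_i XOR (NOT x_{i+1}) AND x_{i+2}."""
    return sum((bit(x, i) ^ ((bit(x, i + 1) ^ 1) & bit(x, i + 2))) << i
               for i in range(N))


def cross(u, v):
    """Mixed AND terms between two shares: u_{i+1} v_{i+2} XOR v_{i+1} u_{i+2}."""
    return sum(((bit(u, i + 1) & bit(v, i + 2)) ^ (bit(v, i + 1) & bit(u, i + 2))) << i
               for i in range(N))


@lru_cache(maxsize=None)
def chi_ti(a, b, c):
    """Direct 3-share TI of chi: share A reads only b and c, B only c and a,
    C only a and b (non-complete), and A ^ B ^ C == chi(a ^ b ^ c) (correct)."""
    return chi(b) ^ cross(b, c), chi(c) ^ cross(c, a), chi(a) ^ cross(a, b)


def direct_layer(avec, bvec, cvec):
    """m independent shared chi boxes, no guard; all share vectors have length m."""
    A, B, C = zip(*(chi_ti(a, b, c) for a, b, c in zip(avec, bvec, cvec)))
    return list(A), list(B), list(C)


def guarded_layer(avec, bvec, cvec):
    """m shared chi boxes under 3-share changing of the guards (assumed wiring).
    avec = [a_1..a_m]; bvec = [b_0, b_1..b_m]; cvec = [c_0, c_1..c_m]; index 0
    holds the guard.  Box j masks its outputs with box j-1's b and c shares;
    the last box's b and c shares are passed on as the next guard."""
    m = len(avec)
    A, B, C = [], [bvec[m]], [cvec[m]]
    for j in range(1, m + 1):
        Aj, Bj, Cj = chi_ti(avec[j - 1], bvec[j], cvec[j])
        A.append(Aj ^ bvec[j - 1] ^ cvec[j - 1])   # still free of every a share
        B.append(Bj ^ cvec[j - 1])                 # still free of every b share
        C.append(Cj ^ bvec[j - 1])                 # still free of every c share
    return A, B, C


def states(m, guard):
    """Every shared input of an m-box layer (m=1: 2^9 direct, 2^15 guarded)."""
    g = 1 if guard else 0
    return [(list(a), list(b), list(c))
            for a in product(VALS, repeat=m)
            for b in product(VALS, repeat=m + g)
            for c in product(VALS, repeat=m + g)]


def is_correct(layer, sts):
    """Recombining the output shares of each box gives chi of its unshared input."""
    for avec, bvec, cvec in sts:
        A, B, C = layer(avec, bvec, cvec)
        g = len(bvec) - len(avec)              # 1 when a guard is present
        for j in range(len(avec)):
            if A[j] ^ B[j + g] ^ C[j + g] != chi(avec[j] ^ bvec[j + g] ^ cvec[j + g]):
                return False
    return True


def is_non_complete(layer, sts):
    """Every output component must be independent of at least one input share.
    A share influences an output iff flipping one of its bits changes it."""
    dep = {}
    for st in sts:
        ref = layer(*st)
        for k in range(3):
            for pos in range(len(st[k])):
                for i in range(N):
                    alt = [list(v) for v in st]
                    alt[k][pos] ^= 1 << i
                    out = layer(*alt)
                    for ko in range(3):
                        for po in range(len(out[ko])):
                            if out[ko][po] != ref[ko][po]:
                                dep.setdefault((ko, po), set()).add(k)
    return all(len(d) < 3 for d in dep.values())


def is_uniform(layer, sts):
    """chi is a permutation, so a correct sharing is uniform exactly when the
    shared map is a bijection on the whole shared state (guard included)."""
    seen = {tuple(map(tuple, layer(*st))) for st in sts}
    return len(seen) == len(sts)


if __name__ == "__main__":
    for name, layer, sts in (("direct", direct_layer, states(1, False)),
                             ("guarded", guarded_layer, states(1, True))):
        print(f"{name:8s} correct={is_correct(layer, sts)} "
              f"non_complete={is_non_complete(layer, sts)} "
              f"uniform={is_uniform(layer, sts)}")
```

The direct sharing fails uniformity because distinct sharings of the same input collide, for example chi_ti(3, 3, 1) and chi_ti(7, 1, 7) (both share x = 1) produce the same output shares, so the output shares are no longer a uniformly distributed masking and the next round's non-completeness no longer guarantees first-order security. The guarded layer trades that for six extra state bits per layer; the same trade, scaled to the AES S-box and its key schedule, is the memory overhead the abstract reports.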
