Spin Me Right Round Rotational Symmetry for FPGA-Specific AES: Extended Version

The effort in reducing the area of AES implementations has largely been focused on Application-Specific Integrated Circuits (ASICs), in which a tower field construction leads to a small design of the AES S-box. In contrast, a naive implementation of the AES S-box has been the status quo on Field-Programmable Gate Arrays (FPGAs). A similar discrepancy holds for masking schemes, a well-known side-channel analysis countermeasure, which are commonly optimized to achieve minimal area in ASICs. In this paper we demonstrate a representation of the AES S-box exploiting rotational symmetry which leads to a 50% reduction of the area footprint on FPGA devices. We present new AES implementations which improve on the state of the art and explore various trade-offs between area and latency. For instance, at the cost of a 4.5 times higher latency, one of our design variants requires 25% fewer look-up tables (LUTs) than the smallest known AES on Xilinx FPGAs by Sasdrich and Güneysu at ASAP 2016. We further explore the protection of such implementations against first-order side-channel analysis attacks. Targeting the small area footprint on FPGAs, we introduce a heuristic-based algorithm to find a masking of a given function with d + 1 shares. Its application to our new construction of the AES S-box allows us to introduce the smallest masked AES implementation on Xilinx FPGAs to date.
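The following is an added worked example, not code from the paper, illustrating what "rotational symmetry" of the AES S-box buys in hardware: it assumes the symmetry in question is the classical normal-basis one (in a normal basis of GF(2^8), squaring is a cyclic rotation of the coordinate bits and commutes with inversion), so a single 8-input, 1-output Boolean function fed by a rotating input register reproduces all eight output bits of the inversion; the affine layer and the choice of the smallest normal element are the example's own.

```python
# Added example, not from the paper. Assumption: the symmetry is the classical
# one: in a normal basis of GF(2^8) squaring is a cyclic bit rotation that
# commutes with inversion, so one 8-in/1-out function plus rotation suffices.
AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1
def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (AES_POLY if a & 0x80 else 0)
        b >>= 1
    return r
def gf_inv(a):
    """a^254, the AES inverse (inv(0) = 0)."""
    r, p = 1, a
    for _ in range(7):
        p = gf_mul(p, p)
        r = gf_mul(r, p)
    return r
def normal_basis():
    """Smallest beta whose conjugates beta^(2^i), i=0..7, span GF(2^8)."""
    for beta in range(2, 256):
        basis, span = [beta], {0}
        for _ in range(7):
            basis.append(gf_mul(basis[-1], basis[-1]))
        for v in basis:
            span |= {x ^ v for x in span}
        if len(span) == 256:
            return basis

BASIS = normal_basis()
FROM_NORMAL = [0] * 256  # normal-basis coordinates -> field element
for c in range(256):
    for i in range(8):
        if c >> i & 1:
            FROM_NORMAL[c] ^= BASIS[i]
TO_NORMAL = {v: c for c, v in enumerate(FROM_NORMAL)}
def rotl(c, k=1):  # cyclic left rotation of the 8 coordinate bits
    return ((c << k) | (c >> (8 - k))) & 0xFF
def inv_normal(c):  # inversion expressed on normal-basis coordinates
    return TO_NORMAL[gf_inv(FROM_NORMAL[c])]

def inv_by_rotation(c):
    """Uses only bit 0 of inv_normal: since inv commutes with rotl,
    bit j of inv(c) equals bit 0 of inv(rotr(c, j))."""
    return sum((inv_normal(rotl(c, (8 - j) % 8)) & 1) << j for j in range(8))

def sbox(x):
    """AES S-box: rotation-built inverse, then the affine layer (const 0x63)."""
    a = FROM_NORMAL[inv_by_rotation(TO_NORMAL[x])]
    return a ^ rotl(a, 1) ^ rotl(a, 2) ^ rotl(a, 3) ^ rotl(a, 4) ^ 0x63
```

The affine layer is applied in the polynomial basis after the inversion because it does not commute with the rotation; only the inversion enjoys the symmetry.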
