Spin Me Right Round: Rotational Symmetry for FPGA-Specific AES: Extended Version

The effort in reducing the area of AES implementations has largely been focused on application-specific integrated circuits (ASICs), where a tower-field construction leads to a small design of the AES S-box. In contrast, a naive implementation of the AES S-box has remained the status quo on field-programmable gate arrays (FPGAs). A similar discrepancy holds for masking schemes, a well-known side-channel analysis countermeasure, which are commonly optimized to achieve minimal area in ASICs. In this paper, we demonstrate a representation of the AES S-box that exploits rotational symmetry and leads to a 50% reduction in the area footprint on FPGA devices. We present new AES implementations which improve on the state of the art and explore various trade-offs between area and latency. For instance, at the cost of a 4.5-fold increase in latency, one of our design variants requires 25% fewer look-up tables (LUTs) than the smallest known AES on Xilinx FPGAs by Sasdrich and Güneysu at ASAP 2016. We further explore the protection of such implementations against side-channel attacks. We introduce a generic methodology for masking any n-bit Boolean function of degree t with protection order d. The methodology is exact for first order and heuristic for higher orders. Its application to our new construction of the AES S-box allows us to improve on previous results and introduce the smallest first-order masked AES implementation on Xilinx FPGAs to date.
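The rotational symmetry the abstract relies on can be checked directly. The following Python is an added illustration, not code from the paper: it shows that inversion in GF(2^8) commutes with a 1-bit rotation once elements are written in a normal basis (squaring is then a rotation of the coordinate vector, and inv(x^2) = inv(x)^2), that the inversion table therefore collapses to 36 rotation-orbit representatives, and that the full AES S-box can be rebuilt from that reduced table. The normal basis is found by brute-force search here; the paper's own basis choice and hardware mapping are not given on this page.

```python
def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r
def gf_inv(a):
    """Inverse by exhaustive search; 0 maps to 0, as the AES S-box requires."""
    return next((b for b in range(1, 256) if gf_mul(a, b) == 1), 0)
def rotl(x, k=1):
    return ((x << k) | (x >> (8 - k))) & 0xFF

def from_coords(c, basis):
    """Field element whose coordinate vector is c (bit i selects basis[i])."""
    e = 0
    for i in range(8):
        if c >> i & 1:
            e ^= basis[i]
    return e
def find_normal_basis():
    """Conjugates b, b^2, ..., b^128 of the first b for which they form a basis (search, not the paper's choice)."""
    for b in range(1, 256):
        conj = [b]
        for _ in range(7):
            conj.append(gf_mul(conj[-1], conj[-1]))
        if len({from_coords(c, conj) for c in range(256)}) == 256:
            return conj

CONJ = find_normal_basis()
TO_POLY = [from_coords(c, CONJ) for c in range(256)]   # normal coords -> element
TO_NORMAL = {e: c for c, e in enumerate(TO_POLY)}      # element -> normal coords

def inv_normal(c):
    """Inversion with input and output in normal-basis coordinates."""
    return TO_NORMAL[gf_inv(TO_POLY[c])]
def rotation_symmetric():
    """Squaring is a 1-bit rotation of normal coords, and inv(x^2) = inv(x)^2."""
    return all(inv_normal(rotl(c)) == rotl(inv_normal(c)) for c in range(256))

def orbit_table():
    """Inverse of one representative (smallest rotation) per rotation orbit: 36 entries instead of 256."""
    return {r: inv_normal(r) for r in {min(rotl(c, k) for k in range(8)) for c in range(256)}}
def aes_sbox(x, table):
    """S-box from the orbit table: rotate to the representative, look up, rotate back, then the AES affine map."""
    rep, j = min((rotl(TO_NORMAL[x], m), m) for m in range(8))  # rep = coords rotated left by j
    y = TO_POLY[rotl(table[rep], (8 - j) % 8)]                  # undo that rotation on the inverse
    return y ^ rotl(y, 1) ^ rotl(y, 2) ^ rotl(y, 3) ^ rotl(y, 4) ^ 0x63
```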
