Side Channel Resistance at a Cost: A Comparison of ARX-Based Authenticated Encryption

Lightweight cryptography offers viable security solutions for resource-constrained Internet of Things (IoT) devices. However, IoT devices have implementation vulnerabilities such as side channel attacks (SCA), where observation of physical phenomena associated with device operations can reveal sensitive internal contents. The U.S. National Institute of Standards and Technology has called for lightweight cryptographic solutions to process authenticated encryption with associated data (AEAD), and is evaluating candidates for suitability in a Lightweight Cryptography (LWC) Standardization Process. Two Round 2 candidate variants, COMET-CHAM and SCHWAEMM, use Addition-Rotation-XOR (ARX) primitives. However, ARX ciphers are known to be costly to protect against certain SCA. In this work we implement side channel protected versions of COMET-CHAM and SCHWAEMM using register transfer level design. Identical protection schemes consisting of a threshold implementation (TI)-protected Kogge-Stone adder are adopted. Resistance to power side channel analysis is verified on an Artix-7 FPGA target device. Implementations comply with the Hardware API for Lightweight Cryptography, and use a custom-designed extension of the Development Package for the Hardware API for Lightweight Cryptography which enables test and evaluation of side channel resistant designs. We compare side channel protection costs of the two candidates against each other, against their unprotected counterparts, and against previous side channel protected AEAD implementations. COMET-CHAM is shown to consume less area and power, while SCHWAEMM has higher throughput and throughput-to-area ratio, and is more energy efficient. On average, the costs of protecting these ciphers against SCA are 32% more in area and 38% more in power, compared to the average protection costs for a large selection of previously-evaluated ciphers of similar implementation. Our results highlight the costs involved in implementing side channel protected ARX ciphers, and help to inform NIST LWC late round and final portfolio selections.
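The abstract names the central building block, a TI-protected Kogge-Stone adder, without showing why modular addition is the expensive part of masking an ARX cipher. The following Python model is an added illustration, not the paper's RTL design or any code from the authors: it implements an unprotected Kogge-Stone parallel-prefix adder, then re-runs the same prefix network on three Boolean shares using the classic three-share TI AND gadget (each output share is computed without one of the input shares, the non-completeness property), and checks that recombining the shares gives the correct sum. Function names, the share layout and the random-number source are assumptions of this example. The model captures only the correctness and non-completeness of the sharing; a hardware TI would additionally place registers between the nonlinear layers to stop glitches and refresh masks to restore uniformity, which is where the area and power costs reported above come from.

```python
"""Kogge-Stone adder and a three-share, TI-style masked version of it.

Added illustration in software; not the paper's RTL design.
"""
import secrets

Shares = tuple  # three width-bit integers whose XOR is the secret value


def kogge_stone_add(a: int, b: int, width: int = 32) -> int:
    """Unprotected Kogge-Stone parallel-prefix adder, modulo 2**width.

    g/p are per-bit generate/propagate.  Each stage combines blocks of span d,
    so the carry chain resolves in log2(width) stages rather than width ripple
    steps.  With p = a ^ b, generate and propagate never overlap, so XOR can
    replace the OR in the prefix operator (which matters once we mask).
    """
    mask = (1 << width) - 1
    a &= mask
    b &= mask
    p = a ^ b
    G, P = a & b, p           # running group generate / group propagate
    d = 1
    while d < width:
        # (G_i, P_i) o (G_{i-d}, P_{i-d}); the shift aligns the lower block under bit i
        G = G ^ (P & ((G << d) & mask))
        P = P & ((P << d) & mask)
        d <<= 1
    carry_in = (G << 1) & mask   # carry into bit i = group generate of bits 0..i-1
    return p ^ carry_in


def share(x: int, width: int, rng=secrets.randbits) -> Shares:
    """Split x into three Boolean shares (rng is a parameter so tests can be deterministic)."""
    mask = (1 << width) - 1
    s1, s2 = rng(width), rng(width)
    return (s1, s2, (x ^ s1 ^ s2) & mask)


def unshare(xs: Shares) -> int:
    return xs[0] ^ xs[1] ^ xs[2]


def m_xor(xs: Shares, ys: Shares) -> Shares:
    """XOR is linear: operate share-wise, no randomness needed."""
    return tuple(x ^ y for x, y in zip(xs, ys))


def m_shl(xs: Shares, d: int, mask: int) -> Shares:
    """Bit shifts are linear too: apply to each share."""
    return tuple((x << d) & mask for x in xs)


def m_and(xs: Shares, ys: Shares) -> Shares:
    """Three-share TI AND (bitwise on width-bit words).

    Output share k uses no input share with index k (non-completeness), so a
    single output share leaks nothing about the unshared inputs.  The nine
    cross terms XOR to (a1^a2^a3)&(b1^b2^b3), so correctness holds.  In
    hardware each such layer sits behind a register stage.
    """
    a1, a2, a3 = xs
    b1, b2, b3 = ys
    c1 = (a2 & b2) ^ (a2 & b3) ^ (a3 & b2)
    c2 = (a3 & b3) ^ (a3 & b1) ^ (a1 & b3)
    c3 = (a1 & b1) ^ (a1 & b2) ^ (a2 & b1)
    return (c1, c2, c3)


def masked_kogge_stone_add(xs: Shares, ys: Shares, width: int = 32) -> Shares:
    """Same prefix network as kogge_stone_add, evaluated on shares.

    Every AND in the unprotected adder becomes one m_and gadget: one for the
    initial generate plus two per prefix stage, i.e. 1 + 2*log2(width) gadgets
    per bit.  That count is the masking overhead a ripple-free ARX adder pays.
    """
    mask = (1 << width) - 1
    p = m_xor(xs, ys)
    G, P = m_and(xs, ys), p
    d = 1
    while d < width:
        G = m_xor(G, m_and(P, m_shl(G, d, mask)))
        P = m_and(P, m_shl(P, d, mask))
        d <<= 1
    return m_xor(p, m_shl(G, 1, mask))


def check_masked_adder(trials: int = 200, width: int = 32, rng=secrets.randbits) -> bool:
    """Random self-check: masked result must equal both the plain adder and (a+b) mod 2^width."""
    mask = (1 << width) - 1
    for _ in range(trials):
        a, b = rng(width), rng(width)
        s = unshare(masked_kogge_stone_add(share(a, width, rng), share(b, width, rng), width))
        if s != (a + b) & mask or s != kogge_stone_add(a, b, width):
            return False
    return True


if __name__ == "__main__":
    print(hex(kogge_stone_add(0x12345678, 0x9ABCDEF0)))
    print("masked adder consistent:", check_masked_adder())
```

Run as a script to see the 32-bit sum and the self-check; the interesting part for a hardware designer is the gadget count in `masked_kogge_stone_add`, which is what the three-share TI register stages and randomness scale with.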
