Paper 2021/734

Guarding the First Order: The Rise of AES Maskings

Amund Askeland, University of Bergen
Siemen Dhooghe, KU Leuven COSIC-imec
Svetla Nikova, KU Leuven COSIC-imec, University of Bergen
Vincent Rijmen, KU Leuven COSIC-imec, University of Bergen
Zhenda Zhang, KU Leuven COSIC-imec
Abstract

We provide three first-order hardware maskings of the AES, each allowing for a different trade-off between the number of shares and the number of register stages. All maskings use a generalization of the changing of the guards method enabling the re-use of randomness between masked S-boxes. As a result, the maskings do not require fresh randomness while still allowing for a minimal number of shares and providing provable security in the glitch-extended probing model. The low-area variant has five cycles of latency and a serialized area cost of $8.13~kGE$. The low-latency variant reduces the latency to three cycles while increasing the serialized area by $67.89\%$ compared to the low-area variant. The maskings of the AES encryption are implemented on FPGA and evaluated with Test Vector Leakage Assessment (TVLA).
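
The abstract names two things a practitioner will want to see concretely: a first-order Boolean masking of the AES S-box and the fixed-vs-random TVLA Welch t-test used to evaluate it. The following is an added example written for this page, not code from the paper or its authors. It builds the AES S-box from GF(2^8) inversion plus the affine map, models a two-S-box slice whose registers leak their summed Hamming weight plus Gaussian noise (a constructed leakage model, not measured FPGA traces), and runs the t-test on an unmasked S-box, a two-share masked S-box with fresh output masks, and a toy "reuse" variant in which each S-box's output mask is the other S-box's input mask. The reuse variant only illustrates the general idea that masks can be recycled between S-boxes without creating a first-order mean difference; it is a hypothetical simplification and not the paper's generalised changing-of-the-guards construction, whose glitch-extended probing proof is in the PDF. The plaintext bytes, key bytes, trace count, noise level and seed are all assumptions chosen for the demonstration.

```python
"""Added example (not from the paper): fixed-vs-random TVLA Welch t-test on
constructed Hamming-weight leakage of a two-S-box AES slice, comparing an
unmasked S-box with two-share Boolean-masked variants."""
import random
from math import sqrt

# ---- AES S-box built from GF(2^8) inversion (x^254) and the affine map ----
def _xtime(a):
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def _gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _gf_inv(a):
    r = 1
    for _ in range(254):          # a^254 = a^-1 in GF(2^8); 0 maps to 0
        r = _gf_mul(r, a)
    return r

def _affine(b):
    rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return b ^ rot(b, 1) ^ rot(b, 2) ^ rot(b, 3) ^ rot(b, 4) ^ 0x63

SBOX = [_affine(_gf_inv(x)) for x in range(256)]
HW = [bin(v).count("1") for v in range(256)]

def masked_sbox(x_masked, r_in, r_out):
    """Two-share S-box by table recomputation: T[i] = S[i ^ r_in] ^ r_out.
    Indexing T with x ^ r_in yields S[x] ^ r_out; the unmasked x is never
    formed as an intermediate value."""
    table = [SBOX[i ^ r_in] ^ r_out for i in range(256)]
    return table[x_masked]

def leak_sample(pts, keys, mode, rng, sigma=1.0):
    """One constructed trace sample: summed Hamming weight of every register
    of a two-S-box slice plus Gaussian noise.  mode is 'unmasked', 'fresh'
    (independent output mask per S-box) or 'reuse' (toy recycling: S-box a's
    output mask is S-box b's input mask and vice versa)."""
    xs = [p ^ k for p, k in zip(pts, keys)]
    if mode == "unmasked":
        regs = [SBOX[x] for x in xs]
    else:
        r_in = [rng.randrange(256) for _ in xs]
        r_out = [rng.randrange(256) for _ in xs] if mode == "fresh" else r_in[::-1]
        regs = []
        for x, ri, ro in zip(xs, r_in, r_out):
            # input share pair, output mask register, masked S-box output
            regs += [ri, x ^ ri, ro, masked_sbox(x ^ ri, ri, ro)]
    return sum(HW[v] for v in regs) + rng.gauss(0.0, sigma)

def welch_t(a, b):
    """Welch's t-statistic between two sample sets (unequal variances)."""
    def stats(s):
        n = len(s)
        m = sum(s) / n
        v = sum((x - m) ** 2 for x in s) / (n - 1)
        return n, m, v
    na, ma, va = stats(a)
    nb, mb, vb = stats(b)
    return (ma - mb) / sqrt(va / na + vb / nb)

def tvla(mode, n_traces=1000, seed=1, fixed_pts=(0x56, 0x00), keys=(0x2B, 0x7E)):
    """Fixed-vs-random first-order TVLA: returns the t-value for one sample
    point.  Plaintexts, keys, trace count and seed are assumed values."""
    rng = random.Random(seed)
    fixed = [leak_sample(fixed_pts, keys, mode, rng) for _ in range(n_traces)]
    rnd = [leak_sample((rng.randrange(256), rng.randrange(256)), keys, mode, rng)
           for _ in range(n_traces)]
    return welch_t(fixed, rnd)

THRESHOLD = 4.5   # customary TVLA pass/fail bound on |t|

if __name__ == "__main__":
    for mode in ("unmasked", "fresh", "reuse"):
        t = tvla(mode)
        verdict = "LEAKS" if abs(t) > THRESHOLD else "passes first-order TVLA"
        print(f"{mode:9s} |t| = {abs(t):6.2f}  {verdict}")
```

The unmasked slice fails by a wide margin because the fixed-input S-box outputs have a Hamming weight far from the random-input mean, while both masked variants pass: every register holds a uniformly distributed share, so the first-order mean is independent of the secret. Passing this single-sample, single-order test says nothing about second-order combinations of shares (in the reuse variant, a pair of registers does reveal a secret-dependent value) or about glitches, which is why the paper argues security in the glitch-extended probing model rather than by TVLA alone.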

Note: Changed Table 1 and 2 to show the number of register layers instead of cycles for the S-box.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Published elsewhere. Minor revision. CARDIS 2022
Keywords
AES, Hardware, Probing Security, Threshold Implementations
Contact author(s)
amund askeland @ uib no
siemen dhooghe @ esat kuleuven be
svetla nikova @ esat kuleuven be
vincent rijmen @ esat kuleuven be
zhenda zhang @ esat kuleuven be
History
2024-04-23: last of 5 revisions
2021-06-03: received
Short URL
https://ia.cr/2021/734
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2021/734,
      author = {Amund Askeland and Siemen Dhooghe and Svetla Nikova and Vincent Rijmen and Zhenda Zhang},
      title = {Guarding the First Order: The Rise of AES Maskings},
      howpublished = {Cryptology ePrint Archive, Paper 2021/734},
      year = {2021},
      note = {\url{https://eprint.iacr.org/2021/734}},
      url = {https://eprint.iacr.org/2021/734}
}