Abstract
Threshold Implementation (TI) is an elegant and promising lightweight countermeasure for hardware implementations to resist first order Differential Power Analysis (DPA) in the presence of glitches. Unfortunately, in its most efficient version with only three shares, it can only be applied to 50 % of all 4-bit S-boxes so far. In this paper, we introduce a new approach, called factorization, that enables us to protect all 4-bit S-boxes with a 3-share TI. This allows—for the first time—to protect numerous important ciphers to which the 3-share TI countermeasure was previously not applicable, such as CLEFIA, DES, DESL, GOST, HUMMINGBIRD1, HUMMINGBIRD2, LUCIFER, mCrypton, SERPENT, TWINE, TWOFISH among others. We verify the security and correctness with experiments on simulations and real world power traces and finally provide exemplary decompositions of all those S-boxes.
Notes
1. See Sect. 5 for our detailed line of argumentation.
References
1. NIST: Recommendation for random number generation using deterministic random bit generators. NIST Special Publication 800-90A, Technical report (2012). http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf
2. Bertoni, G., Daemen, J., Debande, N., Le, T.-H., Peeters, M., Van Assche, G.: Power analysis of hardware implementations protected with secret sharing. Cryptology ePrint Archive, Report 2013/067 (2013). http://eprint.iacr.org/
3. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Building power analysis resistant implementations of KECCAK. In: Second SHA-3 Candidate Conference (2010)
4. Biham, E., Anderson, R., Knudsen, L.R.: SERPENT: a new block cipher proposal. In: Vaudenay, S. (ed.) FSE 1998. LNCS, vol. 1372, pp. 222–238. Springer, Heidelberg (1998)
5. Bilgin, B., Nikova, S., Nikov, V., Rijmen, V., Stütz, G.: Threshold implementations of all \(3 \times 3\) and \(4 \times 4\) s-boxes. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 76–91. Springer, Heidelberg (2012)
6. Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004)
7. Coron, J.-S., Goubin, L.: On Boolean and arithmetic masking against differential power analysis. In: Koç, Ç.K., Paar, C., et al. (eds.) CHES 2000. LNCS, vol. 1965, pp. 231–237. Springer, Heidelberg (2000)
8. Engels, D., Saarinen, M.-J.O., Schweitzer, P., Smith, E.M.: The HUMMINGBIRD-2 lightweight authenticated encryption algorithm. In: Juels, A., Paar, C. (eds.) RFIDSec 2011. LNCS, vol. 7055, pp. 19–31. Springer, Heidelberg (2012)
9. Fan, X., Hu, H., Gong, G., Smith, E.M., Engels, D.: Lightweight implementation of HUMMINGBIRD cryptographic algorithm on 4-bit microcontroller. In: ICITST 2009 (2009)
10. Gandolfi, K., Mourtel, C., Olivier, F.: Electromagnetic analysis: concrete results. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 251–261. Springer, Heidelberg (2001)
11. Gierlichs, B., Batina, L., Tuyls, P., Preneel, B.: Mutual information analysis. In: Oswald, E., Rohatgi, P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 426–442. Springer, Heidelberg (2008)
12. Jacobson, N.: Basic Algebra, vol. 1, 2nd edn. Dover, Mineola (2009). ISBN 978-0-486-47189-1
13. Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)
14. Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)
15. Leander, G., Paar, C., Poschmann, A., Schramm, K.: New lightweight DES variants. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 196–210. Springer, Heidelberg (2007)
16. Lim, C.H., Korkishko, T.: mCrypton – a lightweight block cipher for security of low-cost RFID tags and sensors. In: Song, J.-S., Kwon, T., Yung, M. (eds.) WISA 2005. LNCS, vol. 3786, pp. 243–258. Springer, Heidelberg (2006)
17. Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks: Revealing the Secrets of Smart Cards. Advances in Information Security. Springer, New York (2007)
18. Mangard, S., Popp, T., Gammel, B.M.: Side-channel leakage of masked CMOS gates. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 351–365. Springer, Heidelberg (2005)
19. Mangard, S., Pramstaller, N., Oswald, E.: Successfully attacking masked AES hardware implementations. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 157–171. Springer, Heidelberg (2005)
20. Moradi, A., Poschmann, A., Ling, S., Paar, C., Wang, H.: Pushing the limits: a very compact and a threshold implementation of AES. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 69–88. Springer, Heidelberg (2011)
21. Moradi, A., Mischke, O., Paar, C., Li, Y., Ohta, K., Sakiyama, K.: On the power of fault sensitivity analysis and collision side-channel attacks in a combined setting. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 292–311. Springer, Heidelberg (2011)
22. U.S. Department of Commerce, National Bureau of Standards: Data encryption standard. Technical report (1977). http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
23. National Security Agency: TEMPEST: a signal problem. Cryptologic Spectrum, vol. 2(3) (1972) (declassified 2007)
24. Nikova, S., Rechberger, C., Rijmen, V.: Threshold implementations against side-channel attacks and glitches. In: Ning, P., Qing, S., Li, N. (eds.) ICICS 2006. LNCS, vol. 4307, pp. 529–545. Springer, Heidelberg (2006)
25. Nikova, S., Rijmen, V., Schläffer, M.: Secure hardware implementation of nonlinear functions in the presence of glitches. J. Cryptol. 24(2), 292–321 (2011)
26. Nikova, S., Rijmen, V., Schläffer, M.: Secure hardware implementation of non-linear functions in the presence of glitches. In: Lee, P.J., Cheon, J.H. (eds.) ICISC 2008. LNCS, vol. 5461, pp. 218–234. Springer, Heidelberg (2009)
27. Popp, T., Mangard, S.: Masked dual-rail pre-charge logic: DPA-resistance without routing constraints. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 172–186. Springer, Heidelberg (2005)
28. Poschmann, A., Moradi, A., Khoo, K., Lim, C., Wee, C., Wang, H., Ling, S.: Side-channel resistant crypto for less than 2,300 GE. J. Cryptol. 24(2), 322–345 (2011)
29. Saarinen, M.-J.O.: Cryptographic analysis of all \(4 \times 4\)-bit s-boxes. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 118–133. Springer, Heidelberg (2012)
30. Schindler, W.: Random number generators for cryptographic applications. In: Koç, Ç.K. (ed.) Cryptographic Engineering. Springer, New York (2009)
31. Schneier, B., Kelsey, J., Whiting, D., Wagner, D., Hall, C., Ferguson, N.: The TWOFISH encryption algorithm. Technical report (1998)
32. Shirai, T., Shibutani, K., Akishita, T., Moriai, S., Iwata, T.: The 128-bit blockcipher CLEFIA (extended abstract). In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 181–195. Springer, Heidelberg (2007)
33. Sorkin, A.: LUCIFER, a cryptographic algorithm. Cryptologia 8(1), 22–41 (1984)
34. Suzaki, T., Minematsu, K., Morioka, S., Kobayashi, E.: TWINE: a lightweight block cipher for multiple platforms. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 339–354. Springer, Heidelberg (2013)
35. Zabotin, I.A., Glazkov, G.P., Isaeva, V.B.: Cryptographic protection for information processing systems, Government Standard of the USSR, GOST 28147-89. Government Committee of the USSR for Standards. Technical report (1989)
A Appendix: 3-Share TIs of S-Boxes in \(B_{16}\)
In this section, we present the 3-share TIs of some S-boxes and important permutations in \(B_{16}\), obtained by using a hybrid structure. All examples use the odd permutation \(M=[0, 1, 2, 3, 4, 5, 6, 15, 8, 9, 10, 11, 12, 13, 14, 7]\), which is also used in the previous sections. Recall that \(M\) can be any odd permutation whose shared version is a 12-bit permutation, i.e., one that satisfies the uniformity property without remasking.
For convenience, a permutation is given in hexadecimal representation: the \(i\)-th hex digit is the image of input \(i\). For example, the permutation \(F=[15, 5, 6, 14, 13, 7, 2, 10, 8, 0, 11, 1, 12, 4, 9, 3]\) is written as \(\mathrm{F}=\mathrm{f56ed72a80b1c493}\). All S-boxes in this section can be found in [5, 29] or in their respective specifications.
All S-boxes below belong to \(B_{16}\) and can be decomposed in one of two ways (see Fig. 5):
- type 1: \(S(\cdot )=M(F(G(G(\cdot ))))\)
- type 2: \(S(\cdot )=M(F(G(\cdot )))\)
In fact, nearly all S-boxes belong to type 1; only two S-boxes (\(iS_4\) of HUMMINGBIRD2 and \(S_5\) of SERPENT) belong to type 2. The 3-share TIs of all \(F\) and \(G\) obtained by direct sharing are 12-bit permutations.
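The three properties a practitioner should confirm before trusting an entry of this appendix are that the factors really recompose to the S-box, that each factor is at most quadratic (a 3-share TI cannot share a cubic function), and that the direct sharing of each factor is uniform, i.e. a 12-bit permutation, so no remasking is needed between the \(G\) and \(F\) stages. The following script is an added example and not code from the paper. It works over the appendix's hex notation and the permutation \(M\) above, and it implements the standard 3-share direct-sharing rule from the TI literature (assumed to be the rule the authors mean). As its built-in case it takes the \(GF(2^4)\) inversion entry listed further down, using \(F=\mathrm{0843dae67f25bc91}\), i.e. the 15-digit string printed there with its dropped leading 0 restored (reconstructed from \(M\), \(G\) and \(x^{-1}\)).

```python
from itertools import product

# Odd permutation M shared by every decomposition in the appendix: it only swaps 7 and 15,
# so it is its own inverse.
M = [0, 1, 2, 3, 4, 5, 6, 15, 8, 9, 10, 11, 12, 13, 14, 7]

def parse(hexstr):
    """Appendix notation: 16 hex digits, digit i is the image of input i."""
    table = [int(c, 16) for c in hexstr]
    if sorted(table) != list(range(16)):
        raise ValueError(f"{hexstr!r} is not a 4-bit permutation")
    return table

def compose(*tables):
    """compose(A, B, C)(x) = A(B(C(x))): apply right to left, like S = M(F(G(G(x))))."""
    out = []
    for x in range(16):
        for t in reversed(tables):
            x = t[x]
        out.append(x)
    return out

def anf(table):
    """Algebraic normal form of each output bit as a set of monomials (frozensets of
    input-bit indices; the empty set is the constant 1), via the Moebius transform."""
    bits = []
    for b in range(4):
        c = [(table[x] >> b) & 1 for x in range(16)]
        for i in range(4):
            for x in range(16):
                if x >> i & 1:
                    c[x] ^= c[x ^ (1 << i)]
        bits.append({frozenset(i for i in range(4) if u >> i & 1) for u in range(16) if c[u]})
    return bits

def degree(table):
    """Algebraic degree; a 3-share TI needs degree <= 2, which is why x^-1 (degree 3) is factorised."""
    return max((len(m) for bit in anf(table) for m in bit), default=0)

def direct_sharing(table):
    """Standard 3-share direct sharing (assumed to be the rule the appendix means): a linear term
    x_i^(a) and a product x_i^(a) x_j^(a) with equal share index go to component (a-1) mod 3, a
    mixed product x_i^(a) x_j^(b) goes to the component whose index is the share absent from
    {a, b}, and constants go to component 0. Component c therefore never reads share c
    (non-completeness). Returns three functions mapping (x^(0), x^(1), x^(2)) to a 4-bit output."""
    monos = anf(table)

    def component(c, shares):
        out = 0
        for b in range(4):
            v = 0
            for m in monos[b]:
                idx = sorted(m)
                if not idx:                        # constant 1
                    v ^= 1 if c == 0 else 0
                elif len(idx) == 1:                # linear term: taken from share (c+1) mod 3
                    v ^= shares[(c + 1) % 3] >> idx[0] & 1
                else:                              # quadratic term: nine cross products
                    i, j = idx
                    for a, bb in product(range(3), repeat=2):
                        dest = (a - 1) % 3 if a == bb else 3 - a - bb
                        if dest == c:
                            v ^= (shares[a] >> i & 1) & (shares[bb] >> j & 1)
            out |= v << b
        return out

    return [lambda shares, c=c: component(c, shares) for c in range(3)]

def sharing_is_correct(table):
    """Correctness: the XOR of the three components equals the unshared function on every input."""
    comps = direct_sharing(table)
    return all(comps[0](s) ^ comps[1](s) ^ comps[2](s) == table[s[0] ^ s[1] ^ s[2]]
               for s in product(range(16), repeat=3))

def is_uniform(table):
    """Uniformity: the 12-bit shared map (x^(0),x^(1),x^(2)) -> (f1,f2,f3) is a permutation,
    so the stage needs no fresh randomness (remasking) at its output."""
    comps = direct_sharing(table)
    images = {tuple(f(s) for f in comps) for s in product(range(16), repeat=3)}
    return len(images) == 16 ** 3

def check_decomposition(s_hex, f_hex, g_hex, kind=1):
    """Verify one appendix entry: type 1 is S = M(F(G(G(x)))), type 2 is S = M(F(G(x)))."""
    S, F, G = parse(s_hex), parse(f_hex), parse(g_hex)
    rebuilt = compose(M, F, G, G) if kind == 1 else compose(M, F, G)
    return {"composes": rebuilt == S,
            "deg_S": degree(S), "deg_F": degree(F), "deg_G": degree(G),
            "F_uniform": is_uniform(F), "G_uniform": is_uniform(G)}

if __name__ == "__main__":
    # GF(2^4) inversion entry of the appendix; F is the 16-digit string with the leading 0 restored.
    print(check_decomposition("019edb76f2c5a438", "0843dae67f25bc91", "059dbf278e3416ac"))
```

Any other entry is checked the same way by passing its S-box (from the cipher specification) together with the listed \(F\) and \(G\), and `kind=2` for the two type-2 entries. If a sharing does not come out uniform, check first that the direct-sharing rule in `direct_sharing` matches the one you intend to synthesise, since uniformity depends on exactly how the cross terms are distributed over the components.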
CLEFIA [32]
1. \(SS_0\): \(\mathrm{F}=\mathrm{e6ca89d24b10537f},\; \mathrm{G}=\mathrm{021346fda89bce57}\);
2. \(SS_1\): \(\mathrm{F}=\mathrm{6f29a5e3781cd4b0},\; \mathrm{G}=\mathrm{053f8db72694ae1c}\);
3. \(SS_2\): \(\mathrm{F}=\mathrm{b56e7302da981cf4},\; \mathrm{G}=\mathrm{094c187f2b6e3a5d}\);
4. \(SS_3\): \(\mathrm{F}=\mathrm{a6d295c37bf048e1},\; \mathrm{G}=\mathrm{02319b8a57ec46df}\);
DES [22]. The \(i\)-th DES S-box (\(DESi\)) consists of four 4-bit S-boxes; \(DESi_j\) denotes the \(j\)-th row (i.e., 4-bit S-box) of the \(i\)-th DES S-box.
1. \(DES2_0\): \(\mathrm{F}=\mathrm{f986bda42c710e35},\;\mathrm{G}=\mathrm{4c28a0f7d539b16e}\);
2. \(DES2_1\): \(\mathrm{F}=\mathrm{acd1265b97403fe8},\;\mathrm{G}=\mathrm{1c593a7f0d482b6e}\);
3. \(DES2_2\): \(\mathrm{F}=\mathrm{d3f0c481b596a2e7},\; \mathrm{G}=\mathrm{9d26a78503cf4e1b}\);
4. \(DES2_3\): \(\mathrm{F}=\mathrm{dc8b37421f6a5e09},\;\mathrm{G}=\mathrm{0b1a46579382decf}\);
5. \(DES3_0\): \(\mathrm{F}=\mathrm{d69e75a410f2b3c8},\; \mathrm{G}=\mathrm{168c079d24be35af}\);
6. \(DES3_1\): \(\mathrm{F}=\mathrm{803a46ed952f17bc},\;\mathrm{G}=\mathrm{17069a8b5243dfce}\);
7. \(DES3_2\): \(\mathrm{F}=\mathrm{df47ae50b921c836},\;\mathrm{G}=\mathrm{0d861c972ea53fb4}\);
8. \(DES3_3\): \(\mathrm{F}=\mathrm{9716fac0b8e4d532},\;\mathrm{G}=\mathrm{fb647ec318a59d02}\);
9. \(DES4_0\): \(\mathrm{F}=\mathrm{fd3402cb75168ae9},\;\mathrm{G}=\mathrm{419b03c8de62fa57}\);
10. \(DES4_1\): \(\mathrm{F}=\mathrm{3edf68ba70c41592},\;\mathrm{G}=\mathrm{125ac68e9bd34f07}\);
11. \(DES4_2\): \(\mathrm{F}=\mathrm{abc4fd928375e610},\;\mathrm{G}=\mathrm{094b6a285d1f3e7c}\);
12. \(DES4_3\): \(\mathrm{F}=\mathrm{36dea581b2f047c9},\;\mathrm{G}=\mathrm{02d64f135e8a9bc7}\);
13. \(DES5_0\): \(\mathrm{F}=\mathrm{28fc1b569a7d304e},\;\mathrm{G}=\mathrm{0e1f869725bcad34}\);
14. \(DES6_0\): \(\mathrm{F}=\mathrm{792bd3c54a81e06f},\;\mathrm{G}=\mathrm{4e396f18a0d7c5b2}\);
15. \(DES6_3\): \(\mathrm{F}=\mathrm{48ac537b2e9f601d},\;\mathrm{G}=\mathrm{0a7c1e68295f3d4b}\);
16. \(DES7_0\): \(\mathrm{F}=\mathrm{6b3d719c2e5a8f40},\;\mathrm{G}=\mathrm{21e74da903c56f8b}\);
17. \(DES7_1\): \(\mathrm{F}=\mathrm{68f143bc970ead52},\;\mathrm{G}=\mathrm{be364f290c1d57a8}\);
18. \(DES7_2\): \(\mathrm{F}=\mathrm{abd4c93e671805f2},\;\mathrm{G}=\mathrm{1a084e5c293b7d6f}\);
19. \(DES8_0\): \(\mathrm{F}=\mathrm{d572c908143be6af},\;\mathrm{G}=\mathrm{0eb4962c1da7853f}\);
20. \(DES8_1\): \(\mathrm{F}=\mathrm{fd963b2745c01ae8},\;\mathrm{G}=\mathrm{1c0d3a2b59487f6e}\);
21. \(DES8_2\): \(\mathrm{F}=\mathrm{fa41e5830b6d72c9},\; \mathrm{G}=\mathrm{048c9d152f6b3e7a}\);
DESL [15]
1. \(Row_0\): \(\mathrm{F}=\mathrm{e6a3d4197f2b5c80},\;\mathrm{G}=\mathrm{091d7f6b5c482a3e}\);
2. \(Row_1\): \(\mathrm{F}=\mathrm{51ebc9378d6204af},\;\mathrm{G}=\mathrm{02cf1b5e93d68a47}\);
3. \(Row_2\): \(\mathrm{F}=\mathrm{15dbef74c2a63809},\;\mathrm{G}=\mathrm{17ad358f269c04be}\);
4. \(Row_3\): \(\mathrm{F}=\mathrm{dae51379f80b64c2},\;\mathrm{G}=\mathrm{af53269e8d7104bc}\);
GOST [35]
1. \(k_3\): \(\mathrm{F}=\mathrm{52840cadb79e613f},\; \mathrm{G}=\mathrm{063d1f24acb5978e}\);
2. \(k_4\): \(\mathrm{F}=\mathrm{f93457dec1a62b08},\; \mathrm{G}=\mathrm{0e7d1b4a2c5f3968}\);
3. \(k_7\): \(\mathrm{F}=\mathrm{d7954f6b2c08e1a3},\;\mathrm{G}=\mathrm{0a6f384c1b7e295d}\);
4. \(k_8\): \(\mathrm{F}=\mathrm{5b79d3f104ae62c8},\;\mathrm{G}=\mathrm{179fda52e46cb038}\);
HUMMINGBIRD1 [9]
1. \(S_0\): \(\mathrm{F}=\mathrm{82f7e639c40ab1d5},\;\mathrm{G}=\mathrm{0f1e9687bd24ac35}\);
2. \(S_1\): \(\mathrm{F}=\mathrm{063b7f42d1eca895},\;\mathrm{G}=\mathrm{0f861e97ad24bc35}\);
3. \(S_2\): \(\mathrm{F}=\mathrm{21430895dbeca76f},\;\mathrm{G}=\mathrm{0ad7b16c92e54f38}\);
4. \(S_3\): \(\mathrm{F}=\mathrm{0f2e7d5c4a6b3819},\;\mathrm{G}=\mathrm{0a7f295c6e1b4d38}\);
HUMMINGBIRD2 [8]
1. \(S_1\): \(\mathrm{F}=\mathrm{f56ed72a80b1c493},\;\mathrm{G}=\mathrm{0a5bd38217ce469f}\);
2. \(S_2\): \(\mathrm{F}=\mathrm{a8034ce7b61d52f9},\;\mathrm{G}=\mathrm{14860d9fae3cb725}\);
3. \(S_3\): \(\mathrm{F}=\mathrm{2f6e5d1c4a380b79},\;\mathrm{G}=\mathrm{0f5bc78293d64a1e}\);
4. \(S_4\): \(\mathrm{F}=\mathrm{0819ae37c4d562fb},\;\mathrm{G}=\mathrm{853b29a47ed1f06c}\);
The inverse S-boxes of HUMMINGBIRD2:
1. \(iS_1\): \(\mathrm{F}=\mathrm{0d42ca8597eb631f},\;\mathrm{G}=\mathrm{3c4b21de56a9780f}\);
2. \(iS_2\): \(\mathrm{F}=\mathrm{de8c94b162305f7a},\;\mathrm{G}=\mathrm{14a69d2fcbe05378}\);
3. \(iS_3\): \(\mathrm{F}=\mathrm{c36740b18e5d2fa9},\;\mathrm{G}=\mathrm{0c6f2a583b491d7e}\);
4. \(iS_4\): \(\mathrm{F}=\mathrm{f5ac403b16927ed8},\;\mathrm{G}=\mathrm{209a8b3164fced75}\); (type 2)
Inversion (\(x^{-1}\)) in \(GF(2^4)\). The function \(x^{-1}=\mathrm{019edb76f2c5a438}\) is defined over \(GF(2)[x]/(x^4 \oplus x \oplus 1)\).
\(F=\mathrm{0843dae67f25bc91}\) and \(G=\mathrm{059dbf278e3416ac}\).
LUCIFER [33]
1. \(S_0\): \(\mathrm{F}=\mathrm{a2fde8b7906534c1},\;\mathrm{G}=\mathrm{1e482c6b0f593d7a}\);
2. \(S_1\): \(\mathrm{F}=\mathrm{f21deb047c93658a},\;\mathrm{G}=\mathrm{068f9e174bd3c25a}\);
mCrypton [16]
1. \(S_0\): \(\mathrm{F}=\mathrm{4af0827c3516b9de},\;\mathrm{G}=\mathrm{0a7c5e28396d4f1b}\);
2. \(S_1\): \(\mathrm{F}=\mathrm{19df3b647580cea2},\;\mathrm{G}=\mathrm{06d71fce8a5b9342}\);
3. \(S_2\): \(\mathrm{F}=\mathrm{31078f46ec25ad9b},\;\mathrm{G}=\mathrm{2b5f097d4e186c3a}\);
4. \(S_3\): \(\mathrm{F}=\mathrm{b420af918c7e3d65},\;\mathrm{G}=\mathrm{041d3f26ac97b58e}\);
SERPENT [4]
1. \(S_3\): \(\mathrm{F}=\mathrm{072e351c9db4af86},\;\mathrm{G}=\mathrm{0c792f5a3e4b1d68}\);
2. \(S_4\): \(\mathrm{F}=\mathrm{53bd19f708e6ca24},\;\mathrm{G}=\mathrm{ea5d69cf0873214b}\);
3. \(S_5\): \(\mathrm{F}=\mathrm{7c4b259a3e6f01d8},\;\mathrm{G}=\mathrm{05432761c89feabd}\); (type 2)
4. \(S_7\): \(\mathrm{F}=\mathrm{18679d3f5acb024e},\;\mathrm{G}=\mathrm{0d87961c3fa4b52e}\);
The inverse S-boxes of \(S_3\), \(S_4\), \(S_5\), \(S_7\):
1. \(iS_3\): \(\mathrm{F}=\mathrm{09dacef3b1624578},\;\mathrm{G}=\mathrm{0c483e7a6f2b195d}\);
2. \(iS_4\): \(\mathrm{F}=\mathrm{98b7406fac5e21d3},\;\mathrm{G}=\mathrm{1a0bc2d34e5f8796}\);
3. \(iS_5\): \(\mathrm{F}=\mathrm{87f6dc43b915e2a0},\;\mathrm{G}=\mathrm{0eb63c95842da71f}\);
4. \(iS_7\): \(\mathrm{F}=\mathrm{35f921edc60a874b},\;\mathrm{G}=\mathrm{0c489d5173bfa6e2}\);
TWINE [34]
1. \(S\): \(\mathrm{F}=\mathrm{d2305ebc7a98f614},\;\mathrm{G}=\mathrm{bda5e92c0687431f}\);
TWOFISH [31]
1. \(q1, t1\): \(\mathrm{F}=\mathrm{a0f2d785c139b64e},\;\mathrm{G}=\mathrm{0c483e7a6f2b195d}\);
2. \(q1, t0\): \(\mathrm{F}=\mathrm{2847ba6e1c9d350f},\;\mathrm{G}=\mathrm{069c8d1734aebf25}\);
3. \(q0, t0\): \(\mathrm{F}=\mathrm{50d87b3fa6e29c14},\;\mathrm{G}=\mathrm{b4ace16058732f9d}\);
4. \(q0, t2\): \(\mathrm{F}=\mathrm{456f09ba23e781dc},\;\mathrm{G}=\mathrm{0d841cb73e952fa6}\);
© 2014 Springer International Publishing Switzerland
Cite this paper
Kutzner, S., Nguyen, P.H., Poschmann, A. (2014). Enabling 3-Share Threshold Implementations for all 4-Bit S-Boxes. In: Lee, H.-S., Han, D.-G. (eds.) Information Security and Cryptology – ICISC 2013. Lecture Notes in Computer Science, vol. 8565. Springer, Cham. https://doi.org/10.1007/978-3-319-12160-4_6
DOI: https://doi.org/10.1007/978-3-319-12160-4_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-12159-8
Online ISBN: 978-3-319-12160-4