Efficient and Composable Masked AES S-Box Designs Using Optimized Inverters
Hardware implementations of cryptographic algorithms are susceptible to power analysis attacks, allowing attackers to break the otherwise strong security guarantees. A theoretically sound countermeasure against such attacks is masking, where all key- and data-dependent intermediate values in the co...
Saved in:
| Main Authors: | , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
Ruhr-Universität Bochum
2024-12-01
|
| Series: | Transactions on Cryptographic Hardware and Embedded Systems |
| Subjects: | |
| Online Access: | https://tosc.iacr.org/index.php/TCHES/article/view/11942 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| _version_ | 1850107553698021376 |
|---|---|
| author | Vedad Hadžic Roderick Bloem |
| author_facet | Vedad Hadžic Roderick Bloem |
| author_sort | Vedad Hadžic |
| collection | DOAJ |
| description |
Hardware implementations of cryptographic algorithms are susceptible to power analysis attacks, allowing attackers to break the otherwise strong security guarantees. A theoretically sound countermeasure against such attacks is masking, where all key- and data-dependent intermediate values in the computation are split into so-called shares, requiring an attacker to learn all of them before recovering the secret key. Masking a cryptographic hardware design against power analysis attacks incurs large area and latency overheads due to their nonlinear components, especially when implemented using composable masking schemes.
These overheads disproportionately affect ciphers with highly nonlinear monolithic S-Boxes like the Advanced Encryption Standard (AES). The masking of the AES S-Box is well studied, and most implementations use Canright’s F28 inverter design that decomposes operations in a larger field into a combination of multiplications, additions and inversions in a smaller field. While remarkable, Canright’s inverter design has a sub-optimal multiplicative depth, and can thus not take full advantage of recent developments in low-latency composable masking schemes.
In this paper, we present a F28 inverter that achieves the optimal multiplicative depth of three, and use it to construct a more efficient trivially composable masked implementation of the AES S-Box. Moreover, we present HPC3.1, a better low-latency multiplication gadget that works in all finite fields Fpn, and a randomness reuse strategy for both HPC1 and HPC3.1 gadgets that preserves side-channel security. Orthogonally, we also propose an improved bit-level implementation of the F24 inverter for more efficient masked S-Box designs based on Canright’s original F28 inverter.
We develop, functionally test, and formally verify the trivially composable side-channel security of all masked AES S-Box designs. Our evaluation shows that the designs outperform or match the state-of-the-art in terms of latency, randomness use and area cost.
|
| format | Article |
| id | doaj-art-7f9ec9d69797431d98d0d83fd5666414 |
| institution | OA Journals |
| issn | 2569-2925 |
| language | English |
| publishDate | 2024-12-01 |
| publisher | Ruhr-Universität Bochum |
| record_format | Article |
| series | Transactions on Cryptographic Hardware and Embedded Systems |
| spelling | doaj-art-7f9ec9d69797431d98d0d83fd56664142025-08-20T02:38:33ZengRuhr-Universität BochumTransactions on Cryptographic Hardware and Embedded Systems2569-29252024-12-012025110.46586/tches.v2025.i1.656-683Efficient and Composable Masked AES S-Box Designs Using Optimized InvertersVedad Hadžic0Roderick Bloem1Graz University of Technology, Graz, AustriaGraz University of Technology, Graz, Austria Hardware implementations of cryptographic algorithms are susceptible to power analysis attacks, allowing attackers to break the otherwise strong security guarantees. A theoretically sound countermeasure against such attacks is masking, where all key- and data-dependent intermediate values in the computation are split into so-called shares, requiring an attacker to learn all of them before recovering the secret key. Masking a cryptographic hardware design against power analysis attacks incurs large area and latency overheads due to their nonlinear components, especially when implemented using composable masking schemes. These overheads disproportionately affect ciphers with highly nonlinear monolithic S-Boxes like the Advanced Encryption Standard (AES). The masking of the AES S-Box is well studied, and most implementations use Canright’s F28 inverter design that decomposes operations in a larger field into a combination of multiplications, additions and inversions in a smaller field. While remarkable, Canright’s inverter design has a sub-optimal multiplicative depth, and can thus not take full advantage of recent developments in low-latency composable masking schemes. In this paper, we present a F28 inverter that achieves the optimal multiplicative depth of three, and use it to construct a more efficient trivially composable masked implementation of the AES S-Box. Moreover, we present HPC3.1, a better low-latency multiplication gadget that works in all finite fields Fpn, and a randomness reuse strategy for both HPC1 and HPC3.1 gadgets that preserves side-channel security. Orthogonally, we also propose an improved bit-level implementation of the F24 inverter for more efficient masked S-Box designs based on Canright’s original F28 inverter. We develop, functionally test, and formally verify the trivially composable side-channel security of all masked AES S-Box designs. Our evaluation shows that the designs outperform or match the state-of-the-art in terms of latency, randomness use and area cost. https://tosc.iacr.org/index.php/TCHES/article/view/11942AESMaskingPINILow-latencyMask Reuse |
| spellingShingle | Vedad Hadžic Roderick Bloem Efficient and Composable Masked AES S-Box Designs Using Optimized Inverters Transactions on Cryptographic Hardware and Embedded Systems AES Masking PINI Low-latency Mask Reuse |
| title | Efficient and Composable Masked AES S-Box Designs Using Optimized Inverters |
| title_full | Efficient and Composable Masked AES S-Box Designs Using Optimized Inverters |
| title_fullStr | Efficient and Composable Masked AES S-Box Designs Using Optimized Inverters |
| title_full_unstemmed | Efficient and Composable Masked AES S-Box Designs Using Optimized Inverters |
| title_short | Efficient and Composable Masked AES S-Box Designs Using Optimized Inverters |
| title_sort | efficient and composable masked aes s box designs using optimized inverters |
| topic | AES Masking PINI Low-latency Mask Reuse |
| url | https://tosc.iacr.org/index.php/TCHES/article/view/11942 |
| work_keys_str_mv | AT vedadhadzic efficientandcomposablemaskedaessboxdesignsusingoptimizedinverters AT roderickbloem efficientandcomposablemaskedaessboxdesignsusingoptimizedinverters |