scispace - formally typeset
Search or ask a question
Journal ArticleDOI

Threshold Implementations of $\mathtt{GIFT}$ : A Trade-Off Analysis

TL;DR: An in-depth analysis of the various ways in which TI can be implemented for a lightweight cipher, and chooses GIFT for its analysis as it is currently one of the most energy-efficient lightweight ciphers.
Abstract: Threshold Implementation ( TI ) is one of the most widely used countermeasure for side channel attacks. Over the years several TI techniques have been proposed for randomizing cipher execution using different variations of secret-sharing and implementation techniques. For instance, sharing without decomposition ( 4-shares ) is the most straightforward implementation of the threshold countermeasure. However, its usage is limited due to its high area requirements. On the other hand, sharing using decomposition ( 3-shares ) countermeasure for cubic non-linear functions significantly reduces area and complexity in comparison to 4-shares . Nowadays, security of ciphers using a side channel countermeasure is of utmost importance. This is due to the wide range of security critical applications from smart cards, battery operated IoT devices, to accelerated crypto-processors. Such applications have different requirements (higher speed, energy efficiency, low latency, small area etc.) and hence need different implementation techniques. Although, many TI strategies and implementation techniques are known for different ciphers, there is no single study comparing these on a single cipher. Such a study would allow a fair comparison of the various methodologies. In this work, we present an in-depth analysis of the various ways in which TI can be implemented for a lightweight cipher. We chose GIFT for our analysis as it is currently one of the most energy-efficient lightweight ciphers. The experimental results show that different implementation techniques have distinct applications. For example, the 4-shares technique is good for applications demanding high throughput whereas 3-shares is suitable for constrained environments with less area and moderate throughput requirements. The techniques presented in the paper are also applicable to other blockciphers. For security evaluation, we performed TVLA (test vector leakage assessment) on all the design strategies. Experiments using up to 50 million traces show that the designs are protected against first-order attacks.
Citations
More filters
01 Jan 2016
TL;DR: The logic minimization algorithms for vlsi synthesis is universally compatible with any devices to read, and is available in the book collection an online access to it is set as public so you can get it instantly.
Abstract: logic minimization algorithms for vlsi synthesis is available in our book collection an online access to it is set as public so you can get it instantly. Our book servers saves in multiple countries, allowing you to get the most less latency time to download any of our books like this one. Kindly say, the logic minimization algorithms for vlsi synthesis is universally compatible with any devices to read.

166 citations

Book ChapterDOI
10 May 2020
TL;DR: This paper exploits the fact that activation and propagation of a fault through a given combinational circuit is data-dependent, which leads to powerful Fault Template Attacks (FTA), even for implementations having dedicated protections against both power and fault-based vulnerabilities.
Abstract: Fault attacks (FA) are one of the potent practical threats to modern cryptographic implementations. Over the years the FA techniques have evolved, gradually moving towards the exploitation of device-centric properties of the faults. In this paper, we exploit the fact that activation and propagation of a fault through a given combinational circuit (i.e., observability of a fault) is data-dependent. Next, we show that this property of combinational circuits leads to powerful Fault Template Attacks (FTA), even for implementations having dedicated protections against both power and fault-based vulnerabilities. The attacks found in this work are applicable even if the fault injection is made at the middle rounds of a block cipher, which are out of reach for most of the other existing fault analysis strategies. Quite evidently, they also work for a known-plaintext scenario. Moreover, the middle round attacks are entirely blind in the sense that no access to the ciphertexts (correct/faulty) or plaintexts are required. The adversary is only assumed to have the power of repeating an unknown plaintext several times. Practical validation over a hardware implementation of SCA-FA protected PRESENT, and simulated evaluation on a public software implementation of protected AES prove the efficacy of the proposed attacks.

38 citations

Book ChapterDOI
23 Apr 2018
TL;DR: This work presents a new construction based on Threshold Implementations and Changing of the Guards to realize a first-order secure AES with zero per-round randomness, thereby enhancing security and reducing the overhead.
Abstract: Since the advent of Differential Power Analysis (DPA) in the late 1990s protecting embedded devices against Side-Channel Analysis (SCA) attacks has been a major research effort. Even though many different first-order secure masking schemes are available today, when applied to the AES S-box they all require fresh random bits in every evaluation. As the quality criteria for generating random numbers on an embedded device are not well understood, an integrated Random Number Generator (RNG) can be the weak spot of any protected implementation and may invalidate an otherwise secure implementation. We present a new construction based on Threshold Implementations and Changing of the Guards to realize a first-order secure AES with zero per-round randomness. Hence, our design does not need a built-in RNG, thereby enhancing security and reducing the overhead.

26 citations

Book ChapterDOI
14 Dec 2020
TL;DR: This paper investigates the simplest possible protected circuit: the one in which only the state path of the underlying block cipher is shared, and explores how design choices like number of shares, implementation of the masked s-box and the circuit structure of the AEAD scheme affect the energy consumption.
Abstract: The selection criteria for NIST’s Lightweight Crypto Standardization (LWC) have been slowly shifting towards the lightweight efficiency of designs, given that a large number of candidates already establish their security claims on conservative, well-studied paradigms The research community has accumulated a decent level of experience on authenticated encryption primitives, thanks mostly to the recently completed CAESAR competition, with the advent of the NIST LWC, the de facto focus is now on evaluating efficiency of the designs with respect to hardware metrics like area, throughput, power and energy

15 citations

Journal ArticleDOI
TL;DR: In this paper, the P permutation law of PRESENT and GIFT was studied, and a general differential fault attack (DFA) method with their differential characteristics was presented.
Abstract: Lightweight block cipher PRESENT is an algorithm with SPN structure. Due to its excellent hardware performance and simple round function design, it can be well applied to Internet of things terminals with limited computing resources. As an improved cipher of PRESENT, GIFT is similar in structure to PRESENT and has been widely concerned by academia and industry. This article studies the P permutation law of PRESENT and GIFT, and presents a general differential fault attack(DFA) method with their differential characteristics. For PRESENT, this article chooses to inject a nibble fault before the 30th and 31st rounds of S-box operation. A total of 32 nibble fault ciphertexts are needed to recover the original key. The computational complexity and data complexity are 210.94 and 28, respectively. For GIFT, this article chooses to inject a nibble fault before the 25th, 26th, 27th and 28th rounds of S-box operation. A total of 64 nibble fault ciphertexts are needed to recover the original key. The computational complexity and data complexity are 211.91 and 29, respectively. Compared with other public cryptoanalysis results of PRESENT and GIFT, this general attack method has great advantages. In this article, the DFA of GIFT is experimentally verified and the effectiveness is proved. These experiments have been done on a personal computer and run in a very reasonable time(around 500ms).

13 citations

References
More filters
Book ChapterDOI
15 Aug 1999
TL;DR: In this paper, the authors examine specific methods for analyzing power consumption measurements to find secret keys from tamper resistant devices. And they also discuss approaches for building cryptosystems that can operate securely in existing hardware that leaks information.
Abstract: Cryptosystem designers frequently assume that secrets will be manipulated in closed, reliable computing environments. Unfortunately, actual computers and microchips leak information about the operations they process. This paper examines specific methods for analyzing power consumption measurements to find secret keys from tamper resistant devices. We also discuss approaches for building cryptosystems that can operate securely in existing hardware that leaks information.

6,757 citations

Book ChapterDOI
18 Aug 1996
TL;DR: By carefully measuring the amount of time required to perform private key operalions, attackers may be able to find fixed Diffie-Hellman exponents, factor RSA keys, and break other cryptosystems.
Abstract: By carefully measuring the amount of time required tm perform private key operalions, attackers may be able to find fixed Diffie-Hellman exponents, factor RSA keys, and break other cryptosystems. Against, a valnerable system, the attack is computationally inexpensive and often requires only known ciphertext. Actual systems are potentially at risk, including cryptographic tokens, network-based cryptosystems, and other applications where attackers can make reasonably accurate timing measurements. Techniques for preventing the attack for RSA and Diffie-Hellman are presented. Some cryptosystems will need to be revised to protect against the attack, and new protocols and algorithms may need to incorporate measures to prevenl timing attacks.

3,989 citations


"Threshold Implementations of $\math..." refers background in this paper

  • ...[1], [2] in the late 90’s showed that unprotected cryptographic algorithms are vulnerable against side-channel attacks....

    [...]

Proceedings Article
01 Jan 1996

3,526 citations

Book ChapterDOI
11 Aug 2004
TL;DR: A classical model is used for the power consumption of cryptographic devices based on the Hamming distance of the data handled with regard to an unknown but constant reference state, which allows an optimal attack to be derived called Correlation Power Analysis.
Abstract: A classical model is used for the power consumption of cryptographic devices. It is based on the Hamming distance of the data handled with regard to an unknown but constant reference state. Once validated experimentally it allows an optimal attack to be derived called Correlation Power Analysis. It also explains the defects of former approaches such as Differential Power Analysis.

2,346 citations


"Threshold Implementations of $\math..." refers methods in this paper

  • ...First, we present a Correlation Power Analysis (CPA) [13] attack for an unprotected FPGA implementation of the GIFT cipher in § IV-A....

    [...]

  • ...Considering CPA for a successful attack, the correct key has the highest correlation value across the trace points....

    [...]

  • ...Index Terms— Side-channel attack, threshold implementation, DPA, CPA, GIFT, TI, lightweight cryptography, TVLA....

    [...]

  • ...Our Contributions: First, we present a Correlation Power Analysis (CPA) [13] attack for an unprotected FPGA implementation of the GIFT cipher in § IV-A....

    [...]

  • ...This leads to only two key bits being used per S-box leading to reduced effectiveness of the CPA attack....

    [...]

Book ChapterDOI
10 Sep 2007
TL;DR: An ultra-lightweight block cipher, present, which is competitive with today's leading compact stream ciphers and suitable for extremely constrained environments such as RFID tags and sensor networks.
Abstract: With the establishment of the AES the need for new block ciphers has been greatly diminished; for almost all block cipher applications the AES is an excellent and preferred choice. However, despite recent implementation advances, the AES is not suitable for extremely constrained environments such as RFID tags and sensor networks. In this paper we describe an ultra-lightweight block cipher, present . Both security and hardware efficiency have been equally important during the design of the cipher and at 1570 GE, the hardware requirements for present are competitive with today's leading compact stream ciphers.

2,202 citations


"Threshold Implementations of $\math..." refers background in this paper

  • ...Unlike PRESENT, GIFT uses only 64 bits of the round key every round....

    [...]

  • ...For example, in [8], the authors showed how to apply TI on the PRESENT cipher....

    [...]

  • ...Its design is strongly influenced by the cipher PRESENT [19]....

    [...]