Domain-Oriented Masking: Compact Masked Hardware Implementations with Arbitrary Protection Order

Hannes Groß, Stefan Mangard, Thomas Korak

Research output: Contribution to conferenceAbstractResearchpeer-review

Abstract

Passive physical attacks, like power analysis, pose a serious threat to the security of embedded systems and corresponding countermeasures need to be implemented. In this talk, we demonstrate how the costs for protecting digital circuits against passive physical attacks can be lowered significantly. We introduce a novel masking approach called domain-oriented masking (DOM). Our approach provides the same level of security as threshold implementations (TI), while it requires less chip area and less randomness. DOM can also be scaled easily to arbitrary protection orders for any circuit. To demonstrate the flexibility of our scheme, we apply DOM to a hardware design of the Advanced Encryption Standard (AES). The presented AES implementation is built in a way that it can be synthesized for any protection order. Although our AES design is scalable, it is smaller, faster, and less randomness demanding than other side-channel protected AES implementations. Our first-order secure AES design, for example, requires only 18 bits of randomness per S-box operation and 6 kGE of chip area. We demonstrate the flexibility of our AES implementation by synthesizing it up to the 15th protection order. Beside our theoretical security analysis, we also evaluate the security of the AES implementation with a t-test based side-channel leakage assessments up to the second protection order.

To demonstrate the flexibility of our scheme, we apply DOM to a hardware design of the Advanced Encryption Standard (AES). The presented AES implementation is built in a way that it can be synthesized for any protection order. Although our AES design is scalable, it is smaller, faster, and less randomness demanding than other side-channel protected AES implementations. Our first-order secure AES design, for example, requires only 18 bits of randomness per S-box operation and 6~kGE of chip area. We demonstrate the flexibility of our AES implementation by synthesizing it up to the 15th protection order. Beside our theoretical security analysis, we also evaluate the security of the AES implementation with a t-test based side-channel leakage assessments up to the second protection order.
Original languageEnglish
Pages3
Number of pages3
DOIs
Publication statusPublished - 24 Oct 2016
EventACM Workshop on Theory of Implementation Security - Vienna, Austria
Duration: 24 Oct 2016 → …
https://www.cosic.esat.kuleuven.be/events/acm-ccs2016/

Workshop

WorkshopACM Workshop on Theory of Implementation Security
Abbreviated titleTIS '16
CountryAustria
CityVienna
Period24/10/16 → …
Internet address

Fingerprint

Cryptography
Hardware
Computer hardware
Digital circuits
Embedded systems

Keywords

  • masking
  • domain-oriented masking
  • private circuits
  • threshold implementations
  • ISW
  • side-channel analysis
  • DPA
  • hardware security
  • AES

Cite this

Groß, H., Mangard, S., & Korak, T. (2016). Domain-Oriented Masking: Compact Masked Hardware Implementations with Arbitrary Protection Order. 3. Abstract from ACM Workshop on Theory of Implementation Security, Vienna, Austria. https://doi.org/10.1145/2996366.2996426

Domain-Oriented Masking: Compact Masked Hardware Implementations with Arbitrary Protection Order. / Groß, Hannes; Mangard, Stefan; Korak, Thomas.

2016. 3 Abstract from ACM Workshop on Theory of Implementation Security, Vienna, Austria.

Research output: Contribution to conferenceAbstractResearchpeer-review

Groß, H, Mangard, S & Korak, T 2016, 'Domain-Oriented Masking: Compact Masked Hardware Implementations with Arbitrary Protection Order' ACM Workshop on Theory of Implementation Security, Vienna, Austria, 24/10/16, pp. 3. https://doi.org/10.1145/2996366.2996426
Groß H, Mangard S, Korak T. Domain-Oriented Masking: Compact Masked Hardware Implementations with Arbitrary Protection Order. 2016. Abstract from ACM Workshop on Theory of Implementation Security, Vienna, Austria. https://doi.org/10.1145/2996366.2996426
Groß, Hannes ; Mangard, Stefan ; Korak, Thomas. / Domain-Oriented Masking: Compact Masked Hardware Implementations with Arbitrary Protection Order. Abstract from ACM Workshop on Theory of Implementation Security, Vienna, Austria.3 p.
@conference{d77365dd2f334a07961050364bae248d,
title = "Domain-Oriented Masking: Compact Masked Hardware Implementations with Arbitrary Protection Order",
abstract = "Passive physical attacks, like power analysis, pose a serious threat to the security of embedded systems and corresponding countermeasures need to be implemented. In this talk, we demonstrate how the costs for protecting digital circuits against passive physical attacks can be lowered significantly. We introduce a novel masking approach called domain-oriented masking (DOM). Our approach provides the same level of security as threshold implementations (TI), while it requires less chip area and less randomness. DOM can also be scaled easily to arbitrary protection orders for any circuit. To demonstrate the flexibility of our scheme, we apply DOM to a hardware design of the Advanced Encryption Standard (AES). The presented AES implementation is built in a way that it can be synthesized for any protection order. Although our AES design is scalable, it is smaller, faster, and less randomness demanding than other side-channel protected AES implementations. Our first-order secure AES design, for example, requires only 18 bits of randomness per S-box operation and 6 kGE of chip area. We demonstrate the flexibility of our AES implementation by synthesizing it up to the 15th protection order. Beside our theoretical security analysis, we also evaluate the security of the AES implementation with a t-test based side-channel leakage assessments up to the second protection order.To demonstrate the flexibility of our scheme, we apply DOM to a hardware design of the Advanced Encryption Standard (AES). The presented AES implementation is built in a way that it can be synthesized for any protection order. Although our AES design is scalable, it is smaller, faster, and less randomness demanding than other side-channel protected AES implementations. Our first-order secure AES design, for example, requires only 18 bits of randomness per S-box operation and 6~kGE of chip area. We demonstrate the flexibility of our AES implementation by synthesizing it up to the 15th protection order. Beside our theoretical security analysis, we also evaluate the security of the AES implementation with a t-test based side-channel leakage assessments up to the second protection order.",
keywords = "masking, domain-oriented masking, private circuits, threshold implementations, ISW, side-channel analysis, DPA, hardware security, AES",
author = "Hannes Gro{\ss} and Stefan Mangard and Thomas Korak",
year = "2016",
month = "10",
day = "24",
doi = "10.1145/2996366.2996426",
language = "English",
pages = "3",
note = "ACM Workshop on Theory of Implementation Security, TIS '16 ; Conference date: 24-10-2016",
url = "https://www.cosic.esat.kuleuven.be/events/acm-ccs2016/",

}

TY - CONF

T1 - Domain-Oriented Masking: Compact Masked Hardware Implementations with Arbitrary Protection Order

AU - Groß, Hannes

AU - Mangard, Stefan

AU - Korak, Thomas

PY - 2016/10/24

Y1 - 2016/10/24

N2 - Passive physical attacks, like power analysis, pose a serious threat to the security of embedded systems and corresponding countermeasures need to be implemented. In this talk, we demonstrate how the costs for protecting digital circuits against passive physical attacks can be lowered significantly. We introduce a novel masking approach called domain-oriented masking (DOM). Our approach provides the same level of security as threshold implementations (TI), while it requires less chip area and less randomness. DOM can also be scaled easily to arbitrary protection orders for any circuit. To demonstrate the flexibility of our scheme, we apply DOM to a hardware design of the Advanced Encryption Standard (AES). The presented AES implementation is built in a way that it can be synthesized for any protection order. Although our AES design is scalable, it is smaller, faster, and less randomness demanding than other side-channel protected AES implementations. Our first-order secure AES design, for example, requires only 18 bits of randomness per S-box operation and 6 kGE of chip area. We demonstrate the flexibility of our AES implementation by synthesizing it up to the 15th protection order. Beside our theoretical security analysis, we also evaluate the security of the AES implementation with a t-test based side-channel leakage assessments up to the second protection order.To demonstrate the flexibility of our scheme, we apply DOM to a hardware design of the Advanced Encryption Standard (AES). The presented AES implementation is built in a way that it can be synthesized for any protection order. Although our AES design is scalable, it is smaller, faster, and less randomness demanding than other side-channel protected AES implementations. Our first-order secure AES design, for example, requires only 18 bits of randomness per S-box operation and 6~kGE of chip area. We demonstrate the flexibility of our AES implementation by synthesizing it up to the 15th protection order. Beside our theoretical security analysis, we also evaluate the security of the AES implementation with a t-test based side-channel leakage assessments up to the second protection order.

AB - Passive physical attacks, like power analysis, pose a serious threat to the security of embedded systems and corresponding countermeasures need to be implemented. In this talk, we demonstrate how the costs for protecting digital circuits against passive physical attacks can be lowered significantly. We introduce a novel masking approach called domain-oriented masking (DOM). Our approach provides the same level of security as threshold implementations (TI), while it requires less chip area and less randomness. DOM can also be scaled easily to arbitrary protection orders for any circuit. To demonstrate the flexibility of our scheme, we apply DOM to a hardware design of the Advanced Encryption Standard (AES). The presented AES implementation is built in a way that it can be synthesized for any protection order. Although our AES design is scalable, it is smaller, faster, and less randomness demanding than other side-channel protected AES implementations. Our first-order secure AES design, for example, requires only 18 bits of randomness per S-box operation and 6 kGE of chip area. We demonstrate the flexibility of our AES implementation by synthesizing it up to the 15th protection order. Beside our theoretical security analysis, we also evaluate the security of the AES implementation with a t-test based side-channel leakage assessments up to the second protection order.To demonstrate the flexibility of our scheme, we apply DOM to a hardware design of the Advanced Encryption Standard (AES). The presented AES implementation is built in a way that it can be synthesized for any protection order. Although our AES design is scalable, it is smaller, faster, and less randomness demanding than other side-channel protected AES implementations. Our first-order secure AES design, for example, requires only 18 bits of randomness per S-box operation and 6~kGE of chip area. We demonstrate the flexibility of our AES implementation by synthesizing it up to the 15th protection order. Beside our theoretical security analysis, we also evaluate the security of the AES implementation with a t-test based side-channel leakage assessments up to the second protection order.

KW - masking

KW - domain-oriented masking

KW - private circuits

KW - threshold implementations

KW - ISW

KW - side-channel analysis

KW - DPA

KW - hardware security

KW - AES

U2 - 10.1145/2996366.2996426

DO - 10.1145/2996366.2996426

M3 - Abstract

SP - 3

ER -