Smart Card Research and Advanced Application Conference - Yet … · 2018. 12. 10. · Example...

Yet Another Size Record for AES: A First-Order SCA Secure AES S-box Based on 𝑮𝑭(𝟐𝟖)

Multiplication

Cardis 2018, Montpellier

Felix Wegener, Amir Moradi

Ruhr University Bochum, Horst Görtz Institute for IT-Security, Germany

Grant. Nr.

16KIS0666

SYSKIT_HW

Embedded Security Group

Problem: How to find a small AES S-box implementation

(with side-channel protection)?

Cardis 2018, Montpellier Felix Wegener

AES S-box Implementations

▪ Naive implementation:

AES S-boxdeg = 78 8

AES S-box Implementations

▪ Canright:

▪ Boyar, Matthews, Peralta:

Canright. A Very Compact S-box for AES. CHES 2005

195 Gates

115 Gates

Linear Non-linear Linear8 22 18 8

Boyar et al., Logic Minimization Techniques with Applications to Cryptology, J. Cryptology 2013

Issue I: Registers for Bypass Wires

▪ Canright:

195 Gates

115 Gates

Issue II: No Serialization Possible

▪ Canright:

195 Gates

115 Gates

A Different Structure

▪ In previous work:

cubic cubic8 8 8

Wegener, Moradi. A first-order SCA resistant AES without fresh randomness. COSADE 2018

A Different Structure: Multiplication-based

▪ In previous work:

▪ This work:

cubic cubic8 8 8

Wegener, Moradi. A first-order SCA resistant AES without fresh randomness. COSADE 2018

Mult Mult

Mult Multlin

Decomposition into Multiplications

Structure of AES S-box

▪ AES-Sbox (x): 𝐴𝑓𝑓( 𝑥−1)

▪ Inversion in 𝐺𝐹 28 : 𝑥−1 = 𝑥254

Structure of AES S-box

▪ AES-Sbox (x): 𝐴𝑓𝑓( 𝑥−1)

▪ Inversion in 𝐺𝐹 28 : 𝑥−1 = 𝑥254

▪ How many multiplications are necessary?

→ Find shortest multiplication chain

Multiplication Chain

▪ Start: 𝑖𝑑 = 𝑥1

▪ Step:

– Square a previous element → cost = 0

– Multiply two previous elements → cost = 1

▪ Step:

▪ Example chain for 𝑥13 :

Chain: 𝑥1,

Cost: 0,

▪ Step:

Chain: 𝑥1, 𝑥2,

Cost: 0, 0,

▪ Step:

Chain: 𝑥1, 𝑥2, 𝑥4,

Cost: 0, 0, 0,

▪ Step:

Chain: 𝑥1, 𝑥2, 𝑥4, 𝑥8,

Cost: 0, 0, 0, 0,

▪ Step:

Chain: 𝑥1, 𝑥2, 𝑥4, 𝑥8, 𝑥12 ,

Cost: 0, 0, 0, 0, 1,

▪ Step:

Chain: 𝑥1, 𝑥2, 𝑥4, 𝑥8, 𝑥12 , 𝑥13

Cost: 0, 0, 0, 0, 1, 2

▪ Step:

Chain: 𝑥1, 𝑥2, 𝑥4, 𝑥8, 𝑥12 , 𝑥13

Cost: 0, 0, 0, 0, 1, 2

▪ Lowest cost of chain for 𝑥254: 4

▪ Start: 𝑥1

▪ Step:

– Chain: 𝑥1, 𝑥2, 𝑥4, 𝑥8, 𝑥12, 𝑥13

– Cost: 0, 0, 0, 0, 1, 2

▪ Lowest cost for 𝑥254 : 4

What is the “best“ way to implement 𝑥254 with 4 multiplications?

Area Reduction Techniques

Mult Mult

▪ Limit bypass wires

Mult Mult

▪ Minimize linear components

Mult Mult

▪ Minimize linear components

▪ Serialize: One Multiplier instance

Mult Mult

▪ One multiplier instance

Our Design: High-Level Structure

𝐴𝑓𝑓 ∘ 𝑜𝑝5

𝐺𝐹 28

𝑜𝑝1 𝑜𝑝2 𝑜𝑝3 𝑜𝑝4

▪ One bypass wire

𝐺𝐹 28

▪ One bypass wire

▪ 𝑌 = 𝑆𝑏𝑜𝑥(𝑋) (after 4 iterations)

𝐺𝐹 28

▪ One bypass wire

▪ Linear power functions of form

𝑜𝑝𝑖 = 𝑥2𝑘

𝐺𝐹 28

▪ One bypass wire

▪ Linear power functions of form

𝑜𝑝𝑖 = 𝑥2𝑘

Goal: Minimize total area

𝐺𝐹 28

Area Minimization

Two Steps:

▪ Determine area of eachlinear component

▪ Choose op1, …, op5 tominimize the total area

Function Area (GE)

UMC 180 nm

Area Minimal Choice

𝐺𝐹 28

𝑖𝑑 𝑥8 𝑥4 𝑖𝑑

𝐴𝑓𝑓 ∘ 𝑥2

▪ Iteration 1:𝑥12 = 𝑀𝑢𝑙𝑡(𝑥8, 𝑥4)

Area Minimal Choice

𝐺𝐹 28

▪ Iteration 2:

𝑥13 = 𝑀𝑢𝑙𝑡 𝑥1, 𝑥12 =: 𝑧

Area Minimal Choice

𝐺𝐹 28

Area Minimal Choice

𝐺𝐹 28

▪ Iteration 2:

𝑥13 = 𝑀𝑢𝑙𝑡 𝑥1, 𝑥12 =: 𝑧

▪ Iteration 3:

𝑧12 = 𝑀𝑢𝑙𝑡(𝑧8, 𝑧4)

Area Minimal Choice

𝐺𝐹 28

▪ Iteration 2:

𝑥13 = 𝑀𝑢𝑙𝑡 𝑥1, 𝑥12 =: 𝑧

▪ Iteration 3:

𝑧12 = 𝑀𝑢𝑙𝑡(𝑧8, 𝑧4)

▪ Iteration 4:

𝑧49 = 𝑀𝑢𝑙𝑡(𝑧1, 𝑧48)

Area Minimal Choice

𝐺𝐹 28

▪ Iteration 2:

𝑥13 = 𝑀𝑢𝑙𝑡 𝑥1, 𝑥12 =: 𝑧

▪ Iteration 3:

𝑧12 = 𝑀𝑢𝑙𝑡(𝑧8, 𝑧4)

▪ Iteration 4:

𝑧49 = 𝑀𝑢𝑙𝑡(𝑧1, 𝑧48)

▪ Output:

𝑌 = 𝐴𝑓𝑓(𝑥13⋅49⋅2) = 𝐴𝑓𝑓 𝑥254

Achieving SCA Security

Domain-oriented Masking

𝐺𝐹 2𝑛 Mult 𝐺𝐹 2𝑛 Mult𝐺𝐹 2𝑛 Mult 𝐺𝐹 2𝑛 Mult

𝑋𝐴 𝑋𝐵

𝑍𝐴 𝑍𝐵

𝑌𝐴 𝑌𝐵𝑅

⊕ ⊕

First-order DOM-independent multiplier:

Groß et al. Domain-Oriented Masking: Compact Masked Hardware Implementations with Arbitrary Protection Order, CCS 2016

Domain-oriented Masking

𝐺𝐹 2𝑛 Mult 𝐺𝐹 2𝑛 Mult𝐺𝐹 2𝑛 Mult 𝐺𝐹 2𝑛 Mult

𝑋𝐴 𝑋𝐵

𝑍𝐴 𝑍𝐵

𝑌𝐴 𝑌𝐵𝑅

⊕ ⊕

First-order DOM-independent multiplier:

Preconditions: ▪ X, Y are independently masked▪ R provides n bits of randomness

Groß et al. Domain-Oriented Masking: Compact Masked Hardware Implementations with Arbitrary Protection Order, CCS 2016

First-order Secure Design (Generic)

Design I: Fully-Parallel Multiplier

First-order Secure Design (Fully-parallel)

1 clock cycle

randomness(alternating)

Latency:

8 cycles

Randomness:

8 bits / cyc.

2321 GE

Design II: Serial-Parallel Multiplier

First-order Secure Design (Serial-parallel)

8 clock cycles

Restoringindependence

▪ Goal: 1 bit of randomness / cycle

– Different path for MSB

– Re-masked value from Register

Restoring Independence

𝑏𝑖 ⊕ 𝑟𝑖

Cross-domainremasking

×𝑎0 ×𝑎1 ×𝑎2 ×𝑎3 ×𝑎4 ×𝑎5 ×𝑎6 ×𝑎7

𝑏𝑖

⊕𝑅 ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕

Serial-Parallel Multiplier▪ Inputs:

– a: 8 bits parallel

– b: 1 bit serial

×𝑎0 ×𝑎1 ×𝑎2 ×𝑎3 ×𝑎4 ×𝑎5 ×𝑎6 ×𝑎7

𝑏𝑖

⊕𝑅 ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕

Serial-Parallel Multiplier▪ Inputs:

– a: 8 bits parallel

– b: 1 bit serial

▪ Inject 1 random bit over 8 cycles

Latency:

36 cycles

Randomness:

2 bits / cyc.

1378 GE

Side-Channel Evaluation

SCA Evaluation: Method and Setup

▪ MC-DPA evaluation

▪ Sequential execution of S-box

– First: Derive Power Model

– Second: CPA

Sample Trace

Setup:• Sakura-G board @ 6Mhz• Picoscope 6000 @ 625 MS/s• No. traces: 10 million

SCA Evaluation: Results

Serial Design Parallel Design1st order 1st order

2nd order 2nd order

Comparison: Unprotected Designs

Design Latency(cycles)

Crit. Path(ns)

Size(GE)

Boyar et al. 1 5.6 205

Serial Design(unprotected)

32 1.5 520

Comparison: Protected Designs

Design Shares Latency(cycles)

Crit. Path(ns)

Rand/Cyc(bits)

Size(GE)

Bilgin et al. 3 3 N/A 16 2224

Cnudde et al. 2 6 N/A 46 1872

Groß et al. 2 8 N/A 18 2600

Ueno et al. 2 5 1.5 56 1656

Former Work 4 16 3.3 0 4200

Parallel Design 2 8 1.6 8 2321

Serial Design 2 36 1.5 2 1378

Summary

▪ New first-order secure AES S-box designs:

– Parallel Design: Interesting trade-off

– Serial Design:

• Smallest first-order secure AES S-box

• Only 2 bits of randomness per cycle

▪ Methodology:

Smallest unprotected design

Smallest protected design

Thanks!

any questions?

Ruhr University Bochum, Horst Görtz Institute for IT-Security, Germany

felix.wegener@rub.de

Smart Card Research and Advanced Application Conference - Yet … · 2018. 12. 10. · Example...

Documents

Conveyor chain catalogue · e-mail: contact@brampton-renold.com Germany Einbeck Tel: + 49 (0) 5562 81248 ... Conveyor chain catalogue Conveyor Chain Catalogue

Chain Reaction Cycles · +,-,.+,-,/+,-,0+,-!"#$%#&'()#$ +,-,.+,-,/+,-,0+,-!"#$%#&'()#$ +,-,.+,-,/+,-,0+,-!"#$%#&'()#$ +,-,.+,-,/+,-,0+,-!"#$%#&'()#$ *+,-,.+,-,/+,-,0

FSC CHAIN OF CUSTODY CROSSWALK V3-0 and V2-1 · Page 1 of 38 FSC CHAIN OF CUSTODY CROSSWALK V3-0 and V2-1 Last updated on 01 February 2017 The FSC Chain of Custody Certification standard

Winning with the SEA Integrated Supply Chain · 2017. 5. 31. · Accelerating Supply Chain Performance 8 $0 $5,000,000 $10,000,000 $15,000,000 $20,000,000 $25,000,000 1 9 9 9 2 0

Designing the Distribution Network in a Supply Chain 0. Introduction

Theory behind GAN - 國立臺灣大學speech.ee.ntu.edu.tw/~tlkagk/courses/MLDS_2018/Lecture...•Sample m examples 𝑥1,𝑥2,…,𝑥𝑚from data distribution 𝑃𝑑𝑎𝑡𝑎𝑥

Markov Chain Practice Set - 1 - WordPress.com · 2019-11-22 · Consider a Markov chain with five states {1,2,3,4,5} and transition matrix 0 0 oo- 0 0 Which of the following are true?

Timing Chain – Renew (21 314 0) - Ford Scorpio · Timing Chain – Renew (21 314 0) Special Tools 21140 21–140 Engine support bar 2114001 21–140–01 Adaptor for 21-140 2114003

DCOR 1 0 Design Chain Operations Reference Model DCOR 1 0 1

Chain of Custody Certification - fsc-deutschland.de · FSC-STD-40-004 V3-0 EN Chain of Custody Certification – 3 of 65 – Introduction Einleitung The FSC chain of custody (CoC)

Web personal de Edgardo Adrián Franco Martínez - …•Un conjunto finito de ecuaciones lineales en las variables 𝑥1,𝑥2,…,𝑥 se denomina sistema de ecuaciones lineales

삼에스주식회사 HLD.pdf · 2020. 5. 22. · HLD HLD PH stabilizers 0 4B Alkyl dimethyl benzyl ammonium chloridel| amine oxide¥ e 0 (Single chain)1F 481 CH 4Z (Double chain

Standard Conveyor Chain - Industrial and Bearing Supplies ... · Standard Conveyor Chain. ... contact@brampton-renold.com Germany Einbeck Tel: +49(0) ... ukchain@renold.com USA MorristownTN

TOCICO 0 to 60 Introduction to Distribution /Supply Chain

Meta-Complexity Theoretic Approach to Complexity Theoryigorcarb/complexity... · 2020. 9. 17. · Theorem [Ilango-Loff-Oliveira (CCC’20)] Definition (Multi-MCSP) ∧ 𝑥1 ∨ 𝑥2

PENILAIAN KINERJASUPPLY CHAIN MANAGEMENTeprints.umm.ac.id/38107/1/jiptummpp-gdl-dinanovita... · 0 “PENILAIAN KINERJASUPPLY CHAIN MANAGEMENT PADA CV. LINTAS MANDIRI GROUP BOJONEGORO”

UK Aerospace Supply Chain Study · PDF fileUK Aerospace Supply Chain Study . ... was distributed to over 1,000 aerospace companies within the UK supply chain. ... 100% 0-19 (22 responses)

Industry 4: How ready are you? - University of Warwick...Real-time data inventory… Supply chain integration Supply chain visibility Supply chain agility Lead time 0% 20% 40% 60%

Official launch of the SOCALCO 0 Net Deforestation Supply Chain initiative

1 Lecture 2 Ch.9 Supply Chain Policy Deployment. 2 Agenda 0. What have enterprises done that is distinctive in supply chain? 1. Supply Chain Policy Deployment