RS-Mask: Random Space Masking as an Integrated Countermeasure against
  Power and Fault Analysis by Ramezanpour, Keyvan et al.
IEEE Copyright Notice
© 2020 IEEE. Personal use of this material is permitted. Permission from IEEE must be
obtained for all other uses, in any current or future media, including reprinting/republishing
this material for advertising or promotional purposes, creating new collective works, for
resale or redistribution to servers or lists, or reuse of any copyrighted component of this
work in other works.
Accepted to be Published in: Proceedings of the 2020 IEEE International Symposium
on Hardware Oriented Security and Trust (HOST), May 4-7, 2020, San Jose, CA, USA
arXiv:1911.11278v1 [cs.CR] 25 Nov 2019
RS-Mask: Random Space Masking as an Integrated
Countermeasure against Power and Fault Analysis
Keyvan Ramezanpour, Paul Ampadu, and William Diehl
The Bradley Department of Electrical and Computer Engineering
Virginia Tech
Blacksburg, VA 24061, USA
{rkeyvan8,ampadu,wdiehl}@vt.edu
Abstract—While modern masking schemes provide provable security against passive side-channel analysis (SCA), such as power analysis, single faults can be employed to recover the secret key of ciphers even in masked implementations. In this paper, we propose random space masking (RS-Mask) as a countermeasure against both power analysis and statistical fault analysis (SFA) techniques. In the RS-Mask scheme, the distribution of all sensitive variables, faulty and/or correct values, is uniform, and it therefore protects the implementations against any SFA technique that exploits the distribution of intermediate variables, including fault sensitivity analysis (FSA), statistical ineffective fault analysis (SIFA) and fault intensity map analysis (FIMA). We implement RS-Mask on AES, and show that a SIFA attack is not able to identify the correct key. We additionally show that an FPGA implementation of AES, protected with RS-Mask, is resistant to power analysis SCA using Welch’s t-test. The area of the RS-Masked AES is about 3.5 times that of an unprotected AES implementation of similar architecture, and about 2 times that of a known FPGA SCA-resistant AES implementation. Finally, we introduce infective RS-Mask that provides security against differential techniques, such as differential fault analysis (DFA) and differential fault intensity analysis (DFIA), with a slight increase in overhead.
Index Terms—Masking, Power Analysis, RS-Mask, Statistical
Fault Analysis, SIFA, Threshold Implementation.
I. INTRODUCTION
Physical implementations of cryptographic algorithms, even with desirable algorithmic security, can leak information about secret data. In side-channel analysis (SCA), an attacker analyzes the data-dependent signatures or internal states of a cryptographic device to infer secret information. It is therefore critical to protect hardware implementations against SCA to achieve the promised security level of cryptographic algorithms.
In passive SCA, an attacker observes signals leaked from a device processing secret data. These techniques include simple power analysis (SPA) and differential power analysis (DPA) [1]–[5]. Correlation power analysis (CPA) [6] generalizes DPA by evaluating the correlation of the power samples with a mathematical leakage model, such as the Hamming weight (HW) of the processed data [7], the Hamming distance (HD) [6], [8] or the number of glitches during the operation of non-linear functions [9]. Deep learning has also been employed in [10] to extract higher order statistics of power traces. In contrast to model-based analysis, mutual information analysis (MIA) [11] and template attacks [12] assume a probability distribution, such as a multivariate Gaussian, with data-dependent parameters.
Fault analysis (FA) is a popular and powerful active SCA
technique in which a fault injected into the operations of a
cipher might result in an error depending on the values of
internal secret states [13]. As such, a data-dependent response
is induced in the hardware via fault injection. Differential fault
analysis (DFA) inspects the data flow in the internal state of a
cipher implementation [14]–[16]. The strong adversary model
in DFA is difficult to employ on modern nonce-based ciphers.
Statistical fault analysis (SFA) relaxes the assumptions of DFA to achieve more powerful FA attacks. SFA techniques such as fault sensitivity analysis (FSA) [17], differential fault intensity analysis (DFIA) [18], ciphertext-only fault analysis (CFA) [19], fault intensity map analysis (FIMA) [20] and one version of statistical ineffective fault analysis (SIFA) [21] exploit the bias induced in the distribution of sensitive variables and/or their differences, via faults leading to timing failure of logic circuits. Biased fault injection, such as laser beams, has also been employed in [22] to induce a biased distribution of variables. Fault attacks such as [23]–[25] and a second version of SIFA in [26] induce a biased distribution of values by corrupting the instruction registers of processors or internal registers of non-linear functions.
A popular countermeasure against passive SCA that provides provable security is masking, in which secret variables are split into random independent shares. Cipher computations are conducted on separate shares, which are independent of secret data, in a similar way as multi-party computation protocols [27]. A widely accepted masking scheme providing security against d-th order SCA with d + 1 shares is the Threshold Implementation (TI) [28], [29]. The main properties of TI schemes that provide provable security are non-completeness (i.e., any combination of d shares of a masked function is independent of at least one share of data), correctness (i.e., the final result is correct), and uniformity (i.e., output statistics match the input statistics). Hence, no d-th order statistics of the observed signals leak information about the secret.
Most existing countermeasures against DFA employ redundancy to detect an error in computations. Different forms of redundancies include redundant arithmetic [30]–[32], time and spatial redundancies [33], [34], and information redundancy using coding theory [35], [36] or MACs [37]. However, redundancy-based countermeasures cannot protect against SFA techniques that do not need faulty values for analysis, such as FSA, SIFA and FIMA.
In this paper we present random space masking (RS-Mask)
as a countermeasure against both passive SCA and fault
analysis, and implement this countermeasure in the Advanced
Encryption Standard (AES). The linear operations of the cipher
are protected in the same way as in a masked scheme. The
S-box computations are carried out in a random space of
intermediate variables with uniform distribution. The mapping
of intermediate variables to the random space is designed
such that the output of the S-box is the correct value covered
with a Boolean mask. Therefore, any bias induced by fault
injection will be randomized with uniform distribution. This
countermeasure can be adapted for other ciphers by tailoring
proper mapping of the variables to a random space for the
specific non-linear operations involved.
We verify the fault resistance of the RS-Masked AES by
observing the distribution of sensitive variables under fault
injection, and attempting to recover a secret key through
computer simulations of SIFA. We further verify its resistance
to power analysis SCA through the Test Vector Leakage
Assessment (TVLA) methodology (i.e., Welch’s t-test) using
an open-source test bench on the Artix-7 FPGA. We also
benchmark the RS-Masked AES implementation, and quantify
the overhead of the new countermeasure.
Our contributions in this work are as follows:
1) We introduce an integrated countermeasure, Random Space Masking (RS-Mask), with provable security against a bounded-complexity adversary leveraging power analysis SCA and absolute SFA attacks.
2) We implement RS-Mask on the popular AES cipher, and demonstrate its resistance to statistical ineffective fault analysis (SIFA) and power analysis SCA.
3) We derive conditions for provable security against differential fault attacks, such as DFA and DFIA, and introduce infective RS-Mask to provide security against these attacks.
The paper is organized as follows. Section II reviews existing countermeasures against power and fault analysis. Section III introduces random space masking. The mathematical derivations and the corresponding hardware implementation are discussed in Section IV. The security proof of the RS-Mask scheme against statistical fault analysis is given in Section V. Infective RS-Mask against differential fault analysis is introduced in Section VI and the results are shown in Section VII. The paper concludes in Section VIII.
II. BACKGROUND AND RELATED WORK
A. Combined Countermeasures for Power and Fault Analysis
A first solution to protect against both power and fault
analysis is to employ separate countermeasures which provide
protection against different types of attacks. As an example,
[38] employs redundant hardware along with shuffling of
cipher operations to achieve protection against both fault and
power analysis. It also employs fault space transformation
(FST) in which the computations of redundant states are
carried out in different domains, thus, making it difficult to
induce the same error in the redundant states [34].
Shuffling of computations randomizes the timing of internal operations of a cipher, hence making it difficult for an attacker to align the power traces. Shuffling of the datapath is employed in [39] to protect an AES implementation against localized EM fault attacks. Spatio-temporal randomization on reconfigurable hardware is also used in [40] to protect different ciphers such as AES against double fault injections. However, shuffling cannot provide perfect security against SCA. Data-dependent features still exist in the power trace even with randomized timing, and these can be extracted using machine learning algorithms [41], [42]. Further, considering fault analysis, shuffling randomizes the fault location and/or timing, which can be tolerated in most statistical analysis techniques.
In addition to larger overhead, a major drawback of using
separate countermeasures against power and fault analysis
is the possibility of a negative impact of countermeasures
against one type of attack on the other type, if not designed
properly. Several works have shown that fault countermeasures
employing concurrent error detection (CED) codes facilitate
power analysis [43], [44]. The effect of hardware redundancy
and parity-based error detection is also studied in [36]. The
results show that both types of countermeasures for fault
detection increase the speed of key recovery using CPA.
B. Masked Redundancy
To alleviate the negative impact of fault detection on power analysis resistance, [35] employs a concurrent error detection scheme in a threshold implementation, called ParTI. A systematic code is employed to generate shares of parity bits at the input and output of a cipher operation. A predictor logic predicts the correct parity bits at the output of the operation from the input parity shares. The calculated and predicted parity bits are compared to detect an error. Rather than concurrent error detection, Countermeasure Against Physical Attacks (CAPA) [37] and Masks and MACs (M&M) [45] employ information-theoretic MACs to detect errors as a result of fault injection.
Coarse-grained error detection, at the level of cipher operations, as employed in ParTI, CAPA and M&M, is not sufficient to protect against most SFA techniques, such as FSA, SIFA and FIMA. A solution is using error correction codes (ECC) to correct all faulty values. In [46], a 3-repetition Hamming code is employed at the gate level to correct any faulty node in the S-box of the GIFT-64 cipher. The area of this scheme increases by a factor of 6× in an ASIC implementation. The countermeasure introduced in [46] is only against fault analysis. Further, the ECC itself processes sensitive data and can be a target of fault attack.
Fine-grained error detection schemes, at the level of internal nodes of a logic function, similar to fine-grained ECC, can also be employed to protect against SIFA. Such a scheme is employed in [47] with Toffoli gates that implement non-linear permutations. In this work, 3-, 4- and 5-bit S-boxes that can be represented as non-linear permutations are protected against single-fault attacks with redundant masked Toffoli gates. It is shown that in a masked Toffoli gate, if a fault propagates to the input of at most one AND gate, then the event of a correct computation depends only on one share of the input, which is independent of sensitive variables. It is argued that to protect against a fault injection that affects d wires of the logic function, d + 1 redundant masked Toffoli gates are required, which incurs a large overhead.
C. Integrated Countermeasures
An alternative to the error detection/correction schemes is randomizing the effect of a fault while providing SCA security, as introduced in [48], which is called orthogonal direct sum masking (ODSM). In this scheme, the sensitive variables of the cipher are encoded with an orthogonal binary linear code. A random value from the complementary domain of the code is also added to the sensitive variables as a random mask. Exploiting the orthogonality property of the code, the sensitive variables can be recovered from the masked version using the generating matrix of the code. By deriving the equivalent operations of the cipher in the encoded/masked domain, the correctness of computations is ensured. As the computations are conducted on masked values, the leakage signals are assumed to be independent of the secret. By adding the random mask, the effect of a fault is also randomized; thus, resistance against statistical analysis is achieved.
Although ODSM promised a generic countermeasure
against SCA and fault analysis, studies of [49] demonstrated
that ODSM fails to provide the assumed security. The major
vulnerability of ODSM arises from the fact that the random
mask added to sensitive variables is not perfectly uniform as
opposed to Boolean masking, since the mask is chosen from
the orthogonal space to the encoded sensitive variables. As a
result, the distribution of masked variables cannot be uniform.
This property is exploited in [49] to deploy a first order
DPA attack to recover the secret key of AES implemented
with ODSM scheme. We will also prove that the non-uniform
distribution of a mask makes the scheme vulnerable to fault
analysis.
III. RANDOM SPACE MASKING
A. Primary Idea
The basic idea of RS-Mask is to map the intermediate
variables of a cipher to a random space. After operations
in the random space, the output is transformed back to the
original space of the cipher. As a result, if the random mapping
is uniform, the intermediate variables on which the cipher
operations are conducted become independent of the sensitive
data, hence, the implementation is robust against SCA. When
a fault is injected into intermediate variables in a random
space, any effect that the fault has on the data depends on
random values which are independent from the sensitive data.
The main challenge in implementing such a scheme is finding the proper random mapping, such that after performing the non-linear operations of the cipher in the random space, the correct values of the variables can be recovered.
Figure 1. Conceptual representation of random space (RS) masking that randomizes the effect of fault; shaded area is the distribution of values under fault injection.
The concept of RS-Mask is depicted in Fig. 1. The effect of
a biased fault is shown in part (b) of the figure. Fault injection
maps the space of internal variables of a logic function to a
particular set of values, which is depicted as the shaded area
in the figure. If the input to the function results in the values
of internal variables in the shaded area, the fault injection will
be ineffective; the result of computations is still correct under
fault injection. Depending on the fault type and location, only
particular values might result in this set of internal values,
hence, the distribution of correct values under fault injection
will be non-uniform, or biased. Similarly, distribution of faulty
values might also be biased.
In RS-Mask, we map the input of a logic function to any
possible value with equal probability, as shown in part (c)
of Fig. 1. As a result, during the operation of the logic
function under attack, any input can result in all possible
values of internal variables with equal probability. Hence,
the distribution of faulty values and correct values under
ineffective faults will be uniform.
B. Masking as a Random Mapping
Masking can be considered as a random mapping for sensitive variables. In a masking scheme, a sensitive variable $x$ is split into $d+1$ shares $x_i$, $i = 0, 1, \dots, d$, such that the sum of all $x_i$ is equal to the correct value $x$ and any $d$ of the shares are uniformly distributed. A function $y = f(x)$ is split into $d+1$ function shares $y_i = f_i(x_0, x_1, \dots, x_d)$ such that the sum of the $y_i$ is equal to the correct result $y$, with any $d$ of the $y_i$ uniformly distributed. While linear functions process input shares separately, a non-linear function share $f_i$ is possibly a function of all input shares.
Since, for linear functions, each share of the function
depends only on one share of the sensitive variables, if an
attacker injects biased faults into any combination of d shares,
there is still one correct share with a uniform distribution.
Hence, the sum of all shares is still uniformly distributed
under fault injection. Therefore, masking can be considered
as a sound countermeasure against statistical fault analysis
techniques with d faults.
However, this argument does not hold for non-linear functions. First, each share of a non-linear function depends on all shares of the input in most masked implementations. Hence, a faulty value of a single input share can propagate to all output shares, possibly making all biased. Second, to induce bias into most non-linear functions, such as S-boxes, it is not necessary to employ a biased fault mechanism; any type of fault can result in a biased distribution of the function output.
The reason a random fault can induce a biased distribution in most non-linear functions is the non-bijective constituent components of a non-linear function. In the case of the AES S-box, the Canright composite field computation for the $GF(2^8)$ inverter, as shown in Fig. 2, is popular due to its compact implementation [50]. The basic non-linear building blocks of this implementation are $GF(2^2)$ multipliers. The truth table of the multiplier is shown in Fig. 2 (b), which represents 2-bit multiplication $q = s \times t$ in the normal basis of the Canright scheme. The multiplier is a non-bijective function of an input $t$ if $s = 0$. This is the origin of the bias at the output of the multiplier even for uniform faults.
The uniformity of masking schemes, i.e., uniform distribution of the shares for all intermediate variables, is a fundamental property to provide security against SCA. However, the uniformity property alone does not help in protecting against biased-fault analysis. One might speculate that both the non-completeness and uniformity properties can inhibit a bias as a result of single faults, because there exists at least one share of the function which is independent of a given input share, and has a uniformly distributed output. As we will show, this argument is true only if the function shares are implemented as atomic operations, and uniformity is not achieved via remasking.
As most implementations of non-linear functions of a cipher
consist of a series of non-linear operations, the final output
shares depend on all shares of variables at the early stages
of the function, even with the non-completeness property. In
Fig. 3, a non-linear function is implemented as a series of
two components f(·) and g(·), each split into three shares.
The sharing also satisfies the non-completeness property; each
function share is independent of one share of its input. We
observe that a fault injected at a single share of the input
propagates to all shares of the output. Due to the non-linearity
of the functions, all output shares might be biased.
If a single fault is injected at the input of the function
component g(·) in Fig. 3, there is at least one share of the
output which is fault-free and uniform. One might conclude
that the single fault, at this location, cannot induce a bias into
the output of g(·). This is true only if the output shares are
uniform by the design of function shares gi(·), i = 0, 1, 2.
Remasking is a popular technique to achieve uniformity, in
which uniform refreshing masks are added to the output shares
of non-linear functions. However, remasking is not sufficient
to protect against biased fault analysis, since the refreshing
masks are cancelled out after combining the shares. Further,
adding linear combinations of input shares to the output of
non-linear shares, as in [51], is equivalent to remasking, since
these additional terms also cancel out after combining the
shares.
In a masking scheme in which the function shares result
in uniform output shares by design, and not using remasking,
the non-completeness property might help inhibit a bias only
if single faults are injected at final stages of calculations;
faults at early stages can quickly propagate to all output
shares, as shown in Fig. 3, leading to biased distribution of all
shares. Random space masking is a solution to achieve uniform
distribution at the output of a bijective non-linear function
under any type of fault attack, via pre-randomization of the
input to the function.
C. Random Space (RS) Mapping
In the proposed RS-Mask scheme, the linear functions of
a cipher are protected according to conventional masking
schemes. One of the shares, called RS share, is always
independent of the sensitive data shares; neither the secret
key nor any key-dependent intermediate variables are ever
combined with the RS share during cipher operations. The
RS share can be further split into multiple shares to increase
the complexity of a fault attack. The sub-shares of the RS
share can be combined at any stage of the cipher operations
to reduce the overhead of computations.
The non-linear function of the cipher, i.e., the S-box in the case of AES, is protected against biased fault analysis using RS mapping. The general block diagram of random mapping is shown in Fig. 4. At the input of the non-linear function $g(\cdot)$, the sensitive variable $X$ is transformed to $X'$ with a random mapping $E_1$. The correct output $Z$ is recovered from the output $Z'$ by applying the dual mapping $E_2$.
The necessary and sufficient conditions for the RS mappings $E_1$ and $E_2$ to protect the bijective function $g(\cdot)$ against biased fault analysis are as follows:
• Correctness: We must have $E_2 \circ g(E_1 \circ X) = g(X)$.
• Uniformity: The mapping $E_1$ must be uniform; i.e., for any value $X \in \mathbb{F}^n$ the result of $E_1 \circ X$ must be any value in $\mathbb{F}^n$ with equal probability.
• Robustness: The mapping $E_2$ itself must be robust against biased fault analysis; i.e., the distribution of values at the output of $E_2$ must be uniform under fault injection without remasking.
Figure 2. Canright composite field implementation of the $GF(2^8)$ inverter in the AES S-box, (a) inverter block diagram, (b) $GF(2^2)$ multiplier, $q = s \times t$.
Figure 3. Propagation of a fault in a single share of internal variables to all shares of output.
Figure 4. General block diagram of random mapping to protect a bijective non-linear function $g(\cdot)$ against biased fault analysis.
The main challenge in designing an RS-Mask for a given cipher is finding the proper mappings $E_1$ and $E_2$ that satisfy the above conditions. In this work, we define the random mapping $E_1$ such that
$$g(E_1 \circ X) = g(X) \oplus R \quad (1)$$
in which $R$ is a uniformly distributed mask. The output is thus comprised of two shares, i.e., the calculated value $Z'$ and a random mask $R$. Such a scheme satisfies the above conditions with the following advantages:
• The result of the function $g(\cdot)$ on the transformed input $X'$ is a linear combination of a Boolean mask and the
correct output Z which is compatible with traditional
masking schemes. Hence, there is no need to convert the
output to a masked version required for subsequent steps
of the cipher operations.
• No non-linear operation, such as E2, is required to recover
the correct value from the random space. As a result,
the robustness property is satisfied. The uniformity of the
masked output is inherent in designing the proper E1.
We notice that, in the proposed RS mapping scheme, fault injection at the input mapping $E_1$ cannot induce a bias into the correct output $Z$. The calculated output $Z'$ should normally be uniform. If a fault injection, either in $E_1$ and/or $g(\cdot)$, induces a bias into the distribution of $Z'$, the correct value $Z = Z' \oplus R$ would still be uniform.
IV. IMPLEMENTATION OF RS-MASK
A. Derivation of RS Mapping
In order to protect the $GF(2^8)$ inverter in the AES S-box against biased fault analysis, we need a random mapping on the input $X$ such that the output is $Z' = X^{-1} \oplus R$ with a uniformly distributed $R$. By representing the input and output of the $GF(2^8)$ inverter with their most and least significant nibbles as $X = x_1 \| x_0$ and $Z = z_1 \| z_0$, we have $z_1 = x_0 \otimes y$ and $z_0 = x_1 \otimes y$, in which $y$ is the output of the $GF(2^4)$ inverter as shown in Fig. 2, and $\otimes$ is the $GF(2^4)$ multiplier. We find the desired random mapping in two cases of zero and nonzero input values.
1) Nonzero Input: We note that the inverse of $X = 0$ in the field $GF(2^m)$ is 0, while the inverse of all nonzero values of $X$ is nonzero. According to the block diagram of Fig. 2, if $y = 0$, then the output of the inverter is 0. Hence, $y = 0$ only if $X = 0$. Assuming $y \neq 0$, which corresponds to a nonzero input to the $GF(2^8)$ inverter, we can write
$$z'_1 = z_1 \oplus r_1 = [x_0 \oplus (y^{-1} \otimes r_1)] \otimes y$$
$$z'_0 = z_0 \oplus r_0 = [x_1 \oplus (y^{-1} \otimes r_0)] \otimes y \quad (2)$$
in which $R = r_1 \| r_0$ is the random mask. The terms in the brackets can be considered as the required mapping to achieve the desired output. The value of $y^{-1}$ is also available at the input of the $GF(2^4)$ inverter.
The mapping in (2) is not sufficient to protect against faults injected at the earlier operations of the inverter. Assume $y^{-1}$ takes a faulty value, denoted by $(y^{-1})^*$; then the output of the $GF(2^4)$ inverter also takes a faulty value $y^*$. Since the operations of the $GF(2^4)$ inverter are fault-free, we have $(y^{-1})^* = (y^*)^{-1}$. Using this relation, the faulty value of the output in (2) reads
$$(z'_1)^* = [x_0 \oplus ((y^*)^{-1} \otimes r_1)] \otimes y^* = x_0 \otimes y^* \oplus r_1 \quad (3)$$
A similar equation also holds for the least significant nibble of the output. At the end of cipher operations, the mask $r_1$ will be combined with the calculated value $(z'_1)^*$. Hence, the recovered value will be $x_0 \otimes y^*$, which is clearly biased.
To prevent a faulty value from leaking into the unmasked output $Z$ in (2), we must use a separate datapath for calculating the $y^{-1}$ used in the random mapping. According to the block diagram of Fig. 2, we can write
$$y^{-1} = \nu (x_0 \oplus x_1)^2 \oplus (x_0 \otimes x_1) \quad (4)$$
in which $\nu \in GF(2^4)$ is a scaling constant in the Canright scheme. By substituting (4) into (2), we can derive the desired random mapping. However, to derive a single mapping for all input values we will need an auxiliary variable, as discussed later.
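The following Python script is an added worked example, not code from the paper: it checks the identity of Eq. (2) exhaustively and reproduces the fault-propagation argument of Eqs. (3) and (4) for the nonzero-input case, showing that the unmasked nibble is fully determined when the mapping reuses the faulted $y^{-1}$ and uniform over the mask $r_1$ when $y^{-1}$ comes from a separate datapath. It assumes a polynomial-basis $GF(2^4)$ (modulus $x^4 + x + 1$, unity 1) instead of the Canright normal basis used in the paper, and uses constructed sample values ($x_0 = 5$, $y^{-1} = 7$, single bit-flip fault); the identities themselves do not depend on the basis.

```python
# Added example, not from the paper: exhaustive check of Eq. (2) and of the
# fault-propagation argument of Eqs. (3)-(4) for the nonzero-input case.
# Assumption: GF(2^4) in polynomial basis modulo x^4 + x + 1 (the paper uses
# the Canright normal basis); the identities below hold in any basis.
from collections import Counter

MOD = 0b10011  # x^4 + x + 1, irreducible over GF(2)


def gf16_mul(a: int, b: int) -> int:
    """Shift-and-add multiplication of two GF(2^4) elements (4-bit ints)."""
    p = 0
    for _ in range(4):
        if b & 1:
            p ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:  # reduce modulo x^4 + x + 1
            a ^= MOD
    return p & 0xF


def gf16_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^4); the S-box convention inv(0) = 0 is kept."""
    if a == 0:
        return 0
    for cand in range(1, 16):
        if gf16_mul(a, cand) == 1:
            return cand
    raise ValueError("no inverse found")  # unreachable in a field


def rs_masked_mult(x0: int, y_inv_seen: int, y: int, r1: int) -> int:
    """Eq. (2): z1' = [x0 + (y^-1 * r1)] * y in GF(2^4).

    y_inv_seen is the value of y^-1 that the mapping logic actually uses; it
    equals the true inverse of y only when that wire is fault-free."""
    return gf16_mul(x0 ^ gf16_mul(y_inv_seen, r1), y)


def identity_holds() -> bool:
    """Check z1' == x0 * y + r1 for every x0, r1 and every nonzero y."""
    return all(
        rs_masked_mult(x0, gf16_inv(y), y, r1) == gf16_mul(x0, y) ^ r1
        for x0 in range(16) for y in range(1, 16) for r1 in range(16)
    )


def unmasked_values_under_fault(x0: int, y_inv: int, fault_mask: int,
                                separate_datapath: bool) -> Counter:
    """Distribution of the unmasked output z1' + r1 over all 16 masks r1 when a
    bit-flip fault (fault_mask) hits the y^-1 wire feeding the GF(2^4) inverter.
    The inverter itself is fault-free, so y* = inv((y^-1)*) as in Eq. (3)."""
    faulty_y_inv = y_inv ^ fault_mask
    y_star = gf16_inv(faulty_y_inv)
    # Shared datapath (Eq. (3)): the mapping reads the faulted y^-1.
    # Separate datapath (Eq. (4)): the mapping recomputes y^-1 from x0, x1.
    mapping_y_inv = y_inv if separate_datapath else faulty_y_inv
    dist = Counter()
    for r1 in range(16):
        z1_prime = rs_masked_mult(x0, mapping_y_inv, y_star, r1)
        dist[z1_prime ^ r1] += 1  # what an SFA attacker sees after unmasking
    return dist


if __name__ == "__main__":
    # Constructed sample: nibble x0 = 5, y^-1 = 7, fault flips bit 0 of y^-1.
    print("Eq. (2) holds for all inputs:", identity_holds())
    print("shared y^-1 datapath :", dict(unmasked_values_under_fault(5, 7, 1, False)))
    print("separate datapath    :", dict(unmasked_values_under_fault(5, 7, 1, True)))
```

With the shared datapath the 16 masks all yield the single value $x_0 \otimes y^*$; with the separate datapath each of the 16 field elements appears exactly once, which is the uniformity the paper relies on.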
2) Zero Input: When $X = 0$, then $y = y^{-1} = 0$ and the equations in (2) do not hold. Hence, the random mapping in (2) is not correct for zero input. In this case, we use the linearity property of $GF(2^8)$ for $X = 0$, i.e.,
$$(0 \oplus R)^{-1} = 0^{-1} \oplus R^{-1} \quad (5)$$
Using this property, if we add $R^{-1}$ to the input, when it is zero, the output of the inverter will be the masked correct value $Z' = 0 \oplus R = R$. However, in this case, the mapping in (2) must not be applied during the calculations of the inverter. Similarly, when the input is nonzero, $R^{-1}$ must not be added to the input. The above derivation is explained separately for zero and nonzero inputs for clarity. However, the final mapping processes all input values within the same datapath, as discussed below.
3) All Input Values: We use an auxiliary variable $f$ to achieve a single random mapping for all values of the input $X$, defined as
$$f = \begin{cases} 15, & X \neq 0 \\ 0, & X = 0 \end{cases} \quad (6)$$
Note that the value 15 is the multiplicative unity in the field $GF(2^4)$. Now, with a random mask $R$, we add the value $\bar{f} \otimes R$ to the input, in which $\bar{f}$ is the bitwise inverse of $f$. In this case, the value of $R^{-1}$ is added to the input only if $X = 0$. Similarly, by combining (2) and (4) with $f$, we get the final random mapping as
$$z'_1 = \big( x_0 \oplus [(x_0 \oplus x_1)^2 \otimes \nu r_0] \oplus [(x_0 \otimes r_0) \otimes x_1] \otimes f \big) \otimes y$$
$$z'_0 = \big( x_1 \oplus [(x_0 \oplus x_1)^2 \otimes \nu r_1] \oplus [(x_1 \otimes r_1) \otimes x_0] \otimes f \big) \otimes y \quad (7)$$
B. Hardware Implementation
The overall block diagram of the AES S-box with composite field implementation in the RS-Mask scheme is shown in Fig. 5. The $GF(2^4)$ multipliers are implemented as a parallel of three $GF(2^2)$ multipliers as shown in [35]. All AND gates and multipliers in Fig. 5 are masked according to TI with three shares. To protect against SCA in the presence of glitches, the outputs of all non-linear components are registered. The output linear transformations include the combined affine transformation and normal basis conversion as well as the MixColumn operation of AES. After four bytes of state reach register level 10, the result of one column of the state is ready by applying MixColumn and AddRoundKey.
In our implementation, the entire state of AES is split into
three shares. One of the shares is the RS share R. The round
keys are also split into two shares with the RS share set to
0 to save extra randomness and registers. Since fault analysis
techniques induce a bias into the distribution of state bytes,
it is not necessary to mask the round keys with an RS share.
As observed in Fig. 5, the RS share is combined with one
share of the data at the input of the S-box, after normal basis
conversion. The output of the S-box consists of the processed
data and the RS share. At the end of a round, the two shares of
the round keys are added to the two shares of data excluding
the RS share.
The structure of the $GF(2^8)$ inverter in Fig. 5 that processes the random mask $R$ is the same as in Fig. 2. This inverter is implemented with only one share as $R$ is independent of any sensitive variable. In order to prevent an attacker from inferring the value of $R$ by observing the number of glitches, the outputs of non-linear components in this inverter are also registered, as shown in Fig. 2.
There are two types of $GF(2^4)$ multipliers in the RS-Mask scheme of Fig. 5. In one type, i.e., multipliers 1 to 6, an intermediate variable, with three shares, is multiplied by a random mask which has only one share. In other multipliers, both inputs have three shares. For masking multipliers with a single-share input, the overhead increases linearly with the number of shares, since $x \otimes r = (\sum_i x_i) \otimes r = \sum_i (x_i \otimes r)$.
The random mapping of the proposed scheme, in Fig. 5, requires four extra multipliers with three shares at both inputs. The overhead of masking six multipliers with a single-share input is equivalent to two fully masked multipliers with three shares. The overall overhead of the random mapping is thus equivalent to six fully masked $GF(2^4)$ multipliers. Including the extra single-share $GF(2^8)$ inverter for the RS mask and the logic for calculating the auxiliary variable $f$, the overall overhead of the RS-Mask S-box is almost equivalent to 3× the area of a TI S-box with the same number of shares.
According to Fig. 5, nine register levels are required,
after every stage of non-linear operations, to achieve security
against SCA in the presence of glitches. The output shares of
every non-linear operation are remasked before being stored
in the registers. An extra register level is required at the output
of S-box calculations to perform MixColumn operation on the
bytes of a column. In order to maintain throughput, the AES
algorithm is implemented in a 10-stage pipelined design. The
same instance of the S-box in Fig. 5 is reused for calculating
the state bytes and the round keys.
The entire AES encryption algorithm with three shares of
the state according to the RS-Mask scheme is implemented
on an Artix-7 FPGA. A comparison of an unprotected AES, a
TI implementation secure against only SCA, and the proposed
RS-Mask AES with three shares, secure against both SCA and
statistical fault analysis is shown in Table I. The relative cost
of TI and RS-Mask implementations versus unprotected AES
is also given in Table II. Frequency and area are optimized in
Xilinx Vivado using the Minerva automated optimization tool
[52]. The TI implementation of AES in these tables, available
at [53], has two shares for the linear operations and three
shares for S-box calculations.
As observed in Tables I and II, the major overhead of RS-Mask is the increase in area and dynamic power. The overall area of the AES implementation with RS-Mask is around 3.5× the area of an unprotected AES and 2× the TI AES. The RS-Mask AES consumes 44.3 mW of total power (31 mW static power) measured at 20 MHz on the CW305 Artix-7 target board, compared with 31.8 mW (29 mW static) power consumption of unprotected AES. With the 10-stage pipeline design of RS-Mask, the throughput is degraded by around 22%, which is mainly due to the decrease in the operating frequency, but also due to the number of clock cycles of RS-Mask increasing to 239 per block, versus 205 per block in the unprotected AES and TI AES. The decrease in throughput per area (TPA) of the RS-Mask scheme is 82.7%, which is mainly due to the large area cost, while the TPA degradation of the TI implementation is 70.2%, close to that of RS-Mask.
Figure 5. RS-Mask implementation of the AES S-box, according to Canright's composite field implementation, with a uniformly distributed mask R for random mapping; red connections represent additional computations required for RS mapping; numbered vertical lines represent pipeline stages.
Table I
COMPARISON OF UNPROTECTED, TI AND RS-MASK AES.
Result of Optimization    AES     TI AES   RS-Mask AES
Max frequency [MHz]       242     195      218
LUT                       508     1373     2273
Slices                    264     583      827
Throughput [Mbps]         151.1   121.8    116.8
Power [mW] @ 20 MHz       31.8    –        44.3
Energy [nJ/bit]           2.55    –        4.14
Table II
OVERHEAD OF TI AND RS-MASK VERSUS UNPROTECTED AES.
Cost                              TI AES   RS-Mask AES
Decrease in frequency [%]         19.4     9.9
Decrease in TPA [%]               70.2     82.7
Increase in Area [%]              170.3    347.4
Increase in Total Power [%]       –        39.3
Increase in Dynamic Power [%]     –        375
V. SECURITY PROOF
The security of the proposed RS-Mask scheme against
passive SCA is based on the security promises of TI masking
schemes, as all building blocks of the RS mapping are im-
plemented according to TI. We make no further claims on the
security of RS-Mask against power analysis. In this section, we
prove the security of the proposed RS-Mask scheme against
absolute statistical fault analysis. Further, we derive conditions
for security of a countermeasure against differential fault
analysis.
We categorize all statistical fault analysis techniques into
two classes: absolute and differential analysis. We define
absolute fault analysis as any technique that employs the
distribution of an intermediate variable of a cipher under fault
injection as the observable. The differential fault analysis is
defined as any technique that observes the distribution of the
difference induced in an intermediate variable as a result of
fault injection. The absolute and differential fault analysis
techniques are analogous to the classical linear and differential
cryptanalysis. In the classical cryptanalysis, the bias is due to
the imperfect design of the non-linear operations in a cipher,
while, in fault analysis it is the result of fault injection.
The following theorem proves the security of RS-Mask
against absolute fault analysis.
Theorem 1. Consider an arbitrary random Boolean variable X and an independent Boolean mask R. The mutual information between the masked variable Z = X ⊕ R and X is zero if and only if R is uniformly distributed.
Proof. First, assume the random mask R is uniformly distributed. Considering m-bit Boolean variables, we can derive the probability mass function (pmf) of Z as a circular convolution of the pmf of X and R, i.e.,

$$p_Z(z) = \sum_{r} p_R(r) \cdot p_X(z \oplus r) = \frac{1}{2^m} \sum_{r} p_X(z \oplus r) \quad (8)$$

in which the second equality is due to the uniform distribution of R. Since $\sum_x p_X(x) = 1$, we have $p_Z(z) = 1/2^m$. Hence, Z is also uniformly distributed. Now, the mutual information between Z and X can be written as

$$I(Z;X) = H(Z) - H(Z|X) = m - m = 0 \quad (9)$$

where H(·) is the Shannon entropy. Since Z is uniformly distributed, H(Z) takes the maximum value, which is equal to m for an m-bit variable. Further, given X, the distribution of Z is equal to the distribution of R, which is also uniform; hence, H(Z|X) = m.
To prove the converse of the theorem, we consider a non-uniform variable R and we show that it is not possible that I(Z;X) = 0. Assume I(Z;X) = 0. From the definition of mutual information, I(Z;X) = 0 implies that H(Z) = H(Z|X). Additionally, we know that

$$H(Z|X) = -\sum_{x} P(X = x) \cdot \Big[ \sum_{z} P(R = z \oplus x \,|\, X = x) \cdot \log\big(P(R = z \oplus x \,|\, X = x)\big) \Big] \quad (10)$$

which is equal to H(R|X) by definition. Since R and X are independent, H(R|X) = H(R). Hence, we conclude that

$$H(Z) = H(Z|X) = H(R|X) = H(R) \quad (11)$$

On the other hand, from the property that conditioning reduces entropy, we have

$$H(Z) \ge H(Z|X) = H(R|X) = H(R)$$
$$H(Z) \ge H(Z|R) = H(X|R) = H(X) \quad (12)$$

The second equation can be proved the same way as in (10). From (12), we conclude that $H(Z) \ge \max\{H(X), H(R)\}$. Since X is an arbitrary random variable, we can choose H(X) > H(R). Hence, H(Z) > H(R). But from (11), we must have H(Z) = H(R), which is a contradiction.
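The following script is an added numerical check of Theorem 1 and is not part of the paper; it evaluates the circular convolution of eq. (8), the entropies of eqs. (9) to (12) and the resulting I(Z;X) for an m = 4 bit variable (the nibble width of the GF(2^4) shares is an assumption made here for illustration), once with a uniform mask and once with a constructed biased mask. It also reports the squared Euclidean imbalance of the masked distribution, which is the bias measure the results section later uses.

```python
"""Numerical check of Theorem 1: Z = X xor R carries no information about X iff R is uniform."""
from math import log2

M = 4            # bit width m of the Boolean variables (assumed: GF(2^4) nibbles, as in the S-box)
N = 1 << M       # number of values, 2^m


def entropy(pmf):
    """Shannon entropy H(.) in bits of a pmf given as a list of 2^m probabilities."""
    return -sum(p * log2(p) for p in pmf if p > 0.0)


def xor_convolve(p_x, p_r):
    """pmf of Z = X xor R for independent X and R: the circular convolution of eq. (8)."""
    return [sum(p_r[r] * p_x[z ^ r] for r in range(N)) for z in range(N)]


def mutual_information(p_x, p_r):
    """I(Z;X) = H(Z) - H(Z|X); given X = x, Z = x xor R has the pmf of R, so H(Z|X) = H(R)."""
    return entropy(xor_convolve(p_x, p_r)) - entropy(p_r)


def sei(pmf):
    """Squared Euclidean imbalance of a pmf from the uniform one: sum_v (p(v) - 2^-m)^2."""
    return sum((p - 1.0 / N) ** 2 for p in pmf)


def uniform_pmf():
    return [1.0 / N] * N


def peaked_pmf(peak, weight):
    """Constructed non-uniform pmf: probability `weight` on `peak`, the rest spread evenly."""
    rest = (1.0 - weight) / (N - 1)
    return [weight if v == peak else rest for v in range(N)]


def masking_report(p_x, p_r):
    """Return (H(Z), H(X), H(R), I(Z;X), SEI(Z)) for the masked variable Z = X xor R."""
    p_z = xor_convolve(p_x, p_r)
    return entropy(p_z), entropy(p_x), entropy(p_r), mutual_information(p_x, p_r), sei(p_z)


if __name__ == "__main__":
    # A heavily biased sensitive variable, as a faulty S-box output would be (constructed).
    p_x = peaked_pmf(peak=3, weight=0.7)
    for label, p_r in (("uniform mask", uniform_pmf()), ("biased mask", peaked_pmf(0, 0.5))):
        h_z, h_x, h_r, mi, bias = masking_report(p_x, p_r)
        print(f"{label:13s} H(Z)={h_z:.3f} H(X)={h_x:.3f} H(R)={h_r:.3f} "
              f"I(Z;X)={mi:.3f} SEI(Z)={bias:.2e}")
```

With the uniform mask, H(Z) reaches m = 4 bits and I(Z;X) vanishes whatever the bias of X; with the biased mask, H(Z) still satisfies the bound H(Z) ≥ max{H(X), H(R)} of eq. (12), but I(Z;X) is strictly positive, which is the contradiction the converse direction of the proof relies on.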
According to Theorem 1, since the calculated output $Z' = X^{-1} \oplus R$ in Fig. 5 is the sensitive variable $X^{-1}$ masked with
a uniformly distributed variable R, the output is independent
of the sensitive variable. To achieve the claimed security, the
distribution of the RS mask must be uniform. As a result, by
observing the distribution of the calculations at the output of
the S-box, no information can be retrieved about the sensitive
variables. Similarly, for linear operations of the cipher, masked
with d+ 1 shares, observation of at most d variables leaks no
information about the sensitive data as there is at least one
share that works as a uniform mask. However, a differential
fault analysis technique can still retrieve information about the
secret data. The following theorems demonstrate this claim.
Proposition 1. Consider a bijective non-linear function X =
S(Y ) such that for a random variable Y and an independent
constant K, X = S(Y ⊕K) is uniformly distributed for any
nonzero K. Consider non-equal random variables Y1 and Y2
such that the distribution of S(Y1) ⊕ S(Y2) is non-uniform.
The distribution of S(Y1 ⊕ K) ⊕ S(Y2 ⊕ K) is uniform if and
only if K ≠ 0.
Proof. Assume K ≠ 0. From the definition of the function
S(·), we know that X1 = S(Y1 ⊕K) and X2 = S(Y2 ⊕K)
are uniformly distributed. From Theorem 1, we can conclude
that X1 ⊕ X2 is independent of both X1 and X2, thus, is
uniformly distributed.
Proof of the converse is trivial. When K = 0, the difference
S(Y1) ⊕ S(Y2) is non-uniformly distributed as stated in the
proposition.
The above proposition is a statement of the fundamental
property of well-designed ciphers. For the example of AES,
we can represent the relationship between one byte of the
output ciphertext, i.e., Ci, and the corresponding byte at the
output of round 9, Xi, as Xi = S(Ci ⊕Ki), in which, Ki is
a constant related to the round key 10 and S(·) is the inverse
of the S-box. Although the linear operations of the cipher are
discarded, this relation provides a sound model for the non-
linear behavior of the cipher. If an incorrect value of the round
key 10 is used to calculate the intermediate variables at round 9
from the output ciphertext, the distribution of calculated values
will always be uniform.
Theorem 2. Consider arbitrary random variables Y1 and Y2
with a non-uniform difference S(Y1) ⊕ S(Y2), in which S(·)
is a bijective non-linear function with the properties stated in
Proposition 1. The mutual information I(X1;X2), with X1 =
S(Y1 ⊕K) and X2 = S(Y2 ⊕K), is nonzero if and only if
K = 0.
Proof. When K = 0, it is known that the difference ∆ =
X1⊕X2 is non-uniformly distributed as stated in the theorem.
We have X2 = X1 ⊕∆. According to Theorem 1, since ∆ is
non-uniformly distributed, the mutual information I(X1;X2)
is nonzero.
To prove the converse, assume K ≠ 0. According to
Proposition 1, the distribution of the difference ∆ = X1⊕X2
is uniformly distributed. By representing X2 = X1 ⊕ ∆ and
from Theorem 1, we conclude that I(X1;X2) = 0.
The above theorem is a statement of differential fault
analysis. Assume X1 and X2 represent the correct and faulty
values of an intermediate variable with a biased difference.
An attacker has access to the correct and faulty outputs
of the cipher, i.e., Y1 and Y2, respectively. To calculate
the intermediate variables, the secret key K is required as
Xi = S(Yi ⊕ K), i = 1, 2. From Theorem 2, we know that
the mutual information between the correct and faulty values
is nonzero only for the correct key. If we consider the mutual
information as a test statistic for ranking key candidates, the
correct key exhibits the highest rank; thus, it can be identified.
VI. INFECTIVE RS-MASK
While the RS-Mask scheme of Fig. 5 randomizes inter-
mediate variables, there is no guarantee that the distribution
of differences induced by the fault is also uniform. Hence,
differential fault analysis techniques are still able to attack this
scheme. Among all SFA techniques, the statistical DFA in [54]
and DFIA are differential analyses. They both observe the bias
in the error distribution. All other SFA techniques, including
SIFA and FIMA, are absolute techniques which observe the
distribution of the intermediate variables. In this section, we
introduce infective RS-Mask as an extension, that additionally
provides security against differential FA.
The intrinsic redundancy of RS-Mask in Fig. 5 can be exploited to detect an error with a small overhead. The output of the RS-Mask S-box is Z′ = Z ⊕ R. We can also calculate Z by using two additional GF(2^4) multipliers as shown in Fig. 6. The difference between Z′ and Z must be equal to R if there is no error. The values x0, x1 and y are available from the calculations of Fig. 5. Having a random mask R1 with uniform distribution, we can add E × R1 to the output of the S-box. If the error is nonzero, the distribution of E × R1 is uniform; otherwise, E × R1 = 0. Hence, if an error occurs, the values of the state bytes are randomized, or infected. With uniform distribution of errors, no differential SFA technique can be successful. The multiplication E × R1 can also be optimally implemented to have an overhead equivalent to 2× a masked GF(2^4) multiplier with a single-share input.
Figure 6. Additional redundancy required for protecting RS-Mask against differential fault attacks.
The infective RS-Mask scheme with the error-detection as
shown in Fig. 6 can protect against all statistical fault analysis
techniques. However, classical differential fault analysis (DFA)
can still attack this scheme. In AES, an error in one byte of
the state propagates into the entire column, after MixColumn,
with deterministic relations of errors in different bytes of the
column. The error detection scheme in Fig. 6 can also be used
to provide security against DFA. Having four random masks
Ri, i = 0, · · · , 3, we can calculate four random variables Ei =
E × Ri, i = 0, · · · , 3. By adding Ei to the i-th byte of a
column, the errors of all bytes in a column are randomized
with no deterministic relations.
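The script below is an added model of the infective step of this section, not code from the paper or its FPGA design. It computes the error E = Z′ ⊕ Z ⊕ R from the redundant S-box outputs, infects the output with E × R1, and checks the two distribution claims above: E × R1 is flat over all byte values for any nonzero E and identically zero otherwise, and the per-byte infections Ei = E × Ri of one column carry no deterministic relation to each other. Multiplication is done in GF(2^8) with the AES polynomial; this representation is an assumption (the paper's S-box works in Canright's tower field), but the argument only needs that multiplication by a nonzero E is a bijection of the field, which holds in any basis. The block also verifies the share-wise multiplier identity (Σ_i x_i) ⊗ r = Σ_i (x_i ⊗ r) from Section IV on a constructed three-share value, since it needs the same field multiplier.

```python
"""Infective RS-Mask step of Section VI, plus the single-share multiplier identity of Section IV."""
from collections import Counter
from functools import reduce
from operator import xor


def gf256_mul(a, b):
    """Multiply in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1 (assumed representation;
    the paper's Canright tower field is another basis of the same field, and the uniformity
    argument below only needs that y -> e*y is a bijection for nonzero e)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
    return r & 0xFF


def detect_error(z_prime, z, r):
    """E = Z' xor Z xor R: zero for a fault-free S-box, nonzero when either path was faulted."""
    return z_prime ^ z ^ r


def infect(z_prime, e, r1):
    """Infected S-box output Z' xor (E x R1); unchanged when E = 0."""
    return z_prime ^ gf256_mul(e, r1)


def infection_distribution(e):
    """Histogram of E x R1 over a uniform R1: {0: 256} for E = 0, flat over all 256 values otherwise."""
    return Counter(gf256_mul(e, r1) for r1 in range(256))


def column_difference_distribution(e):
    """Histogram of E0 xor E1 with Ei = E x Ri over independent uniform R0, R1: flat for nonzero E,
    i.e. two infected bytes of a column share no deterministic relation."""
    return Counter(gf256_mul(e, r0) ^ gf256_mul(e, r1) for r0 in range(256) for r1 in range(256))


def is_flat(hist, values=256):
    """True when every one of `values` outcomes occurs equally often."""
    return len(hist) == values and len(set(hist.values())) == 1


def mul_single_share(shares, r):
    """Share-wise product with a single-share operand: (sum_i x_i) x r = sum_i (x_i x r), Section IV."""
    return [gf256_mul(xi, r) for xi in shares]


def unshare(shares):
    """Recombine Boolean shares."""
    return reduce(xor, shares, 0)


if __name__ == "__main__":
    z, r = 0x53, 0xA7                       # constructed inverse output Z and RS mask R
    z_prime = z ^ r
    print("error, fault-free:", detect_error(z_prime, z, r))
    faulted = z_prime ^ 0x08                # constructed single-bit fault on the masked path
    e = detect_error(faulted, z, r)
    print("error, faulted:   ", hex(e), "flat infection:", is_flat(infection_distribution(e)))
    print("column diff flat: ", is_flat(column_difference_distribution(e)))
    x = [0x3C, 0xD1, 0x9E]                  # constructed 3-share representation of one byte
    print("share-wise mult ok:", unshare(mul_single_share(x, r)) == gf256_mul(unshare(x), r))
```

The column check enumerates all 65536 pairs (R0, R1); because E0 ⊕ E1 = E × (R0 ⊕ R1) and R0 ⊕ R1 is itself uniform, the histogram is flat for every nonzero E, which is exactly the property that removes the deterministic inter-byte error relations MixColumn would otherwise impose.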
VII. RESULTS
We evaluate the robustness of an FPGA implementation of
the RS-Mask against power analysis using the Flexible Open-
source workBench fOr Side-channel analysis (FOBOS) [55].
Our FOBOS instance uses the NewAE CW305 Artix-7 FPGA
target for instantiation of the RS-Mask AES, and Digilent
Nexys A7 as the control board for synchronization with a
host PC and target FPGA. We employ t-test statistics to show
any leakage of sensitive data into the power traces. For fault
analysis, we employ a simulated fault injection mechanism
into the internal variables of the S-box. We use a similar fault
model as described in [26]; the attacker can inject any type of
fault into the internal operations of the S-box.
A. Resistance against Power Analysis
In order to demonstrate the resistance of the proposed
RS-Mask against power analysis, we use test vector leakage
assessment (TVLA) methodology with t-test statistics. TVLA
is independent of leakage models while it can detect potential
leakages of secret information to the power traces.
To conduct the t-test on the RS-Mask scheme, we measured the power traces of the FPGA implementation of AES during encryption of multiple plaintexts. Depending on the intermediate variable, i.e., the output of the S-box, the power traces are divided into two separate sets T_A and T_B. To detect a first-order leakage in the power traces, the t-test statistic is

$$t = \frac{\mu_A - \mu_B}{\sqrt{\sigma_A^2 / N_A + \sigma_B^2 / N_B}} \quad (13)$$

in which $\mu_i$, $\sigma_i^2$ and $N_i$ are the sample mean, variance and the number of samples in the power trace set $i \in \{A, B\}$. The results of t-test statistics on 100K measured power traces are shown in Fig. 7. We observe |t| < 4.5, which implies the lack of first-order leakage with a confidence level of 99.999%.
Figure 7. T-test statistics on an FPGA implementation of RS-Masked AES with no observable leakage.
Figure 8. T-test statistics on an FPGA implementation of unprotected AES showing leakage of sensitive information.
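The script below is an added illustration of the t-test of eq. (13) and is not the paper's FOBOS measurement code. It computes t per time sample for two trace sets and flags samples whose |t| exceeds the 4.5 threshold. The traces are constructed: Gaussian noise, with set B shifted at one sample by a `leak` amount, so that leak > 0 stands in for an unprotected design whose power depends on the S-box output, and leak = 0 for a masked design where both sets follow the same distribution; the trace count, sample count and leak position are assumptions of the example.

```python
"""Welch's t-test of eq. (13) over constructed power traces (added example)."""
import random
from math import sqrt

THRESHOLD = 4.5          # |t| bound used by TVLA for 'no first-order leakage'


def mean_var(samples):
    """Sample mean and (unbiased) sample variance of one time sample across a trace set."""
    n = len(samples)
    mu = sum(samples) / n
    var = sum((s - mu) ** 2 for s in samples) / (n - 1)
    return mu, var


def welch_t(traces_a, traces_b):
    """Per-time-sample t = (mu_A - mu_B) / sqrt(s_A^2/N_A + s_B^2/N_B), eq. (13)."""
    n_a, n_b = len(traces_a), len(traces_b)
    t_values = []
    for i in range(len(traces_a[0])):
        mu_a, var_a = mean_var([tr[i] for tr in traces_a])
        mu_b, var_b = mean_var([tr[i] for tr in traces_b])
        t_values.append((mu_a - mu_b) / sqrt(var_a / n_a + var_b / n_b))
    return t_values


def leaky_samples(t_values, threshold=THRESHOLD):
    """Indices of time samples whose |t| exceeds the threshold."""
    return [i for i, t in enumerate(t_values) if abs(t) > threshold]


def simulate_trace_sets(leak, n_traces=2000, n_samples=20, leak_at=7, seed=1):
    """Constructed traces: Gaussian noise, with set B shifted by `leak` at one sample.
    leak > 0 models an unprotected S-box whose power depends on its output; leak = 0 models a
    masked design where the two sets are drawn from the same distribution."""
    rng = random.Random(seed)

    def trace(shift):
        return [rng.gauss(0.0, 1.0) + (shift if i == leak_at else 0.0) for i in range(n_samples)]

    set_a = [trace(0.0) for _ in range(n_traces)]
    set_b = [trace(leak) for _ in range(n_traces)]
    return set_a, set_b


def assess(leak):
    """Run the t-test on the constructed sets and return the indices flagged as leaking."""
    return leaky_samples(welch_t(*simulate_trace_sets(leak)))


if __name__ == "__main__":
    print("unprotected-like (leak=0.5):", assess(0.5))   # [7]
    print("masked-like      (leak=0.0):", assess(0.0))   # []
```

With 2000 traces per set and unit noise, a mean shift of 0.5 at one sample gives |t| near 16 there and values of order 1 elsewhere, which is why the threshold separates the two cases cleanly; the split by an intermediate value, as used in the paper, works the same way once the two sets are formed.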
For comparison, the t-test results of an unprotected imple-
mentation of AES are shown in Fig. 8. It is observed that
the t-values extend beyond the threshold of 4.5 at multiple
time samples. It implies that at those time samples, the power
consumption of the computations is strongly correlated with the
processed secret data. Hence, a power analysis technique can
likely exploit this correlation to recover the secret key.
B. Resistance against Fault Analysis
To demonstrate the resistance of the RS-Mask scheme
against statistical fault analysis, we inspect the distribution
of intermediate variables under fault injection, which ideally
must be uniform. Next, we conduct a SIFA attack on an RS-
Masked implementation of AES to show that the secret key
is not distinguishable using the distribution of intermediate
variables.
In Fig. 9, the distribution of faulty values with a single
fault injected into the internal computations of the S-box is
compared for two masked implementations of AES, i.e., the TI-
Masked and RS-Masked implementations. The fault location
is at the output of the GF(2^2) multiplier, marked with a red
circle, shown in Fig. 2.
In Fig. 9 we observe that, in the TI implementation, a single fault can induce a significant bias into the distribution of values at the output, even with 3 shares. However, in the RS-Mask scheme, the distribution of faulty values is uniform. For comparison, the distribution of intermediate values calculated with an incorrect key guess is also shown in the figure, which is very similar to the distribution of values calculated with the correct key in the RS-Mask scheme. This result shows that the correct key is indistinguishable in the RS-Mask implementation with any SFA technique that exploits the distribution of faulty values.
Figure 9. Distribution of faulty values at the output of the S-box under attack on TI-Masked and RS-Masked AES implementations.
Figure 10. Distribution of correct values at the output of the S-box under attack on TI-Masked and RS-Masked AES implementations.
The distribution of correct values under ineffective faults
is also compared in Fig. 10. Similar to the faulty values,
the distribution of correct values in the TI implementation is
biased as a result of a single fault injection. However, in the RS-
Mask implementation, the distribution of correct values is nearly
uniform and is close to the distribution of values calculated
with an incorrect key candidate. As a result, the correct key
is not distinguishable using correct values.
C. Resistance against SIFA attack
To further demonstrate the resistance of RS-Mask against
SIFA, we deploy a fault attack on the RS-Mask and TI
implementations of AES with a single fault injected at the
internal operations of the S-box at the beginning of round 9.
The square Euclidean Imbalance (SEI) of the data distribution
with the correct key and the maximum SEI of incorrect key
candidates versus the size of data samples is shown in Fig. 11.
We observe that there is always an incorrect key with a larger
bias than the correct key, irrespective of the size of data
samples used. Hence, the correct key is indistinguishable using
the distribution of correct values under fault injection.
Figure 11. Comparing SEI of the correct key with maximum SEI of incorrect
key candidates versus the number of correct ciphertexts in RS-Mask.
Figure 12. Comparing SEI of the correct key with maximum SEI of incorrect
key candidates versus the number of correct ciphertexts in TI implementation.
For comparison, the SIFA attack is also deployed on the TI
implementation of AES. The SEI of the correct key and the
max SEI of incorrect key candidates versus the size of data
samples are compared in Fig. 12. After collecting almost 2000
correct ciphertexts, the SEI of the correct key is always larger than
that of all incorrect key candidates, which denotes a key recovery.
VIII. CONCLUSION AND FUTURE WORK
We proposed random space masking (RS-Mask) as an inte-
grated countermeasure against both power and fault analysis.
All sensitive variables in the RS-Mask assume a uniform
distribution even under fault injection. We proved that the pro-
posed scheme provides security against statistical fault anal-
ysis techniques that observe the distribution of intermediate
variables. The security of the scheme against power analysis
is based on the guarantees of threshold implementations (TI).
We implemented the RS-Mask scheme for the AES algorithm
on an FPGA with 10 pipeline stages, and showed that the area
of the design with three shares is around 3.5× an unprotected
AES and 2× a TI implementation. We employed a SIFA attack
on RS-Mask which was unable to detect the correct key. In
future work, we will further implement infective RS-Mask
to demonstrate its robustness to all differential fault analysis
techniques with a slight increase in overhead.
ACKNOWLEDGEMENT
This work was supported by NIST award 70NANB18H219
for Lightweight Cryptography in Hardware and Embedded
Systems.
REFERENCES
[1] P. Kocher, J. Jaffe, and B. Jun, “Differential power analysis,” in Annual
International Cryptology Conference. Springer, 1999, pp. 388–397.
[2] H. J. Mahanta, A. K. Azad, and A. K. Khan, “Power analysis attack: A
vulnerability to smart card security,” in 2015 International Conference
on Signal Processing and Communication Engineering Systems. IEEE,
2015, pp. 506–510.
[3] T. Fabšič, O. Gallo, and V. Hromada, “Simple power analysis attack on
the QC-LDPC McEliece cryptosystem,” Tatra Mountains Mathematical
Publications, vol. 67, no. 1, pp. 85–92, 2016.
[4] A. Chakraborty, A. Mondal, and A. Srivastava, “Correlation Power
Analysis Attack against STT-MRAM Based Cyptosystems.” IACR Cryp-
tology ePrint Archive, vol. 2017, p. 413, 2017.
[5] C. Luo, Y. Fei, L. Zhang, A. A. Ding, P. Luo, S. Mukherjee, and
D. Kaeli, “Power analysis attack of an AES GPU implementation,”
Journal of Hardware and Systems Security, vol. 2, no. 1, pp. 69–82,
2018.
[6] E. Brier, C. Clavier, and F. Olivier, “Correlation power analysis with a
leakage model,” in International Workshop on Cryptographic Hardware
and Embedded Systems. Springer, 2004, pp. 16–29.
[7] J.-S. Coron, P. Kocher, and D. Naccache, “Statistics and secret leakage,”
in International Conference on Financial Cryptography. Springer, 2000,
pp. 157–173.
[8] H. Li, K. Wu, B. Peng, Y. Zhang, X. Zheng, and F. Yu, “Enhanced
correlation power analysis attack on smart card,” in 2008 The 9th
International Conference for Young Computer Scientists. IEEE, 2008,
pp. 2143–2148.
[9] S. Mangard, N. Pramstaller, and E. Oswald, “Successfully attacking
masked aes hardware implementations,” in International Workshop on
Cryptographic Hardware and Embedded Systems. Springer, 2005, pp.
157–171.
[10] B. Timon, “Non-profiled deep learning-based side-channel attacks with
sensitivity analysis,” IACR Transactions on Cryptographic Hardware
and Embedded Systems, pp. 107–131, 2019.
[11] B. Gierlichs, L. Batina, P. Tuyls, and B. Preneel, “Mutual information
analysis,” in International Workshop on Cryptographic Hardware and
Embedded Systems. Springer, 2008, pp. 426–442.
[12] O. Choudary and M. G. Kuhn, “Efficient template attacks,” in Interna-
tional Conference on Smart Card Research and Advanced Applications.
Springer, 2013, pp. 253–270.
[13] B. Robisson and P. Manet, “Differential behavioral analysis,” in Interna-
tional Workshop on Cryptographic Hardware and Embedded Systems.
Springer, 2007, pp. 413–426.
[14] Y. Liu, X. Cui, J. Cao, and X. Zhang, “A hybrid fault model for
differential fault attack on AES,” in 2017 IEEE 12th International
Conference on ASIC (ASICON). IEEE, 2017, pp. 784–787.
[15] W. Li, W. Zhang, D. Gu, Y. Cao, Z. Tao, Z. Zhou, Y. Liu, and
Z. Liu, “Impossible differential fault analysis on the LED lightweight
cryptosystem in the vehicular ad-hoc networks,” IEEE Transactions on
Dependable and Secure Computing, vol. 13, no. 1, pp. 84–92, 2016.
[16] A. Siddhanti, S. Sarkar, S. Maitra, and A. Chattopadhyay, “Differential
fault attack on grain v1, acorn v3 and lizard,” in International Con-
ference on Security, Privacy, and Applied Cryptography Engineering.
Springer, 2017, pp. 247–263.
[17] Y. Li, K. Sakiyama, S. Gomisawa, T. Fukunaga, J. Takahashi, and
K. Ohta, “Fault Sensitivity Analysis,” in International Workshop on
Cryptographic Hardware and Embedded Systems. Springer, 2010, pp.
320–334.
[18] N. F. Ghalaty, B. Yuce, M. Taha, and P. Schaumont, “Differential Fault
Intensity Analysis,” in Fault Diagnosis and Tolerance in Cryptography
(FDTC), 2014 Workshop on. IEEE, 2014, pp. 49–58.
[19] W. Li, L. Liao, D. Gu, C. Li, C. Ge, Z. Guo, Y. Liu, and Z. Liu,
“Ciphertext-only Fault Analysis on the LED Lightweight Cryptosystem
in the Internet of Things,” IEEE Transactions on Dependable and Secure
Computing, 2018.
[20] K. Ramezanpour, P. Ampadu, and W. Diehl, “FIMA: Fault intensity
map analysis,” in International Workshop on Constructive Side-Channel
Analysis and Secure Design. Springer, 2019, pp. 63–79.
[21] C. Dobraunig, M. Eichlseder, T. Korak, S. Mangard, F. Mendel, and
R. Primas, “SIFA: Exploiting Ineffective Fault Inductions on Symmetric
Cryptography,” IACR Transactions on Cryptographic Hardware and
Embedded Systems, pp. 547–572, 2018.
[22] C. Dobraunig, M. Eichlseder, T. Korak, V. Lomné, and F. Mendel, “Sta-
tistical fault attacks on nonce-based authenticated encryption schemes,”
in International Conference on the Theory and Application of Cryptology
and Information Security. Springer, 2016, pp. 369–395.
[23] N. Moro, A. Dehbaoui, K. Heydemann, B. Robisson, and E. Encrenaz,
“Electromagnetic fault injection: towards a fault model on a 32-bit
microcontroller,” in 2013 Workshop on Fault Diagnosis and Tolerance
in Cryptography. IEEE, 2013, pp. 77–88.
[24] T. Korak and M. Hoefler, “On the effects of clock and power supply
tampering on two microcontroller platforms,” in 2014 Workshop on Fault
Diagnosis and Tolerance in Cryptography. IEEE, 2014, pp. 8–17.
[25] B. Yuce, N. F. Ghalaty, H. Santapuri, C. Deshpande, C. Patrick, and
P. Schaumont, “Software fault resistance is futile: Effective single-
glitch attacks,” in 2016 Workshop on Fault Diagnosis and Tolerance
in Cryptography (FDTC). IEEE, 2016, pp. 47–58.
[26] C. Dobraunig, M. Eichlseder, H. Gross, S. Mangard, F. Mendel, and
R. Primas, “Statistical ineffective fault attacks on masked AES with
fault countermeasures,” in International Conference on the Theory and
Application of Cryptology and Information Security. Springer, 2018,
pp. 315–342.
[27] E. Prouff and T. Roche, “Higher-order glitches free implementation of
the AES using secure multi-party computation protocols,” in Interna-
tional Workshop on Cryptographic Hardware and Embedded Systems.
Springer, 2011, pp. 63–78.
[28] T. De Cnudde, B. Bilgin, O. Reparaz, V. Nikov, and S. Nikova, “Higher-
order threshold implementation of the AES S-box,” in International Con-
ference on Smart Card Research and Advanced Applications. Springer,
2015, pp. 259–272.
[29] A. Moradi, A. Poschmann, S. Ling, C. Paar, and H. Wang, “Pushing
the limits: a very compact and a threshold implementation of AES,”
in Annual International Conference on the Theory and Applications of
Cryptographic Techniques. Springer, 2011, pp. 69–88.
[30] C.-Y. Lee and J. Xie, “High capability and low-complexity: Novel fault
detection scheme for finite field multipliers over GF(2^m) based on
mspb,” in 2019 IEEE International Symposium on Hardware Oriented
Security and Trust (HOST). IEEE, 2019, pp. 21–30.
[31] M. M. Kermani, A. Jalali, R. Azarderakhsh, J. Xie, and K.-K. R. Choo,
“Reliable inversion in GF(2^8) with redundant arithmetic for secure
error detection of cryptographic architectures,” IEEE Transactions on
Computer-Aided Design of Integrated Circuits and Systems, vol. 37,
no. 3, pp. 696–704, 2017.
[32] M. Mozaffari-Kermani, K. Tian, R. Azarderakhsh, and S. Bayat-
Sarmadi, “Fault-resilient lightweight cryptographic block ciphers for
secure embedded systems,” IEEE Embedded Systems Letters, vol. 6,
no. 4, pp. 89–92, 2014.
[33] T. G. Malkin, F.-X. Standaert, and M. Yung, “A comparative
cost/security analysis of fault attack countermeasures,” in International
Workshop on Fault Diagnosis and Tolerance in Cryptography. Springer,
2006, pp. 159–172.
[34] S. Patranabis, A. Chakraborty, D. Mukhopadhyay, and P. P. Chakrabarti,
“Fault space transformation: A generic approach to counter differential
fault analysis and differential fault intensity analysis on aes-like block
ciphers,” IEEE Transactions on Information Forensics and Security,
vol. 12, no. 5, pp. 1092–1102, 2016.
[35] T. Schneider, A. Moradi, and T. Güneysu, “ParTI: towards combined
hardware countermeasures against side-channel and fault-injection at-
tacks,” in Annual International Cryptology Conference. Springer, 2016,
pp. 302–332.
[36] J. Dofe, H. Pahlevanzadeh, and Q. Yu, “A comprehensive fpga-based
assessment on fault-resistant aes against correlation power analysis
attack,” Journal of Electronic Testing, vol. 32, no. 5, pp. 611–624, 2016.
[37] O. Reparaz, L. De Meyer, B. Bilgin, V. Arribas, S. Nikova, V. Nikov, and
N. Smart, “Capa: the spirit of beaver against physical attacks,” in Annual
International Cryptology Conference. Springer, 2018, pp. 121–151.
[38] S. Patranabis, D. B. Roy, A. Chakraborty, N. Nagar, A. Singh,
D. Mukhopadhyay, and S. Ghosh, “Lightweight design-for-security
strategies for combined countermeasures against side channel and fault
analysis in iot applications,” Journal of Hardware and Systems Security,
vol. 3, no. 2, pp. 103–131, 2019.
[39] G. Li, V. Iyer, and M. Orshansky, “Securing AES against Localized
EM Attacks through Spatial Randomization of Dataflow,” in 2019 IEEE
International Symposium on Hardware Oriented Security and Trust
(HOST). IEEE, 2019, pp. 191–197.
[40] B. Wang, L. Liu, C. Deng, M. Zhu, S. Yin, and S. Wei, “Against double
fault attacks: injection effort model, space and time randomization
based countermeasures for reconfigurable array architecture,” IEEE
Transactions on Information Forensics and Security, vol. 11, no. 6, pp.
1151–1164, 2016.
[41] S. Picek, A. Heuser, A. Jovic, S. A. Ludwig, S. Guilley, D. Jakobovic,
and N. Mentens, “Side-channel analysis and machine learning: A
practical perspective,” in 2017 International Joint Conference on Neural
Networks (IJCNN). IEEE, 2017, pp. 4095–4102.
[42] B. Hettwer, S. Gehrer, and T. Güneysu, “Applications of machine
learning techniques in side-channel attacks: a survey,” Journal of Cryp-
tographic Engineering, pp. 1–28, 2019.
[43] F. Regazzoni, T. Eisenbarth, J. Grobschadl, L. Breveglieri, P. Ienne,
I. Koren, and C. Paar, “Power attacks resistance of cryptographic s-
boxes with added error detection circuits,” in 22nd IEEE International
Symposium on Defect and Fault-Tolerance in VLSI Systems (DFT 2007).
IEEE, 2007, pp. 508–516.
[44] F. Regazzoni, T. Eisenbarth, L. Breveglieri, P. Ienne, and I. Koren,
“Can knowledge regarding the presence of countermeasures against
fault attacks simplify power attacks on cryptographic devices?” in 2008
IEEE International Symposium on Defect and Fault Tolerance of VLSI
Systems. IEEE, 2008, pp. 202–210.
[45] L. De Meyer, V. Arribas, S. Nikova, V. Nikov, and V. Rijmen, “M&m:
Masks and macs against physical attacks,” IACR Transactions on Cryp-
tographic Hardware and Embedded Systems, pp. 25–50, 2019.
[46] J. Breier, M. Khairallah, X. Hou, and Y. Liu, “A Countermeasure Against
Statistical Ineffective Fault Analysis,” Cryptology ePrint Archive, Report
2019/515, 2019, https://eprint.iacr.org/2019/515.
[47] J. Daemen, C. Dobraunig, M. Eichlseder, H. Gross, F. Mendel, and
R. Primas, “Protecting against Statistical Ineffective Fault Attacks,”
Cryptology ePrint Archive, Report 2019/536, 2019, https://eprint.iacr.
org/2019/536.
[48] J. Bringer, C. Carlet, H. Chabanne, S. Guilley, and H. Maghrebi,
“Orthogonal direct sum masking,” in IFIP International Workshop on
Information Security Theory and Practice. Springer, 2014, pp. 40–56.
[49] G. Barbu and A. Battistello, “Analysis of a code-based countermeasure
against side-channel and fault attacks,” in IFIP International Conference
on Information Security Theory and Practice. Springer, 2016, pp. 153–
168.
[50] D. Canright, “A Very Compact Rijndael S-box,” Defense Technical In-
formation Center, 2005, https://apps.dtic.mil/docs/citations/ADA434781.
[51] S. Nikova, C. Rechberger, and V. Rijmen, “Threshold implementations
against side-channel attacks and glitches,” in International conference
on information and communications security. Springer, 2006, pp. 529–
545.
[52] F. Farahmand, A. Ferozpuri, W. Diehl, and K. Gaj, “Minerva: Auto-
mated hardware optimization tool,” in 2017 International Conference
on ReConFigurable Computing and FPGAs (ReConFig). IEEE, 2017,
pp. 1–8.
[53] CERG, “Source Code for AES-GCM (RTL VHDL) AES-GCM v2.0,”
GMU Source Code, 2018, https://cryptography.gmu.edu/athena/index.
php?id=CAESAR source codes.
[54] R. Lashermes, G. Reymond, J.-M. Dutertre, J. Fournier, B. Robisson,
and A. Tria, “A dfa on aes based on the entropy of error distributions,”
in 2012 Workshop on Fault Diagnosis and Tolerance in Cryptography.
IEEE, 2012, pp. 34–43.
[55] CERG, “Flexible Open-source workBench fOr Side-channel analysis (FOBOS),” October 2016. [Online]. Available: https://cryptography.gmu.edu/fobos/
