Authenticated ciphers are designed to provide two security requirements simultaneously, i.e. confidentiality and integrity. The CAESAR competition ended by selecting six authenticated ciphers as winners for several application areas. The OCB and COLM authenticated ciphers are two AES-based winners, for high-speed and defense-in-depth applications respectively. As with the implementation of any other cryptographic algorithm, unprotected implementations of these ciphers can be vulnerable to side-channel attacks, especially differential power analysis (DPA). In this work, OCB and COLM are first implemented on the FPGA of a SAKURA-G board, and their vulnerability is shown by detecting power leakage with a t-test over the power traces. Then first-order protected versions of these ciphers are presented using two masking schemes, threshold implementation (TI) and domain-oriented masking (DOM). To verify these countermeasures, first- and second-order t-tests are conducted, which indicate the resistance of the protected schemes to first-order DPA attacks. Finally, the protected and unprotected hardware implementations of both ciphers on FPGA are benchmarked in terms of area, maximum frequency, and throughput, and the ratios of increased area and decreased throughput relative to the unprotected ciphers are compared with previous works.
I. INTRODUCTION
Authenticated encryption (AE) provides two security objectives simultaneously, i.e. confidentiality and integrity of the plaintext. The most important reason to use these ciphers is to prevent message forgery: by adding an authentication service to the message, a received ciphertext is not accepted as is but is first verified to check whether it has been manipulated or forged. A large number of applications and protocols need both services simultaneously. Until recently, these two services were provided separately. Unfortunately, the traditional methods of designing an AE scheme are inefficient because they need two passes and two separate keys. Motivated by the CAESAR competition, several new AE schemes based on block ciphers, stream ciphers, permutations, or dedicated designs have been proposed in the literature (in January 2013, the CAESAR competition for the design of AE ciphers began with the support of NIST, with two objectives: widespread applicability and superiority over GCM). In block-cipher-based AE schemes, an off-the-shelf block cipher such as AES is used as a black box in a particular mode. For example, the SP800-38C standard [1] specifies CCM (Counter with CBC-MAC) [2] with AES. For high-performance applications, the SP800-38D standard [3] specifies GCM (Galois/Counter Mode). Currently, these two schemes are widely used, but unfortunately neither of them is both efficient and multi-purpose [4].
The associate editor coordinating the review of this manuscript and approving it for publication was Rakesh Matam.
In 2019, the CAESAR competition ended with six winners in three use cases. Cryptographic algorithms selected through such a competition and evaluated publicly are usually resistant to known statistical attacks, yet an unprotected hardware implementation may still be vulnerable to side-channel attacks. Hence, protecting the equipment that implements cryptographic algorithms against side-channel attacks is an important issue. These attacks use computation time, power consumption, or electromagnetic radiation to extract sensitive information such as keys. One of the major kinds of side-channel attack is the differential power analysis (DPA) attack [5] and its improved variant, the correlation power analysis (CPA) attack [6]. Several techniques have been suggested to protect the hardware [7]-[15]; they are classified into two groups, hiding and masking [8]. Masking schemes have received much attention in the literature: by randomizing the intermediate values, the power consumption becomes statistically independent of the secret values being processed, up to the protection order.
VOLUME 7, 2019. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see http://creativecommons.org/licenses/by/4.0/
In this paper, we consider the security analysis of two CAESAR winners, i.e., OCB [16] and COLM [17] against differential power analysis and also provide the required countermeasures.
A. CONTRIBUTION
The OCB [16] and COLM [17] ciphers are the only CAESAR winners that use full-round AES as their primitive. Although no security vulnerabilities have been reported for these ciphers, their vulnerability to power analysis should be investigated. As the inputs and outputs of AES in these ciphers are masked with offset values, a power analysis attack is not trivial and is a challenging task. Hence, our primary aim is to show the vulnerability of these ciphers to side-channel attacks; key recovery is not considered in this work. This can be investigated with leakage detection methods such as the t-test. Therefore, in this research the unprotected versions of these ciphers are implemented on FPGA and a t-test is conducted. In the proposed protected architectures, the non-linear part, i.e., the AES S-box, is protected with the TI masking scheme using hybrid 2-/3 shares and with the DOM masking scheme using two shares, and all linear parts are replicated as many times as the number of shares. The power leakage is then investigated with first- and second-order t-tests. Finally, the protection costs are calculated and compared with others.
B. ORGANIZATION
The rest of the paper is organized as follows: Section II is associated with the literature review, including masking schemes, description of OCB and COLM ciphers, power leakage assessment, and related works. In Section III, the protected version of OCB and COLM schemes are presented and implemented with an 8-bit architecture in hardware. The experimental results of power leakage on protected and unprotected OCB and COLM and the cost of protecting them are reported in Section IV. The conclusion and suggestions for further research are presented in Section V.
II. BACKGROUND INFORMATION
In this section, the two masking schemes, leakage assessment, the OCB and COLM cipher specifications, and related work on protecting the winners of the CAESAR competition against side-channel attacks are described.
A. MASKING SCHEMES
A masking scheme is a secret sharing scheme that splits sensitive values into shares and defines the secure operations on those shares as a multi-party computation (MPC). Boolean masking uses the XOR operator between shares: a sensitive value $x \in GF(2^m)$ is broken down into $d+1$ shares $(x_1, \dots, x_{d+1})$ such that $x = \bigoplus_{i=1}^{d+1} x_i$. Masking schemes can be implemented in software or hardware. In hardware, physical effects such as glitches violate the independence assumption that secure masking requires. Therefore, efforts began to design glitch-resistant schemes.
1) THRESHOLD IMPLEMENTATION (TI)
One of the glitch-resistant approaches is TI [9], which is algorithmically simple and resistant to first-order DPA attacks. If the number of shares is denoted by $s$, the lower bound on the number of input and output shares is a function of the required security order $d$ and the algebraic degree $t$ of the non-linear function, given by Equation (1) [10]: $s \ge td + 1$.
A TI scheme is secure if the three properties correctness, non-completeness, and uniformity are satisfied, as follows:
Correctness: suppose a TI representation of the function $y = F(x)$ is intended, where $\bar{x} = (x_1, \dots, x_s)$ is the shared representation of the input $x$ with $s$ shares such that $x = \bigoplus_{i=1}^{s} x_i$; then for the output shares $\bar{y} = (y_1, \dots, y_n)$ we require $y = \bigoplus_{i=1}^{n} y_i$. For this purpose, component functions $f_i(\bar{x}) = y_i$, $i \in \{1, \dots, n\}$, are used to compute $F$. Finding these component functions is not easy when $F$ is non-linear.
Non-completeness: the function $F$ is $d$-th order non-complete if every combination of up to $d$ component functions $f_i$ is independent of at least one input share $x_j$, where $d$ is the security order.
Uniformity: the security of a Boolean masking scheme relies on the uniform distribution of the shares and masks. If the input of a TI function is shared uniformly, its output should be a uniform sharing as well, because the output of a non-linear function such as an S-box is the input of the next function (e.g., the next round of the cipher). Hence, over all possible input sharings $X = \{\bar{x} \mid \bigoplus_{i=1}^{s} x_i = x\}$, the output sharings $\{(f_1(\bar{x}), \dots, f_n(\bar{x})) \mid \bar{x} \in X\}$ should be distributed uniformly over $Y = \{\bar{y} \mid \bigoplus_{i=1}^{n} y_i = y\}$, the set of all sharings of $y = F(x)$. Providing uniformity for non-linear functions, especially those of high algebraic degree, is a challenge for this structure. One solution is re-masking with uniform fresh randomness when the output of the component functions is non-uniform [8], [10]; this randomness is produced by a pseudo-random number generator (PRNG). For example, for a TI version of the multiplication $z = xy$ in $GF(2^m)$, the products $x_i y_j$ for $i, j \in \{1, 2, \dots, d+1\}$ are computed, i.e. $(d+1)^2$ partial products, which must then be compressed securely into the output shares. The first-order TI of this multiplication, with $t = 2$, $d = 1$, $s_{in} = s_{out} = 3$ and $r = 2$ fresh random bits, is given by Equation (2) [8].
FIGURE 1. First-order DOM-secure AND gate [14].
Note that three shares are used to achieve first-order security, and uniformity is obtained by adding two fresh random bits $r_1$ and $r_2$.
2) DOMAIN-ORIENTED MASKING (DOM)
Another masking scheme that provides the same level of security as TI while requiring less area and randomness is domain-oriented masking (DOM). DOM also scales easily to arbitrary protection orders for any circuit. DOM is based on distributing the shares over $d+1$ domains such that the shares in each domain are independent of the other domains. For cross-domain computations, fresh randomness is added to make these terms independent, and registers are placed between domains to stop glitches from propagating. For example, the first-order secure AND gate is computed in the three stages of calculation, resharing, and integration shown in Fig. 1. Compared to TI, the number of shares is reduced from $td+1$ to $d+1$ for $d$-th order security, and the number of fresh random bits from $(d+1)^2$ to $d(d+1)/2$, at the cost of extra clock cycles.
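As an added example serving both the TI multiplication above and the DOM AND gate of Fig. 1 (it is a software model written for this page, not the paper's hardware or its Equation (2)), the following Python code implements a first-order 3-share TI AND gate with two fresh random bits and a 2-share DOM AND gate with one fresh bit over single bits, and then checks correctness, uniformity, and first-order non-completeness exhaustively. The share-to-component assignment of the TI gadget is the standard one and is an assumption of this example.

```python
"""Bit-level models of a 3-share TI AND gate and a 2-share DOM AND gate,
with exhaustive checks of the TI properties. Added example, not the
paper's code; the TI share assignment below is an assumption."""
from itertools import product


def ti_and(x, y, r):
    """3-share TI of z = x & y.
    x, y: 3-tuples of bits with x1^x2^x3 = x; r: (r1, r2) fresh random bits.
    Each component reads only two of the three share indices (first-order
    non-completeness); r1, r2 re-mask the outputs so the sharing is uniform."""
    x1, x2, x3 = x
    y1, y2, y3 = y
    r1, r2 = r
    z1 = (x1 & y1) ^ (x1 & y2) ^ (x2 & y1) ^ r1        # uses shares 1, 2
    z2 = (x2 & y2) ^ (x2 & y3) ^ (x3 & y2) ^ r2        # uses shares 2, 3
    z3 = (x3 & y3) ^ (x3 & y1) ^ (x1 & y3) ^ r1 ^ r2   # uses shares 3, 1
    return (z1, z2, z3)


def dom_and(x, y, r):
    """2-share DOM AND gate of Fig. 1: calculation, resharing, integration.
    x = (a_x, b_x), y = (a_y, b_y); r = (z,) holds the single fresh bit."""
    ax, bx = x
    ay, by = y
    (z,) = r
    aa, ab, ba, bb = ax & ay, ax & by, bx & ay, bx & by   # calculation
    ab_r, ba_r = ab ^ z, ba ^ z                            # resharing
    # In hardware a register sits here so that glitches in the cross-domain
    # terms cannot reach the other domain before they are blinded.
    return (aa ^ ab_r, bb ^ ba_r)                          # integration


def sharings(v, n):
    """All n-share Boolean sharings of the single bit v."""
    return [s for s in product((0, 1), repeat=n) if sum(s) % 2 == v]


def correct_and_uniform(gadget, n_shares, n_rand):
    """Exhaustively check correctness (output shares XOR to x & y) and
    uniformity (every valid output sharing of z occurs equally often over
    all input sharings and fresh bits). Returns (correct, uniform)."""
    correct = uniform = True
    for x, y in product((0, 1), repeat=2):
        counts = {}
        for xs, ys, r in product(sharings(x, n_shares), sharings(y, n_shares),
                                 product((0, 1), repeat=n_rand)):
            zs = gadget(xs, ys, r)
            if sum(zs) % 2 != (x & y):
                correct = False
            counts[zs] = counts.get(zs, 0) + 1
        if len(counts) != 2 ** (n_shares - 1) or len(set(counts.values())) != 1:
            uniform = False
    return correct, uniform


def noncomplete(gadget, n_shares, n_rand):
    """First-order non-completeness: every output component must be
    independent of at least one share index j (both x_j and y_j)."""
    allv = list(product((0, 1), repeat=n_shares))
    rands = list(product((0, 1), repeat=n_rand))
    for comp in range(n_shares):
        for j in range(n_shares):
            depends = False
            for xs, ys, r in product(allv, allv, rands):
                base = gadget(xs, ys, r)[comp]
                xf = xs[:j] + (xs[j] ^ 1,) + xs[j + 1:]
                yf = ys[:j] + (ys[j] ^ 1,) + ys[j + 1:]
                if gadget(xf, ys, r)[comp] != base or gadget(xs, yf, r)[comp] != base:
                    depends = True
                    break
            if not depends:
                break            # component `comp` ignores share index j
        else:
            return False         # no such j exists for this component
    return True


if __name__ == "__main__":
    print("TI  (3 shares, 2 fresh bits): correct/uniform =",
          correct_and_uniform(ti_and, 3, 2), "non-complete =", noncomplete(ti_and, 3, 2))
    print("DOM (2 shares, 1 fresh bit):  correct/uniform =",
          correct_and_uniform(dom_and, 2, 1), "non-complete =", noncomplete(dom_and, 2, 1))
```

The checks confirm the point made above: the TI gadget is non-complete by construction and uniform thanks to the re-masking bits r1 and r2, whereas the DOM gadget is correct and uniform with a single fresh bit but is not non-complete in the TI sense; its glitch resistance instead comes from the register between the resharing and integration stages, which a bit-level model cannot capture.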
B. POWER LEAKAGE EVALUATION
Differential power analysis (DPA) compares the measured power with the power predicted for each key guess under a power model. Choosing a proper power model, however, is difficult and time-consuming and requires knowledge of the underlying architecture. In recent years, a power leakage assessment method has been proposed in [18], and further described in [19], that uses Welch's t-test to distinguish two distributions. Unlike DPA, this test is independent of the underlying leakage model, but it does not lead to key recovery. After enough traces have been collected, they are divided into two sets according to an intermediate value. The first-order t-test, which compares the first statistical moment, computes the t-statistic of Equation (3):
$$t = \frac{\mu_0 - \mu_1}{\sqrt{\frac{s_0^2}{n_0} + \frac{s_1^2}{n_1}}}$$
where $\mu_0$ and $\mu_1$ are the means of the two distributions $Q_0$ and $Q_1$, $s_0$ and $s_1$ are their standard deviations, and $n_0$ and $n_1$ are the numbers of samples in each set. The null hypothesis is that both sets are drawn from one distribution and cannot be distinguished. The threshold $|t| > 4.5$ rejects the null hypothesis with a confidence of 99.999%; in that case the two sets have different distributions, so the power consumption is statistically dependent on the intermediate values being processed. The non-specific t-test detects leakage without mounting an actual attack: one set is recorded with a constant input D (e.g., the plaintext, AD, or Npub) and the other with random inputs, and whether a given measurement uses the constant or a random input is itself chosen at random. According to [19], successive inputs are derived as in Equation (4),
where the random bit corresponds to a coin toss selecting the input. For a first-order protected scheme, the variables are represented with two shares, so the constant input (INPUT) is also broken down into two shares (Equation (5)),
and the next inputs are then derived as in [19],
where $r$ is the random mask value. Higher-order t-tests evaluate the leakage of masked schemes on preprocessed traces, which requires estimating the variance of the preprocessed traces. For the second-order t-test, each trace is first converted to its mean-free square, $Y = (X - \mu)^2$, and the variance of $Y$ is then estimated as in [19] (Equation (6)).
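As an added example (not the paper's MATLAB code), the following Python script implements the non-specific fixed-vs-random Welch t-test of Equation (3) together with the mean-free-squared preprocessing of the second-order test, and runs both on constructed traces. The traces are synthetic: one sample of each trace carries a noisy Hamming-weight leakage of an 8-bit intermediate (the unmasked value, or both shares of a 2-share masked value leaking in the same sample), and the leakage model, noise level, trace count and the fixed input 0x01 are all assumptions of this example; the test itself requires no leakage model.

```python
"""Non-specific (fixed-vs-random) Welch t-test, first and second order,
on constructed traces. Added example; the synthetic leakage model is an
assumption, the test procedure follows the description in the text."""
import math
import random

T_THRESHOLD = 4.5   # |t| above this rejects the null hypothesis at 99.999%


def welch_t(a, b):
    """Welch's t-statistic of Equation (3) for two lists of samples."""
    n0, n1 = len(a), len(b)
    mu0, mu1 = sum(a) / n0, sum(b) / n1
    s0sq = sum((v - mu0) ** 2 for v in a) / (n0 - 1)
    s1sq = sum((v - mu1) ** 2 for v in b) / (n1 - 1)
    denom = math.sqrt(s0sq / n0 + s1sq / n1)
    return (mu0 - mu1) / denom if denom > 0 else 0.0


def preprocess(traces, order):
    """Order 1: raw traces. Order 2: mean-free squared traces Y = (X - mu)^2,
    centred per sample point with the mean of the set the trace belongs to."""
    if order == 1:
        return traces
    n_samples = len(traces[0])
    mu = [sum(tr[j] for tr in traces) / len(traces) for j in range(n_samples)]
    return [[(tr[j] - mu[j]) ** 2 for j in range(n_samples)] for tr in traces]


def ttest_traces(fixed, rnd, order=1):
    """Non-specific t-test: one t value per sample point."""
    f, r = preprocess(fixed, order), preprocess(rnd, order)
    return [welch_t([tr[j] for tr in f], [tr[j] for tr in r])
            for j in range(len(f[0]))]


def hamming_weight(b):
    return bin(b & 0xFF).count("1")


def collect(rng, n_traces, fixed_input, masked, n_samples=8, leak_idx=3, sigma=1.0):
    """Constructed traces (assumption of this example): every sample is
    Gaussian noise; sample `leak_idx` additionally carries the Hamming weight
    of the processed intermediate. A coin toss per trace selects the fixed
    or a random input, as in the procedure described in the text."""
    fixed, rnd = [], []
    for _ in range(n_traces):
        use_fixed = rng.random() < 0.5
        v = fixed_input if use_fixed else rng.randrange(256)
        if masked:
            m = rng.randrange(256)                               # fresh mask r
            leak = hamming_weight(m) + hamming_weight(m ^ v)     # both shares leak at once
        else:
            leak = hamming_weight(v)
        trace = [rng.gauss(0.0, sigma) for _ in range(n_samples)]
        trace[leak_idx] += leak
        (fixed if use_fixed else rnd).append(trace)
    return fixed, rnd


def assess(masked, n_traces=10000, fixed_input=0x01, seed=1):
    """Return (max |t| at first order, max |t| at second order) over all samples."""
    rng = random.Random(seed)
    fixed, rnd = collect(rng, n_traces, fixed_input, masked)
    t1 = ttest_traces(fixed, rnd, order=1)
    t2 = ttest_traces(fixed, rnd, order=2)
    return max(abs(t) for t in t1), max(abs(t) for t in t2)


def leaks(max_abs_t):
    """Leakage is reported when any sample point crosses the 4.5 threshold."""
    return max_abs_t > T_THRESHOLD


if __name__ == "__main__":
    for masked in (False, True):
        t1, t2 = assess(masked)
        print(f"masked={masked}: max|t| order1={t1:.1f} leak={leaks(t1)}, "
              f"order2={t2:.1f} leak={leaks(t2)}")
```

Running it reproduces the pattern reported later in Section IV: the unmasked traces fail the first-order test, while the masked traces pass the first-order test but fail the second-order one, because both shares leak in the same sample and the variance of that sample depends on the processed value even though its mean does not.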
C. RELATED WORKS
So far, scant studies have been conducted on protecting CAESAR competition schemes against side-channel attacks; they are tabulated in Tab. 1. In all of these studies, the vulnerability of the ciphers was shown with a DPA attack or a t-test, and most of them use TI masking as the protection method.
D. OCB AND COLM CIPHERS
Only the OCB [16] and COLM [17] ciphers use the full-round AES algorithm as their underlying block cipher. The numbers of AES calls and of multiplications in $GF(2^{128})$ in OCB are $3 + N_{|AD|} + N_{|M|}$ and $4 + N_{|AD|} + 2N_{|M|}$, respectively; in COLM they are $4 + N_{|AD|} + 2N_{|M|}$ and $21 + N_{|AD|} + 2N_{|M|}$, respectively ($N_{|AD|}$ and $N_{|M|}$ being the numbers of AD and plaintext blocks). In both ciphers, the inputs and outputs of AES are masked with offset values. In this study, we intend to show whether these ciphers are resistant against side-channel attacks.
1) OCB AUTHENTICATED CIPHER
Offset Codebook (OCB) is a block cipher mode of operation for authenticated encryption. Its initial version (OCB1) [29] was presented in 2001. Its current version (OCB3) was presented at FSE 2011 and standardized as RFC 7253 [16]; OCB3 was also selected as a CAESAR winner for high-performance applications. This cipher uses a tweakable block cipher structure, which makes power analysis attacks harder than on a bare block cipher. It supports key lengths of 128, 192, and 256 bits. The plaintext is processed in 128-bit blocks, producing 128-bit ciphertext blocks and a tag of 64, 96, or 128 bits. Fig. 3 shows the structure of OCB3; the top part of the figure shows the calculation of the offset (masking) values. The nonce N is 96 bits and is extended to a 128-bit block with 10*-padding. A new nonce value is generated for every encryption: if a nonce is reused under the same key, both the confidentiality and the authenticity of the scheme are compromised. The offset values are calculated as shown in Fig. 2.
According to Fig. 2, if N is a counter incremented by 1 for every new message, the Top and Ktop values change only once every 64 messages. The ciphertext is calculated from the plaintext as shown in Fig. 3. AD is processed in the bottom part of Fig. 3 and is used to calculate the final tag.
2) COLM AUTHENTICATED CIPHER
The COLM authenticated cipher [17] is a block cipher mode that uses the Encrypt-Linear mix-Encrypt structure. COLM uses a 128-bit key and 128-bit message blocks, with a 64-bit tag. The security level (as $\log_2$ of the number of AES calls) for confidentiality and integrity is 64 bits. $COLM_\tau$ refers to COLM with intermediate tags of period $\tau$; $COLM_0$ is recommended for the defense-in-depth scenario. COLM has linear mixing functions $\rho$ and $\rho^{-1}$, defined in Equation (7),
where $x, st \in \{0,1\}^{128}$ and $y, st' \in \{0,1\}^{128}$. The mask values are calculated as shown in Fig. 4. The tagged ciphertext is computed from the padded plaintext and the IV. Decryption follows the same structure as encryption, and verification succeeds if $C[m+1] = C'[m+1]$. $COLM_0$ is depicted in Fig. 5. The stages of COLM are the generation of the subkey L, the IV, the tagged ciphertext, decryption, and verification.
III. PROTECTED ARCHITECTURES
A review of the previous studies in Section II-C showed that no protection scheme has so far been proposed for OCB and COLM. Additionally, most CAESAR candidates have been protected with the TI method. Therefore, in this section, hardware architectures based on the TI and DOM masking schemes are proposed to protect them against first-order DPA attacks. As mentioned in Section II-D, OCB and COLM use AES as their primitive together with several functions and multiplications in $GF(2^{128})$. The finite-field multiplications used in these ciphers are by the constant 2, which are linear operations [31]. AES itself consists of linear parts and the non-linear S-box. The linear parts are protected simply by replicating them once per share, whereas the non-linear parts (Section II-A) require more elaborate methods. Therefore, the protected AES based on the TI and DOM masking schemes is presented next.
A. PROTECTED AES
Several architectures have been proposed to protect AES against DPA attacks [8]-[14], [32], all based on the TI or DOM masking scheme. Protecting the S-box, the non-linear part of AES, is the most complicated and sensitive task. The algebraic degree of the AES S-box is seven, so sharing it directly would need at least 8 shares, which is not feasible. Since the AES S-box is equivalent, up to an affine transformation, to inversion in $GF(2^8)$, it is usually implemented in combinational logic following Canright's architecture [33]: the inversion in $GF(2^8)$ is expressed as operations in $GF(2^4)$, namely three multiplications, a square-scaler, and an inversion in $GF(2^4)$. In $GF(2^4)$ with a normal basis, each multiplication needs three $GF(2^2)$ multipliers, the square-scaler consists of wiring and XORs, and the inversion requires three $GF(2^2)$ multipliers.
1) TI PROTECTED S-BOX ARCHITECTURE
The $GF(2^n)$ multipliers, the non-linear part of the S-box, do not satisfy the uniformity property because a multiplier is not a permutation; fresh random bits are therefore needed during the computation. The total number of required fresh random bits drives up the number of I/Os or the hardware area, so it is better to spread this requirement over several clock cycles. Protected S-boxes need a larger area and fresh random bits, and their long data path increases glitches. Therefore, to implement the protected AES, we use an 8-bit protected S-box based on [10] and [24], which follows the TI approach with hybrid 2-/3 shares, as shown in Fig. 6. The protected S-box has five pipeline stages, separated by dotted lines in Fig. 6. This architecture requires 16 fresh random bits to re-share from 2 to 3 shares and two fresh random bits per $GF(2^2)$ multiplier; in total, 40 fresh random bits are required per S-box per clock cycle.
2) DOM PROTECTED S-BOX ARCHITECTURE
The DOM-protected S-box is presented in [14] with two shares. Like the TI version, it uses the tower-field method to turn the S-box into operations in the subfield $GF(2^2)$. The main difference between the two schemes is the implementation of the $GF(2^n)$ multipliers, which in DOM are generalizations of the first-order secure AND gate described in Section II-A. The protected design, shown in Fig. 7, has a five-stage pipeline to increase throughput. In the first stage, the linear mapping takes the 8-bit input shares $A_x$ and $B_x$ and processes each within its own domain; two registers are placed after the linear transformation to avoid glitch propagation, and the $GF(2^4)$ multipliers receive their inputs from the linear mapping. In the second and third stages, glitches can occur due to the combination of square-scaler outputs and multiplication gates. The inputs of stage 4 are independent and so need no register. In the last stage, the linear mapping produces the S-box outputs, which are stored in the state or key registers or fed into the next S-box. The three $GF(2^4)$ multipliers need 12 fresh random bits and the $GF(2^4)$ inverter needs 6, so every S-box evaluation requires 18 fresh random bits.
FIGURE 7. First-order protected AES S-box using DOM masking scheme [14].
3) PROTECTED AES ARCHITECTURE
The protected AES with 8-bit architecture, implemented with a TI/DOM-protected S-box, is shown in Fig. 8. Using the masks $m_k$ and $m_d$, the key and the message are broken down into two shares, $k_1 = m_k$, $k_2 = m_k \oplus k$, $d_1 = m_d$ and $d_2 = m_d \oplus d$. Accordingly, the shares are stored in two data registers and two key registers, and two 32-bit MixColumns units are implemented. In the 10th round of AES, the output is available when the done signal becomes 1. Every block encryption of the DOM-protected AES needs 246 clock cycles, whereas the TI-protected one needs 205.
B. PROTECTED OCB ARCHITECTURE
The OCB cipher has several stages and functions, including the AES cipher, stretch, trunc, and multiplication in the field $GF(2^{128})$. The AD and plaintext/ciphertext blocks are processed with AES, and its output enters the next AES call after passing through the stretch, mul, and trunc functions; then the ciphertext/plaintext and the tag are generated. As each protected AES module consumes a large area, a single protected AES module has been implemented and is used serially. Fig. 9 shows the first-order protected 8-bit hardware architecture for OCB using the TI/DOM masking scheme. The only non-linear part of OCB is the AES S-box, which is protected with three shares in TI and two shares in DOM, so the same architecture serves both TI- and DOM-protected OCB with a different protected AES. Every linear part has been duplicated, once per share. The linear Mul and stretch functions are used to calculate the offset values and δ; Mul only requires multiplication by the constant 2 in $GF(2^{128})$. The register R stores these outputs, the checksum register $R_{checksum}$ keeps the running sum of the inputs, and the register $R_{Auth}$ stores the result of AD processing; the tag is finally computed from the latter two.
C. PROTECTED COLM ARCHITECTURE
As mentioned in Section II-D2, COLM has three stages: generation of L, the IV, and the tagged ciphertext. AES processes the AD and the plaintext/ciphertext, and its output enters the second AES call after passing through the function ρ; finally, the ciphertext/plaintext and the tag are generated. COLM consists of AES, the linear function ρ, the mask calculations, and several linear multiplications in $GF(2^{128})$. As for OCB, the same architecture is proposed for TI- and DOM-protected COLM with two different protected AES modules, and each linear unit has been duplicated, once per share. Fig. 10 shows the proposed first-order protected 8-bit hardware architecture for TI/DOM-protected COLM.
Generating the mask values requires multiplication by the constants 2, 3, 7 and 49 in $GF(2^{128})$. A general field multiplication is expensive, but multiplication by 2 (doubling) in this field reduces to a shift and a few XORs, and the other constants are derived from it: mul3(x) = mul2(x) ⊕ x; mul7(x) = mul3(mul2(x)) ⊕ x; mul49(x) = mul7(mul7(x)). Two 128-bit registers l and h store the outputs. The outputs of the function ρ are stored in two 128-bit registers $R_W$ and $R_Y$, respectively. Because the function ρ and the mask values must be computed simultaneously, mul2(x) is instantiated twice. The 128-bit register $R_T$ keeps the sum of the inputs for computing the tag.
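As an added example of the field arithmetic used by both the OCB offsets above and the COLM masks just described (it is not the paper's VHDL), the following Python code implements doubling in $GF(2^{128})$, derives mul3, mul7 and mul49 from it exactly as in the text, and checks them against a generic multiplier. The reduction polynomial $x^{128} + x^7 + x^2 + x + 1$ is the one RFC 7253 specifies for OCB3 and is assumed here for COLM as well; the OCB offset-table and per-block offset functions follow RFC 7253 (L_$ = 2·L_*, L_i = 2·L_{i-1}, Offset_i = Offset_{i-1} ⊕ L_{ntz(i)}), and the sample values are constructed. Note that "49" in the text means 7·7 computed in the field, i.e. the polynomial $(x^2+x+1)^2 = x^4+x^2+1$ (bit pattern 0x15), not the integer 49 (bit pattern $x^5+x^4+1$); the check below makes that explicit.

```python
"""Constant multiplications in GF(2^128) for OCB/COLM mask generation.
Added example; polynomial x^128 + x^7 + x^2 + x + 1 as in RFC 7253 (assumed
for COLM too), RFC 7253 offset rules, constructed sample values."""
MASK128 = (1 << 128) - 1
REDUCE = 0x87   # low bits of x^128 + x^7 + x^2 + x + 1, fed back when x^128 appears


def mul2(a):
    """Doubling in GF(2^128): a left shift plus a conditional XOR with 0x87."""
    carry = (a >> 127) & 1
    return ((a << 1) & MASK128) ^ (REDUCE if carry else 0)


def mul3(a):
    return mul2(a) ^ a                  # 3 = 2 + 1


def mul7(a):
    return mul3(mul2(a)) ^ a            # 7 = 3*2 + 1, as in the text


def mul49(a):
    return mul7(mul7(a))                # "49" = 7*7 in the field


def gf_mul(a, b):
    """Generic product a*b in the same field (shift-and-add, reducing via
    mul2); used only to check the constant multipliers above."""
    acc = 0
    while b:
        if b & 1:
            acc ^= a
        a = mul2(a)
        b >>= 1
    return acc


def ntz(i):
    """Number of trailing zero bits of i >= 1."""
    return (i & -i).bit_length() - 1


def ocb_l_table(l_star, count):
    """RFC 7253 offset table: L_$ = 2*L_*, L_0 = 2*L_$, L_i = 2*L_{i-1}.
    Returns (L_$, [L_0, ..., L_{count-1}])."""
    l_dollar = mul2(l_star)
    table = [mul2(l_dollar)]
    for _ in range(1, count):
        table.append(mul2(table[-1]))
    return l_dollar, table


def ocb_offsets(offset0, table, n_blocks):
    """RFC 7253 per-block offsets: Offset_i = Offset_{i-1} xor L_{ntz(i)}."""
    offsets, offset = [], offset0
    for i in range(1, n_blocks + 1):
        offset ^= table[ntz(i)]
        offsets.append(offset)
    return offsets


def check_constants(a):
    """True if the derived multipliers agree with the generic product.
    The text's 49 is 7*7 in the field: (x^2+x+1)^2 = x^4+x^2+1 = 0x15."""
    seven_sq = gf_mul(7, 7)
    return (mul2(a) == gf_mul(a, 2) and mul3(a) == gf_mul(a, 3)
            and mul7(a) == gf_mul(a, 7) and mul49(a) == gf_mul(a, seven_sq))


if __name__ == "__main__":
    sample = 0x0123456789ABCDEF_FEDCBA9876543210   # constructed, not a real L
    print("constants consistent:", check_constants(sample))
    print("7*7 in the field = 0x%X (not 49)" % gf_mul(7, 7))
    l_dollar, table = ocb_l_table(sample, 4)
    # Offset_i - Offset_0 equals gray(i)*L_0; gray(4) = 6
    print("Offset_4 == 6*L_0:", ocb_offsets(0, table, 4)[3] == gf_mul(table[0], 6))
```

The generic multiplier is the only place where a real field multiplication happens; in hardware, as the text says, none is needed because every constant the two modes require is reached through doubling, which is why the masks cost only shifts and XORs.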
IV. PRACTICAL RESULTS
In this section, the practical results of the power leakage assessment on the unprotected and protected versions of the selected authenticated ciphers are presented. Then the implemented ciphers are benchmarked and the costs of protection are compared. The equipment needed for these analyses is described below.
A. EXPERIMENTAL SETUP
Practical experiments were done on the SAKURA-G board [34] (Fig. 11). This board contains a main FPGA, a Xilinx Spartan-6 XC6SLX75, on which the ciphers are implemented, and a control FPGA, a Xilinx Spartan-6 XC6SLX9, which handles the communication between the main FPGA and a PC. In all experiments, the power of the target FPGA was measured on its Vdd path using a Keysight Infiniium DSO90604A digital oscilloscope [35] with a sampling rate of 20 GSa/s and a bandwidth of 6 GHz; the measured signal is the output of the AC amplifier embedded on the SAKURA-G. To implement the selected ciphers on the FPGA, the proposed architectures of Fig. 9 and 10 were coded in VHDL at the RTL level and synthesized with Xilinx ISE 14.7. The functional correctness of the circuit was checked with Mentor Graphics ModelSim 10.1c. The main FPGA was clocked at frequencies from 0.5 MHz to 10 MHz, selected with frequency dividers inside the control FPGA. The random values and the initial sharing of the inputs are generated by the control FPGA and sent to the main FPGA; the outputs are likewise returned in shared form, with the same number of shares as the inputs. For the t-test, the selection between constant and random inputs is also made in the control FPGA.
To synchronize the oscilloscope with the FPGA and mark the start and end of the algorithm's execution, a trigger signal is generated by the control FPGA and sent to the oscilloscope. A program written in C# links the SAKURA-G board, the PC, and the oscilloscope: it generates the plaintexts/ciphertexts, sends them to and receives the results from the FPGA over USB, and commands the oscilloscope to save the power traces. After the traces have been transferred to the PC, they are processed. To reduce the effect of noise, each input is sent 1000 times and the corresponding traces are averaged in MATLAB R2017 and stored as a single trace for that input.
B. POWER LEAKAGE ASSESSMENT
In this subsection, the power leakage of the unprotected and protected versions of the OCB and COLM ciphers is assessed with first- and second-order t-tests.
1) POWER LEAKAGE ASSESSMENT ON THE UNPROTECTED OCB AND COLM
To assess the power leakage and run the t-test, the unprotected OCB and COLM were implemented on the FPGA according to the architectures of Fig. 9 and 10 (only the black section at the top of the figures, with an unprotected AES). A total of 18,000 traces were collected with the non-specific t-test procedure described in Section II-B, and the t values were computed according to Equation (3) using the ttest2 command in MATLAB, as shown in Fig. 12. For both ciphers the results exceed |t| > 4.5, indicating considerable leakage, as expected for unprotected schemes.
2) POWER LEAKAGE ASSESSMENT ON THE PROTECTED OCB AND COLM
This study targets first-order DPA resistance of the selected authenticated ciphers, so both the first- and the second-order t-test are conducted. To validate the countermeasures, the TI-protected version with hybrid 2-/3 shares and the DOM-protected version with 2 shares were implemented on the FPGA according to the proposed architectures of Fig. 9 and 10. The results of the non-specific first-order t-test on 18,000 collected traces, shown in Fig. 13, indicate that the TI- and DOM-protected OCB and COLM pass the test and can therefore be considered resistant against first-order DPA attacks. As with any leakage assessment, passing the test only shows that no first-order leakage was detectable with this number of traces and this measurement setup; it is evidence rather than a proof of security. As expected, the second-order t-test in Fig. 14 shows that the schemes are not resistant against second-order DPA.
C. PROTECTION COST OF OCB AND COLM CIPHERS
To benchmark the unprotected and protected versions of the OCB and COLM ciphers, our proposed architectures were described in VHDL at the RTL level, synthesized, and implemented on the SAKURA-G board's FPGA. The results for the unprotected and protected architectures in terms of area (slices and LUTs), maximum frequency, throughput, and efficiency are compared in Tab. 3 and Fig. 15.
The unprotected OCB has about 11% lower area (LUTs), 5% higher maximum frequency, 23% higher throughput, and 31% higher efficiency than COLM. A comparison of the protected versions also shows that OCB performs better on all criteria: DOM-protected OCB has the lowest area, while TI-protected OCB has the highest throughput and the highest efficiency. Therefore, DOM-protected OCB should be chosen when area matters most, and TI-protected OCB when throughput or efficiency does. Fig. 15 shows that TI-protected COLM has the largest area increase, by a factor of 2.25, and DOM-protected COLM the smallest, by a factor of 2.03. In terms of throughput, TI-protected COLM has the smallest decrease, by a factor of 1.47, and DOM-protected COLM the largest, by a factor of 1.87.
Comparison of results on
To the best of our knowledge, no protected architecture has been proposed for OCB and COLM except [25], the authors' previous work presenting a DOM-protected COLM. Therefore, the area-increase ratio and the throughput-decrease ratio of this work are compared with those of other protected AE ciphers in Tab. 4. Although the throughput-decrease ratio of the proposed protected ciphers is not the lowest, their area-increase ratio is better than the others (2.03 for DOM-protected OCB).
V. CONCLUSION AND FUTURE RESEARCH
In this research, the resistance of the two authenticated ciphers OCB and COLM, both winners of the CAESAR competition, was investigated against DPA attacks. Despite the inherent masking by offsets in the algorithms, we demonstrated that both ciphers are vulnerable to DPA attacks and do not pass the t-test. The proposed protected versions of these ciphers, using the TI masking scheme with hybrid 2-/3 shares and the DOM masking scheme with 2 shares, are resistant against first-order power analysis attacks according to the results of the first- and second-order t-tests. The unprotected OCB cipher has about 11% lower area and 23% higher throughput than COLM. In terms of protection cost, DOM-protected OCB has the lowest area cost, by a factor of 2.03, TI-protected OCB has the highest throughput, with a decrease factor of 1.47, and TI-protected OCB also has the highest efficiency. The area-increase ratio of 2.03 for DOM-protected OCB is better than those of previous works. If resistance against higher-order attacks is required, a larger number of shares is necessary, at a higher cost.
Future research includes investigating the vulnerability of the four remaining CAESAR winners and presenting protected versions of them against DPA attacks. Moreover, instead of the t-test, an actual DPA attack leading to key recovery can be mounted. Additionally, protected versions of the CAESAR winners against higher-order attacks are proposed as future work.
ZEINOLABEDIN NOROZI received the B.S. and M.S. degrees in applied mathematics from the University of Tehran, in 2004 and 2007, respectively, and the Ph.D. degree in applied mathematics and cryptography from Kharazmi University, in 2012. In 2007, he joined the Electrical Engineering Department, Imam Hossein University, Tehran, Iran, as an Assistant Professor. He has published several technical articles and participated in many scientific conferences in information security and cryptology. His research interests include symmetric cryptology, with an emphasis on block ciphers and authenticated encryption, steganography algorithms, lightweight implementation, and side-channel attacks.
NASOUR BAGHERI received the M.S. and Ph.D. degrees in electrical engineering from the Iran University of Science and Technology (IUST), Tehran, Iran, in 2002 and 2010, respectively. He is currently an Associate Professor with the Electrical Engineering Department, Shahid Rajaee Teacher Training University, Tehran. He is also a part-time Researcher with the Institute for Research in Fundamental Sciences. He is the author of more than 100 articles in information security and cryptology. His research interests include cryptology, more precisely the design and analysis of symmetric schemes such as lightweight ciphers (e.g., block ciphers, hash functions, and authenticated encryption schemes), cryptographic protocols for constrained environments such as RFID tags and IoT edge devices, and hardware security, e.g., the security of symmetric schemes against side-channel attacks such as fault injection and power analysis. A record of his publications is available at Google Scholar: https://scholar.google.com/citations?user=32llx44AAAAJ&hl=en.
