KLEIN: A New Family of Lightweight Block Ciphers

Resource-efficient cryptographic primitives become fundamental for realizing both security and efficiency in embedded systems like RFID tags and sensor nodes. Among those primitives, lightweight block cipher plays a major role as a building block for security protocols. In this paper, we describe a new family of lightweight block ciphers named KLEIN, which is designed for resource-constrained devices such as wireless sensors and RFID tags. Compared to the related proposals, KLEIN has advantage in the software performance on legacy sensor platforms, while in the same time its hardware implementation can also be compact

A new countermeasure against side-channel attacks based on hardware-software co-design

This paper aims at presenting a new countermeasure against Side-Channel Analysis (SCA) attacks, whose implementation is based on a hardware-software co-design. The hardware architecture consists of a microprocessor, which executes the algorithm using a false key, and a coprocessor that performs several operations that are necessary to retrieve the original text that was encrypted with the real key. The coprocessor hardly affects the power consumption of the device, so that any classical attack based on such power consumption would reveal a false key. Additionally, as the operations carried out by the coprocessor are performed in parallel with the microprocessor, the execution time devoted for encrypting a specific text is not affected by the proposed countermeasure. In order to verify the correctness of our proposal, the system was implemented on a Virtex 5 FPGA. Different SCA attacks were performed on several functions of AES algorithm. Experimental results show in all cases that the system is effectively protected by revealing a false encryption key.Peer ReviewedPreprin

Threshold Implementations of the Present Cipher

The process of securing data has always been a challenge since it is related to the safety of people and society. Nowadays, there are many cryptographic algorithms developed to solve security problems. However, some applications have constraints which make it difficult to achieve high levels of security. Light weight cryptography aims to address this issue while trying to maintain low costs. Side-channel attacks have changed the way of cryptography significantly. In this kind of attacks, the attacker has physical access to the crypto-system and can extract the sensitive data by monitoring and measuring the side-channels such as power consumption, electromagnetic emanation, timing information, sound, etc. These attacks are based on the relationship between side-channels and secret data. Therefore, there need to be countermeasures to eliminate or reduce side channel leaks or to break the relationship between side-channels and secret data to protect the crypto systems against side-channel attacks. In this work, we explore the practicality of Threshold Implementation (TI) with only two shares for a smaller design that needs less randomness but is still leakage resistant. We demonstrate the first two-share Threshold Implementations of light-weight block cipher Present. Based on implementation results, two-share TI has a lower area overhead and better throughput when compared with a first-order resistant three-share scheme. Leakage analysis of the developed implementations reveals that two-share TI can retain perfect first-order resistance. However, the analysis also exposes a strong second-order leakage

AES Side-Channel Countermeasure using Random Tower Field Constructions

International audienceMasking schemes to secure AES implementations against side-channel attacks is a topic of ongoing research. The most sensitive part of the AES is the non-linear SubBytes operation, in particular, the inversion in GF(2^8), the Galois field of 2^8 elements. In hardware implementations, it is well known that the use of the tower of extensions GF(2) ⊂ GF(2^2) ⊂ GF(2^4) ⊂ GF(2^8) leads to a more efficient inversion. We propose to use a random isomorphism instead of a fixed one. Then, we study the effect of this randomization in terms of security and efficiency. Considering the field extension GF(2^8)/GF(2^4), the inverse operation leads to computation of its norm in GF(2^4). Hence, in order to thwart side-channel attack, we manage to spread the values of norms over GF(2^4). Combined with a technique of boolean masking in tower fields, our countermeasure strengthens resistance against first-order differential side-channel attacks

Higher-Order Threshold Implementation of the AES S-Box

In this paper we present a threshold implementation of the Advanced Encryption Standard’s S-box which is secure against first- and second-order power analysis attacks. This security guarantee holds even in the presence of glitches, and includes resistance against bivariate attacks. The design requires an area of 7849 Gate Equivalents and 126 bits of randomness per S-box execution. The implementation is tested on an FPGA platform and its security claim is supported by practical leakage detection tests

Higher-order CIS codes

We introduce {\bf complementary information set codes} of higher-order. A binary linear code of length $tk$ and dimension $k$ is called a complementary information set code of order $t$ ($t$-CIS code for short) if it has $t$ pairwise disjoint information sets. The duals of such codes permit to reduce the cost of masking cryptographic algorithms against side-channel attacks. As in the case of codes for error correction, given the length and the dimension of a $t$-CIS code, we look for the highest possible minimum distance. In this paper, this new class of codes is investigated. The existence of good long CIS codes of order $3$ is derived by a counting argument. General constructions based on cyclic and quasi-cyclic codes and on the building up construction are given. A formula similar to a mass formula is given. A classification of 3-CIS codes of length $\le 12$ is given. Nonlinear codes better than linear codes are derived by taking binary images of $\Z_4$-codes. A general algorithm based on Edmonds' basis packing algorithm from matroid theory is developed with the following property: given a binary linear code of rate $1/t$ it either provides $t$ disjoint information sets or proves that the code is not $t$-CIS. Using this algorithm, all optimal or best known $[tk, k]$ codes where $t=3, 4, \dots, 256$ and $1 \le k \le \lfloor 256/t \rfloor$ are shown to be $t$-CIS for all such $k$ and $t$, except for $t=3$ with $k=44$ and $t=4$ with $k=37$.Comment: 13 pages; 1 figur

Constructing TI-Friendly Substitution Boxes Using Shift-Invariant Permutations

The threat posed by side channels requires ciphers that can be efficiently protected in both software and hardware against such attacks. In this paper, we proposed a novel Sbox construction based on iterations of shift-invariant quadratic permutations and linear diffusions. Owing to the selected quadratic permutations, all of our Sboxes enable uniform 3-share threshold implementations, which provide first order SCA protections without any fresh randomness. More importantly, because of the shift-invariant property, there are ample implementation trade-offs available, in software as well as hardware. We provide implementation results (software and hardware) for a four-bit and an eight-bit Sbox, which confirm that our constructions are competitive and can be easily adapted to various platforms as claimed. We have successfully verified their resistance to first order attacks based on real acquisitions. Because there are very few studies focusing on software-based threshold implementations, our software implementations might be of independent interest in this regard