A Note on 5-bit Quadratic Permutations’ Classification

Classification of vectorial Boolean functions up to affine equivalence is used widely to analyze various cryptographic and implementation properties of symmetric-key algorithms. We show that there exist 75 affine equivalence classes of 5-bit quadratic permutations. Furthermore, we explore important cryptographic properties of these classes, such as linear and differential properties and degrees of their inverses, together with multiplicative complexity and existence of uniform threshold realizations

Changing of the Guards: a simple and efficient method for achieving uniformity in threshold sharing

Since they were first proposed as a countermeasure against differential power analysis (DPA) in 2006, threshold schemes have attracted a lot of attention from the community concentrating on cryptographic implementations. What makes threshold schemes so attractive from an academic point of view is that they come with an information-theoretic proof of resistance against a specific subset of side-channel attacks: first-order DPA. From an industrial point of view they are attractive as a careful threshold implementation forces adversaries to DPA of higher order, with all its problems such a noise amplification. A threshold scheme that offers the mentioned provable security must exhibit three properties: correctness, incompleteness and uniformity. A threshold scheme becomes more expensive with the number of shares that must be implemented and the required number of shares is lower bound by the algebraic degree of the function being shared plus 1. Defining a correct and incomplete sharing of a function of degree d in d+1 shares is straightforward. However, up to now there is no generic method to achieve uniformity and finding uniform sharings of degree-d functions with d+1 shares is an active research area. In this paper we present a simple and relatively cheap method to find a correct, incomplete and uniform d+1-share threshold scheme for any S-box layer consisting of degree-d invertible S-boxes. The uniformity is not implemented in the sharings of the individual S-boxes but rather at the S-box layer level by the use of feed-forward and some expansion of shares. When applied to the Keccak-p nonlinear step Chi, its cost is very small

Threshold Implementation in Software - Case Study of PRESENT

Masking is one of the predominantly deployed countermeasures in order to prevent side-channel analysis (SCA) attacks. Over the years, various masking schemes have been proposed. However, the implementation of Boolean masking schemes has proven to be difficult in particular for embedded devices due to undisclosed architecture details and device internals. In this article, we investigate the application of Threshold Implementation (TI) in terms of Boolean masking in software using the PRESENT cipher as a case study. Since TI has proven to be a proper solution in order to implement Boolean masking for hardware circuits, we apply the same concept for software implementations and compare it to classical first- and second-order Boolean masking schemes. Eventually, our practical security evaluations reveal that amongst all our considered implementation variants only the TI can provide first-order security while all others still exhibit detectable first-order leakage

An Optimal Universal Construction for the Threshold Implementation of Bijective S-boxes

Threshold implementation is a method based on secret sharing to secure cryptographic ciphers (and in particular S-boxes) against differential power analysis side-channel attacks which was proposed by Nikova, Rechberger, and Rijmen in 2006. Until now, threshold implementations were only constructed for specific types of functions and some small S-boxes, but no generic construction was ever presented. In this paper, we present the first universal threshold implementation with $t+2$ shares that is applicable to any bijective S-box, where $t$ is its algebraic degree (or is larger than the algebraic degree). While being universal, our construction is also optimal with respect to the number of shares, since the theoretically smallest possible number, $t+1$, is not attainable for some bijective S-boxes. Our results enable low latency secure hardware implementations without the need for additional randomness. In particular, we apply this result to find two uniform sharings of the AES S-box. The first sharing is obtained by using the threshold implementation of the inversion in $\mathbb{F}_{2^8}$ and the second by using two threshold implementations of two cubic power permutations that decompose the inversion. Area and performance figures for hardware implementations are provided

От криптоанализа шифра к криптографическому свойству булевой функции

Настоящий обзор посвящён описанию основных криптографических свойств булевых функций, таких, как высокая алгебраическая степень, уравновешенность и совершенная уравновешенность, лавинные характеристики, отсутствие линейных структур, корреляционная иммунность и устойчивость, высокая нелинейность, статистическая независимость, алгебраическая иммунность, уровень аффинности и k-нормальность, дифференциальная равномерность, разложимость в сумму специальных функций, мультипликативная сложность, высокие мощности линеари-зационных множеств. Исследуются вопросы формирования данных свойств на основе атак на блочные и поточные шифры, использующих определённые уязвимости булевых функций, являющихся компонентами шифров; приводятся основные идеи данных атак. Кратко рассмотрены базовые теоретические результаты, полученные для каждого из свойств, и сформулированы открытые проблемы в данной области

DPA-Resistant ASIC implementation of AES

With the increased proliferation of small embedded systems connected to the internet and the internet-of-things, the security concerns becomes increasingly important. Encryption, and the protection of encrypted circuits can be of great importance. With this thesis the aim was to design an encryption chip that was able to operate without leaking sensitive information even in the presence of a malicious adversary, specifically to be able to withstand differential power analysis attacks. A masked 128-bit data-path AES encryption and decryption architecture is proposed, supporting AES-128, 192 and 256 using cipher-block chaining mode of operation. Synthesized to 65nm technology, the system achieves a keymode- dependent throughput of 0.99-1.32 Gb/s operating at 400MHz with an average power consumption of 167.9mW. Our masking approach should withstand second order DPA-attacks at an area cost of 486% compared to the unmasked equivalent circuit

CRAFT: Lightweight Tweakable Block Cipher with Efficient Protection Against DFA Attacks

Traditionally, countermeasures against physical attacks are integrated into the implementation of cryptographic primitives after the algorithms have been designed for achieving a certain level of cryptanalytic security. This picture has been changed by the introduction of PICARO, ZORRO, and FIDES, where efficient protection against Side-Channel Analysis (SCA) attacks has been considered in their design. In this work we present the tweakable block cipher CRAFT: the efficient protection of its implementations against Differential Fault Analysis (DFA) attacks has been one of the main design criteria, while we provide strong bounds for its security in the related-tweak model. Considering the area footprint of round-based hardware implementations, CRAFT outperforms the other lightweight ciphers with the same state and key size. This holds not only for unprotected implementations but also when fault-detection facilities, side-channel protection, and their combination are integrated into the implementation. In addition to supporting a 64-bit tweak, CRAFT has the additional property that the circuit realizing the encryption can support the decryption functionality as well with very little area overhead

CRAFT: Lightweight Tweakable Block Cipher with Efficient Protection Against DFA Attacks

Traditionally, countermeasures against physical attacks are integrated into the implementation of cryptographic primitives after the algorithms have been designed for achieving a certain level of cryptanalytic security. This picture has been changed by the introduction of PICARO, ZORRO, and FIDES, where efficient protection against Side-Channel Analysis (SCA) attacks has been considered in their design. In this work we present the tweakable block cipher CRAFT: the efficient protection of its implementations against Differential Fault Analysis (DFA) attacks has been one of the main design criteria, while we provide strong bounds for its security in the related-tweak model. Considering the area footprint of round-based hardware implementations, CRAFT outperforms the other lightweight ciphers with the same state and key size. This holds not only for unprotected implementations but also when fault-detection facilities, side-channel protection, and their combination are integrated into the implementation. In addition to supporting a 64-bit tweak, CRAFT has the additional property that the circuit realizing the encryption can support the decryption functionality as well with very little area overhead

Threshold Implementations of Small S-boxes

© 2014, Springer Science+Business Media New York. Threshold implementation (TI) is a masking method that provides security against first-order DPA with minimal assumptions on the hardware. It is based on multi-party computation and secret sharing. In this paper, we provide an efficient technique to find TIs for all 3 and 4-bit permutations which also covers the set of 3×3 and 4×4 invertible S-boxes. We also discuss alternative methods to construct shared functions by changing the number of variables or shares. Moreover, we further consider the TI of 5-bit almost bent and 6-bit almost perfect nonlinear permutations. Finally, we compare the areas of these various TIs.status: publishe