Uniform First-Order Threshold Implementations

Most masking schemes used as a countermeasure against side-channel analysis attacks require an extensive amount of fresh random bits on the fly. This is burdensome especially for lightweight cryptosystems. Threshold implementations (TIs) that are secure against firstorder attacks have the advantage that fresh randomness is not required if the sharing of the underlying function is uniform. However, finding uniform realizations of nonlinear functions that also satisfy other TI properties can be a challenging task. In this paper, we discuss several methods that advance the search for uniformly shared functions for TIs. We focus especially on three-share implementations of quadratic functions due to their low area footprint. Our methods have low computational complexity even for 8-bit Boolean functions

Extended Analysis of DES S-boxes

For more than three decades, the Data Encryption Standard (DES) was one the most widely used cryptographic algorithms. It is still the dominating block cipher for banking applications. The DES was designed by IBM, verified by NSA and published by the National Bureau of Standards as a US Federal Information Processing Standard (FIPS) in 1977. The algorithm itself was fully public but the complete design criteria were only revealed by Coppersmith in 1994. He states that the IBM team was aware of differential cryptanalysis; the DES S-boxes are chosen to satisfy eight design criteria in order to resist this powerful attack. In their 1982 book, Meyer and Matyas state that the DES S-boxes were chosen so that they can be implemented with a minimum number of logic\ud circuits. They mention that for an early design, in which not all of the design criteria are satisfied, the number of minterms varies between 40 and 48. However, for the final design the number of minterms is either 52 or 53, which is the smallest possible number that satisfies all the design criteria. Our research attempts to validate the IBM claims by generating a large number of candidate DES S-boxes satisfying specific criteria and by evaluating their number of minterms

A Note on 5-bit Quadratic Permutations’ Classification

Classification of vectorial Boolean functions up to affine equivalence is used widely to analyze various cryptographic and implementation properties of symmetric-key algorithms. We show that there exist 75 affine equivalence classes of 5-bit quadratic permutations. Furthermore, we explore important cryptographic properties of these classes, such as linear and differential properties and degrees of their inverses, together with multiplicative complexity and existence of uniform threshold realizations

Higher-Order Threshold Implementation of the AES S-Box

In this paper we present a threshold implementation of the Advanced Encryption Standard’s S-box which is secure against first- and second-order power analysis attacks. This security guarantee holds even in the presence of glitches, and includes resistance against bivariate attacks. The design requires an area of 7849 Gate Equivalents and 126 bits of randomness per S-box execution. The implementation is tested on an FPGA platform and its security claim is supported by practical leakage detection tests

Consolidating masking schemes

In this paper we investigate relations between several masking schemes. We show that the Ishai--Sahai--Wagner private circuits construction is closely related to Threshold Implementations and the Trichina gate. The implications of this observation are manifold. We point out a higher-order weakness in higher-order Threshold Implementations, suggest a mitigation and provide new sharings that use a lower number of input shares

Üreteç fonksiyonlar ve uygulamaları.

Generating functions are important tools that are used in many areas of mathematics and especially statistics. Besides analyzing the general structure of sequences and their asymptotic behavior; these functions, which can be roughly thought as the transformation of sequences into functions, are also used effciently to solve combinatorial problems. In this thesis, the effects of the transformations of generating functions on their corresponding sequences and the effects of the change in sequences on the generating functions are examined. With these knowledge, the generating functions for the resulting sequence of some combinatorial problems such as number of partitions, number of involutions, Fibonacci numbers and Catalan numbers are found. Moreover, some mathematical identities are proved by using generating functions. The sequences are the bases of especially symmetric key cryptosystems in cryptography. It is seen that by using generating functions, linear complexities and periods of sequences generated by constant coeffcient linear homogeneous recursions, which are used in linear feedback shift register (LFSR) based stream ciphers, can be calculated. Hence studying generating functions leads to have a better understanding in them. Therefore, besides combinatorial problems, such recursions are also examined and the results are used to observe the linear complexity and the period of LFSR’s combined in different ways to generate “better” system of stream cipher.M.S. - Master of Scienc

Threshold implementations : as countermeasure against higher-order differential power analysis

Embedded devices are used pervasively in a wide range of applications some of which require cryptographic algorithms in order to provide security. Sensitive information, such as the secret key used in the algorithm, can be derived from the physical leakage of these devices. The most common attack based on the physical leakages is differential power analysis (DPA) which exploits the correlation between the instantaneous power consumption of a device and the intermediate results of a cryptographic algorithm.\ud \ud Different countermeasures have been proposed to prevent DPA. Here, we focus on a powerful approach called threshold implementation (TI) which is based on secret sharing and multi-party computation and is proven secure even in the presence of glitches by Nikova et al. in ICICS’06. TI relies on four properties, namely correctness, non- completeness, uniformity of the shared variables and uniformity of the shared functions. Achieving all four properties for linear functions is straight-forward. However, it can be challenging when nonlinear functions, such as the S-boxes of symmetric-key algorithms, are considered. Satisfying all the properties can impose using extra randomness or increasing the number of shares both of which imply an increase of resources.\ud \ud The contribution of this thesis is two-fold. In the first part of the thesis, we introduce the theory for generating higher-order TI which can counteract higher-order DPA. The early works of TI provide security against first-order DPA attacks. However, it has been shown that second-order attacks are also feasible even though the amount of traces required for a successful attack increases exponentially in the noise standard deviation. Therefore, increasing the security using higher-order TI is valuable.\ud \ud In the second part of the thesis, we examine area- randomness-security trade-offs during a TI. In order to do that, we first investigate all 3 × 3 and 4 × 4, and some cryptographically significant classes of 5 × 5 and 6 × 6 invertible S-boxes. Then, we extend our research to the TIs of standardized symmetric-key algorithms AES and SHA-3 with detailed investigation on the trade-offs

Multiplicative Masking for AES in Hardware

Hardware masked AES designs usually rely on Boolean masking and perform the computation of the S-box using the tower-field decomposition. On the other hand, splitting sensitive variables in a multiplicative way is more amenable for the computation of the AES S-box, as noted by Akkar and Giraud. However, multiplicative masking needs to be implemented carefully not to be vulnerable to first-order DPA with a zero-value power model. Up to now, sound higher-order multiplicative masking schemes have been implemented only in software. In this work, we demonstrate the first hardware implementation of AES using multiplicative masks. The method is tailored to be secure even if the underlying gates are not ideal and glitches occur in the circuit. We detail the design process of first- and second-order secure AES-128 cores, which result in the smallest die area to date among previous state-of-the-art masked AES implementations with comparable randomness cost and latency. The first- and second-order masked implementations improve resp. 29% and 18% over these designs. We deploy our construction on a Spartan-6 FPGA and perform a side-channel evaluation. No leakage is detected with up to 50 million traces for both our first- and second-order implementation. For the latter, this holds both for univariate and bivariate analysis

Consolidating Security Notions in Hardware Masking

In this paper, we revisit the security conditions of masked hardware implementations. We describe a new, succinct, information-theoretic condition called d-glitch immunity which is both necessary and sufficient for security in the presence of glitches. We show that this single condition includes, but is not limited to, previous security notions such as those used in higher-order threshold implementations and in abstractions using ideal gates. As opposed to these previously known necessary conditions, our new condition is also sufficient. On the other hand, it excludes avoidable notions such as uniformity. We also treat the notion of (strong) noninterference from an information-theoretic point-of-view in order to unify the different security concepts and pave the way to the verification of composability in the presence of glitches. We conclude the paper by demonstrating how the condition can be used as an efficient and highly generic flaw detection mechanism for a variety of functions and schemes based on different operations

A Note on 5-bit Quadratic Permutations’ Classification

Classification of vectorial Boolean functions up to affine equivalence is used widely to analyze various cryptographic and implementation properties of symmetric-key algorithms. We show that there exist 75 affine equivalence classes of 5-bit quadratic permutations. Furthermore, we explore important cryptographic properties of these classes, such as linear and differential properties and degrees of their inverses, together with multiplicative complexity and existence of uniform threshold realizations