ARTICLES

Side-channel attack-resistant AES S-box with hidden subfield inversion and glitch-free masking

Xiangyu Li1, 2, , Pengyuan Jiao1, 3 and Chaoqun Yang1, 3

+ Author Affiliations

 Corresponding author: Xiangyu Li, xiangyuli@tsinghua.edu.cn

PDF

Turn off MathJax

Abstract: A side-channel attack (SCA)-resistant AES S-box implementation is proposed, which is an improvement from the power-aware hiding (PAH) S-box but with higher security and a smaller area. We use the composite field approach and apply the PAH method to the inversion in the nonlinear kernel and a masking method to the other parts. In addition, a delay-matched enable control technique is used to suppress glitches in the masked parts. The evaluation results show that its area is contracted to 63.3% of the full PAH S-box, and its power-delay product is much lower than that of the masking implementation. The leakage assessment using simulation power traces concludes that it has no detectable leakage under t-test and that it at least can thwart the moment-correlation analysis using 665 000 noiseless traces.

Key words: ASICside-channel attackAES S-boxpower-aware hidingglitch-free



[1]
Dinu D, Kizhvatov I. EM analysis in the IoT context: Lessons learned from an attack on thread. IACR Trans Cryptogr Hardw Embed Syst, 2018, 73
[2]
Tsai K L, Huang Y L, Leu F Y, et al. AES-128 based secure low power communication for LoRaWAN IoT environments. IEEE Access, 2018, 6, 45325 doi: 10.1109/ACCESS.2018.2852563
[3]
Taha M, Schaumont P. Key updating for leakage resiliency with application to AES modes of operation. IEEE Trans Inform Forensic Secur, 2015, 10, 519 doi: 10.1109/TIFS.2014.2383359
[4]
Moradi A, Poschmann A, Ling S, et al. Pushing the limits: A very compact and a threshold implementation of AES. Adv Cryptol - EUROCRYPT 2011, 2011, 69 doi: 10.1007/978-3-642-20465-4_6
[5]
Gao S, Roy A, Oswald E. Constructing TI-friendly substitution boxes using shift-invariant permutations. Cryptographers Track RSA Conference, 2019, 433
[6]
Boss E, Grosso V, Güneysu T, et al. Strong 8-bit Sboxes with efficient masking in hardware extended version. J Cryptogr Eng, 2017, 7, 149 doi: 10.1007/s13389-017-0156-7
[7]
Burns F, Bystrov A, Koelmans A, et al. Security evaluation of balanced 1-of-n circuits. IEEE Trans VLSI Syst, 2011, 19, 2135 doi: 10.1109/TVLSI.2010.2064793
[8]
Liu P C, Chang H C, Lee C Y. A low overhead DPA countermeasure circuit based on ring oscillators. IEEE Trans Circuits Syst II, 2010, 57, 546 doi: 10.1109/TCSII.2010.2048400
[9]
Singh A, Kar M, Mathew S, et al. Improved power side channel attack resistance of a 128-bit AES engine with random fast voltage dithering. European Solid-State Device Research Conference, 2017, 51
[10]
van Woudenberg J G J, Witteman M F, Bakker B. Improving differential power analysis by elastic alignment. Cryptographers Track RSA Conference, 2011, 104
[11]
Lu S, Zhang Z, Papaefthymiou M C. A 1.25 pJ/bit 0.048 mm2 AES core with DPA resistance for IoT devices. IEEE Asian Solid-State Circuits Conference, 2017, 65
[12]
Ma J S, Wang M Y, Li X Y. Power-aware hiding method for S-box protection. Electron Lett, 2014, 50, 1604 doi: 10.1049/el.2014.1559
[13]
Li X Y, Yang C Q, Ma J S, et al. Energy-efficient side-channel attack countermeasure with awareness and hybrid configuration based on it. IEEE Trans VLSI Syst, 2017, 25, 3355 doi: 10.1109/TVLSI.2017.2752212
[14]
Yang C Q, Li X Y, Yin S J. Low-cost energy-efficient side-channel attacks resistant AES S-box with power-aware hiding inverter in GF(24). International Conference on Trust, Security and Privacy in Computing and Communications, 2018, 1526
[15]
Canright D, Batina L. A very compact “perfectly masked” S-box for AES. Applied Cryptography and Network Security. Berlin, Heidelberg: Springer Berlin Heidelberg, 2008, 446
[16]
Nikova S, Rijmen V, Schläffer M. Secure hardware implementation of nonlinear functions in the presence of glitches. J Cryptol, 2011, 24, 292 doi: 10.1007/s00145-010-9085-7
[17]
Canright D. A very compact S-box for AES. Conference on Cryptographic Hardware and Embedded Systems, 2005, 441
[18]
Schneider T, Moradi A. Leakage assessment methodology. Conference on Cryptographic Hardware and Embedded Systems, 2015, 495
[19]
Moradi A, Standaert F X. Moments-correlating DPA. Proceedings of the 2016 ACM Workshop on Theory of Implementation Security - TIS'16, 2016, 5
[20]
Zeng J L, Wang Y, Xu C, et al. Improvement on masked S-box hardware implementation. IEEE International Conference on Innovations in Information Technology, 2012, 113
Fig. 1.  (Color online) PAH-masking mixed S-box structure (modified from Ref. [14]).

Fig. 2.  (Color online) PAH-masking mixed S-box timing diagram (modified from Ref. [14]).

Fig. 3.  (Color online) PAH inversion in GF(24) unit. (a) Circuit[14]. (b) Layout (62 × 56 μm2).

Fig. 4.  Modification of XOR gates in RMU.

Fig. 5.  Structure of $\widetilde {A_0^{ - 1}}$ calculation logic with enable chain.

Fig. 6.  (Color online) Nonspecific t-test results (with 10 000 traces). (a) Unprotected. (b) Full-masking. (c) Full-PAH. (d) Proposed.

Fig. 7.  (Color online) MCP-DPA attack result (332 500 traces for profiling and 332 500 traces for correlation).

Table 1.   Comparison with other DPA-resistant S-box in terms of security.

DesignRef. [17]Full-maskingRef. [13]Ref. [9]This work (with glitches)This work
CountermeasureUnprotectedFull-maskingFull-PAHRFVDPAH-maskingPAH-glitch-free masking
${\left| t \right|_{\rm{max }}}$69.825.237.24.214.43.9
DownLoad: CSV

Table 2.   Comparison with other DPA-resistant S-box in terms of delay, energy, and cost.

ParameterRef. [17]Ref. [20]Ref. [13]This work (with glitches)This work
CountermeasureNoMaskingFull-PAHPIU+maskingProposed
Technology (nm)180180180180180
Delay (ns)49.441.565.555.71
Area (GE)373635386515582365
Energy (pJ)24.56152.935.624.0826.87
DownLoad: CSV
[1]
Dinu D, Kizhvatov I. EM analysis in the IoT context: Lessons learned from an attack on thread. IACR Trans Cryptogr Hardw Embed Syst, 2018, 73
[2]
Tsai K L, Huang Y L, Leu F Y, et al. AES-128 based secure low power communication for LoRaWAN IoT environments. IEEE Access, 2018, 6, 45325 doi: 10.1109/ACCESS.2018.2852563
[3]
Taha M, Schaumont P. Key updating for leakage resiliency with application to AES modes of operation. IEEE Trans Inform Forensic Secur, 2015, 10, 519 doi: 10.1109/TIFS.2014.2383359
[4]
Moradi A, Poschmann A, Ling S, et al. Pushing the limits: A very compact and a threshold implementation of AES. Adv Cryptol - EUROCRYPT 2011, 2011, 69 doi: 10.1007/978-3-642-20465-4_6
[5]
Gao S, Roy A, Oswald E. Constructing TI-friendly substitution boxes using shift-invariant permutations. Cryptographers Track RSA Conference, 2019, 433
[6]
Boss E, Grosso V, Güneysu T, et al. Strong 8-bit Sboxes with efficient masking in hardware extended version. J Cryptogr Eng, 2017, 7, 149 doi: 10.1007/s13389-017-0156-7
[7]
Burns F, Bystrov A, Koelmans A, et al. Security evaluation of balanced 1-of-n circuits. IEEE Trans VLSI Syst, 2011, 19, 2135 doi: 10.1109/TVLSI.2010.2064793
[8]
Liu P C, Chang H C, Lee C Y. A low overhead DPA countermeasure circuit based on ring oscillators. IEEE Trans Circuits Syst II, 2010, 57, 546 doi: 10.1109/TCSII.2010.2048400
[9]
Singh A, Kar M, Mathew S, et al. Improved power side channel attack resistance of a 128-bit AES engine with random fast voltage dithering. European Solid-State Device Research Conference, 2017, 51
[10]
van Woudenberg J G J, Witteman M F, Bakker B. Improving differential power analysis by elastic alignment. Cryptographers Track RSA Conference, 2011, 104
[11]
Lu S, Zhang Z, Papaefthymiou M C. A 1.25 pJ/bit 0.048 mm2 AES core with DPA resistance for IoT devices. IEEE Asian Solid-State Circuits Conference, 2017, 65
[12]
Ma J S, Wang M Y, Li X Y. Power-aware hiding method for S-box protection. Electron Lett, 2014, 50, 1604 doi: 10.1049/el.2014.1559
[13]
Li X Y, Yang C Q, Ma J S, et al. Energy-efficient side-channel attack countermeasure with awareness and hybrid configuration based on it. IEEE Trans VLSI Syst, 2017, 25, 3355 doi: 10.1109/TVLSI.2017.2752212
[14]
Yang C Q, Li X Y, Yin S J. Low-cost energy-efficient side-channel attacks resistant AES S-box with power-aware hiding inverter in GF(24). International Conference on Trust, Security and Privacy in Computing and Communications, 2018, 1526
[15]
Canright D, Batina L. A very compact “perfectly masked” S-box for AES. Applied Cryptography and Network Security. Berlin, Heidelberg: Springer Berlin Heidelberg, 2008, 446
[16]
Nikova S, Rijmen V, Schläffer M. Secure hardware implementation of nonlinear functions in the presence of glitches. J Cryptol, 2011, 24, 292 doi: 10.1007/s00145-010-9085-7
[17]
Canright D. A very compact S-box for AES. Conference on Cryptographic Hardware and Embedded Systems, 2005, 441
[18]
Schneider T, Moradi A. Leakage assessment methodology. Conference on Cryptographic Hardware and Embedded Systems, 2015, 495
[19]
Moradi A, Standaert F X. Moments-correlating DPA. Proceedings of the 2016 ACM Workshop on Theory of Implementation Security - TIS'16, 2016, 5
[20]
Zeng J L, Wang Y, Xu C, et al. Improvement on masked S-box hardware implementation. IEEE International Conference on Innovations in Information Technology, 2012, 113
  • Search

    Advanced Search >>

    GET CITATION

    shu

    Export: BibTex EndNote

    Article Metrics

    Article views: 2845 Times PDF downloads: 59 Times Cited by: 0 Times

    History

    Received: 05 August 2020 Revised: 09 September 2020 Online: Accepted Manuscript: 27 November 2020Uncorrected proof: 27 November 2020Published: 10 March 2021

    Catalog

      Email This Article

      User name:
      Email:*请输入正确邮箱
      Code:*验证码错误
      Xiangyu Li, Pengyuan Jiao, Chaoqun Yang. Side-channel attack-resistant AES S-box with hidden subfield inversion and glitch-free masking[J]. Journal of Semiconductors, 2021, 42(3): 032402. doi: 10.1088/1674-4926/42/3/032402 X Y Li, P Y Jiao, C Q Yang, Side-channel attack-resistant AES S-box with hidden subfield inversion and glitch-free masking[J]. J. Semicond., 2021, 42(3): 032402. doi: 10.1088/1674-4926/42/3/032402.Export: BibTex EndNote
      Citation:
      Xiangyu Li, Pengyuan Jiao, Chaoqun Yang. Side-channel attack-resistant AES S-box with hidden subfield inversion and glitch-free masking[J]. Journal of Semiconductors, 2021, 42(3): 032402. doi: 10.1088/1674-4926/42/3/032402

      X Y Li, P Y Jiao, C Q Yang, Side-channel attack-resistant AES S-box with hidden subfield inversion and glitch-free masking[J]. J. Semicond., 2021, 42(3): 032402. doi: 10.1088/1674-4926/42/3/032402.
      Export: BibTex EndNote

      Side-channel attack-resistant AES S-box with hidden subfield inversion and glitch-free masking

      doi: 10.1088/1674-4926/42/3/032402
      More Information
      • Author Bio:

        Xiangyu Li was born in Tianjin, China, in 1977. He received his B.S. degree in microelectronics and solid-state electronics from Tsinghua University, Beijing, China, in 2000 and his Ph.D. degree in science and technology of electronics from Tsinghua University, Beijing, China, in 2006. From 2006 to 2012, he was an Assistant Researcher with the Integrated Circuit and System Design Laboratory, Institute of Microelectronics, Tsinghua University, Beijing, China. Since 2012, he has been an Associate Professor with the Institute of Microelectronics, Tsinghua University, Beijing. He is the author of more than 60 articles and 9 inventions. His research interests include Internet of Things devices, energy-efficient integrated circuits, and hardware security. Prof. Li has been a reviewer of manuscripts for some journals, including IEEE Transactions on VLSI Systems, Science China and Circuit Word

      • Corresponding author: xiangyuli@tsinghua.edu.cn
      • Received Date: 2020-08-05
      • Revised Date: 2020-09-09
      • Published Date: 2021-03-10

      Catalog

        /

        DownLoad:  Full-Size Img  PowerPoint
        Return
        Return