RUHR-UNIVERSITÄT BOCHUM
Strong 8-bit Sboxes with Efficient Masking in Hardware
18th August, 2016.
Erik Boss¹, Vincent Grosso¹, Tim Güneysu², Gregor Leander¹, Amir Moradi¹, Tobias Schneider¹
¹ Horst Görtz Institute for IT Security, Ruhr-Universität Bochum, Germany
² University of Bremen and DFKI, Germany
Side-channel attacks
[Figure: inputs, outputs and side-channel information, shown as a power trace (axes: time samples, power)]
Vincent Grosso | Strong 8-bit Sboxes with Efficient Masking in Hardware | CHES 2016
Masking: principle
[Figure: unmasked computation x ⊕ k → S-box → y, with an attack on its power trace (axes: time samples, power)]
[Figure: masked computation with labels x, m, k, S-box', C, y ⊕ m′, m′, with an attack on its power trace (axes: time samples, power)]
Masking: summary
Expectation: the number of measurements grows exponentially in the number of shares, with the noise as the base
Security conditions
Noise
Randomness
Independence of the leakages: possible issue in hardware due to glitches
Threshold implementations
[Figure: shares z1, z2, z3 of z feed the component functions f1, f2, f3 of f, which output the shares y1, y2, y3 of y]
Correctness: the shared functions compute the actual function
Non-completeness: each sub-circuit is independent of one share
Uniformity: the output of the shared function is a uniform sharing (use fresh randomness if needed)
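
The three properties can be checked exhaustively for small functions. The following is an added example, not code from the talk or the paper: it uses the common direct 3-share sharing of AND (an assumption, the slides give no component formulas), which is correct and non-complete but not uniform, and a sharing of a XOR (b AND c), which satisfies all three.

```python
# Added example: exhaustive check of the three TI properties with 3 shares.
from itertools import product

def and_ti(x, y):
    """Direct 3-share sharing of x AND y; x and y are share triples."""
    return (x[1] & y[1] ^ x[1] & y[2] ^ x[2] & y[1],
            x[2] & y[2] ^ x[0] & y[2] ^ x[2] & y[0],
            x[0] & y[0] ^ x[0] & y[1] ^ x[1] & y[0])

def xor_and_ti(a, b, c):
    """Sharing of a XOR (b AND c): the AND sharing plus one share of a each."""
    p = and_ti(b, c)
    return (a[1] ^ p[0], a[2] ^ p[1], a[0] ^ p[2])

def unshare(s):
    return s[0] ^ s[1] ^ s[2]

def all_inputs(n):
    """Every assignment of n share triples."""
    return product(product((0, 1), repeat=3), repeat=n)

def correct(ti, f, n):
    return all(unshare(ti(*ins)) == f(*map(unshare, ins)) for ins in all_inputs(n))

def non_complete(ti, n):
    """Component i must ignore share i of every input variable."""
    for ins in all_inputs(n):
        out = ti(*ins)
        for var, i in product(range(n), range(3)):
            flipped = list(ins)
            flipped[var] = tuple(b ^ (k == i) for k, b in enumerate(ins[var]))
            if ti(*flipped)[i] != out[i]:
                return False
    return True

def uniform(ti, n):
    """Per unshared input, all 4 valid output sharings occur equally often."""
    counts = {}
    for ins in all_inputs(n):
        per_input = counts.setdefault(tuple(map(unshare, ins)), {})
        per_input[ti(*ins)] = per_input.get(ti(*ins), 0) + 1
    return all(len(c) == 4 and len(set(c.values())) == 1 for c in counts.values())
```
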
Algebraic decomposition
Number of shares for TI: degree of f + 1
[Figure: direct sharing of f with t+1 shares: z1, ..., zt+1 → f1, ..., ft+1 → y1, ..., yt+1]
⇒ f = h ◦ g
[Figure: decomposed sharing with 3 shares: z1, z2, z3 → g1, g2, g3 → y1, y2, y3 → h1, h2, h3 → x1, x2, x3]
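Different implementation techniques
[Figure: "Raw" implementation: Sbox composed of F1, F2, F3, F4 (labels 1, 2, 3, n); "Iterative" implementation: a single F (labels 1, 2, 3, n)]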
Previous work
Exhaustive search for small S-boxes (i.e. n ≤ 4)
4-bit S-boxes: 302 bijective classes ⇒ 35 efficient TI with 3 shares [CHES 2012]
Look for interesting S-boxes and try to find a nice threshold implementation, e.g.:
AES [EUROCRYPT 2011, Africacrypt 2014] 8-bit
Fides [CHES 2013] 5-bit, 6-bit
Keccak [CARDIS 2013] 5-bit
Large S-box with good cryptographic/threshold implementation properties?
Idea
Use results for small S-boxes to find TI of larger S-boxes
Many existing S-boxes use small S-boxes to build larger ones
CLEFIA
Crypton
Fantomas
ICEBERG
Khazad
Robin (iterative implementation)
Scream v3
Whirlpool
Can we achieve better results? Can we take advantage of iterative implementation?
From small to large S-box: SPN
[Figure: SPN structure with S-boxes F1, F2 and layer A]
Structure used for: Iceberg, Khazad, Whirlpool, ...
16! choices for F1 and F2
→ F1, F2 easy to share 4-bit S-box → 35
A: bit permutation, 8!
A: F16-linear layer, 61200
Constant: 256
Cost ≃ 2^32
From small to large S-box: Feistel
[Figure: Feistel structure with round function F1]
Structure used for: Robin, Scream v3, ...
Structure well studied up to 3 rounds
2^64 choices for F1
Feistel gives uniformity for "free" (if F1 can be computed in one clock cycle)
Reduce the search space
Affine equivalence: F1 = A ◦ F ◦ B + C
[Figure: Feistel diagrams with labels A ◦ F ◦ A^-1, F, A^-1, A]
Reduce the search space from all 2^64 functions to functions of the form A ◦ F + C
F is an instance of an affine class
A is an affine permutation
C is a linear mapping
Cost ≃ 2^46.5 ⇒ use GPUs
Cryptographic properties
Bijective
Non-linearity
Differential uniformity
Algebraic degree
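
How these properties are measured for an 8-bit S-box built as a balanced Feistel with identical round functions, as an added example that is not code from the talk or the paper. The round function is a stand-in (the PRESENT 4-bit S-box, an assumption), not one of the functions found by the search; linearity is taken as the largest absolute Walsh coefficient.

```python
# Added example; PRESENT_SBOX is a stand-in round function (assumption).
PRESENT_SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]

def feistel_sbox(f, rounds):
    """8-bit table of a balanced Feistel reusing the 4-bit function f."""
    table = []
    for x in range(256):
        left, right = x >> 4, x & 0xF
        for _ in range(rounds):
            left, right = right, left ^ f[right]
        table.append((left << 4) | right)
    return table

def butterfly(vec, op):
    """In-place butterfly shared by the Walsh and Moebius transforms."""
    h = 1
    while h < len(vec):
        for i in range(0, len(vec), 2 * h):
            for j in range(i, i + h):
                vec[j], vec[j + h] = op(vec[j], vec[j + h])
        h *= 2
    return vec

def diff_uniformity(s):
    """Largest DDT entry over nonzero input differences."""
    best = 0
    for a in range(1, len(s)):
        row = [0] * len(s)
        for x in range(len(s)):
            row[s[x] ^ s[x ^ a]] += 1
        best = max(best, max(row))
    return best

def linearity(s):
    """Largest |Walsh coefficient| over nonzero output masks."""
    best = 0
    for b in range(1, len(s)):
        signs = [1 - 2 * (bin(b & y).count("1") & 1) for y in s]
        spectrum = butterfly(signs, lambda u, v: (u + v, u - v))
        best = max(best, max(abs(w) for w in spectrum))
    return best

def algebraic_degree(s):
    """Highest monomial degree in the ANF of any output bit."""
    deg = 0
    for bit in range(len(s).bit_length() - 1):
        anf = butterfly([(y >> bit) & 1 for y in s], lambda u, v: (u, u ^ v))
        deg = max(deg, max((bin(m).count("1") for m in range(len(s)) if anf[m]), default=0))
    return deg
```

With this stand-in round function, one round yields differential uniformity 256 and linearity 256, and two rounds yield differential uniformity 64.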
Comparison
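| S-box | Diff. | Lin. | Deg. | TI area, iter. [GE] | TI area, raw [GE] | TI stage # | TI mask # | Type |
|---|---|---|---|---|---|---|---|---|
| AES (Best Known) | 4 | 32 | 7 | | 4244 | 5 | 48 | Inversion |
| | | | | | 3708 | 3 | 44 | |
| | | | | | 3653 | 3 | 44 | |
| | | | | | 2835 | 3 | 32 | |
| Whirlpool | 8 | 56 | 7 | | 2203 | 9 | 0 | SPN |
| SB4 (this work) | 8 | 56 | 7 | 202 | 1507 | 5 | 0 | Feistel |
| SB3 (this work) | 8 | 60 | 7 | 273 | 1498 | 4 | 0 | SPN |
| ICEBERG | 8 | 64 | 7 | | 2115 | 9 | 0 | SPN |
| Khazad | 8 | 64 | 7 | | 2062 | 9 | 0 | SPN |
| Scream v3 | 8 | 64 | 6 | | 2204 | 6 | 0 | Feistel |
| Fantomas | 16 | 64 | 5 | | 766 | 4 | 0 | SPN |
| Robin | 16 | 64 | 6 | 319 | 1180 | 6 | 0 | Feistel |
| SB1 (this work) | 16 | 64 | 6 | 51 | 1189 | 8 | 0 | SPN |
| SB2 (this work) | 16 | 64 | 4 | 253 | 631 | 2 | 0 | SPN |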
Same round functions allow us to make an iterative implementation
Interesting tradeoffs for different implementations
No 8-bit balanced Feistel with identical round functions up to 5 iterations achieves better cryptographic properties than SB4
Conclusion
Various S-boxes with decent cryptographic properties and efficient TI
Even for unprotected implementations they are efficient (cf. the paper)
Some S-boxes also behave well in (masked) bitslice implementations (cf. the paper; SB2 has a similar number of AND gates as Robin and Scream v3)
Thanks!
Questions?