strong 8-bit sboxes with efficient masking in hardware · s-box y attack 0 200 400 600 800 1000...

RUHR-UNIVERSITÄT BOCHUM

Strong 8-bit Sboxes withE�cient Masking in Hardware

18th August, 2016.

Erik Boss1 Vincent Grosso1 Tim Güneysu2

Gregor Leander1 Amir Moradi1 Tobias Schneider1

1Horst Görtz Institute for IT Security, Ruhr-Universität Bochum, Germany2University of Bremen and DFKI, Germany


Side-channel attacks

Side-channelinformation

0 200 400 600 800 1000 1200 1400 1600 1800 2000

time samples

pow

er

42

inputs

outputs

Vincent Grosso | Strong 8-bit Sboxes with E�cient Masking in Hardware | CHES 2016 2


Masking: principle

x⊕

k

S-box y

Attack

0 200 400 600 800 1000 1200 1400 1600 1800 2000

time samples

pow

er

x⊕

m

k ⊕m

S-box’

C

y ⊕m′

m′

Attack

0 200 400 600 800 1000 1200 1400 1600 1800 2000

time samples

pow

er



Masking: summary

Expecting: number of measurements grows up exponentiallyin the number of shares with noise as a basis

Security conditions

NoiseRandomnessIndependence of the leakages: possible issue in hardware dueto glitches



Threshold implementations

z1

z2

z3

z⊕

f1

f2

f3

y1

y2

y3

⊕y

f

Correctness: the shared functions compute the actualfunctionNon-completeness: each sub-circuit is independent of oneshareUniformity: the output of the shared function is a uniformsharing (use fresh randomness if needed)



Algebraic decomposition

Number of shares for TI:degree of f + 1

z1

z2

z3

...

zt+1

z⊕

f1

f2

f3

...

ft+1

y1

y2

y3

...

yt+1

⊕y⇒

f = h ◦ g

g h

z1

z2

z3

z⊕

g1

g2

g3

y1

y2

y3

h1

h2

h3

x1

x2

x3

⊕x



Di�erent implementation techniques

1F1 2 3 nF2

Sbox

F3F4

Raw

1F 2 3 n

Iterative



Previous work

Exhaustive search for small S-boxes (i.e. n 6 4)4-bit S-boxes: 302 bijective classes ⇒ 35 e�cient TI with 3shares [CHES 2012]

Look for interesting S-boxes and try to �nd a nice thresholdimplementation, e.g.:

AES [EUROCRYPT 2011, Africacrypt 2014] 8-bitFides [CHES 2013] 5-bit, 6-bitKeccak [CARDIS 2013] 5-bit

Large S-box with good cryptographic/thresholdimplementation properties?



Idea

Use results for small S-boxes to �nd TI of larger S-boxes

Lot of existing S-boxes use small S-boxes to build larger one

CLEFIA

Crypton

Fantomas

ICEBERG

Khazad

Robin (iterativeimplementation)

Scream v3

Whirlpool

Can we achieve better results? Can we take advantage ofiterative implementation?



From small to large S-box: SPN

F2F1

A

Structure used for: Iceberg,Khazad, Whirlpool,. . .

16! choices for F1 and F2

→ F1,F2 easy to share4-bit S-box → 35

A bit permutation 8!A F16-linear layer 61200

Constant: 256

Cost ' 232



From small to large S-box: Feistel

F1

Structure used for: Robin,Scream v3,. . .Structure well studied up to 3rounds

264 choices for F1

Feistel gives uniformity for �free� (if F1 can be computed in oneclock cycle)



Reduce the search space

A�ne equivalence: F1 = A ◦ F ◦ B+ C

A ◦ F ◦ A−1F

A−1 A−1

A A

Reduce the search space from all function 264 to function of theA ◦ F+ C

F is an instance of an a�ne classA is an a�ne permutationC is a linear mapping

Cost ' 246.5 ⇒ use GPUs



Cryptographic properties

Bijective

Non-linearity

Di�erential uniformity

Algebraic degree



Comparison

Di�. Lin. Deg.Threshold Implementation

TypeArea[GE] Stage Mask

Iter. raw # #

AES

Best Known 4244 5 48

Inversion3708 3 44

4 32 7 3653 3 442835 3 32

Whirlpool 8 56 7 2203 9 0 SPNSB4 (this work) 8 56 7 202 1507 5 0 FeistelSB3 (this work) 8 60 7 273 1498 4 0 SPNICEBERG 8 64 7 2115 9 0 SPNKhazad 8 64 7 2062 9 0 SPNScream v3 8 64 6 2204 6 0 FeistelFantomas 16 64 5 766 4 0 SPNRobin 16 64 6 319 1180 6 0 FeistelSB1 (this work) 16 64 6 51 1189 8 0 SPNSB2 (this work) 16 64 4 253 631 2 0 SPN



Comparison



Iter. raw # #

AES


Inversion3708 3 44

4 32 7 3653 3 442835 3 32


Same round functions allow us to make iterative implementation



Comparison



Iter. raw # #

AES


Inversion3708 3 44

4 32 7 3653 3 442835 3 32


Interesting tradeo� for di�erent implementation



Comparison



Iter. raw # #

AES


Inversion3708 3 44

4 32 7 3653 3 442835 3 32


No 8-bit balanced Feistel with identical round functions up to 5iterations achieve better cryptographic properties than SB4



Conclusion

Various S-boxes with decent cryptographic properties ande�cient TI

Even for unprotected implementation they are e�cient (cf.the paper)

Some S-boxes have also good behavior for (masked) bitsliceimplementation (cf. the paper, SB2 have similar number ofAND gates as Robin and Scream v3)


Thanks!

Questions?


strong 8-bit sboxes with efficient masking in hardware · s-box y attack 0 200 400 600 800 1000...

Documents