Hailiang Fu,Guoqiang Bai,Xingjun Wu

DOI: https://doi.org/10.1007/978-3-319-59608-2_39

2016-01-01

Abstract:Implementations of the SM4 algorithm, including different hardware applications with limited resources, are vulnerable to Side-Channel Attacks. This paper presents a countermeasure against such attacks by adding a random “mask” to the input plaintext and protect all variables through the whole encryption process. As is known to all, the unique nonlinear step in each round of SM4 algorithm is the “S-Box” and the previous works using lookup-table method to implement the S-Box always incur large area and high power. Here we give the compact design of masked S-Box using the normal basis in the composite field (consisting of a Galois inversion and several affine transformations). Then we compute the different masks diffused to all the steps in the SM4 algorithm process. The proposed design results in ultra-low cost of hardware and capability to resist first-order differential power analysis (DPA), which is suitable for the resource constrained devices. The synthesis result of masked S-Box shows that the area under the SMIC 0.13 (upmu )m is only about 978-gates, 46.8% fewer than the other works. Further, we apply the pipeline technique to our proposed “masked S-Box”, thereby to the whole masked SM4 algorithm. The results of FPGA implementation present that our works have achieved an ultra-high speed with frequency nearly 551 MHz and the throughput over 70 Gbps.

Jiang Jiuxing,Zhao Yuying,Huang Hai,Xie Guanghui,Hou Jiao,Feng Xinxin

DOI: https://doi.org/10.11999/jeit190257

2020-01-01

Abstract:Based on the in-depth research on the S-box constitution arithmetic of composite, an area optimized generic low-entropy higher-order masking scheme is proposed in this paper. The low entropy masking method is introduced on GF(2(4)), and the partial module reusing design is adopted, which reduces effectively the number of multiplications based on the S-box inversion operation of the composite. The algorithm can be applied to any order masking scheme of arbitrary S-box composed of inversion operation. This scheme is applied to AES, gives detailed simulation results and optimizes the layout area, compared with the traditional masking scheme, reduces effectively the use of logical resources. In addition, the security is theoretically proved.

LIANG Hao,WU Li-ji,ZHANG Xiang-min

DOI: https://doi.org/10.19304/j.cnki.issn1000-7180.2015.05.004

2015-01-01

Abstract:In this paper, a new method based on composite field is proposed. Through isomorphism bit matrices, the calculation by changing finite field inversion from GF(28) to GF(((22)2)2) is simplified to reduce the computational difficulty and a more compact S-box is realized. The area decreases by 27% than Look-up Table. On the basis of that, the SM4 algorithm is implemented. The area of this IP core is only 7 612 gates synthesized under the smic0.13 μmCMOS process. Therefore this improved design is very helpful for area-limited condition such as IC cards.

Dongyan Zhao,Yubo Wang,Yan Li,Xiaobo Hu,Yanyan Yu,Shi Chen,Shihui Zheng

DOI: https://doi.org/10.3390/electronics13122326

IF: 2.9

2024-06-15

Electronics

Abstract:Differential computation analysis (DCA) is a powerful method for extracting secret information from carefully designed white-box schemes without reverse engineering. Consequently, white-box solutions typically require substantial storage and computing resources to withstand DCAs, as demonstrated by the schemes proposed by Zhang et al. and Yuan et al. for the ISO/IEC standard algorithm SM4. Our approach employs Boolean masking to obscure the correlation between the key and intermediate states. Additionally, we introduce nonlinear permutations to reuse random mask values, thereby reducing space consumption. Experimental results indicate that DCAs against both the simplified version and the algebraic enhancement version of our scheme fail to retrieve the correct keys. Moreover, the former version can be implemented with approximately 1.62 MB of memory and the latter with 7.8 MB, which is much less than 24.3 MB (Zhang et al.) and 34.5 MB (Yuan et al.). Consequently, our design can thwart first-order DCA with lower overhead.

engineering, electrical & electronic,computer science, information systems,physics, applied

Sihang Pu,Zheng Guo,Junrong Liu,Dawu Gu,Yingxuan Yang,Xiaoke Tang,Jie Gan

DOI: https://doi.org/10.1109/cis.2017.00059

2017-01-01

Abstract:SM4, a proposed commercial block cipher to be used in IEEE 802.11i standard, has been widely performed in the Chinese National Standard for Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure). Although it provides mathematical security in theory, implementation of the algorithm can be vulnerable to some side-channel analysis, especially Differential Power Analysis (DPA). To counter this kind of attacks, various masking schemes and other countermeasures have been well developed. In this paper, we propose and implement a new masking scheme for SM4 to defend DPA-like attacks. This countermeasure is based on Boolean matrix product masking which is a provable security masking scheme and consists of both additive Boolean masking and inner product masking directions. We develop a first variant version of this full-masking scheme on SM4 and implement it particularly on ATMega2560 in pure C language. Though the security potential of this matrix masking scheme has been proved, we evaluate performance and efficiency of this masking scheme through experiments in the paper.

Wei Wei,Cui Xiaoxin,Wu Di,Li Rui,Ma Kaisheng,Yu Dunshan,Cui Xiaole

DOI: https://doi.org/10.1109/icsict.2012.6466685

2012-01-01

Abstract:A masking scheme of AES algorithm is analyzed, and the optimal masked S-box is implemented in this paper. By using the "tower field" representation, all nonlinear process of unmasked S-box is mapped to multiplication in GF(2), which is a single AND gate in circuits, and power consumption is hidden by using additive masked. In order to further reduce the hardware cost, a simplified masked AND gate is adopted and masks are reused safely. Both gate-level simulation and FPGA testing result have proved that our implementation provides good resistance against DPA attack.

Hailiang Fu,Guoqiang Bai,Xingjun Wu

DOI: https://doi.org/10.1109/ITNEC.2016.7560361

2016-01-01

Abstract:This paper presents an iterative encryption architecture of SM4 arithmetic in combinational logic. Previous works using Lookup Tables to implement the Sbox function have relied on circuits with a large area. Using the Normal Basis in the Composite Field, the proposed design reduces the circuits' area. We test all feasible sets of Normal Basis and finally find 8 sets for correct encryption of SM4. Through the simulation in Modelsim, the proposed architecture achieves the right result within 32 rounds. Compared with the other designs, our design uses less hardware and has a big advantage in resource constrained applications.

Wei Li,Guoqiang Bai,Xingjun Wu

DOI: https://doi.org/10.1109/EDSSC.2018.8487087

2018-01-01

Abstract:In this paper, we implemented the SM4 block cipher algorithm based on both composite filed S-box and look up tables (LUTs) S-box. We also explored the performance of SM4 against machine learning attack, including conventional classifiers, SVM for example, and convolutional neural network (CNN). Implementation of SM4 based on composite filed S-box has a great advantage on area consumption compared with conventional implementation based on LUTs, which can be widely used in resource constrained applications. On the other hand, power attack based on CNN poses a serious threat to the security of block cipher using S-box in LUTs, while experiment show that SM4 using composite filed S-box has a better security against linear classifiers and CNN attack.

XU Yan-hua,BAI Xue-fei,GUO Li

2009-01-01

Journal of University of Science and Technology of China

Abstract:In order to solve the problem of the implementation algorithm of S-box based on the inversion transformation over Galois field,methods such as composite field computation,altering calculation order and sharing factors have been used to optimize operations.A low hardware overhead implementation algorithm of S-box based on the inversion transformation approach from GF(28) to GF(22) was presented.Compared with the implementations based on look-up table method,this algorithm can reduce circuit area by 34%~68% using 0.18 μm and 0.35 μm CMOS technology.This design method can make SMS4 algorithm more suitable for area-critical devices.

Yi-cheng CHEN,Xue-cheng ZOU,Zheng-lin LIU,Xiao-fei CHEN,Yu HAN

DOI: https://doi.org/10.1016/s1005-8885(08)60087-4

2008-01-01

Abstract:It is an important challenge to implement a low- cost power analysis immune advanced encryption standard (AES) circuit. The previous study proves that substitution boxes (S-Boxes) in AES are prone to being attacked, and hard to mask for its non-linear characteristic. Besides, large amounts of circuit resources in chips and power consumption are spent in protecting S-Boxes against power analysis. Thus, a novel power analysis immune scheme is proposed, which divides the data-path of AES into two parts: inhomogeneous S-Boxes instead of fixed S-Boxes are selected randomly to disturb power and logic delay in the non-linear module; at the same time, the general masking strategy is applied in the linear part of AES. This improved AES circuit was synthesized with united microelectronics corporation (UMC) 0.25 μm 1.8 V complementary metal-oxide-semiconductor (CMOS) standard cell library, and correlation power analysis experiments were executed. The results demonstrate that this secure AES implementation has very low hardware cost and can enhance the AES security effectually against power analysis.

Yue WANG,Shu-guo LI

DOI: https://doi.org/10.19304/j.cnki.issn1000-7180.2014.07.003

2014-01-01

Abstract:SBOX is the most time consuming part in block cipher SM4 algorithm ,so it′s of great importance to construct a sbox of high performance .In order to reduce latency of encryption algorithms in SM4 ,We introduce the N-dimensional hypercube method to construct SBOX ,the delay reduced six percent and the area reduced seventeen percent Compared with the traditional Sbox using look-up table method .what′s more ,this method is portable that it can apply to SBOX transformations of other algorithms .

Xiangyu Li,Pengyuan Jiao,Chaoqun Yang

DOI: https://doi.org/10.1088/1674-4926/42/3/032402

2021-01-01

Abstract:A side-channel attack (SCA)-resistant AES S-box implementation is proposed, which is an improvement from the power-aware hiding (PAH) S-box but with higher security and a smaller area. We use the composite field approach and apply the PAH method to the inversion in the nonlinear kernel and a masking method to the other parts. In addition, a delay-matched enable control technique is used to suppress glitches in the masked parts. The evaluation results show that its area is contracted to 63.3% of the full PAH S-box, and its power-delay product is much lower than that of the masking implementation. The leakage assessment using simulation power traces concludes that it has no detectable leakage under t-test and that it at least can thwart the moment-correlation analysis using 665 000 noiseless traces.

Qianmei Wu,Wei Cheng,Sylvain Guilley,Fan Zhang,Wei Fu

DOI: https://doi.org/10.46586/tches.v2022.i3.192-222

2022-01-01

IACR Transactions on Cryptographic Hardware and Embedded Systems

Abstract:Code-based masking is a highly generalized type of masking schemes, which can be instantiated into specific cases by assigning different encoders. It captivates by its side-channel resistance against higher-order attacks and the potential to withstand fault injection attacks. However, similar to other algebraically-involved masking schemes, code-based masking is also burdened with expensive computational overhead. To mitigate such cost and make it efficient, we contribute to several improvements to the original scheme proposed by Wang et al. in TCHES 2020. Specifically, we devise a computationally friendly encoder and accordingly accelerate masked gadgets to leverage efficient implementations. In addition, we highlight that the amortization technique introduced by Wang et al. does not always lead to efficient implementations as expected, but actually decreases the efficiency in some cases. From the perspective of practical security, we carry out an extensive evaluation of the concrete security of code-based masking in the real world. On one hand, we select three representative variations of code-based masking as targets for an extensive evaluation. On the other hand, we aim at security assessment of both encoding and computations to investigate whether the state-of-the-art computational framework for code-based masking reaches the security of the corresponding encoding. By leveraging both leakage assessment tool and side-channel attacks, we verify the existence of “security order amplification” in practice and validate the reliability of the leakage quantification method proposed by Cheng et al. in TCHES 2021. In addition, we also study the security decrease caused by the “cost amortization” technique and redundancy of code-based masking. We identify a security bottleneck in the gadgets computations which limits the whole masked implementation. To the best of our knowledge, this is the first time that allows us to narrow down the gap between the theoretical security order under the probing model (sometimes with simulation experiments) and the concrete side-channel security level of protected implementations by code-based masking in practice.

PAN Hong-liang,GAO De-yuan,ZHANG Sheng-bing,CAO Liang-shuai

DOI: https://doi.org/10.3969/j.issn.1000-7180.2006.03.031

2006-01-01

Abstract:S-Box is the key step of hardware implementation of AES, which can be designed by two approaches. The first method is constructing a single circuit directly from the look-up table. The second method is using the inverse transformation in Galois field. This paper first maps an element in GF(28) to the corresponding element in GF(24)2 and expresses the element in GF(24)2 by the linear sum of two elements in GF(24), and then presents a low hardware overhead implementation algorithm of S-Box based on the inverse transformation approach from GF(28) to GF(24). Compared with look-up tables' implementation, this algorithm can reduce area by 57% and is suitable for smart cards or mobile devices that need small area.

Zhao-Huei Wang,Xiao Zhang,Sitao Wang,Zhisong Hao,Zhiming Zheng

2014-01-01

Abstract:The hardware implementation of the Substitution-Box (S-box) of the Advanced Encryption Standard (AES) always employs composite field GF ((2)) to obtain better efficiency. In this paper, an improved class of S-boxes by direct inversion in composite field is presented, and the choice of the subfield leading to the most efficient implementation is discussed. Eliminating the field isomorphic transformations, such a composite field is easier to fix and the resulting hardware implementation is more efficient than that of AES S-box. Some common cryptographic characteristics for the composite field based S-boxes are examined, and it turns out that direct inversion in composite field does not weaken the cryptographic characteristics. In addition, a demonstration for the immunity against the potential algebraic attack on AES with the replacement of our S-box is given, and it is proven that the revised AES is even more secure than the original AES against the algebraic attack. As a result of this work, it could be predicted that the isomorphism implies equal immunity from certain cryptanalysis. Our S-box is suitable for the area-limited hardware production. Keywords–AES; Composite field; S-box; Hardware implementation.

Chaoqun Yang,Xiangyu Li,Shujuan Yin

DOI: https://doi.org/10.1109/TrustCom/BigDataSE.2018.00217

2018-01-01

Abstract:Power-Aware Hiding (PAH) has been proposed as a kind of energy-efficient Side Channel Attacks (SCA) countermeasure for S-boxes. However, it has large area overhead. In this paper, an improved SCA-resistant AES S-box implementation, which is based on PAH technique but has smaller area, is proposed. It implements the S-Box in the masked composited field approach but applies the PAH method to the inversion in GF(2^4). Evaluation result shows that its area is shrunken to 47.7% of the full PAH S-box, and that its power-delay product is about 81% lower than that of the traditional masking implementation. Simulation shows that the PAH inverteru0027s power difference is smaller than the other candidates, including the PAH S-box. It is secure under moment-correlating power analysis with 70,000 noiseless power traces at least.

刘政林,曾永红,邹雪城,陈黎明,陈毅成,韩煜

DOI: https://doi.org/10.3969/j.issn.0255-8297.2008.06.013

2008-01-01

Journal of Applied Sciences

Abstract:A full-custom AES S-box architecture based on composite field is proposed.In this S-box,pass transmission gate(PTG) logic style is used to obtain a compact and low-power data-path circuit.Latches controlled by an asynchronous handshake circuit are inserted in the data-path to prevent propagation of the signal glitch,resulting in reduction of the total S-box circuit power.The property of resisting differential power analysis(DPA) attack of the S-box is improved by inserting random delay chains.The layout-simulations for the S-box circuit using 0.25 μm CMOS technology show that it has low power consumption and highsecurity,and remains small-area overhead as in the corresponding composite field S-box.

Chao Jin,Zhejing Bao,Weiwei Miao,Zeng,Xiaogang Wei,Rui Zhang

DOI: https://doi.org/10.1109/access.2023.3290211

2021-01-01

Abstract:The white-box implementation of cryptography algorithm can hide key information even in the white-box attack context owing to the means of obfuscation. However, under the deliberately designed attack, there is still a risk of the information being recovered within a certain time complexity. In this paper, a lightweight nonlinear white-box SM4 implementation is proposed to prevent several typical attacks from extracting the secret key, which hides the encryption and decryption process in obfuscated lookup tables. Aiming to improve the diversity and ambiguity of the lookup tables as well as resist the different types of white-box attacks, the random bijective nonlinear mappings are applied as scrambling encodings of the lookup tables. Moreover, the memory occupation of the implementation doesn't increase significantly by simplifying the structure and using concatenation code. Through several quantitative indicators, including memory size, diversity, ambiguity, the time complexity required to extract the key, and the value space of the key and external encodings, it is proved that the security of the proposed implementation could been enhanced significantly, while no sacrificing the practicality, compared with the existing schemes.

Xiaoqiang Zhang,Xinggan Zhang,Lan Tang,Xinxing Zheng,Tianming Ni,Ning Wu

DOI: https://doi.org/10.1587/elex.17.20200035

2020-01-01

IEICE Electronics Express

Abstract:In this paper, a low critical path delay (CPD) circuit structure is proposed for composite field S-box circuit. In the low CPD structure, multiplicative inverse over GF(2(4)) and multiplicative over GF(2(4)) are constructed by AND-XOR-networks. The XOR-networks in the last two multiplications over GF(2(4)) are further merged with the following constant matrix multiplication operation to shorten the CPD. Finally, hardware complexities of our designs are compared with previous works. The comparisons indicate that our proposed method is effective. Our design of S-box/InvS-box based on the proposed method has lower CPD.

Yicheng Chen,Xuecheng Zou,Zhenglin Liu,Yu Han,Zhaoxia Zheng

2008-01-01

Abstract:Substitution boxes (S-Boxes) in advanced encryption standard (AES) are vulnerable to attacks by power analysis.The general S-Boxes masking schemes in circuit level need to adjust the design flow and library databases.The masking strategies in algorithm level view each S-Box as an independent module and mask them respectively,which are costly in size and power for non-linear characteristic of S-Boxes. The new method uses dynamic inhomogeneous S-Boxes instead of traditional homogeneous S-Boxes,and arranges the S-Boxes randomly.So the power and data path delay of substitution unit become unpre- dictable.The experimental results demonstrate that this scheme takes advantages of the circuit character- istics of various S-Box implementations to eliminate the correlation between crypto operation and power.It needs less extra circuits and suits resource constrained applications.