On the Simplicity of Converting Leakages from Multivariate to Univariate
21. Aug. 2013
Amir Moradi, Oliver Mischke
Embedded Security Group + Hardware Security Group, Ruhr University Bochum, Germany
Embedded Security Group

Outline
Definitions, Masking, etc.
Target masking scheme
The story behind our findings
Practical issues
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi

Masking
Well-known SCA countermeasure to make the SC leakages independent of expected intermediate values
Randomness is required
Let's consider the most common one, Boolean Masking
Figure: Sbox with inputs p, k and output S(p⊕k); masked Sbox with inputs p, k, m, m' and output S(p⊕k)⊕m'

Univariate vs. Multivariate Attacks
Figure: Sbox with inputs p, k and output S(p⊕k); masked Sbox with inputs p, k, m, m' and output S(p⊕k)⊕m'
DPA/CPA/MIA
bivariate MIA
combining: DPA/CPA
– multiply: 2nd order bivariate
– addition: 1st order bivariate
– squaring: 2nd order univariate

Masking in Hardware
Pre-computing the masked tables in software
– Sequential operations, time consuming, low efficiency
High efficiency is desired in HARDWARE
– amongst the main reasons
ad-hoc/heuristic schemes
Processing the mask (m) and masked data (i⊕m) simultaneously
– joint distribution of SC leakages, mainly because of GLITCHES
– possible attacks
Systematic schemes
– Threshold Implementation, security against 1st order attacks
Desired: security against univariate attacks of any order
Figure: masked Sbox with inputs i⊕m, m and output S(i)⊕m'

Target Scheme
Prouff, Roche: Higher-Order Glitches Free Implementation of the AES Using Secure Multi-party Computation Protocols. CHES 2011.
Multi-party computation + Shamir's secret sharing
Basic GF(2^8) operations, e.g., addition is easy
– Multiplication needs more effort
An Sbox computation
Our goal
– Hardware implementation using minimum settings
– Using a Virtex-5 FPGA (SASEBO-GII)
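The Shamir-sharing building block behind the target scheme, as an added Python illustration that is not the paper's or the talk's code: a byte is split over a random degree-d polynomial in GF(2^8) (d = 1 gives the three shares the talk refers to), addition is share-wise and needs no interaction, while multiplication doubles the polynomial degree and needs n >= 2d+1 shares plus a re-sharing round, which is the "more effort". The BGW-style degree reduction used here is an assumption about the general approach; the paper's actual multiplication protocol is not reproduced.

```python
import random

# --- GF(2^8) arithmetic with the AES polynomial x^8 + x^4 + x^3 + x + 1 ---
def gf_mul(a: int, b: int) -> int:
    """Multiply two field elements (bytes) in GF(2^8)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    """Inverse via a^254 (a^255 = 1 for every non-zero a)."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def lagrange_at_zero(points):
    """lambda_j with P(0) = sum_j lambda_j * P(alpha_j) for deg(P) < len(points)."""
    lam = []
    for j, aj in enumerate(points):
        l = 1
        for m, am in enumerate(points):
            if m != j:
                # (0 - alpha_m) / (alpha_j - alpha_m); in characteristic 2, minus is XOR
                l = gf_mul(l, gf_mul(am, gf_inv(aj ^ am)))
        lam.append(l)
    return lam

def share(secret: int, d: int, n: int, rng) -> list:
    """Split a byte into n shares on a random degree-d polynomial P with P(0) = secret.
    Share i is P(alpha_i) at the public points alpha_i = i (distinct and non-zero).
    Any d or fewer shares are independent of the secret."""
    coeffs = [secret] + [rng.randrange(256) for _ in range(d)]
    out = []
    for alpha in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation
            y = gf_mul(y, alpha) ^ c
        out.append(y)
    return out

def reconstruct(shares: list) -> int:
    """Interpolate P(0) from the shares at alpha_i = 1..n (needs n > deg P)."""
    lam = lagrange_at_zero(list(range(1, len(shares) + 1)))
    s = 0
    for l, y in zip(lam, shares):
        s ^= gf_mul(l, y)
    return s

def add_shares(a: list, b: list) -> list:
    """Addition is share-wise: each party XORs its own two shares, no interaction."""
    return [x ^ y for x, y in zip(a, b)]

def mul_shares(a: list, b: list, d: int, rng) -> list:
    """Multiplication: share-wise products lie on a degree-2d polynomial, so it needs
    n >= 2d+1 shares and a re-sharing (degree-reduction) round to get back to degree d."""
    n = len(a)
    if n < 2 * d + 1:
        raise ValueError("need at least 2d+1 shares to multiply")
    prod = [gf_mul(x, y) for x, y in zip(a, b)]        # degree-2d sharing of a*b
    resh = [share(p, d, n, rng) for p in prod]          # party i re-shares its product share
    lam = lagrange_at_zero(list(range(1, n + 1)))
    # party j combines what it received: sum_i lambda_i * R_i(alpha_j) is a degree-d share of a*b
    out = []
    for j in range(n):
        y = 0
        for i in range(n):
            y ^= gf_mul(lam[i], resh[i][j])
        out.append(y)
    return out

def roundtrip(secret: int, d: int, n: int, seed: int = 0) -> int:
    """Share then reconstruct; returns the secret for any seed when n >= d+1."""
    return reconstruct(share(secret, d, n, random.Random(seed)))

def demo(seed: int = 1, d: int = 1, n: int = 3):
    """Default d = 1, n = 3: the three-share setting of the target scheme.
    Constructed inputs 0x53 and 0xCA (mutual inverses in GF(2^8)); returns the
    reconstructed sum and product."""
    rng = random.Random(seed)
    x, y = 0x53, 0xCA
    sx, sy = share(x, d, n, rng), share(y, d, n, rng)
    s_add = reconstruct(add_shares(sx, sy))
    s_mul = reconstruct(mul_shares(sx, sy, d, rng))
    return s_add, s_mul

if __name__ == "__main__":
    print(demo())
```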

Target Scheme - Design

Target Scheme - Performance
66 clock cycles for Inversion, 66 clock cycles for Affine
– One Sbox in 132 clock cycles
One full SubBytes in 132 × 16 = 2112 clock cycles
One full MixColumns + AddRoundKey in 12 × 16 = 192 clock cycles
Hard to convince the industry sector? Getting close to software? Gaining univariate resistance at what price?

Target Scheme - Evaluation
A variant by processing all three shares at the same time
![Page 61: On the Simplicity of Converting · 8/21/2013 · Amir Moradi, Oliver Mischke Embedded Security Group + Hardware Security Group Ruhr University Bochum, Germany. 2 Embedded Security](https://reader034.fdocuments.us/reader034/viewer/2022050406/5f83a2ae63859c76330e4cee/html5/thumbnails/61.jpg)
61
Embedded Security Group
Target Scheme ‐ Evaluation Original Design, 3MHz
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
62
Measurement Setup
69
Measurement Setup
Standard Setup
Amplified Setup
70
Target Scheme – Evaluation (Standard Setup)
Original Design, 3 MHz
71
Standard vs. Amplified Setup
Exemplary Design
76
SAKURA‐G
78
Efficiency as a Factor
80
Efficiency as a Factor
Original Design, Standard Setup, 24 MHz
91
Summing Up / Future Issues
Cost of univariate resistance
  – security‐performance tradeoff
  – processing the shares consecutively
A light at the end of the tunnel by [pure] masking in hardware?
  – slowly reaching the software performance?
    • making a processor by giant hardware?
  – relatively easy ways to combine the leakages
    • measurement setup & high clock freq.
What to do when evaluating a countermeasure / product?
  – without any addition/modification on measurement setup?
    • not fair, the attacker may do it
  – with any sophisticated measurement setup?
    • not fair, its security relies on a univariate leak‐free scheme
92
Thanks! Any questions?
Embedded Security Group, Ruhr University Bochum, Germany