Conference Paper

A Systematic Evaluation of Compact Hardware Implementations for the Rijndael S-Box.

DOI: 10.1007/978-3-540-30574-3_22 Conference: Topics in Cryptology - CT-RSA 2005, The Cryptographers' Track at the RSA Conference 2005, San Francisco, CA, USA, February 14-18, 2005, Proceedings
Source: DBLP

ABSTRACT This work proposes a compact implementation of the AES S-box using composite field arithmetic in GF(((22) 2 ) 2 ). It describes a sys- tematic exploration of different choices for the irreducible polynomials that generate the extension fields. It also examines all possible transfor- mation matrices that map one field representation to another. We show that the area of Satoh's S-box, which is the most compact to our knowl- edge, is at least 5% away from an optimal solution. We implemented this optimal solution and Satoh's design using a 0.18 µm standard cell library.

  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: We provide a comprehensive evaluation of several lightweight block ciphers with respect to various hardware performance metrics, with a particular focus on the energy cost. This case study serves as a background for discussing general issues related to the relative nature of hardware implementations comparisons. We also use it to extract intuitive observations for new algorithm designs. Implementation results show that the most significant differences between lightweight ciphers are observed when considering both encryption and decryption architectures, and the impact of key scheduling algorithms. Yet, these differences are moderated when looking at their amplitude, and comparing them with the impact of physical parameters tuning, e.g. frequency / voltage scaling.
    Proceedings of the 14th international conference on Cryptographic Hardware and Embedded Systems; 09/2012
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: The continuous scaling of VLSI technology and the possibility to run circuits in subthreshold voltage range make it possible to implement standard cryptographic primitives within the very limited circuit and power budget of radio frequency identification (RFID) devices. However, such cryptographic implementations raise concerns regarding their vulnerability to both active and passive side-channel attacks. In particular, when focusing on RFID targeted designs, it is important to evaluate their resistance against low-cost physical attacks. A low-cost fault injection attack can be mounted, for example, by lowering the supply voltage of the chip with the goal of causing setup time violations. In this paper, we provide an in-depth characterization of a chip implementation of the AES cipher. The chip has been designed using a 65-nm low-power standard cell library and operates in a subthreshold voltage range. We first show that it is possible to inject faults (through lowering the supply voltage) compliant with the fault models required to perform attacks against the AES cipher. We then investigate the possibility of predicting, at design time, which parts of the chip are more likely to be sensitive to such fault injection attacks and produce the desirable (from the point of view of the attacker) faulty behavior. Identifying such sensitive logic signals allows us to suggest to the designer a tailored countermeasure strategy for thwarting these attacks, with a minimal impact on the circuit's performance.
    Emerging Topics in Computing, IEEE Transactions on. 06/2014; 2(2):107-118.
  • [Show abstract] [Hide abstract]
    ABSTRACT: Operation in subthreshold region is tested for increasing resistance of the AES S-box against power analysis attacks. The non-linear S-box (substitute bytes) operation is one of the major building blocks of the AES algorithm. A compact 4 stage pipelined and asynchronous S-box is implemented in 90 nm CMOS technology. The S-box is simulated in normal superthreshold and subthreshold operation. The correlation and standard deviation of instantaneous power consumption is calculated. Our simulation results indicate orders of magnitude lower correlation between power consumption and processed data. The increased resistance against power analysis attacks comes at the cost of 340 times longer execution time. Our S-box has a throughput of 7.37 Mbit/s in subthreshold operation. The throughput is increased to 19.88 Mbit/s when introducing 4 pipeline stages.
    NORCHIP, 2008.; 01/2008

Full-text (2 Sources)

Available from
Jun 3, 2014