Abstract:
Threshold Implementation (TI) is one of the most
widely used countermeasures for side-channel attacks. Over the
years, several TI techniques have been proposed for randomizing
cipher execution using different variations of secret-sharing and
implementation techniques. For instance, sharing without decomposition (4-shares) is the most straightforward implementation
of the threshold countermeasure. However, its usage is limited due
to its high area requirements. On the other hand, sharing using
decomposition (3-shares) countermeasure for cubic non-linear
functions significantly reduces area and complexity in comparison
to 4-shares. Nowadays, security of ciphers using a side-channel
countermeasure is of utmost importance. This is due to the wide
range of security-critical applications, from smart cards and
battery-operated IoT devices to accelerated crypto-processors. Such
applications have different requirements (higher speed, energy
efficiency, low latency, small area, etc.) and hence need different
implementation techniques. Although many TI strategies and
implementation techniques are known for different ciphers,
there is no single study comparing these on a single cipher.
Such a study would allow a fair comparison of the various
methodologies. In this work, we present an in-depth analysis
of the various ways in which TI can be implemented for a
lightweight cipher. We chose GIFT for our analysis as it is
currently one of the most energy-efficient lightweight ciphers.
The experimental results show that different implementation
techniques have distinct applications. For example, the 4-shares
technique is good for applications demanding high throughput
whereas 3-shares is suitable for constrained environments with
less area and moderate throughput requirements. The techniques
presented in the paper are also applicable to other blockciphers.
For security evaluation, we performed TVLA (test vector leakage
assessment) on all the design strategies. Experiments using up
to 50 million traces show that the designs are protected against
first-order attacks.