This repository contains source code of hardware implementations related to a TCHES 2023 publication (Volume 2023, Issue 2) titled "Prime-Field Masking in Hardware and its Soundness against Low-Noise SCA Attacks" (https://doi.org/10.46586/tches.v2023.i2.482-518).
Boolean masking is arguably the most well-known countermeasure to protect cryptographic implementations against side-channel analysis attacks. Unfortunately, Boolean masking schemes operating in binary (extension) fields are known to remain "ineffective" when the noise level in adversarial observations is too low. "Ineffective" here means that the cost of applying the countermeasure grows faster in the security parameter than the minimum complexity of attacks against it. Since more and more sophisticated techniques to extract as much information as possible from a minimum number of side-channel observations are discovered/introduced every year, such low-noise attacks are indeed a realistic threat to Boolean masked implementations. Luckily, recent studies show that arithmetic masking schemes in prime-order fields can avoid this issue due to their natural ability to amplify arbitrarily low noise levels. In other words, any adversarial uncertainty about the processed intermediates, however small, can be amplified exponentially in the number of shares, providing exactly the type of exponential security gains that Boolean masking fails to deliver under low-noise conditions.
AES-prime is a block cipher proposed at EUROCRYPT 2023 (https://doi.org/10.1007/978-3-031-30634-1_20) which partially resembles the standard AES (Rijndael), but is based on arithmetic operations modulo a small Mersenne prime instead of binary extension field arithmetic. The goal of the AES-prime design is to illustrate the potential benefits of prime masking by serving as an early study object. We stress that AES-prime does not inherit the mature and well-understood security properties of the AES. It is only used as a proof of concept to demonstrate that block ciphers operating in small and implementation-friendly prime fields can be constructed using similar design principles as common binary-field ciphers and, given the current understanding of cryptanalysis of such instances, may offer similar security levels with a similar number of rounds. Yet, unlike AES-128, which has a 128-bit security claim with 10 cipher rounds, AES-prime with p=2^7-1 has a 112-bit security claim with 14 rounds and has not yet received any third-party cryptanalysis. In the long term, dedicated lightweight ciphers deliberately optimized for masking in prime fields are needed to fully explore the interest of this design space.
In this repository we share RTL source code (VHDL) of our novel masked hardware gadgets for secure squaring in prime fields, which are proven glitch-robust probing secure and composable at arbitrary order under the PINI notion. Concrete implementations for up to 4 shares are provided -- with (PINI SQ Gadgets/Mersenne Prime Fields - Pipeline/) and without (PINI SQ Gadgets/Mersenne Prime Fields - No Pipeline/) optional registers for pipelining. We also share the RTL code of our proven glitch-robust probing secure and composable masked AES-prime S-boxes for the optimized (Ciphers/AES-prime/Masked S-boxes/Optimized - Pipeline/) and the trivial (Ciphers/AES-prime/Masked S-boxes/HPC1 - Pipeline/) composition strategy. Additionally, we provide source code of full round-based AES-prime encryption implementations, unmasked (Ciphers/AES-prime/Round-based Implementation/Unmasked/) and with up to 4 shares (Ciphers/AES-prime/Round-based Implementation/Masked/). Finally, a reference software implementation of the AES-prime encryption written in C is provided in Ciphers/AES-prime/Reference Implementation/aes_prime_enc.c.
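To make the share arithmetic behind a prime-field squaring gadget concrete, the following is an added software model (not code from this repository and not its PINI gadget) of additive masking over GF(p) with p = 2^7 - 1 for up to 4 shares; the ISW-style cross-term refresh and the xorshift PRNG are assumptions chosen for illustration, and the model says nothing about the glitch-robust probing security that the hardware gadgets are proven to have.

```c
/* Added example: additive (arithmetic) masking over GF(p), p = 2^7 - 1,
 * the Mersenne prime of AES-prime.  Plain ISW-style masked squaring in
 * software, written to show how shares of x combine into shares of x^2.
 * It is NOT the repository's proven PINI hardware gadget. */
#include <stdint.h>

#define P 127u          /* Mersenne prime 2^7 - 1 */
#define MAX_SHARES 4    /* the repository provides gadgets for up to 4 shares */

/* Deterministic xorshift PRNG: a stand-in for a real TRNG/DRBG (assumption). */
static uint32_t rng_state = 0x2545F491u;
static uint32_t rand_mod_p(void) {
    rng_state ^= rng_state << 13; rng_state ^= rng_state >> 17; rng_state ^= rng_state << 5;
    return rng_state % P;
}

/* Split secret x in [0, p) into n additive shares with sum(s[i]) = x mod p. */
void share(uint32_t x, uint32_t s[], int n) {
    uint32_t acc = 0;
    for (int i = 1; i < n; i++) { s[i] = rand_mod_p(); acc = (acc + s[i]) % P; }
    s[0] = (x + P - acc) % P;
}

/* Recombine n additive shares modulo p. */
uint32_t unshare(const uint32_t s[], int n) {
    uint32_t acc = 0;
    for (int i = 0; i < n; i++) acc = (acc + s[i]) % P;
    return acc;
}

/* Masked squaring: (sum a_i)^2 = sum a_i^2 + 2 * sum_{i<j} a_i * a_j.
 * Each cross term 2*a_i*a_j is blinded with fresh randomness r before it
 * is added into output shares c_i and c_j, so their sum still equals it. */
void masked_square(const uint32_t a[], uint32_t c[], int n) {
    for (int i = 0; i < n; i++) c[i] = (a[i] * a[i]) % P;
    for (int i = 0; i < n; i++)
        for (int j = i + 1; j < n; j++) {
            uint32_t r = rand_mod_p();
            uint32_t cross = (2u * a[i] * a[j]) % P;    /* 2*126*126 fits easily */
            c[i] = (c[i] + r) % P;
            c[j] = (c[j] + cross + P - r) % P;
        }
}

/* Functional check: recombined masked square must equal x^2 mod p. */
int check_masked_square(uint32_t x, int n) {
    uint32_t a[MAX_SHARES], c[MAX_SHARES];
    share(x, a, n);
    masked_square(a, c, n);
    return unshare(c, n) == (x * x) % P;
}
```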
Please contact Thorben Moos ([email protected]) if you have any questions, comments or if you found a bug that should be fixed.
Please see LICENSE.txt for licensing instructions.