Paper 2017/1040

Threshold Implementations of GIFT: A Trade-off Analysis

Naina Gupta and Arpan Jati and Anupam Chattopadhyay and Somitra Kumar Sanadhya and Donghoon Chang

Abstract

Threshold Implementation (TI) is one of the most widely used countermeasure for side channel attacks. Over the years several TI techniques have been proposed for randomizing cipher execution using different variations of secret-sharing and implementation techniques. For instance, direct-shares is the most straightforward implementation of the threshold countermeasure. But, its usage is limited due to its high area requirements, whereas, the 3-shares countermeasure for cubic non-linear functions significantly reduces area and complexity compared to direct-shares. Nowadays, security of ciphers using a side channel countermeasure is of utmost importance. This is due to the wide range of security critical applications from smart cards, battery operated IOT devices to accelerated crypto-processors. Such applications have different requirements (higher speed, energy efficiency, low latency, small area etc.) and hence need different implementation techniques. This paper presents an in-depth analysis of the various ways in which TI can be implemented for a lightweight cipher. We chose GIFT for our analysis as it is currently the most energy-efficient lightweight cipher. We present nine different profiles using different implementation techniques and show that no single technique is good for all scenarios. For example, the direct-shares technique is good for high throughputs whereas 3-shares is suitable for constrained environments with less area and moderate throughput requirements. The techniques presented in the paper are also applicable to other blockciphers. For security evaluation, we performed CPA on the 3-shares technique as it has good area versus speed trade-off. Experiments using 3 million traces show that it is protected against first-order attacks.