Paper 2022/1141

An Optimal Universal Construction for the Threshold Implementation of Bijective S-boxes

Enrico Piccione, University of Bergen, Bergen, Norway
Samuele Andreoli, University of Bergen, Bergen, Norway
Lilya Budaghyan, University of Bergen, Bergen, Norway
Claude Carlet, University of Bergen, Bergen, Norway, University of Paris 8, Saint-Denis, France
Siemen Dhooghe, KU Leuven, Leuven, Belgium
Svetla Nikova, University of Bergen, Bergen, Norway, KU Leuven, Leuven, Belgium
George Petrides, University of Cyprus, Nicosia, Cyprus
Vincent Rijmen, KU Leuven, Leuven, Belgium, University of Bergen, Bergen, Norway
Abstract

Threshold implementation is a method based on secret sharing to secure cryptographic ciphers (and in particular S-boxes) against differential power analysis side-channel attacks which was proposed by Nikova, Rechberger, and Rijmen in 2006. Until now, threshold implementations were only constructed for specific types of functions and some small S-boxes, but no generic construction was ever presented. In this paper, we present the first universal threshold implementation with $t+2$ shares that is applicable to any bijective S-box, where $t$ is its algebraic degree (or is larger than the algebraic degree). While being universal, our construction is also optimal with respect to the number of shares, since the theoretically smallest possible number, $t+1$, is not attainable for some bijective S-boxes. Our results enable low latency secure hardware implementations without the need for additional randomness. In particular, we apply this result to find two uniform sharings of the AES S-box. The first sharing is obtained by using the threshold implementation of the inversion in $\mathbb{F}_{2^8}$ and the second by using two threshold implementations of two cubic power permutations that decompose the inversion. Area and performance figures for hardware implementations are provided.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Preprint.
Keywords
AES, DPA, Glitches, Masking, Permutation Polynomials, Sharing, Threshold Implementations, Vectorial Boolean Functions
Contact author(s)
enrico piccione @ uib no
samuele andreoli @ uib no
lilya budaghyan @ uib no
siemen dhooghe @ esat kuleuven be
svetla nikova @ esat kuleuven be
g petrides @ yahoo com
History
2022-12-23: revised
2022-09-01: received
Short URL
https://ia.cr/2022/1141
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2022/1141,
      author = {Enrico Piccione and Samuele Andreoli and Lilya Budaghyan and Claude Carlet and Siemen Dhooghe and Svetla Nikova and George Petrides and Vincent Rijmen},
      title = {An Optimal Universal Construction for the Threshold Implementation of Bijective S-boxes},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1141},
      year = {2022},
      note = {\url{https://eprint.iacr.org/2022/1141}},
      url = {https://eprint.iacr.org/2022/1141}
}