International Association for Cryptologic Research


Transactions on Cryptographic Hardware and Embedded Systems, Volume 2024

Low-Latency Masked Gadgets Robust against Physical Defaults with Application to Ascon


Gaëtan Cassiers
Crypto Group, ICTEAM, UCLouvain, Louvain-la-Neuve, Belgium

François-Xavier Standaert
Crypto Group, ICTEAM, UCLouvain, Louvain-la-Neuve, Belgium

Corentin Verhamme
Crypto Group, ICTEAM, UCLouvain, Louvain-la-Neuve, Belgium


Keywords: Lightweight Authenticated Encryption, Masking, Probing Security, Glitches, Transitions, Leakage-Resistance, Leveled Implementations


Abstract

Low-latency masked hardware implementations are known to be a difficult challenge. On the one hand, the propagation of glitches can falsify their independence assumption (which is required for security) and can only be stopped by registers. This implies that glitch-robust masked AND gates (maintaining a constant number of shares) require at least one cycle. On the other hand, Knichel and Moradi's only known single-cycle multiplication gadget that ensures (composable) security against glitches for any number of shares requires additional care to maintain security against transition-based leakages. For example, it cannot be integrated in a single-cycle round-based architecture, which is a natural choice for low-latency implementations. In this paper, we therefore describe the first single-cycle masked multiplication gadget that is trivially composable and provides security against transitions and glitches, and prove its security in the robust probing model. We then analyze the interest of this new gadget for the secure implementation of the future lightweight cryptography standard Ascon, which has good potential for low latency. We show that it directly leads to improvements for uniformly protected implementations (where all computations are masked). We also show that it can be handy for integration in so-called leveled implementations (where only the key derivation and the tag generation are masked, which provides integrity with leakage in encryption and decryption and confidentiality with leakage in encryption only). Most importantly, we show that it is very attractive for implementations that we denote as multi-target, which can alternate between uniformly protected and leveled implementations, without latency overheads and at limited cost. We complete these findings by evaluating different protected implementations of Ascon, clarifying its hardware design space.

Publication

IACR Transactions on Cryptographic Hardware and Embedded Systems, Volume 2024, Issue 3

Artifact

Artifact number
tches/2024/a22

Artifact published
August 15, 2024

Badge
🏆 IACR CHES Results Reproduced

README

ZIP (3377838 Bytes)

How to cite (BibTeX)

Gaëtan Cassiers, François-Xavier Standaert, Corentin Verhamme. Low-Latency Masked Gadgets Robust against Physical Defaults with Application to Ascon. (2024). IACR Transactions on Cryptographic Hardware and Embedded Systems, 2024(3), 603-633. https://doi.org/10.46586/tches.v2024.i3.603-633. Artifact available at https://artifacts.iacr.org/tches/2024/a22