Journal: International Journal of Circuit Theory and Applications

Beyond algorithmic noise or how to shuffle parallel implementations?

Abstract


Noise is an important ingredient in the security of side-channel-analysis countermeasures. However, physical noise is in most cases not sufficient to achieve high security levels. As a result, designers traditionally aim to emulate noise by harnessing shuffling in the time domain and algorithmic noise in the amplitude domain. On the one hand, harnessing algorithmic noise is limited in architectures/devices that have a limited data-path width. On the other hand, the performance degradation due to shuffling is considerable. A natural complement to operation shuffling is hardware-based intra-cycle shuffling (ICS), which typically shuffles the sample time of bits within a clock cycle (instead of shuffling micro-processor operations). Such an architecture eliminates the performance overhead of shuffling, since the shuffle happens within a single cycle; it is algorithm-independent, i.e., there is no need to partition operations; and, as it is hardware-based, the data-path width can be tailored to better exploit algorithmic noise. In this manuscript, we first analyze the noise components in physical designs to better model the algorithmic noise. We then perform an information-theoretic (IT) analysis of both shuffling countermeasures. The last part of the manuscript deals with the analysis of real-world architectures: an IT analysis of an Advanced Encryption Standard (AES) core implemented over a 32- and a 128-bit wide data-path, embedded with intra-cycle shuffling and two flavors of shuffle generation (memory-based and on-line permutation generation). The manuscript concludes by underlining the benefits that can be achieved with the ICS architecture.
