SYSTEM AND METHOD FOR IMPLEMENTING A SPN BLOCK CIPHER WITH MASKED S-BOX UTILIZING FINITE FIELDS

ORDINARY APPLICATION

Published

Filed on 18 November 2024

Abstract

The present disclosure relates to a system (100) for enhancing security of substitution-permutation network (SPN) structure, the system includes a masked S-box (102) architecture integrated into the SPN structure, the masked S-box utilizing composite field arithmetic to compute substitution values of input data in a finite field GF(2⁴). An isomorphic transformation unit (202) configured to map the input data from the finite field GF(2⁴) to a product of smaller fields GF(2²) × GF(2²). A multiplicative inversion unit (204) that computes multiplicative inverse of the input data within composite field GF((2²)²). An inverse isomorphism unit (206) configured to transform result of multiplicative inverse operation back from the composite field GF((2²)²) to a higher-order field GF(2⁴) and an affine transformation unit (208) configured to apply a scaling and addition operation to the transformed computed values.

Patent Information

Application ID: 202441089237
Invention Field: COMMUNICATION
Date of Application: 18/11/2024
Publication Number: 48/2024

Inventors

Name | Address | Country | Nationality
A. PRATHIBA | Associate Professor, Centre for Nanoelectronics and VLSI Design, School of Electronics Engineering, Vellore Institute of Technology, Chennai, Vandalur - Kelambakkam Road, Chennai, Tamil Nadu - 600127, India. | India | India
VK ASHWIN KARTHIK | UG Student, School of Electronics Engineering, Vellore Institute of Technology, Chennai, Vandalur - Kelambakkam Road, Chennai, Tamil Nadu - 600127, India. | India | India
KAMALESHWAR G C | UG Student, School of Electronics Engineering, Vellore Institute of Technology, Chennai, Vandalur - Kelambakkam Road, Chennai, Tamil Nadu - 600127, India. | India | India
A SARAVANA KUMAR | UG Student, School of Electronics Engineering, Vellore Institute of Technology, Chennai, Vandalur - Kelambakkam Road, Chennai, Tamil Nadu - 600127, India. | India | India
SANDEEP KRISHNA V | UG Student, School of Electronics Engineering, Vellore Institute of Technology, Chennai, Vandalur - Kelambakkam Road, Chennai, Tamil Nadu - 600127, India. | India | India
SANJITH RAM V | UG Student, School of Electronics Engineering, Vellore Institute of Technology, Chennai, Vandalur - Kelambakkam Road, Chennai, Tamil Nadu - 600127, India. | India | India

Applicants

Name | Address | Country | Nationality
VELLORE INSTITUTE OF TECHNOLOGY, CHENNAI | Vandalur - Kelambakkam Road, Chennai, Tamil Nadu - 600127, India. | India | India

Specification

Description:

TECHNICAL FIELD
[0001] The present disclosure relates, in general, to lightweight cryptographic systems, and more specifically, relates to a lightweight Substitution-Permutation Network (SPN) block cipher architecture incorporating a masked Substitution Box (S-box) utilizing finite fields to enhance resistance against side-channel attacks.

BACKGROUND
[0002] The field of cryptographic algorithms focuses on addressing critical challenges associated with enhancing security, efficiency, and resilience against side-channel attacks (SCA). Side-channel attacks are a class of cryptographic attacks that exploit physical leakages, such as power consumption or electromagnetic radiation, during cryptographic operations to extract sensitive information, including cryptographic keys. Lightweight cryptographic algorithms, especially Substitution-Permutation Network (SPN) based algorithms such as PRESENT, have gained popularity due to their efficiency in resource-constrained environments like IoT devices. However, these algorithms are inherently prone to side-channel vulnerabilities, necessitating the development of enhanced protection mechanisms.
[0003] In the current state of the art, significant advancements have been made to mitigate the risks posed by side-channel attacks. One key area of focus has been the design of the substitution box (S-box), a non-linear component of cryptographic algorithms, which plays a vital role in ensuring security. Traditional S-box designs, often implemented using look-up tables (LUT), are susceptible to side-channel leakages due to their predictable behavior during cryptographic operations. To counter this, innovative S-box architectures have been introduced, such as the one proposed by Prathiba et al., which is derived from the Euclidean algorithm. This novel design replaces traditional LUT-based S-boxes with a lightweight, non-linear 4x4 S-box implemented in finite fields GF(2⁴) and GF((2²)²), using multiplicative inversion and affine transformation techniques. The combinational finite field S-box architecture not only enhances security but also significantly reduces the gate count for subfield operations by 86.5% in GF((2²)²) compared to GF(2⁴), resulting in a 5% reduction in gate equivalent area compared to LUT-based designs. Additionally, this architecture is designed to support sub-pipelining, ensuring compliance with the highest security standards according to linear and differential cryptanalysis.
[0004] Moreover, the literature highlights several advanced methodologies for resisting side-channel attacks, broadly categorized into techniques such as additive masking, multiplicative masking, threshold implementations, and the Ishai, Sahai, and Wagner (ISW) scheme. Each of these techniques aims to conceal the sensitive intermediate values generated during cryptographic operations, thereby reducing the risk of side-channel leakages.
[0005] Research in this area of additive masking focuses on applying Boolean masking techniques to hide side-channel leakage. For instance, a study demonstrated a Boolean masking scheme applied to the PRESENT algorithm, implemented using high-level synthesis (HLS) and synthesized for an FPGA. This method leverages dynamic logic reconfiguration to conceal leakage effectively while maintaining reasonable overhead and increased throughput. Other studies combine composite field arithmetic with masking to create highly compact and secure S-box designs, particularly for AES, ensuring robust protection against higher-order side-channel attacks. For example, masked implementations of AES using merged architectures have been verified through rigorous mathematical testing to show enhanced resilience against side-channel attacks.
[0006] The method of multiplicative masking involves applying multiplicative masks to cryptographic operations, specifically to non-linear components like the S-box. Research in this domain has explored the development of hardware implementations of AES with multiplicative masking, focusing on optimizing security while minimizing area and performance overhead. For example, studies have introduced hardware designs incorporating multiplicative masks to achieve glitch resistance and protect against univariate or multivariate leakages in cryptographic operations. However, challenges remain in addressing vulnerabilities such as the zero problem and balancing the trade-off between security and complexity.
[0007] Another prominent technique is threshold implementation, which secures cryptographic algorithms by dividing sensitive data into multiple shares. For instance, the Boyar-Peralta AES S-box, known for its minimal depth, has been enhanced using threshold implementations, achieving significant reductions in area, randomness, and clock cycles compared to existing designs. This method is particularly effective in ensuring security without the need for additional randomness.
[0008] The Ishai, Sahai, and Wagner (ISW) scheme focuses on masking non-linear components of cryptographic algorithms, such as the S-box, to resist side-channel attacks. A study on the PRESENT cipher analyzed several implementations of masking schemes, including ISW, and identified it as the most secure approach, particularly due to its ability to protect against side-channel leakage without relying on complex randomization schemes.
[0009] Despite these advancements, there are still significant challenges in optimizing masked implementations of cryptographic algorithms to balance security and performance. For example, the design and manufacture of Application-Specific Integrated Circuits (ASICs), such as the ARES platform, have been used to evaluate various masking schemes for AES implementations. These studies highlight the trade-offs involved in masking non-linear functions like the SubBytes transformation, with a focus on achieving a practical balance between security and computational efficiency.
[0010] Therefore, it is desired to overcome the drawbacks, shortcomings, and limitations associated with existing solutions, and develop a lightweight Substitution-Permutation Network (SPN) block cipher architecture incorporating a masked Substitution Box (S-box) utilizing finite fields to enhance resistance against side-channel attacks.

OBJECTS OF THE PRESENT DISCLOSURE
[0011] An object of the present disclosure relates, in general, to lightweight cryptographic systems, and more specifically, relates to a lightweight Substitution-Permutation Network (SPN) block cipher architecture incorporating a masked Substitution Box (S-box) utilizing finite fields to enhance resistance against side-channel attacks.
[0012] Another object of the present disclosure is to provide a system that enhances security against side-channel power attacks by implementing additive masking techniques, preventing attackers from inferring sensitive information from power consumption variations.
[0013] Another object of the present disclosure is to provide a system that optimizes the S-box operations within lightweight SPN architectures, ensuring that the masking technique introduces minimal computational overhead, making it suitable for resource-constrained devices like IoT systems.
[0014] Another object of the present disclosure is to provide a system that utilizes composite field arithmetic to reduce the complexity of Galois field operations, allowing for efficient computation of substitution values while maintaining high levels of security.
[0015] Another object of the present disclosure is to provide a system that combines both the multiplicative inversion and affine transformation into a compact architecture, minimizing hardware area while preserving cryptographic strength.
[0016] Another object of the present disclosure is to provide a system that employs secure hardware design principles to ensure that no unmasked data is exposed at any stage of computation, effectively mitigating the risk of power analysis attacks.
[0017] Yet another object of the present disclosure is to provide a system that enables reusable cryptographic modules, such as a shared multiplicative inversion module for both encryption and decryption processes, leading to more efficient hardware utilization.

SUMMARY
[0018] The present disclosure relates in general, to lightweight cryptographic systems, and more specifically, relates to a lightweight Substitution-Permutation Network (SPN) block cipher architecture incorporating a masked Substitution Box (S-box) utilizing finite fields to enhance resistance against side-channel attacks. The main objective of the present disclosure is to overcome the drawbacks, limitations, and shortcomings of the existing system and solution, by addressing the vulnerability to Side Channel Attacks (SCA) in lightweight cryptographic implementations utilizing a 4-bit S-box by replacing existing LUT-based approaches and the limited combinatorial 4-bit S-box structures that lack systematic masking capabilities to counteract side channel power or electromagnetic attacks. The proposed solution employs a masked finite field non-LUT architecture for the 4-bit S-box, thereby significantly enhancing security through masking techniques that reduce the correlation between the physical implementation and the secret data. This innovative approach effectively mitigates existing vulnerabilities, providing a more secure foundation for lightweight cryptographic applications within finite fields.
[0019] The present disclosure provides a system for enhancing the security of a substitution-permutation network (SPN) structure, the system comprising a masked S-box architecture integrated into the SPN structure, wherein the masked S-box utilizes composite field arithmetic to compute substitution values of input data in a finite field GF(2⁴). The system further comprises an isomorphic transformation unit configured to map the input data from the finite field GF(2⁴) to a product of smaller fields GF(2²) × GF(2²), and a multiplicative inversion unit that computes the multiplicative inverse of the input data within the composite field GF((2²)²) to prevent the exposure of unmasked data.
[0020] Various objects, features, aspects, and advantages of the inventive subject matter will become more apparent from the following detailed description of preferred embodiments, along with the accompanying drawing figures in which like numerals represent like components.

BRIEF DESCRIPTION OF THE DRAWINGS
[0021] The following drawings form part of the present specification and are included to further illustrate aspects of the present disclosure. The disclosure may be better understood by reference to the drawings in combination with the detailed description of the specific embodiments presented herein.
[0022] FIG. 1 illustrates an exemplary view of the look-up table-based substitution box, in accordance with an embodiment of the present disclosure.
[0023] FIG. 2 illustrates an exemplary block diagram of SPN S-box, in accordance with an embodiment of the present disclosure.
[0024] FIG. 3 illustrates an exemplary view of SPN block diagram with an Unmasked S-box, in accordance with an embodiment of the present disclosure.
[0025] FIG. 4 illustrates an exemplary view of SPN layout with an unmasked S-box, in accordance with an embodiment of the present disclosure.
[0026] FIG. 5 illustrates an exemplary view of SPN layout with a masked S-box, in accordance with an embodiment of the present disclosure.
[0027] FIG. 6 illustrates an exemplary flow chart of a method for enhancing security of substitution-permutation network (SPN) structure, in accordance with an embodiment of the present disclosure.

DETAILED DESCRIPTION
[0028] The following is a detailed description of embodiments of the disclosure depicted in the accompanying drawings. The embodiments are in such detail as to clearly communicate the disclosure. If the specification states a component or feature "may", "can", "could", or "might" be included or have a characteristic, that particular component or feature is not required to be included or have the characteristic.
[0029] As used in the description herein and throughout the claims that follow, the meaning of "a," "an," and "the" includes plural reference unless the context clearly dictates otherwise. Also, as used in the description herein, the meaning of "in" includes "in" and "on" unless the context clearly dictates otherwise.
[0030] Side-channel attacks exploit the physical characteristics of cryptographic algorithm implementations, such as power consumption, electromagnetic emissions, timing, and acoustic signals, rather than targeting the cryptographic algorithms themselves. These attacks enable attackers to infer sensitive information, such as secret keys, by analyzing side-channel data. To mitigate the impact of such attacks, cryptographic systems employ masking techniques that introduce random values to obscure the relationship between the key and the side-channel data, as well as hiding techniques that randomize or minimize side-channel signals. Developing cryptographic architectures with resistance to side-channel attacks is crucial for enhancing the security of cryptographic devices. In Very Large Scale Integration (VLSI) architectures of block cipher implementations, resistance to side-channel attacks is primarily achieved by masking the Substitution box (S-box) operations. Finite field arithmetic has been utilized as an alternative method for implementing the S-box, replacing the traditional Look-Up Table (LUT) structure in Substitution-Permutation Network (SPN) algorithms. This method involves breaking down cryptographic computations into lower-order finite fields and performing the inversion in these fields, thus reducing the area required for S-box implementation and enhancing resistance to power attacks by masking S-box operations within the SPN block cipher.
[0031] The present disclosure proposes a compact masked S-box for lightweight SPN block ciphers, utilizing finite field structures and performing masking inversion on a normal basis. The proposed S-box architecture is implemented and analyzed using the industry-standard electronic design automation (EDA) suite, with a 180 nm technology library, under various operating conditions. Performance evaluations reveal that, under fast conditions, the masked S-box architecture incurs only a 12% increase in worst-case delay, a 68% increase in area, and a 72% increase in power consumption compared to the unmasked version. Under typical conditions, the architecture exhibits a 6% increase in worst-case delay, with no significant change in power or area. Under slow conditions, the masked architecture matches the unmasked version in terms of critical path delay (CPD), area, and power consumption. Additionally, compared to a LUT-based S-box, the proposed masked S-box architecture achieves a 68.8% reduction in cell area and a 94% reduction in power consumption under slow conditions, while maintaining comparable CPD. This masked S-box architecture significantly enhances security against side-channel attacks while optimizing performance, area, and power efficiency compared to conventional LUT-based implementations. The present disclosure can be described in enabling detail in the following examples, which may represent more than one embodiment of the present disclosure.
[0032] The advantages achieved by the system of the present disclosure can be clear from the embodiments provided herein. The system is configured to enhance security against side-channel power attacks by employing additive masking techniques, preventing adversaries from inferring sensitive cryptographic information through power consumption variations. Additionally, the system optimizes S-box operations within lightweight SPN architectures, implementing the masking technique with minimal computational overhead, making it suitable for resource-constrained environments such as IoT devices. The system further utilizes composite field arithmetic to reduce the complexity of Galois field operations, enabling efficient computation of substitution values while maintaining a high level of security. By combining multiplicative inversion and affine transformation into a compact architecture, the system minimizes hardware area while preserving cryptographic strength. Moreover, the system employs secure hardware design principles, ensuring that no unmasked data is exposed during computation, thereby mitigating the risk of power analysis attacks. Furthermore, the system incorporates reusable cryptographic modules, where a shared multiplicative inversion module is utilized for both encryption and decryption processes, leading to more efficient hardware utilization. The description of terms and features related to the present disclosure shall be clear from the embodiments that are illustrated and described; however, the invention is not limited to these embodiments only. Numerous modifications, changes, variations, substitutions, and equivalents of the embodiments are possible within the scope of the present disclosure. Additionally, the invention can include other embodiments that are within the scope of the claims but are not described in detail with respect to the following description.
[0033] FIG. 1 illustrates an exemplary view of look-up table-based substitution box, in accordance with an embodiment of the present disclosure.
[0034] Referring to FIG. 1, the present disclosure provides a secure hardware system 100 for addressing the vulnerabilities in the existing lightweight Substitution Box (S-box) implementation of the Substitution Permutation Network (SPN) encryption algorithm, which is prone to side-channel attacks, by introducing a masked S-box design. The Look-Up Table (LUT)-based S-box 102, as depicted in FIG. 1, performs substitution operations commonly utilized in cryptographic algorithms by precomputing and storing substitution values within a table. This allows for efficient substitution of input values with corresponding output values during encryption and decryption processes. However, LUT-based S-box 102 implementations require additional memory resources to store precomputed values, which poses a constraint in memory-limited environments. Moreover, accessing the LUT 104 introduces observable memory access patterns, rendering it susceptible to side-channel attacks. To mitigate these issues, the present disclosure replaces the LUT-based S-box 102 with a finite field-based S-box, thereby eliminating the reliance on a lookup table, reducing memory utilization, and enhancing resistance to side-channel attacks.
[0035] The present disclosure provides a system for enhancing the security of a substitution-permutation network (SPN) structure, the system comprising a masked S-box architecture integrated into the SPN structure, wherein the masked S-box utilizes composite field arithmetic to compute substitution values of input data in a finite field GF(2⁴). The system further comprises an isomorphic transformation unit configured to map the input data from the finite field GF(2⁴) to a product of smaller fields GF(2²) × GF(2²), and a multiplicative inversion unit that computes the multiplicative inverse of the input data within the composite field GF((2²)²) to prevent the exposure of unmasked data.
[0036] Additionally, the system includes an inverse isomorphism unit configured to transform the result of the multiplicative inverse operation back from the composite field GF((2²)²) to the higher-order field GF(2⁴). The system also incorporates an affine transformation unit configured to apply a scaling and addition operation to the transformed computed values, wherein the system employs additive masking of both the input and output data to prevent the leakage of sensitive cryptographic information during S-box operations, thereby ensuring security in resource-constrained environments and mitigating side-channel power attacks.
[0037] Furthermore, the proposed system eliminates the look-up table (LUT) storage and implements a masked S-box to perform substitution operations, generating output data based on the input data, with additive masking applied to prevent power consumption variations from being exploited in side-channel attacks. The isomorphic transformation unit utilizes a linear mapping function that preserves the operation characteristics in the finite field. The composite field GF((2²)²) is defined using irreducible polynomials for arithmetic operations, and the masked S-box operates with 4-bit input and output data for compatibility with lightweight cryptographic applications. The additive masking ensures that all intermediate values in the S-box computation remain masked throughout the process, effectively mitigating power analysis vulnerabilities. The multiplicative inversion unit employs the extended Euclidean algorithm to compute the multiplicative inverse of the input data within the lower-order composite field. The affine transformation unit utilizes a fixed 4x4 transformation matrix to perform an affine operation on the masked input data. Additionally, the system includes a masked multiplicative inversion unit implemented within the S-box computation, which enhances security against power analysis attacks by combining the input data A with a random mask M, ensuring that unmasked data is not exposed during the computation process.
[0038] FIG. 2 illustrates an exemplary block diagram of SPN S-box, in accordance with an embodiment of the present disclosure. Referring to FIG. 2, substitution box (S-box) 102 serves as a fundamental component in symmetric key cryptographic algorithms, particularly in Substitution-Permutation Network (SPN) block ciphers such as the PRESENT cipher. The S-box 102 is responsible for ensuring security through non-linear transformation by executing a substitution process, wherein each 4-bit input is replaced by a corresponding unique 4-bit output. In the lightweight SPN algorithm, the Galois Field GF(2⁴) is employed because the algorithm operates on 4-bit data blocks. Elements within GF(2⁴) are represented as polynomials of degree less than 4 over GF(2), and an irreducible polynomial of degree 4, such as x⁴ + x + 1, is typically used to define this field. The S-box computation involves two principal sub-steps: determining the multiplicative inverse within the Galois Field and applying an affine transformation to enhance cryptographic security.
Isomorphism
[0039] An isomorphic mapping unit 202 is configured to perform an isomorphic transformation, wherein the input data is mapped into a form more suitable for subsequent arithmetic operations. Specifically, the isomorphic transformation involves mapping an element from the finite field GF(2⁴) into a product of smaller subfields, namely GF(2²) × GF(2²). The isomorphic transformation of these subfields is performed based on the primitive element of the higher-order field. The isomorphism is defined as a one-to-one and onto mapping that preserves the operational characteristics between structures, typically executed as a linear mapping, although additional conditions are applied in certain cases to maintain the structural integrity of the operations.
[0040] For fields, the conditions for isomorphism include:
ϕ(x + y) = ϕ(x) + ϕ(y)
ϕ(x·y) = ϕ(x)·ϕ(y)
ϕ(1) = 1
Multiplicative Inverse unit 204:
[0041] The system computes the Substitution Box (S-box) 102 by performing a multiplicative inverse in the finite field GF(2⁴), followed by an affine transformation; an efficient hardware implementation of the multiplicative inversion unit 204 is essential for the combinational realization of the S-box, enabling enhanced security through masking techniques. The multiplicative inverse is computed using the extended Euclidean algorithm, and to address the complexity of inversion in the higher-order field, a lower-order composite field GF((2²)²) is utilized. In this composite field, with n = 2, m = 2, and k = 2 × 2 = 4, all arithmetic operations are executed based on the corresponding degree field polynomials. The system performs the multiplicative inverse in the composite field by executing a series of predefined steps aimed at optimizing computational efficiency and reducing vulnerability to side-channel attacks:
• An isomorphic transformation from the higher-order field representation GF(2⁴) to the lower-order composite field representation GF((2²)²).
• Multiplicative inversion in the composite field GF((2²)²) using the Euclidean theorem.
• Inverse isomorphic transformation of the result obtained by the multiplicative inverse back to the higher-order field GF(2⁴).
For an element s = aₕ·x + aₗ of GF((2²)²), with aₕ, aₗ ∈ GF(2²), the inverse is:
s⁻¹ = aₕ·θ·x + (aₕ + aₗ)·θ
where θ = [aₕ²·λ + aₗ·(aₕ + aₗ)]⁻¹
[0042] The above equation indicates that computing the inverse in GF((2²)²) requires multiplication, addition, squaring, and multiplicative inversion operations in the Galois field. Each of these operators is transformed into an individual block when constructing the circuit for computing the multiplicative inverse.
[0043] For decryption, the inverse affine transformation is applied first, followed by the computation of the multiplicative inverse. Both the encryption and decryption transformations involve a multiplicative inversion operation, allowing them to share the same multiplicative inversion module within a combined architecture. The process begins with the computation of the multiplicative inverse, followed by the affine transformation to complete the construction methodology of the S-box for encryption. For decryption, the same multiplicative inversion module can be reused in combination with the inverse affine transformation.
Inverse Isomorphic unit 206:
[0044] The present disclosure provides an inverse isomorphic unit 206 that performs inverse isomorphic mapping, transforming data back to its original field representation GF(2⁴) following the non-linear operations. The module is designed to decompose the computation of the inverse into operations conducted within the smaller subfield GF(2²) of the composite field GF((2²)²), thereby enhancing computational efficiency. This approach allows for optimization suitable for hardware implementations, particularly in cryptographic algorithms such as the Substitution-Permutation Network (SPN), ensuring that the transformation is executed with minimal resource utilization while maintaining performance integrity.
Affine Transformation unit 208:
[0045] The present disclosure provides a method for deriving an output by performing an affine transformation on an input value c. The output, represented as a 4-bit vector s, is computed using the equation s = M·c ⊕ b, where M is a fixed 4x4 matrix of bits, b is a 4-bit constant, and c, b, and s are treated as 4-bit vectors. This affine transformation encompasses a series of linear operations and bitwise XOR operations with the constant vector. To optimize area utilization within the S-box, the inverse isomorphic mapping is merged with the affine transformation. Consequently, in VLSI implementations, the inverse mapping δ⁻¹ and affine transformation modules are integrated, thereby minimizing the number of slices occupied by the S-box.
Normal Basis:
• In a normal basis, an element (a₁, a₀) is represented in a form where computations exhibit symmetric properties.
• The inverse of an element (a₁, a₀) is given by:
(a₁, a₀)⁻¹ = (d⁻¹·a₀, d⁻¹·a₁)
where d = (a₁² + a₀²)·v + a₁·a₀
[0046] The system 100 for an unmasked S-box utilized in Substitution-Permutation Network (SPN) encryption, as illustrated in FIG. 2, encompasses multiple components and a defined data flow. The system comprises one Isomorphism block, one Inverse Isomorphism block, two two-input addition blocks, three two-input multiplication boxes, one square-scaling block, and one Inverse block. This unmasked S-box design is configured to ensure that the requisite cryptographic transformations are effectively applied to the input value, thereby achieving the desired level of security during the encryption process.
[0047] The system 100 for a masked S-box within a Substitution-Permutation Network (SPN) utilizes composite field arithmetic to enhance the security of SPN implementations against side-channel attacks. This system 100 incorporates a countermeasure wherein data is masked during calculations by adding or multiplying it with random values. In the SPN round, all computational steps are linear, with the exception of the Galois field inversion sub-step in the S-box. For the other steps, the mask correction calculations are linear; however, a noted vulnerability of multiplicative masking is that a zero data value is retained and remains unmasked during multiplication. Consequently, the use of an additive mask is deemed more suitable and convenient for ensuring comprehensive data protection.
[0048] The present disclosure incorporates an additive masking approach into the compact S-box design of Canright, wherein optimizations similar to those employed in the unmasked S-box are applied to the mask correction terms, resulting in the formation of a compact masked S-box. This additive masking is facilitated by the inclusion of a "random" mask, ensuring that the statistical distribution of the masks appears uniform over the field, thereby rendering the operands seemingly random and uncorrelated to both the plaintext and the key. Consequently, the statistical data observable through side channels is rendered indistinguishable from noise, irrespective of the chosen sets of plaintexts, thus providing enhanced protection for the key. The associated cost of this design is the computational overhead required for the evaluation of the mask correction terms.
[0049] This method addresses the vulnerability of SPN to side-channel attacks, particularly power analysis attacks, by ensuring that no unmasked data is exposed during the computation process. Each and every data path is masked by a symmetric additive masking technique. Inspired by AES masking, the foundation of this design lies in the use of composite field arithmetic, which breaks down complex field operations into simpler, lower-order fields. The process begins with masking the input data A with a random number M, producing a masked input A + M. The inversion operation is challenging to perform in the presence of additive masks. To overcome this, the design uses composite field arithmetic to map the 4-bit input value to elements in GF(2⁴) and further to GF((2²)²). The input A + M is mapped to intermediate field elements Ahm and Alm, and the mask M is mapped to Mh and Ml. The inverse is then computed in these lower fields, ensuring that no unmasked data is present at any stage of the process. The computations involve efficient handling of the masked values. The final implementation using this composite field arithmetic approach is compact, utilizing minimal gates and ensuring security against side-channel attacks.
[0050] Masked Multiplicative Inversion Module:
[0051] Masked inversion is a technique used in cryptographic algorithms to enhance security against power analysis attacks. The key idea of masking is to combine the input data A with a random mask M. This process is applied to all intermediate values to ensure that at no point in the computation is the unmasked data exposed, thus thwarting power analysis attacks. The additive masking is explained below.
[0052] Mask Generation: Before performing an S-box operation, a random mask m is generated.
[0053] Masked Input: The input to the S-box x is masked with m: x′=x⊕m, where ⊕ denotes bitwise XOR.
[0054] S-box Computation: The S-box operation is performed on x′, resulting in y′=S(x′).
[0055] Masked Output: The output y′ is then masked again with m to produce the final output y=y′⊕m.
[0056] Computing the multiplicative inverse in the composite field with masked inputs:
[0057] The 4-bit input, split into a_h (upper 2 bits) and a_l (lower 2 bits), is mapped to the masked shares a_{hm} and a_{lm}, and the mask m is mapped to m_h and m_l. The goal is to compute a_h^{-1} + m_h and a_l^{-1} + m_l (the high and low halves of the inverse, each still masked) using only a_{hm}, a_{lm}, m_h and m_l. The final S-box equations are as follows:
$a_h^{-1} = d^{-1} a_h = d^{-1}(a_{hm} + m_h)$
$d_{mh} = d + m_h = (a_h^2 + a_l^2)\nu + a_h a_l + m_h$
$\phantom{d_{mh}} = (a_{hm}^2 + m_h^2 + a_{lm}^2 + m_l^2)\nu + a_{hm} a_{lm} + m_h m_l + a_{hm} m_l + a_{lm} m_h + m_h$
$a_l^{-1} + m_l = (a_{hm} d_{ml} + m_h d_{ml} + f_m) + (f + m_h m_l + m_l + f_m)$
$a_h^{-1} + m_h = (a_{lm} d_{mh} + m_l d_{mh} + f_m) + (g + m_h m_l + m_h + f_m)$
$f = a_{hm} m_l$
$g = a_{lm} m_h$
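As an added example (not code from the patent or its authors), the masked composite-field inversion of paragraphs [0056] and [0057] in Python, so that the equations can be checked by exhaustively unmasking every input under every mask. It assumes a concrete representation: GF(2²) as GF(2)[w]/(w² + w + 1), GF((2²)²) in the normal basis [Y⁴, Y] with Y² + Y + ν = 0 and ν = w (the basis in which d = (a_h² + a_l²)ν + a_h a_l is the norm), distinct names for the masked norm (dmh) and the masked inverse norm (dinv_mh, dinv_ml), and it leaves out the GF(2⁴) isomorphism and the affine step. The data_independent helper is a first-order check that the value distribution of a share over all masks does not depend on the unmasked data.

```python
from itertools import product

# Added example, not the patent's own code: additive masking of the GF((2^2)^2)
# inverse of paragraphs [0056]-[0057]. Assumed representation: GF(2^2) =
# GF(2)[w]/(w^2+w+1) as 2-bit ints (bit 1 = w); GF((2^2)^2) in the normal basis
# [Y^4, Y] with Y^2 + Y + nu = 0, nu = w, elements as (high, low) pairs.
NU = 2         # w
ONE = (1, 1)   # 1 = Y^4 + Y in the normal basis

def gf4_mul(a, b):
    """Multiply in GF(2^2) modulo w^2 + w + 1."""
    a1, a0, b1, b0 = a >> 1, a & 1, b >> 1, b & 1
    hi = (a1 & b0) ^ (a0 & b1) ^ (a1 & b1)   # coefficient of w
    lo = (a0 & b0) ^ (a1 & b1)               # constant term
    return (hi << 1) | lo

def gf4_sq(a):
    """Squaring is GF(2)-linear and equals inversion in GF(2^2) (x^3 = 1, 0 -> 0)."""
    return gf4_mul(a, a)

def gf16_mul(a, b):
    """(ah,al)*(bh,bl) in the normal basis, with p = nu*(ah+al)*(bh+bl)."""
    p = gf4_mul(NU, gf4_mul(a[0] ^ a[1], b[0] ^ b[1]))
    return (gf4_mul(a[0], b[0]) ^ p, gf4_mul(a[1], b[1]) ^ p)

def masked_inv(ahm, alm, mh, ml, fm):
    """Return (ah_inv + mh, al_inv + ml) from shares ahm = ah + mh, alm = al + ml, masks mh, ml, fresh mask fm."""
    # Masked norm d + mh with d = (ah^2 + al^2)nu + ah*al: start from fm so every
    # partial sum stays masked, add the mask-only terms, then the expansion of [0057].
    acc = fm ^ mh ^ gf4_mul(mh, ml) ^ gf4_mul(NU, gf4_sq(mh) ^ gf4_sq(ml))
    acc ^= gf4_mul(ahm, alm)
    acc ^= gf4_mul(ahm, ml)
    acc ^= gf4_mul(alm, mh)
    acc ^= gf4_mul(NU, gf4_sq(ahm) ^ gf4_sq(alm))
    dmh = acc ^ fm                               # d + mh
    # (d + mh)^2 = d^-1 + mh^2; re-mask using mask-only correction terms.
    dinv_mh = gf4_sq(dmh) ^ (gf4_sq(mh) ^ mh)    # d^-1 + mh
    dinv_ml = gf4_sq(dmh) ^ (gf4_sq(mh) ^ ml)    # d^-1 + ml
    f, g = gf4_mul(ahm, ml), gf4_mul(alm, mh)
    # Low half al_inv = ah*d^-1, high half ah_inv = al*d^-1, masked as in [0057].
    al_inv_ml = (fm ^ gf4_mul(ahm, dinv_ml) ^ gf4_mul(mh, dinv_ml)) ^ (fm ^ f ^ gf4_mul(mh, ml) ^ ml)
    ah_inv_mh = (fm ^ gf4_mul(alm, dinv_mh) ^ gf4_mul(ml, dinv_mh)) ^ (fm ^ g ^ gf4_mul(mh, ml) ^ mh)
    return ah_inv_mh, al_inv_ml

def verify_all():
    """Unmask the result for every input and every mask triple; check a * a^-1 = 1 (0 -> 0)."""
    for ah, al, mh, ml, fm in product(range(4), repeat=5):
        h, l = masked_inv(ah ^ mh, al ^ ml, mh, ml, fm)
        inv = (h ^ mh, l ^ ml)
        ok = inv == (0, 0) if (ah, al) == (0, 0) else gf16_mul((ah, al), inv) == ONE
        if not ok:
            return False
    return True

def data_independent(intermediate):
    """First-order check: distribution of intermediate(ah, al, mh, ml, fm) over the 64 mask triples is the same for all (ah, al)."""
    dists = set()
    for ah, al in product(range(4), repeat=2):
        counts = [0] * 4
        for mh, ml, fm in product(range(4), repeat=3):
            counts[intermediate(ah, al, mh, ml, fm)] += 1
        dists.add(tuple(counts))
    return len(dists) == 1
```

verify_all() returns True for all 16 inputs and 64 mask triples, while data_independent(lambda ah, al, mh, ml, fm: mh ^ gf4_mul(ah ^ mh, al ^ ml)) returns False: the partial sum m_h + a_{hm} a_{lm} taken without the fresh mask is not data-independent, which is why the accumulation above starts from f_m.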
[0058] Thus, the present invention overcomes the drawbacks, shortcomings, and limitations associated with existing solutions, and provides a system configured to enhance security against side-channel power attacks by employing additive masking techniques, preventing adversaries from inferring sensitive cryptographic information through power consumption variations. Additionally, the system optimizes S-box operations within lightweight SPN architectures, implementing the masking technique with minimal computational overhead, making it suitable for resource-constrained environments such as IoT devices. The system further utilizes composite field arithmetic to reduce the complexity of Galois field operations, enabling efficient computation of substitution values while maintaining a high level of security. By combining multiplicative inversion and affine transformation into a compact architecture, the system minimizes hardware area while preserving cryptographic strength. Moreover, the system employs secure hardware design principles, ensuring that no unmasked data is exposed during computation, thereby mitigating the risk of power analysis attacks. Furthermore, the system incorporates reusable cryptographic modules, where a shared multiplicative inversion module is utilized for both encryption and decryption processes, leading to more efficient hardware utilization.
[0059] FIG. 3 illustrates an exemplary view of the SPN block diagram with Unmasked S-box, in accordance with an embodiment of the present disclosure. In FIG. 3, the architecture showcases a polynomial basis for the Substitution Box (S-box) computation, incorporating two-input and three-input additions, along with multiplications and square-scalings. The figure details the utilization of 9 two-input additions, 9 three-input additions (equivalent to 18 two-input additions), amounting to a total of 23 two-input additions. Furthermore, the architecture employs 9 multiplications and 2 squaring and scaling operations, contributing to the overall computational efficiency. These operations are performed within a finite field structure to optimize area, power consumption, and resistance to side-channel attacks. The figure elaborates on the flow and interconnections between the blocks, emphasizing the structural layout for secure block cipher implementation.
[0060] FIG. 4 illustrates the physical design layout of the Substitution-Permutation Network (SPN) algorithm with an unmasked Substitution Box (S-box), generated using the Cadence Innovus tool. The layout highlights the intricate and compact architecture, featuring a dense grid of interconnections between various components. The design employs color-coding to enhance clarity, where yellow represents metal interconnections, and green and red indicate distinct layers or types of connections. This layout demonstrates the optimization of space and routing for efficient signal flow, while maintaining the structural integrity required for secure cryptographic implementations, particularly in terms of resistance to side-channel attacks. The layout provides insight into the complexity of the hardware design, ensuring a balanced trade-off between performance, area, and security.
[0061] FIG. 5 demonstrates the complexity and precision of the SPN layout with a masked S-box, highlighting the detailed routing paths, component placements, and the layered structure necessary for implementing the masked S-box architecture efficiently. The inclusion of numerical labels, pinpointing specific cells and components, underscores the precision and attention to detail inherent in this design. This exacting layout is pivotal in optimizing the cryptographic algorithm's performance, energy efficiency, and security in hardware implementations, thereby underscoring the significance of rigorous design in ensuring the integrity of cryptographic systems.
[0062] For synthesis, critical path delay (CPD), area and power estimation, a clock frequency of 100 MHz was used. The tables below summarize the implementation figures and design parameters to highlight the overhead of each S-box architecture (masked, unmasked, and LUT), including relative figures. Under slow conditions, power consumption was estimated at 100 MHz, 125°C maximum temperature, and a supply voltage of 0.9V. The masked implementation requires 463.352 µW, while the figure increases to 1798.85 µW for the Look-Up Table (LUT) S-box. All power figures are in the range of µW.
[0063] This compact architecture reduces the area compared to the LUT S-box architecture, with the masked implementation requiring 445.70 µm² and the LUT S-box requiring 1432.81 µm². Compared to the existing LUT S-box implementation, the current implementation improves speed by 23% and enhances security significantly by extracting the ciphertext within a single pass through the algorithm for each round and randomizing the power spectral density of the transition with the masked S-box implementation. Therefore, this compact and masked architecture is superior to the LUT S-box.
[0064] Performance Figures:
            CPD (ps)   Area (µm²)   Power (µW)
Masked      1409       445.70       463.352
Unmasked    1409       445.72       463.352
LUT         1834       1432.81      1798.85
@slow library, 100 KHz operating frequency, 180 nm technology
[0065] The table below shows the post-synthesis results under fast conditions at 100 MHz, 0°C, and a supply voltage of 1.1V. The worst-case delay for the masked architecture is increased by 12%, the total area by 68%, and the power consumption by 72% compared to the unmasked version. These trade-offs are made to achieve a more secure architecture.
            CPD (ps)   Area (µm²)   Power (µW)
Masked      1390       1432.7       2859.4
Unmasked    1223       445.70       786.6
LUT         1223       445.72       786.6
@fast library, 100 KHz operating frequency, 180 nm technology
[0066] Similarly, the table below shows the results under typical conditions at 100 MHz, 25°C, and a supply voltage of 1.8V. The worst-case delay for the masked architecture is increased by 6%, while power and area consumption are unchanged compared to the unmasked version.
            CPD (ps)   Area (µm²)   Power (µW)
Masked      1546       1432.7       2218.3
Unmasked    1446       1432.81      2218.6
LUT         1446       1432.81      2218.6
@typical library, 100 KHz operating frequency, 180 nm technology
[0067] For hardware implementations of SPN, countermeasures against side-channel attacks are important. Here we give a method for masking the S-box (the rest of a round being linear) that is secure, in that the distributions of all the masked operands are independent of the distribution of the data.
[0068] FIG. 6 illustrates an exemplary flow chart of a method for enhancing security of substitution-permutation network (SPN) structure, in accordance with an embodiment of the present disclosure.
[0069] The method 600 for enhancing the security of a substitution-permutation network (SPN) structure comprises, at block 602, integrating a masked S-box architecture into the SPN structure, wherein the masked S-box utilizes composite field arithmetic to compute substitution values of input data in a finite field GF(2⁴). The method further comprises, at block 604, mapping the input data, by an isomorphic transformation unit, from the finite field GF(2⁴) to a product of smaller fields GF(2²) × GF(2²). At block 606, the method involves computing, by a multiplicative inversion unit, the multiplicative inverse of the input data within the composite field GF((2²)²) to prevent exposure of unmasked data. At block 608, the method comprises transforming, by an inverse isomorphism unit, the result of the multiplicative inverse operation back from the composite field GF((2²)²) to a higher-order field GF(2⁴). Finally, at block 610, the method includes applying, by an affine transformation unit, a scaling and addition operation to the transformed computed values, wherein the system employs additive masking to prevent leakage of sensitive cryptographic information during S-box operations, ensuring security in resource-constrained environments and mitigating the risk of side-channel power attacks.
[0070] It will be apparent to those skilled in the art that the system 100 of the disclosure may be provided using some or all of the mentioned features and components without departing from the scope of the present disclosure. While various embodiments of the present disclosure have been illustrated and described herein, it will be clear that the disclosure is not limited to these embodiments only. Numerous modifications, changes, variations, substitutions, and equivalents will be apparent to those skilled in the art, without departing from the spirit and scope of the disclosure, as described in the claims.



ADVANTAGES OF THE PRESENT INVENTION
[0071] The present disclosure provides a system that enhances security against side-channel power attacks by implementing additive masking techniques, preventing attackers from inferring sensitive information from power consumption variations.
[0072] The present disclosure provides a system that optimizes the S-box operations within lightweight SPN architectures, ensuring that the masking technique introduces minimal computational overhead, making it suitable for resource-constrained devices like IoT systems.
[0073] The present disclosure provides a system that utilizes composite field arithmetic to reduce the complexity of Galois field operations, allowing for efficient computation of substitution values while maintaining high levels of security.
[0074] The present disclosure provides a system that combines both the multiplicative inversion and affine transformation into a compact architecture, minimizing hardware area while preserving cryptographic strength.
[0075] The present disclosure provides a system that employs secure hardware design principles to ensure that no unmasked data is exposed at any stage of computation, effectively mitigating the risk of power analysis attacks.
[0076] The present disclosure provides a system that enables reusable cryptographic modules, such as a shared multiplicative inversion module for both encryption and decryption processes, leading to more efficient hardware utilization.
Claims:
1. A system (100) for enhancing security of substitution-permutation network (SPN) structure, the system comprising:
a masked S-box (102) architecture integrated into the SPN structure, the masked S-box utilizing composite field arithmetic to compute substitution values of input data in a finite field GF(2⁴), wherein the masked S-box comprises:
an isomorphic transformation unit (202) configured to map the input data from the finite field GF(2⁴) to a product of smaller fields GF(2²) × GF(2²);
a multiplicative inversion unit (204) that computes multiplicative inverse of the input data within composite field GF((2²)²) to prevent exposure of unmasked data;
an inverse isomorphism unit (206) configured to transform result of multiplicative inverse operation back from the composite field GF((2²)²) to a higher-order field GF(2⁴); and
an affine transformation unit (208) configured to apply a scaling and addition operation to the transformed computed values, wherein the system employs additive masking of the input data and the output data to prevent leakage of sensitive cryptographic information during S-box operations, ensuring security in resource-constrained environments, and mitigating side channel power attacks.
2. The system as claimed in claim 1, wherein the masked S-box (102) is implemented using a non-look-up table (LUT) (104) and performs substitution operations to generate the output data based on the input data, wherein the additive masking is applied to prevent power consumption variations from being exploited in side channel attacks.
3. The system as claimed in claim 1, wherein the isomorphic transformation unit (202) utilizes a linear mapping function that preserves operation characteristics in the finite field.
4. The system as claimed in claim 1, wherein the composite field GF((2²)²) is defined using irreducible polynomials for arithmetic operations.
5. The system as claimed in claim 1, wherein the masked S-box (102) operates with 4-bit input and output data for compatibility with lightweight cryptographic applications.
6. The system as claimed in claim 1, wherein the additive masking ensures that all intermediate values in the S-box computation remain masked throughout the process to mitigate power analysis vulnerabilities.
7. The system as claimed in claim 1, wherein the multiplicative inversion unit (204) employs extended Euclidean algorithm to compute the multiplicative inverse of the input data within the lower-order composite field.
8. The system as claimed in claim 1, wherein the affine transformation unit (208) utilizes a fixed 4x4 transformation matrix to perform affine operation on the masked input data.
9. The system as claimed in claim 1, wherein the system comprises a masked multiplicative inversion unit implemented on the S-box computation that is configured to enhance security against power analysis attacks by combining input data A with a random mask M, ensuring that unmasked data is not exposed during computation.
10. A method (600) for enhancing security of substitution-permutation network (SPN) structure, the method comprising:
integrating (602), a masked S-box architecture into the SPN structure, the masked S-box utilizing composite field arithmetic to compute substitution values of input data in a finite field GF(2⁴);
mapping (604), by an isomorphic transformation unit, the input data from the finite field GF(2⁴) to a product of smaller fields GF(2²) × GF(2²);
computing (606), by a multiplicative inversion unit, multiplicative inverse of the input data within composite field GF((2²)²) to prevent exposure of unmasked data;
transforming (608), by an inverse isomorphism unit, result of multiplicative inverse operation back from the composite field GF((2²)²) to a higher-order field GF(2⁴); and
applying (610), by an affine transformation unit, a scaling and addition operation to the transformed computed values, wherein the system employs additive masking to prevent leakage of sensitive cryptographic information during S-box operations, ensuring security in resource-constrained environments, and mitigating side channel power attacks.