Cryptographic Hardware and Embedded Systems -- CHES 2015
17th International Workshop, Saint-Malo, France, September 13-16, 2015, Proceedings
Published on 31. August 2015
XIV, 704 pages
978-3-662-48324-4 (ISBN)
Description
This book constitutes the refereed proceedings of the 17th International Workshop on Cryptographic Hardware and Embedded Systems, CHES 2015, held in Saint Malo, France, in September 2015. The 34 full papers included in this volume were carefully reviewed and selected from 128 submissions. They are organized in the following topical sections: processing techniques in side-channel analysis; cryptographic hardware implementations; homomorphic encryption in hardware; side-channel attacks on public key cryptography; cipher design and cryptanalysis; true random number generators and entropy estimations; side-channel analysis and fault injection attacks; higher-order side-channel attacks; physically unclonable functions and hardware trojans; side-channel attacks in practice; and lattice-based implementations.
More details
Other editions
Additional editions
Tim Güneysu | Helena Handschuh
Cryptographic Hardware and Embedded Systems -- CHES 2015
17th International Workshop, Saint-Malo, France, September 13-16, 2015, Proceedings
Book
08/2015
Springer
€53.49
Shipment within 7-9 days
Content
- Intro
- Preface
- CHES 2015
- Workshop on Cryptographic Hardwareand Embedded Systems 2015
- Contents
- Processing Techniques in Side-Channel Analysis
- Robust Profiling for DPA-Style Attacks
- 1 Introduction
- 1.1 Motivation
- 1.2 Machine Learning for Profiling
- 1.3 Unsupervised Clustering in Conjunction with Partition-Based DPA
- 1.4 Our Contributions
- 1.5 Outline
- 2 Preliminaries
- 2.1 Differential Power Analysis
- 2.2 Unsupervised Clustering
- 2.3 Principal Component Analysis
- 3 Methodology
- 3.1 Our General Profiling Strategy
- 3.2 Model Building and Distinguishers
- 3.3 Experimentally Verifying `Robustness'
- 4 Experimental Results
- 4.1 `Straightforward' (Software) Scenario
- 4.2 `Problematic' (Hardware) Scenario
- 4.3 Discrepancy in Window Width and Location
- 4.4 Discrepancy in Measurement Resolution
- 4.5 Discrepancy in Measurement Error
- 4.6 Discrepancy in Trace Pre-processing
- 4.7 Non-fixed Sampling Frequency
- 5 Summary
- References
- Less is More
- 1 Introduction
- 2 Theoretical Solution in the Presence of Gaussian Noise
- 2.1 Notations
- 2.2 Model
- 2.3 Optimal Attack
- 2.4 Optimal Dimensionality Reduction
- 2.5 Discussion
- 3 Examples
- 3.1 White Noise
- 3.2 Correlated Autoregressive Noise
- 4 Comparison with PCA and LDA
- 4.1 Principal Components Analysis (PCA)
- 4.2 Linear Discriminant Analysis (LDA)
- 4.3 Numerical Comparison Between Asymptotic PCA and LDA
- 5 Practical Validation
- 5.1 Precharacterization of the Model Parameters D and
- 5.2 Computation of SNRs on the AES Traces from DPA Contest v2 Last Round
- 6 Conclusions and Perspectives
- References
- Blind Source Separation from Single Measurements Using Singular Spectrum Analysis
- 1 Introduction
- 2 Background
- 2.1 Attacks
- 2.2 Evaluation Metrics
- 3 Singular Spectrum Analysis
- 3.1 Decomposition
- 3.2 Reconstruction
- 4 Practical Experiments
- 4.1 Measurement Setup
- 4.2 Unprotected and Masked AES in an Atmel Microcontroller
- 4.3 Unprotected PRESENT in a Xilinx FPGA
- 5 Conclusions
- A Univariate Attacks
- References
- Cryptographic Hardware Implementations
- Highly Efficient GF(28) Inversion Circuit Based on Redundant GF Arithmetic and Its Application to AES Design
- 1 Introduction
- 2 Preliminaries and Related Works
- 2.1 Inversion Circuits by Tower Fields
- 2.2 Redundant Representations for Galois Fields
- 3 Proposed GF(28) Inversion Circuit
- 4 Performance Evaluation
- 5 Application to AES S-Box
- 6 Conclusion
- References
- NaCl's Crypto_box in Hardware
- 1 Introduction
- 2 Preliminaries -- The Crypto_box Function
- 3 A Crypto_box Specific Instruction-Set Processor
- 3.1 Hardware Implementation Overview
- 3.2 The Controller
- 3.3 The Arithmetic Logic Unit
- 4 Machine-Code Implementations
- 4.1 The X25519 Key Exchange
- 4.2 A Streaming API for Crypto_box
- 5 Implementation Results
- References
- Lightweight Coprocessor for Koblitz Curves: 283-Bit ECC Including Scalar Conversion with only 4300 Gates
- 1 Introduction
- 2 Preliminaries
- 3 Koblitz Curve Scalar Conversion
- 3.1 Scalar Reduction
- 3.2 Computation of -adic Representation
- 4 Point Multiplication
- 5 Architecture
- 6 Results and Comparisons
- 7 Conclusions
- A Implementation of Operations Used by Algorithm 5
- B Estimates for B-163 and K-163
- References
- Single Base Modular Multiplication for Efficient Hardware RNS Implementations of ECC
- 1 Introduction
- 2 Notations and Definitions
- 3 State of Art
- 3.1 Base Extension
- 3.2 RNS Montgomery Modular Multiplication
- 4 Proposed RNS Modular Multiplication Algorithm
- 4.1 Decomposition of the Operands
- 4.2 Proposed RNS Modular Multiplication SBMM
- 4.3 Selecting P=Ma2-2 for RNS Efficient Implementations
- 4.4 Controlling the Size of SBMM Outputs
- 5 Theoretical Cost Analysis
- 6 Hardware Implementation
- 6.1 Proposed Architecture
- 6.2 Implementation Results on Various FPGAs
- 7 Examples of ECC Computations
- 8 Conclusion
- References
- Homomorphic Encryption in Hardware
- Accelerating Homomorphic Evaluation on Reconfigurable Hardware
- 1 Introduction
- 2 Background
- 2.1 Somewhat Homomorphic Scheme YASHE
- 2.2 Number Theoretic Transform
- 2.3 Cached-FFT
- 2.4 Catapult Architecture/Target Hardware
- 3 High Level Description
- 4 Hardware Architecture
- 4.1 Implementation of the Cached-NTT and Memory Addressing
- 4.2 Computation of the C-NTT on the Cache
- 5 Configuration of Our Core for YASHE
- 5.1 Implementation of RMult
- 5.2 Implementation of KeySwitch
- 6 Results and Comparison
- 6.1 Resource Consumption and Performance
- 6.2 Comparison with Previous Work
- 7 Future Work
- References
- Modular Hardware Architecture for Somewhat Homomorphic Function Evaluation
- 1 Introduction
- 2 System Setup
- 2.1 Modular Polynomial Rings
- 2.2 YASHE
- 3 High Level Optimizations
- 4 Architecture
- 4.1 Polynomial Arithmetic Unit
- 4.2 CRT Unit
- 4.3 Division and Rounding Unit
- 5 Results
- 6 Conclusions and Future Work
- References
- Accelerating LTV Based Homomorphic Encryption in Reconfigurable Hardware
- 1 Introduction
- 2 Background
- 2.1 LTV-Based Fully Homomorphic Encryption
- 2.2 Arithmetic Operations
- 3 Architecture Overview
- 3.1 Software/Hardware Interface
- 3.2 PCIe Interface
- 3.3 Arithmetic Core Units
- 4 215215 Polynomial Multiplier
- 4.1 NTT Operation
- 4.2 Inner Multiplication
- 4.3 Inverse NTT
- 4.4 Final Scaling
- 5 Implementation Results
- 6 Comparison
- 7 Conclusions
- References
- Side-Channel Attacks on Public Key Cryptography
- Stealing Keys from PCs Using a Radio: Cheap Electromagnetic Attacks on Windowed Exponentiation
- 1 Introduction
- 1.1 Overview
- 1.2 Our Contribution
- 1.3 Vulnerable Software and Hardware
- 1.4 Related Work
- 2 Cryptanalysis
- 2.1 GnuPG's Sliding-Window Exponentiation Routine
- 2.2 ElGamal Attack Algorithm
- 2.3 RSA Attack Algorithm
- 3 Experimental Results
- 3.1 SDR Experimental Setup
- 3.2 Signal Analysis
- 3.3 ElGamal Key Extraction
- 3.4 RSA Key Extraction
- 3.5 Untethered SDR Attack
- 3.6 Consumer-Radio Attack
- 4 Discussion
- References
- Exclusive Exponent Blinding May Not Suffice to Prevent Timing Attacks on RSA
- 1 Introduction
- 2 Modular Exponentiation with Montgomery's Multiplication Algorithm
- 3 Theoretical Background of Our Attack
- 3.1 Exponentiation (modpi)
- 3.2 Further Arithmetic Operations and Noise
- 3.3 The Distinguisher
- 4 The Attack
- 4.1 The Attack Algorithm
- 4.2 Experimental Results
- 4.3 Table-Based Exponentiation Algorithms
- 4.4 Countermeasures
- 5 Conclusion
- References
- Who Watches the Watchmen?: Utilizing Performance Monitors for Compromising Keys of RSA on Intel Platforms
- 1 Introduction
- 2 Preliminaries
- 2.1 Exponentiation Algorithms and Underlying Multiplication Primitive
- 2.2 RSA-OAEP Randomized Padding Scheme
- 2.3 Dynamic Branch Predictor
- 3 Modelling Branch Miss as Side-Channel from HPC
- 3.1 Using Event Branch-Misses as Side-Channel
- 3.2 Strong Correlation Between Two-Bit Predictor and System Branch Predictor
- 4 Attack Algorithm Featuring Performance Counters Monitoring Branch Misses
- 4.1 Threat Model for the Attack
- 4.2 Offline Phase
- 4.3 Online Phase
- 5 Formally Modelling the Success
- 6 Experimental Validation for the Online Phase of the Attack
- 6.1 Experiments on Square and Multiply and Montgomery Ladder Algorithm
- 6.2 Comparing Timing as Side-Channel to Branch Misses from HPC
- 6.3 Variation of Parameters Such as Number of Inputs (L) and Iteration (I)
- 6.4 Revealing Secret Exponent in RSA-OAEP Randomized Padding Procedure
- 7 Discussions
- 8 Conclusion
- References
- Cipher Design and Cryptanalysis
- Improved Cryptanalysis of the DECT Standard Cipher
- 1 Introduction
- 2 The DECT Standard Cipher
- 2.1 The DSC Internal Configuration
- 2.2 The Output Combiner
- 2.3 Notations Used in the Rest of the Paper
- 3 The Nohl-Tews-Weinmann Attack
- 3.1 Guessing Correctly a Status
- 3.2 Determination of More Equations
- 3.3 Results of the Nohl-Tews-Weinmann Attack
- 4 A Theoretical Model of an Improved Cryptanalysis
- 4.1 Computation of the Weights
- 4.2 Determination of the Best Candidates
- 4.3 Exhaustive Search Among the Remaining Bits
- 5 Improved Implementation of the Cryptanalysis
- 5.1 Efficiency Consideration
- 5.2 A Time-Accuracy Trade-Off
- 5.3 Selection of the Relevant Equations
- 6 Experimental Results of Our Attack
- 6.1 Results Based on Simulated Data
- 6.2 Results Based on Real Data
- 6.3 Partially-Known Plaintext Attack
- 7 Conclusions and Future Developments
- References
- Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits
- 1 Introduction
- 2 Preliminaries
- 3 Erasure Correction Scenario
- 3.1 The Attack Knowing Two Signatures
- 3.2 The Attack Knowing t Signatures
- 3.3 Experimental Results
- 4 Error Correction Scenario
- 5 Conclusion
- References
- The Simeck Family of Lightweight Block Ciphers
- 1 Introduction
- 2 Design Specifications and Rationales
- 2.1 Specifications of Simeck
- 2.2 Design Rationales
- 3 Hardware Implementations
- 3.1 Metrics and Design Flow
- 3.2 Two Different Hardware Architectures for Simeck
- 3.3 Hardware Evaluations of Simeck
- 4 Result Comparisons Between Simeck and SIMON
- 5 Security Analysis
- 6 Concluding Remarks
- References
- TriviA: A Fast and Secure Authenticated Encryption Scheme
- 1 Introduction
- 2 Preliminaries
- 2.1 Authenticated Encryption and Its Security Definitions
- 2.2 Examples of Universal Hash Functions
- 3 EHC Hash
- 3.1 ECCode
- 3.2 EHC Hash
- 3.3 Discussions
- 4 TriviA Authenticated Encryption
- 4.1 Specification of TriviA
- 4.2 Discussions
- 5 Security Analysis
- 5.1 Security Against Known Attacks
- 5.2 Privacy of TriviA
- 5.3 Authenticity of TriviA
- 6 Hardware Implementation of TriviA-Ck
- 6.1 Cycles per Byte (cpb) Analysis
- 6.2 Hardware Architectures
- 6.3 Performance Results and Comparison
- 7 Conclusion
- References
- True Random Number Generators and Entropy Estimations
- A Physical Approach for Stochastic Modeling of TERO-Based TRNG
- 1 Introduction
- 2 The TERO Based RNG -- Background
- 3 Physical and Stochastic Model of TERO
- 3.1 Modeling the Number of Temporary Oscillations
- 3.2 Experimental Validation of the TERO Stochastic Model
- 4 Stochastic Model of the Complete TERO-Based TRNG
- 5 Discussion
- 6 Conclusion
- References
- Predictive Models for Min-entropy Estimation
- 1 Introduction
- 1.1 Entropy and Predictability
- 1.2 Our Contributions
- 1.3 Guide to the Rest of the Paper
- 2 Preliminaries
- 3 Entropy Estimation Using Predictors
- 3.1 Predictor Performance and Entropy Bounds
- 3.2 Global Predictability
- 3.3 Local Predictability
- 3.4 Deriving a Final Estimate
- 3.5 Underestimates and Overestimates
- 4 A Concrete Set of Predictors for Entropy Estimation
- 4.1 Ensemble Predictors
- 4.2 Categorical Data Predictors
- 4.3 Numerical Predictors
- 5 Results
- 5.1 NIST Entropy Estimation Suite
- 5.2 Simulated Data
- 5.3 Real-World Data
- 5.4 General Discussion
- 6 Conclusions
- 6.1 Future Work
- References
- Side-Channel Analysis and Fault Injection Attacks
- Improved Side-Channel Analysis of Finite-Field Multiplication
- 1 Introduction
- 2 Preliminaries
- 2.1 Galois Field Multiplication
- 2.2 Probabilities
- 2.3 Leakage Model
- 2.4 Learning Parities with Noise
- 2.5 The BKW Algorithm and Its Variants
- 3 Our New Attack
- 3.1 Overview
- 3.2 Filtering
- 3.3 Solving the LPN Problem
- 3.4 Comparison with State-of-the Art Attacks
- 4 Extension to Chosen Inputs
- 4.1 Comparing Leaks
- 4.2 Key Recovery
- 5 Adaptation to Fresh Re-Keying
- 6 Practical Experiments
- 6.1 ATMega328p Leakage Behaviour
- 6.2 Attacks on AES-GCM with Known Inputs
- 6.3 Attack on Fresh Re-Keying
- References
- Evaluation and Improvement of Generic-Emulating DPA Attacks
- 1 Introduction
- 2 Background
- 2.1 Differential Power Analysis
- 2.2 Generic DPA and its limitations
- 2.3 From LR-based DPA to Generic-Emulating DPA
- 3 Alternative Generic-Emulating Distinguishers
- 3.1 Ridge-Based Distinguisher
- 3.2 Lasso-Based Distinguisher
- 4 Generic-Emulating DPAs with Cross-Validation
- 5 Experimental Results
- 5.1 Simulation-Based Experiments
- 5.2 Experiments on Smart Cards
- 6 Conclusion
- A Least Angle Regression
- References
- Transient-Steady Effect Attack on Block Ciphers
- 1 Introduction
- 2 Preliminaries
- 2.1 AES S-box and Masking
- 2.2 Fault-Based Clockwise Collision Analysis
- 3 Transient-Steady Effect Attack
- 3.1 Basic Idea
- 3.2 Attack Scenario on Unmasked S-box
- 3.3 Attack Scenario on Masked S-box
- 4 Experiments and Efficiency
- 4.1 Experiment on Unmasked S-box A
- 4.2 Experiment on Unmasked S-box B
- 4.3 Experiment on Masked S-box C
- 4.4 Efficiency Comparison
- 5 Further Discussion
- 5.1 Key Recovery for Parallel AES Implementation
- 5.2 Attack Scenario for WDDL-AES
- 5.3 Glitch Injection
- 6 Conclusions
- References
- Higher-Order Side-Channel Attacks
- Assessment of Hiding the Higher-Order Leakages in Hardware
- 1 Introduction
- 2 GliFreD
- 3 Case Studies
- 3.1 Threshold Implementation
- 3.2 KATAN-32
- 3.3 PRESENT
- 3.4 Implementation
- 4 Empirical Results
- References
- Multi-variate High-Order Attacks of Shuffled Tables Recomputation
- 1 Introduction
- 2 Preliminary and Notations
- 3 Masking Scheme with Table Recomputation
- 3.1 Algorithm
- 3.2 Classical Attacks
- 3.3 Classical Countermeasure
- 4 Totally Random Permutation and Attack
- 4.1 Defeating the Countermeasure
- 4.2 Multivariate Attacks Against Table Recomputation
- 4.3 Leakage Analysis
- 4.4 Simulation Results
- 5 An Example on High-Order Countermeasure
- 5.1 Coron Masking Scheme Attack and Countermeasure
- 5.2 Attack on the Countermeasure
- 5.3 Leakage Analysis
- 5.4 Simulation Results on Coron Masking Scheme
- 6 A Note on Affine Model
- 6.1 Properties of the affine model
- 6.2 Theoretical Analysis
- 6.3 Simulation Results
- 7 Practical Validation
- 8 Conclusions and Perspectives
- References
- Leakage Assessment Methodology
- 1 Introduction
- 2 Statistical Background
- 3 Methodology
- 4 Efficient Computation
- 4.1 Incremental One-Pass Computation of All Moments
- 4.2 Variance of Preprocessed Traces
- 4.3 Parallel Computation
- 5 Multivariate
- 6 Case Studies
- 6.1 Framework
- 7 Conclusions
- References
- Physically Unclonable Functions and Hardware Trojans
- Secure Key Generation from Biased PUFs
- 1 Introduction
- 2 PUF-based Key Generation and Bias
- 2.1 General Construction
- 2.2 Entropy Leakage
- 2.3 Entropy Leakage Due to PUF Bias
- 2.4 Effect of PUF Bias on a PUF-based Key Generator
- 3 Debiasing Solutions
- 3.1 Basic Concept
- 3.2 CVN: Classic von Neumann (VN) Debiasing
- 3.3 Pair-Output (2O-VN) and Multi-Pass Tuple-Output VN Debiasing (MP-TO-VN)
- 3.4 -2O-VN: Pair-Output VN Debiasing with Erasures
- 4 Objective Comparison of Debiasing Solutions
- 4.1 Relation Between PUF Bias and Bit Error Rate
- 4.2 Comparison of Debiasing Solutions
- 5 Conclusion
- References
- The Gap Between Promise and Reality: On the Insecurity of XOR Arbiter PUFs
- 1 Introduction
- 1.1 Related Work
- 1.2 Contribution and Organization
- 2 Background
- 2.1 Arbiter PUF
- 2.2 Evolution Strategies
- 3 The PUF-based RFID Tags
- 4 Attacking the PUF Tags
- 4.1 Machine Learning Attack
- 4.2 Cloning a PUF Tag
- 5 Reliability-Based Machine Learning Attacks
- 5.1 CMA-ES Attack Based on Reliability
- 5.2 Attacking XOR PUFs
- 6 Discussion
- References
- End-To-End Design of a PUF-Based Privacy Preserving Authentication Protocol
- 1 Introduction
- 2 Secure and Private PUF-Based Authentication Protocol
- 2.1 Notation
- 2.2 Parties and Trust Model
- 2.3 Secure and Privacy-Preserving Authentication Protocol
- 3 Instantiation of Protocol Components
- 3.1 Architecture Assumptions
- 3.2 Design of SRAM PUF
- 3.3 Design of SRAM TRNG
- 3.4 Symmetric Key Encryption and PRF
- 3.5 Design of Fuzzy Extractor
- 3.6 Relevant Data Sizes and Key Lengths in Protocol
- 4 Architecture Design
- 4.1 System Design
- 4.2 Hardware Engine
- 5 Evaluation
- 5.1 Implementation Cost
- 5.2 Performance
- 5.3 Related Work
- 5.4 Benchmark Analysis
- 6 Conclusion
- References
- Improved Test Pattern Generation for Hardware Trojan Detection Using Genetic Algorithm and Boolean Satisfiability
- 1 Introduction
- 1.1 Main Idea and Our Contribution
- 2 GA and SAT in the Context of ATPG for Trojan Detection
- 2.1 Hardware Trojan Models
- 2.2 Genetic Algorithm (GA) for ATPG
- 2.3 SAT for Hard--to--Activate Trigger Conditions
- 3 Improving the Proposed Scheme: Payload Aware Test Set Selection and Test Compaction
- 3.1 Payload Aware Test Vector Selection
- 3.2 Evaluation of Effectiveness
- 4 Experimental Results and Discussion
- 4.1 Experimental Setup
- 4.2 Test Set Evaluation Results
- 4.3 Application to Trojan Diagnosis
- 4.4 Application to Side Channel Analysis Based Trojan Detection
- 5 Conclusions
- References
- Side-Channel Attacks in Practice
- DPA, Bitslicing and Masking at 1 GHz
- 1 Introduction
- 1.1 Related Work
- 1.2 Contributions
- 2 A Bitsliced AES Implementation
- 3 Developing an Attack
- 3.1 Strategies for Side-Channel Measurements
- 3.2 Experimental Setup
- 3.3 Approach
- 3.4 Attack
- 4 Masking a Bitsliced AES Implementation
- 5 Evaluation of Masked Implementation
- 5.1 Attack When RNG is Off
- 5.2 Attack When RNG is On
- 6 Conclusion
- References
- SoC It to EM: ElectroMagnetic Side-Channel Attacks on a Complex System-on-Chip
- 1 Introduction
- 2 Background
- 2.1 An Overview of the BeagleBone Platform
- 2.2 Experimental Environment
- 2.3 Leakage Detection and Exploitation Strategy
- 3 Software-Based AES
- 3.1 Experimental Outline
- 3.2 Analysis and Discussion
- 4 Hardware-Based AES
- 4.1 Experimental Outline
- 4.2 Analysis and Discussion
- 5 NEON
- 5.1 Instruction-Level Characterisation
- 5.2 A Concrete Attack on AES
- 5.3 A Theoretical Attack on NORX
- 6 Conclusions
- References
- Finding the AES Bits in the Haystack: Reverse Engineering and SCA Using Voltage Contrast
- 1 Introduction
- 2 Related Work
- 3 Voltage Contrast
- 3.1 Static Voltage Contrast
- 3.2 Dynamic Voltage Contrast
- 4 Voltage Contrast Analysis
- 5 Voltage Contrast Side Channel Analysis (VCSCA)
- 5.1 Obtaining Voltage Contrast Traces
- 5.2 Locating AES Bit Wires in a VCSCA
- 5.3 Extracting Additional Netlist Information
- 5.4 Template Attack with VCSCA
- 5.5 Simple VCSCA
- 6 Conclusion
- References
- Lattice-Based Implementations
- Efficient Ring-LWE Encryption on 8-Bit AVR Processors
- 1 Introduction
- 1.1 Research Contributions
- 1.2 Paper Outline
- 2 Background
- 2.1 The Ring-LWE Encryption Scheme
- 2.2 Key Generation, Encryption, and Decryption
- 2.3 Number Theoretic Transform
- 2.4 Gaussian Sampler
- 2.5 Parameter Selection
- 3 Optimization Techniques for NTT Computation
- 3.1 Look-Up Table for Twiddle Factors
- 3.2 Algorithmic Optimizations
- 3.3 Fast Coefficient Multiplication
- 3.4 Fast Reduction of Coefficient-Products
- 3.5 Minimizing the Number of Reduction Operations
- 3.6 Reducing the RAM Consumption
- 4 Optimization of the Knuth-Yao Sampler
- 4.1 Pseudo-Random Number Generation Using AES Accelerator
- 5 Performance Evaluation and Comparison
- 5.1 Experimental Platform
- 5.2 Experimental Results
- 5.3 Comparison with Related Work
- 6 Conclusions
- References
- A Masked Ring-LWE Implementation
- 1 Introduction
- 2 Preliminaries
- 3 High-Level Overview
- 4 Masked Decoder
- 4.1 Rules
- 4.2 Masked Table Lookup
- 5 Implementation Results
- 5.1 Area
- 5.2 Cycle Count
- 5.3 Comparison with an Elliptic-Curve Cryptosystem
- 5.4 Trade-offs
- 5.5 Maximum Frequency
- 6 Discussion
- 6.1 Error Rates
- 6.2 Comparison with Other Decoding Strategies
- 6.3 Post-Processing
- 6.4 Extension to Higher-Order Security
- 7 Evaluation
- 7.1 PRNG Off
- 7.2 PRNG On
- 7.3 Second-Order Attacks
- 7.4 Horizontal DPA Attacks
- 8 Conclusion
- References
- Author Index
