### Citations

1118 | Differential Power Analysis
- Kocher, Jaffe, et al.
- 1999
(Show Context)
Citation Context ... in 1998 thatsmicrocomputers and microchips leak informationscorrelated with the data handled and introduced a newskind of attacks which were radically different fromssoftware and algorithmic attacks =-=[1]-=-. These attacks usesleaking or side-channel information, like powersconsumption data, electromagnetisemanations orscomputing time to recover the secret key. Because ofsthe simplicity of these attacks,... |

105 | A dynamic and differential CMOS logic with signal independent power consumption to withstand differential power analysis on smart cards. In:
- Tiri, Akmal, et al.
- 2002
(Show Context)
Citation Context ...ent power dissipation. This issdone with dynamic differential logic, sometimes alsosreferred to as dual rail with precharge logic to assuresthat every logic gate has a single charging event perscycle =-=[26]-=-. In self-timed asynchronous logic [27], thesterminology refers to dual rail encoded data interleavedswith spacers.sThe increased power attack resistance does not comesfor free. The algorithmic level ... |

81 | Masked Dual-Rail Pre-charge Logic: DPA Resistance without the Routing Constraints
- Popp, Mangard
- 2005
(Show Context)
Citation Context ...yption and removedsafterwards without changing the encryption result (e.g.s[23]) or at the circuit level where a random mask-bitsequalizes the output transition probabilities of eachslogic gate [24], =-=[25]-=-. Flattening the power consumptionsis done at the circuit level such that each individual gateshas a quasi data-independent power dissipation. This issdone with dynamic differential logic, sometimes a... |

71 | Differential Power Analysis in the Presence of Hardware Countermeasures.
- Clavier, Coron, et al.
- 1965
(Show Context)
Citation Context ...uitively put forward,ssuch as the randomization of the execution sequence orsthe addition of a random power consuming module or ascurrent sink, hardly improve the resistance against thespower attacks =-=[22]-=-. In the present state-of-the-art, thescountermeasures try to make the power consumption ofsthe cryptographic device independent of the signalsvalues at the internal circuit nodes by eithersrandomizin... |

62 | A Side-Channel Analysis Resistant Description
- Oswald, Mangard, et al.
- 2005
(Show Context)
Citation Context ...ynomial. This makes the method more efficient thansin the general case and suitable for Rijndael. However,sit suffers from considerable decrease in performance.sTower Fields Methods by Oswald, et al. =-=[16, 17]-=- aresdesigned for hardware implementations. In thesesmethods, the computing of Inv in GF(22k) is reduced tosa secure computation with masked values ofsmultiplications and inverses in GF(2k), by repres... |

57 | V.: Provably Secure Masking of AES.
- Blomer, Guajardo, et al.
- 2004
(Show Context)
Citation Context ...teresting but introduces significantshardware cost with almost 300% increase in area ands60% decrease in speed. Another method based onsunivariate polynomials of Blomeret. al. has beensillustrated in =-=[15]-=-. This can be seen as a perfectlysgeneral method that can be applied to any S-box, as anysfunction over a finite field can be seen as a univariatespolynomial. This makes the method more efficient than... |

38 | High-Speed VLSI Architectures for the AES Algorithm,
- Zhang, Parhi
- 2004
(Show Context)
Citation Context ... combinational logic only, such as the compositesfield (or tower field) inversion over GF(28) are used tosavoid the unbreakable delay of LUTs, and it can be usedsto create compact AES implementations =-=[12]-=-.sComposite field arithmetic can be employed, such thatsthe field elements of GF(28) are mapped to elements inssome isomorphic composite fields, in which the fieldsoperations can be implemented by low... |

32 | Side Channel Cryptanalysis of a Higher Order Masking Scheme
- Coron, Prouff, et al.
- 2007
(Show Context)
Citation Context ...smeasurements of the power consumption of the devicesduring the execution of one encryption. There are twosdifferent degrees of sophistication involved in suchspower analysis, simple and differential =-=[2, 3]-=-.sA Simple Power Analysis (SPA) attack is described assan attack where the attacker can directly use a powersconsumption of a cipher system to break asIranian Journal of Electrical & Electronic Engine... |

19 | Balanced self checking asynchronous logic for smart card applications
- Moore, Anderson, et al.
- 2003
(Show Context)
Citation Context ...Some of thesestechniques require about twice as much area and willsconsume twice as much power as an implementationsthat is not protected against power attacks. For example,sthe technique proposed in =-=[9]-=- adds area three times andsreduces throughput by a factor of four. Another wellknown method is masking which involves ensuring thesattacker cannot predict any full registers in the systemswithout maki... |

16 |
Towards an AES crypto-chip resistant to differential power analysis
- Pramstaller, Gurkaynak, et al.
- 2004
(Show Context)
Citation Context ...the correct cipher text. This can besdone at the algorithmic level where a random mask issadded to the data prior to the encryption and removedsafterwards without changing the encryption result (e.g.s=-=[23]-=-) or at the circuit level where a random mask-bitsequalizes the output transition probabilities of eachslogic gate [24], [25]. Flattening the power consumptionsis done at the circuit level such that e... |

11 | Simulation models for side-channel information leaks” DAC
- Tiri, Verbauwhede
- 2005
(Show Context)
Citation Context ...ith a lower overhead?sYet, one has to be careful to declare a (new)smitigation as secure. A visual inspection, or even thesstandard deviation of the power consumption, does notsprovide any indication =-=[29]-=-. Thus far, the best figure ofsmerit is probably the required number of measurementssfor a successful attack on a realistic circuit. The successsof an attack, however, depends both on the informations... |

9 | Verbauwhede I., “AES-Based cryptographic, biometric security coprocessor IC in 0.18-μm CMOS resistant to side-channel power analysis attacks”, VLSI Sympusium
- Tiri, Hwang, et al.
- 2005
(Show Context)
Citation Context ...r 1.5soverhead when compared with a regular (unprotected)sdesign [23]. The masked logic styles have a factor 2 ands5 area overhead [24], [25]. The dual rail logic stylesshave a factor 3 area overhead =-=[28]-=-. Yet, the figures forsthe algorithmic and logic masking do not include thesrandom number generator. It is thus important that thesfull implementation cost of a countermeasure is clearlyscommunicated ... |

5 |
A Systems Approach to Information Technology (IT) Infrastructure Design for Utility Management Automation Systems
- Fereidunian, Lesani, et al.
- 2006
(Show Context)
Citation Context ... In recent years,sthe security of the Advanced Encryption Standards(AES) against DPA has received considerable attentionsand there is a growing interest in efficient and securesrealization of the AES =-=[5]-=-. As a result of these attacks,snumerous hardware and algorithmic countermeasuresshave been proposed. Unfortunately, most of thesestechniques are inefficient or costly or vulnerable toshigher-order at... |

5 | AES side channel attack protection using random isomorphisms”, Available on: http://eprint.iacr.org/2005/087.pdf - Rostovtsev, Shemyakina |

5 |
Introduction to finite field and applications
- Lidl, Niederreiter
- 1986
(Show Context)
Citation Context ...ransformations from GF(28) to itself or allsautoisomorphism over GF(28) and it can be proved thatsthere are ∏ (2଼୧ୀ − 2 ୧) of such transformations. So wescan have the same number of different δ/δ-1 =-=[19, 20]-=- andsconsiderable number of sets {Ф, λ, δ, δ-1} for Rijndael.sIt must be mentioned that all of the possiblescombinations of {Ф, λ, δ, δ-1} will not result in ansappropriate field isomorphism. We have ... |

4 | An Algebraic Masking Method to Protect AES against Power Attacks
- Courtois, Goubin
(Show Context)
Citation Context ... result of these attacks,snumerous hardware and algorithmic countermeasuresshave been proposed. Unfortunately, most of thesestechniques are inefficient or costly or vulnerable toshigher-order attacks =-=[6]-=-. They include randomizedsclocks, memory encryption/decryption schemes, powersconsumption randomization, and decorrelating thesexternal power supply from the internal powerswww.SID.ir Ar chi vesof S I... |

2 |
A lowvoltage, low-power, two-stage amplifier for switched-capacitor applications in 90 nm CMOS process
- Mirhosseini, Ayatollahi
- 1992
(Show Context)
Citation Context ...tosystem with …s17sconsumed by the chip. Moreover, the use of differentshardware logic, such as complementary logic, sensesamplifier based logic (SABL), and asynchronous logicshave been also proposed =-=[7, 8]-=-. Some of thesestechniques require about twice as much area and willsconsume twice as much power as an implementationsthat is not protected against power attacks. For example,sthe technique proposed i... |

2 |
Behavioral modeling and simulation of semiconductor devices and circuits using VHDL-AMS
- Karimi, Mirzakuchaki
- 2008
(Show Context)
Citation Context ...tosystem with …s17sconsumed by the chip. Moreover, the use of differentshardware logic, such as complementary logic, sensesamplifier based logic (SABL), and asynchronous logicshave been also proposed =-=[7, 8]-=-. Some of thesestechniques require about twice as much area and willsconsume twice as much power as an implementationsthat is not protected against power attacks. For example,sthe technique proposed i... |

2 |
A novel AES cryptographic core highly resistant to differential power attack”, BCCI’08
- Ghellar, Lubaszewski
- 2008
(Show Context)
Citation Context ...kssIn [13] Rostovtsev and Shemyakina describe usingsofisomorphisms of the underlying finite field. But as thesauthors admit, their method has comparatively smallsefficiency. The technique proposed in =-=[14]-=- randomizesspower consumption of SBox by randomly choosingsirreducible generator polynomials of the field GF(28).sThe approach is interesting but introduces significantshardware cost with almost 300% ... |

1 |
Ahmadian M., “A practical differential power analysis attack against an FPGA implementation of AES cryptosystem
- Masoomi, Masoumi
- 2010
(Show Context)
Citation Context ...smeasurements of the power consumption of the devicesduring the execution of one encryption. There are twosdifferent degrees of sophistication involved in suchspower analysis, simple and differential =-=[2, 3]-=-.sA Simple Power Analysis (SPA) attack is described assan attack where the attacker can directly use a powersconsumption of a cipher system to break asIranian Journal of Electrical & Electronic Engine... |

1 |
Updates in security of FPGA against differential power attacks
- Standaert, Peeters, et al.
- 2006
(Show Context)
Citation Context ...so calledsCorrelation Power Analysis (CPA) technique based onsthe correlation between the real power consumption ofsthe device and a power consumption model, has beenswidely studied in the literature =-=[3, 4]-=-. In recent years,sthe security of the Advanced Encryption Standards(AES) against DPA has received considerable attentionsand there is a growing interest in efficient and securesrealization of the AES... |

1 |
Power analysis attacks against FPGA, first experimental results
- Ors, Oswald
- 2003
(Show Context)
Citation Context ...susceptible to highersorder DPA attacks. Even techniques that were shown tosbe theoretically provably secure were susceptible tosDPA using predictions based on simulations and a backannotated netlist =-=[10]-=-.sIn this work, we concentrate on algorithmicscountermeasures to protect AES against power attacksand present a novel core implementation which is veryssimple and effective with very low hardware cost... |

1 |
Secure and efficient masking of AES -amission impossible
- Oswald, Mangard, et al.
(Show Context)
Citation Context ...ynomial. This makes the method more efficient thansin the general case and suitable for Rijndael. However,sit suffers from considerable decrease in performance.sTower Fields Methods by Oswald, et al. =-=[16, 17]-=- aresdesigned for hardware implementations. In thesesmethods, the computing of Inv in GF(22k) is reduced tosa secure computation with masked values ofsmultiplications and inverses in GF(2k), by repres... |

1 |
Advanced methods in side‐channel cryptanalysis
- Schramm
- 2006
(Show Context)
Citation Context ...y representingsGF(22k) as a quadratic extension of GF(2k).sMultiplications can be computed with additive maskingsand we are left with the problem of a securescomputation of Inv at the lower level. In =-=[18]-=- Schrammsproposes mask multipliers for GF(22) and GF(24) whichsare used in the masked composite field-based AESsSBox for software applications. However, this approachsneeds 1536 bytes ROM to store the... |

1 |
Hardware design and analysis of block cipher components
- M
- 2002
(Show Context)
Citation Context ...ransformations from GF(28) to itself or allsautoisomorphism over GF(28) and it can be proved thatsthere are ∏ (2଼୧ୀ − 2 ୧) of such transformations. So wescan have the same number of different δ/δ-1 =-=[19, 20]-=- andsconsiderable number of sets {Ф, λ, δ, δ-1} for Rijndael.sIt must be mentioned that all of the possiblescombinations of {Ф, λ, δ, δ-1} will not result in ansappropriate field isomorphism. We have ... |

1 |
An overview onside-channel analysis attacks” ASIACCS’08
- Lee, Canovas, et al.
(Show Context)
Citation Context ...tput of SBox is greatersthan four, and otherwise it returns zero. It has beensshown that the efficiency of the attack is increased inssuch a case since the ghost peaks and secondary peakssare lowered =-=[21]-=-.sThe experimental results for the differential powerstraces for the correct and a wrong subkey guesses aresshown in Fig. 13 and Fig. 14 respectively. As it is seen,sthe plots confirm the assumption a... |

1 |
Random switching logic: acountermeasure against DPA based on transition probability”, IACR ePrint, rep
- Suzuki, Saeki, et al.
- 2004
(Show Context)
Citation Context ...e encryption and removedsafterwards without changing the encryption result (e.g.s[23]) or at the circuit level where a random mask-bitsequalizes the output transition probabilities of eachslogic gate =-=[24]-=-, [25]. Flattening the power consumptionsis done at the circuit level such that each individual gateshas a quasi data-independent power dissipation. This issdone with dynamic differential logic, somet... |