Shuffling across rounds: A lightweight strategy to counter side-channel attacks

Abstract

Side-channel attacks are a potent threat to the security of devices implementing cryptographic algorithms. Designing lightweight countermeasures against side-channel analysis that can run on resource constrained devices is a major challenge. One such lightweight countermeasure is shuffling, in which the designer randomly permutes the order of execution of potentially vulnerable operations. State of the art shuffling countermeasures advocate shuffling a set of independent operations in a single round of a cryptographic algorithm, but are often found to be insufficient as standalone countermeasures. In this paper, we propose a two-round version of the shuffling countermeasure, and test its security when applied to a serialized implementation of AES-128 using Test Vector Leakage Assessment (TVLA). Our results show that the required number of traces to break AES-128 implemented using our proposed countermeasure is significantly larger than the implementations using simple one-round shuffling. Furthermore, the new shuffling method has significantly lower overhead of around 1.3 times, as compared to other side-channel countermeasures such as masking that have an overhead of approximately two times.