Side-channel resistant crypto for less than 2,300 GE

Axel Poschmann*, Amir Moradi, Khoongming Khoo, Chu Wee Lim, Huaxiong Wang, San Ling

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

164 Citations (Scopus)


A provably secure countermeasure against first order side-channel attacks was proposed by Nikova et al. (P. Ning, S. Qing, N. Li (eds.) International conference in information and communications security. Lecture notes in computer science, vol. 4307, pp. 529-545, Springer, Berlin, 2006). We have implemented the lightweight block cipher PRESENT using the proposed countermeasure. For this purpose we had to decompose the S-box used in PRESENT and split it into three shares that fulfill the properties of the scheme presented by Nikova et al. (P. Lee, J. Cheon (eds.) International conference in information security and cryptology. Lecture notes in computer science, vol. 5461, pp. 218-234, Springer, Berlin, 2008). Our experimental results on real-world power traces show that this countermeasure provides additional security. Post-synthesis figures for an ASIC implementation require only 2,300 GE, which makes this implementation suitable for low-cost passive RFIDtags.

Original languageEnglish
Pages (from-to)322-345
Number of pages24
JournalJournal of Cryptology
Issue number2
Publication statusPublished - Apr 2011


  • ASIC
  • Countermeasures
  • Lightweight
  • Secret sharing
  • Side-channel attacks


Dive into the research topics of 'Side-channel resistant crypto for less than 2,300 GE'. Together they form a unique fingerprint.

Cite this