Beyond algorithmic noise or how to shuffle parallel implementations?
Saved in:

| Published in: | International journal of circuit theory and applications 2020-05, Vol. 48 (5), p. 674-695 |
|---|---|
| Main authors: | , , |
| Format: | Article |
| Language: | eng |
| Subject terms: | |
| Online access: | Full text |

Abstract (Summary):
Noise is an important ingredient for the security of side-channel-analysis countermeasures. However, physical noise is in most cases not sufficient to achieve high security levels. As a result, designers traditionally aim to emulate noise by harnessing shuffling in the time domain and algorithmic noise in the amplitude domain. On one hand, harnessing algorithmic noise is limited in architectures/devices which have a limited data-path width. On the other hand, the performance degradation due to shuffling is considerable. A natural complement to operation shuffling is hardware-based intra-cycle shuffling (ICS), which typically shuffles the sample time of bits within a clock cycle (instead of micro-processor operations). Such an architecture eliminates the performance overhead due to shuffling within a single cycle, it is algorithm-independent, i.e., there is no need to partition operations, and as it is hardware-based, the data-path width can be tailored to better exploit algorithmic noise. In this manuscript, we first analyze the noise components in physical designs to better model the algorithmic noise. We then perform an information-theoretic (IT) analysis of both shuffling countermeasures. The last part of the manuscript deals with the analysis of real-world architectures: an IT analysis of an Advanced Encryption Standard (AES) core implemented over a 32- and 128-bit wide data-path embedded with intra-cycle shuffling and two flavors of shuffling generation (memory-based and on-line permutation generation). The manuscript is concluded by underlining the benefits which can be achieved with the ICS architecture.
Physical noise is not sufficient to achieve high security levels against side-channel analysis attacks, and time-/amplitude-domain noise emulations are expensive. Compared to software operation shuffling (or cyclic shuffling, CS), intra-cycle shuffling (ICS) eliminates implementation overheads, is algorithm-independent, and can be tailored to better exploit algorithmic noise. In this manuscript, we perform an information-theoretic (IT) analysis of shuffling countermeasures. We demonstrate an analysis on real-world architectures: an AES core implemented over 32- and 128-bit wide data-paths with embedded intra-cycle shuffling, and provide two flavors of shuffling generation.
| ISSN: | 0098-9886, 1097-007X |
|---|---|
| DOI: | 10.1002/cta.2756 |