![Page 1: FewMul FewDepth FewLength - homes.esat.kuleuven.bebbilgin/slides/FewMul2017.pdf · B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: Trade-offs forThreshold Implementations](https://reader034.vdocuments.mx/reader034/viewer/2022051909/5ffe2a4f7fd0eb74af4727c9/html5/thumbnails/1.jpg)
FewMul
Begül Bilgin, Svetla Nikova
April 30, 2017 - FewMul - Paris, France 1
FewDepth FewLength
![Page 2: FewMul FewDepth FewLength - homes.esat.kuleuven.bebbilgin/slides/FewMul2017.pdf · B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: Trade-offs forThreshold Implementations](https://reader034.vdocuments.mx/reader034/viewer/2022051909/5ffe2a4f7fd0eb74af4727c9/html5/thumbnails/2.jpg)
2
Nutshell
Number of multiplications is not the only metric!
Especially when it comes to SCA countermeasures
1st-order security - can be generalised
![Page 3: FewMul FewDepth FewLength - homes.esat.kuleuven.bebbilgin/slides/FewMul2017.pdf · B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: Trade-offs forThreshold Implementations](https://reader034.vdocuments.mx/reader034/viewer/2022051909/5ffe2a4f7fd0eb74af4727c9/html5/thumbnails/3.jpg)
3
Side Channel Analysis
Timing SoundPower Consumption EM RadiationTiming SoundPower Consumption EM Radiation
Security cryptographic algorithm
+ Security implementations
Input OutputCrypto
AlgorithmCrypto
Algorithm
![Page 4: FewMul FewDepth FewLength - homes.esat.kuleuven.bebbilgin/slides/FewMul2017.pdf · B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: Trade-offs forThreshold Implementations](https://reader034.vdocuments.mx/reader034/viewer/2022051909/5ffe2a4f7fd0eb74af4727c9/html5/thumbnails/4.jpg)
Power Analysis
4
Device under attack
Clock generator, Power supply
• Simple Power Analysis • Differential Power Analysis • Correlation Power Analysis • ….
Time
• Simple Power Analysis • Differential Power Analysis • Correlation Power Analysis • ….
![Page 5: FewMul FewDepth FewLength - homes.esat.kuleuven.bebbilgin/slides/FewMul2017.pdf · B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: Trade-offs forThreshold Implementations](https://reader034.vdocuments.mx/reader034/viewer/2022051909/5ffe2a4f7fd0eb74af4727c9/html5/thumbnails/5.jpg)
5
Differential Power Analysis
• Encryptions of different pt using the same key
• Target intermediate results (e.g. Sbox output)
Sbox
pti
keyi ⊕
outi
• Power consumption variation is small
• Detectable using statistics
• Guess keyi
• Group traces
• Wrong key guess → random grouping, no difference
• Correct key guess → correct grouping, difference
![Page 6: FewMul FewDepth FewLength - homes.esat.kuleuven.bebbilgin/slides/FewMul2017.pdf · B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: Trade-offs forThreshold Implementations](https://reader034.vdocuments.mx/reader034/viewer/2022051909/5ffe2a4f7fd0eb74af4727c9/html5/thumbnails/6.jpg)
6
Differential Power Analysis
pt
1234…
abcd…
8aef…
0354...
7791…
c80d…
7e9e...
Take means
Take difference
S(pt1 ⊕ key1)&1
1
0
0
1
1
0
1
key1=00
[courtesy: B.Gierlichs]
![Page 7: FewMul FewDepth FewLength - homes.esat.kuleuven.bebbilgin/slides/FewMul2017.pdf · B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: Trade-offs forThreshold Implementations](https://reader034.vdocuments.mx/reader034/viewer/2022051909/5ffe2a4f7fd0eb74af4727c9/html5/thumbnails/7.jpg)
7
Differential Power Analysis
pt
1234…
abcd…
8aef…
0354...
7791…
c80d…
7e9e...
S(pt1 ⊕ key1)&1
0
1
0
0
0
1
1
key1=2b
Take means
Take difference
Difference of Means
[courtesy: B.Gierlichs]
![Page 8: FewMul FewDepth FewLength - homes.esat.kuleuven.bebbilgin/slides/FewMul2017.pdf · B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: Trade-offs forThreshold Implementations](https://reader034.vdocuments.mx/reader034/viewer/2022051909/5ffe2a4f7fd0eb74af4727c9/html5/thumbnails/8.jpg)
8
Differential Power Analysis
• CMOS: • Data dependent power consumption
0 —> 0 1 —> 1 0 —> 1 1 —> 0
00cc
• Divide and conquer principle
• Depend on a few key bits
![Page 9: FewMul FewDepth FewLength - homes.esat.kuleuven.bebbilgin/slides/FewMul2017.pdf · B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: Trade-offs forThreshold Implementations](https://reader034.vdocuments.mx/reader034/viewer/2022051909/5ffe2a4f7fd0eb74af4727c9/html5/thumbnails/9.jpg)
9
0 —> 0 1 —> 1 0 —> 1 1 —> 0
00cc
0 —> 0 1 —> 1 0 —> 1 1 —> 0
cccc
CountermeasuresConstant power
Wave Dynamic Differential Logic (WDDL)Gate level - change every AND, XOR, … gate
Glitch Free Duplication (GliFreD)LUT level - duplicate® every LUT
![Page 10: FewMul FewDepth FewLength - homes.esat.kuleuven.bebbilgin/slides/FewMul2017.pdf · B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: Trade-offs forThreshold Implementations](https://reader034.vdocuments.mx/reader034/viewer/2022051909/5ffe2a4f7fd0eb74af4727c9/html5/thumbnails/10.jpg)
10
S(x, y, z, ...) (a, b, c, ...)
Operates on sensitive (secret dependent) variable
Not only the nonlinear part of the algorithm
CountermeasuresMasking
![Page 11: FewMul FewDepth FewLength - homes.esat.kuleuven.bebbilgin/slides/FewMul2017.pdf · B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: Trade-offs forThreshold Implementations](https://reader034.vdocuments.mx/reader034/viewer/2022051909/5ffe2a4f7fd0eb74af4727c9/html5/thumbnails/11.jpg)
11
(x1,y1,z1, ...)
(x2,y2,z2, ...)
⊥
=(x, y, z, ...)
S1 (a1,b1,c1, ...)
S2 (a2,b2,c2, ...)
Many different versions: Boolean, multiplicative, polynomial, …
=(a, b, c, ...)
⊥
Always active
No unmasking!
CountermeasuresMasking
![Page 12: FewMul FewDepth FewLength - homes.esat.kuleuven.bebbilgin/slides/FewMul2017.pdf · B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: Trade-offs forThreshold Implementations](https://reader034.vdocuments.mx/reader034/viewer/2022051909/5ffe2a4f7fd0eb74af4727c9/html5/thumbnails/12.jpg)
12
Random input/output shares ➡ Random intermediate values
(x1,y1,z1, ...)
(x2,y2,z2, ...)
⊕
=(x, y, z, ...)
=(a, b, c, ...)
S1 (a1,b1,c1, ...)
S2 (a2,b2,c2, ...)
⊕
unshared shares HW mean
00,0 0
11,1 2
10,1 1
11,0 1
✓ 1st-order DPA security
Boolean Masking
![Page 13: FewMul FewDepth FewLength - homes.esat.kuleuven.bebbilgin/slides/FewMul2017.pdf · B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: Trade-offs forThreshold Implementations](https://reader034.vdocuments.mx/reader034/viewer/2022051909/5ffe2a4f7fd0eb74af4727c9/html5/thumbnails/13.jpg)
13
(x1,y1,z1, ...)
(x2,y2,z2, ...)
⊥
=(x, y, z, ...)
S1 (a1,b1,c1, ...)
S2 (a2,b2,c2, ...)
=(a, b, c, ...)
⊥
Si might be linear
CountermeasuresMasking
![Page 14: FewMul FewDepth FewLength - homes.esat.kuleuven.bebbilgin/slides/FewMul2017.pdf · B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: Trade-offs forThreshold Implementations](https://reader034.vdocuments.mx/reader034/viewer/2022051909/5ffe2a4f7fd0eb74af4727c9/html5/thumbnails/14.jpg)
14
(x1,y1,z1, ...)
(x2,y2,z2, ...)
⊥
=(x, y, z, ...)
S1 (a1,b1,c1, ...)
S2 (a2,b2,c2, ...)
=(a, b, c, ...)
⊥
Si might be AND gate, multiplication, any nonlinear layer, or any quadratic layer
CountermeasuresMasking
![Page 15: FewMul FewDepth FewLength - homes.esat.kuleuven.bebbilgin/slides/FewMul2017.pdf · B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: Trade-offs forThreshold Implementations](https://reader034.vdocuments.mx/reader034/viewer/2022051909/5ffe2a4f7fd0eb74af4727c9/html5/thumbnails/15.jpg)
15
CountermeasuresTrichina AND gate
a1 = x1y1 ⊕ (x1y2 ⊕ (x2y1 ⊕ (x2y2 ⊕ z1)))a2 = z2
a = xy
![Page 16: FewMul FewDepth FewLength - homes.esat.kuleuven.bebbilgin/slides/FewMul2017.pdf · B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: Trade-offs forThreshold Implementations](https://reader034.vdocuments.mx/reader034/viewer/2022051909/5ffe2a4f7fd0eb74af4727c9/html5/thumbnails/16.jpg)
16
CountermeasuresISW
c = a*b
Exponential areaLatency
![Page 17: FewMul FewDepth FewLength - homes.esat.kuleuven.bebbilgin/slides/FewMul2017.pdf · B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: Trade-offs forThreshold Implementations](https://reader034.vdocuments.mx/reader034/viewer/2022051909/5ffe2a4f7fd0eb74af4727c9/html5/thumbnails/17.jpg)
Any Function
•Consolidated Masking Scheme (CMS) / Threshold Implementation (TI)
17
Countermeasures
Some Functions
•GliFreD
•Prouff-Roche
•DoM•ISW
Mult.
•Inner ProductAND
•WDDL•Trichina
![Page 18: FewMul FewDepth FewLength - homes.esat.kuleuven.bebbilgin/slides/FewMul2017.pdf · B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: Trade-offs forThreshold Implementations](https://reader034.vdocuments.mx/reader034/viewer/2022051909/5ffe2a4f7fd0eb74af4727c9/html5/thumbnails/18.jpg)
18
1st-order TI
S1(x1,y1,z1, ...) (a1,b1,c1, ...)
S2(x2,y2,z2, ...) (a2,b2,c2, ...)
S3(x3,y3,z3, ...) (a3,b3,c3, ...)
⊕
⊕
⊕
⊕
= =(x, y, z, ...) (a, b, c, ...)
S1(x1,y1,z1, ...) (a1,b1,c1, ...)
S2(x2,y2,z2, ...) (a2,b2,c2, ...)
S3(x3,y3,z3, ...) (a3,b3,c3, ...)
⊕
⊕
⊕
⊕
= =(x, y, z, ...) (a, b, c, ...)
S4(x4,y4,z4, ...) (a4,b4,c4, ...)⊕ ⊕
td+1 shares
A=1+X+XY+XZ+YZ
nonlinear > 2 shares
![Page 19: FewMul FewDepth FewLength - homes.esat.kuleuven.bebbilgin/slides/FewMul2017.pdf · B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: Trade-offs forThreshold Implementations](https://reader034.vdocuments.mx/reader034/viewer/2022051909/5ffe2a4f7fd0eb74af4727c9/html5/thumbnails/19.jpg)
19
1st-order TI
F1(x1,y1,z1, ...) (a1,b1,c1, ...)
F2(x2,y2,z2, ...) (a2,b2,c2, ...)
F3(x3,y3,z3, ...) (a3,b3,c3, ...)
⊕
⊕
⊕
⊕
= =(x, y, z, ...) (a, b, c, ...)
R1
R2
R3
G1
G2
G3
S = G o F
Separate non-linear functions with registers
Area / latency trade-off
![Page 20: FewMul FewDepth FewLength - homes.esat.kuleuven.bebbilgin/slides/FewMul2017.pdf · B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: Trade-offs forThreshold Implementations](https://reader034.vdocuments.mx/reader034/viewer/2022051909/5ffe2a4f7fd0eb74af4727c9/html5/thumbnails/20.jpg)
20
1st-order TI
If the unshared function is a permutation, the shared function should also be a permutation.
Uniformity
• Apply re-maskinga1
a2
a3
a1 ⊕ m1
a2 ⊕ m2
a3 ⊕ m1 ⊕ m2
• Increase the number of shares
Area / randomness trade-off
S1(x1,y1,z1, ...) (a1,b1,c1, ...)
S2(x2,y2,z2, ...) (a2,b2,c2, ...)
S3(x3,y3,z3, ...) (a3,b3,c3, ...)
⊕
⊕
⊕
⊕
= =(x, y, z, ...) (a, b, c, ...)
![Page 21: FewMul FewDepth FewLength - homes.esat.kuleuven.bebbilgin/slides/FewMul2017.pdf · B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: Trade-offs forThreshold Implementations](https://reader034.vdocuments.mx/reader034/viewer/2022051909/5ffe2a4f7fd0eb74af4727c9/html5/thumbnails/21.jpg)
A. Moradi, A. Poschmann, S. Ling, C. Paar, and H. Wang: Pushing the Limits: A Very Compact and a Threshold Implementation of AES. EUROCRYPT 2011
4244 GE + 5 pipeline stages in S-box + 48 bits extra randomness per S-box
21
1st-order TI of AES
lin.map
GF(24) sq.sc.
GF(24) inverter
inv.lin.map
8-bit4-bit1-bit
l1GF(24) multiplier
l1 l2
l2
l1l3
l1GF(24) multiplier
l1
GF(24) multiplier
Mult : 12 GF(22) multiplications
Depth : 4
Length: 18bits (3x2bits)
![Page 22: FewMul FewDepth FewLength - homes.esat.kuleuven.bebbilgin/slides/FewMul2017.pdf · B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: Trade-offs forThreshold Implementations](https://reader034.vdocuments.mx/reader034/viewer/2022051909/5ffe2a4f7fd0eb74af4727c9/html5/thumbnails/22.jpg)
22
1st-order TI of AES
lin.map
GF(24) squarescaler
GF(24) multiplier
S1
......
S2
...
Ss
(x1, y1, z1, . . .)
(x2, y2, z2, . . .)
(xs, ys, zs, . . .)
(a1, b1, c1, . . .)
(as, bs, cs, . . .)
(a2, b2, c2, . . .)
�
�
�
�
�
�
= =
(x, y, z, . . .) (a, b, c, . . .)
GF(24) inverter
GF(24) multiplier
GF(24) multiplier
S1
......
S2
...
Ss
(x1, y1, z1, . . .)
(x2, y2, z2, . . .)
(xs, ys, zs, . . .)
(a1, b1, c1, . . .)
(as, bs, cs, . . .)
(a2, b2, c2, . . .)
�
�
�
�
�
�
= =
(x, y, z, . . .) (a, b, c, . . .)
inv.lin.map
3 pipeline stages in S-box + 32 bits extra randomness per S-box + 2838 GE
B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: Trade-offs forThreshold Implementations Illustrated on AES. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 2015
Mult : 3 GF(24) operations ~ 4 GF(24) mult.
Depth : 3
Length: 3x4bits (4bits)
![Page 23: FewMul FewDepth FewLength - homes.esat.kuleuven.bebbilgin/slides/FewMul2017.pdf · B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: Trade-offs forThreshold Implementations](https://reader034.vdocuments.mx/reader034/viewer/2022051909/5ffe2a4f7fd0eb74af4727c9/html5/thumbnails/23.jpg)
23
Alternative AES Decompositions
Matthieu Rivain and Emmanuel Prouff. Provably secure higher-order masking of AES. CHES 2010
Craig Gentry, Shai Halevi, and Nigel P. Smart. Homomorphic evaluation of the AES circuit. CRYPTO 2012
4mult + 4depth + 24bits length
4mult + 3depth + 24bits length
![Page 24: FewMul FewDepth FewLength - homes.esat.kuleuven.bebbilgin/slides/FewMul2017.pdf · B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: Trade-offs forThreshold Implementations](https://reader034.vdocuments.mx/reader034/viewer/2022051909/5ffe2a4f7fd0eb74af4727c9/html5/thumbnails/24.jpg)
24
Craig Gentry, Shai Halevi, and Nigel P. Smart. Homomorphic evaluation of the AES circuit. CRYPTO 2012
4mult + 3depth + 24bits length
4nonlinear + 4depth + 16bits length
Alternative AES Decompositions
Jean-Sebastien Coron, Aurelien Greuet, Emmanuel Prouff, and Rina Zeitoun.Faster Evaluation of SBoxes via Common Shares. CHES2016
Claude Carlet, Emmanuel Prouff, Matthieu Rivain, and Thomas Roche Algebraic Decomposition for Probing Security. CRYPTO2015
![Page 25: FewMul FewDepth FewLength - homes.esat.kuleuven.bebbilgin/slides/FewMul2017.pdf · B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: Trade-offs forThreshold Implementations](https://reader034.vdocuments.mx/reader034/viewer/2022051909/5ffe2a4f7fd0eb74af4727c9/html5/thumbnails/25.jpg)
25Boyar and R. Peralta, “A small depth-16 circuit for the AES S- box,” in Information Security and Privacy Research 2012. Courtesy: Jia Hao Kong,Li-Minn Ang,and Kah Phooi Seng. A Very Compact AES-SPIHT Selective Encryption Computer Architecture Design with Improved S-Box.
Hindawi Publishing Corporation Journal of Engineering
AND depth 4
Optimised for #AND and logical depth
Alternative AES Decompositions
![Page 26: FewMul FewDepth FewLength - homes.esat.kuleuven.bebbilgin/slides/FewMul2017.pdf · B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: Trade-offs forThreshold Implementations](https://reader034.vdocuments.mx/reader034/viewer/2022051909/5ffe2a4f7fd0eb74af4727c9/html5/thumbnails/26.jpg)
26
What is the issue?
• AES S-box is big and has a high degree
A. Poschmann, A. Moradi, K. Khoo, C.-W. Lim, H. Wang, and S. Ling. Side-channel resistant crypto for less than 2,300 GE
Present = oS1 S2 4x4
Sboxes:
cubic quadratics
B. Bilgin, S. Nikova, V. Nikov, V. Rijmen, N. Tokareva, and V. Vitkup,. Threshold Implementations of Small S-boxes
• Such a decomposition exists for many 4-bit S-boxes
unshared 3 shares
![Page 27: FewMul FewDepth FewLength - homes.esat.kuleuven.bebbilgin/slides/FewMul2017.pdf · B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: Trade-offs forThreshold Implementations](https://reader034.vdocuments.mx/reader034/viewer/2022051909/5ffe2a4f7fd0eb74af4727c9/html5/thumbnails/27.jpg)
27
DES
Si 6 4
Si1 6 4Si2
Si3 Si4
4
2
•SubBytes ➙ Eight 6x4 Sboxes ! Each Sbox ➙ deg>2
•Implementing all is inefficient
![Page 28: FewMul FewDepth FewLength - homes.esat.kuleuven.bebbilgin/slides/FewMul2017.pdf · B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: Trade-offs forThreshold Implementations](https://reader034.vdocuments.mx/reader034/viewer/2022051909/5ffe2a4f7fd0eb74af4727c9/html5/thumbnails/28.jpg)
28B.Bilgin, M. Knezevic, V. Nikov, S. Nikova, Compact Implementations of Multi-Sbox designs, Cardis 2015
DES
![Page 29: FewMul FewDepth FewLength - homes.esat.kuleuven.bebbilgin/slides/FewMul2017.pdf · B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: Trade-offs forThreshold Implementations](https://reader034.vdocuments.mx/reader034/viewer/2022051909/5ffe2a4f7fd0eb74af4727c9/html5/thumbnails/29.jpg)
29
What is the issue?
• AES S-box is big and has a high degree
• Can we think of these issues during the design process?
S = o oS1 S2 … Sn o
![Page 30: FewMul FewDepth FewLength - homes.esat.kuleuven.bebbilgin/slides/FewMul2017.pdf · B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: Trade-offs forThreshold Implementations](https://reader034.vdocuments.mx/reader034/viewer/2022051909/5ffe2a4f7fd0eb74af4727c9/html5/thumbnails/30.jpg)
30
What is the issue?
• AES S-box is big and has a high degree
• Can we think of these issues during the design process?
Erik Boss, Vincent Grosso, Tim Guneysu, Gregor Leander, Amir Moradi, and Tobias Schneider. Strong 8-bit S-boxes with Efficient Masking in Hardware, CHES 2016
![Page 31: FewMul FewDepth FewLength - homes.esat.kuleuven.bebbilgin/slides/FewMul2017.pdf · B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: Trade-offs forThreshold Implementations](https://reader034.vdocuments.mx/reader034/viewer/2022051909/5ffe2a4f7fd0eb74af4727c9/html5/thumbnails/31.jpg)
31
What is the issue?
• AES S-box is big and has a high degree
• Can we think of these issues during the design process?
• Is high degree round function really necessary?
• Maybe not: Keccak, LowMC, MimC, …
D. Bozilov, B. Bilgin, and H. A. Sahin, A Note on 5-bit Quadratic Permutations’ Classification, In IACR Transactions on Symmetric Cryptology, 2017.
![Page 32: FewMul FewDepth FewLength - homes.esat.kuleuven.bebbilgin/slides/FewMul2017.pdf · B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: Trade-offs forThreshold Implementations](https://reader034.vdocuments.mx/reader034/viewer/2022051909/5ffe2a4f7fd0eb74af4727c9/html5/thumbnails/32.jpg)
32
Conclusion
•First FewMul then SCA countermeasure can be
costly
•Consider SCA during design
•FewMul/FewDepth/FewLength trade-off
![Page 33: FewMul FewDepth FewLength - homes.esat.kuleuven.bebbilgin/slides/FewMul2017.pdf · B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: Trade-offs forThreshold Implementations](https://reader034.vdocuments.mx/reader034/viewer/2022051909/5ffe2a4f7fd0eb74af4727c9/html5/thumbnails/33.jpg)
33
Thank you!