
Shuffling Across Rounds: A Lightweight Strategy

To Counter Side-channel Attacks


Sikhar Patranabis∗, Debapriya Basu Roy∗, Praveen Kumar Vadnala∗, Debdeep Mukhopadhyay∗, and Santosh Ghosh‡

∗ Department of Computer Science and Engineering, IIT Kharagpur, India
sikhar.patranabis@iitkgp.ac.in, deb.basu.roy@cse.iitkgp.ernet.in, praveen.vadnala@gmail.com, debdeep@cse.iitkgp.ernet.in

‡ Intel Labs, Hillsboro, Oregon, USA
santosh.ghosh@intel.com

Abstract—Side-channel attacks are a potent threat to the security of devices implementing cryptographic algorithms. Designing lightweight countermeasures against side-channel analysis that can run on resource-constrained devices is a major challenge. One such lightweight countermeasure is shuffling, in which the designer randomly permutes the order of execution of potentially vulnerable operations. State-of-the-art shuffling countermeasures advocate shuffling a set of independent operations in a single round of a cryptographic algorithm, but are often found to be insufficient as standalone countermeasures. In this paper, we propose a two-round version of the shuffling countermeasure, and test its security when applied to a serialized implementation of AES-128 using Test Vector Leakage Assessment (TVLA). Our results show that the number of traces required to break AES-128 implemented using our proposed countermeasure is significantly larger than for implementations using simple one-round shuffling. Furthermore, the new shuffling method has a significantly lower overhead of around 1.3 times, as compared to other side-channel countermeasures such as masking that have an overhead of approximately two times.

I. INTRODUCTION

Several side-channels such as timing, power and electromagnetic emission have been successfully exploited from devices implementing cryptographic algorithms to recover the secret key [1], [2], [3], [4]. One of the most powerful among them is the Differential Power Analysis (DPA) attack, which consists of a four-step procedure. In the first step, the attacker records the power consumption of the device while it is performing cryptographic operations at different instances in time (samples) for a number of random inputs (traces). Next, they compute the value of a chosen intermediate variable for all the possible key candidates. Note that a DPA attack uses a divide-and-conquer approach, and hence the brute-force search here is limited to a part of the full key (e.g. 8 bits in the case of AES). Then, they map the hypothetical intermediate values computed in Step 2 to hypothetical power values using a suitable power model (e.g. Hamming weight, Hamming distance). Finally, a statistical distinguisher (such as distance-of-means or Pearson's correlation coefficient) is used to distinguish between the correct and wrong key candidates.

The main factor in quantifying the security of an implementation against side-channel attacks is the number of traces required to recover the secret key. Hence, to protect against these attacks, several countermeasures have been proposed to increase the data complexity. One of the approaches often employed here is to decrease the signal-to-noise ratio (SNR) (i.e., the ratio of the variance of the leakage signal to the variance of the noise present in the device) by adding noise [5], [6]. However, these countermeasures are generally ad hoc and hence provide only limited resistance. On the other hand, countermeasures based on randomizing the intermediate variables (called masking) have been shown to be highly resistant against DPA attacks [7], [8], [9]. However, the cost of implementing masking is at least twice that of a naive implementation, and hence it is not suitable for highly resource-constrained devices.

A. Shuffling

Shuffling is a lightweight countermeasure which can amplify the device noise [10], [11], [12]. In shuffling, a set of sensitive operations in a cryptographic algorithm is randomly permuted in terms of execution order, while ensuring the overall correctness of the algorithm. An important aspect of a shuffled implementation of any algorithm is the shuffling range, that is, the set of operations shuffled in time. All the shuffling-based countermeasures that have appeared in the literature permute a set of independent sensitive operations, such as S-box computations, within a single round of the cryptographic algorithm. This ensures that the additional cost of implementing the countermeasure is relatively small compared to masking. However, shuffling within a single round is often not enough as a standalone countermeasure to resist side-channel attacks [10], [13], [14].

B. Our Contributions

The contributions of this paper may be summarized as follows:

1) In this paper, we explore the possibility of enhancing the shuffling range to operations spanning multiple rounds of a cryptographic algorithm, instead of a single round as is prevalent in the current literature. We present a general analysis of the security of such schemes against

1 The authors would like to acknowledge Intel Corporation, Intel Labs for partial funding of the work under the project "LightCrypto: Ultra-Light-weight Robust Crypto-Architectures for Performance and Energy".

978-1-5090-5142-7/16/$31.00 ©2016 IEEE
a powerful SCA adversary capable of mounting higher-order or integrated DPA attacks, which can serve as a design guideline for countermeasure designers.

2) We propose a novel countermeasure for block ciphers that shuffles a set of sensitive operations (e.g. S-box computation) spanning across two consecutive rounds r − 1 and r of a cryptographic algorithm, instead of shuffling the operations within only one round r. The main advantage of this approach is that it increases side-channel resistance by forcing the adversary to enumerate a larger number of possible permutations before mounting an attack. Additionally, it is still a lightweight countermeasure since it requires roughly the same number of calls to a random number generator as in the case of one-round shuffling to generate the permutations.

3) We implement AES-128 using our proposed countermeasure. We establish via simulation studies as well as experiments on FPGA-based implementations that our proposed countermeasure affords significantly greater security than standard one-round shuffling-based countermeasures, while maintaining competitive area and timing overheads for lightweight applications.

Thus, given a block cipher parameterized by (N, m), our aforementioned analysis allows us to evaluate a lower bound on the side-channel security afforded by shuffling across k rounds. Finally, we point out that shuffling beyond 3 rounds becomes too computationally expensive to be useful as a lightweight countermeasure. Hence, in the forthcoming section, we present our proposed countermeasure design using shuffling range k = 2.

II. OUR PROPOSED COUNTERMEASURE: A TWO-ROUND SHUFFLING ALGORITHM

In this section, we introduce our proposed countermeasure against side-channel attacks: a two-round shuffling algorithm. We first present our idea using a simple example and then provide a formal description in Algorithm 1. Next, as a case study we consider AES-128 and describe how we can protect it using our countermeasure.

A. Notations

Let a cryptographic algorithm consist of R rounds, each with N operations. For each pair of consecutive rounds (r − 1, r), where 2 ≤ r ≤ R/2, we denote by S_I the set of N independent operations in the first of these rounds, and by S_D the set of N dependent operations in the second of these rounds. Note that in this context, an independent operation is one that does not depend on any of the other operations in these two rounds only. Also, let the sets S_I and S_D be partitioned such that every partition of S_D, S_{D,j} with |S_{D,j}| = m ∀j ∈ {1, …, N/m}, depends on exactly one partition of S_I, S_{I,j} with |S_{I,j}| = m ∀j ∈ {1, …, N/m}.

B. Algorithm Description

Algorithm 1 gives our proposed two-round shuffling countermeasure against side-channel attacks. Given a set of N independent operations S_I and N dependent operations S_D, and a parameter m where every partition of S_D, S_{D,j} with |S_{D,j}| = m ∀j ∈ {1, …, N/m}, depends on exactly one partition of S_I, S_{I,j} with |S_{I,j}| = m ∀j ∈ {1, …, N/m}, the algorithm outputs a shuffled permutation P of the 2N operations respecting the dependency constraints.

C. Security Analysis: Comparison with No Shuffling and One-Round Shuffling

This section presents a comparison of our proposed two-round shuffling countermeasure with an unprotected implementation as well as an implementation protected using the standard one-round shuffling. Note that we have the following

Algorithm 1 TRShuffling
Require: A set of N independent operations S_I and N dependent operations S_D; a parameter m where every partition of S_D, S_{D,j} with |S_{D,j}| = m ∀j ∈ {1, …, N/m}, depends on exactly one partition of S_I, S_{I,j} with |S_{I,j}| = m ∀j ∈ {1, …, N/m}; a function RInd(P, start, end) which returns a random index j such that start ≤ j ≤ end and P[j] = −1; and a function FindRearInd(P, m, end) which returns the index j such that there are exactly m positions l in (P[j + 1], …, P[end]) with P[l] = −1 (for j + 1 ≤ l ≤ end).
Ensure: A shuffled permutation P of the 2N operations respecting the dependency constraints.
1: start ← 1
2: end ← 2N − m
3: P[1 … 2N] ← {−1, · · · , −1}
4: Create random permutation p1 of the set {1, · · · , N/m}
5: Create random permutation p2 of the set {1, · · · , m}
6: for i := 1 to N/m do
7:   max_empty_pos ← 0
8:   for j := 1 to m do
9:     empty_pos ← RInd(P, start, end)
10:    P[empty_pos] ← S_{I,p1(i)}[p2(j)]
11:    if empty_pos > max_empty_pos then
12:      max_empty_pos ← empty_pos
13:    end if
14:  end for
15:  start ← max_empty_pos + 1
16:  end ← 2N
17:  for j := 1 to m do
18:    empty_pos ← RInd(P, start, end)
19:    P[empty_pos] ← S_{D,p1(i)}[p2(j)]
20:  end for
21:  start ← 1
22:  end ← FindRearInd(P, m, 2N)
23: end for
24: return P
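As an added example (my own code, not the authors' implementation), Algorithm 1 rendered line by line in Python, together with a checker for its Ensure clause. Everything beyond the pseudocode is an assumption of mine: operations are tuples (kind, partition, index); RInd picks uniformly among the empty slots in range; FindRearInd returns the largest index that satisfies its definition (several may) and returns 0 on the final iteration, when the array is already full and the paper leaves the call unspecified; `make_ops`, `respects_dependencies` and `run_demo` are helpers that exist only here.

```python
import random

# Added example, not the paper's code: Algorithm 1 (TRShuffling) rendered in
# Python with a checker for its Ensure clause.  Operations are my own tuples
# (kind, partition, index), kind "I" for the independent set S_I of round r-1
# and "D" for the dependent set S_D of round r.  Slots are 1-indexed as in
# the paper (P[0] is unused), and an empty slot holds -1.


def make_ops(N, m):
    """Constructed input: N independent and N dependent operations in N/m
    partitions of size m, where S_D[j] depends on exactly S_I[j]."""
    assert N % m == 0, "m must divide N"
    k = N // m
    S_I = [[("I", j, t) for t in range(m)] for j in range(k)]
    S_D = [[("D", j, t) for t in range(m)] for j in range(k)]
    return S_I, S_D


def rind(P, start, end, rng):
    """RInd(P, start, end): a random index j with start <= j <= end and P[j] == -1."""
    empty = [j for j in range(start, end + 1) if P[j] == -1]
    if not empty:
        raise RuntimeError("no empty slot in [%d, %d]" % (start, end))
    return rng.choice(empty)


def find_rear_ind(P, m, end):
    """FindRearInd(P, m, end): an index j such that exactly m empty slots lie in
    P[j+1 .. end].  Several j may qualify; the largest is returned (my choice).
    On the final iteration the array is already full; the paper leaves that call
    unspecified, so 0 is returned, which is never used (assumption)."""
    seen = 0
    for j in range(end, 0, -1):
        if P[j] == -1:
            seen += 1
            if seen == m:
                return j - 1
    return 0


def tr_shuffle(S_I, S_D, m, rng):
    """Algorithm 1: a permutation of all 2N operations in which every
    dependent partition S_D[j] is scheduled after all of S_I[j]."""
    k = len(S_I)
    N = k * m
    P = [-1] * (2 * N + 1)                 # line 3: every slot empty
    p1 = list(range(k))                    # line 4: random order of partitions
    rng.shuffle(p1)
    p2 = list(range(m))                    # line 5: random order within a partition
    rng.shuffle(p2)
    start, end = 1, 2 * N - m              # lines 1-2: keep m slots free at the rear
    for i in range(k):                     # line 6
        max_empty_pos = 0                  # line 7
        for j in range(m):                 # lines 8-14: place the independent ops
            pos = rind(P, start, end, rng)
            P[pos] = S_I[p1[i]][p2[j]]
            max_empty_pos = max(max_empty_pos, pos)
        start, end = max_empty_pos + 1, 2 * N      # lines 15-16
        for j in range(m):                 # lines 17-20: dependents strictly later
            pos = rind(P, start, end, rng)
            P[pos] = S_D[p1[i]][p2[j]]
        start, end = 1, find_rear_ind(P, m, 2 * N)  # lines 21-22
    return P[1:]                           # line 24


def respects_dependencies(P, S_I, S_D):
    """Ensure clause: P is a permutation of all 2N operations and, for every
    partition j, each op of S_D[j] comes after every op of S_I[j]."""
    all_ops = [op for part in S_I + S_D for op in part]
    if any(op == -1 for op in P) or sorted(P) != sorted(all_ops):
        return False
    where = {op: idx for idx, op in enumerate(P)}
    for j in range(len(S_I)):
        if min(where[op] for op in S_D[j]) < max(where[op] for op in S_I[j]):
            return False
    return True


def run_demo(N, m, seed):
    """Shuffle a constructed (N, m) instance with a seeded RNG and validate it."""
    S_I, S_D = make_ops(N, m)
    P = tr_shuffle(S_I, S_D, m, random.Random(seed))
    return P, respects_dependencies(P, S_I, S_D)


if __name__ == "__main__":
    # The case-study shape: N = 16 S-boxes per round, here with m = 4.
    P, ok = run_demo(16, 4, seed=1)
    print("respects dependencies:", ok)
    print(" ".join("%s%d.%d" % op for op in P))
```

Running the demo prints a 32-slot schedule in which independent operations of one partition freely interleave with dependent operations of other partitions; only the per-partition order (all of S_{I,j} before any of S_{D,j}) is constrained, which is what makes the set of reachable schedules larger than that of one-round shuffling. The initial `end = 2N − m` and the `FindRearInd` update are what guarantee that RInd always finds a free slot: they reserve m empty positions behind the most recently placed independent operations for the dependents that must follow them.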

2016 IEEE 34th International Conference on Computer Design (ICCD) 441


Fig. 1: Proposed Hardware Architecture for Two-Round Shuffled AES-128

security levels for one-round and two-round shuffling respectively, as compared to an unprotected implementation:

$\frac{S_{\text{1-round shuffling}}}{S_{\text{unprotected}}} \geq N$ (1)

$\frac{S_{\text{2-round shuffling}}}{S_{\text{unprotected}}} \geq (2N - m)$ (2)

Thus we conclude that our proposed countermeasure provides better security against strong SCAs such as integrated DPA as compared to the standard one-round shuffling countermeasure. In addition, the quantitative security of our countermeasure depends not only on the number of operations N, but also on the operation dependency parameter m. Lower values of m seem to provide greater security in this regard.

III. CASE STUDY: APPLICATION OF OUR COUNTERMEASURE TO AES-128

In this section, we present a case study where we apply our generic two-round shuffling algorithm to an implementation of AES-128. Standard shuffled implementations of AES usually process the independent S-box computations within each round in a random order. In that case, the random permutation can be easily obtained by generating 15 randoms corresponding to 16 S-box computations. In our shuffled implementation of AES, the permutation spans across the S-box computations in two consecutive rounds r − 1 and r.

A. Implementation

The architecture for our shuffled implementation of AES-128 is demonstrated in Figure 1. The resource requirements on a Virtex-5 FPGA are presented in Table I, and compared with those for one-round shuffling. In particular, the two-round shuffled implementation takes about 1.25 times more slice count on a Virtex-5 FPGA than the one-round shuffled implementation.

IV. SIMULATION RESULTS

In this section, we experimentally validate the security of our proposed shuffling countermeasure across two rounds when applied to AES-128. We compare the security of our countermeasure with two other implementations of AES-128: AES with no shuffling and AES with shuffling within a single round. In order to evaluate and compare the security of the different implementations, we use the Test Vector Leakage Assessment (TVLA) [15], [16] methodology. We performed a non-specific TVLA test with two sets of side-channel traces, one with randomly chosen plaintexts and the other with a fixed plaintext, which are interleaved randomly. In the side-channel literature, a TVLA leakage of less than ±4.5 across all sample points of a trace certifies a given implementation to be very difficult to break using side-channel attacks.

Figure 2 presents a comparative study of the TVLA leakage from the two different implementations of AES-128, namely AES with single-round shuffling and our proposed countermeasure involving shuffling across two rounds. The noise-free leakage is simulated assuming a Hamming distance model, and is combined with zero-mean Gaussian noise having different variance levels to obtain different sets of power traces for the comparison study. Each set comprises 10^5 sample traces for both fixed and random plaintexts. It is quite clear that in each of the three scenarios presented here, our proposed two-round shuffling countermeasure has appreciably lower side-channel leakage compared to one-round shuffling for the same number of traces.

V. EXPERIMENTAL RESULTS ON HARDWARE

This section presents a comparative study of the TVLA leakage from the two serialized implementations of AES-128 on a Virtex-5 FPGA (XC5VLX50), using a SASEBO-GII board. The TVLA test is executed on actual power traces, collected using a Tektronix DPO4034B oscilloscope, comprising 10^5 sample traces for both fixed and random plaintexts. Figure 3 summarizes the result. Once again, we observe that the TVLA leakage for two-round shuffling is lower as compared to one-round shuffling. In addition, while the leakage for one-round shuffling crosses the safe threshold of 4.5 in approximately 7 × 10^4 traces, the leakage for two-round shuffling does not exceed the safe threshold for 10^5 traces.

VI. CONCLUSION

This paper presented a new lightweight shuffling-based countermeasure for cryptographic implementations secure against side-channel attacks. Contrary to the existing shuffling countermeasures that only derange various sensitive operations across a single round of the algorithm, our proposed countermeasure presents an adversary with a significantly higher number of possible derangements, spanning across two rounds, that need to be enumerated for a successful attack. As a case study, we illustrated how our proposed countermeasure can be applied to the standard block cipher AES-128. We performed a test vector leakage assessment (TVLA) based side-channel security evaluation on our proposed countermeasure



Architecture          Look-Up Tables   Registers   Slices   Min. Period
One Round Shuffling   842              464         403      12.13 ns
Two Round Shuffling   1188             689         503      14.28 ns

TABLE I: Resource Requirements on Virtex-5 FPGA: Shuffled AES-128

Fig. 2: Comparison of TVLA Leakage from Simulated Power Traces. (a) Noise Variance = 500; (b) Noise Variance = 550; (c) Noise Variance = 600
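The non-specific fixed-vs-random TVLA test that Sections IV and V apply (and that Fig. 2 plots), as an added example of my own rather than the authors' simulation or hardware setup. It runs Welch's t-test on constructed, simulated traces and compares an unshuffled round against one-round shuffling; the two-round schedule of Algorithm 1 is not modelled here. All modelling choices are assumptions: a round is 16 sample points, one per S-box, each leaking the Hamming weight of (plaintext byte XOR key byte) plus zero-mean Gaussian noise (the paper's simulation uses a Hamming-distance model), the key and the fixed plaintext are constructed, and the 4.5 bound is the paper's threshold.

```python
import math
import random

# Added example, not the paper's code: a non-specific fixed-vs-random TVLA
# (Welch's t-test) over constructed, simulated traces, in the spirit of the
# Section IV evaluation.  Modelling assumptions, all mine: a round is N = 16
# sample points, one per S-box, each leaking the Hamming weight of
# (plaintext byte XOR key byte) plus zero-mean Gaussian noise (the paper uses
# a Hamming-distance model); one-round shuffling sends S-box i to a fresh
# random sample point in every trace.  Key and fixed plaintext are constructed.

N_SBOX = 16
THRESHOLD = 4.5                               # pass/fail bound used by the paper
KEY = bytes(range(0x2B, 0x2B + N_SBOX))       # constructed, arbitrary key
# Constructed fixed plaintext: after key addition byte 0 has Hamming weight 8,
# byte 1 has weight 0 and the other 14 bytes have weight 4, so the fixed set
# leaks extreme values at exactly two sample points of an unshuffled trace.
FIXED_PT = bytes([KEY[0] ^ 0xFF, KEY[1]] + [KEY[i] ^ 0x0F for i in range(2, N_SBOX)])


def hw(x):
    return bin(x).count("1")


def simulate_trace(pt, shuffled, sigma, rng):
    """One trace of N_SBOX samples: S-box i lands at sample i (unshuffled) or at
    sample order[i] for a random permutation `order` (one-round shuffling)."""
    order = list(range(N_SBOX))
    if shuffled:
        rng.shuffle(order)
    trace = [0.0] * N_SBOX
    for i in range(N_SBOX):
        trace[order[i]] = hw(pt[i] ^ KEY[i]) + rng.gauss(0.0, sigma)
    return trace


def collect(n, shuffled, sigma, seed):
    """n fixed-plaintext and n random-plaintext traces, acquired in a randomly
    interleaved order as the paper does."""
    rng = random.Random(seed)
    labels = [True] * n + [False] * n
    rng.shuffle(labels)
    fixed, rand = [], []
    for is_fixed in labels:
        pt = FIXED_PT if is_fixed else bytes(rng.randrange(256) for _ in range(N_SBOX))
        (fixed if is_fixed else rand).append(simulate_trace(pt, shuffled, sigma, rng))
    return fixed, rand


def welch_t(a, b):
    """Welch's t statistic between two samples (unbiased variances)."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    va = sum((x - ma) ** 2 for x in a) / (len(a) - 1)
    vb = sum((x - mb) ** 2 for x in b) / (len(b) - 1)
    return (ma - mb) / math.sqrt(va / len(a) + vb / len(b))


def tvla(fixed, rand):
    """t statistic at every sample point, plus the largest |t| over the trace."""
    ts = [welch_t([tr[s] for tr in fixed], [tr[s] for tr in rand]) for s in range(N_SBOX)]
    return ts, max(abs(t) for t in ts)


def max_leakage(shuffled, n=2000, sigma=2.0, seed=7):
    """Peak |t| of a fixed-vs-random test on n + n simulated traces."""
    fixed, rand = collect(n, shuffled, sigma, seed)
    return tvla(fixed, rand)[1]


if __name__ == "__main__":
    for label, shuffled in (("no shuffling", False), ("one-round shuffling", True)):
        peak = max_leakage(shuffled)
        verdict = "fails TVLA" if peak > THRESHOLD else "passes TVLA"
        print("%-20s max |t| = %6.2f  %s" % (label, peak, verdict))
```

For the unshuffled round the t statistic at sample 0 is on the order of +50 and at sample 1 on the order of −50 with 2000 traces per set, far beyond the threshold, because the fixed plaintext leaks a constant extreme value at those two points. With one-round shuffling, each sample point sees the leakage of a random S-box, so the fixed-plaintext mean at every point becomes the average over the 16 bytes, which in this construction equals the random-plaintext mean, and all 16 t values stay near N(0, 1). Two caveats a practitioner should keep in mind: shuffling redistributes leakage over time rather than removing it, so a fixed plaintext whose bytes all leak heavily would still fail this first-order test even when shuffled, and the test only measures first-order (mean) differences, which is exactly the setting in which the paper's Section II.C argues that the larger position set of two-round shuffling (Eq. (2)) buys more security than one-round shuffling (Eq. (1)).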

Fig. 3: Hardware Result: TVLA Leakage from Actual Power Traces

using leakages estimated from simulated power traces. Our experiments illustrate that the leakage from our proposed method is significantly lower compared to state-of-the-art one-round shuffling algorithms, with a resource overhead less than two times.

REFERENCES

[1] P. Kocher, J. Jaffe, and B. Jun, "Differential power analysis," in Advances in Cryptology, CRYPTO 99. Springer, 1999, pp. 388–397.
[2] J.-F. Dhem, F. Koeune, P.-A. Leroux, P. Mestré, J.-J. Quisquater, and J.-L. Willems, "A practical implementation of the timing attack," in Smart Card Research and Applications. Springer, 1998, pp. 167–182.
[3] E. De Mulder, P. Buysschaert, S. B. Örs, P. Delmotte, B. Preneel, G. Vandenbosch, and I. Verbauwhede, "Electromagnetic analysis attack on an FPGA implementation of an elliptic curve cryptosystem," in Computer as a Tool, 2005. EUROCON 2005. The International Conference on, vol. 2. IEEE, 2005, pp. 1879–1882.
[4] D. Agrawal, B. Archambeault, J. R. Rao, and P. Rohatgi, "The EM side-channel(s)," in Cryptographic Hardware and Embedded Systems – CHES 2002, 4th International Workshop, Redwood Shores, CA, USA, August 13-15, 2002, Revised Papers, 2002, pp. 29–45.
[5] L. Benini, A. Macii, E. Macii, E. Omerbegovic, F. Pro, and M. Poncino, "Energy-aware design techniques for differential power analysis protection," in Proceedings of the 40th Design Automation Conference, DAC 2003, Anaheim, CA, USA, June 2-6, 2003, 2003, pp. 36–41.
[6] S. Yang, W. Wolf, N. Vijaykrishnan, D. N. Serpanos, and Y. Xie, "Power attack resistant cryptosystem design: A dynamic voltage and frequency switching approach," in 2005 Design, Automation and Test in Europe Conference and Exposition (DATE 2005), 7-11 March 2005, Munich, Germany, 2005, pp. 64–69.
[7] M.-L. Akkar and C. Giraud, "An implementation of DES and AES, secure against some attacks," in Cryptographic Hardware and Embedded Systems – CHES 2001. Springer, 2001, pp. 309–318.
[8] F.-X. Standaert, E. Peeters, and J.-J. Quisquater, "On the masking countermeasure and higher-order power analysis attacks," in Information Technology: Coding and Computing, 2005. ITCC 2005. International Conference on, vol. 1. IEEE, 2005, pp. 562–567.
[9] H. Maghrebi, J.-L. Danger, F. Flament, S. Guilley, and L. Sauvage, "Evaluation of countermeasure implementations based on Boolean masking to thwart side-channel attacks," in Signals, Circuits and Systems (SCS), 2009 3rd International Conference on. IEEE, 2009, pp. 1–6.
[10] N. Veyrat-Charvillon, M. Medwed, S. Kerckhof, and F.-X. Standaert, "Shuffling against side-channel attacks: A comprehensive study with cautionary note," in Advances in Cryptology – ASIACRYPT 2012. Springer, 2012, pp. 740–757.
[11] T. Güneysu and A. Moradi, "Generic side-channel countermeasures for reconfigurable devices," in Cryptographic Hardware and Embedded Systems – CHES 2011. Springer, 2011, pp. 33–48.
[12] M. Rivain, E. Prouff, and J. Doget, "Higher-order masking and shuffling for software implementations of block ciphers," in Cryptographic Hardware and Embedded Systems – CHES 2009. Springer, 2009, pp. 171–188.
[13] A. Moradi and A. Poschmann, "Lightweight cryptography and DPA countermeasures: A survey," in Financial Cryptography and Data Security. Springer, 2010, pp. 68–79.
[14] S. Tillich and C. Herbst, "Attacking state-of-the-art software countermeasures – a case study for AES," in Cryptographic Hardware and Embedded Systems – CHES 2008. Springer, 2008, pp. 228–243.
[15] J. Cooper, E. De Mulder, G. Goodwill, J. Jaffe, G. Kenworthy, P. Rohatgi et al., "Test vector leakage assessment (TVLA) methodology in practice," in International Cryptographic Module Conference, 2013.
[16] T. Schneider and A. Moradi, "Leakage assessment methodology," in Cryptographic Hardware and Embedded Systems – CHES 2015. Springer, 2015, pp. 495–513.

