Threshold implementations have emerged as one of themost popular masking countermeasures for hardware implementations of cryptographic primitives. In this work, we provide three TI optimization techniques: First, a generic construction for d + 1 TI sharing achieves the minimal number of output shares for any n-input Boolean function of degree t = n - 1 and for any d. Next, we present a methodology for finding minimal number of output shares in d + 1 TI when t n - 1. Third, a heuristic for minimizing the number of output shares for higher-order td + 1 TI for any n, any t and d = 2 is proposed. In addition, we describe an optimization for the secure AES schedule which achieves maximum throughput for a serial implementation. Then, we demonstrate the applicability of our results on d + 1 and td + 1 TI versions, for first- and second-order secure, low-latency and low-energy implementations of the PRINCE block cipher. We show the fastest and the most energy efficient known TI-protected implementations of PRINCE.
展开▼