This article has been accepted for inclusion in a future issue of this journal.
Content is final as presented, with the exception of pagination.
IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS
Securing the PRESENT Block Cipher
Against Combined Side-Channel
Analysis and Fault Attacks
Thomas De Cnudde and Svetla Nikova
Abstract— In this paper, we present and evaluate a hardware
implementation of the PRESENT block cipher secured against
both side-channel analysis and fault attacks (FAs). The
side-channel security is provided by the first-order threshold
implementation masking scheme of the serialized PRESENT
proposed by Poschmann et al. For the FA resistance, we employ
the Private Circuits II countermeasure presented by Ishai et al.
at Eurocrypt 2006, which we tailor to resist arbitrary 1-bit faults.
We perform a side-channel evaluation using the state-of-the-art
leakage detection tests, quantify the resource overhead of the
Private Circuits II countermeasure, subdue the implementation
to established differential FAs against the PRESENT block
cipher, and contemplate on the structural resistance of the
countermeasure. This paper provides the detailed instructions
on how to successfully achieve a secure Private Circuits II
implementation for the data path as well as the control logic.
Index Terms— Countermeasures, differential fault analy-
sis (DFA), differential power analysis (DPA), masking, PRESENT,
private circuits, threshold implementations (TIs).
I. I NTRODUCTION
T HE presence of symmetric cryptography in embed-
ded systems is necessary to achieve confidentiality and
integrity for both the users and their data. Whereas modern
ciphers offer strong, computationally unbreakable security
on the algorithmic level, many of their implementations are
susceptible to physical attacks. Physical attacks exploit char-
acteristics of the implementation itself in order to retrieve
secret keys with much more ease compared with cryptana-
lytic or brute-force attacks.
Two well-known classes of physical attacks are side-channel
analysis (SCA) and fault attacks (FAs). In SCA, a passive
adversary observes, e.g., the time duration [1], the power
consumption [2], or the electromagnetic emanation [3], [4]
of the cryptosystem in an attempt to obtain information
about sensitive values of the computed algorithm. Popular
Manuscript received January 21, 2017; revised April 22, 2017; accepted
May 25, 2017. This work was supported in part by NIST under
Grant 60NANB15D346, in part by the Research Council KU Louvain under
Grant OT/13/071, and in part by the Flemish Government through the
FWO Project Cryptography secured against side-channel attacks by tailored
implementations enabled by future technologies under Grant G0842.13. The
work of T. De Cnudde was supported by the Institute for the Promotion of
Innovation through Science and Technology in Flanders (IWT-Vlaanderen).
(Corresponding author: Thomas De Cnudde.)
The authors are with KU Leuven, Leuven, Belgium, and also with
imec, 3001 Leuvan, Belgium (e-mail: thomas.decnudde@kuleuven.be;
svetla.nikova@kuleuven.be).
Digital Object Identifier 10.1109/TVLSI.2017.2713483
1063-8210 © 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
1
approaches to mount such attacks are differential power analy-
sis (DPA) [2] and correlation power analysis [5]. FAs, on the
other hand, require an active adversary, that is, the adversary
tampers with the device and exploits its behavior afterward [6].
An attack that illustrates the power of FAs is differential fault
analysis (DFA) [7]. SCA and FA can be combined to form
even more powerful attacks [8]–[12].
Countermeasures are required to harden embedded systems
against such real-world attacks. Similar to the classification
of the attacks, countermeasures have been predominantly
researched separately. For SCA, a popular and widely imple-
mented countermeasure is masking [13], [14]. It provides
provable security [15] by randomizing the computed interme-
diates on the algorithmic level in order to decorrelate secret
values from their side channels. Countermeasures against
FAs generally rely on some form of redundancy. Either a
given computation is repeated (time redundancy) or the same
operation is computed in parallel (area redundancy) in order
to check whether a fault was injected [16]. Appending error
correction or detection codes to the intermediate values forms
another option for increasing the system’s security [17]. Yet
another approach is to rely on shielding countermeasures,
e.g., shielding parts of an integrated circuit (IC) to prevent
optical attacks [18]. In case tampering is detected, an alarm
can be triggered to withhold the faulty ciphertexts from being
output to prevent DFA attacks.
An interesting approach toward provable resistance
against both passive and active attacks is Private Cir-
cuits II (PC-II) [19]. It is an extension of Private
Circuits (PC-I) [or the Ishai, Sahai and Wagner (ISW) masking
scheme] [20], on which it relies to obtain protection from
passive attacks.
A practical drawback of the ISW algorithm is that its
security relies on ideal gates, i.e., gates that evaluate only
once per clock cycle and in the right order. Satisfying the
ideal gate requirement in CMOS logic is costly and failing to
do so leads to a deterioration in the security of the masking
scheme through glitches and early evaluation [21]. As an
alternative to ISW, the threshold implementations (TIs) mask-
ing scheme [22]–[24] has gained in popularity for hardware
applications, since it does not require ideal gates.
A. Related Work
While the introduction of Private Circuits [20] and Pri-
vate Circuits II [19] date from 2003 and 2006, respectively,
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
2 IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS
their most notable implementation-related aspects have only
recently been published. We provide a brief overview of these
different advances.
A first move toward a PC-II implementation was made by
Rakotomalala et al. [25] and presented at RECONFIG 2015.
In summary, the authors implement the PC-II countermea-
sure with tamper resistance against reset attacks on a field-
programmable gate array (FPGA). Their design is based on
a manually coded, fully combinational PC-I implementation
followed by a PC-II encoding using FPGA specific primitives.
In addition, an assessment of the security against critical path
violations is provided. The underlying PC-I implementation
has, however, been shown to contain security flaws [26],
of which the reasons were pointed out by Roy et al. [27].
Undesired circuit optimization by tools in the design flow,
glitches, and early propagation of signal values all have a
noticeable impact on the security of the masked implementa-
tions. By registering the output of every gate, a fully sequential
implementation of Private Circuits was established as a secure
but expensive solution.
At CRYPTO 2015, Reparaz et al. [28] presented a strategy
for secure Private Circuits implementations in the presence of
glitches. By inheriting the so-called noncompleteness property
from TI, their strategy provides a cheaper and more effi-
cient PC-I implementation compared with the fully sequential
realization of [27].
A different approach toward combined SCA and FA security
was presented by Schneider et al. [29] at CRYPTO 2016.
By combining TIs with error detection, the lightweight LED
cipher [30] was implemented to achieve the first-order SCA
resistance in combination with a fault detection capability that
exceeds duplication at a very low increase in area cost.
B. Contribution
This paper builds upon and extends this paper work pre-
sented at FDTC 2016 [31], where we compared PC-I and TI
in an equal and fair setting to obtain a novel and more efficient
approach toward PC-II. Due to limitation with respect to the
size of the targeted FPGA, no practical PC-II implementation
was possible, and instead, this paper focused primarily on
a comparative study between PC-I and TI as base for a
PC-II implementation. In addition, a theoretical description
was offered on how to securely implement Private Circuits II
in FPGAs.
In this extended version, we apply our theoretical initial
results in practice on a larger FPGA platform, where the PC-II
implementation benefits from larger lookup tables (LUTs).
Our results are applied on the lightweight PRESENT block
cipher [32] to achieve the combined first-order SCA security
and resistance against arbitrary 1-bit fault injection, i.e., a 1-bit
set, reset, or toggle attack. Since the PC-II implementation can
be accommodated in the newly targeted FPGA, we advance
the previous work by perform the security evaluation, con-
firming that the total PC-II design indeed offers SCA resis-
tance. In addition, we provide implementation costs of our
design in gate equivalents using an open-source library, allow-
ing for convenient comparison with other implementations.
Another novel addition is an extended security analysis
by evaluating the success of established DFA attacks on
PRESENT. Moreover, we discuss how to further increase the
FA resistance of our PC-II implementation by relying on
structural and topological aspects of the back-end placement
and routing steps. While applying the PC-II extensions over TI,
we detail every step taken to provide a guide for future PC-II
implementations.
C. Paper Organization
In Section II, we give the necessary theoretical background
with respect to the PRESENT algorithm, the TIs masking
scheme, PC-II, and leakage detection. We implement the TI of
PRESENT as in [33] and give the result of its leakage detec-
tion test in Section III, before we apply PC-II in Section IV.
We discuss the implementation cost and the security of our
resulting implementation against known DFAs in Section V.
We draw conclusions and propose directions for future work
in Section VI.
II. P RELIMINARIES
We now give an overview of the required background
theory. Due to the vast information given in the original Private
Circuit works [19], [20], we only provide the information
that we use throughout this paper. We start by providing our
notation conventions and definitions.
Using the standard convention that a dth-order SCA attack
exploits the dth-order statistical moment of the shares, a sensi-
tive value can be split in at least d + 1 new values, or shares,
such that all shares are required to reconstruct the original
value. If the reconstruction operation is the Boolean addition,
this process is referred to as Boolean masking. This way,
a (d + 1)t h DPA attack needs to be mounted to break the
dth-order masked implementation. Since the number of mea-
surements needed for a successful attack increases exponen-
tially with the masking order, one typically guarantees only
security up to a certain order.
Lower case letters represent the sensitive values in
GF(2m ). These elements are then split in sin shares a =
(a1 , a2 , . . . , asin ) using Boolean masking. The sharing is said
to be uniform if sin − 1 shares are assigned from a uniform
random distribution  in −1and the remaining share is chosen to sat-
isfy asin = a si=1 ai . We denote functions F : GF(2m ) →
GF(2n ) with the upper case letters. A function F(a) = b is
shared into s f component functions F = (F1 , F2 , . . . , Fs f ),
such that  functional equivalence or correctness is maintained,
sf
i.e., b = i=1 Fi (a). Boolean addition (XOR) of a and b is
denoted by a ⊕ b, their bitwise multiplication (AND) by ab,
and the inversion of a is denoted by ¬a.
We adopt a modified d-probing adversary model that
includes glitches. In the d-probing model with glitches,
the adversary is allowed to probe d wires in a circuit
per clock cycle and observes all values that occur on that
wire during a computation, even temporary or intermediate
ones. We modify the d-probing adversary of [20] slightly
by not allowing adaptive probes, i.e., we do not allow the
attacker to move probes within a clock cycle nor over clock
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
DE CNUDDE AND NIKOVA: SECURING THE PRESENT BLOCK CIPHER AGAINST COMBINED SCA AND FAs
cycle boundaries.1 While this adapted model might appear to
reduce the security, this model has shown to be more realistic
in hardware scenarios. Moreover, the ability of our adversary
to observe all intermediate values on a wire results in a more
flexible model, which keeps the security of our implementation
unaffected from Effects, such as glitches in CMOS.
A. PRESENT Block Cipher
The PRESENT symmetric key block cipher [32] is designed
with the heavy constraints on area and performance of light-
weight hardware applications in mind. As a result, it is
aggressively optimized for hardware environments and forms
an ideal candidate for Internet-of-Things applications. It was
made an ISO standard in 2012. Its block length equals 64 bit
and the key lengths of 80 and 128 bit are supported, referred
to as PRESENT-80 and PRESENT-128, respectively, of which
PRESENT-80 is recommended for lightweight applications
and is the target for our implementation. The PRESENT cipher
iterates through 31 rounds followed by a final key whitening
stage. Each round consists of a round key addition and a
substitution-permutation network. The permutation layer is a
bitwise rewiring governed by pout(i ) = pin(16 i mod 63) and
comes at no cost in hardware. The substitution layer applies a
4-bit S-box S : GF(24 ) → GF(24 ) on each nibble of the state
registers. We refer to the original work for the full details [32].
B. Threshold Implementations
The TIs masking technique achieves provable security
against the dth-order DPA attacks. By making minimal
assumptions on the underlying hardware, security can be
attained at any chosen order d even in the presence of
glitches [24].
The transformation of a circuit C to a dth-order
TI [22]–[24], [34] C  is obtained as follows.
1) Input Encoding: Each sensitive value is split into
sin ≥ d + 1 shares using uniform Boolean masking.
2) Function Encoding: The function y = F(x) is imple-
mented as a set of s f component functions F =
(F1 , F2 , . . . , Fs f ), where each Fi acts on a subset of
the vector of input shares x. The shared function F is
required to satisfy the following properties.
a) Correctness, i.e., functional equivalence.
b) The dth-order noncompleteness. Any combination
of up to d component functions Fi of F is inde-
pendent of at least one input share.
c) Uniform sharing of functions. The security of cas-
caded nonlinear functions relies on this property.
The outputs of the component functions should be
constructed to satisfy uniformity, just as the inputs
do. Several ways to achieve this property have been
proposed [33]–[38].
3) Output Decoding: The output value is reconstructed
 3) Error Cascading: Before values are registered or output,
from the output shares by unmasking c = ci .
1 This stronger adversary can be accommodated by adopting the refreshing
layers explored by Reparaz et al. [28], we, however, do not consider this
approach due to the resulting increase in implementation cost.
3
C. Private Circuits II
Private Circuits II is an extension of the Private Circuits
masking scheme that adds protection against an adversary
capable of modifying values anywhere in a circuit, on a
chosen number of individual wires between logical gates [19].
In contrast to other FA countermeasures [39], no part of the
circuit needs to be completely free from tampering.
Private Circuits II comes in two styles.
1) tamper resistance against an unbounded number of adap-
tive reset-only wire faults;
2) tamper resistance against a bounded number e of arbi-
trary wire faults (set, reset, or toggle) per clock cycle.
In both constructions, an (optionally infective [40]) circuit
is achieved, which resists both FAs and SCA attacks. Two
transformations are carried out to transform a circuit C to
a tamper resistant circuit C  : one for the circuit itself and
one for the data. The starting point is a side-channel resistant
circuit, which we achieve through TIs instead of the originally
proposed Private Circuits [31].
Since we protect the PRESENT block cipher against any
type of fault, we limit our overview to the more general PC-II
construction.
1) Tamper Resistance Against General Attacks on Wires:
In this model, the adversary can set the values in any of
the circuit wires to 0 or 1, as well as toggle its value.
A limit e on the number of newly targeted wires per clock
cycle is imposed, but the attacker is allowed to release the
perturbations without restrictions on the number or time of
release. Hence, persistent or permanent faults are only counted
on their introduction in the circuit.
To achieve the tamper resistance, a circuit is first trans-
formed into a dth-order SCA resistant circuit. Afterward,
a 2de repetition encoding is applied to all data values and
the gates are replaced by the so-called gadgets operating on
these encoded values.
These actions are formalized as follows.
1) Input Encoding: The encoder transforms bit value 0 to a
2de vector 02de = (0, 0, . . . , 0) and bit value 1 to a 2de
vector 12de = (1, 1, . . . , 1), where d is the SCA security
order and e is the limit on the number of faults and the
attacker can inject while not compromising the security.
All other values are considered invalid (⊥). Furthermore,
a special value ⊥∗ is defined as 0de 1de .
2) Gates Encoding: The gates of the SCA resistant circuit
are replaced by the gadgets of which the truth tables are
listed in Table I. Their implementation is of the form
OR of AND s of the input wires or their NOT s, or the
NOT of such a circuit. Standard OR and AND gates can
be used for constructing the gadgets, whereas the NOT
gates used should be reversible, so that faults occurring
on the output side of a NOT gate propagate to the input
side.
their wires go through an error cascading gadget. This
way, detected errors will propagate and erase the data
in the circuit and at the output. An error is detected
when an invalid encoding occurs in a wire vector.
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
4 IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS
TABLE I
T RUTH TABLES FOR THE G ADGETS
Fig. 1. Error cascading stage propagates any e-bit fault to all wires before
values are registered. Illustrated here for e = 1.
Fully infective behavior within one clock cycle is
achieved by following the structure shown in Fig. 1,
where the error cascading gadget is listed in Table I.
We recall that this stage is optional [19].
4) Output Decoding: The final output can be decoded by
ignoring all but the first of the 2de output wires.
D. T-Test-Based Leakage Detection
One way to test for potential side-channel leakages, which
might lead to successful key retrieval attacks in cryptographic
systems, is based on the t-test statistic [41]–[43]. This method
is convenient due to its independence of an underlying leak-
age model while still being sensitive enough to uncover a
wide range of potential problems. After acquiring a sufficient
number of power consumption traces, the traces are divided
in two sets, A and B, based on an intermediate value in the
computation. Throughout this paper, we employ the nonspe-
cific t-test, which fixes the input for one of the sets (we choose
to fix the input message to zero) while randomizing the input
message for the other set. For testing leakage in the first-order
statistical moment, the t-test statistic is calculated samplewise
on the two sets A and B as
T A − TB
t= 
s 2A s 2B
NA + NB
where Ti , si2 , and Ni are the sample mean, sample variance,
and sample size of the set Ti∈A,B , respectively. If no t-test
value exceeds a certain confidence threshold ±C, no rela-
tion between the processed intermediate value and the mean
instantaneous power consumption can be found. When the
t-test statistic exceeds ±C, the power consumption and their
processed intermediate values are related in a statistically
significant way with a confidence level related to C, mak-
ing the device potentially vulnerable to the first-order SCA
attacks. Throughout this paper, we set the confidence level to
±C = ±4.5, which corresponds to a 99.999% certainty of the
concluded outcome.
III. M ASKING P ROCESS
In this section, we reproduce and evaluate the TI of
PRESENT proposed by Poschmann et al. [33] in order to
assert a sound, SCA resistant basis for our PC-II implementa-
tion. We implement the first-order secure PRESENT with both
a masked state and key, and test the result with the state-of-
the-art leakage detection tests.
A. Masking PRESENT With Threshold Implementations
The round key addition and permutation of the cipher can
be performed on each share independently due to the linearity
of these operations. The S-box operation is correspondingly
harder to mask due to its nonlinearity. We therefore direct our
attention to masking the nonlinear PRESENT S-box, which
performs the substitution S(x) given in Table II.
A compact way of sharing the PRESENT S-box is proposed
by Poschmann et al. [33]. It decomposes the S-box S(x)
(of algebraic degree three) into two functions g = G(x) and
f = F(x) (each of algebraic degree two) such that S(x) =
F(G(x)). The S-box and its decomposed functions G and F
are given in Table II. In order to guarantee the uniformity at the
input of F, the evaluation of the nonlinear functions G and F
needs to be separated by registers. The total S-box is then
computed in two clock cycles. The algebraic normal forms
of (g3 , g2 , g1 , g0 ) = G(x 3 , x 2 , x 1 , x 0 ) and ( f 3 , f2 , f 1 , f0 ) =
F(x 3 , x 2 , x 1 , x 0 ) are listed in the following, where x 3 , g3 ,
and f 3 represent the most significant bits:
g3 = x 0 ⊕ x 1 ⊕ x 2
g2 = 1 ⊕ x 1 ⊕ x 2
g1 = 1 ⊕ x 3 ⊕ x 1 ⊕ x 0 x 2 ⊕ x 0 x 1
g0 = 1 ⊕ x 0 ⊕ x 2 x 3 ⊕ x 1 x 3 ⊕ x 1 x 2
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

DE CNUDDE AND NIKOVA: SECURING THE PRESENT BLOCK CIPHER AGAINST COMBINED SCA AND FAs 5

f3 = x2 ⊕ x1 ⊕ x0 ⊕ x3 x0
f2 = x 3 ⊕ x 1 x 0
f1 = x2 ⊕ x1 ⊕ x3 x0
f0 = x 1 ⊕ x 2 x 0 .

For the shared versions of these equations, we refer to the

Appendix.

B. Testing PRESENT-TI With Leakage Detection Tests

We perform the evaluation of the security by loading the
resulting implementation onto a SAKURA-G board [44].
The SAKURA-G (Side-Channel Attack User Reference
Architecture) provides an SCA evaluation environment based
around two Xilinx Spartan-6 FPGAs: an XC6SLX75 to hold
our cryptographic implementations and an XC6SLX9 for
controlling the communication between the board, the mea- Fig. 2. Masked PRESENT-TI, from top to bottom: average power con-
surement PC, and other equipment. During synthesis, we select sumption trace of 1.5 rounds of a masked encryption, first-order t-test with
the Xilinx “Keep Hierarchy” option to avoid optimizations biased masks using 20k traces, first-order t-test with uniform masks using
100M traces, and second-order t-test with uniform masks using 100M traces.
over boundaries of the individual shares. We keep all other
synthesis and implementation options to their default value.
We provide a stable clock of 3 MHz to the FPGAs and
measure the instantaneous power consumption as the voltage
drop over a 1- resistor between the ground lines of the
crypto FPGA core and the board. We acquire the power traces
with a Tektronix DPO 7254C oscilloscope at a sample rate
of 1 GHz/s. We submit our designs to t-test-based leakage
detection [41]–[43], since they provide a very powerful way
to ascertain side-channel resistance.
To show that the security of our design uniquely comes Fig. 3. Output logic for PRESENT-TI.
from a sound masked implementation, we go through the
following steps. We first bias the uniformity of the input shares
by turning OFF the random number generator (RNG), fixing IV. A PPLYING PC-II
one of the three initial input shares to the plaintext, while We proceed by applying the remaining PC-II transforma-
setting the remaining shares to zero. In that case, we expect tions on the PRESENT-TI. While our model assumes an
that the leakage detection test will reveal t-values beyond the attacker to only inject a 1-bit fault on a wire (e = 1),
confidence interval of ±4.5. If this expectation is fulfilled, the explained process can be extended to any number of faulty
we assume that the soundness of the test setup is asserted and bit injections.
proceed with the evaluation by turning on the RNG of our
designs. The lack of bias in uniformity, and thus the correct A. Encoding
application of all properties of the masking schemes, is then
Transforming every wire into a wire pair is straightforward.
exclusively responsible for any increase in SCA resistance.
All wires and registers are simply duplicated. In contrast to
For the PRESENT TI, this gives the following security
masking, where only the data-dependent logic and registers
evaluation.
must be protected, this duplication has to be applied to all
1) RNG Off: The result of the leakage detection tests for
wires and registers, including the ones responsible for the
the PRESENT-TI with biased masks is shown in Fig. 2. With
control of the data flow. If their protection is overlooked, inter-
20k traces, the t-value goes beyond the confidence interval
mediate states from which the key can be trivially retrieved
of ±4.5, and we can conclude that our measurement setup is
can be made to prematurely appear at the outputs through a
sound.
careful fault injection. This is exemplified in Fig. 3: activating
2) RNG On: The result of the leakage detection test on
the ready signal at the start of an encryption would make a
PRESENT-TI with the activated RNG is shown in Fig. 2.
key retrieval straightforward for an attacker.
Leaks are present in the second-order t-test, while no
first-order t-values fall outside the confidence interval. Our
PRESENT-TI implementation achieves the targeted first-order B. Gate Transformation
security with 100 million traces and provides us with a solid After all wires and registers are encoded, we transform all
foundation for a PC-II implementation. gates in the circuit to their respective PC-II gadgets. In addition
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

6 IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS

TABLE II
4- TO -4 bit S UBSTITUTION OF THE PRESENT S-B OX [32] AND A Q UADRATIC D ECOMPOSITION [33]

Fig. 4. Control structure for PRESENT-TI.

Fig. 6. Masked PC-II protected PRESENT, from top to bottom: average

power consumption trace of 1.5 rounds of a masked encryption, first-order
t-test with biased masks using 20k traces, first-order t-test with uniform
masks using 100M traces, and second-order t-test with uniform masks using
100M traces.

We achieve this by expressing all operations in the Hardware

Fig. 5. Logic structure of a multiplexer.
to the gates of the shared S-box, permutation, and round key
addition, this transformation has to include the internal gates
of the two adders, the multiplexers and the comparators of the
design also. An example of this can be found in the structure
of the PRESENT-TI control logic, which is shown in Fig. 4.
The internal signals of, e.g., the multiplexers (shown in Fig. 5)
have to undergo the encoding and the gates transformation too.
In Section II, it was noted that reversible NOT gates are
required for PC-II in the general attack model. The reason
for this is described in the original work [19] and boils
down to being able to consider the NOT gates as part of
atomic AND gates inside PC-II gadgets. We can omit the
need for reversible NOT gates in our FPGA implementation by
packing the logic of each single PC-II gadget inside individual
six-input, dual output LUTs of the Spartan-6 FPGA. With the
original assumption that attacks are only performed on wires,
the design remains a valid PC-II implementation as a whole
LUT can be considered atomic. For standard cell ICs, this can
be achieved by placing the atomic standard cells related to the
same gadget adjacently and keeping their connections on the
lowest routing layers.
Description Language of the PRESENT-TI using the following
atomic gates: AND, XAND,2 OR, NOR, XOR, XNOR, and NOT
gates. Since all these functions have at most four inputs and
two outputs in their encoded form, we map these to the
six-input, dual output LUTs of the Spartan-6 FPGA using
the Xilinx LU T _M A P constraint. This is an alternative to
hard coding the LUT functionality as was done in the PC-II
implementation of Rakotomalala et al. [25].
C. Error Cascading
Error cascades are nonlinear gadgets that forward the input
unless an invalid encoding is detected at one of or both
the inputs. In that case, both its encoded outputs are made
invalid (⊥).
We provide a toy example to explain the effect of the
error cascading stage on the SCA security. Assume that we
have two shares of a 1-bit value s = s1 ⊕ s2 , such that
s1 = s ⊕ r and s2 = r , where r is a random bit drawn from
a uniform distribution. These two values are passed through
an error cascade, of which the function is given in Table I.
Its underlying circuit is of the form OR of ANDs of all the
shares.
2 a XAND b = (¬a)b
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

DE CNUDDE AND NIKOVA: SECURING THE PRESENT BLOCK CIPHER AGAINST COMBINED SCA AND FAs 7

Fig. 7. Traces of signals from the PRESENT-TI implementation with a set fault on the ready signal.

Fig. 8. Traces of signals from the PC-II protected PRESENT implementation with a set fault on one of the wires of the encoded ready signal.

This can be seen by observing its four outputs TABLE III

A REA OF D IFFERENT F UNCTIONS OF THE PRESENT D ESIGNS
s1,EC,1 = (s1,1 ¬s1,0 ¬s2,1 s2,0 ) ⊕ (s1,1 ¬s1,0 s2,1 ¬s2,0 )
s1,EC,0 = (¬s1,1 s1,0 ¬s2,1 s2,0 ) ⊕ (¬s1,1 s1,0 s2,1 ¬s2,0 )
s2,EC,1 = (¬s1,1 s1,0 s2,1 ¬s2,0 ) ⊕ (s1,1 ¬s1,0 s2,1 ¬s2,0 )
s2,EC,0 = (¬s1,1 s1,0 ¬s2,1 s2,0 ) ⊕ (s1,1 ¬s1,0 ¬s2,1 s2,0 ).
For the error cascading stage to be effective, it should
pass all pairs of wires, as shown in Fig. 1. This creates a
combinational circuit that nonlinearly relates all shares, and
invalidates the noncompleteness property. When using CMOS,
the unprotected PRESENT design. The clk signal represents
glitching and early propagation of values can cause the circuit
the system clock, the start signal activates the start of an
to potentially leak. Since this stage is optional [19], we will
encryption, and the ready signal indicates when the output is
omit its implementation.
available. We show the decoded input, key, and output shares
D. Leakage Detection by decoded_inp, decoded_key, and decoded_out,
respectively. The ready signal in this example is stuck-at-1,
The resulting implementation needs to satisfy the first-order
i.e., every intermediate state is observable at the output of
SCA security. To test this claim, we follow the same approach
the cipher. By knowing the plaintext and observing the first
as with our previous security evaluations for the PRESENT-TI.
intermediate result, the key can be obtained without much
1) RNG Off: The result of the leakage detection tests for
effort in an unprotected implementation. In Fig. 8, we show
the biased PC-II protected PRESENT is shown in Fig. 6. With
the same simulation applied on the PC-II protected PRESENT.
20k traces, the t-value goes beyond the confidence interval
Since the ready signal and the bits of the state values pass
of ±4.5 and we can again conclude that our measurement
through an AND gadget (see Fig. 3), their decoded output
setup is sound.
values become zero when a fault is present at their inputs.
2) RNG On: The results of the leakage detection tests on
The invalid signal 01 on the encoded ready signal is detected,
PC-II protected PRESENT with the activated RNG is shown
and the countermeasure succeeds in making the injected fault
in Fig. 6. Again, clear leaks are present in the second-order
unexploitable.
t-test, while no first-order t-values fall outside the confi-
Similarly, attacks on the data that are covered by our fault
dence interval. The PC-II protected PRESENT implementation
model will not succeed. Fig. 9 shows a correct and faulty
achieves the targeted first-order SCA security with 100 million
encryption, where the fault is generated by flipping a bit in
traces.
the first S-box lookup of the penultimate round. Fig. 10 shows
E. Fault Attack Simulation this same 1-bit fault injected in the PC-II protected PRESENT.
While not all ciphertext bits are zeroized due to the absent
As mentioned in the example in Section IV-A, an attractive
error cascading stage, the injected fault is detected and invalid
target for an attacker to inject a fault on is the ready signal.
values are propagated through parts of the circuit, resulting in
The ready signal guards the intermediate states from appearing
several bits turning zero.
prematurely at the output and activates the outputs only
when the cipher has finished the right number of rounds.
V. D ISCUSSION
By validating this signal at the start of an encryption using
a fault injection, intermediate states of the cipher become A. Area Cost
observable and cryptanalysis becomes feasible. Table III lists the area costs of the individual components of
We now simulate this fault injection on the ready signal of both the TI and PC-II implementation of PRESENT. Table IV
the unprotected and PC-II protected PRESENT implementa- lists the area costs of the individual PC-II gadgets that we use
tions. Fig. 7 shows the simulation traces of several signals of in our PC-II design. All area estimations are obtained with the
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

8 IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS

Fig. 9. Traces of signals from the PRESENT-TI implementation with a set fault on the first share of the S-box input.

Fig. 10. Traces of signals from the PC-II protected PRESENT implementation with a set fault on one of the wires of the first share of the S-box input.

TABLE IV
A REA C OST OF THE D IFFERENT PC-II G ADGETS U SED

Compile Ultra option in Synopsys 2010.03 and the NanGate

45-nm Open Cell Library [45].
When going from a first-order SCA resistant TI to a
first-order SCA resistant PC-II implementation resisting 1-bit
faults, an increase in area of factor 8.75 is required. The bulk
of this factor originates from the increase in area of the gadgets
compared with their corresponding gates, since the duplication
of the registers would only lead to a duplication in area cost.

B. Increased Resistance Against Differential Fault Analysis

We now evaluate the increased resistance against two DFA
attacks on PRESENT: 1) a DFA on the key schedule intro-
duced by Wang and Wang [46] and 2) a DFA on the internal
state introduced by Bagheri et al. [47].
1) DFA on the PRESENT Key Schedule: The attack on the
key schedule uses a fault model where 4-bit random faults are
injected in either the 30th or 31st round key. Once an attacker
obtains (on average) 64 pairs of correct and faulty ciphertexts,
the secret key can be retrieved with a complexity of 229 .
Since our implementation only provides protection against
1-bit faults, a successful key retrieval is possible when the
attacker’s power is outside the model. Some increased DFA Fig. 11. Different wire configuration can increase the resistance against
DFA. (a) and (b) Encoded wires lying adjacently in the same metal layer.
resistance is, however, obtained from our implementation. (c) Encoded wires lying pairwise in different metal layers.
First, an attacker now has to inject an 8-bit fault instead of a
4-bit fault and needs to make sure the 8-bit fault is an encoded
version of the 4-bit fault, and otherwise, the circuit will start to faulty ciphertext pairs. A second attack reduces the number of
infectively erase values by propagating the invalid signal ⊥∗ . correct and faulty ciphertext pairs to 12, by injecting random
From a theoretical point of view, only 24 of the 28 8-bit values 4-bit faults in the 29th round.
lead to a useful fault injection. As a result, the fault injection The first attack using the single bit fault falls within the
procedure will require 24 times more effort, leading to needing bounds of what our implementation can secure and will always
1024 pairs of correct and faulty ciphertexts on average for a fail, as shown in Fig. 10. The second attack will require the
successful key retrieval. 4-bit random fault to be extended to a restricted 8-bit fault
2) DFA on the PRESENT State Registers: Bagheri et al. [47] similar to the condition of the previously studied DFA on the
present two DFAs on the PRESENT state registers. The first key schedule. The fault injection procedure for this second
uses a fault on a single bit of the intermediate state at the attack to succeed will require 24 times more effort than the
start of the S-box layer of the last round. This attack leads to unprotected version, requiring on average 192 correct and
a retrieval of the last subkey with an average of 48 correct and faulty ciphertext pairs for a key retrieval.
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
DE CNUDDE AND NIKOVA: SECURING THE PRESENT BLOCK CIPHER AGAINST COMBINED SCA AND FAs
C. Further Increased Resistance Against
Differential Fault Analysis
The resistance against DFA can be further increased in the
back-end design process. This is illustrated by the routing
configurations of the wires shown in Fig. 11. Encoded wires
lying adjacently in the same layer can lead to easier fault
injection than when the wires are separated in different metal
layers. We leave the investigation of the effect of placement
and routing on FA resistance for future work.
VI. C ONCLUSION
In this paper, we implemented and evaluated a Private Cir-
cuit II of the PRESENT block cipher based on the serialized TI
of Poschmann et al. [33]. We obtained an implementation that
resists combined first-order side-channel attacks and single bit
FAs. The area cost compared with a side-channel resistant
circuit increases with factor 8.75 and mainly originates from
the complexity of the gadgets. While this cost is significant,
our design benefits from an increase in attacker effort to mount
differential FAs that fall outside our security model. In addition
to the data path, the control logic is secured, leading to a
protection against trivial attacks, e.g., revealing intermediate
state values at the output of the circuits by injecting a fault
in a well-chosen signal. Our implementation was succumbed
to the state-of-the-art leakage detection tests, which it passed
with power consumption traces corresponding to 100 million
encryptions.
The Private Circuits II countermeasure is shown to be
expensive. It is a succession of two separate transformations on
a circuit, the first one obtains SCA resistance and the second
one obtains additional FA resistance. Turning this separation of
transformations into a more integrated approach while design-
ing a combined SCA and FA countermeasure is therefore a
promising approach to realize a less costly implementation,
e.g., by drawing on established techniques from the field of
secure multiparty computation.
As additional future work, we propose the investigation of
the influence of placement and routing on FA resistance. We
additionally propose the investigation of applying PC-II to
an SCA resistant circuit that depends on an RNG, since our
considered PRESENT-80 implementation does not consume
any randomness during its execution.
A PPENDIX
The algebraic normal forms of the shared functions G(x)
and F(x) from Poschmann et al. [33] are listed in the
following. A first subscript index represents the share and
a second subscript indicates the bit of that share, with index
3 representing the most significant bit
G 1 (x 2 , x 3 ) = (g1,3 , g1,2 , g1,1, g1,0)
g1,3 = x 2,2 ⊕ x 2,1 ⊕ x 2,0
g1,2 = 1 ⊕ x 2,2 ⊕ x 2,1
g1,1 = 1 ⊕ x 2,3 ⊕ x 2,1 ⊕ x 2,2 x 2,0 ⊕ x 2,2 x 3,0
⊕ x 3,2 x 2,0 ⊕ x 2,1 x 2,0 ⊕ x 2,1 x 3,0 ⊕ x 3,1 x 2,0
g1,0 = 1 ⊕ x 2,0 ⊕ x 2,3 x 2,2 ⊕ x 2,3 x 3,2 ⊕ x 3,3 x 2,2
⊕ x 2,3 x 2,1 ⊕ x 2,3 x 3,1 ⊕ x 3,3 x 2,1 ⊕ x 2,2 x 2,1
⊕ x 2,2 x 3,1 ⊕ x 3,2 x 2,1
9
G 2 (x 1 , x 3 ) = (g2,3 , g2,2 , g2,1 , g2,0 )
g2,3 = x 3,2 ⊕ x 3,1 ⊕ x 3,0
g2,2 = x 3,2 ⊕ x 3,1
g2,1 = x 3,3 ⊕ x 3,1 ⊕ x 3,2 x 3,0 ⊕ x 1,2 x 3,0
⊕ x 3,2 x 1,0 ⊕ x 3,1 x 3,0 ⊕ x 1,1 x 3,0 ⊕ x 3,1 x 1,0
g2,0 = x 3,0 ⊕ x 3,3 x 3,2 ⊕ x 1,3 x 3,2 ⊕ x 3,3 x 1,2
⊕ x 3,3 x 3,1 ⊕ x 1,3 x 3,1 ⊕ x 3,3 x 1,1 ⊕ x 3,2 x 3,1
⊕ x 1,2 x 3,1 ⊕ x 3,2 x 1,1
G 3 (x 1 , x 2 ) = (g3,3, g3,2 , g3,1, g3,0)
g3,3 = x 1,2 ⊕ x 1,1 ⊕ x 1,0
g3,2 = x 1,2 ⊕ x 1,1
g3,1 = x 1,3 ⊕ x 1,1 ⊕ x 1,2 x 1,0 ⊕ x 1,2 x 2,0
⊕ x 2,2 x 1,0 ⊕ x 1,1 x 1,0 ⊕ x 1,1 x 2,0 ⊕ x 2,1 x 1,0
g3,0 = x 1,0 ⊕ x 1,3 x 1,2 ⊕ x 1,3 x 2,2 ⊕ x 2,3 x 1,2
⊕ x 1,3 x 1,1 ⊕ x 1,3 x 2,1 ⊕ x 2,3 x 1,1 ⊕ x 1,2 x 1,1
⊕ x 1,2 x 2,1 ⊕ x 2,2 x 1,1
F1 (x 2 , x 3 ) = ( f 1,3 , f1,2 , f 1,1 , f 1,0 )
f 1,3 = x 2,2 ⊕ x 2,1 ⊕ x 2,0 ⊕ x 2,3 x 2,0
⊕ x 2,3 x 3,0 ⊕ x 3,3 x 2,0
f 1,2 = x 2,3 ⊕ x 2,1 x 2,0 ⊕ x 2,1 x 3,0 ⊕ x 3,1 x 2,0
f 1,1 = x 2,2 ⊕ x 2,1 ⊕ x 2,3 x 2,0 ⊕ x 2,3 x 3,0 ⊕ x 3,3 x 2,0
f 1,0 = x 2,1 ⊕ x 2,2 x 2,0 ⊕ x 2,2 x 3,0 ⊕ x 3,2 x 2,0
F2 (x 1 , x 3 ) = ( f 2,3 , f 2,2 , f 2,1 , f 2,0 )
f 2,3 = x 3,2 ⊕ x 3,1 ⊕ x 3,0 ⊕ x 3,3 x 3,0
⊕ x 1,3 x 3,0 ⊕ x 3,3 x 1,0
f2,2 = x 3,3 ⊕ x 3,1 x 3,0 ⊕ x 1,1 x 3,0 ⊕ x 3,1 x 1,0
f 2,1 = x 3,2 ⊕ x 3,1 ⊕ x 3,3 x 3,0 ⊕ x 1,3 x 3,0 ⊕ x 3,3 x 1,0
f 2,0 = x 3,1 ⊕ x 3,2 x 3,0 ⊕ x 1,2 x 3,0 ⊕ x 3,2 x 1,0
F3 (x 1 , x 2 ) = ( f 3,3 , f3,2 , f 3,1 , f 3,0 )
f 3,3 = x 1,2 ⊕ x 1,1 ⊕ x 1,0 ⊕ x 1,3 x 1,0
⊕ x 1,3 x 2,0 ⊕ x 2,3 x 1,0
f 3,2 = x 1,3 ⊕ x 1,1 x 1,0 ⊕ x 1,1 x 2,0 ⊕ x 2,1 x 1,0
f 3,1 = x 1,2 ⊕ x 1,1 ⊕ x 1,3 x 1,0 ⊕ x 1,3 x 2,0 ⊕ x 2,3 x 1,0
f 3,0 = x 1,1 ⊕ x 1,2 x 1,0 ⊕ x 1,2 x 2,0 ⊕ x 2,2 x 1,0 .
R EFERENCES
[1] P. C. Kocher, “Timing attacks on implementations of Diffie–Hellman,
RSA, DSS, and other systems,” in Advances in Cryptology—CRYPTO
(Lecture Notes in Computer Science), vol. 1109. New York, NY, USA:
Springer, 1996, pp. 104–113.
[2] P. Kocher, J. Jaffe, and B. Jun, “Differential power analysis,” in Advances
in Cryptology, vol. 1666. Berlin, Germany: Springer-Verlag, 1999,
pp. 388–397.
[3] K. Gandolfi, C. Mourtel, and F. Olivier, “Electromagnetic analysis:
Concrete results,” in Cryptographic Hardware and Embedded Systems—
CHES 2001 (Lecture Notes in Computer Science), vol. 2162. New York,
NY, USA: Springer, 2001, pp. 251–261.
[4] J.-J. Quisquater and D. Samyde, “ElectroMagnetic analysis (EMA):
Measures and counter-measures for smart cards,” in Smart Card Pro-
gramming and Security (Lecture Notes in Computer Science), vol. 2140.
Berlin, Germany: Springer-Verlag, 2001, pp. 200–210.
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
10
[5] E. Brier, C. Clavier, and F. Olivier, “Correlation power analysis with
a leakage model,” in Proc. 6th Int. Workshop CHES, vol. 3156. New
York, NY, USA: Springer, 2004, pp. 16–29.
[6] D. Boneh, R. A. DeMillo, and R. J. Lipton, “On the importance of check-
ing cryptographic protocols for faults,” in Advances in Cryptology—
EUROCRYPT (Lecture Notes in Computer Science), vol. 1233. New
York, NY, USA: Springer, 1997, pp. 37–51.
[7] E. Biham and A. Shamir, “Differential fault analysis of secret key
cryptosystems,” in Advances in Cryptology (Lecture Notes in Computer
Science), vol. 1294. New York, NY, USA: Springer, 1997, pp. 513–525.
[8] F. Amiel, K. Villegas, B. Feix, and L. Marcel, “Passive and active
combined attacks on AES combining fault attacks and side channel
analysis,” in Proc. FDTC, Aug. 2007, pp. 92–102.
[9] C. Clavier, B. Feix, G. Gagnerot, and M. Roussellet, “Passive and active
combined attacks on AES combining fault attacks and side channel
analysis,” in Proc. FDTC, Aug. 2010, pp. 10–19.
[10] A. Moradi, O. Mischke, C. Paar, Y. Li, K. Ohta, and K. Sakiyama, “On
the power of fault sensitivity analysis and collision side-channel attacks
in a combined setting,” in Cryptographic Hardware and Embedded
Systems—CHES 2011 (Lecture Notes in Computer Science), vol. 6917.
New York, NY, USA: Springer, 2011, pp. 292–311.
[11] T. Roche, V. Lomné, and K. Khalfallah, “Combined fault and side-
channel attack on protected implementations of AES,” in Smart Card
Research and Advanced Applications (Lecture Notes in Computer Sci-
ence), vol. 7079. Washington, DC, USA: Springer, 2011, pp. 65–83.
[12] F. Dassance and A. Venelli, “Combined fault and side-channel attacks
on the AES key schedule,” in Proc. FDTC, Sep. 2012, pp. 63–71.
[13] S. Chari, C. S. Jutla, J. R. Rao, and P. Rohatgi, “Towards sound
approaches to counteract power-analysis attacks,” in Advances in
Cryptology—CRYPTO (Lecture Notes in Computer Science), vol. 1666.
New York, NY, USA: Springer, 1999, pp. 398–412.
[14] L. Goubin and J. Patarin, “DES and differential power analysis the
‘duplication’ method,” in Cryptographic Hardware and Embedded Sys-
tems (Lecture Notes in Computer Science), vol. 1717. New York, NY,
USA: Springer, 1999, pp. 158–172.
[15] E. Prouff and M. Rivain, “Masking against side-channel attacks: A
formal security proof,” in Advances in Cryptology—EUROCRYPT 2013
(Lecture Notes in Computer Science), vol. 7881. Washington, DC, USA:
Springer, 2013, pp. 142–159.
[16] R. Karri and K. Wu, “Algorithm level re-computing using implemen-
tation diversity: A register transfer level concurrent error detection
technique,” IEEE Trans. Very Large Scale Integr. (VLSI) Syst., vol. 10,
no. 6, pp. 864–875, Dec. 2002.
[17] M. G. Karpovsky, K. J. Kulikowski, and A. Taubin, “Differential
fault analysis attack resistant architectures for the advanced encryption
standard,” in CARDIS (IFIP International Federation for Information
Processing), vol. 153. Norwell, MA, USA: Kluwer, 2004, pp. 177–192.
[18] S. P. Skorobogatov and R. J. Anderson, “Optical fault induction attacks,”
in Cryptographic Hardware and Embedded Systems—CHES 2002 (Lec-
ture Notes in Computer Science), vol. 2523. New York, NY, USA:
Springer, 2002, pp. 2–12.
[19] Y. Ishai, M. Prabhakaran, A. Sahai, and D. Wagner, “Private circuits II:
Keeping secrets in tamperable circuits,” in Advances in Cryptology—
EUROCRYPT 2006 (Lecture Notes in Computer Science), vol. 4004.
New York, NY, USA: Springer, 2006, pp. 308–327.
[20] Y. Ishai, A. Sahai, and D. Wagner, “Private circuits: Securing hardware
against probing attacks,” in Advances in Cryptology—CRYPTO 2003
(Lecture Notes in Computer Science), vol. 2729. New York, NY, USA:
Springer, 2003, pp. 463–481.
[21] S. Mangard, N. Pramstaller, and E. Oswald, “Successfully attacking
masked AES hardware implementations,” in Cryptographic Hardware
and Embedded Systems—CHES 2005 (Lecture Notes in Computer
Science), vol. 3659. New York, NY, USA: Springer, 2005, pp. 157–171.
[22] S. Nikova, C. Rechberger, and V. Rijmen, “Threshold implementations
against side-channel attacks and glitches,” in Information and Commu-
nications Security (Lecture Notes in Computer Science). New York, NY,
USA: Springer, 2006, pp. 529–545.
[23] S. Nikova, V. Rijmen, and M. Schläffer, “Secure hardware implementa-
tion of non-linear functions in the presence of glitches,” in Proc. ICISC,
2008, pp. 218–234.
[24] B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen,
“Higher-order threshold implementations,” in Advances in Cryptology—
ASIACRYPT 2014 (Lecture Notes in Computer Science). Washington,
DC, USA: Springer, 2014, pp. 326–343.
[25] H. Rakotomalala, X. T. Ngo, Z. Najm, J. Danger, and S. Guilley, “Private
circuits II versus fault injection attacks,” in Proc. IEEE ReConFig,
Sep. 2015, pp. 1–9.
IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS
[26] Z. N. Goddard, N. LaJeunesse, and T. Eisenbarth, “Power analy-
sis of the t-private logic style for FPGAs,” in Proc. HOST, 2015,
pp. 68–71.
[27] D. B. Roy, S. Bhasin, S. Guilley, J. Danger, and D. Mukhopadhyay,
“From theory to practice of private circuit: A cautionary note,” in Proc.
ICCD, 2015, pp. 296–303.
[28] O. Reparaz, B. Bilgin, S. Nikova, B. Gierlichs, and I. Verbauwhede,
“Consolidating masking schemes,” in Advances in Cryptology—
CRYPTO (Lecture Notes in Computer Science), vol. 9215. New York,
NY, USA: Springer, 2015, pp. 764–783.
[29] T. Schneider, A. Moradi, and T. Güneysu, “ParTI—Towards com-
bined hardware countermeasures against side-channel and fault-injection
attacks,” in Advances in Cryptology—CRYPTO 2016 (Lecture Notes in
Computer Science), vol. 9815. New York, NY, USA: Springer, 2016,
pp. 302–332.
[30] J. Guo, T. Peyrin, A. Poschmann, and M. J. B. Robshaw, “The LED
block cipher,” in CHES (Lecture Notes in Computer Science). Wash-
ington, DC, USA: Springer, 2011, pp. 326–341.
[31] T. de Cnudde and S. Nikova, “More efficient private cir-
cuits II through threshold implementations,” in Proc. FDTC, 2016,
pp. 114–124.
[32] A. Bogdanov et al., “PRESENT: An ultra-lightweight block cipher,”
in Cryptographic Hardware and Embedded Systems (Lecture Notes in
Computer Science), vol. 4727. New York, NY, USA: Springer, 2007,
pp. 450–466.
[33] A. Poschmann, A. Moradi, K. Khoo, C. Lim, H. Wang, and S. Ling,
“Side-channel resistant crypto for less than 2,300 GE,” J. Cryptol.,
vol. 24, no. 2, pp. 322–345, 2011.
[34] A. Moradi, A. Poschmann, S. Ling, C. Paar, and H. Wang, “Pushing
the limits: A very compact and a threshold implementation of AES,”
in Advances in Cryptology—EUROCRYPT 2011 (Lecture Notes in
Computer Science), vol. 6632. New York, NY, USA: Springer, 2011,
pp. 69–88.
[35] S. Kutzner, P. H. Nguyen, and A. Poschmann, “Enabling 3-share
threshold implementations for all 4-bit s-boxes,” in Information
Security and Cryptology—ICISC 2013 (Lecture Notes in Com-
puter Science), vol. 8565. New York, NY, USA: Springer, 2013,
pp. 91–108.
[36] B. Bilgin, S. Nikova, V. Nikov, V. Rijmen, N. Tokareva, and V. Vitkup,
“Threshold implementations of small s-boxes,” Cryptogr. Commun.,
vol. 7, no. 1, pp. 3–33, 2015.
[37] B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen, “A more
efficient AES threshold implementation,” in Progress in Cryptology—
AFRICACRYPT 2014 (Lecture Notes in Computer Science), vol. 8469.
New York, NY, USA: Springer, 2014, pp. 267–284.
[38] B. Bilgin, S. Nikova, V. Nikov, V. Rijmen, and G. Stütz, “Thresh-
old implementations of all 3×3 and 4×4 s-boxes,” in Cryptographic
Hardware and Embedded Systems—CHES 2012 (Lecture Notes in
Computer Science), vol. 7428. New York, NY, USA: Springer, 2012,
pp. 76–91.
[39] R. Gennaro, A. Lysyanskaya, T. Malkin, S. Micali, and T. Rabin,
“Algorithmic tamper-proof (ATP) security: Theoretical foundations for
security against hardware tampering,” in Theory of Cryptography (Lec-
ture Notes in Computer Science), vol. 2951. New York, NY, USA:
Springer, 2004, pp. 258–277.
[40] S. Yen, S. Kim, S. Lim, and S. Moon, “RSA speedup with residue num-
ber system immune against hardware fault cryptanalysis,” in Information
Security and Cryptology—ICISC 2001 (Lecture Notes in Computer
Science). Washington, DC, USA: Springer, 2001, pp. 397–413.
[41] B. J. G. Goodwill et al., “A testing methodology for side-channel resis-
tance validation,” in Proc. NIST Non-Invasive Attack Test. Workshop,
2011, pp. 1–15.
[42] G. Becker et al., “Test vector leakage assessment (TVLA) methodology
in practice,” in Proc. ICMC, 2013, pp. 1–13.
[43] T. Schneider and A. Moradi, “Leakage assessment methodology—A
clear roadmap for side-channel evaluations,” in Cryptographic Hardware
and Embedded Systems (Lecture Notes in Computer Science). Washing-
ton, DC, USA: Springer, 2015, pp. 495–513.
[44] H. Guntur, J. Ishii, and A. Satoh, “Side-channel attack user reference
architecture board SAKURA-G,” in Proc. IEEE 3rd Global Conf.
Consum. Electron. (GCCE), Sep. 2014, pp. 271–274.
[45] J. Knudsen, Nangate 45 nm Open Cell Library. EMEA: CDNLive, 2008.
[46] G. Wang and S. Wang, “Differential fault analysis on PRESENT key
schedule,” in CIS, 2010, pp. 362–366.
[47] N. Bagheri, R. Ebrahimpour, and N. Ghaedi, “New differential fault
analysis on PRESENT,” EURASIP J. Adv. Signal Process., vol. 2013,
no. 1, p. 145, Dec. 2013.
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

DE CNUDDE AND NIKOVA: SECURING THE PRESENT BLOCK CIPHER AGAINST COMBINED SCA AND FAs 11

Thomas De Cnudde received the M.Sc. degree in Svetla Nikova received the master’s degree in math-
electrical engineering from the University of Ghent, ematics from Sofia University, Sofia, Bulgaria, and
Ghent, Belgium, in 2013, and the M.Sc. degree in the Ph.D. degree from the Eindhoven University of
artificial intelligence from the University of Leuven, Technology, Eindhoven, The Netherlands.
Leuven, Belgium, in 2015, where he is currently From 1999 to 2008, she was a Post-Doctoral
pursuing the Ph.D. degree. Researcher with ESAT/COSIC, KU Leuven, Leuven,
His current research interests include embedded Belgium. From 2008 to 2012, she was an Assistant
systems security against side-channel analysis and Professor with the University of Twente, Enschede,
fault attacks. The Netherlands. Since 2012, she has been a
Research Expert with the Research Group COSIC,
KU Leuven. His current research interests include
cryptography, in particular lightweight cryptographic algorithms, side-channel
resistant implementations, and symmetric crypto primitives.