SCA-Resistant GCM Implementation on 8-Bit AVR Microcontrollers

Galois/counter mode (GCM) is one of the most widely used authenticated encryptions. To date, even though some works have investigated the security against side channel analysis (SCA) in the process of GCM computation, especially GHASH function, they failed to present comprehensive SCA security in consideration of both SPA/TA and DPA/CPA aspects simultaneously. In this paper, we present a secure GCM implementation on 8-bit AVR microcontroller environments. The proposed implementation provides comprehensive SCA security in consideration of not only SPA/TA but also DPA/CPA. In order to defeat SPA/TA, we introduce the concepts of dummy XOR with garbage registers and instruction level atomicity (ILA) and also present secure binary field (BF) multiplication method using them, which runs in a constant-time and fixed pattern. We also propose an efficient multiplicative masking method which can prevent DPA/CPA when computing GHASH function in the GCM process. Through actual implementation of the proposed method on an 8-bit AVR ATmega128 microcontroller, we show that the proposed method outperforms existing alternatives while providing comprehensive SCA security. With respect to the performance of secure binary field multiplication, the proposed multiplication method outperforms the related work by around 51.86% when computing a 128-bit binary field multiplication. Regarding the overhead of the multiplicative masking method, the proposed method requires only one additional BF multiplication and negligible amount of field additions regardless of the number of input blocks, while the related work consumes around the {log(m + n + 1) + 2} number of additional BF multiplications when there are (m + n + 1) input blocks. Through SCA-related experiments, we prove the SCA security of the proposed methods.