DRECON : DPA Resistant Encryption by Construction Suvadeep Hajra 1 , Chester Rebeiro 1 , Shivam Bhasin 2 , Gaurav Bajaj 1 , Sahil Sharma 1 , Sylvain Guilley 2,3 , and Debdeep Mukhopadhyay 1 1 Dept. of Computer Science and Engineering, Indian Institute of Technology Kharagpur, India {suvadeep.hajra,chetrebeiro,bajaj.gaurav92,shlshrm000, debdeep.mukhopadhyay}@gmail.com 2 Institut MINES-TELECOM, TELECOM ParisTech, Department COMELEC, 46 rue Barrault, 75634 Paris Cedex 13, France {bhasin,guilley}@telecom-paristech.fr 3 Secure-IC S.A.S., 80 avenue des Buttes de Co¨ esmes, 35700 Rennes, FRANCE Abstract. Side-channel attacks are considered as one of the biggest threats against modern crypto-systems. This motivates the design of ci- phers which are naturally resistant against side-channel attacks. The present paper proposes a scheme called DRECON to construct a block cipher with innate protection against differential power attacks (DPA), another term used as a synonym for side-channel attacks. The scheme is motivated by tweakable block ciphers and is shown to be secure against first-order DPA using information theoretic metrics. DRECON is shown to be less expensive than masking and re-keying countermeasures from the implementation perspective and can be efficiently realized in both hardware and software platforms. On FPGAs especially, DRECON can optimally utilize the abundant block RAMs available and therefore have minimal overheads. We estimate the cost overhead of DRECON in micro- controllers and FPGAs, two common targets for cryptographic appli- cations. Finally we demonstrate practical side-channel resistance of a DRECON implementation on a Xilinx Virtex-5 FPGA (SASEBO GII board). 1 Introduction In 1998, Paul Kocher demonstrated a new class of cryptographic attacks known as differential power analysis (DPA) [13], which utilizes information leakages from power or electro-magnetic radiation of the cipher’s implementation. Since then, several DPA attacks have been demonstrated on almost every crypto- system in use. Today DPA has become one of the biggest threats to modern security systems. Over the years there have been several attempts to prevent these attacks. A current trend is to either eliminate [37, 38] or randomize [2, 7]