## Cryptology ePrint Archive: Report 2011/520

Houssem Maghrebi and Sylvain Guilley and Claude Carlet and Jean-Luc Danger


Abstract: This article provides an in-depth study of the high-order (HO) Boolean masking countermeasure against side-channel attacks. We introduce the notion of HO-CPA immunity as a metric to characterize a leakage function, and show that it serves to assess both the resistance against HO-CPA attacks and the amount of leakage. Namely, the HO-CPA immunity, denoted $\mathsf{HCI} \in \mathbb{N}^*$, coincides with the lowest order of a successful HO-CPA and determines how the leakage scales with the noise variance $\sigma^2$ (as $\mathcal{O}(1/\sigma^{2 \times \mathsf{HCI}})$ in Landau notation). We then introduce the technique of leakage squeezing, an optimization of straightforward masking in which the masks are recoded by suitably chosen bijections. Our main contribution is to show that the HO-CPA immunity of a masking countermeasure can be incremented by one or even by two at virtually no added cost: the bijections (and their inverses) can be incorporated into tables that are often already present in cryptographic algorithms (e.g. substitution boxes).
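Added example (not code from the report): the toy computation below measures the HO-CPA immunity of 4-bit first-order Boolean masking under a noiseless Hamming-weight leakage of both shares, first without recoding and then with leakage squeezing. It takes HCI as the smallest order d at which the d-th central moment of the leakage, conditioned on the sensitive value x, still depends on x, and it assumes the recoding bijection F(m) = m XOR (parity(m) * 1111), a linear involution read off the systematic generator of the extended Hamming [8,4,4] code; that bijection is an assumption of this example, not one taken from the report.

```python
from fractions import Fraction

N_BITS = 4                      # toy width of the sensitive variable and mask
VALUES = range(1 << N_BITS)

def hw(v):
    """Hamming weight of an integer."""
    return bin(v).count("1")

def parity(v):
    return hw(v) & 1

def identity(m):
    """Straightforward first-order Boolean masking: shares are (x ^ m, m)."""
    return m

def squeeze(m):
    """Assumed recoding bijection F(m) = m XOR (parity(m) * 1111), i.e. the
    systematic generator [I | J+I] of the extended Hamming [8,4,4] code.
    F is an involution, so F^-1 = F (cheap to fold into a lookup table)."""
    return m ^ (0xF if parity(m) else 0)

def leakage(x, m, recode):
    """Noiseless Hamming-weight leakage of both shares, x ^ m and recode(m)."""
    return hw(x ^ m) + hw(recode(m))

def central_moments(x, recode, max_order):
    """Exact central moments (orders 1..max_order) of the leakage for a fixed
    sensitive value x, the mask m being uniform over VALUES."""
    samples = [leakage(x, m, recode) for m in VALUES]
    mean = Fraction(sum(samples), len(samples))
    return [sum((s - mean) ** d for s in samples) / len(samples)
            for d in range(1, max_order + 1)]

def hci(recode, max_order=2 * N_BITS):
    """HO-CPA immunity: smallest order d whose d-th central moment, conditioned
    on x, is not identical for every x (so a d-th order CPA has a hook);
    None if no order up to max_order leaks."""
    moments = {x: central_moments(x, recode, max_order) for x in VALUES}
    for d in range(max_order):
        if len({moments[x][d] for x in VALUES}) > 1:
            return d + 1
    return None

def is_bijection(recode):
    return sorted(recode(m) for m in VALUES) == list(VALUES)

if __name__ == "__main__":
    for name, f in (("no squeezing", identity), ("leakage squeezing", squeeze)):
        print(f"{name}: bijection={is_bijection(f)}, HCI={hci(f)}")
```

Without recoding the variance of the leakage already depends on x (HCI = 2); with the squeezed mask the first three central moments are flat for every x and only the fourth varies (HCI = 4), which is the "incremented by two" case of the abstract.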

Category / Keywords: implementation / High-Order Masking, High-Order Correlation Power Analysis (HO-CPA), High-Order CPA Immunity ($\mathsf{HCI}$), Mutual Information Metric (MIM).

Date: received 22 Sep 2011, last revised 4 Feb 2014

Contact author: maghrebi at enst fr


Note: A more pedagogical version of this report is published in the Journal of Cryptographic Engineering (JCEN): http://link.springer.com/article/10.1007/s13389-013-0067-1

Citation: "Achieving side-channel high-order correlation immunity with leakage squeezing", Claude Carlet, Jean-Luc Danger, Sylvain Guilley, Houssem Maghrebi, and Emmanuel Prouff. JCEN (Springer), DOI: 10.1007/s13389-013-0067-1
