Paper 2012/175

Optimal First-Order Masking with Linear and Non-Linear Bijections

Houssem MAGHREBI, Claude CARLET, Sylvain GUILLEY, and Jean-Luc DANGER

Abstract

Hardware devices can be protected against side-channel attacks by introducing one random mask per sensitive variable. The computation throughout is unaltered if the shares (masked variable and mask) are processed concomitantly, in two distinct registers. Nonetheless, this setup can be attacked by a zero-offset second-order CPA attack. The countermeasure can be improved by manipulating the mask through a bijection $F$, aimed at reducing the dependency between the shares. Thus $d$th-order zero-offset attacks, which consist in applying CPA on the $d$th power of the centered side-channel traces, can be thwarted for $d \geq 2$ at no extra cost. We denote by $n$ the size in bits of the shares and call $F$ the transformation function, which is a bijection of $\mathbb{F}_2^n$. In this paper, we explore the functions $F$ that thwart zero-offset HO-CPA of maximal order $d$. We mathematically demonstrate that optimal choices for $F$ relate to optimal binary codes (in the sense of communication theory). First, we exhibit optimal linear $F$ functions. Second, we note that for values of $n$ for which non-linear codes exist with better parameters than linear ones, the optimal $F$ is accordingly non-linear. These results are exemplified in the case $n=8$, where the optimal $F$ can be identified: it is derived from the optimal rate~$1/2$ binary code of size $2n$, namely the Nordstrom-Robinson $(16, 256, 6)$ code. This example explicitly provides the optimal protection, limited to one mask, for byte-oriented algorithms such as AES or AES-based SHA-3 candidates. It protects against all zero-offset HO-CPA attacks of order $d \leq 5$. Finally, the countermeasure is shown to be resilient to imperfect leakage models.
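As an added illustration (not code from the paper), the following Python script checks the abstract's reasoning numerically for a small share size: it assumes that each of the two registers leaks the Hamming weight of the share it holds, takes $n = 4$, and compares $F = \mathrm{identity}$ with the linear bijection whose code $\{(m, F(m))\}$ is the extended Hamming $[8,4,4]$ code; the $n = 8$ Nordstrom-Robinson construction is not reproduced. The function names and the $n = 4$ instance are assumptions of this example.

```python
from fractions import Fraction

def hw(v: int) -> int:
    """Hamming weight of an integer."""
    return bin(v).count("1")

def leakage(x: int, m: int, f: list) -> int:
    """Assumed leakage model: the register holding x ^ m and the register
    holding F(m) each leak their Hamming weight; the trace is the sum."""
    return hw(x ^ m) + hw(f[m])

def central_moment(x: int, d: int, f: list) -> Fraction:
    """d-th central moment of the leakage over a uniformly random mask m,
    for a fixed sensitive value x (exact arithmetic, no sampling noise)."""
    size = len(f)
    traces = [leakage(x, m, f) for m in range(size)]
    mean = Fraction(sum(traces), size)
    return sum((t - mean) ** d for t in traces) / size

def first_leaking_order(f: list, max_order: int = 8):
    """Smallest d for which the d-th central moment depends on x, i.e. the
    lowest order at which a zero-offset HO-CPA (CPA on centered traces raised
    to the power d) has a signal to exploit; None if nothing leaks up to
    max_order."""
    for d in range(1, max_order + 1):
        if len({central_moment(x, d, f) for x in range(len(f))}) > 1:
            return d
    return None

def min_distance(f: list) -> int:
    """Minimum distance of the binary code {(m, F(m))}, the code parameter
    the abstract links to the highest thwarted attack order."""
    size = len(f)
    return min(hw(a ^ b) + hw(f[a] ^ f[b])
               for a in range(size) for b in range(size) if a != b)

N = 4                              # share size in bits (small for the example)
IDENTITY = list(range(1 << N))     # F = identity: the mask register leaks m itself
# Assumed linear F: F(m) = m if m has even weight, else m ^ 0xF, i.e. the map
# m -> m * (J + I) over F_2^4; {(m, F(m))} is the extended Hamming [8, 4, 4] code.
HAMMING_F = [m ^ (0xF if hw(m) & 1 else 0) for m in range(1 << N)]

if __name__ == "__main__":
    for name, f in (("identity", IDENTITY), ("extended Hamming", HAMMING_F)):
        print(f"{name:17s} min distance {min_distance(f)}  "
              f"first leaking order {first_leaking_order(f)}")
```

For the identity the second central moment already depends on $x$ (the second-order zero-offset attack of the abstract), whereas for the $[8,4,4]$-derived $F$ the moments of order 1 to 3 are constant in $x$ and only the fourth order leaks, matching the code's minimum distance.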

Metadata
Available format(s): PDF
Category: Implementation
Publication info: Published elsewhere. Unknown where it was published
Keywords: First-order masking countermeasure (CM), zero-offset HO-CPA, linear and non-linear codes
Contact author(s): maghrebi @ enst fr; sylvain guilley @ telecom-paristech fr; danger @ enst fr; claude carlet @ gmail com
History: 2012-04-11: received
Short URL: https://ia.cr/2012/175
License: Creative Commons Attribution (CC BY)

BibTeX

@misc{cryptoeprint:2012/175,
      author = {Houssem MAGHREBI and Claude CARLET and Sylvain GUILLEY and Jean-Luc DANGER},
      title = {Optimal First-Order Masking with Linear and Non-Linear Bijections},
      howpublished = {Cryptology ePrint Archive, Paper 2012/175},
      year = {2012},
      note = {\url{https://eprint.iacr.org/2012/175}},
      url = {https://eprint.iacr.org/2012/175}
}