## Cryptology ePrint Archive: Report 2012/567

Leakage Squeezing of Order Two

Claude Carlet and Jean-Luc Danger and Sylvain Guilley and Houssem Maghrebi

Abstract: In masking schemes, \emph{leakage squeezing} is the study of the optimal shares' representation, that maximizes the resistance order against high-order side-channel attacks. Squeezing the leakage of first-order Boolean masking has been problematized and solved previously in~\cite{DBLP:conf/africacrypt/MaghrebiCGD12}. The solution consists in finding a bijection $F$ that modifies the mask, in such a way that its graph, seen as a code, be of greatest dual distance. This paper studies second-order leakage squeezing, \emph{i.e.} leakage squeezing with two independent random masks. It is proved that, compared to first-order leakage squeezing, second-order leakage squeezing at least increments (by one unit) the resistance against high-order attacks, such as high-order correlation power analyses (HO-CPA). Now, better improvements over first-order leakage squeezing are possible by relevant constructions of the squeezing bijections pair. We provide with linear bijections that improve by strictly more than one (instead of one) the resistance order. Specifically, when the masking is applied on bytes (which suits AES), resistance against $1$st-order (resp. $2$nd-order) attacks is possible with one (resp. two) masks. Optimal leakage squeezing with one mask resists HO-CPA of orders up to $5$. In this paper, with two masks, we provide resistance against HO-CPA not only of order $5+1=6$, but also of order $7$.

Category / Keywords: implementation /

Publication Info: Extended version of a paper to be published at INDOCRYPT 2012