Cryptology ePrint Archive: Report 2009/420
Higher-order Masking and Shuffling for Software Implementations of Block Ciphers
Matthieu Rivain and Emmanuel Prouff and Julien Doget
Abstract: Differential Power Analysis (DPA) is a powerful side-channel key recovery attack that efficiently breaks block cipher implementations. In software, two main techniques are usually applied to thwart it: masking and operations shuffling. To benefit from the advantages of the two techniques, recent works have proposed to combine them. However, the schemes which have been designed until now only provide limited resistance levels and some advanced DPA attacks have turned out to break them. In this paper, we investigate the combination of masking and shuffling. We moreover extend the approach with the use of higher-order masking and we show that it significantly improves the security level of such a scheme. We first conduct a theoretical analysis in which the efficiency of advanced DPA attacks targeting masking and shuffling is quantified. Based on this analysis, we design a generic scheme combining higher-order masking and shuffling. This scheme is scalable and its security parameters can be chosen according to any desired resistance level. As an illustration, we apply it to protect a software implementation of AES for which we give several security/efficiency trade-offs.
Category / Keywords: implementation / Differential Power Analysis (DPA), block ciphers implementations, software countermeasures, higher order masking
Publication Info: Extended version of a paper published at CHES 2009.
Date: received 28 Aug 2009, last revised 1 Sep 2009
Contact author: matthieu rivain at gmail com
Version: 20090901:130005
Short URL: ia.cr/2009/420