You are looking at a specific version 20180514:144624 of this paper. See the latest version.

Paper 2018/438

Improved Bitslice Masking: from Optimized Non-Interference to Probe Isolation

Gaëtan Cassiers and François-Xavier Standaert

Abstract

We revisit the security analysis of bitslice masking, which is currently the most efficient way to protect block ciphers against higher-order side-channel analysis. First, we put forward that the existing definition of Strong Non-Interference (SNI), used to reason about composability in masked implementations, requires minor adaptations to capture the multiple-input multiple-output functions that bitslice implementations contain. We argue that these adaptations are instrumental in the analysis of a compositional strategy used in the masked AES implementations of Goudarzi and Rivain from EUROCRYPT 2017, where all multiplications are SNI with one input "refreshed" in an SNI manner. Second, we show that this strategy can be improved thanks to integer programming, and report on an optimized masked AES S-box with significantly fewer SNI gadgets than previously required. Finally, we propose a new definition of Probe-Isolating Non-Interference (PINI), which captures a weaker yet sufficient requirement for composability in masked implementations. This definition allows major simplifications of the probing security analyses of complex circuits. We show that it leads to improved performance for masked AES implementations (of order up to 20) by proposing and proving a first PINI multiplication.
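The abstract talks about masked multiplications, their probe-level security and the ordering constraints that composition imposes. As an added illustration that is not code from the paper (and is not its PINI multiplication), the following block implements the standard ISW masked AND on bit-sliced words and runs an exhaustive first-order probing check on its 1-bit instance: every intermediate value is recorded as a probe candidate, and a probe is flagged if its distribution over the randomness changes with the secret inputs. A deliberately mis-ordered variant of the gadget (cross products XORed together before the fresh mask is applied) is included only to show what such a check catches; all inputs are constructed sample values.

```python
"""Added example (not code from the paper): the ISW masked AND gadget on
bit-sliced words, with an exhaustive first-order probing check of its
1-bit instance. Everything below is a standard construction written for
illustration; it is not the paper's PINI multiplication."""
import itertools
import secrets
from collections import Counter

WIDTH = 8                 # bit-sliced word width: 8 AND gates evaluated in parallel
MASK = (1 << WIDTH) - 1


def share(x, d, rng=secrets.randbits):
    """Boolean-share word x into d shares whose XOR is x (rng(n) -> n-bit word)."""
    shares = [rng(WIDTH) & MASK for _ in range(d - 1)]
    last = x & MASK
    for s in shares:
        last ^= s
    return shares + [last]


def unshare(shares):
    acc = 0
    for s in shares:
        acc ^= s
    return acc


def isw_and(a, b, rng=secrets.randbits, trace=None, safe=True):
    """ISW multiplication of sharings a and b (lists of d words); returns a
    d-sharing of a & b. Every intermediate value passes through probe(), so a
    trace list, if supplied, receives the complete list of probe candidates.

    safe=True  : ISW ordering, the fresh r is XORed onto a_i&b_j before a_j&b_i is added.
    safe=False : a_i&b_j ^ a_j&b_i is formed first and r is added afterwards.
                 Deliberately insecure; kept only so the check has something to catch."""
    d = len(a)

    def probe(v):
        v &= MASK
        if trace is not None:
            trace.append(v)
        return v

    c = [probe(a[i] & b[i]) for i in range(d)]
    for i in range(d):
        for j in range(i + 1, d):
            r = probe(rng(WIDTH))
            if safe:
                t = probe(r ^ probe(a[i] & b[j]))
                t = probe(t ^ probe(a[j] & b[i]))
            else:
                t = probe(probe(a[i] & b[j]) ^ probe(a[j] & b[i]))
                t = probe(t ^ r)
            c[i] = probe(c[i] ^ r)
            c[j] = probe(c[j] ^ t)
    return c


def leaking_probes(d=2, safe=True):
    """Exhaustive first-order probing check of the 1-bit, d-share gadget.

    For each pair of secret input bits (x, y), enumerate every assignment of
    the random bits (2(d-1) for the two sharings, d(d-1)/2 for the gadget)
    and record every intermediate. A single probe is first-order secure when
    its value distribution is the same for all four secret pairs. Returns the
    trace indices of probes whose distribution depends on (x, y)."""
    n_rand = 2 * (d - 1) + d * (d - 1) // 2
    per_secret = {}
    for x, y in itertools.product((0, 1), repeat=2):
        rows = []
        for bits in itertools.product((0, 1), repeat=n_rand):
            it = iter(bits)
            rng = lambda _n, it=it: next(it)   # deterministic 1-bit "randomness"
            a, b = share(x, d, rng), share(y, d, rng)
            trace = []
            c = isw_and(a, b, rng, trace, safe)
            assert unshare(c) == (x & y), "gadget is incorrect"
            rows.append(trace)
        per_secret[(x, y)] = rows
    n_probes = len(per_secret[(0, 0)][0])
    leaks = []
    for k in range(n_probes):
        dists = {s: Counter(row[k] for row in rows) for s, rows in per_secret.items()}
        if len(set(frozenset(dd.items()) for dd in dists.values())) > 1:
            leaks.append(k)
    return leaks


def bitsliced_demo():
    """Mask two constructed 8-bit words, AND them under the mask, unmask."""
    x, y = 0b10110010, 0b11001101       # constructed sample inputs
    a, b = share(x, 3), share(y, 3)
    return unshare(isw_and(a, b)) == (x & y)


if __name__ == "__main__":
    print("bitsliced 3-share AND correct:", bitsliced_demo())
    print("ISW, 2 shares, leaking probes:", leaking_probes(2, safe=True))
    print("ISW, 3 shares, leaking probes:", leaking_probes(3, safe=True))
    print("naive ordering, 2 shares, leaking probes:", leaking_probes(2, safe=False))
```

The check is only first-order and only exhaustive because the 1-bit instance is tiny; it says nothing about composition, which is exactly the gap that SNI and PINI definitions address. In the mis-ordered variant the flagged probe is the value a_0&b_1 ^ a_1&b_0, which equals a_0&y ^ x&b_0 and is constant zero whenever both secrets are zero, so its distribution depends on the secret even though the gadget's output sharing is still correct.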

Metadata
Available format(s)
PDF
Publication info
Preprint. MINOR revision.
Keywords
masking, security proofs, probing model, secure composition
Contact author(s)
fstandae @ uclouvain be
History
2020-02-27: last of 2 revisions
2018-05-14: received
Short URL
https://ia.cr/2018/438
License
Creative Commons Attribution
CC BY