Paper 2021/1111

A Low-Randomness Second-Order Masked AES

Tim Beyne, Siemen Dhooghe, Adrián Ranea, and Danilo Šijačić

Abstract

We propose a second-order masking of the AES in hardware that requires an order of magnitude fewer random bits per encryption compared to previous work. The design and its security analysis are based on recent results by Beyne et al. from Asiacrypt 2020. Applying these results to the AES required overcoming significant engineering challenges by introducing new design techniques. Since the security analysis is based on linear cryptanalysis, the masked cipher needs to have sufficient diffusion and the S-box sharing must be highly nonlinear. Hence, in order to apply the changing of the guards technique, a detailed study of its effect on the diffusion of the linear layer becomes important. The security analysis is automated using an SMT solver. Furthermore, we propose a sharpening of the glitch-extended probing model that results in improvements to our concrete security bounds. Finally, it is shown how to amortize randomness costs over multiple evaluations of the masked cipher.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Published elsewhere. Selected Areas in Cryptography 2021
Keywords
Hardware, Linear Cryptanalysis, Masking, Probing Security, Side-Channel Analysis, Threshold Implementations
Contact author(s)
siemen dhooghe @ esat kuleuven be
History
2021-09-01: revised
2021-08-31: received
Short URL
https://ia.cr/2021/1111
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2021/1111,
      author = {Tim Beyne and Siemen Dhooghe and Adrián Ranea and Danilo Šijačić},
      title = {A Low-Randomness Second-Order Masked {AES}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2021/1111},
      year = {2021},
      url = {https://eprint.iacr.org/2021/1111}
}