Cryptology ePrint Archive: Report 2021/1111

A Low-Randomness Second-Order Masked AES

Tim Beyne and Siemen Dhooghe and Adrián Ranea and Danilo Šijačić

Abstract: We propose a second-order masking of the AES in hardware that requires an order of magnitude fewer random bits per encryption than previous work. The design and its security analysis are based on recent results by Beyne et al. from Asiacrypt 2020. Applying these results to the AES required overcoming significant engineering challenges by introducing new design techniques. Since the security analysis is based on linear cryptanalysis, the masked cipher needs to have sufficient diffusion and the S-box sharing must be highly nonlinear. Hence, in order to apply the changing-of-the-guards technique, a detailed study of its effect on the diffusion of the linear layer becomes important. The security analysis is automated using an SMT solver. Furthermore, we propose a sharpening of the glitch-extended probing model that results in improvements to our concrete security bounds. Finally, it is shown how to amortize randomness costs over multiple evaluations of the masked cipher.

Category / Keywords: implementation / Hardware, Linear Cryptanalysis, Masking, Probing Security, Side-Channel Analysis, Threshold Implementations

Original Publication (in the same form): Selected Areas in Cryptography 2021

Date: received 31 Aug 2021, last revised 1 Sep 2021

Contact author: siemen dhooghe at esat kuleuven be

Version: 20210901:091454

Short URL: ia.cr/2021/1111