You are looking at version 20210722:090334 of this paper.

Paper 2021/951

Bitslice Masking and Improved Shuffling: How and When to Mix Them in Software?

Melissa Azouaoui and Olivier Bronchain and Vincent Grosso and Kostas Papagiannopoulos and François-Xavier Standaert

Abstract

We revisit the popular adage that side-channel countermeasures must be combined to be efficient, and study its application to bitslice masking and shuffling. Our contributions are threefold. First, we improve this combination: by shuffling the shares of a masked implementation rather than its tuples, we can amplify the impact of the shuffling exponentially in the number of shares, while this impact was independent of the masking security order in previous works. Second, we evaluate the masking and shuffling combination's performance vs. security tradeoff under sufficient noise conditions: we show that the best approach is to mask first (i.e., fill the registers with as many shares as possible) and shuffle the independent operations that remain. Third, we discuss the challenges for implementing masking and shuffling under low noise conditions: we recall that such algorithmic countermeasures cannot be implemented securely without a minimum level of physical noise. We conclude that with moderate but sufficient noise, the bitslice masking + shuffling combination is relevant, and its interest increases when randomness is expensive and many independent operations are available for shuffling. When these conditions are not met, masking only is the best option. As a side result, we improve the best known attack against shuffling from Asiacrypt 2012, which we use in our concrete evaluations.

Metadata

Available format(s): PDF
Category: Implementation
Publication info: Preprint.
Keywords: side-channel attacks, shuffling, masking
Contact author(s): olivier bronchain @ uclouvain be
History: 2021-07-22: received
Short URL: https://ia.cr/2021/951
License: Creative Commons Attribution (CC BY)