Paper 2023/1117

Mask Compression: High-Order Masking on Memory-Constrained Devices

Markku-Juhani O. Saarinen, PQShield, UK
Mélissa Rossi, ANSSI, France
Abstract

Masking is a well-studied method for achieving provable security against side-channel attacks. In masking, each sensitive variable is split into d randomized shares, and computations are performed with those shares. In addition to the computational overhead of masked arithmetic, masking also has a storage cost, increasing the requirements for working memory and secret key storage proportionally with d. In this work, we introduce mask compression. This conceptually simple technique is based on standard, non-masked symmetric cryptography. Mask compression allows an implementation to dynamically replace individual shares of large arithmetic objects (such as polynomial rings) with -bit cryptographic seeds (or temporary keys) when they are not in computational use. Since does not need to be larger than the security parameter (e.g., bits) and each polynomial share may be several kilobytes in size, this radically reduces the memory requirement of high-order masking. Overall provable security properties can be maintained by using appropriate gadgets to manage the compressed shares. We describe gadgets with Non-Interference (NI) and composable Strong Non-Interference (SNI) security arguments. Mask compression can be applied in various settings, including symmetric cryptography, code-based cryptography, and lattice-based cryptography. It is especially useful for cryptographic primitives that allow quasilinear-complexity masking and hence are practically capable of very high masking orders. We illustrate this with a (Order-31) implementation of the recently introduced lattice-based signature scheme Raccoon on an FPGA platform with limited memory resources.
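The representation the abstract describes, as an added Python illustration that is not code from the paper or its authors: a masked ring element is held as one explicit share plus d-1 seeds, each seed expanded with SHAKE256 into a full share only when arithmetic needs it. The share-by-share absorption in `compress` is my reading of the compression step, and the ring parameters (n = 256, q = 8380417, d = 32) are constructed for the demo rather than the paper's Raccoon parameter set.

```python
import hashlib
import os

# Constructed toy parameters (not the paper's Raccoon parameter set):
# ring Z_q[x]/(x^n + 1), d shares, kappa = 256-bit seeds.
N, Q, D, KAPPA_BYTES = 256, 8380417, 32, 32

def expand_seed(seed: bytes) -> list:
    """Expand a kappa-bit seed into n uniform coefficients in Z_q with
    SHAKE256 as the XOF and rejection sampling (plain, non-masked crypto)."""
    nbytes = 4 * N + 64
    while True:
        buf, coeffs = hashlib.shake_256(seed).digest(nbytes), []
        for i in range(0, len(buf) - 3, 4):
            v = int.from_bytes(buf[i:i + 4], "little")
            if v < Q * (2**32 // Q):        # reject so that v mod Q is uniform
                coeffs.append(v % Q)
                if len(coeffs) == N:
                    return coeffs
        nbytes *= 2                         # ran short: squeeze a longer output

def compress(shares: list) -> tuple:
    """Replace shares 1..d-1 by fresh seeds; share 0 absorbs each difference
    one share at a time, so the unmasked value is never reassembled."""
    x0, seeds = list(shares[0]), []
    for xi in shares[1:]:
        z = os.urandom(KAPPA_BYTES)
        x0 = [(a + b - r) % Q for a, b, r in zip(x0, xi, expand_seed(z))]
        seeds.append(z)
    return x0, seeds

def decompress(x0: list, seeds: list) -> list:
    """Rebuild the full d-share form when the value is needed for arithmetic."""
    return [list(x0)] + [expand_seed(z) for z in seeds]

def unmask(shares: list) -> list:
    """Recombine shares (for checking correctness only)."""
    return [sum(c) % Q for c in zip(*shares)]

def storage_bytes(compressed: bool) -> int:
    """Bytes held per masked polynomial in each representation."""
    full = N * ((Q.bit_length() + 7) // 8)
    return full + (D - 1) * KAPPA_BYTES if compressed else D * full

def demo() -> bool:
    secret = [i * 7919 % Q for i in range(N)]             # constructed sample
    shares = [expand_seed(os.urandom(KAPPA_BYTES)) for _ in range(D - 1)]
    shares.append([(s - sum(c)) % Q for s, c in zip(secret, zip(*shares))])
    x0, seeds = compress(shares)
    return unmask(decompress(x0, seeds)) == secret
```

With these toy parameters `storage_bytes` drops from 24576 bytes for 32 full shares to 1760 bytes for one share plus 31 seeds; the probing-security argument for the gadgets is the paper's, not something this sketch establishes.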

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Published elsewhere. Minor revision. SAC 2023: Selected Areas in Cryptography, 30th International Conference, Fredericton, NB, Canada, August 16-18, 2023
Keywords
Side-Channel Security, Mask Compression, Raccoon Signature Scheme, Post-Quantum Cryptography
Contact author(s)
mjos @ pqshield com
melissa rossi @ ssi gouv fr
History
2023-07-18: approved
2023-07-18: received
Short URL
https://ia.cr/2023/1117
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/1117,
      author = {Markku-Juhani O. Saarinen and Mélissa Rossi},
      title = {Mask Compression: High-Order Masking on Memory-Constrained Devices},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/1117},
      year = {2023},
      url = {https://eprint.iacr.org/2023/1117}
}