Paper 2023/1117

Mask Compression: High-Order Masking on Memory-Constrained Devices

Markku-Juhani O. Saarinen, PQShield, UK
Mélissa Rossi, ANSSI, France
Abstract

Masking is a well-studied method for achieving provable security against side-channel attacks. In masking, each sensitive variable is split into $d$ randomized shares, and computations are performed with those shares. In addition to the computational overhead of masked arithmetic, masking also has a storage cost, increasing the requirements for working memory and secret key storage proportionally with $d$. In this work, we introduce mask compression. This conceptually simple technique is based on standard, non-masked symmetric cryptography. Mask compression allows an implementation to dynamically replace individual shares of large arithmetic objects (such as polynomial rings) with $\kappa$-bit cryptographic seeds (or temporary keys) when they are not in computational use. Since $\kappa$ does not need to be larger than the security parameter (e.g., $\kappa=256$ bits) and each polynomial share may be several kilobytes in size, this radically reduces the memory requirement of high-order masking. Overall provable security properties can be maintained by using appropriate gadgets to manage the compressed shares. We describe gadgets with Non-Inteference (NI) and composable Strong-Non Interference (SNI) security arguments. Mask compression can be applied in various settings, including symmetric cryptography, code-based cryptography, and lattice-based cryptography. It is especially useful for cryptographic primitives that allow quasilinear-complexity masking and hence are practically capable of very high masking orders. We illustrate this with a $d=32$ (Order-31) implementation of the recently introduced lattice-based signature scheme Raccoon on an FPGA platform with limited memory resources.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Published elsewhere. Minor revision. SAC 2023: Selected Areas in Cryptography, 30th International Conference, Fredericton, NB, Canada, August 16-18, 2023
Keywords
Side-Channel SecurityMask CompressionRaccoon Signature SchemePost-Quantum Cryptography
Contact author(s)
mjos @ pqshield com
melissa rossi @ ssi gouv fr
History
2023-07-18: approved
2023-07-18: received
See all versions
Short URL
https://ia.cr/2023/1117
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/1117,
      author = {Markku-Juhani O. Saarinen and Mélissa Rossi},
      title = {Mask Compression: High-Order Masking on Memory-Constrained Devices},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/1117},
      year = {2023},
      url = {https://eprint.iacr.org/2023/1117}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.