Paper 2023/1746

A masking method based on orthonormal spaces, protecting several bytes against both SCA and FIA with a reduced cost

Claude Carlet, University of Bergen, 5005, Norway, LAGA, Department of Mathematics, University of Paris 8 (and Paris 13 and CNRS), Saint–Denis cedex 02, France.
Abderrahman Daif, BULL SAS, Les Clayes-sous-Bois, France
Sylvain Guilley, Secure-IC S.A.S., Paris, France, Telecom Paris, France, Institut Polytechnique de Paris, Palaiseau, France
Cédric Tavernier, Hensoldt France, Plaisir, France
Abstract

In the attacker models of Side-Channel Attacks (SCA) and Fault Injection Attacks (FIA), the opponent has access to a noisy version of the internal behavior of the hardware. Since the end of the nineties, many works have shown that this type of attack constitutes a serious threat to cryptosystems implemented in embedded devices. In the state of the art, there exist several countermeasures to protect symmetric encryption (especially AES-128). Most of them protect against only one of these two attacks (either SCA or FIA). The main known countermeasure against SCA is masking; it makes the complexity of SCA grow exponentially with its order d. The most general version of masking is based on error correcting codes. It has the advantage of offering, in principle, protection against both types of attacks (SCA and FIA), but all the functions implemented in the algorithm need to be masked accordingly, and this is not a simple task in general. We propose a particular version of such a construction that has several advantages: it has a very low computational complexity, it offers concrete protection against both SCA and FIA, and finally it allows flexibility: not being specifically dedicated to AES, it can be applied to any block cipher with any S-boxes. In the state of the art, masking schemes all come with pros and cons concerning the different types of complexity (time, memory, amount of randomness). Our masking scheme concretely achieves the complexity of the best known scheme, for each complexity type.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. Journal of Cryptographic Engineering
DOI
10.1007/s13389-023-00339-9
Keywords
Masking countermeasure, Error correcting codes, Generalized Reed-Solomon codes, Side-channel attack, Fault injection attack
Contact author(s)
claude carlet @ gmail com
daif abde @ yahoo fr
sylvain guilley @ secure-ic com
tavernier cedric @ gmail com
History
2023-11-13: approved
2023-11-11: received
Short URL
https://ia.cr/2023/1746
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/1746,
      author = {Claude Carlet and Abderrahman Daif and Sylvain Guilley and Cédric Tavernier},
      title = {A masking method based on orthonormal spaces, protecting several bytes against both SCA and FIA with a reduced cost},
      howpublished = {Cryptology ePrint Archive, Paper 2023/1746},
      year = {2023},
      doi = {10.1007/s13389-023-00339-9},
      note = {\url{https://eprint.iacr.org/2023/1746}},
      url = {https://eprint.iacr.org/2023/1746}
}