Abstract
Due to its provable security and remarkable device-independence, masking has been widely accepted as a noteworthy algorithmic-level countermeasure against side-channel attacks. However, relatively high cost of masking severely limits its applicability. Considering the high tackling complexity of non-linear operations, most masked AES implementations focus on the security and cost reduction of masked S-boxes. In this paper, we focus on linear operations, which seems to be underestimated, on the contrary. Specifically, we discover some security flaws and redundant processes in popular first-order masked AES linear operations, and pinpoint the underlying root causes. Then we propose a provably secure and highly efficient masking scheme for AES linear operations. In order to show its practical implications, we replace the linear operations of state-of-the-art first-order AES masking schemes with our proposal, while keeping their original non-linear operations unchanged. We implement four newly combined masking schemes on an Intel Core i7-4790 CPU, and the results show they are roughly 20% faster than those original ones. Then we select one masked implementation named RSMv2 due to its popularity, and investigate its security and efficiency on an AVR ATMega163 processor and four different FPGA devices. The results show that no exploitable first-order side-channel leakages are detected. Moreover, compared with original masked AES implementations, our combined approach is nearly 25% faster on the AVR processor, and at least 70% more efficient on four FPGA devices.
Highlights
Side-Channel Attacks (SCAs) exploit physical leakages (e.g. running time (Kocher 1996), power consumption (Kocher et al 1999) and electromagnetic radiations (Quisquater and Samyde 2001)) of a cryptographic implementation to recover the corresponding secrets
ISO/IEC 17825:2016 specifies the use of Test Vector Leakage Assessment (TVLA) framework as a certain measure to assess whether an implementation of symmetrical cryptography is vulnerable to first-order attacks or not
Evaluation of running time on CPU A masked Advanced Encryption Standard (AES) implementation is consist of two parts: non-linear part and linear part, so the speedup of our proposal toward whole AES execution time is affected by the implementations of non-linear part
Summary
Side-Channel Attacks (SCAs) exploit physical leakages (e.g. running time (Kocher 1996), power consumption (Kocher et al 1999) and electromagnetic radiations (Quisquater and Samyde 2001)) of a cryptographic implementation to recover the corresponding secrets. Among different kinds of SCAs, first-order attacks, such as first-order differential power analysis (DPA) (Kocher et al 1999) and first-order correlation power analysis (CPA) (Schneider and Krishnamoorthy 1996), are widely used due to their low costs. They are the first into considerations when guarding devices against SCAs. According to the highest security level, namely ISO/IEC 17825 level-4, there should be at least 100,000 traces collected to test whether a specific implementation is resistant to them
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
