Abstract

This work introduces second-order masked implementations of the LED, Midori, Skinny, and Prince ciphers that do not require fresh masks to be updated at every clock cycle. The main idea lies in a combination of the constructions given by Shahmirzadi and Moradi at CHES 2021 and the theory presented by Beyne et al. at Asiacrypt 2020. The presented masked designs use only a minimal number of shares, i.e., three, to achieve second-order security, and we make use of a trick to pair a couple of S-boxes to reduce their latency. The theoretical security analyses of our constructions are based on the linear-cryptanalytic properties of the underlying masked primitive as well as on SILVER, the leakage verification tool presented at Asiacrypt 2020. To improve this cryptanalytic analysis, we use the noisy probing model, which allows for the inclusion of noise in the framework of Beyne et al. We further provide an FPGA-based experimental security analysis confirming second-order protection of our masked implementations.

Highlights

  • Ever since the introduction of differential power analysis by Kocher et al. [KJJ99] in 1999, the cryptographic hardware community has been looking for countermeasures to protect embedded devices

  • We propose two masking techniques that allow for a concrete security analysis in the noisy probing model and that allow the randomness in each masked S-box to be reused

  • By combining the improved security model with the new masking techniques, we provide second-order secure maskings of LED, Midori, Skinny, and Prince which require no fresh randomness


Summary

Introduction

Ever since the introduction of differential power analysis by Kocher et al. [KJJ99] in 1999, the cryptographic hardware community has been looking for countermeasures to protect embedded devices. At CHES 2021, Shahmirzadi and Moradi [SM21b] proposed several efficient second-order maskings of popular symmetric primitives that require a significantly lower amount of randomness than other known masked designs. We propose two masking techniques that allow for a concrete security analysis in the noisy probing model and that allow the randomness in each masked S-box to be reused. These techniques remove an important limitation of the work of Beyne et al., which required each shared function to be second-order non-complete and uniform and thereby led to a high overhead in area and latency. Our hardware implementations (HDL code) are provided in full on GitHub.

Boolean Masking and Threshold Implementations
Probability Theory and Fourier Analysis
A Noisy Probing Model
Security Model
Noisy Leakage Functions
Bound on the Advantage
Cryptanalysis of Higher-Order Threshold Implementations
Masking Techniques
Technique 1
Technique 2
Case Studies
Design
Midori
SKINNY
PRINCE
Experimental Analysis
Conclusions
