Abstract
Code-based masking is a very general type of masking scheme that covers Boolean masking, inner product masking, direct sum masking, and so on. The merits of the generalization are twofold. Firstly, the higher algebraic complexity of the sharing function decreases the information leakage in “low noise conditions” and may increase the “statistical security order” of an implementation (with linear leakages). Secondly, the underlying error-correction codes can offer improved fault resistance for the encoded variables. Nevertheless, this higher algebraic complexity also implies additional challenges. On the one hand, a generic multiplication algorithm applicable to any linear code is still unknown. On the other hand, masking schemes with higher algebraic complexity usually come with implementation overheads, as for example witnessed by inner-product masking. In this paper, we contribute to these challenges in two directions. Firstly, we propose a generic algorithm that allows us (to the best of our knowledge for the first time) to compute on data shared with linear codes. Secondly, we introduce a new amortization technique that can significantly mitigate the implementation overheads of code-based masking, and illustrate this claim with a case study. Precisely, we show that, although performing every single code-based masked operation is relatively complex, processing multiple secrets in parallel leads to much better performances. This property enables code-based masked implementations of the AES to compete with the state-of-the-art in randomness complexity. Since our masked operations can be instantiated with various linear codes, we hope that these investigations open new avenues for the study of code-based masking schemes, by specializing the codes for improved performances, better side-channel security or improved fault tolerance.
Highlights
Masking is one of the most investigated countermeasures against side-channel attacks [Koc96, KJJ99]
Since cryptographic algorithms usually apply the same function to multiple variables in parallel, our scheme can reach decent performance by packing multiple (e.g., 16 for the AES) secret variables into a single codeword, a technique we call amortization
We tackle the computational issue of code-based masking
Summary
Masking is one of the most investigated countermeasures against side-channel attacks [Koc96, KJJ99]. Masking schemes whose sharing has a higher algebraic complexity than Boolean masking include polynomial masking [GM11, PR11, GSF13, CMP18], leakage squeezing [MGD11, CDGM14, CDG+14], Inner Product (IP) masking [BFG15, BFG+17, CCG+19] and (orthogonal) Direct Sum Masking (DSM) [BCC+14, CG16, PGS+17]. It has been shown in [BFGV12] that IP masking can be viewed as a generalization of simpler encoders such as those used in Boolean, affine and polynomial masking. The higher algebraic complexity of its encodings can provide improved concrete security against side-channel attacks: it decreases the information leakage observed in “low noise conditions” [BFG15, BFGV12, FMPR10, GM11, PR11]. It is pointed out in [PGS+17] that an efficient multiplication algorithm for DSM is still an open challenge, and that known IP masking schemes are not as efficient as Boolean masking schemes.
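The sharing structure that the abstract and the summary describe (one linear encoder of which Boolean masking, inner-product masking and a packed codeword holding 16 secrets are all instances) is made concrete below. This is an added example written for this page, not code from the paper: it works over GF(2^8) with the AES reduction polynomial, the generator matrices (`G` for the secrets, `G_rand` for the randomness) are illustrative choices whose side-channel security order is not analysed, and it deliberately shows only encoding, decoding and share-wise linear operations; the generic masked multiplication is the paper's contribution and is not reproduced here.

```python
"""Linear-code sharing (code-based masking) over GF(2^8).

Added illustration, not the paper's code. A secret vector s (k elements)
and a random vector r (n-k elements) are mapped linearly to n shares,
    shares = s*G + r*G',
and decoding multiplies by the inverse of the stacked matrix [G; G'].
All matrices below are illustrative; their security order is not analysed.
"""
import secrets

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES field polynomial


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES reduction polynomial."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """a^-1 = a^254 in GF(2^8), by square-and-multiply."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def vec_mat(v, M):
    """Row vector times matrix over GF(2^8); field addition is XOR."""
    out = [0] * len(M[0])
    for i, vi in enumerate(v):
        if vi:
            for j, mij in enumerate(M[i]):
                out[j] ^= gf_mul(vi, mij)
    return out


def mat_inv(M):
    """Gauss-Jordan inverse over GF(2^8); raises if M is singular."""
    n = len(M)
    A = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        piv = next((r for r in range(c, n) if A[r][c]), None)
        if piv is None:
            raise ValueError("[G; G'] must be invertible")
        A[c], A[piv] = A[piv], A[c]
        inv = gf_inv(A[c][c])
        A[c] = [gf_mul(inv, x) for x in A[c]]
        for r in range(n):
            if r != c and A[r][c]:
                f = A[r][c]
                A[r] = [x ^ gf_mul(f, y) for x, y in zip(A[r], A[c])]
    return [row[n:] for row in A]


class CodeMasking:
    """shares = s*G + r*G'; G is k x n (secrets), G' is (n-k) x n (randomness)."""

    def __init__(self, G, G_rand):
        self.k, self.n, self.G, self.G_rand = len(G), len(G[0]), G, G_rand
        if self.k + len(G_rand) != self.n:
            raise ValueError("rows of G and G' must total the code length n")
        self.dec = mat_inv([list(r) for r in G] + [list(r) for r in G_rand])

    def encode(self, s, r=None):
        """Share the k secrets in s; randomness r is drawn fresh if not given."""
        if len(s) != self.k:
            raise ValueError(f"expected {self.k} secret elements")
        if r is None:
            r = [secrets.randbelow(256) for _ in range(self.n - self.k)]
        return [a ^ b for a, b in zip(vec_mat(s, self.G), vec_mat(r, self.G_rand))]

    def decode(self, shares):
        """shares * [G; G']^-1 = (s || r); keep the first k coordinates."""
        return vec_mat(shares, self.dec)[: self.k]

    def random_bytes_per_secret(self):
        return (self.n - self.k) / self.k


# Two classic encoders as instances of the same construction (illustrative):
BOOLEAN = CodeMasking(G=[[1, 0]], G_rand=[[1, 1]])           # shares = (s ^ r, r)
INNER_PRODUCT = CodeMasking(G=[[1, 0]], G_rand=[[0x02, 1]])  # s = x0 + 0x02*x1


def packed_scheme(k=16, t=2):
    """Pack k secrets (e.g. one AES state) into a single n = k + t codeword.

    G = [I_k | 0] and G' = [A | I_t] with A a t x k matrix of non-zero field
    elements, so [G; G'] is unit lower-triangular and therefore invertible.
    """
    G = [[int(c == i) for c in range(k + t)] for i in range(k)]
    G_rand = [[(j * k + i) % 255 + 1 for i in range(k)] + [int(c == j) for c in range(t)]
              for j in range(t)]
    return CodeMasking(G, G_rand)


def linear_op_on_shares(shares_a, shares_b, scalar):
    """Linear maps cost nothing: scalar*a + b is computed share-wise, no fresh randomness."""
    return [gf_mul(scalar, x) ^ y for x, y in zip(shares_a, shares_b)]
```

With `packed_scheme(16, 2)` the 16 AES state bytes share two random bytes (0.125 random bytes per secret), whereas sharing each byte separately with `BOOLEAN` costs one random byte per secret; this is the randomness-accounting side of the amortization argument, and nothing more, since whether a given `G_rand` actually provides a useful security order depends on the code's distance properties and on the masked non-linear operations, neither of which this snippet addresses.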
More From: IACR Transactions on Cryptographic Hardware and Embedded Systems