Abstract
The current state of the art of Boolean masking for the modular addition operation in software carries a very high performance overhead. Firstly, the instruction count is very high compared to an unprotected addition. Secondly, until recently, the entropy consumed by such protections was also quite high. Our paper significantly improves both aspects by applying the Threshold Implementation (TI) methodology with two shares and by reusing internal values as a randomness source in such a way that uniformity is always preserved. Our approach performs considerably faster than the previously known masked addition and subtraction algorithms by Coron et al. and Biryukov et al., improving the state of the art by 36% if we only consider the number of ARM assembly instructions. Furthermore, similar to the masked adder of Biryukov et al., we reduce the amount of randomness and require only one additional bit of entropy per addition, which is a good trade-off for the improved performance. We applied our improved masked adder to ChaCha20, for which we provide two new first-order protected implementations and achieve a 36% improvement over the best published result for ChaCha20 on an ARM Cortex-M4 microprocessor.
Highlights
Modular addition is a common operation in many cryptographic algorithms
ARX ciphers, such as Threefish [FLS+10], Speck [BSS+15], or ChaCha20 [Ber08], rely only on the three operations addition, rotation and XOR. Software implementations of these ciphers are usually easy to protect against timing side-channel attacks, but at the same time harder to protect against power or EM analysis, e.g. against the butterfly attack on Skein's modular addition [ZKS12] or the bricklayer attack on ChaCha20 [AFM17].
We investigate how to implement the Boolean masking for modular addition and subtraction using a 2-share Threshold Implementation (TI)
Summary
ARX ciphers, such as Threefish [FLS+10], Speck [BSS+15], or ChaCha20 [Ber08], rely only on the three operations (modular) addition, rotation and XOR. Software implementations of these ciphers are usually easy to protect against timing side-channel attacks, but at the same time harder to protect against power or EM analysis, e.g. against the butterfly attack on Skein's modular addition [ZKS12] or the bricklayer attack on ChaCha20 [AFM17]. The overhead of applying Boolean masking is high for the addition operation, even with state of the art implementations [BDLCU17, DGLC17]. This is especially evident when comparing ARX ciphers with substitution-permutation network (SPN) ciphers, such as AES, where masked bit-sliced implementations can be used to reduce the overhead significantly [SS16, BGRV15]. We chose ChaCha20 as an example because it is a stream cipher with 256-bit security and seems to be a promising candidate for long-term security, owing to its resilience against quantum attacks based on Grover's algorithm.
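The abstract and summary above make two points that are easiest to see in code: in an ARX round, XOR and rotation are linear and can be applied to each Boolean share independently, while modular addition is the one non-linear step where every carry bit needs a masked AND and therefore randomness. The following C program is an added illustration, not the paper's own adder or ChaCha20 implementation: it masks the ChaCha quarter round with two shares using a textbook log-depth (Kogge-Stone) carry computation built from a 2-share ISW-style masked AND, and checks the unmasked result against the RFC 8439 quarter-round test vector. The xorshift generator standing in for a TRNG, and the function and type names, are assumptions made for the example. This baseline spends one fresh random word per masked AND, i.e. ten 32-bit words per addition, which is the randomness cost the paper reduces to a single additional bit per addition.

```c
/* Added illustration: first-order Boolean masking of the ChaCha quarter round.
 * XOR and rotation are share-wise; modular addition uses a masked Kogge-Stone
 * adder built from a 2-share ISW-style masked AND. Not the paper's code. */
#include <stdint.h>
#include <stdio.h>

typedef struct { uint32_t s0, s1; } m32;      /* secret value x = s0 ^ s1 */

/* Constructed xorshift PRNG standing in for the device TRNG (assumption:
 * a real implementation must draw fresh hardware randomness here). */
static uint32_t rng_state = 0x2545F491u;
static uint32_t rand32(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}
static m32 mask(uint32_t x)   { m32 m; m.s1 = rand32(); m.s0 = x ^ m.s1; return m; }
static uint32_t unmask(m32 m) { return m.s0 ^ m.s1; }

/* Linear (share-wise) operations: no randomness needed. */
static m32 mxor(m32 a, m32 b)      { m32 r = { a.s0 ^ b.s0, a.s1 ^ b.s1 }; return r; }
static m32 mshl(m32 a, unsigned n) { m32 r = { a.s0 << n, a.s1 << n }; return r; }
static m32 mrotl(m32 a, unsigned n) {       /* requires 0 < n < 32 */
    m32 r = { (a.s0 << n) | (a.s0 >> (32 - n)), (a.s1 << n) | (a.s1 >> (32 - n)) };
    return r;
}

/* Non-linear: 2-share ISW masked AND on all 32 bit lanes at once. Costs one
 * fresh random bit per lane (a whole 32-bit word) per call. The bracketing
 * is deliberate: r is folded in before the two cross terms meet. */
static m32 mand(m32 a, m32 b) {
    uint32_t r = rand32();
    m32 c;
    c.s0 = (a.s0 & b.s0) ^ r;
    c.s1 = (a.s1 & b.s1) ^ (((a.s0 & b.s1) ^ r) ^ (a.s1 & b.s0));
    return c;
}

/* Masked addition mod 2^32. Kogge-Stone prefix computation of the carries:
 * generate g = x & y, propagate p = x ^ y, then for spans s = 1,2,4,8,16
 * g ^= p & (g << s) (XOR is exact because g and p never overlap) and
 * p &= p << s. Ten masked ANDs, hence ten random words per addition. */
static m32 madd(m32 x, m32 y) {
    m32 p = mxor(x, y), g = mand(x, y);
    unsigned s;
    for (s = 1; s < 32; s <<= 1) {
        g = mxor(g, mand(p, mshl(g, s)));
        if (s < 16) p = mand(p, mshl(p, s));   /* final p is never read */
    }
    return mxor(mxor(x, y), mshl(g, 1));        /* sum = x ^ y ^ carry-in */
}

static uint32_t rotl32(uint32_t x, unsigned n) { return (x << n) | (x >> (32 - n)); }

/* Unmasked ChaCha quarter round, used as the reference. */
static void qr_ref(uint32_t *a, uint32_t *b, uint32_t *c, uint32_t *d) {
    *a += *b; *d ^= *a; *d = rotl32(*d, 16);
    *c += *d; *b ^= *c; *b = rotl32(*b, 12);
    *a += *b; *d ^= *a; *d = rotl32(*d, 8);
    *c += *d; *b ^= *c; *b = rotl32(*b, 7);
}
/* Same round on shares: four masked additions, everything else share-wise. */
static void qr_masked(m32 *a, m32 *b, m32 *c, m32 *d) {
    *a = madd(*a, *b); *d = mxor(*d, *a); *d = mrotl(*d, 16);
    *c = madd(*c, *d); *b = mxor(*b, *c); *b = mrotl(*b, 12);
    *a = madd(*a, *b); *d = mxor(*d, *a); *d = mrotl(*d, 8);
    *c = madd(*c, *d); *b = mxor(*b, *c); *b = mrotl(*b, 7);
}

/* Helpers: mask the inputs, run the masked primitive, unmask the result. */
static uint32_t masked_add_check(uint32_t x, uint32_t y) {
    return unmask(madd(mask(x), mask(y)));
}
static uint32_t masked_qr_word(uint32_t a, uint32_t b, uint32_t c, uint32_t d, int i) {
    m32 m[4] = { mask(a), mask(b), mask(c), mask(d) };
    qr_masked(&m[0], &m[1], &m[2], &m[3]);
    return unmask(m[i]);
}
static int masked_qr_equals_ref(uint32_t a, uint32_t b, uint32_t c, uint32_t d) {
    uint32_t r[4] = { a, b, c, d };
    int i;
    qr_ref(&r[0], &r[1], &r[2], &r[3]);
    for (i = 0; i < 4; i++)
        if (masked_qr_word(a, b, c, d, i) != r[i]) return 0;
    return 1;
}

int main(void) {
    /* Quarter-round test vector from RFC 8439, section 2.1.1. */
    uint32_t a = 0x11111111u, b = 0x01020304u, c = 0x9b8d6f43u, d = 0x01234567u;
    int i;
    printf("masked QR matches reference: %d\n", masked_qr_equals_ref(a, b, c, d));
    for (i = 0; i < 4; i++) printf("%08x\n", masked_qr_word(a, b, c, d, i));
    return 0;
}
```

Two caveats a practitioner should keep in mind. First, functional correctness of the shares says nothing about leakage: a C compiler is free to reassociate the XORs in `mand`, to keep both shares in neighbouring registers, or to spill them so that a load overwrites one share with the other, any of which can recombine the secret in a power or EM trace. This is why the paper counts and optimises ARM assembly instructions rather than C, and why any real implementation needs to be verified on the target with a leakage assessment. Second, the randomness budget here (ten 32-bit words per addition, four additions per quarter round) is exactly the cost that makes naive masking of ARX ciphers expensive; it is the quantity the abstract reports cutting to one additional bit per addition.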
Published in: IACR Transactions on Cryptographic Hardware and Embedded Systems