Abstract
Side-channel countermeasure designers often face severe performance overheads when trying to protect a device. Widely applied countermeasures such as masking and shuffling entail generating a large amount of random numbers, which can result in a computational bottleneck. To mitigate the randomness cost, this work evaluates low-randomness versions of both masking and shuffling, namely Recycled Randomness Masking (RRM) and Reduced Randomness Shuffling (RRS). These countermeasures employ memory units to store generated random numbers and reuse them in subsequent computations, making them primarily suitable for implementation on devices with sufficient memory. Both RRM and RRS are evaluated using the MI-based framework in the context of horizontal attacks. The evaluation exhibits the tradeoff between the randomness cost and the noisy leakage security level offered by the countermeasures, enabling the designer to fine-tune a masking or shuffling scheme and maximize the security level achieved for a certain cost.
Highlights
The continuously growing Internet of Things (IoT) is rapidly changing modern infrastructure
The evaluation exhibits the tradeoff between the randomness cost and the noisy leakage security level offered by the countermeasures, enabling the designer to fine-tune a masking or shuffling scheme and maximize the security level achieved for a certain cost
We have performed an in-depth investigation of low-randomness alternatives to standard masking and shuffling, namely Recycled Randomness Masking (RRM) and Reduced Randomness Shuffling (RRS)
Summary
The continuously growing Internet of Things (IoT) is rapidly changing modern infrastructure. In order to hinder the attacker, masking applies secret-sharing techniques that randomize intermediate values, while shuffling randomizes the order of the cryptographic blocks and/or the implementation's instructions. As a result, both countermeasures require random numbers to function, making on-chip random number generation (RNG) a useful addition to the device. Their work establishes the notion of security with common randomness (denoted as t-SCR) and provides composable (t-SNI) gadgets [BBD+16] that achieve randomness recycling. Their analysis relies on simulation-based proofs that do not take into account the effect of recycling on the noise level of the device and on the noise amplification stage of masking. We establish a direct link between the randomness cost and the noisy leakage security level provided by a countermeasure, i.e. we integrate the noise factor in our analysis.
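The link between randomness cost and noisy-leakage security described above can be made concrete with an MI computation. The toy model below is an added illustration, not the paper's RRM construction or its evaluation framework: it enumerates exactly the mutual information between a 3-bit key and noisy Hamming-weight leakage of Boolean shares when two masked operations either draw fresh masks or store and reuse one mask. The word width, the known inputs P1/P2, the binomial noise model and the leakage functions are constructed assumptions.

```python
from itertools import product
from math import comb, log2, prod

N_BITS = 3              # toy word width, small enough for exact enumeration
P1, P2 = 0b101, 0b011   # constructed known inputs processed with the same key k

def hw(x):
    """Hamming weight: the noiseless leakage assumed for each stored share."""
    return bin(x).count("1")

def binomial_noise(m):
    """Noise n in [-m, m] on each observed weight, P(n) = C(2m, n+m)/4^m (m=0: noiseless)."""
    return {n - m: comb(2 * m, n) / 4 ** m for n in range(2 * m + 1)}

def leak_fresh(k, r):
    """Two masked operations on k, each drawing its own mask (2 masks)."""
    return (hw(k ^ P1 ^ r[0]), hw(r[0]), hw(k ^ P2 ^ r[1]), hw(r[1]))

def leak_recycled(k, r):
    """Same two operations, but mask r[0] is stored and reused (1 mask)."""
    return (hw(k ^ P1 ^ r[0]), hw(k ^ P2 ^ r[0]), hw(r[0]))

def mutual_information(leak, n_bits, n_rand, noise):
    """I(K; L) in bits for uniform key K, by exhaustive enumeration of keys, masks and noise."""
    words, n_words = range(1 << n_bits), 1 << n_bits
    p_l_given_k = []
    for k in words:                                   # P(L | K = k)
        dist = {}
        for r in product(words, repeat=n_rand):       # uniform, independent masks
            base = leak(k, r)
            for ns in product(noise.items(), repeat=len(base)):
                l = tuple(b + n for b, (n, _) in zip(base, ns))
                p = prod(p_n for _, p_n in ns) / n_words ** n_rand
                dist[l] = dist.get(l, 0.0) + p
        p_l_given_k.append(dist)
    p_l = {}                                          # marginal P(L)
    for dist in p_l_given_k:
        for l, p in dist.items():
            p_l[l] = p_l.get(l, 0.0) + p / n_words
    return sum(p / n_words * log2(p / p_l[l])
               for dist in p_l_given_k for l, p in dist.items())

if __name__ == "__main__":
    for m in range(3):   # randomness cost vs. leakage for increasing noise
        noise = binomial_noise(m)
        i_f = mutual_information(leak_fresh, N_BITS, 2, noise)
        i_r = mutual_information(leak_recycled, N_BITS, 1, noise)
        print(f"m={m}: fresh ({2 * N_BITS} rand bits) I={i_f:.4f} | recycled ({N_BITS} rand bits) I={i_r:.4f}")
```

Each printed row pairs a randomness budget with the MI the attacker can extract at a given noise level, which is the tradeoff curve a designer reads off when deciding how much reuse a device's noise can tolerate.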