Abstract

Masking is a sound countermeasure to protect implementations of block-cipher algorithms against Side Channel Analysis (SCA). Currently, the most efficient masking schemes use Lagrange's Interpolation Theorem in order to represent any S-box by a polynomial function over a binary finite field. Masking the processing of an S-box is then achieved by masking every operation involved in the evaluation of its polynomial representation. While the common approach requires the well-known Ishai-Sahai-Wagner (ISW) scheme in order to secure this processing, there exist alternatives. In the particular case of power functions, Genelle, Prouff and Quisquater proposed an efficient masking scheme (GPQ). However, no generalization has been suggested for polynomial functions so far. In this paper, we solve the open problem of extending GPQ to polynomials, and we also solve the open problem of proving that both the original scheme and its variants for polynomials satisfy the t-SNI security definition. Our approach to extending GPQ is based on the cyclotomic method and results in an alternate cyclotomic method which is three times faster in practice than the original proposal in almost all scenarios we address. The best-known method for polynomial evaluation is currently CRV, which requires the cyclotomic method for one of its steps. We also show how to plug our alternate cyclotomic approach into CRV and again obtain an alternate approach that outperforms the original in almost all scenarios. We consider the masking of n-bit S-boxes for n ∈ [4;8] and obtain in practice a 35% efficiency improvement for S-boxes of dimension n ∈ {5,7,8} and 25% for 6-bit S-boxes.
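As an added illustration of the approach the abstract describes (example code, not from the paper): a Boolean sharing of a GF(2^4) element, the ISW secure multiplication used to mask a nonlinear operation, and a masked evaluation of the power function x^3 in which the squaring is applied share by share because it is linear over F2. The field size, the reduction polynomial and all function names are my own choices.

```python
import secrets
from functools import reduce
from operator import xor
# Constructed parameters: GF(2^4) with reduction polynomial x^4 + x + 1 (0x13).
N = 4
POLY = 0x13

def gf_mul(a, b):
    """Multiply a and b in GF(2^N), reducing modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << N):
            a ^= POLY
    return r

def share(x, d):
    """Split x into d+1 Boolean shares: x == x_0 ^ x_1 ^ ... ^ x_d."""
    shares = [secrets.randbelow(1 << N) for _ in range(d)]
    return shares + [reduce(xor, shares, x)]

def unshare(shares):
    """Recombine; every share is needed, which is the point of masking."""
    return reduce(xor, shares, 0)

def isw_mul(a, b):
    """ISW secure multiplication of two (d+1)-share vectors in GF(2^N): each
    cross product a_i*b_j is blinded by a fresh random r_ij before use."""
    n = len(a)
    c = [gf_mul(a[i], b[i]) for i in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            r_ij = secrets.randbelow(1 << N)
            r_ji = (r_ij ^ gf_mul(a[i], b[j])) ^ gf_mul(a[j], b[i])
            c[i] ^= r_ij
            c[j] ^= r_ji
    return c

def masked_cube(x_shares):
    """Masked power function x^3 = x^2 * x: squaring is F2-linear in GF(2^N),
    so it is done share by share; the nonlinear multiply goes through ISW."""
    return isw_mul([gf_mul(s, s) for s in x_shares], x_shares)

def check_cube(x, d):
    """True if the masked evaluation recombines to the plain x^3."""
    return unshare(masked_cube(share(x, d))) == gf_mul(gf_mul(x, x), x)
```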

Highlights

  • Side channel attacks exploit physical leakages of a device during the computation

  • In our GPQ-based alternate approaches, there is always one non-zero input involved in field multiplications, which yields slightly more efficient field multiplications than in the classical CGPQR approach

  • We have proven the security of the power function masking scheme GPQ under the t-SNI definition

Introduction

Side channel attacks exploit physical leakages of a device during the computation. This leakage may unveil sensitive information on the data manipulated by an implementation. Since their introduction in the late nineties [Koc96,KJJ99], numerous side-channel attacks have been successfully mounted on cryptosystems, motivating the design of provably secure countermeasures against such realistic threats. The most common strategy is based on masking. Such a countermeasure randomly splits every sensitive variable into several shares such that all of them are required to retrieve any information about the original data. The number of random shares used to split (or mask) a sensitive variable is referred to as the masking order. A masking scheme of order greater than or equal to d resists an attack of order d
