Abstract

With the growing threat of side-channel attacks (SCA) on implementations of cryptographic algorithms, the masking method has become one of the most promising SCA countermeasures for securely implementing, for example, block ciphers. The basic principle of the masking method is that if a sensitive variable (which, by definition, depends on sensitive information) is split into random variables that are manipulated in a secure manner, then the relationship between the random variables and the corresponding side-channel information may look independent to the outside world. However, since the introduction of the glitch attack, there has been a lot of concern about the security of the masking method itself. To mitigate the threat of the glitch attack, the threshold implementation (TI) and G-equivariant gates were independently introduced as countermeasures. In this paper, we consider the main notions of these two independent glitch-attack countermeasures, namely non-completeness and G-equivariance, and investigate their relationship. The contribution of this paper is three-fold. First, we show that the widely-circulated proof that the non-complete TI with uniform inputs guarantees security against the 1st-order DPA even in the presence of glitches is not satisfactory. Next, using the notion of G-equivariance extended to the higher-order setting, we prove that non-completeness implies G-equivariance, which, in turn, means that the non-complete TI with uniform inputs has resistance against the glitch attack. Thirdly, we prove that the set of non-complete gates is a proper subset of the set of G-equivariant gates by showing there is a gate that is G-equivariant but not non-complete.

Highlights

  • With the growing threat of side-channel attack (SCA) [1,2,3,4], many countermeasures have been proposed and the masking method has been one of the most promising power attack countermeasures for securely implementing block ciphers [5,6]. The basic principle of the masking methods is that if the sensitive variable is split into some random shares and is manipulated in a secure manner, the relationship between the behavior of internal variables and the corresponding side-channel information may look independent from the outside world.

  • G-equivariant gates [14] and the threshold implementation have been proposed since the glitch attack was introduced, and this paper focuses on the G-equivariant gates

  • We re-investigated the proof that threshold implementation (TI) is secure against the 1st-order differential power attack (DPA) even in the presence of glitches and argued that the proof is missing some points

Summary

Introduction

With the growing threat of SCA (Side-Channel Attack, [1,2,3,4]), many countermeasures have been proposed and the masking method has been one of the most promising power attack countermeasures for securely implementing block ciphers [5,6]. The independence is believed to successfully prevent the 1st-order side-channel DPA regardless of the arrival order of the input signals. It was shown in [14] that there are no G-equivariant gates which have two input shares and in which the XOR sum of the two output shares is equal to the logical AND evaluation of its original inputs. We review the proof in [14] that any non-complete TI with uniform input sharing is secure against the 1st-order DPA even in the presence of glitches and claim that the proof is not satisfactory by introducing a contradictory example. Using the extended notion of G-equivariance, this paper proves that non-completeness implies G-equivariance, which fills the gap in the security proof in [14].
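As an added illustration (not code from the paper), the Python below exhaustively checks a 3-share AND gate of the kind used in threshold implementations: correctness, non-completeness, and whether the share wires a component reads are distributed identically for every unmasked input under uniform sharing. The component functions and all function names are assumptions chosen for this example; it does not implement the paper's G-equivariance definition or its proof.

```python
from collections import Counter
from itertools import product

BITS = (0, 1)
# 3-share AND gate, 0-indexed shares (constructed for this example).
# Component k is written so that it never reads share index k of a or b.
COMPONENTS = [
    lambda a, b: (a[1] & b[1]) ^ (a[1] & b[2]) ^ (a[2] & b[1]),
    lambda a, b: (a[2] & b[2]) ^ (a[0] & b[2]) ^ (a[2] & b[0]),
    lambda a, b: (a[0] & b[0]) ^ (a[0] & b[1]) ^ (a[1] & b[0]),
]

def sharings(x):
    """All four 3-share Boolean sharings of bit x (the uniform sharing)."""
    return [(s0, s1, x ^ s0 ^ s1) for s0, s1 in product(BITS, repeat=2)]

def is_correct():
    """XOR of the three output shares equals a AND b for every sharing."""
    for a, b in product(BITS, repeat=2):
        for sa, sb in product(sharings(a), sharings(b)):
            out = 0
            for f in COMPONENTS:
                out ^= f(sa, sb)
            if out != (a & b):
                return False
    return True

def unused_indices(f):
    """Share indices i such that flipping a[i] or b[i] never changes f."""
    vecs = list(product(BITS, repeat=3))
    unused = []
    for i in range(3):
        flip = lambda s: tuple(v ^ (j == i) for j, v in enumerate(s))
        if all(f(a, b) == f(flip(a), b) == f(a, flip(b))
               for a in vecs for b in vecs):
            unused.append(i)
    return unused

def is_non_complete():
    """Every component is independent of at least one share index."""
    return all(unused_indices(f) for f in COMPONENTS)

def wires_leak(indices):
    """True if the joint distribution of the share wires at `indices`
    differs between some pair of unmasked inputs (a, b)."""
    dists = [Counter(tuple(sa[i] for i in indices) + tuple(sb[i] for i in indices)
                     for sa, sb in product(sharings(a), sharings(b)))
             for a, b in product(BITS, repeat=2)]
    return any(d != dists[0] for d in dists)
```

Calling `wires_leak((1, 2))` covers the wires read by the first component, while `wires_leak((0, 1, 2))` models a complete component that reads every share.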

Notation
Masking Method
Glitch Attack and Countermeasures
Non-Completeness Implies 1st-Order DPA Security?
Non-Completeness Implies G-Equivariance
Conclusions