Abstract
Masking by lookup table randomisation is a well-known technique used to achieve side-channel attack resistance for software implementations, particularly against DPA attacks. The randomised table technique for first- and second-order security requires about m · 2^n bits of RAM to store an (n,m)-bit masked S-box lookup table. Table compression helps in reducing the amount of memory required, and this is useful for highly resource-constrained IoT devices. Recently, Vadnala (CT-RSA 2017) proposed a randomised table compression scheme for first- and second-order security in the probing leakage model. This scheme reduces the RAM memory required by about a factor of 2^l, where l is a compression parameter. Vivek (Indocrypt 2017) demonstrated an attack against the second-order scheme of Vadnala. Hence achieving table compression at second and higher orders is an open problem. In this work, we propose a second-order secure randomised table compression scheme which works for any (n,m)-bit S-box. Our proposal is a variant of Vadnala's scheme that is not only secure but also significantly improves the time-memory trade-off. Specifically, we improve the online execution time by a factor of 2^(n−l). Our proposed scheme is proved 2-SNI secure in the probing leakage model. We have implemented our method for AES-128 on a 32-bit ARM Cortex processor. We are able to reduce the memory required to store a randomised S-box table for a second-order AES-128 implementation to 59 bytes.
Highlights
IoT involves extending connectivity beyond standard devices, such as desktops, laptops, smartphones and tablets, to a range of traditionally non-connectivity-enabled and everyday objects
We reduce the RAM memory required per S-box to mask AES-128 at second-order security to 59 bytes and that of second-order masked PRESENT 80-bit key variant to 9 bytes
Since first-order DPA attacks on embedded devices are feasible, in this work we focused on designing a second-order secure masked table compression scheme for highly resource-constrained embedded devices to achieve time-memory trade-offs
Summary
IoT involves extending connectivity beyond standard devices, such as desktops, laptops, smartphones and tablets, to a range of traditionally non-connectivity-enabled and everyday objects. We present our variant of the second-order secure randomised table-based S-box masking scheme of Rivain, Dottax and Prouff [RDP08, Section 3.1, Algorithm 2]. Unlike the former scheme, our variant allows pre-computation of the masked table offline, as the third share is needed only in the last step. Pair-wise independence of the output masks is sufficient for 2-SNI security, since the first output masks are not combined as part of Algorithm 3. Our approach is to secure the second-order lookup table compression scheme from [Vad17, Section 3] (see Section 3) by first basing it on the modified RDP scheme from Section 2 to allow pre-processing, and by using different output masks for each of the rows of T1 and T2.
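As an added illustration, not code from the paper, the following shows the baseline randomised-table technique the abstract builds on: a first-order masked table for a (4,4)-bit S-box, an exhaustive check that unmasking the lookup recovers S(x), and the m · 2^n memory figure for the AES (8,8) and PRESENT (4,4) S-box sizes the paper mentions. The PRESENT S-box constant is assumed from the PRESENT specification; the masks are constructed sample values.

```python
import secrets

# PRESENT S-box, a (4,4)-bit S-box (constant taken from the PRESENT cipher specification).
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def masked_table_bits(n, m):
    """RAM needed by one full-size randomised table for an (n,m)-bit S-box: m * 2^n bits."""
    return m * (1 << n)

def masked_table_bytes(n, m):
    """Same figure in bytes, the unit the paper reports (59 bytes for its AES-128 scheme)."""
    return masked_table_bits(n, m) // 8

def randomised_table(sbox, n, r_in, r_out):
    """Offline phase: build T'(a) = S(a xor r_in) xor r_out for every n-bit index a.
    Each entry is S(x) for some x, re-masked, so the table alone reveals nothing about x."""
    return [sbox[a ^ r_in] ^ r_out for a in range(1 << n)]

def masked_lookup(table, x_masked):
    """Online phase: index the table with the masked input (x xor r_in).
    The result is S(x) xor r_out; the unmasked x never appears in memory."""
    return table[x_masked]

def check_table(sbox, n, r_in, r_out):
    """Verify for all x that unmasking the lookup result recovers S(x)."""
    table = randomised_table(sbox, n, r_in, r_out)
    return all(masked_lookup(table, x ^ r_in) ^ r_out == sbox[x] for x in range(1 << n))

def fresh_masks(n, m):
    """Draw a fresh (input, output) mask pair per execution, as DPA countermeasures require."""
    return secrets.randbelow(1 << n), secrets.randbelow(1 << m)

if __name__ == "__main__":
    r_in, r_out = fresh_masks(4, 4)
    print("PRESENT table correct:", check_table(PRESENT_SBOX, 4, r_in, r_out))
    print("AES (8,8) baseline table:", masked_table_bytes(8, 8), "bytes")
    print("PRESENT (4,4) baseline table:", masked_table_bytes(4, 4), "bytes")
```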