A low-entropy first-degree secure provable masking scheme for resource-constrained devices

The trend in protection against side-channel analysis is to be more secure with little consideration for cost. However, in small devices like RFID tags, traditional security solutions might be impractical due to the limited availability of resources. Thus designers are often forced to use imperfect but low-cost security solutions. When implementing masking countermeasures on a low-resource device, designers are not only limited in memory or power but also lack a high-throughput source of randomness. In this paper, we stick to a formal security notion (first-degree security) but seek a low-cost countermeasure against side-channel attacks. The proposed countermeasure is based on masking but needs only one bit of randomness to resist first-degree attacks such as correlation power analysis. Furthermore, the implementation also resists side-channel collision attacks once the entropy of the randomness is increased to 16 bits. We show that security can be obtained at extremely low overhead and with as few as a couple of random bytes. This is supported by an application to PRESENT which is provably masked at first degree for a performance overhead of only 1%. Side-channel laboratory evaluations are also provided to support our claim.
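As an added illustration (not the paper's own construction or code), the following Python check shows what "first-degree security with one random bit" means under a Hamming-weight leakage model. It assumes a 4-bit PRESENT-style nibble masked with either a fixed mask M or its bitwise complement, selected by a single random bit; this complementary-mask construction is an assumption for illustration only. The variance check shows that such a scheme equalizes only the first moment of the leakage, which is why higher-degree or collision-style analysis needs the extra entropy the abstract mentions.

```python
# Toy first-moment check for a one-random-bit masking of a 4-bit nibble.
# Construction assumed for illustration (not the paper's exact scheme):
# the mask is M or ~M (4-bit complement), chosen by one random bit r.
NIBBLE_MASK = 0xF
BASE_MASK = 0x6  # constructed constant; any nibble value works


def hw(v):
    """Hamming weight: the leakage model used throughout."""
    return bin(v).count("1")


def mask_nibble(x, r, base=BASE_MASK):
    """Mask sensitive nibble x with base or its complement, per random bit r."""
    m = base ^ (NIBBLE_MASK if r else 0)
    return x ^ m


def leakage_mean(leak_fn, randomness_values):
    """Return {x: mean HW leakage} over uniformly distributed randomness."""
    means = {}
    for x in range(16):
        samples = [hw(leak_fn(x, r)) for r in randomness_values]
        means[x] = sum(samples) / len(samples)
    return means


def leakage_variance(leak_fn, randomness_values):
    """Return {x: variance of HW leakage} over the same randomness."""
    var = {}
    for x in range(16):
        samples = [hw(leak_fn(x, r)) for r in randomness_values]
        mean = sum(samples) / len(samples)
        var[x] = sum((s - mean) ** 2 for s in samples) / len(samples)
    return var


def first_degree_secure(means):
    """First-degree security under HW leakage: the mean must not depend on x."""
    return len(set(means.values())) == 1


# Unmasked: mean leakage is HW(x), so it depends on x and first-order CPA works.
unmasked_mean = leakage_mean(lambda x, r: x, [0])
# One-bit masked: HW(x^M) + HW(x^~M) = 4 for every x, so the mean is always 2.
masked_mean = leakage_mean(mask_nibble, [0, 1])
# The variance is (HW(x^M) - 2)^2, which still depends on x: only first degree.
masked_var = leakage_variance(mask_nibble, [0, 1])
```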
