Higher-Order Masking Schemes for S-Boxes

Masking is a common countermeasure against side-channel attacks. The principle is to randomly split every sensitive intermediate variable occurring in the computation into d+1 shares, where d is called the masking order and plays the role of a security parameter. The main issue while applying masking to protect a block cipher implementation is to design an efficient scheme for the s-box computations. Actually, masking schemes with arbitrary order only exist for Boolean circuits and for the AES s-box. Although any s-box can be represented as a Boolean circuit, applying such a strategy leads to inefficient implementation in software. The design of an efficient and generic higher-order masking scheme was hence until now an open problem. In this paper, we introduce the first masking schemes which can be applied in software to efficiently protect any s-box at any order. We first describe a general masking method and we introduce a new criterion for an s-box that relates to the best efficiency achievable with this method. Then we propose concrete schemes that aim to approach the criterion. Specifically, we give optimal methods for the set of power functions, and we give efficient heuristics for the general case. As an illustration we apply the new schemes to the DES and PRESENT s-boxes and we provide implementation results.

[1]  Vinod Vaikuntanathan,et al.  Protecting Circuits from Leakage: the Computationally-Bounded and Noisy Cases , 2010, EUROCRYPT.

[2]  Stefan Mangard,et al.  Successfully Attacking Masked AES Hardware Implementations , 2005, CHES.

[3]  Louis Goubin,et al.  A Fast and Secure Implementation of Sflash , 2003, Public Key Cryptography.

[4]  L. Goubin,et al.  DES and Differential Power Analysis , 1999 .

[5]  Emmanuel Prouff,et al.  Provably Secure Higher-Order Masking of AES , 2010, IACR Cryptol. ePrint Arch..

[6]  Akashi Satoh,et al.  A Compact Rijndael Hardware Architecture with S-Box Optimization , 2001, ASIACRYPT.

[7]  Seokhie Hong,et al.  A Fast and Provably Secure Higher-Order Masking of AES S-Box , 2011, CHES.

[8]  Christophe Clavier,et al.  Correlation Power Analysis with a Leakage Model , 2004, CHES.

[9]  Ulrich W. Kulisch,et al.  Evaluation of Polynomials , 1995 .

[10]  Joachim von zur Gathen,et al.  Efficient and optimal exponentiation in finite fields , 1991, computational complexity.

[11]  Vincent Rijmen,et al.  Secure Hardware Implementation of Non-linear Functions in the Presence of Glitches , 2009, ICISC.

[12]  Johannes Blömer,et al.  Provably Secure Masking of AES , 2004, IACR Cryptol. ePrint Arch..

[13]  Dan Boneh,et al.  Advances in Cryptology - CRYPTO 2003 , 2003, Lecture Notes in Computer Science.

[14]  Donald Ervin Knuth,et al.  The Art of Computer Programming , 1968 .

[15]  Louis Goubin,et al.  DES and Differential Power Analysis (The "Duplication" Method) , 1999, CHES.

[16]  Thomas S. Messerges,et al.  Using Second-Order Power Analysis to Attack DPA Resistant Software , 2000, CHES.

[17]  Jean-Sébastien Coron,et al.  Side Channel Cryptanalysis of a Higher Order Masking Scheme , 2007, CHES.

[18]  Yvo Desmedt Public Key Cryptography — PKC 2003 , 2002, Lecture Notes in Computer Science.

[19]  Yuval Ishai,et al.  Private Circuits: Securing Hardware against Probing Attacks , 2003, CRYPTO.

[20]  Berk Sunar,et al.  Cryptographic Hardware and Embedded Systems - CHES 2005, 7th International Workshop, Edinburgh, UK, August 29 - September 1, 2005, Proceedings , 2005, CHES.

[21]  G. R. Blakley,et al.  Safeguarding cryptographic keys , 1899, 1979 International Workshop on Managing Requirements Knowledge (MARK).

[22]  Francis Olivier,et al.  Electromagnetic Analysis: Concrete Results , 2001, CHES.

[23]  Christophe Giraud,et al.  An Implementation of DES and AES, Secure against Some Attacks , 2001, CHES.

[24]  Alfred Menezes,et al.  Topics in Cryptology – CT-RSA 2005 , 2005 .

[25]  Tsuyoshi Takagi,et al.  Cryptographic Hardware and Embedded Systems - CHES 2011 - 13th International Workshop, Nara, Japan, September 28 - October 1, 2011. Proceedings , 2011, CHES.

[26]  Andrey Bogdanov,et al.  PRESENT: An Ultra-Lightweight Block Cipher , 2007, CHES.

[27]  Gerhard Goos,et al.  Fast Software Encryption , 2001, Lecture Notes in Computer Science.

[28]  Thomas S. Messerges,et al.  Securing the AES Finalists Against Power Analysis Attacks , 2000, FSE.

[29]  Michaël Quisquater,et al.  Thwarting Higher-Order Side Channel Analysis with Additive and Multiplicative Maskings , 2011, CHES.

[30]  Ingrid Verbauwhede,et al.  Cryptographic Hardware and Embedded Systems - CHES 2007, 9th International Workshop, Vienna, Austria, September 10-13, 2007, Proceedings , 2007, CHES.

[31]  Michael Wiener,et al.  Advances in Cryptology — CRYPTO’ 99 , 1999 .

[32]  Emmanuel Prouff,et al.  Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis , 2008, FSE.

[33]  David Pointcheval Topics in Cryptology - CT-RSA 2006, The Cryptographers' Track at the RSA Conference 2006, San Jose, CA, USA, February 13-17, 2006, Proceedings , 2006, CT-RSA.

[34]  Stefan Mangard,et al.  Cryptographic Hardware and Embedded Systems, CHES 2010, 12th International Workshop, Santa Barbara, CA, USA, August 17-20, 2010. Proceedings , 2010, CHES.

[35]  Aggelos Kiayias,et al.  Polynomial Reconstruction Based Cryptography , 2001, Selected Areas in Cryptography.

[36]  Christof Paar,et al.  Cryptographic Hardware and Embedded Systems - CHES 2006, 8th International Workshop, Yokohama, Japan, October 10-13, 2006, Proceedings , 2006, CHES.

[37]  Emmanuel Prouff,et al.  A Generic Method for Secure SBox Implementation , 2007, WISA.

[38]  Christof Paar,et al.  Higher Order Masking of the AES , 2006, CT-RSA.

[39]  Marc Joye,et al.  Cryptographic Hardware and Embedded Systems - CHES 2004 , 2004, Lecture Notes in Computer Science.

[40]  Siva Sai Yerubandi,et al.  Differential Power Analysis , 2002 .

[41]  Adi Shamir,et al.  How to share a secret , 1979, CACM.

[42]  Michael J. Oudshoorn,et al.  Visualization techniques for various programming paradigms , 1993, Proceedings of TENCON '93. IEEE Region 10 International Conference on Computers, Communications and Automation.

[43]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[44]  David Naccache,et al.  Cryptographic Hardware and Embedded Systems — CHES 2001 , 2001 .

[45]  Pankaj Rohatgi,et al.  Towards Sound Approaches to Counteract Power-Analysis Attacks , 1999, CRYPTO.

[46]  Vincent Rijmen,et al.  Secure Hardware Implementation of Nonlinear Functions in the Presence of Glitches , 2011, Journal of Cryptology.

[47]  Stefan Mangard,et al.  Side-Channel Leakage of Masked CMOS Gates , 2005, CT-RSA.

[48]  Stephen M. Matyas,et al.  The data encryption standard , 1997, Inf. Secur. Tech. Rep..

[49]  Henri Gilbert,et al.  Advances in Cryptology - EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Monaco / French Riviera, May 30 - June 3, 2010. Proceedings , 2010, EUROCRYPT.

[50]  Donald E. Knuth,et al.  Evaluation of polynomials by computer , 1962, Commun. ACM.

[51]  Colin Boyd,et al.  Advances in Cryptology - ASIACRYPT 2001 , 2001 .

[52]  M. D. MacLaren The Art of Computer Programming. Volume 2: Seminumerical Algorithms (Donald E. Knuth) , 1970 .

[53]  Thomas Zefferer,et al.  Evaluation of the Masked Logic Style MDPL on a Prototype Chip , 2007, CHES.