Orthogonal Direct Sum Masking - A Smartcard Friendly Computation Paradigm in a Code, with Builtin Protection against Side-Channel and Fault Attacks

Secure elements, such as smartcards or trusted platform modules (TPMs), must be protected against implementation-level attacks, which include side-channel and fault injection attacks. We introduce ODSM, Orthogonal Direct Sum Masking, a new computation paradigm that achieves protection against both kinds of attack. A large vector space is structured as two supplementary orthogonal subspaces. One subspace (called a code $\mathcal{C}$) is used for the functional computation, while the second subspace carries random numbers. As the random numbers are entangled with the sensitive data, ODSM ensures protection against (monovariate) side-channel attacks. The random numbers can be checked either occasionally or globally, thereby providing a fault detection capability. The security level can be formally stated: it is proved that monovariate side-channel attacks of order up to $d_\mathcal{C}-1$, where $d_\mathcal{C}$ is the minimal distance of $\mathcal{C}$, are impossible, and that any fault of Hamming weight strictly less than $d_\mathcal{C}$ is detected. A complete instantiation of ODSM is given for AES. In this case, all monovariate side-channel attacks of order strictly less than 5 are impossible, and all fault injections perturbing strictly less than 5 bits are detected.
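As an added illustration (example code, not the paper's own implementation), the following Python builds a toy ODSM instance and checks the two claims above by brute force. The binary [8,4,3] code $\mathcal{C}$ with generator $G = [I_4 \mid A]$ is a constructed choice, small enough to enumerate; the mask space is its orthogonal complement $D = \mathcal{C}^\perp$ (generator $H = [A^T \mid I_4]$), the two subspaces are supplementary because $I + AA^T$ is invertible over $\mathbb{F}_2$, and a word is encoded as $z = xG + yH$. The block recovers $x$ and verifies the random part $y$, shows that a linear operation such as AES AddRoundKey acts directly on codewords, lists the error patterns that escape the check (exactly the nonzero codewords of $\mathcal{C}$, so every error of weight below $d_\mathcal{C}$ is caught), and computes the raw moments of the Hamming-weight leakage of $z$ for every $x$: orders 1 and 2 are independent of $x$, order 3 is not, matching the $d_\mathcal{C}-1$ bound. The paper's AES instance uses a larger code with $d_\mathcal{C} = 5$; the parameters here are an assumption for exposition.

```python
"""Toy ODSM (Orthogonal Direct Sum Masking) instance over F_2^8.

Added example, not the paper's code. Vectors are ints (bit j = coordinate j),
matrices are lists of row ints. The [8,4] code C is a constructed choice with
generator G = [I_4 | A]; the paper's AES instance uses a larger code.
"""

N, K = 8, 4
# Constructed 4x4 block A. C = rowspace([I_4 | A]) satisfies C ∩ C^⊥ = {0}
# (I + A·A^T is invertible over F_2), hence C ⊕ C^⊥ = F_2^8.
A_ROWS = [0b1100, 0b0110, 0b0011, 0b1001]


def hw(v: int) -> int:
    """Hamming weight of a bit vector."""
    return bin(v).count("1")


def dot(a: int, b: int) -> int:
    """Inner product over F_2."""
    return hw(a & b) & 1


def vec_mat(v: int, rows: list[int]) -> int:
    """Row vector v times a matrix over F_2 (XOR of the rows selected by v)."""
    out = 0
    for i, row in enumerate(rows):
        if (v >> i) & 1:
            out ^= row
    return out


def transpose(rows: list[int], ncols: int) -> list[int]:
    """Transpose a matrix of row ints having ncols columns."""
    return [sum(((r >> j) & 1) << i for i, r in enumerate(rows)) for j in range(ncols)]


# G = [I | A] generates C; H = [A^T | I] generates D = C^⊥, so G·H^T = 0.
G = [(1 << i) | (A_ROWS[i] << K) for i in range(K)]
H = [transpose(A_ROWS, K)[j] | (1 << (K + j)) for j in range(K)]
assert all(dot(g, h) == 0 for g in G for h in H), "C and D must be orthogonal"


def min_distance(gen: list[int]) -> int:
    """Minimum distance of the code generated by gen (enumerate nonzero codewords)."""
    return min(hw(vec_mat(x, gen)) for x in range(1, 1 << len(gen)))


def encode(x: int, y: int) -> int:
    """ODSM word z = x·G + y·H: data x lives in C, fresh randomness y in D."""
    return vec_mat(x, G) ^ vec_mat(y, H)


# Since C ⊕ D = F_2^N, (x, y) -> z is a bijection; invert it by table lookup.
DECODE = {encode(x, y): (x, y) for x in range(1 << K) for y in range(1 << K)}
assert len(DECODE) == 1 << N, "C and D must be supplementary"


def decode(z: int) -> tuple[int, int]:
    """Split z into its C-component x and D-component y."""
    return DECODE[z]


def check_and_decode(z: int, y_expected: int) -> int:
    """Recover x and verify the random part; any error e ∉ C changes y."""
    x, y = decode(z)
    if y != y_expected:
        raise ValueError("fault detected: random part was altered")
    return x


def masked_xor(z1: int, z2: int) -> int:
    """Linear operations (e.g. AES AddRoundKey) act directly on encoded words."""
    return z1 ^ z2


def undetected_faults() -> list[int]:
    """Nonzero error patterns that pass the check: exactly the codewords of C."""
    return [e for e in range(1, 1 << N) if decode(e)[1] == 0]


def leakage_moment_sums(t: int) -> list[int]:
    """For each x, the exact sum over all y of HW(z)^t (2^K times the t-th raw moment)."""
    return [sum(hw(encode(x, y)) ** t for y in range(1 << K)) for x in range(1 << K)]


if __name__ == "__main__":
    print("d_C =", min_distance(G))
    print("smallest undetected fault weight:", min(hw(e) for e in undetected_faults()))
    for t in (1, 2, 3):
        constant = len(set(leakage_moment_sums(t))) == 1
        print(f"order-{t} HW-leakage moment independent of x: {constant}")
```

The moment test is the mechanism behind the side-channel claim: because $D = \mathcal{C}^\perp$, any set of fewer than $d_\mathcal{C}$ coordinates of the mask $yH$ is uniformly distributed, so every product of fewer than $d_\mathcal{C}$ bits of $z$ has an expectation independent of $x$, and the raw moments of order below $d_\mathcal{C}$ carry no information. The fault test is the dual statement: an error passes the check only if it lies in $\mathcal{C}$, and nonzero codewords have weight at least $d_\mathcal{C}$.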
