论文信息 - Higher-Order Side Channel Security and Mask Refreshing

Higher-Order Side Channel Security and Mask Refreshing

Masking is a widely used countermeasure to protect block cipher implementations against side-channel attacks. The principle is to split every sensitive intermediate variable occurring in the computation into \(d+1\) shares, where \(d\) is called the masking order and plays the role of a security parameter. A masked implementation is then said to achieve \(d\) th-order security if any set of \(d\) (or less) intermediate variables does not reveal key-dependent information. At CHES 2010, Rivain and Prouff have proposed a higher-order masking scheme for AES that works for any arbitrary order \(d\). This scheme, and its subsequent extensions, are based on an improved version of the shared multiplication processing published by Ishai et al. at CRYPTO 2003. This improvement enables better memory/timing performances but its security relies on the refreshing of the masks at some points in the algorithm. In this paper, we show that the method proposed at CHES 2010 to do such mask refreshing introduces a security flaw in the overall masking scheme. Specifically, we show that it is vulnerable to an attack of order \(\lceil d/2 \rceil +1\) whereas the scheme is supposed to achieve \(d\) th-order security. After exhibiting and analyzing the flaw, we propose a new solution which avoids the use of mask refreshing, and we prove its security. We also provide some implementation trick that makes our proposed solution, not only secure, but also faster than the original scheme.

[1] Claude Carlet,et al. Higher-Order Masking Schemes for S-Boxes , 2012, FSE.

[2] Bart Preneel,et al. Revisiting Higher-Order DPA Attacks: Multivariate Mutual Information Analysis. , 2009 .

[3] Yuval Ishai,et al. Private Circuits: Securing Hardware against Probing Attacks , 2003, CRYPTO.

[4] Akashi Satoh,et al. A Compact Rijndael Hardware Architecture with S-Box Optimization , 2001, ASIACRYPT.

[5] Vincent Rijmen,et al. The Design of Rijndael , 2002, Information Security and Cryptography.

[6] Emmanuel Prouff,et al. Provably Secure Higher-Order Masking of AES , 2010, IACR Cryptol. ePrint Arch..

[7] Seokhie Hong,et al. A Fast and Provably Secure Higher-Order Masking of AES S-Box , 2011, CHES.

[8] Paul C. Kocher,et al. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[9] Siva Sai Yerubandi,et al. Differential Power Analysis , 2002 .

[10] Pankaj Rohatgi,et al. Towards Sound Approaches to Counteract Power-Analysis Attacks , 1999, CRYPTO.

[11] Emmanuel Prouff,et al. Statistical Analysis of Second Order Differential Power Analysis , 2009, IEEE Transactions on Computers.

[12] Moti Yung,et al. A Unified Framework for the Analysis of Side-Channel Key Recovery Attacks (extended version) , 2009, IACR Cryptol. ePrint Arch..