Reconciling d+1 Masking in Hardware and Software

The continually growing number of security-related autonomous devices requires efficient mechanisms to counteract low-cost side-channel analysis (SCA) attacks. Masking provides high resistance against SCA at an adjustable level of security. A high level of SCA resistance, however, goes hand in hand with an increasing demand for fresh randomness, which drastically increases the implementation costs. Since hardware-based masking schemes have different security requirements from software masking schemes, research in these two fields has been conducted largely independently over the last ten years. One important practical difference is that recently published software schemes achieve a lower randomness footprint than hardware masking schemes. In this work, we combine existing software and hardware masking schemes into a unified masking algorithm. We demonstrate how to protect software and hardware implementations using the same masking algorithm, and at lower randomness cost than the separate schemes. Especially for hardware implementations, the randomness costs can in some cases be halved compared to the state of the art. Theoretical considerations as well as practical implementation results are then used for a comparison with existing schemes from different perspectives and at different levels of security.
