Second-Order Masked Lookup Table Compression Scheme

Masking by lookup table randomisation is a well-known technique for achieving side-channel attack resistance in software implementations, particularly against DPA attacks. The randomised table technique for first- and second-order security requires about m·2^n bits of RAM to store an (n, m)-bit masked S-box lookup table. Table compression reduces the amount of memory required, which is useful for highly resource-constrained IoT devices. Recently, Vadnala (CT-RSA 2017) proposed a randomised table compression scheme for first- and second-order security in the probing leakage model. This scheme reduces the RAM required by about a factor of 2^l, where l is a compression parameter. Vivek (Indocrypt 2017) demonstrated an attack against the second-order scheme of Vadnala. Hence achieving table compression at second and higher orders is an open problem. In this work, we propose a second-order secure randomised table compression scheme that works for any (n, m)-bit S-box. Our proposal is a variant of Vadnala's scheme that is not only secure but also significantly improves the time-memory trade-off: specifically, we improve the online execution time by a factor of 2^(n−l). The proposed scheme is proved 2-SNI secure in the probing leakage model. We have implemented our method for AES-128 on a 32-bit ARM Cortex processor, and are able to reduce the memory required to store a randomised S-box table for a second-order AES-128 implementation to 59 bytes.
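The abstract builds on the uncompressed randomised-table technique, so it helps to see that baseline concretely. The following Python is an added illustration written for this page, not code from the paper or from Vadnala's scheme: it builds the classic first-order randomised table T'[x'] = S(x' ⊕ r_in) ⊕ r_out, counts its RAM cost as m·2^n bits, exhaustively checks correctness, and then shows why this construction is first-order secure but gives no second-order guarantee (the very gap the compression schemes at second order must close). The 4-bit PRESENT S-box is used as a constructed sample input because it is small enough to enumerate all masks; the function names are the author's own choices.

```python
import secrets
from collections import Counter

# Constructed sample S-box: the 4-bit PRESENT S-box (n = m = 4), small enough to
# enumerate every mask. The same functions apply to AES (n = m = 8) given its table.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def table_bits(n: int, m: int) -> int:
    """RAM needed for one uncompressed randomised (n, m)-bit table: 2^n entries of m bits."""
    return m * (1 << n)


def randomised_table(sbox, n, m, r_in, r_out):
    """First-order randomised table T'[x'] = S(x' ^ r_in) ^ r_out.

    Indexing T' with the masked input x' = x ^ r_in yields S(x) ^ r_out, so neither
    the table build nor the lookup ever handles the unmasked x or S(x)."""
    if len(sbox) != 1 << n:
        raise ValueError("S-box size does not match n")
    out_mask = (1 << m) - 1
    return [(sbox[xp ^ r_in] ^ r_out) & out_mask for xp in range(1 << n)]


def masked_lookup(sbox, n, m, x_masked, r_in):
    """One protected S-box evaluation: draw a fresh output mask, rebuild the table
    (the RAM cost the abstract counts) and return the masked output with its mask."""
    r_out = secrets.randbelow(1 << m)
    table = randomised_table(sbox, n, m, r_in, r_out)
    return table[x_masked], r_out


def masked_pipeline_is_correct(sbox, n, m):
    """Exhaustively check S(x) == T'[x ^ r_in] ^ r_out for every x, r_in and r_out."""
    for r_in in range(1 << n):
        for r_out in range(1 << m):
            table = randomised_table(sbox, n, m, r_in, r_out)
            for x in range(1 << n):
                if table[x ^ r_in] ^ r_out != sbox[x]:
                    return False
    return True


def single_probe_distributions(sbox, n, m, x):
    """For a fixed secret x, tabulate each individually observable intermediate over all
    (r_in, r_out). First-order security means every one of these is independent of x."""
    probes = {"x_masked": Counter(), "r_in": Counter(),
              "r_out": Counter(), "y_masked": Counter()}
    for r_in in range(1 << n):
        for r_out in range(1 << m):
            table = randomised_table(sbox, n, m, r_in, r_out)
            xm = x ^ r_in
            probes["x_masked"][xm] += 1
            probes["r_in"][r_in] += 1
            probes["r_out"][r_out] += 1
            probes["y_masked"][table[xm]] += 1
    return probes


def joint_probe_distribution(n, x):
    """The pair (x_masked, r_in) observed together over all r_in. This joint distribution
    does depend on x, which is why a single-mask table is only first-order secure and a
    second-order scheme must add independent masks (and, for compression, keep them secure)."""
    return Counter((x ^ r_in, r_in) for r_in in range(1 << n))


if __name__ == "__main__":
    print("AES-128 uncompressed randomised S-box:", table_bits(8, 8) // 8, "bytes")
    print("PRESENT pipeline correct:", masked_pipeline_is_correct(PRESENT_SBOX, 4, 4))
    r_in = secrets.randbelow(16)
    y_masked, r_out = masked_lookup(PRESENT_SBOX, 4, 4, 0x9 ^ r_in, r_in)
    print("S(0x9) recovered:", hex(y_masked ^ r_out), "==", hex(PRESENT_SBOX[0x9]))
```

For AES (n = m = 8) `table_bits` gives 2048 bits, i.e. the 256-byte table that the abstract's m·2^n figure refers to; the paper's contribution is shrinking the second-order version of such a table to 59 bytes while keeping the single- and two-probe distributions independent of the secret, which `single_probe_distributions` and `joint_probe_distribution` let you check for any candidate construction on a small S-box.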

[1] Srinivas Vivek. Revisiting a Masked Lookup-Table Compression Scheme. INDOCRYPT, 2017.

[2] Emmanuel Prouff et al. Masking against Side-Channel Attacks: A Formal Security Proof. EUROCRYPT, 2013.

[3] Claude Carlet et al. Higher-Order Masking Schemes for S-Boxes. FSE, 2012.

[4] Jorge Luis Villar et al. On proper secrets, (t, k)-bases and linear codes. Des. Codes Cryptogr., 2009.

[5] Srinivas Vivek et al. Generalized Polynomial Decomposition for S-boxes with Application to Side-Channel Countermeasures. CHES, 2017.

[6] Pankaj Rohatgi et al. Towards Sound Approaches to Counteract Power-Analysis Attacks. CRYPTO, 1999.

[7] Pankaj Rohatgi et al. Partitioning attacks: or how to rapidly clone some GSM cards. Proceedings 2002 IEEE Symposium on Security and Privacy, 2002.

[8] Gerhard Goos et al. Advances in Cryptology — CRYPTO '99. Lecture Notes in Computer Science, 1999.

[9] Emmanuel Prouff et al. Provably Secure Higher-Order Masking of AES. IACR Cryptol. ePrint Arch., 2010.

[10] Claude Carlet et al. Algebraic Decomposition for Probing Security. CRYPTO, 2015.

[11] Sonia Belaïd et al. Tight Private Circuits: Achieving Probing Security with the Least Refreshing. IACR Cryptol. ePrint Arch., 2018.

[12] Siva Sai Yerubandi et al. Differential Power Analysis. 2002.

[13] Chester Rebeiro et al. Bitslice Implementation of AES. CANS, 2006.

[14] Christof Paar et al. Higher Order Masking of the AES. CT-RSA, 2006.

[15] Paul C. Kocher et al. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. CRYPTO, 1996.

[16] Benjamin Grégoire et al. Strong Non-Interference and Type-Directed Higher-Order Masking. CCS, 2016.

[17] Benjamin Grégoire et al. Verified Proofs of Higher-Order Masking. EUROCRYPT, 2015.

[18] Naofumi Homma et al. Cryptographic Hardware and Embedded Systems – CHES 2017. Lecture Notes in Computer Science, 2017.

[19] Praveen Kumar Vadnala. Time-Memory Trade-Offs for Side-Channel Resistant Implementations of Block Ciphers. CT-RSA, 2017.

[20] Yuval Ishai et al. Private Circuits: Securing Hardware against Probing Attacks. CRYPTO, 2003.

[21] Jean-Sébastien Coron et al. Formal Verification of Side-channel Countermeasures via Elementary Circuit Transformations. IACR Cryptol. ePrint Arch., 2018.

[22] Srinivas Vivek et al. Fast evaluation of polynomials over binary finite fields and application to side-channel countermeasures. Journal of Cryptographic Engineering, 2014.

[23] Zhipeng Guo et al. Table Recomputation-Based Higher-Order Masking Against Horizontal Attacks. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 2020.

[24] Andrey Bogdanov et al. PRESENT: An Ultra-Lightweight Block Cipher. CHES, 2007.

[25] Rina Zeitoun et al. Side-channel Masking with Pseudo-Random Generator. IACR Cryptol. ePrint Arch., 2020.

[26] François-Xavier Standaert et al. Very High Order Masking: Efficient Implementation and Security Evaluation. IACR Cryptol. ePrint Arch., 2017.

[27] Jean-Sébastien Coron et al. Higher Order Masking of Look-up Tables. IACR Cryptol. ePrint Arch., 2014.

[28] Rafail Ostrovsky et al. Robust Pseudorandom Generators. ICALP, 2013.

[29] Jean-Sébastien Coron et al. High Order Masking of Look-up Tables with Common Shares. IACR Trans. Cryptogr. Hardw. Embed. Syst., 2018.

[30] Emmanuel Prouff et al. Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis. FSE, 2008.