Affine Equivalence and Its Application to Tightening Threshold Implementations

Motivated by the development of Side-Channel Analysis SCA countermeasures which can provide security upi¾?to a certain order, defeating higher-order attacks has become amongst the most challenging issues. For instance, Threshold Implementation TI which nicely solves the problem of glitches in masked hardware designs is able to avoid first-order leakages. Hence, its extension to higher orders aims at counteracting SCA attacks at higher orders, that might be limited to univariate scenarios. Although with respect to the number of traces as well as sensitivity to noise the higher the order, the harder it is to mount the attack, a d-order TI design is vulnerable to an attack at order $$d+1$$d+1. In this work we look at the feasibility of higher-order attacks on first-order TI from another perspective. Instead of increasing the order of resistance by employing higher-order TIs, we go toward introducing structured randomness into the implementation. Our construction, which is a combination of masking and hiding, is dedicated to TI designs and deals with the concept of "affine equivalence" of Boolean functions. Such a combination hardens a design practically against higher-order attacks so that these attacks cannot be successfully mounted. We show that the area overhead of our construction is paid off by its ability to avoid higher-order leakages to be practically exploitable.

[1]  Paul C. Kocher,et al.  Differential Power Analysis , 1999, CRYPTO.

[2]  Pankaj Rohatgi,et al.  Partitioning attacks: or how to rapidly clone some GSM cards , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[3]  Vincent Rijmen,et al.  Threshold Implementations of all 3x3 and 4x4 S-boxes , 2012, IACR Cryptol. ePrint Arch..

[4]  Oscar Reparaz A note on the security of Higher-Order Threshold Implementations , 2015, IACR Cryptol. ePrint Arch..

[5]  Stefan Mangard,et al.  Power analysis attacks - revealing the secrets of smart cards , 2007 .

[6]  Akashi Satoh,et al.  Side-channel Attack user reference architecture board SAKURA-W for security evaluation of IC card , 2015, 2015 IEEE 4th Global Conference on Consumer Electronics (GCCE).

[7]  Amir Moradi,et al.  Side-Channel Resistant Crypto for Less than 2,300 GE , 2011, Journal of Cryptology.

[8]  P. Rohatgi,et al.  A testing methodology for side channel resistance , 2011 .

[9]  Pankaj Rohatgi,et al.  Towards Sound Approaches to Counteract Power-Analysis Attacks , 1999, CRYPTO.

[10]  Vincent Rijmen,et al.  Secure Hardware Implementation of Nonlinear Functions in the Presence of Glitches , 2011, Journal of Cryptology.

[11]  Christof Paar,et al.  Pushing the Limits: A Very Compact and a Threshold Implementation of AES , 2011, EUROCRYPT.

[12]  Vincent Rijmen,et al.  Higher-Order Threshold Implementations , 2014, ASIACRYPT.

[13]  V. Neelima,et al.  A More Efficient AES Threshold Implementation , 2016 .

[14]  Alex Biryukov,et al.  A Toolbox for Cryptanalysis: Linear and Affine Equivalence Algorithms , 2003, EUROCRYPT.

[15]  Andrey Bogdanov,et al.  PRESENT: An Ultra-Lightweight Block Cipher , 2007, CHES.

[16]  Jean-Jacques Quisquater,et al.  On the Need of Physical Security for Small Embedded Devices: A Case Study with COMP128-1 Implementations in SIM Cards , 2013, Financial Cryptography.

[17]  Vincent Rijmen,et al.  Threshold implementations of small S-boxes , 2014, Cryptography and Communications.

[18]  Christof Paar,et al.  On the Power of Power Analysis in the Real World: A Complete Break of the KeeLoqCode Hopping Scheme , 2008, CRYPTO.

[19]  Amir Moradi,et al.  Assessment of Hiding the Higher-Order Leakages in Hardware - What Are the Achievements Versus Overheads? , 2015, CHES.

[20]  Amir Moradi,et al.  Leakage Assessment Methodology - A Clear Roadmap for Side-Channel Evaluations , 2015, CHES.