Leakage squeezing: Optimal implementation and security evaluation

Abstract. Hardware devices can be protected against side-channel attacks by introducing one random mask per sensitive variable. The computation is unaltered throughout if the two shares (the masked variable and the mask) are processed concomitantly, in two distinct registers. Nonetheless, this setup can still be attacked if the side-channel trace is squared, because this operation causes an interference between the leakages of the two shares. This more sophisticated analysis is referred to as a zero-offset second-order correlation power analysis (CPA) attack. When the device leaks in Hamming distance, the countermeasure can be improved by "leakage squeezing". It consists in manipulating the mask through a bijection, aimed at reducing the dependency between the shares' leakages. Thus $d$th-order zero-offset attacks, which consist in applying CPA to the $d$th power of the centered side-channel traces, can be thwarted for $d \ge 2$ at no extra cost. We denote by $n$ the size in bits of the shares and call $F$ the transformation function, that is, a bijection of $\mathbb{F}_2^n$. In this paper, we explore the functions $F$ that thwart zero-offset high-order CPA (HO-CPA) of maximal order $d$. We mathematically demonstrate that optimal choices for $F$ relate to optimal binary codes (in the sense of communication theory). First, we exhibit optimal linear $F$ functions. They are suitable for masking schemes where only one mask is used throughout the algorithm. Second, we note that for values of $n$ for which non-linear codes exist with better parameters than linear ones, better protection levels can be obtained. This applies to implementations in which each mask is drawn at random independently of the previous ones. These results are exemplified in the case $n = 8$, where the optimal $F$ can be identified: it is derived from the optimal rate-$1/2$ binary code of length $2n = 16$, namely the Nordstrom–Robinson $(16, 256, 6)$ code.
This example explicitly provides the optimal protection, limited to one mask, for byte-oriented algorithms such as AES or AES-based SHA-3 candidates. It protects against all zero-offset HO-CPA attacks of order $d \le 5$. Finally, the countermeasure is shown to be resilient to imperfect leakage models, where the registers leak differently than the sum of their toggling bits.
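The following is an added worked example, not code from the paper or its authors, that checks the abstract's central claim exhaustively on a toy instance: the order at which a zero-offset HO-CPA first obtains a signal is governed by the dual distance of the binary code $\{(m, F(m))\}$. It assumes $n = 4$ (instead of the paper's $n = 8$), a noise-free Hamming-weight leakage of the two registers holding $x \oplus m$ and $F(m)$, and a linear $F$ given by the matrix $A = J - I$ over $\mathbb{F}_2$, whose graph code is the self-dual $[8,4,4]$ extended Hamming code; that choice of code, and all function names (`min_attack_order`, `dual_distance`, ...), are the example's own. Plain masking ($F$ the identity) is evaluated alongside for comparison.

```python
# Added example, not code from the paper: exhaustive (noise-free) check, at n = 4,
# that the lowest order at which zero-offset HO-CPA sees a signal equals the
# dual distance of the binary code {(m, F(m))}.

N = 4  # share width in bits (the paper's n); 4 keeps exhaustive enumeration tiny


def hw(v: int) -> int:
    """Hamming weight of a non-negative integer."""
    return bin(v).count("1")


def gf2_matvec(rows, v: int) -> int:
    """Binary matrix times bit-vector over F_2: row i is a bit mask, output bit i = parity(row_i AND v)."""
    out = 0
    for i, row in enumerate(rows):
        out |= (hw(row & v) & 1) << i
    return out


# Candidate transformations F of the mask (both are bijections of F_2^4).
def F_identity(m: int) -> int:
    """Plain Boolean masking: the registers hold x ^ m and m."""
    return m


# A = J - I (all-ones minus identity) over F_2 is an involution, hence invertible.
# The graph code {(m, A m)} has generator [I | A]: the self-dual [8,4,4] extended
# Hamming code (this example's own choice, picked because its dual distance is 4).
A_EXT_HAMMING = [0b1110, 0b1101, 0b1011, 0b0111]


def F_squeeze(m: int) -> int:
    """Leakage-squeezed mask: the registers hold x ^ m and A m."""
    return gf2_matvec(A_EXT_HAMMING, m)


def graph_code(F):
    """The length-2n code {(m, F(m))}, each word as a 2n-bit integer with m in the low n bits."""
    return [m | (F(m) << N) for m in range(1 << N)]


def dual_distance(code):
    """Minimum weight of a nonzero vector orthogonal (mod 2) to every codeword.
    For the linear codes used here this is the minimum distance of the dual code."""
    best = 2 * N + 1
    for u in range(1, 1 << (2 * N)):
        if all(hw(u & c) % 2 == 0 for c in code):
            best = min(best, hw(u))
    return best


def leakage(x: int, m: int, F) -> int:
    """Noise-free Hamming-weight leakage of the two registers (x ^ m) and F(m)."""
    return hw(x ^ m) + hw(F(m))


def conditional_central_moments(F, d: int):
    """E_m[(L - E[L])^d] for each sensitive value x, with the mask m uniform over F_2^n.
    Zero-offset d-th order CPA correlates the d-th power of the centered trace with a
    model of x, so it can only succeed if this quantity varies with x."""
    masks = range(1 << N)
    grand_mean = sum(leakage(x, m, F) for x in range(1 << N) for m in masks) / (1 << (2 * N))
    return [sum((leakage(x, m, F) - grand_mean) ** d for m in masks) / (1 << N)
            for x in range(1 << N)]


def min_attack_order(F, max_d: int = 2 * N):
    """Smallest d for which the conditional d-th central moment depends on x,
    i.e. the lowest order at which a zero-offset HO-CPA has any signal to exploit."""
    for d in range(1, max_d + 1):
        mom = conditional_central_moments(F, d)
        if max(mom) - min(mom) > 1e-9:
            return d
    return None


if __name__ == "__main__":
    for name, F in (("identity", F_identity), ("squeezed", F_squeeze)):
        print(f"{name:9s} dual distance of {{(m,F(m))}} = {dual_distance(graph_code(F))}, "
              f"first exploitable order d = {min_attack_order(F)}")
```

Run stand-alone, the script reports for plain masking a dual distance of 2 and a first exploitable order of 2 (the zero-offset second-order CPA the abstract describes: the variance of the trace depends on $x$), and for the squeezed mask a dual distance of 4 and a first exploitable order of 4, so orders 1 to 3 are thwarted at no extra cost. Protection up to dual distance minus one is the same relation that yields $d \le 5$ from the distance-6 Nordstrom–Robinson code at $n = 8$. Under a Hamming-distance model with fresh masks, the squeezed register's transition is $F(m) \oplus F(m') = F(m \oplus m')$ for linear $F$, so the same computation applies to the XOR-differences; that identity fails for non-linear $F$.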
