Chapter

Cryptographic Hardware and Embedded Systems - CHES 2013

Volume 8086 of the series Lecture Notes in Computer Science pp 400-416

Masking vs. Multiparty Computation: How Large Is the Gap for AES?

  • Vincent GrossoAffiliated withICTEAM/ELEN/Crypto Group, Université catholique de Louvain
  • , François-Xavier StandaertAffiliated withICTEAM/ELEN/Crypto Group, Université catholique de Louvain
  • , Sebastian FaustAffiliated withEcole Polytechnique Fédérale de Lausanne

* Final gross prices may vary according to local VAT.

Get Access

Abstract

In this paper, we evaluate the performances of state-of-the-art higher-order masking schemes for the AES. Doing so, we pay a particular attention to the comparison between specialized solutions introduced exclusively as countermeasures against side-channel analysis, and a recent proposal by Roche and Prouff exploiting MultiParty Computation (MPC) techniques. We show that the additional security features this latter scheme provides (e.g. its glitch-freeness) comes at the cost of large performance overheads. We then study how exploiting standard optimization techniques from the MPC literature can be used to reduce this gap. In particular, we show that “packed secret sharing” based on a modified multiplication algorithm can speed up MPC-based masking when the order of the masking scheme increases. Eventually, we discuss the randomness requirements of masked implementations. For this purpose, we first show with information theoretic arguments that the security guarantees of masking are only preserved if this randomness is uniform, and analyze the consequences of a deviation from this requirement. We then conclude the paper by including the cost of randomness generation in our performance evaluations. These results should help actual designers to choose a masking scheme based on security and performance constraints.