Polynomial direct sum masking to protect against both SCA and FIA

  • Claude Carlet
  • Abderrahman Daif
  • Sylvain Guilley
  • Cédric Tavernier
Regular Paper


Side-channel attacks (SCAs) and fault injection attacks (FIAs) give an opponent partial access to the internal behavior of the hardware. Since the end of the 1990s, many works have shown that these attacks are a serious threat to cryptosystems implemented in embedded devices. Several countermeasures exist in the state of the art to protect symmetric encryption (especially AES-128), but most of them protect against only one of the two attacks (SCA or FIA). A method called ODSM (orthogonal direct sum masking) has been proposed to withstand both SCA and FIA, but applying it to the whole algorithm is a big open problem when no particular hardware protection is possible. In the present paper, we propose a practical masking scheme that instantiates ODSM and makes it possible to protect symmetric encryption against both attacks.
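To make the direct sum masking principle concrete, the following is an added toy implementation (not code from the paper): data is encoded in an LCD code C, the mask in its orthogonal complement D = C^perp, and a fault on the shared word is detected whenever it changes the recovered mask. The code C = [3,1,3] repetition code used at the bottom is a constructed example; the class, function names and the GF(2) helpers are my own.

```python
from itertools import product

# Added illustration of orthogonal direct sum masking (ODSM) over GF(2).
# Shared word: z = x*G + m*H with C = <G>, D = <H> = C^perp and C + D = GF(2)^n.
# Since C ∩ C^perp = {0} (C is LCD), x and m are recovered by projecting z onto
# C and D; a fault e on z goes undetected only if e is a nonzero codeword of C.

def dot(u, v):
    return sum(a & b for a, b in zip(u, v)) & 1

def mat_mul(A, B):
    """Product of bit matrices A (r x s) and B (s x t) over GF(2)."""
    Bt = list(zip(*B))
    return [[dot(row, col) for col in Bt] for row in A]

def inv_gf2(M):
    """Invert a square GF(2) matrix by Gauss-Jordan; None if singular."""
    n = len(M)
    A = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        p = next((r for r in range(c, n) if A[r][c]), None)
        if p is None:
            return None
        A[c], A[p] = A[p], A[c]
        for r in range(n):
            if r != c and A[r][c]:
                A[r] = [a ^ b for a, b in zip(A[r], A[c])]
    return [row[n:] for row in A]

class ODSM:
    def __init__(self, G, H):
        # Projection onto C along D is z -> z G^T (G G^T)^-1; G G^T is invertible
        # exactly when C is LCD, which is the ODSM requirement.  Same for H and D.
        Gt, Ht = [list(c) for c in zip(*G)], [list(c) for c in zip(*H)]
        self.G, self.H = G, H
        self.PG = mat_mul(Gt, inv_gf2(mat_mul(G, Gt)))
        self.PH = mat_mul(Ht, inv_gf2(mat_mul(H, Ht)))

    def encode(self, x, m):
        return [a ^ b for a, b in zip(mat_mul([x], self.G)[0], mat_mul([m], self.H)[0])]

    def decode(self, z, m):
        """Return (data, fault_detected); the recovered mask must equal m."""
        x = mat_mul([z], self.PG)[0]
        m_seen = mat_mul([z], self.PH)[0]
        return x, m_seen != m

def undetected_faults(scheme, n):
    """All nonzero error patterns whose projection onto D is zero, i.e. e in C."""
    return [list(e) for e in product((0, 1), repeat=n)
            if any(e) and not any(mat_mul([list(e)], scheme.PH)[0])]

# Constructed example: C = [3,1,3] repetition code (LCD), D = C^perp = even-weight code.
REP3 = ODSM(G=[[1, 1, 1]], H=[[1, 1, 0], [1, 0, 1]])
```

With REP3 every single- or double-bit fault on the 3-bit shared word is caught by the mask check; only the all-ones pattern (the nonzero codeword of C) slips through, which is why the real scheme uses codes with large minimum distance.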


Keywords: Masking countermeasure; Error correcting codes; Side-channel attack; Fault injection attack; AES



Copyright information

© Springer-Verlag GmbH Germany, part of Springer Nature 2018

Authors and Affiliations

  1. LAGA, Department of Mathematics, University of Paris 8, Saint-Denis cedex 02, France
  2. University of Bergen, Bergen, Norway
  3. BU connect, Assystem E&OS, Montigny-le-Bretonneux, France
  4. TELECOM-ParisTech, Crypto Group, Paris Cedex 13, France
  5. Secure-IC S.A.S., Rennes, France
  6. École Normale Supérieure, Paris, France
