Orthogonal Direct Sum Masking

A Smartcard Friendly Computation Paradigm in a Code, with Builtin Protection against Side-Channel and Fault Attacks
  • Julien Bringer
  • Claude Carlet
  • Hervé Chabanne
  • Sylvain Guilley
  • Houssem Maghrebi
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8501)


Secure elements, such as smartcards or trusted platform modules (TPMs), must be protected against implementation-level attacks. Those include side-channel and fault injection attacks. We introduce ODSM, Orthogonal Direct Sum Masking, a new computation paradigm that achieves protection against those two kinds of attacks. A large vector space is structured as two supplementary orthogonal subspaces. One subspace (called a code \(\mathcal{C}\)) is used for the functional computation, while the second subspace carries random numbers. As the random numbers are entangled with the sensitive data, ODSM ensures a protection against (monovariate) side-channel attacks. The random numbers can be checked either occasionally, or globally, thereby ensuring a detection capability. The security level can be formally detailed: it is proved that monovariate side-channel attacks of order up to \(d_\mathcal{C}-1\), where \(d_\mathcal{C}\) is the minimal distance of \(\mathcal{C}\), are impossible, and that any fault of Hamming weight strictly less than \(d_\mathcal{C}\) is detected. A complete instantiation of ODSM is given for AES. In this case, all monovariate side-channel attacks of order strictly less than 5 are impossible, and all fault injections perturbing strictly less than 5 bits are detected.
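A toy instance of the direct-sum structure described above, added here as an illustration and not code from the paper: a small [8,4,3] LCD code C and its dual D = C^perp are supplementary, a word is encoded as data.G + mask.H, decoding projects back onto each subspace, and the mask check catches every fault of weight below d_C (a fault slips through only if it lies in C, which forces weight at least d_C). The code, the sample data and the mask values are constructed; the paper's [16,8,5] AES instance is not reproduced.

```python
# Toy ODSM instance over GF(2)^8 (constructed; not the paper's [16,8,5] AES code): C is an [8,4,3]
# LCD code with generator G, D = C^perp has generator H, C meets D only in 0. Ints are bit vectors.
from itertools import combinations

N, K = 8, 4
G = [0x31, 0x62, 0xC4, 0x98]   # [I | A], A = circulant(1,1,0,0); G.G^T is invertible over GF(2)
H = [0x19, 0x23, 0x46, 0x8C]   # [A^T | I]: each row is orthogonal to each row of G

def vecmat(v, M):
    """Row vector v times matrix M over GF(2): XOR of the rows of M selected by the bits of v."""
    out = 0
    for i, row in enumerate(M):
        out ^= row if (v >> i) & 1 else 0
    return out

def gf2_inverse(M, n):
    """Gauss-Jordan inverse of an invertible n x n matrix over GF(2) (rows as ints)."""
    rows = [M[i] | (1 << (n + i)) for i in range(n)]   # augment with I_n
    for col in range(n):
        piv = next(r for r in range(col, n) if (rows[r] >> col) & 1)
        rows[col], rows[piv] = rows[piv], rows[col]
        for r in range(n):
            if r != col and (rows[r] >> col) & 1:
                rows[r] ^= rows[col]
    return [r >> n for r in rows]

B_INV = gf2_inverse(G + H, N)   # inverse of the basis [G; H] of GF(2)^8; exists iff C is LCD

def encode(x, y):
    """Masked word z = x.G + y.H (x: 4-bit data carried by C, y: 4-bit random mask carried by D)."""
    return vecmat(x, G) ^ vecmat(y, H)

def decode(z):
    """Project z on C along D and on D along C; returns (x, y)."""
    w = vecmat(z, B_INV)
    return w & ((1 << K) - 1), w >> K

def min_distance():
    return min(bin(vecmat(x, G)).count("1") for x in range(1, 1 << K))

def undetected_faults(max_weight):
    """Faults e with 1 <= wt(e) <= max_weight that leave the recovered mask unchanged.
    decode is linear, so e slips past the mask check iff e lies in C, i.e. iff wt(e) >= d_C."""
    x, y, missed = 0xA, 0x5, []                        # constructed sample data and mask
    for w in range(1, max_weight + 1):
        for bits in combinations(range(N), w):
            e = sum(1 << b for b in bits)
            if decode(encode(x, y) ^ e)[1] == y:       # ODSM mask check passes: fault missed
                missed.append(e)
    return missed
```

With d_C = 3 here, `undetected_faults(2)` is empty and `undetected_faults(3)` returns exactly the weight-3 codewords, mirroring the abstract's claim that faults of weight strictly less than d_C are always detected.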


Keywords: Masking countermeasure, trans-masking, fault detection, orthogonal supplementary spaces, linear codes, minimal and dual distances, AES



Copyright information

© IFIP International Federation for Information Processing 2014

Authors and Affiliations

  • Julien Bringer (1)
  • Claude Carlet (2)
  • Hervé Chabanne (1, 3)
  • Sylvain Guilley (3, 4)
  • Houssem Maghrebi (1)
  1. Morpho, Osny, France
  2. LAGA, UMR 7539, CNRS, Department of Mathematics, University of Paris XIII and University of Paris VIII, Saint-Denis Cedex, France
  3. Crypto Group, Institut Mines Télécom, Paris Cedex 13, France
  4. Secure-IC S.A.S., Rennes, France
