Orthogonal Direct Sum Masking

A Smartcard Friendly Computation Paradigm in a Code, with Builtin Protection against Side-Channel and Fault Attacks
  • Julien Bringer
  • Claude Carlet
  • Hervé Chabanne
  • Sylvain Guilley
  • Houssem Maghrebi
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8501)

Abstract

Secure elements, such as smartcards or trusted platform modules (TPMs), must be protected against implementation-level attacks, which include side-channel and fault injection attacks. We introduce ODSM, Orthogonal Direct Sum Masking, a new computation paradigm that protects against both kinds of attacks. A large vector space is structured as two supplementary orthogonal subspaces. One subspace (called a code \(\mathcal{C}\)) is used for the functional computation, while the second subspace carries random numbers. As the random numbers are entangled with the sensitive data, ODSM ensures protection against (monovariate) side-channel attacks. The random numbers can be checked either occasionally or globally, thereby providing a fault detection capability. The security level can be stated formally: it is proved that monovariate side-channel attacks of order up to \(d_\mathcal{C}-1\), where \(d_\mathcal{C}\) is the minimal distance of \(\mathcal{C}\), are impossible, and that any fault of Hamming weight strictly less than \(d_\mathcal{C}\) is detected. A complete instantiation of ODSM is given for AES. In this case, all monovariate side-channel attacks of order strictly less than 5 are impossible, and all fault injections perturbing strictly less than 5 bits are detected.
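As an added example (not the paper's own code, and not its AES instantiation), the following Python script builds a toy ODSM instance from a constructed [7,3,3] code \(\mathcal{C}\) and its dual \(\mathcal{D} = \mathcal{C}^\perp\), and checks the two properties stated in the abstract on that instance: every fault of Hamming weight below \(d_\mathcal{C}\) is detected through the mask subspace, and the moments of Hamming-weight leakage of order below \(d_\mathcal{C}\) do not depend on the data. All names and the generator matrix are assumptions of this example.

```python
"""Toy ODSM instance over F_2^7 (added example, not the paper's code).
C is a hand-picked [7,3,3] code with C ∩ C^perp = {0}, so F_2^7 = C ⊕ D
for D = C^perp. Words are ints, one bit per coordinate."""
from functools import reduce
from operator import xor

N, K = 7, 3
# Generator rows of C, form [I_3 | A]; G.G^T = I_3, so C meets its dual only in 0.
GEN_C = [0b1001111, 0b0101100, 0b0010011]

def popcount(x: int) -> int:
    return bin(x).count("1")
def encode(x: int) -> int:
    """K information bits -> codeword of C (F_2-linear combination of GEN_C)."""
    return reduce(xor, (g for i, g in enumerate(GEN_C) if x >> i & 1), 0)

DECODE = {encode(x): x for x in range(1 << K)}    # codeword -> information bits
C = set(DECODE)                                   # functional subspace
D = {w for w in range(1 << N)                     # mask subspace D = C^perp
     if all(popcount(w & g) % 2 == 0 for g in GEN_C)}
D_MIN = min(popcount(c) for c in C if c)          # minimal distance d_C
DECOMP = {c ^ d: (c, d) for c in C for d in D}    # unique split z = c + d
assert C & D == {0} and len(DECOMP) == 1 << N, "C and D must be supplementary"

def mask(x: int, m: int) -> int:
    """ODSM masking: z = encode(x) + m, the random mask m drawn from D."""
    assert m in D
    return encode(x) ^ m

def unmask(z: int):
    """Project z onto C and D; return (x, m)."""
    c, m = DECOMP[z]
    return DECODE[c], m

def fault_detected(z: int, m: int, error: int) -> bool:
    """z -> z ^ error is caught when the recovered mask no longer equals m."""
    return unmask(z ^ error)[1] != m

def errors_escaping_detection(max_weight: int):
    """Non-zero errors of weight <= max_weight that pass the check (they lie in C)."""
    return {e for e in range(1, 1 << N)           # any (z, m) gives the same answer
            if popcount(e) <= max_weight and not fault_detected(mask(0, 0), 0, e)}

def moment_sum(x: int, order: int) -> int:
    """|D| * E[HW(z)^order] for a uniform mask m in D, as an exact integer."""
    return sum(popcount(encode(x) ^ m) ** order for m in D)

def moment_is_data_independent(order: int) -> bool:
    """True iff the order-th moment of HW(z) is the same for every x."""
    return len({moment_sum(x, order) for x in range(1 << K)}) == 1
```

With \(d_\mathcal{C} = 3\) here, every error of weight 1 or 2 is detected, the only undetected weight-3 errors are the three weight-3 codewords of \(\mathcal{C}\), and the first two leakage moments are constant in \(x\) while the third is not.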

Keywords

Masking countermeasure, trans-masking, fault detection, orthogonal supplementary spaces, linear codes, minimal and dual distances, AES

Copyright information

© IFIP International Federation for Information Processing 2014

Authors and Affiliations

  • Julien Bringer (1)
  • Claude Carlet (2)
  • Hervé Chabanne (1, 3)
  • Sylvain Guilley (3, 4)
  • Houssem Maghrebi (1)
  1. Morpho, Osny, France
  2. LAGA, UMR 7539, CNRS, Department of Mathematics, University of Paris XIII and University of Paris VIII, Saint-Denis Cedex, France
  3. Crypto Group, Institut Mines Télécom, Paris Cedex 13, France
  4. Secure-IC S.A.S., Rennes, France