Skip to main content
SpringerLink
Log in

Optimal First-Order Masking with Linear and Non-linear Bijections

  • Conference paper
Progress in Cryptology - AFRICACRYPT 2012 (AFRICACRYPT 2012)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 7374))

Included in the following conference series:

Abstract

Hardware devices can be protected against side-channel attacks by introducing one random mask per sensitive variable. The computation throughout is unaltered if the shares (masked variable and mask) are processed concomitantly, in two distinct registers. Nonetheless, this setup can be attacked by a zero-offset second-order CPA attack. The countermeasure can be improved by manipulating the mask through a bijection F, aimed at reducing the dependency between the shares. Thus dth-order zero-offset attacks, that consist in applying CPA on the dth power of the centered side-channel traces, can be thwarted for d ≥ 2 at no extra cost. We denote by n the size in bits of the shares and call F the transformation function, that is a bijection of \(\mathbb{F}_2^n\). In this paper, we explore the functions F that thwart zero-offset HO-CPA of maximal order d. We mathematically demonstrate that optimal choices for F relate to optimal binary codes (in the sense of communication theory). First, we exhibit optimal linear F functions. Second, we note that for values of n for which non-linear codes exist with better parameters than linear ones. These results are exemplified in the case n = 8, the optimal F can be identified:it is derived from the optimal rate 1/2 binary code of size 2n, namely the Nordstrom-Robinson (16, 256, 6) code. This example provides explicitly with the optimal protection that limits to one mask of byte-oriented algorithms such as AES or AES-based SHA-3 candidates. It protects against all zero-offset HO-CPA attacks of order d ≤ 5. Eventually, the countermeasure is shown to be resilient to imperfect leakage models.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Batina, L., Gierlichs, B., Prouff, E., Rivain, M., Standaert, F.-X., Veyrat-Charvillon, N.: Mutual Information Analysis: a Comprehensive Study. J. Cryptology 24(2), 269–291 (2011)

    Article  MathSciNet  MATH  Google Scholar 

  2. Brier, E., Clavier, C., Olivier, F.: Correlation Power Analysis with a Leakage Model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  3. Camion, P., Carlet, C., Charpin, P., Sendrier, N.: On Correlation-Immune Functions. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 86–100. Springer, Heidelberg (1992)

    Google Scholar 

  4. Carlet, C.: Boolean Functions for Cryptography and Error Correcting Codes. Chapter of the Monography Boolean Models and Methods in Mathematics, Computer Science, and Engineering, pp. 257–397. Cambridge University Press (2010), Preliminary version, http://www.math.univ-paris13.fr/~carlet/chap-fcts-Bool-corr.pdf

  5. Carlet, C.: Vectorial Boolean Functions for Cryptography. Crama, Y., Hammer, P. (eds.) Chapter of the Monography Boolean Models and Methods in Mathematics, Computer Science, and Engineering, pp. 398–469. Cambridge University Press, Cambridge (2010), Preliminary version, http://www.math.univ-paris13.fr/~carlet/pubs.html

    Google Scholar 

  6. Carlet, C., Gaborit, P., Kim, J.-L., Solé, P.: A new class of codes for Boolean masking of cryptographic computations, October 6 (2011), http://arxiv.org/abs/1110.1193

  7. Danger, J.-L., Guilley, S.: Cryptography Circuit Protected Against Observation Attacks, in Particular of a High Order, September 23, International patent, published as FR2941342 (A1), WO2010084106 (A1) & (A9), EP2380306 (A1), CA2749961, A1 (2010)

    Google Scholar 

  8. Delsarte, P.: An algebraic approach to the association schemes of coding theory. PhD thesis, Université Catholique de Louvain, Belgium (1973)

    Google Scholar 

  9. Doget, J., Prouff, E., Rivain, M., Standaert, F.-X.: Univariate side channel attacks and leakage modeling. J. Cryptographic Engineering 1(2), 123–144 (2011)

    Article  Google Scholar 

  10. David Forney Jr., G., Sloane, N.J.A., Trott, M.D.: The Nordstrom-Robinson Code is the Binary Image of the Octacode. In: Calderbank Amer, R., Forney Jr., G.D., Moayeri, N. (eds.) Coding and Quantization: DIMACS/IEEE Workshop, October 19-21. Math. Soc., pp. 19–26 (1992)

    Google Scholar 

  11. Goubin, L., Patarin, J.: DES and Differential Power Analysis. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 158–172. Springer, Heidelberg (1999)

    Chapter  Google Scholar 

  12. Aaron Gulliver, T., Östergård, P.R.J.: Binary optimal linear rate 1/2 codes. Discrete Mathematics 283(1-3), 255–261 (2004)

    Article  MathSciNet  MATH  Google Scholar 

  13. Jessie MacWilliams, F., Sloane, N.J.A.: The Theory of Error-Correcting Codes. Elsevier, Amsterdam (1977) ISBN: 978-0-444-85193-2

    Google Scholar 

  14. Maghrebi, H., Carlet, C., Guilley, S., Danger, J.-L.: Optimal first-order masking with linear and non-linear bijections. Cryptology ePrint Archive, Report 2012/175, April 6 (2012), http://eprint.iacr.org/2012/175/

  15. Maghrebi, H., Prouff, E., Guilley, S., Danger, J.-L.: A First-Order Leak-Free Masking Countermeasure. In: Dunkelman, O. (ed.) CT-RSA 2012. LNCS, vol. 7178, pp. 156–170. Springer, Heidelberg (2012), doi:10.1007/978-3-642-27954-6_10

    Chapter  Google Scholar 

  16. Mathew, S.K., Sheikh, F., Kounavis, M., Gueron, S., Agarwal, A., Hsu, S.K., Kaul, H., Anders, M.A., Krishnamurthy, R.K.: 53 Gbps Native GF(24)2 Composite-Field AES-Encrypt/Decrypt Accelerator for Content-Protection in 45 nm High-Performance Microprocessors. IEEE Journal of Solid-State Circuits 46(4), 767–776 (2011)

    Article  Google Scholar 

  17. Peeters, E., Standaert, F.-X., Donckers, N., Quisquater, J.-J.: Improved Higher-Order Side-Channel Attacks with FPGA Experiments. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 309–323. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  18. Peeters, É., Standaert, F.-X., Quisquater, J.-J.: Power and electromagnetic analysis: Improved model, consequences and comparisons. Integration, The VLSI Journal, Special Issue on Embedded Cryptographic Hardware 40, 52–60 (2005), doi:10.1016/j.vlsi.2005.12.013

    Google Scholar 

  19. Prouff, E., Rivain, M., Bevan, R.: Statistical Analysis of Second Order Differential Power Analysis. IEEE Trans. Computers 58(6), 799–811 (2009)

    Article  MathSciNet  Google Scholar 

  20. Satoh, A., Morioka, S., Takano, K., Munetoh, S.: A Compact Rijndael Hardware Architecture with S-Box Optimization. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 239–254. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  21. Schindler, W., Lemke, K., Paar, C.: A Stochastic Model for Differential Side Channel Cryptanalysis. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 30–46. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  22. Shah, S., Velegalati, R., Kaps, J.-P., Hwang, D.: Investigation of DPA Resistance of Block RAMs in Cryptographic Implementations on FPGAs. In: Prasanna, V.K., Becker, J., Cumplido, R. (eds.) ReConFig, pp. 274–279. IEEE Computer Society (2010)

    Google Scholar 

  23. Snover, S.L.: The uniqueness of the Nordstrom-Robinson and the Golay binary codes. PhD thesis, Department of Mathematics, Michigan State University, USA (1973)

    Google Scholar 

  24. Standaert, F.-X., Malkin, T.G., Yung, M.: A Unified Framework for the Analysis of Side-Channel Key Recovery Attacks. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 443–461. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  25. Standaert, F.-X., Peeters, É., Rouvroy, G., Quisquater, J.-J.: An Overview of Power Analysis Attacks Against Field Programmable Gate Arrays. Proceedings of the IEEE 94(2), 383–394 (2006) (invited paper)

    Article  Google Scholar 

  26. Standaert, F.-X., Rouvroy, G., Quisquater, J.-J.: FPGA Implementations of the DES and Triple-DES Masked Against Power Analysis Attacks. In: FPL, Madrid, Spain. IEEE (August 2006)

    Google Scholar 

  27. Veyrat-Charvillon, N., Standaert, F.-X.: Mutual Information Analysis: How, When and Why? In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 429–443. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  28. Veyrat-Charvillon, N., Standaert, F.-X.: Generic Side-Channel Distinguishers: Improvements and Limitations. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 354–372. Springer, Heidelberg (2011)

    Google Scholar 

  29. Waddle, J., Wagner, D.: Towards Efficient Second-Order Power Analysis. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 1–15. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Crypto Group, TELECOM-ParisTech, 37/39 rue Dareau, 75 634, Paris Cedex 13, France

    Houssem Maghrebi, Sylvain Guilley & Jean-Luc Danger

  2. LAGA, UMR 7539, CNRS, Department of Mathematics, University of Paris XIII and University of Paris VIII, 2 rue de la liberté, 93 526, Saint-Denis Cedex, France

    Claude Carlet

  3. Secure-IC S.A.S., 80 avenue des Buttes de Coësmes, 35 700, Rennes, France

    Sylvain Guilley & Jean-Luc Danger

Authors
  1. Houssem Maghrebi
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Claude Carlet
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Sylvain Guilley
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Jean-Luc Danger
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Ecole Polytechnice Fédérale de Lausanne, IC - LASEC, Bâtiment INF 238, Station 14, 1015, Lausanne, Switzerland

    Aikaterini Mitrokotsa  & Serge Vaudenay  & 

Rights and permissions

Reprints and permissions

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Maghrebi, H., Carlet, C., Guilley, S., Danger, JL. (2012). Optimal First-Order Masking with Linear and Non-linear Bijections. In: Mitrokotsa, A., Vaudenay, S. (eds) Progress in Cryptology - AFRICACRYPT 2012. AFRICACRYPT 2012. Lecture Notes in Computer Science, vol 7374. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31410-0_22

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-31410-0_22

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-31409-4

  • Online ISBN: 978-3-642-31410-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation