Connecting and Improving Direct Sum Masking and Inner Product Masking

Abstract: Direct Sum Masking (DSM) and Inner Product (IP) masking are two types of countermeasures that have been introduced as alternatives to simpler (e.g., additive) masking schemes to protect cryptographic implementations against side-channel analysis. In this paper, we first show that IP masking can be written as a particular case of DSM. We then analyze the improved security properties that these (more complex) encodings can provide over Boolean masking. For this purpose, we introduce a slight variation of the pro… Show more

“…• Bit-level security order d b : in practice, each bit of sensitive variable can be investigated independently or/and several bits can be evaluated jointly. We consider here the number of bits that can be probed by attackers, which is consistent with the bit-level probing model proposed by Poussier et al [22].…”

“…• Inner Product Masking (IPM) [2] is a word-oriented (e.g., byte-oriented) masking scheme, equipped with universal operations (namely, addition and multiplication). It is optimized to resist attacks at both word-level and bit-level probing model [22], which is suitable for computing cryptographic algorithms that are subject to high-order side-channel analysis.…”

“…The main advantage of IPM is the higher bit-level security order than Boolean masking, which is called "Security Order Amplification" in [26]. It has been proven in [22] that sidechannel resistance is directly connected to the dual distance d ⊥ D of the code D generated by H. Precisely, the security order t of IPM is equal to t = d ⊥ D − 1 [22]. The dual distance of linear code D is equal to the minimum distance of the dual code D ⊥ [18].…”

“…In Tab. 1, the maximal d b for IPM codes with n = 4 shares in F 2 8 is only 10 (d ⊥ D = 11), not 11 as in[22] …”

“…: Instances of codes with X ∈ K = F 2 8 , d b in IPM entries are consist with results in [22] Inputs…”

Detecting Faults in Inner-Product Masking Scheme - IPM-FD: IPM with Fault Detection

“…• Bit-level security order d b : in practice, each bit of sensitive variable can be investigated independently or/and several bits can be evaluated jointly. We consider here the number of bits that can be probed by attackers, which is consistent with the bit-level probing model proposed by Poussier et al [22].…”

“…• Inner Product Masking (IPM) [2] is a word-oriented (e.g., byte-oriented) masking scheme, equipped with universal operations (namely, addition and multiplication). It is optimized to resist attacks at both word-level and bit-level probing model [22], which is suitable for computing cryptographic algorithms that are subject to high-order side-channel analysis.…”

“…The main advantage of IPM is the higher bit-level security order than Boolean masking, which is called "Security Order Amplification" in [26]. It has been proven in [22] that sidechannel resistance is directly connected to the dual distance d ⊥ D of the code D generated by H. Precisely, the security order t of IPM is equal to t = d ⊥ D − 1 [22]. The dual distance of linear code D is equal to the minimum distance of the dual code D ⊥ [18].…”

“…In Tab. 1, the maximal d b for IPM codes with n = 4 shares in F 2 8 is only 10 (d ⊥ D = 11), not 11 as in[22] …”

“…: Instances of codes with X ∈ K = F 2 8 , d b in IPM entries are consist with results in [22] Inputs…”

Detecting Faults in Inner-Product Masking Scheme - IPM-FD: IPM with Fault Detection

Spectral Approach to Process the High-Order Template Attack Against any Masking Scheme

SCA Countermeasures