Higher-Order Masking and Shuffling for Software Implementations of Block Ciphers

Rivain, Matthieu; Prouff, Emmanuel; Doget, Julien

doi:10.1007/978-3-642-04138-9_13

Cited by 97 publications

(61 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We note that in addition to the large design space, our architecture has specific advantages compared to the straightforward protection of a block cipher. For example, how to design a masking scheme for a software implementation of a block cipher that has an order higher than 3 is an open problem, as pointed out in [30]. In our case, thanks to the algebraic structure of the function g, such a generalization to high orders is as easy as for asymmetric encryption.…”

Section: Resistance Against Standard Side-channel Attacksmentioning

confidence: 94%

“…The design space of the proposed architecture allows to deploy three well studied countermeasures against DPA attacks: shuffling, blinding and protection by secure logic. For an extensive discussion of those countermeasures see for instance [19], or [30] for a more theoretical approach. We note that in addition to the large design space, our architecture has specific advantages compared to the straightforward protection of a block cipher.…”

Section: Resistance Against Standard Side-channel Attacksmentioning

confidence: 99%

See 1 more Smart Citation

Fresh Re-keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices

Medwed

Standaert

Großschädl

et al. 2010

Progress in Cryptology – AFRICACRYPT 2010

101

View full text Add to dashboard Cite

The market for RFID technology has grown rapidly over the past few years. Going along with the proliferation of RFID technology is an increasing demand for secure and privacy-preserving applications. In this context, RFID tags need to be protected against physical attacks such as Differential Power Analysis (DPA) and fault attacks. The main obstacles towards secure RFID are the extreme constraints of passive tags in terms of power consumption and silicon area, which makes the integration of countermeasures against physical attacks even more difficult than for other types of embedded systems. In this paper we propose a fresh re-keying scheme that is especially suited for challenge-response protocols such as used to authenticate tags. We evaluate the resistance of our scheme against fault and side-channel analysis, and introduce a simple architecture for VLSI implementation on RFID tags. In addition, we estimate the cost of our scheme in terms of area and execution time for various sec... Abstract. The market for RFID technology has grown rapidly over the past few years. Going along with the proliferation of RFID technology is an increasing demand for secure and privacy-preserving applications. In this context, RFID tags need to be protected against physical attacks such as Differential Power Analysis (DPA) and fault attacks. The main obstacles towards secure RFID are the extreme constraints of passive tags in terms of power consumption and silicon area, which makes the integration of countermeasures against physical attacks even more difficult than for other types of embedded systems. In this paper we propose a fresh re-keying scheme that is especially suited for challenge-response protocols such as used to authenticate tags. We evaluate the resistance of our scheme against fault and side-channel analysis, and introduce a simple architecture for VLSI implementation on RFID tags. In addition, we estimate the cost of our scheme in terms of area and execution time for various security/performance trade-offs. Our experimental results show that the proposed re-keying scheme provides better security (and does so at less cost) than other state-of-the-art countermeasures.

show abstract

Section: Resistance Against Standard Side-channel Attacksmentioning

confidence: 94%

Section: Resistance Against Standard Side-channel Attacksmentioning

confidence: 99%

Fresh Re-keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices

Medwed

Standaert

Großschädl

et al. 2010

Progress in Cryptology – AFRICACRYPT 2010

101

View full text Add to dashboard Cite

show abstract

“…Regarding Boolean masking, it has been shown in [20] that the correlation ρ bool corresponding to HO-DPA with normalized product combining against dth-order Boolean masking satisfies (in the Hamming weight model):…”

Section: Higher-order Dpa Evaluationmentioning

confidence: 99%

Protecting AES with Shamir’s Secret Sharing Scheme

Goubin

Martinelli

2011

Cryptographic Hardware and Embedded Systems – CHES 2011

View full text Add to dashboard Cite

Abstract. Cryptographic algorithms embedded on physical devices are particularly vulnerable to Side Channel Analysis (SCA). The most common countermeasure for block cipher implementations is masking, which randomizes the variables to be protected by combining them with one or several random values. In this paper, we propose an original masking scheme based on Shamir's Secret Sharing scheme [22] as an alternative to Boolean masking. We detail its implementation for the AES using the same tool than Rivain and Prouff in CHES 2010 [16]: multi-party computation. We then conduct a security analysis of our scheme in order to compare it to Boolean masking. Our results show that for a given amount of noise the proposed scheme -implemented to the first orderprovides the same security level as 3 rd up to 4 th order boolean masking, together with a better efficiency.

show abstract

“…This is definitely not sufficient in practice where one usually expects that no attack succeeds with less than 1 million observations (or even more). As a conclusion, choosing s-boxes with small minimum transparency order is a sound strategy if it is combined with other classical countermeasures like e.g., masking [7], shuffling [28] or threshold implementation [21]. Moreover, our analysis (e.g., Table 1) suggests that among s-boxes with equal (and good) cryptographic properties, there may exist significant differences in terms of (minimum) transparency order.…”

Section: Conclusion Of the Practical Soundness Of The Transparency Ordermentioning

confidence: 62%

Redefining the transparency order

Chakraborty

Sarkar²,

Maitra

et al. 2016

Des. Codes Cryptogr.

Self Cite

View full text Add to dashboard Cite

Abstract. In this paper, we consider the multi-bit Differential Power Analysis (DPA) in the Hamming weight model. In this regard, we revisit the definition of Transparency Order (TO) from the work of Prouff (FSE 2005) and find that the definition has certain limitations. Although this work has been quite well referred in the literature, surprisingly, these limitations remained unexplored for almost a decade. We analyse the definition from scratch, modify it and finally provide a definition with better insight that can theoretically capture DPA in Hamming weight model for hardware implementation with precharge logic. At the end, we confront the notion of (revised) transparency order with attack simulations in order to study to what extent the low transparency order of an s-box impacts the efficiency of a side channel attack against its processing. To the best of our knowledge, this is the first time that such a critical analysis is conducted (even considering the original notion of Prouff). It practically confirms that the transparency order is indeed related to the resistance of the s-box against side-channel attacks, but it also shows that it is not sufficient alone to directly achieve a satisfying level of security. Regarding this point, our conclusion is that the (revised) transparency order is a valuable criterion to consider when designing a cryptographic algorithm, and even if it does not preclude to also use classical countermeasures like masking or shuffling, it enables to improve their effectiveness.

show abstract

Higher-Order Masking and Shuffling for Software Implementations of Block Ciphers

Cited by 97 publications

References 24 publications

Fresh Re-keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices

Fresh Re-keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices

Protecting AES with Shamir’s Secret Sharing Scheme

Redefining the transparency order

Contact Info

Product

Resources

About