Higher Order Masking of Look-Up Tables

Coron, Jean-Sébastien

doi:10.1007/978-3-642-55220-5_25

Cited by 126 publications

(154 citation statements)

References 14 publications

Supporting

Mentioning

152

Contrasting

Order By: Relevance

“…We tested the table recomputation scheme of Coron [Cor14]. This scheme passes all fixed-vs-fixed tests with the identity leakage model.…”

Section: A First-order Secure Implementationmentioning

confidence: 99%

Detecting Flawed Masking Schemes with Leakage Detection Tests

Reparaz

2016

Fast Software Encryption

View full text Add to dashboard Cite

Abstract. Masking is a popular countermeasure to thwart side-channel attacks on embedded systems. Many proposed masking schemes, even carrying "security proofs", are eventually broken because they are flawed by design. The security validation process is nowadays a lengthy, tedious and manual process. In this paper, we report on a method to verify the soundness of a masking scheme before implementing it on a device. We show that by instrumenting a high-level implementation of the masking scheme and by applying leakage detection techniques, a system designer can quickly assess at design time whether the masking scheme is flawed or not, and to what extent. Our method requires not more than working high-level source code and is based on simulation. Thus, our method can be used already in the very early stages of design. We validate our approach by spotting in an automated fashion first-, second-and thirdorder flaws in recently published state-of-the-art schemes in a matter of seconds with limited computational resources. We also present a new second-order flaw on a table recomputation scheme, and show that the approach is useful when designing a hardware masked implementation.

show abstract

“…We tested the table recomputation scheme of Coron [Cor14]. This scheme passes all fixed-vs-fixed tests with the identity leakage model.…”

Section: A First-order Secure Implementationmentioning

confidence: 99%

Detecting Flawed Masking Schemes with Leakage Detection Tests

Reparaz

2016

Fast Software Encryption

View full text Add to dashboard Cite

show abstract

“…The SecMult algorithm enables to securely compute a product c = a · b over F 2 k , from an n-sharing of a and b, and outputs an n-sharing of c. Here we use the linear memory version from [Cor14], using similar notations as in [BBD + 15a].…”

Section: The Rivain-prouff Multiplicationmentioning

confidence: 99%

“…[CGP + 12a, Cor14, CPRR13, GPQ11, ISW03, RP10, RV13]), based on the original notion of private circuits introduced in [ISW03]. Except [Cor14] which extends the original idea of [KJJ99] to any order, the other proposals are based on the ISW gadget recalled above. The core idea of the latter works is to split the processing into a short sequence of field multiplications and F 2 -linear operations, and then to secure these operations independently, while ensuring that the local security proofs can be combined to prove the security of the entire processing.…”

Section: Introductionmentioning

confidence: 99%

Faster Evaluation of SBoxes via Common Shares

Coron

Greuet

Prouff

et al. 2016

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. We describe a new technique for improving the efficiency of the masking countermeasure against side-channel attacks. Our technique is based on using common shares between secret variables, in order to reduce the number of finite field multiplications. Our algorithms are proven secure in the ISW probing model with n t + 1 shares against t probes. For AES, we get an equivalent of 2.8 nonlinear multiplications for every SBox evaluation, instead of 4 in the Rivain-Prouff countermeasure. We obtain similar improvements for other block-ciphers. Our technique is easy to implement and performs relatively well in practice, with roughly a 20% speed-up compared to existing algorithms.

show abstract

“…The design error was that only one masked table was used. A repaired version has been presented recently at [11]; it employs d + 1 tables that need each to be precomputed d times (hence a quadratic complexity overhead in the number of masks). Other provably secure schemes have been promoted, such as the computation of the S-box in a Galois field; refer for instance to [39].…”

Section: Multi-mask Fems Vs Mono-mask Lemsmentioning

confidence: 99%

“…Therefore, the information-theoretic study of the leakage will without doubt allow to put forward biases exploitable in key recovery attacks. In this sense, RSM is not a first-order masking scheme according to the definition that can be found in [11] for instance. A couple of nice and interesting tools, e.g., detecting the collisions due to the complimentary mask lists, are provided in [46] to make use of the leakage distributions.…”

Section: Comparison With Other Attacks On the Dpa Contest V4 Aes Tracesmentioning

confidence: 99%

Detecting Hidden Leakages

Moradi

Guilley

Heuser

2014

Applied Cryptography and Network Security

View full text Add to dashboard Cite

Abstract. Reducing the entropy of the mask is a technique which has been proposed to mitigate the high performance overhead of masked software implementations of symmetric block ciphers. Rotating S-box Masking (RSM) is an example of such schemes applied to AES with the purpose of maintaining the security at least against univariate first-order side-channel attacks. This article examines the vulnerability of a realization of such technique using the side-channel measurements publicly available through DPA contest V4. Our analyses which focus on exploiting the first-order leakage of the implementation discover a couple of potential attacks which can recover the secret key. Indeed the leakage we exploit is due to a design mistake as well as the characteristics of the implementation platform, none of which has been considered during the design of the countermeasure (implemented in naive C code).

show abstract

Higher Order Masking of Look-Up Tables

Cited by 126 publications

References 14 publications

Detecting Flawed Masking Schemes with Leakage Detection Tests

Detecting Flawed Masking Schemes with Leakage Detection Tests

Faster Evaluation of SBoxes via Common Shares

Detecting Hidden Leakages

Contact Info

Product

Resources

About