Side-Channel Masking with Pseudo-Random Generator

Coron, Jean-Sébastien; Greuet, Aurélien; Zeitoun, Rina

doi:10.1007/978-3-030-45727-3_12

Cited by 14 publications

(30 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Coron et al [6] proposed a special technique called locality of randomness subset, allowing the usage of multiple PRGs to reduce the randomness cost by setting proper randomness subsets of each gadget. According to it, if all gadgets are SNI-R/PINI-R defined in [6], we can securely use d-wise PRGs [7] to generate the random bit for the gadgets and keep an equivalent security in the probing model, even if the worst case where the adversary can get the variables in a PRG with one probe happens. Then, we can reuse the random seeds of dwise PRGs in different gadgets based on the locality of the subsets, which significantly reduces the randomness cost.…”

Section: Introductionmentioning

confidence: 99%

“…Then, we can reuse the random seeds of dwise PRGs in different gadgets based on the locality of the subsets, which significantly reduces the randomness cost. In [6], the ISWAND [8] has been proved as SNI-R with 1-local use of dðd þ 1Þ=2 subsets. Furthermore, two better SNI-R AND algorithms are given in [6] with d 1-local use subsets and d 2-local use subsets.…”

Section: Introductionmentioning

confidence: 99%

“…In [6], the ISWAND [8] has been proved as SNI-R with 1-local use of dðd þ 1Þ=2 subsets. Furthermore, two better SNI-R AND algorithms are given in [6] with d 1-local use subsets and d 2-local use subsets.…”

Section: Introductionmentioning

confidence: 99%

“…Our Contributions. Following [6], our main contribution is to propose a new security notion allowing multiple PRGs, and a more efficient masked d-order AND algorithm with 1local use of 2d randomness subsets based on [5] which satisfies the new notion. Besides, we consolidate the work on masked arithmetic addition by improving the existing work of Coron et al [20].…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Improved Masking Multiplication with PRGs and Its Application to Arithmetic Addition

Wang,

Sui,

et al. 2024

IET Information Security

View full text Add to dashboard Cite

At Eurocrypt 2020, Coron et al. proposed a masking technique allowing the use of random numbers from pseudo-random generators (PRGs) to largely reduce the use of expansive true-random generators (TRNGs). For security against d probes, they describe a construction using 2d PRGs, each of which is fed with at most 2d random variables in a finite field, resulting in a randomness requirement of O∼d2. In this paper, we improve the technique on multiple frontiers. On the theoretical level, we push the limits of the randomness requirement by providing an improved masking multiplication using only d PRGs, each of which is fed with d random variables, saving more than half random bits. On the practical level, considering that the masking of arithmetic addition usually requires more randomness (than multiplication), we apply the technique to the algorithm proposed at FSE 2015 that is a very efficient scheme performing arithmetic addition modulo 2w. It significantly reduces the randomness cost of masked arithmetic addition, and further advocates the advantage of masking with PRGs. Furthermore, we apply our masking scheme to the Speck, XTEA, and Sparkle, and provide the first (to the best of our knowledge) higher order masked implementations for the ciphers using ARX structure.

show abstract

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Improved Masking Multiplication with PRGs and Its Application to Arithmetic Addition

Wang,

Sui,

et al. 2024

IET Information Security

View full text Add to dashboard Cite

show abstract

“…An improved scheme that can save the RAM overhead by a factor of 2 is given in [CRZ18]. At CHES 2021, Valiveti et al [VV21] proposed a method that can reduce the RAM size to 2 k+1 k + O k k(d + 1) 2 bits by applying the technique of masking with pseudorandom generators (PRGs) [CGZ20]. However, the complexity of online-computation of this method grows to Õ( d 2 ), due to the running of PRGs.…”

Section: Introductionmentioning

confidence: 99%

Efficient Private Circuits with Precomputation

Wang

Zhang

et al. 2023

TCHES

View full text Add to dashboard Cite

At CHES 2022, Wang et al. described a new paradigm for masked implementations using private circuits, where most intermediates can be precomputed before the input shares are accessed, significantly accelerating the online execution of masked functions. However, the masking scheme they proposed mainly featured (and was designed for) the cost amortization, leaving its (limited) suitability in the above precomputation-based paradigm just as a bonus. This paper aims to provide an efficient, reliable, easy-to-use, and precomputation-compatible masking scheme. We propose a new masked multiplication over the finite field Fq suitable for the precomputation, and prove its security in the composable notion called Probing-Isolating Non-Inference (PINI). Particularly, the operations (e.g., AND and XOR) in the binary field can be achieved by assigning q = 2, allowing the bitsliced implementation that has been shown to be quite efficient for the software implementations. The new masking scheme is applied to leverage the masking of AES and SKINNY block ciphers on ARM Cortex M architecture. The performance results show that the new scheme contributes to a significant speed-up compared with the state-of-the-art implementations. For SKINNY with block size 64, the speed and RAM requirement can be significantly improved (saving around 45% cycles in the online-computation and 60% RAM space for precomputed values) from AES-128, thanks to its smaller number of AND gates. Besides the security proof by hand, we provide formal verifications for the multiplication and T-test evaluations for the masked implementations of AES and SKINNY. Because of the structure of the new masked multiplication, our formal verification can be performed for security orders up to 16.

show abstract