Abstract
Designers of masking schemes are usually torn between the contradicting goals of maximizing the security gains while minimizing the performance overheads. Boolean masking is one extreme example of this tradeoff: its algebraic structure is as simple as can be (and so are its implementations), but it typically suffers more from implementation weaknesses. For example knowing one bit of each share is enough to know one bit of secret in this case. Inner product masking lies at the other side of this tradeoff: its algebraic structure is more involved, making it more expensive to implement (especially at higher orders), but it ensures stronger security guarantees. For example, knowing one bit of each share is not enough to know one bit of secret in this case.
In this paper, we try to combine the best of these two worlds, and propose a new masking scheme mixing a single Boolean matrix product (to improve the algebraic complexity of the scheme) with standard additive Boolean masking (to allow efficient higher-order implementations). We show that such a masking is well suited for application to bitslice ciphers. We also conduct a comprehensive security analysis of the proposed scheme. For this purpose, we give a security proof in the probing model, and carry out an information leakage evaluation of an idealized implementation. For certain leakage functions, the latter exhibits surprising observations, namely information leakages in higher statistical moments than guaranteed by the proof in the probing model, which we can connect to the recent literature on low entropy masking schemes. We conclude the paper with a performance evaluation, which confirms that both for security and performance reasons, our new masking scheme (which can be viewed as a variation of inner product masking) compares favorably to state-of-the-art masking schemes for bitslice ciphers.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsNotes
- 1.
‘popcnt’ instruction counts the number of bits set to 1 in one cycle.
- 2.
We take the matrices A as \((1\,0\,0\,0; 1\,1\,1\,0; 0\,0\,1\,0; 1\,1\,1\,1)\), \((1\,1\,0\,0; 0\,0\,1\,1; 1\,0\,1\,0; 1\,1\,0\,1)\) and \((1\,1\,1\,0; 1\,1\,0\,1; 1\,0\,1\,1; 0\,1\,1\,1)\) respectively.
- 3.
Note that in this case we don’t need to keep the memory for the matrices \(\hat{A}\), \(\grave{A}\) and \(\acute{A}\).
- 4.
This problem could be solved by an optimized assembly implementation.
References
Balasch, J., Faust, S., Gierlichs, B.: Inner product masking revisited. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 486–510. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46800-5_19
Barthe, G., Belaïd, S., Dupressoir, F., Fouque, P.-A., Grégoire, B., Strub, P.-Y.: Verified proofs of higher-order masking. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 457–485. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46800-5_18
Carlet, C., Guilley, S.: Complementary dual codes for counter-measures to side-channel attacks. Adv. Math. Commun. 10(1), 131–150 (2016)
Castagnos, G., Renner, S., Zémor, G.: High-order masking by using coding theory and its application to AES. In: Stam, M. (ed.) IMACC 2013. LNCS, vol. 8308, pp. 193–212. Springer, Heidelberg (2013). doi:10.1007/978-3-642-45239-0_12
Duc, A., Faust, S., Standaert, F.-X.: Making masking security proofs concrete. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 401–429. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46800-5_16
Fumaroli, G., Martinelli, A., Prouff, E., Rivain, M.: Affine masking against higher-order side channel analysis. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 262–280. Springer, Heidelberg (2011). doi:10.1007/978-3-642-19574-7_18
Goubin, L., Martinelli, A.: Protecting AES with Shamir’s secret sharing scheme. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 79–94. Springer, Heidelberg (2011). doi:10.1007/978-3-642-23951-9_6
Grosso, V., Leurent, G., Standaert, F.-X., Varici, K.: LS-Designs: bitslice encryption for efficient masked software implementations. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 18–37. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46706-0_2
Grosso, V., Standaert, F.-X., Prouff, E.: Low entropy masking schemes, revisited. In: Francillon, A., Rohatgi, P. (eds.) CARDIS 2013. LNCS, vol. 8419, pp. 33–43. Springer, Heidelberg (2014). doi:10.1007/978-3-319-08302-5_3
Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003). doi:10.1007/978-3-540-45146-4_27
Journault, A., Standaert, F.X., Varici, K.: Improving the security and efficiency of block ciphers based on LS-designs. In: 9th International Workshop on Coding and Cryptography, WCC 2015, Paris, France, April 2015
Oswald, E., Fischlin, M. (eds.): EUROCRYPT 2015. LNCS, vol. 9056. Springer, Heidelberg (2015)
Preneel, B., Takagi, T. (eds.): CHES 2011. LNCS, vol. 6917. Springer, Heidelberg (2011)
Prouff, E., Roche, T.: Higher-order glitches free implementation of the AES using secure multi-party computation protocols. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 63–78. Springer, Heidelberg (2011). doi:10.1007/978-3-642-23951-9_5
Rivain, M., Prouff, E.: Provably secure higher-order masking of AES. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 413–427. Springer, Heidelberg (2010). doi:10.1007/978-3-642-15031-9_28
Standaert, F.-X., Malkin, T.G., Yung, M.: A unified framework for the analysis of side-channel key recovery attacks. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 443–461. Springer, Heidelberg (2009). doi:10.1007/978-3-642-01001-9_26
Standaert, F.-X., Veyrat-Charvillon, N., Oswald, E., Gierlichs, B., Medwed, M., Kasper, M., Mangard, S.: The world is not enough: another look on second-order DPA. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 112–129. Springer, Heidelberg (2010). doi:10.1007/978-3-642-17373-8_7
Acknowledgements
This work has been funded in parts by the European Commission through the ERC project 280141, the CHIST-ERA project SECODE, Major State Basic Research Development Program (973 Plan) (2013CB338004). François-Xavier Standaert is a research associate of the Belgian Fund for Scientific Research (FNRS-F.R.S.). Yu Yu was supported by the National Natural Science Foundation of China Grant (Nos. 61472249, 61572192, 61572149) and International Science & Technology Cooperation & Exchange Projects of Shaanxi Province (2016KW-038). Zheng Guo was supported by the National Natural Science Foundation of China (No. 61402286) and Shanghai Minhang Innovation project (No. 2015MH069). Junrong Liu was supported by the National Natural Science Foundation of China (No. U1536103). Dawu Gu was supported by National Natural Science Foundation of China (No. 61472250).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Wang, W. et al. (2017). Inner Product Masking for Bitslice Ciphers and Security Order Amplification for Linear Leakages. In: Lemke-Rust, K., Tunstall, M. (eds) Smart Card Research and Advanced Applications. CARDIS 2016. Lecture Notes in Computer Science(), vol 10146. Springer, Cham. https://doi.org/10.1007/978-3-319-54669-8_11
Download citation
DOI: https://doi.org/10.1007/978-3-319-54669-8_11
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-54668-1
Online ISBN: 978-3-319-54669-8
eBook Packages: Computer ScienceComputer Science (R0)