Abstract
Boolean masking is an effective side-channel countermeasure that consists of splitting each sensitive variable into two or more shares which are carefully manipulated to avoid leakage of the sensitive variable. The best known expressions for Boolean masking of bitwise operations are relatively compact, but even a small improvement of these expressions can significantly reduce the performance penalty of more complex masked operations such as modular addition on Boolean shares or of masked ciphers. In this paper, we present and evaluate new secure expressions for performing bitwise operations on Boolean shares. To this end, we describe an algorithm for efficient search of expressions that have an optimal cost in number of elementary operations. We show that bitwise AND and OR on Boolean shares can be performed using fewer instructions than the best known expressions. More importantly, our expressions do not require additional random values, as the best known expressions do. We apply our new expressions to the masked addition/subtraction on Boolean shares based on the Kogge-Stone adder and report an improvement in execution time of between 14% and 19%. Then, we compare the efficiency of first-order masked implementations of three lightweight block ciphers on an ARM Cortex-M3 to determine which design strategies are most suitable for efficient masking. All our masked implementations passed the t-test evaluation and thus are deemed secure against first-order side-channel attacks.
References
[1] Antonakakis, M., April, T., Bailey, M., Bernhard, M., Bursztein, E., Cochran, J., Durumeric, Z., Halderman, J.A., Invernizzi, L., Kallitsis, M., Kumar, D., Lever, C., Ma, Z., Mason, J., Menscher, D., Seaman, C., Sullivan, N., Thomas, K., Zhou, Y.: Understanding the Mirai Botnet. In: 26th USENIX Security Symposium (USENIX Security 2017), Vancouver, BC. USENIX Association (2017)
[2] Random Number Generator (TRNG) API, October 2012. https://forum.arduino.cc/index.php?topic=129083.0. Accessed 03 July 2017
[3] Baek, Y.-J., Noh, M.-J.: Differential power attack and masking method. Trends Math. 8(1), 1–15 (2005)
[4] Balasch, J., Gierlichs, B., Grosso, V., Reparaz, O., Standaert, F.-X.: On the cost of lazy engineering for masked software implementations. In: Joye, M., Moradi, A. (eds.) CARDIS 2014. LNCS, vol. 8968, pp. 64–81. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16763-3_5
[5] Baysal, A., Şahin, S.: RoadRunneR: a small and fast bitslice block cipher for low cost 8-bit processors. In: Güneysu, T., Leander, G., Moradi, A. (eds.) LightSec 2015. LNCS, vol. 9542, pp. 58–76. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29078-2_4
[6] Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The SIMON and SPECK lightweight block ciphers. In: Proceedings of the 52nd Annual Design Automation Conference, San Francisco, CA, USA, 7–11 June 2015, pp. 175:1–175:6. ACM (2015)
[7] Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 398–412. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_26
[8] Constantin, L.: Hackers Found 47 New Vulnerabilities in 23 IoT Devices at DEF CON, September 2016. http://www.csoonline.com/article/3119765/security/hackers-found-47-new-vulnerabilities-in-23-iot-devices-at-def-con.html. Accessed 03 July 2017
[9] Coron, J.-S., Großschädl, J., Tibouchi, M., Vadnala, P.K.: Conversion from arithmetic to Boolean masking with logarithmic complexity. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 130–149. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48116-5_7
[10] Daemen, J., Peeters, M., Van Assche, G., Rijmen, V.: Nessie proposal: Noekeon. In: First Open NESSIE Workshop, pp. 213–230 (2000)
[11] T. P. Developers: PyPy Interpreter, version 5.1.2 (2016). https://pypy.org/
[12] Ding, A.A., Chen, C., Eisenbarth, T.: Simpler, faster, and more robust t-test based leakage detection. In: Standaert, F.-X., Oswald, E. (eds.) COSADE 2016. LNCS, vol. 9689, pp. 163–183. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-43283-0_10
[13] Dinu, D., Corre, Y.L., Khovratovich, D., Perrin, L., Großschädl, J., Biryukov, A.: Triathlon of Lightweight Block Ciphers for the Internet of Things. IACR Cryptology ePrint Archive, 2015:209 (2015)
[14] Gartner: Gartner Says 8.4 Billion Connected “Things” Will Be in Use in 2017, Up 31 Percent From 2016, February 2017. http://www.gartner.com/newsroom/id/3598917. Accessed 03 July 2017
[15] Gilbert Goodwill, B.J., Jaffe, J., Rohatgi, P., et al.: A testing methodology for side-channel resistance validation. In: NIST Non-invasive Attack Testing Workshop (2011)
[16] Gross, H.: Sharing is caring—on the protection of arithmetic logic units against passive physical attacks. In: Mangard, S., Schaumont, P. (eds.) RFIDSec 2015. LNCS, vol. 9440, pp. 68–84. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24837-0_5
[17] Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_27
[18] Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks - Revealing the Secrets of Smart Cards. Springer, New York (2007)
[19] Marsaglia, G., et al.: Xorshift RNGs. J. Stat. Softw. 8(14), 1–6 (2003)
[20] McCann, D., Oswald, E., Whitnall, C.: Towards practical tools for side channel aware software engineering: ‘grey box’ modelling for instruction leakages. In: Kirda, E., Ristenpart, T. (eds.) 26th USENIX Security Symposium, USENIX Security 2017, Vancouver, BC, Canada, 16–18 August 2017, pp. 199–216. USENIX Association (2017)
[21] Papagiannopoulos, K., Veshchikov, N.: Mind the gap: towards secure 1st-order masking in software. In: Guilley, S. (ed.) COSADE 2017. LNCS, vol. 10348, pp. 282–297. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-64647-3_17
[22] Public Comments Received on “Profiles for the Lightweight Cryptography Standardization Process”, June 2017. https://www.nist.gov/sites/default/files/documents/2017/06/20/public-comments-profiles-i-ii-june2017.pdf. Accessed 03 July 2017
[23] Reparaz, O.: Detecting flawed masking schemes with leakage detection tests. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 204–222. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5_11
[24] Ronen, E., Shamir, A., Weingarten, A., O’Flynn, C.: IoT goes nuclear: creating a ZigBee chain reaction. In: 2017 IEEE Symposium on Security and Privacy, SP 2017, San Jose, CA, USA, 22–26 May 2017, pp. 195–212. IEEE Computer Society (2017)
[25] Schneider, T., Moradi, A.: Leakage assessment methodology. In: Güneysu, T., Handschuh, H. (eds.) CHES 2015. LNCS, vol. 9293, pp. 495–513. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48324-4_25
[26] Schneider, T., Moradi, A., Güneysu, T.: Arithmetic addition over Boolean masking. In: Malkin, T., Kolesnikov, V., Lewko, A.B., Polychronakis, M. (eds.) ACNS 2015. LNCS, vol. 9092, pp. 559–578. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-28166-7_27
[27] Standaert, F.-X.: How (not) to use Welch’s t-test in side-channel security evaluations. Cryptology ePrint Archive, Report 2017/138 (2017). http://eprint.iacr.org/2017/138
[28] Trichina, E.: Combinational Logic Design for AES SubByte Transformation on Masked Data. IACR Cryptology ePrint Archive, 2003:236 (2003)
[29] Won, Y., Han, D.: Efficient conversion method from arithmetic to Boolean masking in constrained devices. IACR Cryptology ePrint Archive, 2016:664 (2016)
[30] Zhang, W., Bao, Z., Lin, D., Rijmen, V., Yang, B., Verbauwhede, I.: RECTANGLE: a bit-slice lightweight block cipher suitable for multiple platforms. Sci. China Inf. Sci. 58(12), 1–15 (2015)
Acknowledgements
The authors thank the anonymous reviewers for their valuable comments. The work of Aleksei Udovenko is supported by the Fonds National de la Recherche, Luxembourg (project reference 9037104).
A Leakage Assessment
The tool we used to assess the security of our implementations against first-order attacks is inspired by similar tools such as ELMO [20], ASCOLD [21], and the one described in [23]. The simulated leakages are computed as follows. For each register \(r_i\) we store its previous value \(r_i^{j-1}\) and its current value \(r_i^j\). At each step j we dump the leakage either as the Hamming weight \(\mathsf{HW}(r_i^j)\) of the value written (HW model), or as the Hamming distance \(\mathsf{HD}(r_i^{j-1}, r_i^j) = \mathsf{HW}(r_i^{j-1} \oplus r_i^j)\) between the old and the new contents of the register (HD model), where \(\mathsf{HW}(r)\) is the Hamming weight of r. The HD model is what exposes leakage caused by register reuse, e.g. when two shares of the same variable are written to the same register one after the other.
The result of the t-test applied to \(10^6\) simulated traces (using the HW model) from our first-order protected implementation of Speck is shown as an example in Fig. 3. Similar results for Simon and RECTANGLE are given in Figs. 4 and 5, respectively. All results use our expressions to compute secure AND and OR. The value of the t-statistic stays inside the \(\pm 4.5\) interval for every point in time, i.e. the test detects no first-order leakage; under the simulated leakage models the protected implementations are therefore deemed secure against first-order attacks.
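The following Python program is an added example, not code from the paper and not the authors' tool. It puts the pieces of this appendix together on a small scale: a randomness-free first-order masked AND/OR on two Boolean shares (the kind of expression the abstract describes), a register-write simulator that dumps HW and HD leakage exactly as defined above, and a fixed-vs-random Welch t-test with the \(\pm 4.5\) threshold. The share expression z1 = (x1 AND y1) XOR (x1 OR NOT y2), z2 = (x2 AND y1) XOR (x2 OR NOT y2) is derived and checked here by recombination and is not claimed to be the paper's optimal expression; the 8-bit word size, register allocation, the fixed inputs 0xAB/0x3C, the trace count and the deliberately leaky variant are all this example's own assumptions.

```python
"""Added example (not from the paper): masked AND/OR without fresh randomness,
HW/HD leakage simulation per register write, and a fixed-vs-random t-test."""
import math
import random

WORD = 0xFF  # assumed 8-bit registers, so every leakage sample is in [0, 8]


def hw(v):
    """Hamming weight of an 8-bit value."""
    return bin(v & WORD).count("1")


class Trace:
    """Register file that records leakage of every write.
    HW model: HW(new value).  HD model: HW(old ^ new) for the same register."""

    def __init__(self, nregs=8):
        self.regs = [0] * nregs
        self.hw, self.hd = [], []

    def write(self, r, v):
        v &= WORD
        self.hw.append(hw(v))
        self.hd.append(hw(self.regs[r] ^ v))
        self.regs[r] = v
        return v


def secure_and(t, x1, x2, y1, y2):
    """z1 ^ z2 == (x1 ^ x2) & (y1 ^ y2) with no fresh mask (expression derived here).
    Each intermediate depends on at most one share of each secret, hence is
    uniform; each one goes to its own register, so HD adds no new leakage."""
    ny2 = t.write(0, ~y2)
    z1 = t.write(3, t.write(1, x1 & y1) ^ t.write(2, x1 | ny2))
    z2 = t.write(6, t.write(4, x2 & y1) ^ t.write(5, x2 | ny2))
    return z1, z2


def secure_or(t, x1, x2, y1, y2):
    """x | y = ~(~x & ~y); complementing one share complements the shared value."""
    z1, z2 = secure_and(t, (~x1) & WORD, x2, (~y1) & WORD, y2)
    return t.write(3, ~z1), z2


def plain_and(t, x, y):
    """Unprotected reference: the secrets themselves hit the registers."""
    t.write(0, x)
    t.write(1, y)
    return t.write(2, x & y)


def leaky_and(t, x1, x2, y1, y2):
    """secure_and preceded by loading all four shares through ONE register:
    the transition x1 -> x2 leaks HW(x1 ^ x2) = HW(x) in the HD model although
    every written value is uniform (so the HW model sees nothing)."""
    for s in (x1, x2, y1, y2):
        t.write(7, s)
    return secure_and(t, x1, x2, y1, y2)


def welch_t(a, b):
    """Welch's t-statistic between two sample lists."""
    n1, n2 = len(a), len(b)
    m1, m2 = sum(a) / n1, sum(b) / n2
    v1 = sum((s - m1) ** 2 for s in a) / (n1 - 1)
    v2 = sum((s - m2) ** 2 for s in b) / (n2 - 1)
    denom = math.sqrt(v1 / n1 + v2 / n2)
    if denom == 0.0:  # both groups constant: no variance to normalise by
        return 0.0 if m1 == m2 else math.inf
    return (m1 - m2) / denom


FIXED_X, FIXED_Y = 0xAB, 0x3C  # constructed fixed-class inputs for the t-test


def share(rng, v):
    """Split v into two Boolean shares with a fresh mask."""
    m = rng.getrandbits(8)
    return m, v ^ m


def run(target, t, rng, fixed, masked=True):
    """One trace of `target` on the fixed or on a random (x, y) pair."""
    x, y = (FIXED_X, FIXED_Y) if fixed else (rng.getrandbits(8), rng.getrandbits(8))
    if masked:
        x1, x2 = share(rng, x)
        y1, y2 = share(rng, y)
        target(t, x1, x2, y1, y2)
    else:
        target(t, x, y)


def tvla(target, n=2000, masked=True, seed=1):
    """Fixed-vs-random t-test over 2n simulated traces (groups interleaved).
    Returns max |t| over all time samples for the HW and the HD model."""
    rng = random.Random(seed)
    traces = {"fixed": [], "random": []}
    for i in range(2 * n):
        grp = "fixed" if i % 2 == 0 else "random"
        t = Trace()
        run(target, t, rng, grp == "fixed", masked)
        traces[grp].append(t)
    result = {}
    for model in ("hw", "hd"):
        f = [getattr(t, model) for t in traces["fixed"]]
        r = [getattr(t, model) for t in traces["random"]]
        result[model] = max(abs(welch_t([tr[k] for tr in f], [tr[k] for tr in r]))
                            for k in range(len(f[0])))
    return result


def check_correctness(trials=2000, seed=7):
    """Recombined shares must equal x & y and x | y for random inputs."""
    rng = random.Random(seed)
    for _ in range(trials):
        x, y = rng.getrandbits(8), rng.getrandbits(8)
        x1, x2 = share(rng, x)
        y1, y2 = share(rng, y)
        a1, a2 = secure_and(Trace(), x1, x2, y1, y2)
        o1, o2 = secure_or(Trace(), x1, x2, y1, y2)
        if a1 ^ a2 != x & y or o1 ^ o2 != x | y:
            return False
    return True


if __name__ == "__main__":
    print("shares recombine correctly:", check_correctness())
    print("plain AND :", tvla(plain_and, masked=False))  # |t| >> 4.5 in both models
    print("secure AND:", tvla(secure_and))                # |t| < 4.5 in both models
    print("leaky load:", tvla(leaky_and))                 # HW passes, HD fails
```

The third run is the practitioner's caveat: the same masked expression passes the HW-model t-test and fails the HD-model one purely because of how the shares were routed through registers, which is why a simulator in the style of this appendix dumps both models rather than value leakage alone. The trace count here is small; as with any t-test, the threshold only bounds the leakage detectable at that number of traces and says nothing about what a second-order or horizontal attack could recover.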
© 2018 Springer International Publishing AG, part of Springer Nature
Biryukov, A., Dinu, D., Le Corre, Y., Udovenko, A. (2018). Optimal First-Order Boolean Masking for Embedded IoT Devices. In: Eisenbarth, T., Teglia, Y. (eds) Smart Card Research and Advanced Applications. CARDIS 2017. Lecture Notes in Computer Science(), vol 10728. Springer, Cham. https://doi.org/10.1007/978-3-319-75208-2_2
DOI: https://doi.org/10.1007/978-3-319-75208-2_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-75207-5
Online ISBN: 978-3-319-75208-2