Polynomial Evaluation and Side Channel Analysis

Chapter in: The New Codebreakers

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9100)

Abstract

Side Channel Analysis (SCA) is a class of attacks that exploits leakage of information from a cryptographic implementation during execution. To thwart it, masking is a common countermeasure. The principle is to randomly split every sensitive intermediate variable occurring in the computation into several shares; the number of shares, called the masking order, plays the role of a security parameter. The main issue when applying masking to protect a block cipher implementation is to specify an efficient scheme to secure the s-box computations. Several masking schemes, applicable for arbitrary orders, have recently been introduced. Most of them follow a similar approach, originally introduced in the paper of Carlet et al. published at FSE 2012: the s-box to protect is viewed as a polynomial, and strategies are investigated that minimize the number of field multiplications that are not squarings. This paper aims at presenting all these works in a comprehensive way. The methods are discussed, their differences and similarities are identified, and the remaining open problems are listed.


Notes

  1. A function f is \(\mathbb {F}_{2}\)-linear if it satisfies \(f(x\oplus y)=f(x)\oplus f(y)\) for any pair \((x, y)\) of elements in its domain. This property must not be confused with \(\mathbb {F}_{2^m}\)-linearity of a function, where m divides n and is larger than 1, which is defined such that \(f(ax \oplus by)=af(x)\oplus bf(y)\), for every \(a,b\in \mathbb {F}_{2^m}\). An \(\mathbb {F}_{2^m}\)-linear function is \(\mathbb {F}_{2}\)-linear, but the converse is false in general.

  2. A multiplication over a field of characteristic 2 is \(\mathbb {F}_{2}\)-linear if it corresponds to a Frobenius automorphism, i.e. to a series of squarings.

  3. The protocol is an improved version of the protocol originally proposed by Ben-Or et al. [4], due to Gennaro et al. in [28].

  4. Such an improvement was already known in the context of multi-party computation [22].

  5. Where \(\ell +1\) corresponds to the code length and where k (resp. d) denotes its dimension (resp. minimum distance).

  6. The improvement of Algorithm 3 proposed in [53] involves \(d^3+9d^2+5d\) additions and \(d^3+8d^2+9d+2\) multiplications, which leads to an improvement when \(d\geqslant 3\) (see [53]).

  7. Recall that a multiplication over a field of characteristic 2 corresponding to a Frobenius automorphism, i.e. to a series of squarings, is \(\mathbb {F}_{2}\)-linear.

  8. I.e. a linear combination of monomials of the form \(x^{2^j}\) with \(j < n\).

  9. Implementations have been written in C and compiled for the ATMEGA644p microcontroller with the avr-gcc compiler and optimisation flag -O2.

  10. These attacks assume that the adversary is not limited to the observation of d intermediate results during the evaluation but can observe any family of intermediate results.
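Why the abstract counts only the multiplications that are not squarings, and what notes 1, 2 and 8 mean in practice, can be checked directly. The following example is added here and is not code from the chapter or its authors; it assumes the AES field GF(2^8) with reduction polynomial 0x11b and a Boolean (XOR) sharing with three constructed share values. It verifies exhaustively that squaring is \(\mathbb {F}_{2}\)-linear while cubing is not, and shows that a linear map can therefore be applied to each share independently without ever combining two shares.

```c
#include <stdint.h>
#include <stdio.h>

/* Multiplication in GF(2^8) reduced by x^8 + x^4 + x^3 + x + 1 (0x11b, the AES
 * field). The field is an assumption of this example; the chapter's argument
 * holds over any field of characteristic 2. The loop has no data-dependent
 * branches, so the helper does not add a timing channel of its own. */
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t r = 0;
    for (int i = 0; i < 8; i++) {
        r ^= (uint8_t)(-(b & 1)) & a;              /* add a when bit i of b is set */
        uint8_t carry = (uint8_t)(-(a >> 7));      /* 0xff if a*x leaves degree 7 */
        a = (uint8_t)((a << 1) ^ (carry & 0x1b));  /* a := a*x mod 0x11b */
        b >>= 1;
    }
    return r;
}

static uint8_t gf_sq(uint8_t x)   { return gf_mul(x, x); }         /* x^2: a Frobenius map */
static uint8_t gf_cube(uint8_t x) { return gf_mul(x, gf_sq(x)); }  /* x^3: one non-squaring multiply */

/* Exhaustive check of f(x ^ y) == f(x) ^ f(y) over the whole field (note 1). */
static int is_f2_linear(uint8_t (*f)(uint8_t)) {
    for (int x = 0; x < 256; x++)
        for (int y = 0; y < 256; y++)
            if (f((uint8_t)(x ^ y)) != (uint8_t)(f((uint8_t)x) ^ f((uint8_t)y)))
                return 0;
    return 1;
}

/* Boolean sharing: secret = shares[0] ^ ... ^ shares[d-1]. */
static uint8_t recombine(const uint8_t *shares, int d) {
    uint8_t s = 0;
    for (int i = 0; i < d; i++) s ^= shares[i];
    return s;
}

/* Apply f to every share on its own and recombine. No two shares are ever
 * touched together, which is why squarings cost nothing in probing security. */
static uint8_t apply_sharewise(uint8_t (*f)(uint8_t), const uint8_t *shares, int d) {
    uint8_t out = 0;
    for (int i = 0; i < d; i++) out ^= f(shares[i]);
    return out;
}

/* Returns 1 when share-wise squaring of a 3-share encoding equals the square
 * of the secret. The share values are constructed sample data, not random. */
static int sharewise_square_ok(void) {
    const uint8_t shares[3] = {0x57, 0xa3, 0x1c};
    uint8_t secret = recombine(shares, 3);
    return apply_sharewise(gf_sq, shares, 3) == gf_sq(secret);
}

int main(void) {
    printf("x^2 F2-linear: %d, x^3 F2-linear: %d\n", is_f2_linear(gf_sq), is_f2_linear(gf_cube));
    printf("share-wise squaring correct: %d\n", sharewise_square_ok());
    return 0;
}
```

Because x^3 fails the linearity test, a masked evaluation of it must use a secure multiplication gadget that mixes shares; every such monomial in an s-box polynomial is one of the "non-squaring multiplications" the surveyed schemes try to minimise.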

References

  1. Akkar, M.-L., Goubin, L.: A generic protection against high-order differential power analysis. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 192–205. Springer, Heidelberg (2003)
  2. Balasch, J., Faust, S., Gierlichs, B., Verbauwhede, I.: Theory and practice of a leakage resilient masking scheme. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 758–775. Springer, Heidelberg (2012)
  3. Bellare, M., Goldwasser, S., Micciancio, D.: “Pseudo-random” number generation within cryptographic algorithms: the DSS case. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 277–291. Springer, Heidelberg (1997)
  4. Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for noncryptographic fault-tolerant distributed computation. In: STOC 1988: Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, pp. 1–10. ACM, New York (1988)
  5. Blakely, G.: Safeguarding cryptographic keys. In: National Computer Conference, vol. 48, pp. 313–317. AFIPS Press, New York, June 1979
  6. Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher. In: Paillier and Verbauwhede [48], pp. 450–466
  7. Brauer, A.: On addition chains. Bull. Amer. Math. Soc. 45, 736–739 (1939)
  8. Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004)
  9. Carlet, C., Goubin, L., Prouff, E., Quisquater, M., Rivain, M.: Higher-order masking schemes for s-boxes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 366–384. Springer, Heidelberg (2012)
  10. Carlet, C., Prouff, E., Rivain, M., Roche, T.: Algebraic decomposition for probing security. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, pp. 742–763. Springer, Heidelberg (2015)
  11. Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, p. 398. Springer, Heidelberg (1999)
  12. Chen, H., Cramer, R., Goldwasser, S., de Haan, R., Vaikuntanathan, V.: Secure computation from random error correcting codes. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 291–310. Springer, Heidelberg (2007)
  13. Cook, S.A.: On the minimum computation time of functions. Ph.D. thesis, Harvard University, Cambridge, MA, USA (1966). http://cr.yp.to/bib/entries.html#1966/cook
  14. Coron, J.-S., Prouff, E., Rivain, M., Roche, T.: Higher-order side channel security and mask refreshing. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 410–424. Springer, Heidelberg (2014)
  15. Coron, J.-S., Roy, A., Vivek, S.: Fast evaluation of polynomials over binary finite fields and application to side-channel countermeasures. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 170–187. Springer, Heidelberg (2014)
  16. Coron, J.-S.: A new DPA countermeasure based on permutation tables. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds.) SCN 2008. LNCS, vol. 5229, pp. 278–292. Springer, Heidelberg (2008)
  17. Coron, J.-S.: Higher order masking of look-up tables. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 441–458. Springer, Heidelberg (2014)
  18. Coron, J.-S., Giraud, C., Prouff, E., Renner, S., Rivain, M., Vadnala, P.K.: Conversion of security proofs from one leakage model to another: a new issue. In: Schindler, W., Huss, S.A. (eds.) COSADE 2012. LNCS, vol. 7275, pp. 69–81. Springer, Heidelberg (2012)
  19. Yoo, H.S., Kim, C.K., Ha, J.C., Moon, S.-J., Park, I.H.: Side channel cryptanalysis on SEED. In: Lim, C.H., Yung, M. (eds.) WISA 2004. LNCS, vol. 3325, pp. 411–424. Springer, Heidelberg (2005)
  20. Coron, J.-S., Prouff, E., Roche, T.: On the use of Shamir's secret sharing against side-channel analysis. In: Mangard, S. (ed.) CARDIS 2012. LNCS, vol. 7771, pp. 77–90. Springer, Heidelberg (2013)
  21. Courtois, N.T., Goubin, L.: An algebraic masking method to protect AES against power attacks. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 199–209. Springer, Heidelberg (2006)
  22. Damgård, I., Ishai, Y., Krøigaard, M., Nielsen, J.B., Smith, A.: Scalable multiparty computation with nearly optimal work and resilience. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 241–261. Springer, Heidelberg (2008)
  23. Duc, A., Dziembowski, S., Faust, S.: Unifying leakage models: from probing attacks to noisy leakage. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 423–440. Springer, Heidelberg (2014)
  24. Eve, J.: The evaluation of polynomials. Comm. ACM 6(1), 17–21 (1964)
  25. Faust, S., Rabin, T., Reyzin, L., Tromer, E., Vaikuntanathan, V.: Protecting circuits from leakage: the computationally-bounded and noisy cases. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 135–156. Springer, Heidelberg (2010)
  26. Franklin, M.K., Yung, M.: Communication complexity of secure computation (extended abstract). In: Kosaraju, S.R., Fellows, M., Wigderson, A., Ellis, J.A. (eds.) STOC, pp. 699–710. ACM, New York (1992)
  27. Genelle, L., Prouff, E., Quisquater, M.: Thwarting higher-order side channel analysis with additive and multiplicative maskings. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 240–255. Springer, Heidelberg (2011)
  28. Gennaro, R., Rabin, M.O., Rabin, T.: Simplified VSS and fast-track multiparty computations with applications to threshold cryptography. In: PODC, pp. 101–111 (1998)
  29. Goubin, L., Martinelli, A.: Protecting AES with Shamir's secret sharing scheme. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 79–94. Springer, Heidelberg (2011)
  30. Grosso, V., Prouff, E., Standaert, F.-X.: Efficient masked s-boxes processing – a step forward –. In: Pointcheval, D., Vergnaud, D. (eds.) AFRICACRYPT 2014. LNCS, vol. 8469, pp. 251–266. Springer, Heidelberg (2014)
  31. Grosso, V., Standaert, F.-X., Faust, S.: Masking vs. multiparty computation: how large is the gap for AES? In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 400–416. Springer, Heidelberg (2013)
  32. Grosso, V., Standaert, F.-X., Faust, S.: Masking vs. multiparty computation: how large is the gap for AES? J. Cryptographic Eng. 4(1), 47–57 (2014)
  33. Gueron, S., Parzanchevsky, O., Zuk, O.: Masked inversion in GF(\(2^{n}\)) using mixed field representations and its efficient implementation for AES. In: Nedjah, N., Mourelle, L.M. (eds.) Embedded Cryptographic Hardware: Methodologies and Architectures, pp. 213–228. Nova Science Publishers, New York (2004)
  34. Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003)
  35. Karatsuba, A., Ofman, Y.: Multiplication of many-digital numbers by automatic computers. Transl. Acad. J. Phys. Dokl. 7, 595–596 (1963). Proceedings of the USSR Academy of Sciences, 145, pp. 293–294 (1962)
  36. Kim, H.S., Hong, S., Lim, J.: A fast and provably secure higher-order masking of AES S-Box. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 95–107. Springer, Heidelberg (2011)
  37. Knuth, D.: The Art of Computer Programming, vol. 2, 3rd edn. Addison Wesley, USA (1988)
  38. Knuth, D.E.: Evaluation of polynomials by computers. Comm. ACM 5(12), 137–138 (1962)
  39. Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, p. 388. Springer, Heidelberg (1999)
  40. Mangard, S., Popp, T., Gammel, B.M.: Side-channel leakage of masked CMOS gates. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 351–365. Springer, Heidelberg (2005)
  41. Mangard, S., Pramstaller, N., Oswald, E.: Successfully attacking masked AES hardware implementations. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 157–171. Springer, Heidelberg (2005)
  42. Mangard, S., Schramm, K.: Pinpointing the side-channel leakage of masked AES hardware implementations. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 76–90. Springer, Heidelberg (2006)
  43. Massey, J.: Minimal codewords and secret sharings. In: Sixth Joint Swedish-Russian Workshop on Information Theory, pp. 246–249 (1993)
  44. Messerges, T.S.: Using second-order power analysis to attack DPA resistant software. In: Paar, C., Koç, Ç.K. (eds.) CHES 2000. LNCS, vol. 1965, pp. 238–251. Springer, Heidelberg (2000)
  45. Moradi, A., Mischke, O.: How far should theory be from practice? In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 92–106. Springer, Heidelberg (2012)
  46. Omura, J., Massey, J.: Computational method and apparatus for finite field arithmetic. Technical report, Omnet Associates. Patent Number 4,587,627, May 1986
  47. Paterson, M., Stockmeyer, L.J.: On the number of nonscalar multiplications necessary to evaluate polynomials. SIAM J. Comput. 2(1), 60–66 (1973)
  48. Prouff, E., McEvoy, R.: First-order side-channel attacks on the permutation tables countermeasure. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 81–96. Springer, Heidelberg (2009)
  49. Prouff, E., Rivain, M.: Masking against side-channel attacks: a formal security proof. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 142–159. Springer, Heidelberg (2013)
  50. Prouff, E., Rivain, M., Roche, T.: On the practical security of a leakage resilient masking scheme. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 169–182. Springer, Heidelberg (2014)
  51. Prouff, E., Roche, T.: Attack on a higher-order masking of the AES based on homographic functions. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 262–281. Springer, Heidelberg (2010)
  52. Prouff, E., Roche, T.: Higher-order glitches free implementation of the AES using secure multi-party computation protocols. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 63–78. Springer, Heidelberg (2011)
  53. Renner, S.: Protection des Algorithmes Cryptographiques Embarqués. Ph.D. thesis, University of Bordeaux (2014). http://www.math.u-bordeaux1.fr/~srenner/Thesis_Soline_Renner.pdf
  54. Rivain, M., Prouff, E.: Provably secure higher-order masking of AES. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 413–427. Springer, Heidelberg (2010)
  55. Roche, T., Prouff, E.: Higher-order glitch free implementation of the AES using secure multi-party computation protocols - extended version. J. Cryptographic Eng. 2(2), 111–127 (2012)
  56. Coron, J.-S., Kizhvatov, I., Roy, A., Vivek, S.: Analysis and improvement of the generic higher-order masking scheme of FSE 2012. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 417–434. Springer, Heidelberg (2013)
  57. Rudra, A., Dubey, P.K., Jutla, C.S., Kumar, V., Rao, J.R., Rohatgi, P.: Efficient Rijndael encryption implementation with composite field arithmetic. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 171–184. Springer, Heidelberg (2001)
  58. Schramm, K., Paar, C.: Higher order masking of the AES. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 208–225. Springer, Heidelberg (2006)
  59. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)
  60. Shirai, T., Shibutani, K., Akishita, T., Moriai, S., Iwata, T.: The 128-bit blockcipher CLEFIA (Extended Abstract). In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 181–195. Springer, Heidelberg (2007)
  61. Sunar, B., Koç, C.K.: An efficient optimal normal basis type II multiplier. IEEE Trans. Comput. 50(1), 83–87 (2001)
  62. Toom, A.L.: The complexity of a scheme of functional elements realizing the multiplication of integers. Sov. Math. Dokl., 3, 714–716 (1963). http://www.de.ufpe.br/toom/articles/engmat/MULT-E.PDF
  63. von zur Gathen, J.: Efficient and optimal exponentiation in finite fields. Comput. Complex. 1, 360–394 (1991)
  64. von zur Gathen, J., Shokrollahi, M.A., Shokrollahi, J.: Efficient multiplication using type 2 optimal normal bases. In: Carlet, C., Sunar, B. (eds.) WAIFI 2007. LNCS, vol. 4547, pp. 55–68. Springer, Heidelberg (2007)
  65. Wang, Y., Zhu, X.: A fast algorithm for the Fourier transform over finite fields and its VLSI implementation. IEEE J. Sel. Areas Commun. 6(3), 572–577 (1988)

Corresponding author: Claude Carlet

Copyright information

© 2016 Springer-Verlag Berlin Heidelberg

Cite this chapter

Carlet, C., Prouff, E. (2016). Polynomial Evaluation and Side Channel Analysis. In: Ryan, P., Naccache, D., Quisquater, J.-J. (eds.) The New Codebreakers. Lecture Notes in Computer Science, vol. 9100. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-49301-4_20

  • DOI: https://doi.org/10.1007/978-3-662-49301-4_20
  • Publisher Name: Springer, Berlin, Heidelberg
  • Print ISBN: 978-3-662-49300-7
  • Online ISBN: 978-3-662-49301-4