Jump to ContentJump to Main Navigation
Show Summary Details
More options …

Journal of Mathematical Cryptology

Managing Editor: Magliveras, Spyros S. / Steinwandt, Rainer / Trung, Tran

Editorial Board Member: Blackburn, Simon R. / Blundo, Carlo / Burmester, Mike / Cramer, Ronald / Dawson, Ed / Gilman, Robert / Gonzalez Vasco, Maria Isabel / Grosek, Otokar / Helleseth, Tor / Kim, Kwangjo / Koblitz, Neal / Kurosawa, Kaoru / Lauter, Kristin / Lange, Tanja / Menezes, Alfred / Nguyen, Phong Q. / Pieprzyk, Josef / Rötteler, Martin / Safavi-Naini, Rei / Shparlinski, Igor E. / Stinson, Doug / Takagi, Tsuyoshi / Williams, Hugh C. / Yung, Moti

4 Issues per year


CiteScore 2016: 0.74

SCImago Journal Rank (SJR) 2016: 0.463
Source Normalized Impact per Paper (SNIP) 2016: 0.778

Mathematical Citation Quotient (MCQ) 2016: 0.16

Online
ISSN
1862-2984
See all formats and pricing
More options …

Leakage squeezing: Optimal implementation and security evaluation

Claude Carlet
  • LAGA, UMR 7539, CNRS, University of Paris XIII and University of Paris VIII, 2 rue de la liberté, 93526 Saint-Denis Cedex, France
  • Email
  • Other articles by this author:
  • De Gruyter OnlineGoogle Scholar
/ Jean-Luc Danger
  • TELECOM-ParisTech, Crypto Group, 37/39 rue Dareau, 75634 Paris Cedex 13; and Secure-IC S.A.S., 80 avenue des Buttes de Coësmes, 35700 Rennes, France
  • Email
  • Other articles by this author:
  • De Gruyter OnlineGoogle Scholar
/ Sylvain Guilley
  • TELECOM-ParisTech, Crypto Group, 37/39 rue Dareau, 75634 Paris Cedex 13; and Secure-IC S.A.S., 80 avenue des Buttes de Coësmes, 35700 Rennes, France
  • Email
  • Other articles by this author:
  • De Gruyter OnlineGoogle Scholar
/ Houssem Maghrebi
  • TELECOM-ParisTech, Crypto Group, 37/39 rue Dareau, 75634 Paris Cedex 13; and MORPHO, 18 chaussée Jules César, 95520 Osny, France
  • Email
  • Other articles by this author:
  • De Gruyter OnlineGoogle Scholar
Published Online: 2014-06-07 | DOI: https://doi.org/10.1515/jmc-2012-0018

Abstract

Hardware devices can be protected against side-channel attacks by introducing one random mask per sensitive variable. The computation throughout is unaltered if the shares (masked variable and mask) are processed concomitantly, in two distinct registers. Nonetheless, this setup can still be attacked if the side-channel is squared, because this operation causes an interference between the two shares. This more sophisticated analysis is referred to as a zero-offset second-order correlation power analysis (CPA) attack. When the device leaks in Hamming distance, the countermeasure can be improved by the “leakage squeezing”. It consists in manipulating the mask through a bijection, aimed at reducing the dependency between the shares' leakage. Thus dth-order zero-offset attacks, that consist in applying CPA on the dth power of the centered side-channel traces, can be thwarted for d ≥ 2 at no extra cost. We denote by n the size in bits of the shares and call F the transformation function, that is, a bijection of 𝔽2n. In this paper, we explore the functions F that thwart zero-offset high-order CPA (HO-CPA) of maximal order d. We mathematically demonstrate that optimal choices for F relate to optimal binary codes (in the sense of communication theory). First, we exhibit optimal linear F functions. They are suitable for masking schemes where only one mask is used throughout the algorithm. Second, we note that for values of n for which non-linear codes exist with better parameters than linear ones, better protection levels can be obtained. This applies to implementations in which each mask is randomly cast independently of the previous ones. These results are exemplified in the case n = 8, where the optimal F can be identified: it is derived from the optimal rate 1/2 binary code of size 2n, namely the Nordstrom–Robinson (16,256,6) code. This example provides explicitly with the optimal protection that limits to one mask of byte-oriented algorithms such as AES or AES-based SHA-3 candidates. It protects against all zero-offset HO-CPA attacks of order d5. Eventually, the countermeasure is shown to be resilient to imperfect leakage models, where the registers leak differently than the sum of their toggling bits.

Keywords: First-order masking countermeasure (CM); high-order correlation power analysis (HO-CPA); zero-offset HO-CPA; Hamming distance/Hamming weight leakage models; leakage squeezing; linear and non-linear codes

MSC: 94C10

About the article

Received: 2012-07-03

Revised: 2014-05-02

Accepted: 2014-05-07

Published Online: 2014-06-07

Published in Print: 2014-09-01


Citation Information: Journal of Mathematical Cryptology, ISSN (Online) 1862-2984, ISSN (Print) 1862-2976, DOI: https://doi.org/10.1515/jmc-2012-0018.

Export Citation

© 2014 by De Gruyter. Copyright Clearance Center

Comments (0)

Please log in or register to comment.
Log in