Show Summary Details
More options …

Journal of Mathematical Cryptology

Managing Editor: Magliveras, Spyros S. / Steinwandt, Rainer / Trung, Tran

Editorial Board Member: Blackburn, Simon R. / Blundo, Carlo / Burmester, Mike / Cramer, Ronald / Dawson, Ed / Gilman, Robert / Gonzalez Vasco, Maria Isabel / Grosek, Otokar / Helleseth, Tor / Kim, Kwangjo / Koblitz, Neal / Kurosawa, Kaoru / Lauter, Kristin / Lange, Tanja / Menezes, Alfred / Nguyen, Phong Q. / Pieprzyk, Josef / Rötteler, Martin / Safavi-Naini, Rei / Shparlinski, Igor E. / Stinson, Doug / Takagi, Tsuyoshi / Williams, Hugh C. / Yung, Moti

4 Issues per year

CiteScore 2016: 0.74

SCImago Journal Rank (SJR) 2016: 0.463
Source Normalized Impact per Paper (SNIP) 2016: 0.778

Mathematical Citation Quotient (MCQ) 2016: 0.16

Online
ISSN
1862-2984
See all formats and pricing
More options …

Leakage squeezing: Optimal implementation and security evaluation

Claude Carlet
• LAGA, UMR 7539, CNRS, University of Paris XIII and University of Paris VIII, 2 rue de la liberté, 93526 Saint-Denis Cedex, France
• Email
• Other articles by this author:
/ Jean-Luc Danger
• TELECOM-ParisTech, Crypto Group, 37/39 rue Dareau, 75634 Paris Cedex 13; and Secure-IC S.A.S., 80 avenue des Buttes de Coësmes, 35700 Rennes, France
• Email
• Other articles by this author:
/ Sylvain Guilley
• TELECOM-ParisTech, Crypto Group, 37/39 rue Dareau, 75634 Paris Cedex 13; and Secure-IC S.A.S., 80 avenue des Buttes de Coësmes, 35700 Rennes, France
• Email
• Other articles by this author:
/ Houssem Maghrebi
• TELECOM-ParisTech, Crypto Group, 37/39 rue Dareau, 75634 Paris Cedex 13; and MORPHO, 18 chaussée Jules César, 95520 Osny, France
• Email
• Other articles by this author:
Published Online: 2014-06-07 | DOI: https://doi.org/10.1515/jmc-2012-0018

Abstract

Hardware devices can be protected against side-channel attacks by introducing one random mask per sensitive variable. The computation throughout is unaltered if the shares (masked variable and mask) are processed concomitantly, in two distinct registers. Nonetheless, this setup can still be attacked if the side-channel is squared, because this operation causes an interference between the two shares. This more sophisticated analysis is referred to as a zero-offset second-order correlation power analysis (CPA) attack. When the device leaks in Hamming distance, the countermeasure can be improved by the “leakage squeezing”. It consists in manipulating the mask through a bijection, aimed at reducing the dependency between the shares' leakage. Thus dth-order zero-offset attacks, that consist in applying CPA on the dth power of the centered side-channel traces, can be thwarted for d ≥ 2 at no extra cost. We denote by n the size in bits of the shares and call F the transformation function, that is, a bijection of ${𝔽}_{2}^{n}$. In this paper, we explore the functions F that thwart zero-offset high-order CPA (HO-CPA) of maximal order d. We mathematically demonstrate that optimal choices for F relate to optimal binary codes (in the sense of communication theory). First, we exhibit optimal linear F functions. They are suitable for masking schemes where only one mask is used throughout the algorithm. Second, we note that for values of n for which non-linear codes exist with better parameters than linear ones, better protection levels can be obtained. This applies to implementations in which each mask is randomly cast independently of the previous ones. These results are exemplified in the case n = 8, where the optimal F can be identified: it is derived from the optimal rate 1/2 binary code of size $2n$, namely the Nordstrom–Robinson $\left(16,256,6\right)$ code. This example provides explicitly with the optimal protection that limits to one mask of byte-oriented algorithms such as AES or AES-based SHA-3 candidates. It protects against all zero-offset HO-CPA attacks of order $d\le 5$. Eventually, the countermeasure is shown to be resilient to imperfect leakage models, where the registers leak differently than the sum of their toggling bits.

MSC: 94C10

Revised: 2014-05-02

Accepted: 2014-05-07

Published Online: 2014-06-07

Published in Print: 2014-09-01

Citation Information: Journal of Mathematical Cryptology, ISSN (Online) 1862-2984, ISSN (Print) 1862-2976,

Export Citation