DOI: 10.1145/3338467.3358950
First-Order Masking with Only Two Random Bits

Published: 11 November 2019

Abstract

Masking is the best-researched countermeasure against side-channel analysis attacks. Even though masking was introduced almost 20 years ago, its efficient implementation continues to be an active research topic. Many of the existing works focus on the reduction of randomness requirements since the production of fresh random bits with high entropy is very costly in practice. Most of these works rely on the assumption that only so-called online randomness results in additional costs. In practice, however, it turns out that the distinction between the randomness costs to produce the initial masking and the randomness to maintain security during computation (online) is not meaningful. In this work, we thus study the question of minimum randomness requirements for first-order Boolean masking when taking the costs for initial randomness into account. We demonstrate that first-order masking can in theory always be performed by using just two fresh random bits and without requiring online randomness. We first show that two random bits are enough to mask linear transformations and then discuss prerequisites under which nonlinear transformations can be securely performed in the same way. Subsequently, we introduce a new masked AND gate that fulfills these requirements and which forms the basis for our synthesis tool that automatically transforms an unmasked implementation into a first-order secure masked implementation. We demonstrate the feasibility of this approach by implementing AES in software with only two bits of randomness, including the initial masking. Finally, we use these results to discuss the gap between theory and practice and the need for more accurate adversary models.
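To make the two notions the abstract relies on concrete (linear layers that can be masked share-wise without consuming randomness, and nonlinear gates that need care), here is an added example written for this page. It is not code from the paper and does not reproduce the paper's masked AND gate or its synthesis tool. It shares each bit as x = x0 XOR x1, applies XOR share-wise, and contrasts a textbook first-order ISW-style AND that burns one fresh "online" random bit per gate with the same gate with that bit removed. The `first_order_leaks` function is an assumed, deliberately small brute-force checker: for every named intermediate it enumerates the value distribution over all random bits, separately for each secret input, and reports the intermediates whose distribution depends on the secret. It models values only, not glitches and not transitions between successive register contents; that restriction is exactly the kind of gap between theory and practice the abstract's last sentence refers to, and the one Wegener and Moradi's note on transitional leakage for the two-random-bit AES (ePrint 2018/1117) concerns.

```python
"""Added example, not code from the paper or its synthesis tool.

First-order Boolean masking of a few gates, plus a brute-force 1-probe check:
an intermediate is first-order secure if its distribution over the random
bits is the same for every value of the secret inputs. Value-level model
only (no glitches, no register transitions).
"""
import itertools
from collections import Counter


def share(x, r):
    """Split secret bit x into two Boolean shares with mask bit r: x == x0 ^ x1."""
    return (x ^ r, r)


def unshare(s):
    return s[0] ^ s[1]


def masked_xor(a, b):
    """Linear gate: act share-wise. No fresh randomness is consumed and the
    result is again a valid sharing of a ^ b."""
    return (a[0] ^ b[0], a[1] ^ b[1])


def masked_and_isw(a, b, r, trace):
    """First-order ISW-style AND that consumes one fresh random bit r.
    Every intermediate is appended to `trace` as (name, value) so the checker
    can probe it. Evaluation order matters: r is XORed in before the cross
    terms are combined, so no partial sum ever equals a0 & b or a & b0."""
    a0, a1 = a
    b0, b1 = b
    trace += [("a0b0", a0 & b0), ("a0b1", a0 & b1),
              ("a1b0", a1 & b0), ("a1b1", a1 & b1)]
    x = r ^ (a0 & b1)
    trace.append(("r^a0b1", x))
    x ^= a1 & b0
    trace.append(("r^a0b1^a1b0", x))
    c0 = (a0 & b0) ^ x
    c1 = (a1 & b1) ^ r
    trace += [("c0", c0), ("c1", c1)]
    return (c0, c1)


def masked_and_naive(a, b, r, trace):
    """The same AND with the refresh bit dropped (r is ignored). The partial
    sum a0b0 ^ a0b1 equals a0 & (b0 ^ b1) = a0 & b, which depends on the
    secret b, so a single probe on it recovers information about b."""
    a0, a1 = a
    b0, b1 = b
    x = (a0 & b0) ^ (a0 & b1)
    trace.append(("a0b0^a0b1", x))
    c0 = x ^ (a1 & b0)
    c1 = a1 & b1
    trace += [("c0", c0), ("c1", c1)]
    return (c0, c1)


def first_order_leaks(gate):
    """Exhaustive 1-probe check of a two-input masked gate.

    For each named intermediate, collect its value distribution over all
    random bits (ra, rb for the input sharings, r for the gate), separately
    for each secret input pair (a, b). Returns, sorted, the names whose
    distribution differs between secrets: the probes a first-order attacker
    could exploit. An empty list means every single intermediate is
    independent of the secrets in this value-level model.
    """
    dists = {}  # name -> {(a, b): Counter of observed values}
    for a, b in itertools.product((0, 1), repeat=2):
        for ra, rb, r in itertools.product((0, 1), repeat=3):
            sa, sb = share(a, ra), share(b, rb)
            trace = [("a0", sa[0]), ("a1", sa[1]), ("b0", sb[0]), ("b1", sb[1])]
            c = gate(sa, sb, r, trace)
            assert unshare(c) == (a & b), "gate is not functionally correct"
            for name, v in trace:
                dists.setdefault(name, {}).setdefault((a, b), Counter())[v] += 1
    leaking = []
    for name, per_secret in dists.items():
        if len({frozenset(cnt.items()) for cnt in per_secret.values()}) > 1:
            leaking.append(name)
    return sorted(leaking)


if __name__ == "__main__":
    print("ISW AND leaks:", first_order_leaks(masked_and_isw))      # []
    print("naive AND leaks:", first_order_leaks(masked_and_naive))  # ['a0b0^a0b1', 'c0']
```

The checker is exhaustive only because the gadget is tiny (two secret bits, three random bits); for anything the size of an AES S-box one uses a tool such as a formal masking verifier, but the question it answers per probe is the same one asked here. Note that the naive gate is functionally correct and the checker still rejects it, which is why correctness tests alone say nothing about side-channel security.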


Cited By

  • Rivain-Prouff on Steroids: Faster and Stronger Masking of the AES. Smart Card Research and Advanced Applications (2023), 123-145. https://doi.org/10.1007/978-3-031-25319-5_7 (published 29 Jan 2023)
  • Design and Implementation of a Secure RISC-V Microprocessor. IEEE Transactions on Very Large Scale Integration (VLSI) Systems 30(11) (2022), 1705-1715. https://doi.org/10.1109/TVLSI.2022.3203307 (published Nov 2022)
  • Evolving a Boolean Masked Adder Using Neuroevolution. Attacks and Defenses for the Internet-of-Things (2022), 21-40. https://doi.org/10.1007/978-3-031-21311-3_2 (published 11 Dec 2022)
  • Provable Secure Software Masking in the Real-World. Constructive Side-Channel Analysis and Secure Design (2022), 215-235. https://doi.org/10.1007/978-3-030-99766-3_10 (published 26 Mar 2022)
  • Dynamic Random Probing Expansion with Quasi Linear Asymptotic Complexity. Advances in Cryptology – ASIACRYPT 2021 (2021), 157-188. https://doi.org/10.1007/978-3-030-92075-3_6 (published 1 Dec 2021)
  • Masked Implementation of PIPO Block Cipher on 8-bit AVR Microcontrollers. Information Security Applications (2021), 171-182. https://doi.org/10.1007/978-3-030-89432-0_14 (published 27 Oct 2021)

Published In

cover image ACM Conferences
TIS'19: Proceedings of ACM Workshop on Theory of Implementation Security Workshop
November 2019
43 pages
ISBN:9781450368278
DOI:10.1145/3338467

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. aes
  2. first-order masking
  3. masking
  4. randomness
  5. side-channel analysis

Qualifiers

  • Research-article

Conference

CCS '19

Article Metrics

  • Downloads (last 12 months): 30
  • Downloads (last 6 weeks): 3
Reflects downloads up to 15 Oct 2024
