DOI: 10.1007/978-3-540-71039-4_8

Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis

Abstract: In the recent years, side channel analysis has received a lot of attention, and attack techniques have been improved. Side channel analysis of second order is now successful in breaking implementations of block ciphers supposed to be effectively protected. This progress shows not only the practicability of second order attacks, but also the need for provably secure countermeasures. Surprisingly, while many studies have been dedicated to the attacks, only a few papers have been published about the ded…

Cited by 61 publications
(123 citation statements)
References 27 publications
“…Namely proving the security of a countermeasure against first-order attacks (t = 1) is usually straightforward, as it suffices to check that every internal variable has the uniform distribution (or at least a distribution independent from the secret-key). Such approach can be extended to second-order attacks by considering pairs of internal variables (as in [RDP08]); however it becomes clearly unfeasible for larger values of t, as the number of t-uples to consider would grow exponentially with t. Alternatively the ISW framework is simulation based: the authors prove the security of their construction against an adversary with at most t probes by showing that any set of t probes can be perfectly simulated without the knowledge of the original input variables (such as x, y in the AND gate z = xy). In [ISW03] this is done by iteratively generating a subset I of indices of the input shares that are sufficient to simulate the t probes; then if |I| < n the corresponding input shares can be perfectly simulated without knowing the original input variable, simply by generating independently and uniformly distributed bits.…”
Section: Introduction (citation type: mentioning)
confidence: 99%
“…We did not implement Genelle et al.'s scheme [12] since it addresses the masking of an overall AES and is not interesting while focusing on a single s-box processing. Regarding existing schemes for DES and PRESENT s-boxes, we implemented the generic methods proposed in [25] (for d = 1) and in [26] (for d = 2). We also implemented the improvement of these schemes described in [26, §3.3] that consists in treating two 4-bit outputs at the same time.…”
Section: Implementation Results (citation type: mentioning)
confidence: 99%
“…At second order, the cost of the secure multiplications involved in the cyclotomic method is approximately doubled, which explains that the overall cost is multiplied by 1.8. This makes it less efficient than [25] and [26], which are less impacted by the increase of the masking order from 1 to 2. At third order, our method is the only one.…”
Section: Implementation Results (citation type: mentioning)
confidence: 99%