Changing of the Guards: A Simple and Efficient Method for Achieving Uniformity in Threshold Sharing

Daemen, Joan

doi:10.1007/978-3-319-66787-4_7

Cited by 42 publications

(61 citation statements)

References 28 publications

(33 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Moreover, a flaw in their design was detected and reported by Wegener and Moradi [WM18a]. The S-box of [WM18a] also has four input and output shares and exploits the changing of the guards trick by Daemen [Dae17] to obtain zero online randomness consumption. Their full design uses the dynamic conversion approach, but avoids extra online randomness by a clever recycling of independent state bytes.…”

Section: Randomness In Perspectivementioning

confidence: 99%

First-Order Masking with Only Two Random Bits

Groß

Stoffelen

Meyer

et al. 2019

Proceedings of ACM Workshop on Theory of Implementation Security Workshop

View full text Add to dashboard Cite

Masking is the best-researched countermeasure against side-channel analysis attacks. Even though masking was introduced almost 20 years ago, its efficient implementation continues to be an active research topic. Many of the existing works focus on the reduction of randomness requirements since the production of fresh random bits with high entropy is very costly in practice. Most of these works rely on the assumption that only so-called online randomness results in additional costs. In practice, however, it shows that the distinction between randomness costs to produce the initial masking and the randomness to maintain security during computation (online) is not meaningful. In this work, we thus study the question of minimum randomness requirements for first-order Boolean masking when taking the costs for initial randomness into account. We demonstrate that first-order masking can in theory always be performed by just using two fresh random bits and without requiring online randomness. We first show that two random bits are enough to mask linear transformations and then discuss prerequisites under which nonlinear transformations are securely performed likewise. Subsequently, we introduce a new masked AND gate that fulfills these requirements and which forms the basis for our synthesis tool that automatically transforms an unmasked implementation into a first-order secure masked implementation. We demonstrate the feasibility of this approach by implementing AES in software with only two bits of randomness, including the initial masking. Finally, we use these results to discuss the gap between theory and practice and the need for more accurate adversary models.

show abstract

Section: Randomness In Perspectivementioning

confidence: 99%

First-Order Masking with Only Two Random Bits

Groß

Stoffelen

Meyer

et al. 2019

Proceedings of ACM Workshop on Theory of Implementation Security Workshop

View full text Add to dashboard Cite

show abstract

“…To ensure uniformity for permutations (m = n), we can simply check if the shared version of f is an m × s-bit permutation [3] (or prove it is invertible [14]).…”

Section: Threshold Implementationmentioning

confidence: 99%

“…Recently, De Meyer, Moradi and Wegener proposed a bit-serialized implementation of the Sbox of AES [13]: although their implementation with AES can be easily deployed in many applications, it comes with the price of adding fresh randomness. Joan Daemen proposed a technique called "Changing of the Guards", which significantly eases the dilemma between uniformity and fresh randomness [14]. As the "Changing of the Guards" technique borrows randomness from the shares of other concurrent components, engineers no longer need to ensure uniformity for their TI schemes, as long as there are a few extra random bits available in the beginning of the encryption.…”

Section: Introductionmentioning

confidence: 99%

Constructing TI-Friendly Substitution Boxes Using Shift-Invariant Permutations

Gao

Oswald

2019

Topics in Cryptology – CT-RSA 2019

View full text Add to dashboard Cite

The threat posed by side channels requires ciphers that can be efficiently protected in both software and hardware against such attacks. In this paper, we proposed a novel Sbox construction based on iterations of shift-invariant quadratic permutations and linear diffusions. Owing to the selected quadratic permutations, all of our Sboxes enable uniform 3-share threshold implementations, which provide first order SCA protections without any fresh randomness. More importantly, because of the "shift-invariant" property, there are ample implementation trade-offs available, in software as well as hardware. We provide implementation results (software and hardware) for a four-bit and an eight-bit Sbox, which confirm that our constructions are competitive and can be easily adapted to various platforms as claimed. We have successfully verified their resistance to first order attacks based on real acquisitions. Because there are very few studies focusing on software-based threshold implementations, our software implementations might be of independent interest in this regard.

show abstract

“…To reduce the amount of additional randomness, we investigate the following two ideas. Firstly, we show how to apply a simple but effective scheme to reuse randomness, similar to the Changing of the Guards technique proposed by Daemen [Dae17]. In contrast to Daemen's work, our technique can also be applied to modular addition.…”

Section: Our Contributionsmentioning

confidence: 99%

Efficient Side-Channel Protections of ARX Ciphers

Jungk

Petri

Stöttinger

2018

TCHES

View full text Add to dashboard Cite

The current state of the art of Boolean masking for the modular addition operation in software has a very high performance overhead. Firstly, the instruction count is very high compared to a normal addition operation. Secondly, until recently, the entropy consumed by such protections was also quite high. Our paper significantly improves both aspects, by applying the Threshold Implementation (TI) methodology with two shares and by reusing internal values as randomness source in such a way that the uniformity is always preserved. Our approach performs considerably faster compared to the previously known masked addition and subtraction algorithms by Coron et al. and Biryukov et al. improving the state of the art by 36%, if we only consider the number of ARM assembly instructions. Furthermore, similar to the masked adder from Biryukov et al. we reduce the amount of randomness and only require one bit additional entroy per addition, which is a good trade-off for the improved performance. We applied our improved masked adder to ChaCha20, for which we provide two new first-order protected implementations and achieve a 36% improvement over the best published result for ChaCha20 using an ARM Cortex-M4 microprocessor.

show abstract

Changing of the Guards: A Simple and Efficient Method for Achieving Uniformity in Threshold Sharing

Cited by 42 publications

References 28 publications

First-Order Masking with Only Two Random Bits

First-Order Masking with Only Two Random Bits

Constructing TI-Friendly Substitution Boxes Using Shift-Invariant Permutations

Efficient Side-Channel Protections of ARX Ciphers

Contact Info

Product

Resources

About