Cryptanalysis of Masked Ciphers: A Not So Random Idea

Beyne, Tim; Dhooghe, Siemen; Zhang, Zhenda

doi:10.1007/978-3-030-64837-4_27

Cited by 11 publications

(27 citation statements)

References 37 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Reduction of the number of required fresh masks per cipher round (due to the composition) is of interesting topics as well. We should refer to the relevant study [BDZ20], which addresses some interesting facts with respect to reusing the masks to refresh the shares between consecutive cipher rounds in higher-order td + 1 masked designs. Further, it has been stated in [BKN19], that when each S-box requires n-bit fresh masks, having 16 S-boxes in a second-order implementation of PRINCE, 4n fresh mask bits are adequate to apply instead of 16n bits, i.e., reusing the fresh masks.…”

Section: Discussionmentioning

confidence: 99%

Second-Order SCA Security with almost no Fresh Randomness

Shahmirzadi

Moradi

2021

TCHES

View full text Add to dashboard Cite

Masking schemes are among the most popular countermeasures against Side-Channel Analysis (SCA) attacks. Realization of masked implementations on hardware faces several difficulties including dealing with glitches. Threshold Implementation (TI) is known as the first strategy with provable security in presence of glitches. In addition to the desired security order d, TI defines the minimum number of shares to also depend on the algebraic degree of the target function. This may lead to unaffordable implementation costs for higher orders.For example, at least five shares are required to protect the smallest nonlinear function against second-order attacks. By cuttingsuch a dependency, the successor schemes are able to achieve the same security level by just d + 1 shares, at the cost of high demand for fresh randomness, particularly at higher orders. In this work, we provide a methodology to realize the second-order glitch-extended probing-secure implementation of a group of quadratic functions with three shares and no fresh randomness. This allows us to construct second-order secure implementations of several cryptographic primitives with very limited number of fresh masks, including Keccak, SKINNY, Midori, PRESENT, and PRINCE.

show abstract

Section: Discussionmentioning

confidence: 99%

Second-Order SCA Security with almost no Fresh Randomness

Shahmirzadi

Moradi

2021

TCHES

View full text Add to dashboard Cite

show abstract

“…Figure 1: Representation of a threshold circuit assuming an equal number of input and output shares [1].…”

Section: Encodermentioning

confidence: 99%

“…Instead, the Threshold Implementation approach was generalized for second-order security using fresh randomness by the "Consolidating Masking Schemes" (CMS) approach [18]. Only recently a secure extension of the threshold model was proposed for second-order security [1]. Interestingly enough, this extension makes heavy use of the cryptanalytic properties of the shared cipher such as its diffusion layers and nonlinearity of its S-box.…”

Section: Encodermentioning

confidence: 99%

“…Further details on this decomposition are given in Appendix A.1. The masking of the S-box is constructed from the masking of G which is inspired from the work by Beyne et al [1] and is detailed in Appendix A.2. This masking consists of seven input shares and seven output shares and is uniform and second-order non-complete.…”

Section: Seven-shared Presentmentioning

confidence: 99%

“…We argue that re-using the randomness every 14 rounds is secure as long as the adversary is limited in the number of probing queries. More specifically, we move from the simulation based security model as defined in Section 2.2 to the bounded query model defined by Beyne et al [1] which defines a security model where the adversary is admitted only a limited number of probing queries. In the bounded query model, we make use of linear cryptanalytic security arguments using a trail-wise approach.…”

Section: Moving To Bounded-query Securitymentioning

confidence: 99%

See 2 more Smart Citations

Resilient uniformity: applying resiliency in masking

Dhooghe

Nikova

2021

Cryptogr. Commun.

Self Cite

View full text Add to dashboard Cite

Threshold Implementations are known countermeasures defending against side-channel attacks via the use of masking techniques. While sufficient properties are known to defend against first-order sidechannel attacks, it is not known how to achieve higher-order security. This work generalizes the Threshold Implementation notion of uniformity and proves it achieves second-order protection. The notion is applied to create a second-order masking of the Present cipher with a low randomness cost.

show abstract

Analyzing Masked Ciphers Against Transition and Coupling Effects

Dhooghe¹

2021

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Cryptanalysis of Masked Ciphers: A Not So Random Idea

Cited by 11 publications

References 37 publications

Second-Order SCA Security with almost no Fresh Randomness

Second-Order SCA Security with almost no Fresh Randomness

Resilient uniformity: applying resiliency in masking

Analyzing Masked Ciphers Against Transition and Coupling Effects

Contact Info

Product

Resources

About