Threshold implementations with non-uniform inputs. (English) Zbl 07927466

Carlet, Claude (ed.) et al., Selected areas in cryptography – SAC 2023. 30th international conference, Fredericton, Canada, August 14–18, 2023. Revised selected papers. Cham: Springer. Lect. Notes Comput. Sci. 14201, 97-123 (2024).
Summary: Modern block ciphers designed for hardware and masked with Threshold Implementations (TIs) provide provable security against first-order attacks. However, applying TIs leaves designers with a trade-off between security and cost, for example the cost of generating the required random bits. This generation cost comes with increased overhead in terms of area and latency. Decreasing the number of random bits used for the masking reduces this overhead.
We propose reducing the randomness used to mask the secrets, such as the plaintext. For that purpose, we suggest relaxing the requirement that the input shares be uniform and reusing randomness for their masking in first-order TIs. We apply our countermeasures to first-order TIs of the Prince and Midori64 ciphers with three shares. Since the designs with non-uniform masks are no longer perfectly first-order probing secure, we provide further analysis by calculating bounds on the advantage of a noisy threshold-probing adversary. We then use the PROLEAD tool, which implements statistical tests verifying robust probing security, to compare its output with our estimates. Finally, we evaluate the designs on FPGA to highlight the practical security of our solution. We observe that their security holds while requiring four times less randomness than uniform TIs.
For the entire collection see [Zbl 07831434].

MSC:

94A60 Cryptography
68P25 Data encryption (aspects in computer science)
Full Text: DOI
