Low-Latency and Low-Randomness Second-Order Masked Cubic Functions

Aein Rezaei Shahmirzadi, S. Dhooghe, A. Moradi
Journal: IACR Trans. Cryptogr. Hardw. Embed. Syst. (TCHES), vol. 2023, issue 1, pp. 113-152
DOI: 10.46586/tches.v2023.i1.113-152 (https://doi.org/10.46586/tches.v2023.i1.113-152)
Published: 2022-11-29 (Journal Article)
Citation count: 1

Abstract

Masking schemes are the most popular countermeasure to mitigate Side-Channel Analysis (SCA) attacks. Compared to software, their hardware implementations require certain considerations with respect to physical defaults, such as glitches. To counter this extended leakage effect, the technique known as Threshold Implementation (TI) has proven to be a reliable solution. However, its efficiency, namely the number of shares, is tied to the algebraic degree of the target function. As a result, the application of TI may lead to unaffordable implementation costs. This dependency is relaxed by the successor schemes, where the minimum number of d + 1 shares suffices for dth-order protection independent of the function's algebraic degree. By this, although the number of input shares is reduced, the implementation costs are not necessarily low due to their high demand for fresh randomness. It becomes even more challenging when a joint low-latency and low-randomness cost is desired. In this work, we provide a methodology to realize the second-order glitch-extended probing-secure implementation of cubic functions with three shares while allowing fresh randomness to be reused. This enables us to construct low-latency second-order secure implementations of several popular lightweight block ciphers, including Skinny, Midori, and Prince, with a very limited number of fresh masks. Notably, compared to state-of-the-art equivalent implementations, our designs lower the latency in terms of the number of clock cycles while keeping randomness costs low.