Second-Order SCA Security with almost no Fresh Randomness

Authors

  • Aein Rezaei Shahmirzadi Ruhr University Bochum, Horst Görtz Institute for IT Security, Bochum, Germany
  • Amir Moradi Ruhr University Bochum, Horst Görtz Institute for IT Security, Bochum, Germany

DOI:

https://doi.org/10.46586/tches.v2021.i3.708-755

Keywords:

Side-Channel Analysis, Masking, Hardware, Threshold Implementation

Abstract

Masking schemes are among the most popular countermeasures against Side-Channel Analysis (SCA) attacks. Realization of masked implementations on hardware faces several difficulties including dealing with glitches. Threshold Implementation (TI) is known as the first strategy with provable security in presence of glitches. In addition to the desired security order d, TI defines the minimum number of shares to also depend on the algebraic degree of the target function. This may lead to unaffordable implementation costs for higher orders.
For example, at least five shares are required to protect the smallest nonlinear function against second-order attacks. By cuttingsuch a dependency, the successor schemes are able to achieve the same security level by just d + 1 shares, at the cost of high demand for fresh randomness, particularly at higher orders. In this work, we provide a methodology to realize the second-order glitch-extended probing-secure implementation of a group of quadratic functions with three shares and no fresh randomness. This allows us to construct second-order secure implementations of several cryptographic primitives with very limited number of fresh masks, including Keccak, SKINNY, Midori, PRESENT, and PRINCE.

Downloads

Published

2021-07-09

Issue

Section

Articles

How to Cite

Second-Order SCA Security with almost no Fresh Randomness. (2021). IACR Transactions on Cryptographic Hardware and Embedded Systems, 2021(3), 708-755. https://doi.org/10.46586/tches.v2021.i3.708-755