Side-Channel Masking with Common Shares

Authors

  • Weijia Wang School of Cyber Science and Technology, Shandong University, Qingdao, China; Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Qingdao, China; Quan Cheng Shandong Laboratory, Jinan, China
  • Chun Guo School of Cyber Science and Technology, Shandong University, Qingdao, China; Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Qingdao, China; Shandong Research Institute of Industrial Technology, Jinan, China
  • Yu Yu Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai, China; Shanghai Qi Zhi Institute, Shanghai, China; Shanghai Key Laboratory of Privacy-Preserving Computation, Shanghai, China
  • Fanjie Ji School of Cyber Science and Technology, Shandong University, Qingdao, China
  • Yang Su School of Cyber Science and Technology, Shandong University, Qingdao, China

DOI:

https://doi.org/10.46586/tches.v2022.i3.290-329

Keywords:

Side-Channel Attack, Masking, Cost Amortization, Precomputation

Abstract

To counter side-channel attacks, a masking scheme randomly encodes keydependent variables into several shares, and transforms operations into the masked correspondence (called gadget) operating on shares. This provably achieves the de facto standard notion of probing security.
We continue the long line of works seeking to reduce the overhead of masking. Our main contribution is a new masking scheme over finite fields in which shares of different variables have a part in common. This enables the reuse of randomness / variables across different gadgets, and reduces the total cost of masked implementation. For security order d and circuit size l, the randomness requirement and computational complexity of our scheme are Õ(d2) and Õ(ld2) respectively, strictly improving upon the state-of-the-art Õ(d2) and Õ(ld3) of Coron et al. at Eurocrypt 2020.
A notable feature of our scheme is that it enables a new paradigm in which many intermediates can be precomputed before executing the masked function. The precomputation consumes Õ(ld2) and produces Õ(ld) variables to be stored in RAM. The cost of subsequent (online) computation is reduced to Õ(ld), effectively speeding up e.g., challenge-response authentication protocols. We showcase our method on the AES on ARM Cortex M architecture and perform a T-test evaluation. Our results show a speed-up during the online phase compared with state-of-the-art implementations, at the cost of acceptable RAM consumption and precomputation time.
To prove security for our scheme, we propose a new security notion intrinsically supporting randomness / variables reusing across gadgets, and bridging the security of parallel compositions of gadgets to general compositions, which may be of independent interest.

Downloads

Published

2022-06-08

Issue

Section

Articles

How to Cite

Side-Channel Masking with Common Shares. (2022). IACR Transactions on Cryptographic Hardware and Embedded Systems, 2022(3), 290-329. https://doi.org/10.46586/tches.v2022.i3.290-329