Secure Multiplication for Bitslice Higher-Order Masking: Optimisation and Comparison

@inproceedings{Goudarzi2018SecureMF,
  title={Secure Multiplication for Bitslice Higher-Order Masking: Optimisation and Comparison},
  author={Dahmun Goudarzi and Anthony Journault and Matthieu Rivain and François-Xavier Standaert},
  booktitle={COSADE},
  year={2018}
}
In this paper, we optimize the performance of, and compare, several recent masking schemes in bitslice on 32-bit ARM devices, with a focus on multiplication. Our main conclusion is that efficiency (or randomness) gains always come at a cost, either in terms of composability or in terms of resistance against horizontal attacks. Our evaluations should therefore allow a designer to select a masking scheme based on implementation constraints and security requirements. They also highlight the increasing… 
Masking Kyber: First- and Higher-Order Implementations
TLDR
This work demonstrates the first completely masked implementation of Kyber which is protected against first- and higher-order attacks, and proposes a higher-order algorithm for the one-bit compression operation based on a masked bit-sliced binary search that can be applied to prime moduli.
Fast Verification of Masking Schemes in Characteristic Two
TLDR
The matrix model for non-interference (NI) probing security of masking gadgets is revisited and the theorems on which this model is based are generalised, so as to be able to apply them to masking schemes over any finite field and to analyse the strong non-interference (SNI) security notion.
Pyjamask: Block Cipher and Authenticated Encryption with Highly Efficient Masked Implementation
TLDR
This paper introduces Pyjamask, a new block cipher family and authenticated encryption proposal submitted to the NIST lightweight cryptography standardization process and provides a detailed design rationale for the block cipher which is guided by the aim of software efficiency in the presence of high-order masking.
Provable Order Amplification for Code-Based Masking: How to Avoid Non-Linear Leakages Due to Masked Operations
TLDR
It is shown that the issue of only linear operations can be provably avoided and that it is possible to obtain security order amplification for any functionality to implement and that (not so) slightly non-linear leakage functions do not annihilate the nice properties.
SKIVA: Flexible and Modular Side-channel and Fault Countermeasures
TLDR
SKIVA is described, a customized 32-bit processor enabling the design of software countermeasures for a broad range of implementation attacks, covering fault injection and side-channel analysis of timing-based and power-based leakage, implemented as variants of bitslice programming.
Share-slicing: Friend or Foe?
TLDR
This work shows that micro-architectural features of the M0 and M3 undermine the independence assumptions made in masking proofs and thus their theoretical guarantees do not translate into practice and demonstrates how difficult it is to link theoretical security proofs to practical real-world security guarantees.
Secure Wire Shuffling in the Probing Model
TLDR
The first improvement of the wire shuffling countermeasure against side-channel attacks described by Ishai, Sahai and Wagner at Crypto 2003 is described, and it is shown how to get worst-case statistical security against t probes with running time O(t) instead of O(t log t).
Circuit Masking: From Theory to Standardization, A Comprehensive Survey for Hardware Security Researchers and Practitioners
TLDR
This survey provides a research landscape of circuit masking for newcomers to the field, offers guidelines on which attack model and verification tool to choose when designing masking schemes, and identifies interesting new research directions where masking models and assessment tools can be applied.
Secure Shuffling in the Probing Model
TLDR
The first improvement of the shuffling countermeasure against side-channel attacks described by Ishai, Sahai and Wagner at Crypto 2003 is described, and it is shown how to get worst-case statistical security against t probes with running time O(t) instead of O(t log t).
A New Method for Designing Lightweight S-Boxes With High Differential and Linear Branch Numbers, and its Application
TLDR
This paper develops a variety of new lightweight S-boxes that provide not only both DBN and LBN of at least 3 but also efficient bitsliced implementations including at most 11 nonlinear bitwise operations.
References

Very High Order Masking: Efficient Implementation and Security Evaluation
TLDR
This paper proposes a new “multi-model” evaluation methodology which takes advantage of different (more or less abstract) security models introduced in the literature and concludes that these implementations withstand worst-case adversaries with \(>\!2^{64}\) measurements under falsifiable assumptions.
How Fast Can Higher-Order Masking Be in Software?
TLDR
This paper investigates efficient higher-order masking techniques through a case study on ARM architectures, examining the implementation of the base field multiplication at the assembly level and investigating an alternative to these methods which is based on bitslicing at the S-box level.
Provably Secure Higher-Order Masking of AES
TLDR
This paper presents the first generic dth-order masking scheme for AES with a provable security and a reasonable software implementation overhead and can be efficiently implemented in software on any general-purpose processor.
Does Coupling Affect the Security of Masked Implementations?
TLDR
This paper investigates the effect of the physical placement on the security using leakage assessment on power measurements collected from an FPGA and uses threshold implementations as masking scheme in conjunction with a high-entropy pseudorandom number generator.
Higher-Order Side Channel Security and Mask Refreshing
TLDR
This paper shows that the method proposed at CHES 2010 to do mask refreshing introduces a security flaw in the overall masking scheme, and proposes a new solution which avoids the use of mask refreshing, and proves its security.
Masking against Side-Channel Attacks: A Formal Security Proof
TLDR
It is proved that the information gained by observing the leakage from one execution can be made negligible (in the masking order) and a formal security proof for masked implementations of block ciphers is provided.
Horizontal Side-Channel Attacks and Countermeasures on the ISW Masking Scheme
A common countermeasure against side-channel attacks consists in using the masking scheme originally introduced by Ishai, Sahai and Wagner (ISW) at Crypto 2003, and further generalized by Rivain and
Randomness Complexity of Private Circuits for Multiplication
TLDR
A new dedicated verification tool, based on information set decoding, is provided, which aims at finding attacks on algorithms for fixed order d at a very low computational cost.
Parallel Implementations of Masking Schemes and the Bounded Moment Leakage Model
TLDR
It is proved that probing security for a serial implementation implies bounded moment security for its parallel counterpart, which enables an accurate understanding of the links between formal security analyses of masking schemes and experimental security evaluations based on the estimation of statistical moments.
Bitslice Ciphers and Power Analysis Attacks
TLDR
This paper analyzes and extends a technique proposed in [12] and applies it to BaseKing, a variant of 3-Way that was published in [7], and introduces an alternative method to protect against power analysis specific for BaseKing.