On Correlation-Immune Functions
CRYPTO '91 Proceedings of the 11th Annual International Cryptology Conference on Advances in Cryptology
A Compact Rijndael Hardware Architecture with S-Box Optimization
ASIACRYPT '01 Proceedings of the 7th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
DES and Differential Power Analysis (The "Duplication" Method)
CHES '99 Proceedings of the First International Workshop on Cryptographic Hardware and Embedded Systems
Power and electromagnetic analysis: improved model, consequences and comparisons
Integration, the VLSI Journal - Special issue: Embedded cryptographic hardware
A Unified Framework for the Analysis of Side-Channel Key Recovery Attacks
EUROCRYPT '09 Proceedings of the 28th Annual International Conference on Advances in Cryptology: the Theory and Applications of Cryptographic Techniques
Statistical Analysis of Second Order Differential Power Analysis
IEEE Transactions on Computers
Mutual Information Analysis: How, When and Why?
CHES '09 Proceedings of the 11th International Workshop on Cryptographic Hardware and Embedded Systems
Investigation of DPA Resistance of Block RAMs in Cryptographic Implementations on FPGAs
RECONFIG '10 Proceedings of the 2010 International Conference on Reconfigurable Computing and FPGAs
Mutual Information Analysis: a Comprehensive Study
Journal of Cryptology - Special Issue on Hardware and Security
Generic side-channel distinguishers: improvements and limitations
CRYPTO'11 Proceedings of the 31st annual conference on Advances in cryptology
A stochastic model for differential side channel cryptanalysis
CHES'05 Proceedings of the 7th international conference on Cryptographic hardware and embedded systems
Improved higher-order side-channel attacks with FPGA experiments
CHES'05 Proceedings of the 7th international conference on Cryptographic hardware and embedded systems
A first-order leak-free masking countermeasure
CT-RSA'12 Proceedings of the 12th conference on Topics in Cryptology
Hi-index | 0.00 |
Hardware devices can be protected against side-channel attacks by introducing one random mask per sensitive variable. The computation throughout is unaltered if the shares (masked variable and mask) are processed concomitantly, in two distinct registers. Nonetheless, this setup can be attacked by a zero-offset second-order CPA attack. The countermeasure can be improved by manipulating the mask through a bijection F, aimed at reducing the dependency between the shares. Thus dth-order zero-offset attacks, that consist in applying CPA on the dth power of the centered side-channel traces, can be thwarted for d≥2 at no extra cost. We denote by n the size in bits of the shares and call F the transformation function, that is a bijection of $\mathbb{F}_2^n$. In this paper, we explore the functions F that thwart zero-offset HO-CPA of maximal order d. We mathematically demonstrate that optimal choices for F relate to optimal binary codes (in the sense of communication theory). First, we exhibit optimal linear F functions. Second, we note that for values of n for which non-linear codes exist with better parameters than linear ones. These results are exemplified in the case n=8, the optimal F can be identified:it is derived from the optimal rate 1/2 binary code of size 2n, namely the Nordstrom-Robinson (16, 256, 6) code. This example provides explicitly with the optimal protection that limits to one mask of byte-oriented algorithms such as AES or AES-based SHA-3 candidates. It protects against all zero-offset HO-CPA attacks of order d≤5. Eventually, the countermeasure is shown to be resilient to imperfect leakage models.