Franck Rondepierre

High Order Masking of Look-up Tables with Common Shares

Masking is an effective countermeasure against side-channel attacks. In this paper, we improve the efficiency of the high-order masking of look-up tables countermeasure introduced at Eurocrypt 2014, based on a combination of three techniques, and still with a proof of security in the Ishai-Sahai-Wagner (ISW) probing model. The first technique consists in proving security under the stronger t-SNI definition, which enables to use n = t+1 shares instead of n = 2t+1 against t-th order attacks. The second technique consists in progressively incrementing the number of shares within the countermeasure, from a single share to n, thereby reducing the complexity of the countermeasure. The third technique consists in adapting the common shares approach introduced by Coron et al. at CHES 2016, so that half of a randomized look-up table can be pre-computed for multiple SBoxes. We show that our techniques perform well in practice. In theory, the combination of the three techniques should lead to a factor 10.7 improvement in efficiency, for a large number of shares. For a practical implementation with a reasonable number of shares, we get a 4.8 speed-up factor for AES.

Differential Power Analysis of HMAC SHA-1 and HMAC SHA-2 in the Hamming Weight Model

As any algorithm manipulating secret data, HMAC is potentially vulnerable to side channel attacks. In 2004, Lemke et al. fully described a differential power attack on HMAC with RIPEMD-160 in the Hamming weight leakage model, and mentioned a possible extension to SHA-1. Later in 2007, McEvoy et al. proposed an attack against HMAC with hash functions from the SHA-2 family, that works in the Hamming distance leakage model. This attack makes strong assumptions on the target implementation. In this paper, we present an attack on HMAC SHA-2 in the Hamming weight leakage model, which advantageously can be used when no information is available on the targeted implementation. Furthermore, we give a full description of an extension of this attack to HMAC SHA-1. We also provide a careful study of the protections to develop in order to minimize the impact of the security on the performances.