Publication


Featured research published by Houssem Maghrebi.


the cryptographers track at the rsa conference | 2012

A first-order leak-free masking countermeasure

Houssem Maghrebi; Emmanuel Prouff; Sylvain Guilley; Jean-Luc Danger

One protection of cryptographic implementations against side-channel attacks is the masking of the sensitive variables. In this article, we present a first-order masking that does not leak information when the registers change values according to some specific (and realistic) rules. This countermeasure applies to all devices that leak a function of the distance between consecutive values of internal variables. In particular, we illustrate its practicality on both hardware and software implementations. Moreover, we introduce a framework to evaluate the soundness of the new first-order masking when the leakage slightly deviates from the rules involved to design the countermeasure. It reveals that the countermeasure remains more efficient than the state-of-the-art first-order masking if the deviation from the ideal model is equal to a few tens of percents, and that it is as good as a first-order Boolean masking even if the deviation is 50%.


smart card research and advanced application conference | 2014

Study of a Novel Software Constant Weight Implementation

Victor Servant; Nicolas Debande; Houssem Maghrebi; Julien Bringer

While in the early 2000’s lots of research was focused on Differential Power Analysis of first and second-order, it seems the recent trend is of even higher-order. As this order grows, countermeasures such as masking need to be designed in a more generic way. In this paper, we introduce a new constant weight implementation of the AES extending the idea of the software dual-rail countermeasure proposed by Hoogvorst et al. at COSADE 2011. Notably, we illustrate its practicality on 16-bit microcontroller in terms of speed and complexity. This countermeasure applies to all devices that leak a function of the Hamming weight of the internal variables. Under this assumption, our constant weight implementation is theoretically inherently resistant to side-channel attacks of any order. A security evaluation is conducted to analyze its resistance when the leakage slightly deviates from the Hamming weight assumption. It reveals that the countermeasure remains as good as several well-known masking countermeasures. Moreover, the proposed countermeasure offers the possibility to detect some classes of faults.


international conference on cryptology in africa | 2012

Optimal first-order masking with linear and non-linear bijections

Houssem Maghrebi; Claude Carlet; Sylvain Guilley; Jean-Luc Danger

Hardware devices can be protected against side-channel attacks by introducing one random mask per sensitive variable. The computation throughout is unaltered if the shares (masked variable and mask) are processed concomitantly, in two distinct registers. Nonetheless, this setup can be attacked by a zero-offset second-order CPA attack. The countermeasure can be improved by manipulating the mask through a bijection F, aimed at reducing the dependency between the shares. Thus dth-order zero-offset attacks, that consist in applying CPA on the dth power of the centered side-channel traces, can be thwarted for d≥2 at no extra cost. We denote by n the size in bits of the shares and call F the transformation function, that is a bijection of $\mathbb{F}_2^n$. In this paper, we explore the functions F that thwart zero-offset HO-CPA of maximal order d. We mathematically demonstrate that optimal choices for F relate to optimal binary codes (in the sense of communication theory). First, we exhibit optimal linear F functions. Second, we note that for values of n for which non-linear codes exist with better parameters than linear ones. These results are exemplified in the case n=8, the optimal F can be identified: it is derived from the optimal rate 1/2 binary code of size 2n, namely the Nordstrom-Robinson (16, 256, 6) code. This example provides explicitly with the optimal protection that limits to one mask of byte-oriented algorithms such as AES or AES-based SHA-3 candidates. It protects against all zero-offset HO-CPA attacks of order d≤5. Eventually, the countermeasure is shown to be resilient to imperfect leakage models.


hardware oriented security and trust | 2010

Entropy-based power attack

Houssem Maghrebi; Sylvain Guilley; Jean-Luc Danger; Florent Flament

Recent works have shown that the mutual information is a generic side-channel distinguisher, since it detects any kind of statistical dependency between leakage observations and hypotheses on the secret. In this study the mutual information analysis (MIA) is tested in a noisy real world design. It indeed appears to be a powerful approach to break unprotected implementations. However, the MIA fails when applied on a DES cryptoprocessor with masked substitution boxes (Sboxes) in ROM. Nevertheless, this masking implementation remains sensitive to Higher-Order Differential Power Analysis (HO-DPA). For instance, an attack based on a variance analysis clearly shows the vulnerabilities of a first order masking countermeasure. We propose a novel approach to information-theoretic HO attacks, called the Entropy-based Power Analysis (EPA). This new attack gives a greatest importance to highly informative partitions and in the meantime better distinguishes between the key hypotheses. A thorough empirical evaluation of the proposed attack confirms the overwhelming advantage of this new approach when compared with MIA.


international conference on signals circuits and systems | 2009

Evaluation of countermeasure implementations based on Boolean masking to thwart side-channel attacks

Houssem Maghrebi; Jean-Luc Danger; Florent Flament; Sylvain Guilley; Laurent Sauvage

This paper presents hardware implementations of a DES cryptoprocessor with masking countermeasures and their evaluation against side-channel attacks (SCAs) in FPGAs. The masking protection has been mainly studied from a theoretical viewpoint without any thorough test in a noisy real world designs. In this study the masking countermeasure is tested with first-order and higher-order SCAs on a fully-fledged DES. Beside a classical implementation of the DES substitution boxes (S-Boxes) a simple structure called Universal Substitution boxes with Masking (USM) is proposed. It meets the constraint of low complexity as state-of-the-art masked S-Boxes are mostly built from large look-up tables or complex calculations with combinatorial logic gates. However attacks on USM have underlined some security weaknesses. ROM masked implementation exhibits greater robustness as it cannot be attacked with first-order DPA. Nevertheless any masking implementation remains sensitive to Higher-Order Differential Power Analysis (HO-DPA) as shown in a proposed attack. This attack is based on a variance analysis of the observed power consumption and it clearly shows the vulnerabilities of masking countermeasures.


Journal of Cryptographic Engineering | 2014

Achieving side-channel high-order correlation immunity with leakage squeezing

Claude Carlet; Jean-Luc Danger; Sylvain Guilley; Houssem Maghrebi; Emmanuel Prouff

This article deeply analyzes high-order (HO) Boolean masking countermeasures against side-channel attacks in contexts where the shares are manipulated simultaneously and the correlation coefficient is used as a statistical distinguisher. The latter attacks are sometimes referred to as zero-offset high-order correlation power analysis (HO-CPA). In particular, the main focus is to get the most out of a single mask (i.e., for masking schemes with two shares). The relationship between the leakage characteristics and the attack efficiency is thoroughly studied. Our main contribution is to link the minimum attack order (called HO-CPA immunity) to the amount of information leaked. Interestingly, the HO-CPA immunity can be much larger than the number of shares in the masking scheme. This is made possible by the leakage squeezing. It is a variant of the Boolean masking where masks are recoded relevantly by bijections. This technique and others from the state-of-the-art (namely leak-free masking and wire-tap codes) are overviewed, and put in perspective.


workshop in information security theory and practice | 2014

Orthogonal Direct Sum Masking

Julien Bringer; Claude Carlet; Hervé Chabanne; Sylvain Guilley; Houssem Maghrebi

Secure elements, such as smartcards or trusted platform modules (TPMs), must be protected against implementation-level attacks. Those include side-channel and fault injection attacks. We introduce ODSM, Orthogonal Direct Sum Masking, a new computation paradigm that achieves protection against those two kinds of attacks. A large vector space is structured as two supplementary orthogonal subspaces. One subspace (called a code $\mathcal{C}$


Space | 2016

Breaking Cryptographic Implementations Using Deep Learning Techniques

Houssem Maghrebi; Thibault Portigliatti; Emmanuel Prouff


hardware oriented security and trust | 2012

Register leakage masking using Gray code

Houssem Maghrebi; Sylvain Guilley; Emmanuel Prouff; Jean-Luc Danger


fast software encryption | 2016

There Is Wisdom in Harnessing the Strengths of Your Enemy: Customized Encoding to Thwart Side-Channel Attacks

Houssem Maghrebi; Victor Servant; Julien Bringer
