Reducing risks through simplicity: high side-channel security for lazy engineers



REGULAR PAPER

Olivier Bronchain¹ · Tobias Schneider² · François-Xavier Standaert¹

Received: 23 December 2019 / Accepted: 24 August 2020
© Springer-Verlag GmbH Germany, part of Springer Nature 2020

Abstract

Countermeasures against side-channel attacks are generally expensive, and a lot of research has been devoted to optimizing their security versus performance trade-off. Besides, a wide literature has also shown that implementing such countermeasures is an error-prone task that requires dealing with various engineering challenges (e.g., physical defaults, compositional errors, …). This work aims to contribute to this second item by evaluating the extent to which (almost) key-homomorphic primitives, and in particular a recent PRF instance based on the learning with rounding problem, can lead to easy-to-implement and easier-to-evaluate side-channel-secure designs. We confirm these properties by describing an FPGA implementation that does not require complex (compositional) reasoning in its analysis, can be masked securely under simple design conditions, and whose evaluation directly scales to an arbitrary number of shares. We provide a comprehensive performance and (worst-case) security analysis of our design and compare the obtained results with those of an AES implementation protected with the domain-oriented masking scheme. Results show that simplicity has a cost, which becomes less prohibitive as security requirements increase.

Keywords: Side-channel analysis · Masking · Worst-case evaluations · Key-homomorphic PRFs · Learning with rounding · FPGA implementations

Tobias Schneider: The majority of the author's contribution was performed while he was with ICTEAM Institute, UCLouvain, Louvain-la-Neuve, Belgium.

Corresponding author: Olivier Bronchain, [email protected]

1 ICTEAM Institute, UCLouvain, Louvain-la-Neuve, Belgium
2 NXP Semiconductors Austria, Gratkorn, Austria

1 Introduction

Side-channel attacks are important threats to the security of embedded systems. They exploit physical information leaked from implementations through, for example, their power consumption [41] or electromagnetic radiation [31] in order to recover secret information such as encryption keys. A standard approach to circumvent this threat is the masking countermeasure [17]. Its underlying principle is to split the sensitive data of an implementation into shares and to perform the computations on those shares only. Theoretically, masking is expected to increase the security of the implementation exponentially in the number of shares [26,27,52], with quadratic (area/time and randomness) overheads (see [34,36] for recent examples in hardware and software, respectively). Despite these theoretical promises (and besides their important performance overheads), the deployment of secure masked implementations is usually slowed down (or sometimes even annihilated) by two types of engineering challenges. On the one hand, masking leads to an expone
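The reason an (almost) key-homomorphic PRF is "easy to mask" can be seen concretely. The block below is an added example, not code from the paper or from its FPGA design: a toy LWR-style PRF F(k, x) = ⌊(p/q)·⟨a(x), k⟩ mod q⌉ mod p, whose parameters (q = 2^16, p = 2^8, n = 8), input expansion (SHAKE-128) and function names are assumptions for illustration only. The key is split into additive shares mod q, the unprotected PRF runs on each share independently (the key is never recombined, so no compositional reasoning about the shared computation is needed), and the outputs are summed. Before rounding the homomorphism is exact; after rounding it holds only up to a small error that grows with the number of shares d, which is what "almost" means. How the paper's design handles that rounding error is not covered by this excerpt.

```python
"""Added example: share-wise evaluation of an almost-key-homomorphic PRF.

Toy LWR-style PRF  F(k, x) = round_p(<a(x), k> mod q).  All parameters, the
hash used to derive a(x), and the function names are assumptions for this
illustration; they are not the paper's parameters or implementation.
"""
import hashlib
import secrets

Q = 2 ** 16   # working modulus q
P = 2 ** 8    # rounding modulus p (output alphabet)
N = 8         # dimension of the key vector k in Z_q^N


def expand_input(x: bytes) -> list[int]:
    """Public vector a(x) in Z_q^N derived from the input with SHAKE-128 (assumed)."""
    digest = hashlib.shake_128(x).digest(2 * N)
    return [int.from_bytes(digest[2 * i:2 * i + 2], "little") % Q for i in range(N)]


def inner(k: list[int], x: bytes) -> int:
    """Linear part <a(x), k> mod q: exactly key-homomorphic."""
    return sum(a * s for a, s in zip(expand_input(x), k)) % Q


def round_q_to_p(v: int) -> int:
    """LWR rounding: nearest integer to v * p / q, reduced mod p."""
    return ((v * P + Q // 2) // Q) % P


def prf(k: list[int], x: bytes) -> int:
    """Unprotected PRF evaluation on a full key."""
    return round_q_to_p(inner(k, x))


def share_key(k: list[int], d: int) -> list[list[int]]:
    """Additive masking of k into d shares mod q: k = k_1 + ... + k_d."""
    shares = [[secrets.randbelow(Q) for _ in range(N)] for _ in range(d - 1)]
    last = [(k[j] - sum(s[j] for s in shares)) % Q for j in range(N)]
    return shares + [last]


def masked_prf(shares: list[list[int]], x: bytes) -> int:
    """Share-wise evaluation: the unprotected PRF runs on every share on its
    own and the results are summed mod p.  Because inner() is linear in k,
    this equals prf(k, x) up to the rounding error of each share."""
    return sum(prf(s, x) for s in shares) % P


def signed_distance(a: int, b: int) -> int:
    """Distance between two outputs on the cycle Z_p (size of the error)."""
    diff = (a - b) % P
    return min(diff, P - diff)


def max_error(d: int, trials: int = 200) -> int:
    """Largest deviation of the masked output from the unmasked one over
    random keys and inputs (constructed here).  Each of the d share roundings
    contributes at most 1/2, the unmasked rounding another 1/2, so the
    deviation is at most (d + 1) // 2 as long as p > d + 1."""
    worst = 0
    for _ in range(trials):
        k = [secrets.randbelow(Q) for _ in range(N)]
        x = secrets.token_bytes(16)
        worst = max(worst, signed_distance(masked_prf(share_key(k, d), x), prf(k, x)))
    return worst


if __name__ == "__main__":
    for d in (2, 3, 8):
        print(f"d={d}: observed max error {max_error(d)}, bound {(d + 1) // 2}")
```

Scaling to more shares costs nothing in design effort here: `masked_prf` is the same two lines for d = 2 or d = 32, and the security argument reduces to the fact that each share is processed by an independent copy of the unprotected primitive. The rounding error is the price of that simplicity, and it is the part a real design has to budget for.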