Very High Order Masking: Efficient Implementation and Security Evaluation
Abstract. In this paper, we study the performances and security of recent masking algorithms specialized to parallel implementations in a 32-bit embedded software platform, for the standard AES Rijndael and the bitslice cipher Fantomas. By exploiting the excellent features of these algorithms for bitslice implementations, we first extend the recent speed records of Goudarzi and Rivain (presented at Eurocrypt 2017) and report realistic timings for masked implementations with 32 shares. We then observe that the security level provided by such implementations is hard to quantify with current evaluation tools. We therefore propose a new “multi-model” evaluation methodology which takes advantage of different (more or less abstract) security models introduced in the literature. This methodology allows us both to bound the security level of our implementations in a principled manner and to assess the risks of overstated security based on well understood parameters. Concretely, it leads us to conclude that these implementations withstand worst-case adversaries with > 2^64 measurements under falsifiable assumptions.
1 Introduction
The masking countermeasure is among the most investigated solutions to improve the security of cryptographic implementations against side-channel analysis. Concretely, masking amounts to performing cryptographic operations on secret-shared data, say with d shares. In short, it amplifies the noise in the physical measurements (hence the security level) exponentially in d, at the cost of quadratic (in d) performance overheads [27,38]. As discussed in [25], these performance overheads may become a bottleneck for the deployment of secure software implementations, especially as the number of shares increases, which is however needed if high security levels are targeted [15]. In this respect, two recent works from Eurocrypt 2017 tackled the challenge of improving the performances of masked implementations. In the first one, Goudarzi and Rivain leveraged the intuition that bitslice implementations are generally well suited to improve software performances, and described optimizations leading to fast masked implementations of the AES (and PRESENT), beating all state-of-the-art implementations based on polynomial representations [22]. In the second one, Barthe et al. introduced new masking algorithms that are perfectly suited for parallel (bitslice) implementations and analyzed the formal security guarantees that can be expected from them [5]. Building on these two recent works, our contributions are in four parts: First, since the new masking algorithms of Barthe et al. are natural candidates for bitslice implementations, we analyze their performance on a 32-bit ARM Cortex M4 processor. Our results confirm that they allow competing with the performances of Goudarzi and Rivain with limited opt

A. Journault and F.-X. Standaert. © International Association for Cryptologic Research 2017. W. Fischer and N. Homma (Eds.): CHES 2017, LNCS 10529, pp. 623–643, 2017. DOI: 10.1007/978-3-319-66787-4_30
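As an added illustration of the mechanism described above (example code written for this page, not the paper's or Barthe et al.'s algorithms), the following C masks 32-bit bitsliced words with D = 4 Boolean shares and evaluates the non-linear AND gate with the classical ISW multiplication gadget, whose D(D-1)/2 fresh random words are the quadratic-in-d cost the text refers to. The xorshift32 generator and the share count D are assumptions of this example; a real masked implementation draws its randomness from a hardware TRNG.

```c
#include <stdint.h>
#include <stddef.h>

#define D 4 /* number of shares d; each share is a 32-bit bitsliced word */
/* Placeholder randomness for this example only (deterministic xorshift32);
   a real masked implementation draws share randomness from a hardware TRNG. */
static uint32_t rng_state = 0x2545F491u;
static unsigned rand_calls; /* counts fresh random words consumed */
static uint32_t rand32(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    rand_calls++;
    return rng_state = x;
}
/* Split x into D shares whose XOR equals x. */
static void mask(uint32_t x, uint32_t s[D]) {
    s[0] = x;
    for (size_t i = 1; i < D; i++) { s[i] = rand32(); s[0] ^= s[i]; }
}
/* Recombine shares; done here only to verify the gadget. */
static uint32_t unmask(const uint32_t s[D]) {
    uint32_t x = 0;
    for (size_t i = 0; i < D; i++) x ^= s[i];
    return x;
}
/* XOR is linear (share-wise, no randomness); AND is the non-linear gate. This
   ISW multiplication gadget needs D(D-1)/2 fresh random words and O(D^2)
   operations: the quadratic overhead in d. Each 32-bit word evaluates 32
   bitsliced AND gates in parallel. The parenthesised order in t is part of
   the gadget; a compiler may reorder it, so masked code is checked in assembly. */
static void masked_and(const uint32_t a[D], const uint32_t b[D], uint32_t c[D]) {
    for (size_t i = 0; i < D; i++) c[i] = a[i] & b[i];
    for (size_t i = 0; i < D; i++)
        for (size_t j = i + 1; j < D; j++) {
            uint32_t r = rand32();
            uint32_t t = (r ^ (a[i] & b[j])) ^ (a[j] & b[i]);
            c[i] ^= r;
            c[j] ^= t;
        }
}
/* Self-check: mask x and y, AND them share-wise, unmask, and return 1 if the
   result equals x & y and exactly D(D-1)/2 random words were consumed. */
int check_masked_and(uint32_t x, uint32_t y) {
    uint32_t sx[D], sy[D], sc[D];
    mask(x, sx); mask(y, sy);
    rand_calls = 0;
    masked_and(sx, sy, sc);
    return unmask(sc) == (x & y) && rand_calls == D * (D - 1) / 2;
}
```

Raising D to 32, as in the paper's 32-share implementations, makes the gadget consume 496 random words per 32-bit AND, which is why the parallel gadgets studied in the paper matter for performance.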