International Association for Cryptologic Research

CryptoDB

Revealing the Weakness of Addition Chain Based Masked SBox Implementations

Authors:
Jingdian Ming , Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China
Huizhong Li , Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China
Yongbin Zhou , Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China; School of Cyber Security, Nanjing University of Science and Technology, Nanjing, China
Wei Cheng , Télécom Paris, Polytechnique de Paris, Palaiseau, France
Zehua Qiao , Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China
Download:
DOI: 10.46586/tches.v2021.i4.326-350
URL: https://tches.iacr.org/index.php/TCHES/article/view/9068
Abstract: The addition chain is a well-known approach for implementing higher-order masked SBoxes. However, this approach requires more computations of intermediate monomials over F_{2^n}, which in turn leak more information related to the sensitive variables and consequently may decrease side-channel resistance. In this paper, we introduce a new notion, the polygon degree, to measure the resistance of monomial computations. With the help of this notion, we select several typical addition chain implementations with the strongest or the weakest resistance. In practical experiments on an ARM Cortex-M4 architecture, we collect power and electromagnetic traces at different noise levels. The results show that the resistance of the weakest masked SBox implementation is close to that of an unprotected implementation, while even the strongest one can be broken with fewer than 1,500 traces because of the extra leakages. Moreover, we study the resistance of addition chain implementations against profiled attacks. We find that some monomials with smaller output size leak more information than the SBox output. The work by Duc et al. at JOC 2019 showed that for a balanced function, the smaller the output size is, the less information is leaked. Thus, our attacks demonstrate that this property of balanced functions does not apply to unbalanced functions.
Video from TCHES 2021
BibTeX
@article{tches-2021-31319,
  title={Revealing the Weakness of Addition Chain Based Masked SBox Implementations},
  journal={IACR Transactions on Cryptographic Hardware and Embedded Systems},
  publisher={Ruhr-Universität Bochum},
  volume={2021, Issue 4},
  pages={326-350},
  url={https://tches.iacr.org/index.php/TCHES/article/view/9068},
  doi={10.46586/tches.v2021.i4.326-350},
  author={Jingdian Ming and Huizhong Li and Yongbin Zhou and Wei Cheng and Zehua Qiao},
  year=2021
}