International Association for Cryptologic Research


CryptoDB

Prime-Field Masking in Hardware and its Soundness against Low-Noise SCA Attacks

Authors:
Gaëtan Cassiers, Graz University of Technology, Graz, Austria; Lamarr Security Research, Graz, Austria; Crypto Group, ICTEAM Institute, UCLouvain, Louvain-la-Neuve, Belgium
Loïc Masure, Crypto Group, ICTEAM Institute, UCLouvain, Louvain-la-Neuve, Belgium
Charles Momin, Crypto Group, ICTEAM Institute, UCLouvain, Louvain-la-Neuve, Belgium
Thorben Moos, Crypto Group, ICTEAM Institute, UCLouvain, Louvain-la-Neuve, Belgium
François-Xavier Standaert, Crypto Group, ICTEAM Institute, UCLouvain, Louvain-la-Neuve, Belgium
Download:
DOI: 10.46586/tches.v2023.i2.482-518
URL: https://tches.iacr.org/index.php/TCHES/article/view/10291
Abstract: A recent study suggests that arithmetic masking in prime fields leads to stronger security guarantees against passive physical adversaries than Boolean masking. Indeed, it is a common observation that the desired security amplification of Boolean masking collapses when the noise level in the measurements is too low. Arithmetic encodings in prime fields can help to maintain an exponential increase of the attack complexity in the number of shares even in such a challenging context. In this work, we contribute to this emerging topic in two main directions. First, we propose novel masked hardware gadgets for secure squaring in prime fields (since squaring is non-linear in non-binary fields) which prove to be significantly more resource-friendly than corresponding masked multiplications. We then formally show their local and compositional security for arbitrary orders. Second, we attempt to experimentally evaluate the performance vs. security tradeoff of prime-field masking. In order to enable a first comparative case study in this regard, we exemplarily consider masked implementations of the AES as well as the recently proposed AES-prime. AES-prime is a block cipher partially resembling the standard AES, but based on arithmetic operations modulo a small Mersenne prime. We present cost and performance figures for masked AES and AES-prime implementations, and experimentally evaluate their susceptibility to low-noise side-channel attacks. We consider both the dynamic and the static power consumption for our low-noise analyses and emulate strong adversaries. Static power attacks are indeed known as a threat for side-channel countermeasures that require a certain noise level to be effective, because of the adversary’s ability to reduce the noise through intra-trace averaging. Our results show consistently that, for the noise levels in our practical experiments, the masked prime-field implementations provide much higher security for the same number of shares. This compensates for the overheads that prime computations lead to, and it remains true even though each share leaks with a Signal-to-Noise Ratio (SNR) similar to that of its binary equivalent. We hope our results open the way towards new cipher designs tailored to best exploit the advantages of prime-field masking.
BibTeX
@article{tches-2023-33045,
  title={Prime-Field Masking in Hardware and its Soundness against Low-Noise SCA Attacks},
  journal={IACR Transactions on Cryptographic Hardware and Embedded Systems},
  publisher={Ruhr-Universität Bochum},
  volume={2023, Issue 2},
  pages={482-518},
  url={https://tches.iacr.org/index.php/TCHES/article/view/10291},
  doi={10.46586/tches.v2023.i2.482-518},
  author={Gaëtan Cassiers and Loïc Masure and Charles Momin and Thorben Moos and François-Xavier Standaert},
  year=2023
}