Author affiliations: School of Cyber Science and Technology, Shandong University, Qingdao, China; Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Qingdao, China; Quan Cheng Shandong Laboratory, Jinan, China; Shandong Research Institute of Industrial Technology, Jinan, China; Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai, China; Shanghai Qi Zhi Institute, Shanghai, China; Shanghai Key Laboratory of Privacy-Preserving Computation, Shanghai, China
Publication: IACR Transactions on Cryptographic Hardware and Embedded Systems (IACR Trans. Cryptogr. Hardw. Embed. Syst.)
Year / Volume / Issue: 2022, Vol. 2022, No. 3
Pages: 290-329
Core indexing:
Funding: The authors would like to thank the reviewers for their helpful comments and suggestions. This work was supported by the National Key Research and Development Program of China (Nos. 2021YFA1000600, 2020YFA0309705 and 2018YFA0704701), the Program of Qilu Young Scholars (Grant Nos. 61580089963177 and 61580082063088) of Shandong University, the Program of Taishan Young Scholars of the Shandong Province, the National Natural Science Foundation of China (Grant Nos. 62002202, 62002204, 62125204 and 61872236), the Shandong Nature Science Foundation of China (Grant No. ZR2020MF053) and the Major Program of Guangdong Basic and Applied Research (Grant No. 2019B030302008). Yu Yu also acknowledges the support from the XPLORER PRIZE.
Abstract: To counter side-channel attacks, a masking scheme randomly encodes key-dependent variables into several shares, and transforms operations into the masked correspondence (called a gadget) operating on shares. This provably achieves the de facto standard notion of probing security. We continue the long line of works seeking to reduce the overhead of masking. Our main contribution is a new masking scheme over finite fields in which shares of different variables have a part in common. This enables the reuse of randomness/variables across different gadgets, and reduces the total cost of masked implementation. For security order d and circuit size , the randomness requirement and computational complexity of our scheme are Õ(d²) and Õ(d²) respectively, strictly improving upon the state-of-the-art Õ(d²) and Õ(d³) of Coron et al. at Eurocrypt 2020. A notable feature of our scheme is that it enables a new paradigm in which many intermediates can be precomputed before executing the masked function. The precomputation consumes Õ(d²) and produces Õ(d) variables to be stored in RAM. The cost of the subsequent (online) computation is reduced to Õ(d), effectively speeding up e.g. challenge-response authentication protocols. We showcase our method on the AES on the ARM Cortex-M architecture and perform a T-test evaluation. Our results show a speed-up during the online phase compared with state-of-the-art implementations, at the cost of acceptable RAM consumption and precomputation time. To prove security for our scheme, we propose a new security notion intrinsically supporting randomness/variable reuse across gadgets, and bridging the security of parallel compositions of gadgets to general compositions, which may be of independent interest. © 2022, Ruhr-University of Bochum. All rights reserved.