Monomial evaluation of polynomial functions protected by threshold implementations—with an illustration on AES

In the context of side-channel countermeasures, threshold implementations (TI) have been introduced in 2006 by Nikova et al. to defeat attacks which exploit hardware effects called glitches. On several aspects, TI may be seen as an extension of another classical side-channel countermeasure, called m...

Full description

Saved in:
Bibliographic Details
Published in:Cryptography and communications 2021-01, Vol.13 (4), p.543-572
Main Authors: Landry, Simon, Linge Yanis, Prouff Emmanuel
Format: Article
Language:English
Subjects:
Algorithms
Context
Cryptography
Encryption
Fields (mathematics)
Functions (mathematics)
Guards
Masking
Mathematical analysis
Polynomials
Randomness
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:In the context of side-channel countermeasures, threshold implementations (TI) have been introduced in 2006 by Nikova et al. to defeat attacks which exploit hardware effects called glitches. On several aspects, TI may be seen as an extension of another classical side-channel countermeasure, called masking, which is essentially based on the sharing of any internal state of the processing into independent parts (also called shares). To achieve side-channel security, a TI scheme operates on shared data and comes with additional properties to get robustness to glitches. When specifying such a scheme to secure a cryptographic implementation, as e.g. the AES block cipher, the challenging part is to minimise both the number of steps (or cycles) and the consumption of randomness. In this paper, we combine the changing of the guards technique published by Daemen at CHES 2017 (which reduces the need for fresh randomness) with the work of Genelle et al. at CHES 2011 (which combines additive masking and multiplicative one) to propose a new TI which does not consume fresh randomness and which is efficient (in terms of cycles) for classical block ciphers. As an illustration, we develop our proposal for the AES, and more specifically its SBox implemented thanks to a finite field exponentiation. In this particular context, we argue that our proposal is a valuable alternative to the state of the art solutions. More generally, it has the advantage of being easily applicable to the evaluation of any polynomial function, which was usually not the case of previous solutions.
ISSN:1936-2447
1936-2455
DOI:10.1007/s12095-021-00497-9