2.6 Conversion Algorithms Based on Lookup Tables
2.6.2 Debraize Solution
In this subsection we recall the algorithm proposed by Debraize to efficiently convert from arithmetic to Boolean masking securely against first-order attacks [Deb12]. In contrast to the earlier methods, which protect the carries with arithmetic masks, the carries here are protected by Boolean masks. The two tables of the Coron-Tchulkine algorithm are combined into a single table T, which holds entries for both the carry and the no-carry case; the two cases are distinguished by a random bit ρ. For input a and random number r, the entry for the no-carry case is given as
T [ρ||a] = (a + r) ⊕ (ρ||r)
and for the carry case it is given as
T [(ρ ⊕ 1)||a] = (a + r + 1) ⊕ (ρ||r).
Namely, the table index for the carry case carries the bit ρ ⊕ 1 and the index for the no-carry case the bit ρ. In both cases the most significant bit of the stored (k+1)-bit entry is the outgoing carry of the addition masked with ρ, so the carry leaving one word is already in the form needed to index the table for the next word. The algorithm to create the lookup table is recalled in Algorithm 11.
Algorithm 11 Debraize Table Creation
Input: word size k
Output: Table T, r, ρ
1: r ← rand(k)
2: ρ ← rand(1)
3: for a = 0 to 2^k − 1 do
4:   T[ρ||a] ← (a + r) ⊕ (ρ||r)
5:   T[(ρ ⊕ 1)||a] ← (a + r + 1) ⊕ (ρ||r)
6: end for
7: return T, r, ρ
Similar to the Coron-Tchulkine method, the input arithmetic share is processed in words of k bits. For the ith arithmetic word A_i, the corresponding Boolean word x_1^i is obtained from the table by reading the entry at index β||((A_i − r) + R_i), and then XORing its low k bits with R_i and r. Here β is the Boolean mask of the incoming carry: initially β is set to ρ, and after the conversion of every word it is replaced by the high bit of the table entry just read, which is the outgoing carry of that word masked with ρ. We recall the full algorithm in Algorithm 12.
Algorithm 12 Debraize A→B Conversion
Input: Arithmetic shares A, R with x = A + R mod 2^n, n = p·k; r, ρ and the precomputed table T
Output: Boolean shares x_1, x_2 with x = x_1 ⊕ x_2
1: A ← A − (r||···||r) mod 2^n
2: β ← ρ; R' ← R
3: for i = 0 to p − 1 do
4:   Split R' into R_h||R_l such that R_l has size k
5:   A ← A + R_l mod 2^(n − i·k)
6:   Split A into A_h||A_l such that A_l has size k
7:   β||x_1^i ← T[β||A_l]
8:   x_1^i ← x_1^i ⊕ R_l
9:   A ← A_h; R' ← R_h
10: end for
11: x_1 ← (x_1^0||x_1^1||···||x_1^(p−1)) ⊕ (r||r||···||r), with x_1^0 the least significant word
12: x_2 ← R
13: return x_1, x_2
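The following Python is an added example, written for this page and not taken from the thesis or from [Deb12]: it implements Algorithms 11 and 12 for an arbitrary word size k and p words, and checks exhaustively that the shares it returns satisfy x_1 ⊕ x_2 = A + R mod 2^n. Function names are ours; r and ρ can be fixed by the caller for reproducibility and are otherwise drawn from the `secrets` module. It is a functional model of the algebra only: Python table lookups and big-integer arithmetic are not constant-time, so it says nothing about the leakage of a real implementation.

```python
"""Functional model of Debraize's first-order A->B conversion (Algorithms 11 and 12).

Added example: checks the algebra of the algorithm; it is NOT a side-channel
hardened implementation (Python lookups and big ints leak freely)."""
import secrets


def debraize_table(k, r=None, rho=None):
    """Algorithm 11: table T with 2^(k+1) entries of k+1 bits each, indexed by
    (carry_bit || a).  The high bit of every entry is the outgoing carry masked
    with rho; the low k bits are (a + r [+1]) mod 2^k masked with r.
    r and rho may be fixed by the caller (for tests); otherwise they are random."""
    if r is None:
        r = secrets.randbelow(1 << k)
    if rho is None:
        rho = secrets.randbelow(2)
    rho_r = (rho << k) | r                 # the (rho || r) mask
    T = [0] * (1 << (k + 1))
    for a in range(1 << k):
        T[(rho << k) | a] = (a + r) ^ rho_r            # no carry-in
        T[((rho ^ 1) << k) | a] = (a + r + 1) ^ rho_r  # carry-in
    return T, r, rho


def debraize_a2b(A, R, T, r, rho, k, p):
    """Algorithm 12: (A, R) with x = A + R mod 2^n, n = p*k, to (x1, x2) with x = x1 ^ x2."""
    n = p * k
    wmask = (1 << k) - 1
    r_rep = sum(r << (i * k) for i in range(p))  # r || r || ... || r
    A = (A - r_rep) & ((1 << n) - 1)             # step 1
    beta = rho                                   # step 2: carry-in 0, masked with rho
    R_work = R                                   # consumed word by word; x2 stays R
    words = []
    for i in range(p):
        R_l = R_work & wmask
        A = (A + R_l) & ((1 << (n - i * k)) - 1)  # carry of A_l + R_l propagates inside A
        A_l = A & wmask                           # low word of the updated A
        entry = T[(beta << k) | A_l]              # beta || x1_i <- T[beta || A_l]
        beta = entry >> k                         # outgoing carry, still masked with rho
        words.append((entry & wmask) ^ R_l)
        A >>= k
        R_work >>= k
    x1 = sum(w << (i * k) for i, w in enumerate(words)) ^ r_rep
    return x1, R


def check_all(k, p):
    """Exhaustively verify x1 ^ x2 == A + R mod 2^n for a fresh random table."""
    T, r, rho = debraize_table(k)
    n = p * k
    for A in range(1 << n):
        for R in range(1 << n):
            x1, x2 = debraize_a2b(A, R, T, r, rho, k, p)
            if x1 ^ x2 != (A + R) & ((1 << n) - 1):
                return False
    return True


if __name__ == "__main__":
    # Constructed input: x = 0xA5 = 0x69 + 0x3C mod 2^8, k = 4, p = 2, r = 7, rho = 1.
    T, r, rho = debraize_table(4, r=7, rho=1)
    print(debraize_a2b(0x69, 0x3C, T, r, rho, 4, 2))  # (0x99, 0x3C): 0x99 ^ 0x3C == 0xA5
    print(check_all(2, 3), check_all(4, 2))           # True True
```

The carry of A_l + R_l is never handled explicitly: adding R_l to the whole remaining part of A lets it ripple into A_h, and only the carry of the second addition (with r) has to travel through the table, which is why a single masked bit β suffices between words.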
Chapter 3
Secure Conversion between Boolean and Arithmetic Masking of Any Order
Existing solutions for converting between Boolean and arithmetic masking are secure against first-order attacks only. This chapter presents and evaluates new conversion algorithms that are secure against attacks of any order. To set the context, we first show that a straightforward extension of the first-order conversion schemes to second order is not possible. We then introduce our new algorithms to convert between Boolean and arithmetic masking. To convert masks of k bits securely against attacks of order n, the proposed algorithms have a time complexity of O(n²k) in both directions and are proven secure in the Ishai, Sahai and Wagner (ISW) framework for private circuits. We evaluate our algorithms using HMAC-SHA-1 as an example and report the execution times achieved on a 32-bit AVR microcontroller. This is joint work with Jean-Sébastien Coron and Johann Großschädl. A part of this work appeared in the proceedings of CHES 2014 [CGV14].
Contents
3.1 Introduction 38
3.2 Applying Goubin’s Conversion to Second Order 39
3.3 The Ishai, Sahai and Wagner Framework 41
3.4 Secure Addition on Boolean Shares 42
3.4.1 First Variant 42
3.4.2 Second Variant 44
3.5 Secure Arithmetic to Boolean Masking for Any Order 45
3.5.1 A Simple Algorithm with Complexity O(n³k) 45
3.5.2 Our New Arithmetic to Boolean Conversion Algorithm 47
3.6 From Boolean to Arithmetic Masking of Any Order 50
3.7 Implementation Results 52
3.1 Introduction
Security Model.
We aim for countermeasures against side-channel attacks that can be proven secure in a reasonable model of side-channel leakage (i.e. we will not be satisfied with heuristic “ad-hoc” countermeasures). Perhaps the simplest such model is the probing attack model proposed by Ishai, Sahai and Wagner (ISW) at CRYPTO 2003 [ISW03] (see Section 3.3). They initiated the theoretical study of securing circuits against an adversary who can probe the wires of the circuit. In this model, the attacker is allowed to read at most t wires of the circuit, but should not be able to learn anything about the secret key. The authors show that any circuit C can be transformed into a new circuit of size O(t²·|C|) that is resistant against such an adversary. The approach is based on secret-sharing every variable x into n shares x_i with x = x_1 ⊕ x_2 ⊕ ··· ⊕ x_n, and processing the shares in such a way that no information about the initial variable x can be learned by any t-limited adversary, for n ≥ 2t + 1.
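To make the sharing behind this model concrete, here is an added Python example (ours, not from [ISW03] or from the thesis): it shares a variable into n XOR shares and enumerates exactly what an adversary reading a chosen set of share positions observes, so the independence from x can be checked rather than argued. It illustrates only the independence of the sharing itself; the bound n ≥ 2t + 1 quoted above concerns the secure evaluation of gates on shared values, which this example does not model. All function names are ours.

```python
"""Boolean (XOR) sharing of a variable as used in the ISW probing model.

Added example: shows that any t < n share positions are independent of x,
while reading all n shares recovers it.  Names are ours, not from [ISW03]."""
import secrets
from collections import Counter
from itertools import product


def reconstruct(shares):
    """XOR all shares back together."""
    out = 0
    for s in shares:
        out ^= s
    return out


def share(x, n, bits):
    """Split x into n shares with x = x_1 ^ ... ^ x_n: n-1 shares are fresh
    uniform randomness and the last one is fixed by x."""
    shares = [secrets.randbelow(1 << bits) for _ in range(n - 1)]
    shares.append(reconstruct(shares) ^ x)
    return shares


def probe_view_counts(x, n, bits, probes):
    """Exact distribution of what an adversary probing the share positions in
    `probes` (0-based) observes, obtained by enumerating every choice of the
    n-1 random coins that share() would draw."""
    counts = Counter()
    for coins in product(range(1 << bits), repeat=n - 1):
        shares = list(coins) + [reconstruct(coins) ^ x]
        counts[tuple(shares[i] for i in probes)] += 1
    return counts


def leaks(n, bits, probes):
    """True if the probed view depends on x, i.e. the probes reveal something about x."""
    views = [probe_view_counts(x, n, bits, probes) for x in range(1 << bits)]
    return any(v != views[0] for v in views[1:])


def is_uniform(counts):
    """True if every observed view occurs equally often."""
    return len(set(counts.values())) == 1


if __name__ == "__main__":
    print(share(0b1011, 3, 4))
    # Any two of three shares: no information.  All three: x is determined.
    print(leaks(3, 2, (0, 2)), leaks(3, 2, (1, 2)), leaks(3, 2, (0, 1, 2)))  # False False True
```

`leaks` compares the full view distribution for every value of x, which is the right test: a probing adversary is allowed to be unbounded in computation, so "looks random" is not enough, the distribution must be identical for all x.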
In recent years, numerous papers on provable security against side-channel attacks have been published, forming the rapidly emerging field of leakage-resilient cryptography. Building upon the leakage model introduced by Micali and Reyzin [MR04] and on the bounded retrieval model [CLW06, Dzi06], the leakage-resilience model assumes that the adversary can repeatedly learn arbitrary functions of the secret key, as long as the total number of bits leaked to the adversary is bounded by some parameter L. This is a very strong security notion because the attacker can choose arbitrary leakage functions; only the amount of leaked information is bounded. In particular, it is more general than the ISW probing model [ISW03], in which the attacker only has access to a limited number of physical bits computed in the circuit.
However, cryptosystems proven secure in the most general leakage-resilient model are often too inefficient for practical use. In practice, one typically has to design a countermeasure against side-channel attacks for an existing algorithm (such as AES or HMAC-SHA-1) instead of devising a completely new algorithm based on the principles of leakage-resilient cryptography. The main advantage of the ISW probing model is that it can lead to relatively practical designs. Another benefit is its interplay with resistance against power analysis attacks: if a given algorithm is proven resistant against t probes in the ISW model, then (at least) t + 1 measurement points of a power acquisition must be combined to obtain the key. As shown in [CJRR99], the number of power acquisitions required to recover the key then grows exponentially with t. This means that, even if a real probing attack would be physically impossible or too costly, it makes sense to obtain countermeasures with the largest possible value of t, since this translates into an (exponentially in t) increasing level of security against power attacks. In this chapter, we mainly work in the ISW model.
Proving the resistance of a countermeasure against a single-probe attack (or a first-order attack) is usually straightforward since it suffices to show that all intermediate variables are uniformly distributed (or, at least, that their distribution is