International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Bitslice Masking and Improved Shuffling:: How and When to Mix Them in Software?

Authors:
Melissa Azouaoui , ICTEAM Institute, Université catholique de Louvain, Louvain-la-Neuve, Belgium; NXP Semiconductors, Hamburg, Germany
Olivier Bronchain , ICTEAM Institute, Université catholique de Louvain, Louvain-la-Neuve, Belgium
Vincent Grosso , CNRS/Laboratoire Hubert Curien, Université de Lyon, Lyon, France
Kostas Papagiannopoulos , Security by Design group, University of Amsterdam, Amsterdam, The Netherlands
François-Xavier Standaert , ICTEAM Institute, Université catholique de Louvain, Louvain-la-Neuve, Belgium
Download:
DOI: 10.46586/tches.v2022.i2.140-165
URL: https://tches.iacr.org/index.php/TCHES/article/view/9484
Search ePrint
Search Google
Presentation: Slides
Abstract: We revisit the popular adage that side-channel countermeasures must be combined to be efficient, and study its application to bitslice masking and shuffling. Our main contributions are twofold. First, we improve this combination: by shuffling the shares of a masked implementation rather than its tuples, we can amplify the impact of the shuffling exponentially in the number of shares, while this impact was independent of the masking security order in previous works. Second, we evaluate the masking and shuffling combination’s performance vs. security tradeoff under sufficient noise conditions: we show that the best approach is to mask first (i.e., fill the registers with as many shares as possible) and shuffle the independent operations that remain. We conclude that with moderate but sufficient noise, the “bitslice masking + shuffling” combination of countermeasures is practically relevant, and its interest increases when randomness is expensive and many independent operations are available for shuffling. When these conditions are not met, masking only is the best option. As additional side results, we improve the best known attack against the shuffling countermeasure from ASIACRYPT 2012. We also recall that algorithmic countermeasures like masking and shuffling, and therefore their combination, cannot be implemented securely without a minimum level of physical noise.
BibTeX
@article{tches-2022-32001,
  title={Bitslice Masking and Improved Shuffling:: How and When to Mix Them in Software?},
  journal={IACR Transactions on Cryptographic Hardware and Embedded Systems},
  publisher={Ruhr-Universität Bochum},
  volume={2022, Issue 2},
  pages={140-165},
  url={https://tches.iacr.org/index.php/TCHES/article/view/9484},
  doi={10.46586/tches.v2022.i2.140-165},
  author={Melissa Azouaoui and Olivier Bronchain and Vincent Grosso and Kostas Papagiannopoulos and François-Xavier Standaert},
  year=2022
}