International Association for Cryptologic Research

International Association
for Cryptologic Research


Redundant Code-based Masking Revisited

Nicolas Costes , Simula UiB, Merkantilen (3rd floor), Thormøhlensgate 53D, N-5006 Bergen, Norway
Martijn Stam , Simula UiB, Merkantilen (3rd floor), Thormøhlensgate 53D, N-5006 Bergen, Norway
DOI: 10.46586/tches.v2021.i1.426-450
Search ePrint
Search Google
Abstract: Masking schemes are a popular countermeasure against side-channel attacks. To mask bytes, the two classical options are Boolean masking and polynomial masking. The latter lends itself to redundant masking, where leakage emanates from more shares than are strictly necessary to reconstruct, raising the obvious question how well such “redundant” leakage can be exploited by a side-channel adversary. We revisit the recent work by Chabanne et al. (CHES’18) and show that, contrary to their conclusions, said leakage can—in theory—always be exploited. For the Hamming weight scenario in the low-noise regime, we heuristically determine how security degrades in terms of the number of redundant shares for first and second order secure polynomial masking schemes.Furthermore, we leverage a well-established link between linear secret sharing schemes and coding theory to determine when different masking schemes will end up with essentially equivalent leakage profiles. Surprisingly, we conclude that for typical field sizes and security orders, Boolean masking is a special case of polynomial masking. We also identify quasi-Boolean masking schemes as a special class of redundant polynomial masking and point out that the popular “Frobenius-stable” sets of interpolations points typically lead to such quasi-Boolean masking schemes, with subsequent degraded leakage performance.
Video from TCHES 2020
  title={Redundant Code-based Masking Revisited},
  journal={IACR Transactions on Cryptographic Hardware and Embedded Systems},
  publisher={Ruhr-Universität Bochum},
  volume={2021, Issue 1},
  author={Nicolas Costes and Martijn Stam},