IACR News item: 11 April 2012
Houssem MAGHREBI, Claude CARLET, Sylvain GUILLEY, Jean-Luc DANGER
ePrint Report
The computation throughout is unaltered if the shares (masked variable and mask) are processed concomitantly, in two distinct registers.
Nonetheless, this setup can be attacked by a zero-offset second-order CPA attack.
The countermeasure can be improved by manipulating the mask through a bijection $F$,
aimed at reducing the dependency between the shares.
Thus $d$th-order zero-offset attacks, which consist in applying CPA to the $d$th power of the centered side-channel traces,
can be thwarted for $d \geq 2$ at no extra cost.
We denote by $n$ the size in bits of the shares and call $F$ the transformation function,
which is a bijection of $\mathbb{F}_2^n$.
In this paper, we explore the functions $F$ that thwart zero-offset HO-CPA of maximal order $d$.
We mathematically demonstrate that optimal choices for $F$ relate to optimal binary codes (in the sense of communication theory).
First, we exhibit optimal linear $F$ functions.
Second, we note that there are values of $n$ for which non-linear codes exist with better parameters than linear ones.
These results are exemplified in the case $n=8$, where the optimal $F$ can be identified:
it is derived from the optimal rate $1/2$ binary code of length $2n$, namely the Nordstrom-Robinson $(16, 256, 6)$ code.
This example explicitly provides the optimal protection, using a single mask, for byte-oriented algorithms such as AES or AES-based SHA-3 candidates.
It protects against all zero-offset HO-CPA attacks of order $d \leq 5$.
Finally, the countermeasure is shown to be resilient to imperfect leakage models.
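The moment-based view of a zero-offset attack described above can be checked numerically. The Python script below is an added example, not code from the paper or its authors. It assumes a constructed leakage model in which both registers leak their Hamming weight into one sample, uses $n=4$ so that every mask can be enumerated exactly, and constructs a linear bijection $F$ whose code $\{(m, F(m))\}$ is the extended Hamming $[8,4,4]$ code (the paper's $n=8$ Nordstrom-Robinson construction is not reproduced). For each candidate $F$ it reports the minimum distance of that code and the smallest order $d$ at which the conditional $d$-th central moment of the trace still depends on the secret, which is exactly the signal a zero-offset $d$th-order CPA needs: with the identity (plain masking) that order is $2$, with the extended-Hamming $F$ it rises to $4$, so orders $2$ and $3$ are thwarted at no extra cost.

```python
"""Leakage-order check for first-order masking with a mask bijection F.

Constructed leakage model (an assumption of this example): the two registers
holding x ^ m and F(m) are processed at the same instant and each leaks its
Hamming weight, so one trace sample is
    L(x, m) = HW(x ^ m) + HW(F(m)).
A zero-offset d-th order CPA correlates the d-th power of the centered trace
with a prediction that depends on x. It can only succeed if the conditional
d-th central moment E[(L - mean)^d | x] varies with x, so the spread of that
moment over x is the quantity a designer wants to be zero for every d up to
the order the countermeasure is meant to resist.
"""

N = 4  # share size in bits; small enough to enumerate all 2^N masks exactly


def hw(v: int) -> int:
    """Hamming weight of an integer."""
    return bin(v).count("1")


def identity_f(m: int) -> int:
    """Plain Boolean masking: the mask register holds m itself."""
    return m


def ext_hamming_f(m: int) -> int:
    """Constructed linear bijection F(m) = m * (J + I) over GF(2), i.e.
    m XOR 1111 when m has odd parity. The code {(m, F(m))} is the extended
    Hamming [8,4,4] code, whose codewords all have weight 0, 4 or 8."""
    return m ^ (0b1111 if hw(m) & 1 else 0)


def is_bijection(F, n: int = N) -> bool:
    """Sanity check: the transformation must not lose mask entropy."""
    return len({F(m) for m in range(1 << n)}) == (1 << n)


def leakage_table(F, n: int = N) -> dict:
    """Return {x: [L(x, m) for every mask m]} under the constructed model."""
    size = 1 << n
    return {x: [hw(x ^ m) + hw(F(m)) for m in range(size)] for x in range(size)}


def moment_spread(F, d: int, n: int = N) -> float:
    """max - min over x of the conditional d-th central moment of the trace,
    centered on the global mean exactly as a zero-offset attack centers its
    traces. A spread of 0 means a zero-offset d-th order CPA has no signal."""
    table = leakage_table(F, n)
    all_samples = [s for samples in table.values() for s in samples]
    mean = sum(all_samples) / len(all_samples)
    moments = [
        sum((s - mean) ** d for s in samples) / len(samples)
        for samples in table.values()
    ]
    return max(moments) - min(moments)


def first_leaking_order(F, max_d: int = 6, n: int = N):
    """Smallest d <= max_d at which the moment spread is non-zero, else None.
    Every order below it is thwarted by the bijection F alone."""
    for d in range(1, max_d + 1):
        if moment_spread(F, d, n) > 1e-9:
            return d
    return None


def code_min_distance(F, n: int = N) -> int:
    """Minimum Hamming distance of the binary code {(m, F(m))} of length 2n.
    This is the code-theoretic object the paper relates optimal F to; the
    pairwise scan also works for non-linear F."""
    words = [(m << n) | F(m) for m in range(1 << n)]
    return min(hw(a ^ b) for i, a in enumerate(words) for b in words[i + 1:])


if __name__ == "__main__":
    for name, F in (("identity", identity_f), ("extended Hamming", ext_hamming_f)):
        print(
            f"{name:17s} bijection={is_bijection(F)} "
            f"code distance={code_min_distance(F)} "
            f"first leaking order={first_leaking_order(F)}"
        )
```

Running the script prints a first leaking order of 2 for plain masking and 4 for the extended-Hamming bijection; a designer evaluating a candidate $F$ for a larger $n$ would swap in that function and, because the scan is exhaustive over masks, keep $n$ small enough to enumerate or replace `leakage_table` with sampled traces.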