International Association
for Cryptologic Research

Secure elements, such as smartcards or trusted platform modules (TPMs), must be protected against implementation-level attacks.

Those include side-channel and fault injection attacks.

We introduce ODSM, Orthogonal Direct Sum Masking, a new computation paradigm that achieves protection against those two kinds of attacks.

A large vector space is structured as two supplementary orthogonal subspaces.

One subspace (called a code $\\mathcal{C}$) is used for the functional computation,

while the second subspace carries random numbers.

As the random numbers are entangled with the sensitive data, ODSM ensures a protection against (monovariate) side-channel attacks.

The random numbers can be checked either occasionally, or globally, thereby ensuring a fine or coarse detection capability.

The security level can be formally detailed:

it is proved that monovariate side-channel attacks of order up to $d_\\mathcal{C}-1$, where $d_\\mathcal{C}$ is the minimal distance of $\\mathcal{C}$, are impossible,

and that any fault of Hamming weight strictly less than $d_\\mathcal{C}$ is detected.

A complete instantiation of ODSM is given for AES.

In this case, all monovariate side-channel attacks of order strictly less than $5$ are impossible,

and all fault injections perturbing strictly less than $5$ bits are detected.