Resilient uniformity: applying resiliency in masking

Abstract

Threshold Implementations are known countermeasures defending against side-channel attacks via the use of masking techniques. While sufficient properties are known to defend against first-order side-channel attacks, it is not known how to achieve higher-order security. This work generalizes the Threshold Implementation notion of uniformity and proves it achieves second-order protection. The notion is applied to create a second-order masking of the Present cipher with a low randomness cost.

Appendices

Appendix A: Masking of the Present S-Box

This appendix gives a decomposition of the Present S-box and a seven-sharing of the cipher.

A.1 Decomposition

Let (x,y,z,w) denote the input nibble from most significant to least significant bit. Similarly, (G₁,...,G₄) denotes the output from most significant to least significant bit.

$$S(x,y,z,w) = B^{\prime}(G(G(C^{\prime}(x,y,z,w)+ d))+ e)$$

In the above, the nonlinear function G(x,y,z,w) is given as

$$ \begin{array}{@{}rcl@{}} G_{1} = x+ yz + yw \qquad G_{2} = w+ xy \qquad G_{3} = y \qquad G_{4} = z+ yw , \end{array} $$

the linear transformations as

$$B^{\prime} = \left[\begin{array}{cccc} 1 & 0 & 1 & 0 \\ 0 & 1 & 0 & 0 \\ 1 & 0 & 0 & 0 \\ 1 & 0 & 1 & 1 \end{array}\right], C^{\prime} = \left[\begin{array}{cccc} 1 & 1 & 0 & 0 \\ 0 & 1 & 1 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 1 & 0 & 1 \end{array}\right], $$

and the constants as

$$d = \left[\begin{array}{cccc}0 & 0 & 0 & 1 \end{array}\right], e = \left[\begin{array}{cccc}0 & 1 & 0 & 1 \end{array}\right].$$

A.2 Seven-Sharing of G(x,y,z,w)

For each share i ∈{1,..., 7}, the permutation G(x,y,z,w) is shared as

$$ \begin{array}{@{}rcl@{}} {G}^{i}_{1} &= {x}^{i} + {y}^{i}{z}^{i}+ {y}^{i}{z}^{i+1}+ {y}^{i+1}{z}^{i}+ {y}^{i}{z}^{i+3}+ {y}^{i+3}{z}^{i}+ {y}^{i+1}{z}^{i+3}+ {y}^{i+3}{z}^{i+1} \\ & + {y}^{i}{w}^{i}+ {y}^{i}{w}^{i+1}+ {y}^{i+1}{w}^{i}+ {y}^{i}{w}^{i+3}+ {y}^{i+3}{w}^{i}+ {y}^{i+1}{w}^{i+3}+ {y}^{i+3}{w}^{i+1} ,\\ {G}^{i}_{2} &= {w}^{i} + {x}^{i}{y}^{i}+ {x}^{i}{y}^{i+1}+ {x}^{i+1}{y}^{i}+ {x}^{i}{y}^{i+3}+ {x}^{i+3}{y}^{i}+ {x}^{i+1}{y}^{i+3}+ {x}^{i+3}{y}^{i+1} ,\\ {G}^{i}_{3} &= {y}^{i} ,\\ {G}^{i}_{4} &= {z}^{i} + {y}^{i}{w}^{i}+ {y}^{i}{w}^{i+1}+ {y}^{i+1}{w}^{i}+ {y}^{i}{w}^{i+3}+ {y}^{i+3}{w}^{i}+ {y}^{i+1}{w}^{i+3}+ {y}^{i+3}{w}^{i+1} , \end{array} $$

where the convention is used that superscripts wrap around at seven.

For each i ∈{1,..., 7} and given 21 random bits \(({r_{1}^{i}},{r_{2}^{i}}, {r_{3}^{i}})\), the randomness layer \(\bar {r}_{1}(x,y,z,w)\) is given by

$$ \begin{array}{@{}rcl@{}} {G}^{i}_{1} &= {x}^{i} + {r_{1}^{i}} + r_{1}^{i+1} ,\\ {G}^{i}_{2} &= {y}^{i} + {r_{2}^{i}} + r_{2}^{i+1} ,\\ {G}^{i}_{3} &= {z}^{i} ,\\ {G}^{i}_{4} &= {w}^{i} + {r_{3}^{i}} + r_{3}^{i+1} , \end{array} $$

where the convention is used that superscripts wrap around at seven.

For each i ∈{1,..., 7} and given 28 random bits \(({r_{1}^{i}},{r_{2}^{i}},{r_{3}^{i}},{r_{4}^{i}})\), the randomness layer \(\bar {r}_{2}(x,y,z,w)\) is given by

$$ \begin{array}{@{}rcl@{}} {G}^{i}_{1} &= {x}^{i} + {r_{1}^{i}} + r_{1}^{i+1} ,\\ {G}^{i}_{2} &= {y}^{i} + {r_{2}^{i}} + r_{2}^{i+1} ,\\ {G}^{i}_{3} &= {z}^{i} + {r_{3}^{i}} + r_{3}^{i+1} ,\\ {G}^{i}_{4} &= {w}^{i} + {r_{4}^{i}} + r_{4}^{i+1} , \end{array} $$

where the convention is used that superscripts wrap around at seven.