A new class of codes for Boolean masking of cryptographic computations

We introduce a new class of rate one-half binary codes: {\bf complementary information set codes.} A binary linear code of length $2n$ and dimension $n$ is called a complementary information set code (CIS code for short) if it has two disjoint information sets. This class of codes contains self-dual codes as a subclass. It is connected to graph correlation immune Boolean functions of use in the security of hardware implementations of cryptographic primitives. Such codes permit to improve the cost of masking cryptographic algorithms against side channel attacks. In this paper we investigate this new class of codes: we give optimal or best known CIS codes of length $<132.$ We derive general constructions based on cyclic codes and on double circulant codes. We derive a Varshamov-Gilbert bound for long CIS codes, and show that they can all be classified in small lengths $\le 12$ by the building up construction. Some nonlinear permutations are constructed by using $\Z_4$-codes, based on the notion of dual distance of an unrestricted code.Comment: 19 pages. IEEE Trans. on Information Theory, to appea

Self-dual codes, subcode structures, and applications.

The classification of self-dual codes has been an extremely active area in coding theory since 1972 [33]. A particularly interesting class of self-dual codes is those of Type II which have high minimum distance (called extremal or near-extremal). It is notable that this class of codes contains famous unique codes: the extended Hamming [8,4,4] code, the extended Golay [24,12,8] code, and the extended quadratic residue [48,24,12] code. We examine the subcode structures of Type II codes for lengths up to 24, extremal Type II codes of length 32, and give partial results on the extended quadratic residue [48,24,12] code. We also develop a generalization of self-dual codes to Network Coding Theory and give some results on existence of self-dual network codes with largest minimum distance for lengths up to 10. Complementary Information Set (CIS for short) codes, a class of classical codes recently developed in [7], have important applications to Cryptography. CIS codes contain self-dual codes as a subclass. We give a new classification result for CIS codes of length 14 and a partial result for length 16

Optimal First-Order Masking with Linear and Non-Linear Bijections

Hardware devices can be protected against side-channel attacks by introducing one random mask per sensitive variable. The computation throughout is unaltered if the shares (masked variable and mask) are processed concomitantly, in two distinct registers. Nonetheless, this setup can be attacked by a zero-offset second-order CPA attack. The countermeasure can be improved by manipulating the mask through a bijection $F$, aimed at reducing the dependency between the shares. Thus $d$th-order zero-offset attacks, that consist in applying CPA on the $d$th power of the centered side-channel traces, can be thwarted for $d \geq 2$ at no extra cost. We denote by $n$ the size in bits of the shares and call $F$ the transformation function, that is a bijection of $\mathbb{F}_2^n$. In this paper, we explore the functions $F$ that thwart zero-offset HO-CPA of maximal order $d$. We mathematically demonstrate that optimal choices for $F$ relate to optimal binary codes (in the sense of communication theory). First, we exhibit optimal linear $F$ functions. Second, we note that for values of $n$ for which non-linear codes exist with better parameters than linear ones. These results are exemplified in the case $n=8$, the optimal $F$ can be identified: it is derived from the optimal rate~$1/2$ binary code of size $2n$, namely the Nordstrom-Robinson $(16, 256, 6)$ code. This example provides explicitly with the optimal protection that limits to one mask of byte-oriented algorithms such as AES or AES-based SHA-3 candidates. It protects against all zero-offset HO-CPA attacks of order $d \leq 5$. Eventually, the countermeasure is shown to be resilient to imperfect leakage models