
    A new class of codes for Boolean masking of cryptographic computations

    We introduce a new class of rate one-half binary codes: complementary information set codes. A binary linear code of length $2n$ and dimension $n$ is called a complementary information set code (CIS code for short) if it has two disjoint information sets. This class of codes contains self-dual codes as a subclass. It is connected to graph correlation immune Boolean functions of use in the security of hardware implementations of cryptographic primitives. Such codes make it possible to reduce the cost of masking cryptographic algorithms against side channel attacks. In this paper we investigate this new class of codes: we give optimal or best known CIS codes of length $< 132$. We derive general constructions based on cyclic codes and on double circulant codes. We derive a Varshamov-Gilbert bound for long CIS codes, and show that they can all be classified in small lengths $\le 12$ by the building up construction. Some nonlinear permutations are constructed by using $\mathbb{Z}_4$-codes, based on the notion of dual distance of an unrestricted code.
    Comment: 19 pages. IEEE Trans. on Information Theory, to appear.

    Self-dual codes, subcode structures, and applications.

    The classification of self-dual codes has been an extremely active area in coding theory since 1972 [33]. A particularly interesting class of self-dual codes is the Type II codes with high minimum distance (called extremal or near-extremal). It is notable that this class contains famous unique codes: the extended Hamming [8,4,4] code, the extended Golay [24,12,8] code, and the extended quadratic residue [48,24,12] code. We examine the subcode structures of Type II codes for lengths up to 24 and of extremal Type II codes of length 32, and give partial results on the extended quadratic residue [48,24,12] code. We also develop a generalization of self-dual codes to network coding theory and give some results on the existence of self-dual network codes with largest minimum distance for lengths up to 10. Complementary Information Set (CIS for short) codes, a class of classical codes recently developed in [7], have important applications to cryptography. CIS codes contain self-dual codes as a subclass. We give a new classification result for CIS codes of length 14 and a partial result for length 16.

    Optimal First-Order Masking with Linear and Non-Linear Bijections

    Hardware devices can be protected against side-channel attacks by introducing one random mask per sensitive variable. The computation throughout is unaltered if the shares (masked variable and mask) are processed together, in two distinct registers. Nonetheless, this setup can be attacked by a zero-offset second-order CPA attack. The countermeasure can be improved by manipulating the mask through a bijection $F$, aimed at reducing the dependency between the shares. Thus $d$th-order zero-offset attacks, which consist in applying CPA on the $d$th power of the centered side-channel traces, can be thwarted for $d \geq 2$ at no extra cost. We denote by $n$ the size in bits of the shares and call $F$ the transformation function, which is a bijection of $\mathbb{F}_2^n$. In this paper, we explore the functions $F$ that thwart zero-offset HO-CPA of maximal order $d$. We mathematically demonstrate that optimal choices for $F$ relate to optimal binary codes (in the sense of communication theory). First, we exhibit optimal linear $F$ functions. Second, we note that there are values of $n$ for which non-linear codes exist with better parameters than linear ones. These results are exemplified in the case $n = 8$, where the optimal $F$ can be identified: it is derived from the optimal rate $1/2$ binary code of length $2n$, namely the Nordstrom-Robinson $(16, 256, 6)$ code. This example gives explicitly the optimal protection that limits byte-oriented algorithms such as AES or AES-based SHA-3 candidates to one mask. It protects against all zero-offset HO-CPA attacks of order $d \leq 5$. Finally, the countermeasure is shown to be resilient to imperfect leakage models.
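The two abstracts above (CIS codes, and masking with a transformed mask $F$) rest on one code-theoretic fact that is easy to check by brute force at small $n$: if the masked pair is $(x \oplus m, F(m))$ with $m$ uniform, then the leakage $\mathrm{HW}(x \oplus m) + \mathrm{HW}(F(m))$ is the weight of a random element of the coset $(x, 0) \oplus C$ of the code $C = \{(m, F(m))\}$, and a code of dual distance $d^\perp$ is $(d^\perp - 1)$-wise independent coordinate-wise, so every centered moment of order $d < d^\perp$ is the same for every $x$ (which is why the Nordstrom-Robinson code, of dual distance 6, stops orders $d \le 5$). The script below is an added example written for this page, not code from either paper: it checks the CIS property of a systematic generator $[I \mid A]$ (the right half is an information set exactly when $A$ is invertible over $\mathrm{GF}(2)$), computes the dual distance of an unrestricted code from its character sums, and compares the leakage moments of plain Boolean masking ($F = \mathrm{id}$) with those of a linear $F$ whose code $\{(m, mA)\}$ is the self-dual extended Hamming $[8,4,4]$ code. The choice $n = 4$ and $A = J + I$ is ours for illustration; the Nordstrom-Robinson construction itself is not reproduced here.

```python
# Added example (not from the papers above). Small-n check of two facts:
#  1. [I | A] generates a CIS code (two disjoint information sets) iff A is
#     invertible over GF(2).
#  2. The leakage HW(x ^ m) + HW(F(m)) has x-independent centered moments of
#     every order d below the dual distance of the code {(m, F(m))}.
# n = 4 and A = J + I (extended Hamming [8,4,4]) are our own illustrative choice.
from fractions import Fraction
from itertools import product


def hw(v):
    """Hamming weight of a 0/1 tuple."""
    return sum(v)


def gf2_rank(rows):
    """Rank over GF(2) of a list of equal-length 0/1 row vectors."""
    rows = [list(r) for r in rows]
    rank = 0
    for col in range(len(rows[0]) if rows else 0):
        pivot = next((i for i in range(rank, len(rows)) if rows[i][col]), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and rows[i][col]:
                rows[i] = [a ^ b for a, b in zip(rows[i], rows[rank])]
        rank += 1
    return rank


def is_cis_systematic(A):
    """The left n coordinates of [I | A] are always an information set; the
    right n coordinates are one too (so the code is CIS) iff A is invertible."""
    return gf2_rank(A) == len(A)


def mul_vec_mat(m, A):
    """Row vector m times matrix A over GF(2)."""
    out = [0] * len(A[0])
    for bit, row in zip(m, A):
        if bit:
            out = [a ^ b for a, b in zip(out, row)]
    return tuple(out)


def code_from_transform(n, F):
    """The (possibly nonlinear) code C = {(m, F(m)) : m in F_2^n}."""
    return [m + tuple(F(m)) for m in product((0, 1), repeat=n)]


def dual_distance(C):
    """Dual distance of an unrestricted code: the least weight of a nonzero u
    with sum_{c in C} (-1)^{u.c} != 0 (for linear C, the dual's min distance)."""
    best = None
    for u in product((0, 1), repeat=len(C[0])):
        w = hw(u)
        if w == 0 or (best is not None and w >= best):
            continue
        s = sum((-1) ** (sum(a & b for a, b in zip(u, c)) % 2) for c in C)
        if s != 0:
            best = w
    return best


def centered_moment(n, F, x, d):
    """d-th centered moment of L = HW(x ^ m) + HW(F(m)) over uniform m."""
    leaks = []
    for m in product((0, 1), repeat=n):
        leaks.append(hw(tuple(a ^ b for a, b in zip(x, m))) + hw(F(m)))
    mean = Fraction(sum(leaks), len(leaks))
    return sum((Fraction(l) - mean) ** d for l in leaks) / len(leaks)


def moment_depends_on_x(n, F, d):
    """True if the d-th centered moment varies with x, i.e. a d-th order
    zero-offset attack has a statistic to exploit."""
    return len({centered_moment(n, F, x, d) for x in product((0, 1), repeat=n)}) > 1


N = 4
# A = J + I over GF(2): F(m)_i = parity(m) ^ m_i.  [I | A] generates the
# self-dual extended Hamming [8,4,4] code, so its dual distance is 4.
A_HAMMING = [[0 if i == j else 1 for j in range(N)] for i in range(N)]


def F_HAMMING(m):
    return mul_vec_mat(m, A_HAMMING)


def F_IDENTITY(m):
    """Plain Boolean masking: the mask is stored untransformed."""
    return tuple(m)


if __name__ == "__main__":
    print("[I | J+I] is CIS:", is_cis_systematic(A_HAMMING))
    for name, F in (("identity", F_IDENTITY), ("J+I", F_HAMMING)):
        dp = dual_distance(code_from_transform(N, F))
        orders = [d for d in range(1, dp + 1) if moment_depends_on_x(N, F, d)]
        print(f"F={name}: dual distance {dp}, x-dependent moments at orders {orders}")
```

With $F = \mathrm{id}$ the code $\{(m, m)\}$ has dual distance 2 (the vectors $(e_i, e_i)$ lie in its dual), and the variance of the leakage already depends on $x$, which is the classical zero-offset second-order attack; with $F(m) = m(J + I)$ the first $x$-dependent moment is the fourth, matching the dual distance 4. Only the lower bound is guaranteed by the argument: a moment of order $d \ge d^\perp$ may still happen to be flat, as the odd moments are here by symmetry.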