5 research outputs found
A new class of codes for Boolean masking of cryptographic computations
We introduce a new class of rate one-half binary codes: complementary
information set codes. A binary linear code of length and dimension
is called a complementary information set code (CIS code for short) if it has
two disjoint information sets. This class of codes contains self-dual codes as
a subclass. It is connected to graph correlation immune Boolean functions of
use in the security of hardware implementations of cryptographic primitives.
Such codes make it possible to reduce the cost of masking cryptographic algorithms
against side channel attacks. In this paper we investigate this new class of
codes: we give optimal or best known CIS codes of length . We derive
general constructions based on cyclic codes and on double circulant codes. We
derive a Varshamov-Gilbert bound for long CIS codes, and show that they can all
be classified in small lengths by the building up construction. Some
nonlinear permutations are constructed by using -codes, based on the
notion of dual distance of an unrestricted code.
Comment: 19 pages. IEEE Trans. on Information Theory, to appear.
Self-dual codes, subcode structures, and applications.
The classification of self-dual codes has been an extremely active area in coding theory since 1972 [33]. A particularly interesting class of self-dual codes consists of those of Type II which have high minimum distance (called extremal or near-extremal). It is notable that this class of codes contains famous unique codes: the extended Hamming [8,4,4] code, the extended Golay [24,12,8] code, and the extended quadratic residue [48,24,12] code. We examine the subcode structures of Type II codes for lengths up to 24, extremal Type II codes of length 32, and give partial results on the extended quadratic residue [48,24,12] code. We also develop a generalization of self-dual codes to Network Coding Theory and give some results on the existence of self-dual network codes with largest minimum distance for lengths up to 10. Complementary Information Set (CIS for short) codes, a class of classical codes recently developed in [7], have important applications to Cryptography. CIS codes contain self-dual codes as a subclass. We give a new classification result for CIS codes of length 14 and a partial result for length 16.
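As an added illustration of the CIS definition used in the two abstracts above (example code, not from either paper): the check below decides whether a rate one-half binary code has two disjoint information sets, using the extended Hamming [8,4,4] code as a constructed CIS instance (it is self-dual, so the first abstract's subclass claim applies) and a constructed [4,2] code as a non-instance.

```python
from itertools import combinations
# Constructed example: generator matrix [I | A] of the extended Hamming
# [8,4,4] code. It is self-dual, hence CIS: coordinates {0..3} and {4..7}
# are two disjoint information sets (A is invertible over GF(2)).
EXT_HAMMING_8 = [
    [1, 0, 0, 0, 0, 1, 1, 1],
    [0, 1, 0, 0, 1, 0, 1, 1],
    [0, 0, 1, 0, 1, 1, 0, 1],
    [0, 0, 0, 1, 1, 1, 1, 0],
]
# Constructed rate one-half [4,2] code that is NOT CIS: column 3 is all-zero,
# so no two complementary 2-subsets of coordinates can both have full rank.
NOT_CIS_4 = [[1, 1, 0, 0], [0, 0, 1, 0]]

def gf2_rank(vectors):
    """Rank over GF(2) of row vectors encoded as ints (bit i = column i)."""
    basis = {}  # leading-bit position -> reduced vector with that leading bit
    for v in vectors:
        while v:
            lead = v.bit_length() - 1
            if lead not in basis:
                basis[lead] = v
                break
            v ^= basis[lead]  # cancel the leading bit and keep reducing
    return len(basis)

def is_information_set(G, cols):
    """cols is an information set iff the k x |cols| submatrix has rank k."""
    rows = [sum(row[c] << i for i, c in enumerate(cols)) for row in G]
    return gf2_rank(rows) == len(G)

def find_disjoint_information_sets(G):
    """Return two disjoint information sets, or None if the code is not CIS.
    For a rate one-half code (n = 2k) the second set must be the complement
    of the first, so only complementary pairs need to be tried."""
    k, n = len(G), len(G[0])
    assert n == 2 * k, "CIS codes are rate one-half"
    for I1 in combinations(range(n), k):
        if 0 not in I1:
            break  # each unordered complementary pair has now been tried once
        I2 = tuple(c for c in range(n) if c not in I1)
        if is_information_set(G, I1) and is_information_set(G, I2):
            return I1, I2
    return None

def is_self_dual(G):
    """n = 2k and every pair of generator rows is orthogonal over GF(2)."""
    k, n = len(G), len(G[0])
    return n == 2 * k and all(sum(a & b for a, b in zip(r, s)) % 2 == 0 for r in G for s in G)
```

The search is exhaustive over complementary coordinate pairs, which is fine for the short lengths (up to 16) the abstracts classify but not for long codes.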
Optimal First-Order Masking with Linear and Non-Linear Bijections
Hardware devices can be protected against side-channel attacks by introducing one random mask per sensitive variable.
The computation throughout is unaltered if the shares (masked variable and mask) are processed concomitantly, in two distinct registers.
Nonetheless, this setup can be attacked by a zero-offset second-order CPA attack.
The countermeasure can be improved by manipulating the mask through a bijection,
aimed at reducing the dependency between the shares.
Thus th-order zero-offset attacks, which consist in applying CPA to the th power of the centered side-channel traces,
can be thwarted for at no extra cost.
We denote by the size in bits of the shares and call the transformation function,
which is a bijection of .
In this paper, we explore the functions that thwart zero-offset HO-CPA of maximal order .
We mathematically demonstrate that optimal choices for relate to optimal binary codes (in the sense of communication theory).
First, we exhibit optimal linear functions.
Second, we note that for values of for which non-linear codes exist with better parameters than linear ones.
These results are exemplified in the case , where the optimal can be identified:
it is derived from the optimal rate binary code of size , namely the Nordstrom-Robinson code.
This example explicitly provides the optimal protection, limited to one mask, for byte-oriented algorithms such as AES or AES-based SHA-3 candidates.
It protects against all zero-offset HO-CPA attacks of order .
Finally, the countermeasure is shown to be resilient to imperfect leakage models.