Orthogonal Direct Sum Masking: A Smartcard Friendly Computation Paradigm in a Code, with Builtin Protection against Side-Channel and Fault Attacks

Secure elements, such as smartcards or trusted platform modules (TPMs), must be protected against implementation-level attacks. Those include side-channel and fault injection attacks. We introduce ODSM, Orthogonal Direct Sum Masking, a new computation paradigm that achieves protection against those two kinds of attacks. A large vector space is structured as two supplementary orthogonal subspaces. One subspace (called a code $\mathcal{C}$) is used for the functional computation, while the second subspace carries random numbers. As the random numbers are entangled with the sensitive data, ODSM ensures a protection against (monovariate) side-channel attacks. The random numbers can be checked either occasionally, or globally, thereby ensuring a fine or coarse detection capability. The security level can be formally detailed: it is proved that monovariate side-channel attacks of order up to $d_\mathcal{C}-1$, where $d_\mathcal{C}$ is the minimal distance of $\mathcal{C}$, are impossible, and that any fault of Hamming weight strictly less than $d_\mathcal{C}$ is detected. A complete instantiation of ODSM is given for AES. In this case, all monovariate side-channel attacks of order strictly less than $5$ are impossible, and all fault injections perturbing strictly less than $5$ bits are detected

Linear Complementary Pair Of Group Codes over Finite Chain Rings

Linear complementary dual (LCD) codes and linear complementary pair (LCP) of codes over finite fields have been intensively studied recently due to their applications in cryptography, in the context of side-channel and fault injection attacks. The security parameter for an LCP of codes $(C,D)$ is defined as the minimum of the minimum distances $d(C)$ and $d(D^\bot)$. It has been recently shown that if $C$ and $D$ are both 2-sided group codes over a finite field, then $C$ and $D^\bot$ are permutation equivalent. Hence the security parameter for an LCP of 2-sided group codes $(C,D)$ is simply $d(C)$. We extend this result to 2-sided group codes over finite chain rings

New binary and ternary LCD codes

LCD codes are linear codes with important cryptographic applications. Recently, a method has been presented to transform any linear code into an LCD code with the same parameters when it is supported on a finite field with cardinality larger than 3. Hence, the study of LCD codes is mainly open for binary and ternary fields. Subfield-subcodes of $J$-affine variety codes are a generalization of BCH codes which have been successfully used for constructing good quantum codes. We describe binary and ternary LCD codes constructed as subfield-subcodes of $J$-affine variety codes and provide some new and good LCD codes coming from this construction

Quasi-linear Masking to Protect Kyber against both SCA and FIA

The recent technological advances in Post-Quantum Cryptography (PQC) rise the questions of robust implementations of new asymmetric cryptographic primitives in today’s technology. This is the case for the lattice-based CRYSTALS-Kyber algorithm which has been selected as the first NIST standard for Public Key Encryption (PKE) and Key Encapsulation Mechanisms (KEM). We have notably to make sure the Kyber implementation is resilient against physical attacks like Side-Channel Analysis (SCA) and Fault Injection Attacks (FIA). To reach this goal, we propose to use the masking countermeasure, more precisely the generic Direct Sum Masking method (DSM). By taking inspiration of a previous paper on AES, we extend the method to finite fields of characteristic prime other than 2 and even-length codes. In particular, we investigated its application to Keccak, which is the hash-based function used in Kyber. We also provided the first masked implementation of Kyber providing both SCA and FIA resilience while not requiring any conversion between different masking methods

Complementary Dual Codes for Counter-measures to Side-Channel Attacks

We recall why linear codes with complementary duals (LCD codes) play a role in counter-measures to passive and active side-channel analyses on embedded cryptosystems. The rate and the minimum distance of such LCD codes must be as large as possible. We investigate primary constructions of such codes, in particular with cyclic codes, specifically with generalized residue codes, and we study their idempotents. We study those secondary constructions which preserve the LCD property, and we characterize conditions under which codes obtained by puncturing, shortening or extending codes, or obtained by the Plotkin sum, can be LCD