5 research outputs found

    A masking method based on orthonormal spaces, protecting several bytes against both SCA and FIA with a reduced cost

    In the attacker models of Side-Channel Attacks (SCA) and Fault Injection Attacks (FIA), the opponent has access to a noisy version of the internal behavior of the hardware. Since the end of the nineties, many works have shown that these attacks constitute a serious threat to cryptosystems implemented in embedded devices. In the state of the art, several countermeasures exist to protect symmetric encryption (especially AES-128). Most of them protect against only one of these two attacks (either SCA or FIA). The main known countermeasure against SCA is masking; it makes the complexity of SCA grow exponentially with its order $d$. The most general version of masking is based on error-correcting codes. It has the advantage of offering, in principle, protection against both types of attacks (SCA and FIA), but all the functions implemented in the algorithm need to be masked accordingly, which is not a simple task in general. We propose a particular version of such a construction that has several advantages: it has a very low computation complexity, it offers concrete protection against both SCA and FIA, and it allows flexibility: not being specifically dedicated to AES, it can be applied to any block cipher with any S-boxes. In the state of the art, masking schemes all come with pros and cons concerning the different types of complexity (time, memory, amount of randomness). Our masking scheme concretely achieves the complexity of the best known scheme, for each complexity type.

    Quasi-linear masking to protect against both SCA and FIA

    The implementation of cryptographic algorithms must be protected against physical attacks. Side-channel and fault injection analyses are two prominent such implementation-level attacks. Protections against either do exist; they are characterized by security orders: the higher the order, the more difficult the attack. In this paper, we leverage the fast discrete Fourier transform to reduce the complexity of high-order masking, and extend it to allow for fault detection and/or correction. The security paradigm is that of code-based masking. Coding theory is amenable both to mixing the information and masking material at a prescribed order, and to detecting and/or correcting errors purposely injected by an attacker. For the first time, we show that quasi-linear masking (pioneered by Goudarzi, Joux and Rivain at ASIACRYPT 2018) can be achieved alongside cost amortisation. This technique consists in masking several symbols/bytes with the same masking material, thereby improving the efficiency of the masking. Similarly, it allows the detection capability of codes to be optimized, as linear codes become more efficient as the information to protect gets longer. Namely, we prove mathematically that our scheme features a side-channel security order of $d+1-t$, detects $d$ faults and corrects $\lfloor (d-1)/2 \rfloor$ faults, where $2d+1$ is the encoding length and $t$ is the information size ($t \geq 1$). Applied to AES, one can get side-channel protection of order $d=7$ when masking one column/line ($t=4$ bytes) at once. In addition to the theory, which makes use of the Frobenius Additive Fast Fourier Transform, we show performance results, both in software and hardware.

    Error-correcting codes in the service of symmetric and asymmetric cryptography

    In the first part of this thesis, we study different masking methods to protect embedded cryptosystems against physical attacks. We present some masking methods to protect the AES against SCA and FIA. Each of these methods is based on a particular structure. We also study the details of the AES in order to evaluate more precisely how these methods apply and to measure the complexity of each. This study shows the difficulty of both masking the two operations that compose the AES (addition and multiplication) and, at the same time, detecting potential errors. To overcome this problem, we designed a masking method based on LCD codes. This method protects against both types of attacks. Thus, it is now possible to mask the addition and the multiplication and to detect potential errors. The proposed solution also brings an interesting gain in terms of algorithmic complexity. In the second part, we study issues related to key management for asymmetric encryption systems. We study different key management infrastructures, particularly certificate-based schemes (PKI) and identity-based encryption (IBE). We study the work done in recent years on IBE. We outline the requirements that a key management system must meet; these relate in particular to the problem of revocation, key escrow, and decentralization. Finally, we present a flexible version of IBE that meets these requirements and answers a real need in the industrial world.

    Polynomial direct sum masking to protect against both SCA and FIA

    International audience

    Quasi-linear masking against SCA and FIA, with cost amortization

    The implementation of cryptographic algorithms must be protected against physical attacks. Side-channel and fault injection analyses are two prominent such implementation-level attacks. Protections against either do exist. Against side-channel attacks, they are characterized by SNI security orders: the higher the order, the more difficult the attack. In this paper, we leverage the fast discrete Fourier transform to reduce the complexity of high-order masking. The security paradigm is that of code-based masking. Coding theory is amenable both to masking material at a prescribed order, by mixing the information, and to detecting and/or correcting errors purposely injected by an attacker. For the first time, we show that quasi-linear masking (pioneered by Goudarzi, Joux and Rivain at ASIACRYPT 2018) can be achieved alongside cost amortisation. This technique consists in masking several symbols/bytes with the same masking material, thereby improving the efficiency of the masking. We provide a security proof, leveraging both coding and probing security arguments. Regarding fault detection, our masking is capable of detecting up to $d$ faults, where $2d+1$ is the length of the code, at any point of the algorithm, including within gadgets. In addition to the theory, which makes use of the Frobenius Additive Fast Fourier Transform, we show performance results from a C language implementation, which confirm in practice that the complexity is quasi-linear in the code length.