International Association for Cryptologic Research


Transactions on Cryptographic Hardware and Embedded Systems, Volume 2021

Breaking Masked Implementations with Many Shares on 32-bit Software Platforms:

or When the Security Order Does Not Matter


Olivier Bronchain
Crypto Group, ICTEAM Institute, UCLouvain, Louvain-la-Neuve, Belgium

François-Xavier Standaert
Crypto Group, ICTEAM Institute, UCLouvain, Louvain-la-Neuve, Belgium


Keywords: Higher-Order Masking, Bitslice Software, Physical Security Evaluations, Profiled Side-Channel Analysis, Dimensionality Reduction, SASCA


Abstract

We explore the concrete side-channel security provided by state-of-the-art higher-order masked software implementations of the AES and of Clyde (a candidate to the NIST Lightweight Cryptography competition), in ARM Cortex-M0 and M3 devices. Rather than looking for possibly reduced security orders (as frequently considered in the literature), we directly target these implementations by assuming their maximum security order and aim at reducing their noise level thanks to multivariate, horizontal and analytical attacks. Our investigations point out that the Cortex-M0 device has so limited physical noise that masking is close to ineffective. The Cortex-M3 shows a better trend but still requires a large number of shares to provide strong security guarantees. Practically, we first exhibit a full 128-bit key recovery in less than 10 traces for a 6-share masked AES implementation running on the Cortex-M0, requiring 2^32 enumeration power. A similar attack performed against the Cortex-M3 with 5 shares requires 1,000 measurements with 2^44 enumeration power. We then show the positive impact of lightweight block ciphers with a limited number of AND gates for side-channel security, and compare our attacks against a masked Clyde with the best reported attacks of the CHES 2020 CTF. We complement these experiments with a careful information theoretic analysis, which allows interpreting our results. We also discuss our conclusions under the umbrella of “backwards security evaluations” recently put forward by Azouaoui et al. We finally extrapolate the evolution of the proposed attack complexities in the presence of additional countermeasures using the local random probing model proposed at CHES 2020.

Publication

Transactions on Cryptographic Hardware and Embedded Systems, Volume 2021, Issue 3

Paper

Artifact

Artifact number
tches/2021/a13

Artifact published
August 1, 2021

README

ZIP (1.2 MB)

View on Github

License
AGPLv3 This work is licensed under the GNU Affero General Public License version 3.


BibTeX How to cite

Bronchain, O., & Standaert, F.-X. (2021). Breaking Masked Implementations with Many Shares on 32-bit Software Platforms: or When the Security Order Does Not Matter. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2021(3), 202–234. https://doi.org/10.46586/tches.v2021.i3.202-234. Artifact at https://artifacts.iacr.org/tches/2021/a13.