TY - JOUR AU - Costes, Nicolas AU - Stam, Martijn PY - 2020/12/03 Y2 - 2024/03/28 TI - Redundant Code-based Masking Revisited JF - IACR Transactions on Cryptographic Hardware and Embedded Systems JA - TCHES VL - 2021 IS - 1 SE - Articles DO - 10.46586/tches.v2021.i1.426-450 UR - https://tches.iacr.org/index.php/TCHES/article/view/8740 SP - 426-450 AB - <p>Masking schemes are a popular countermeasure against side-channel attacks. To mask bytes, the two classical options are Boolean masking and polynomial masking. The latter lends itself to redundant masking, where leakage emanates from more shares than are strictly necessary to reconstruct, raising the obvious question how well such “redundant” leakage can be exploited by a side-channel adversary. We revisit the recent work by Chabanne et al. (CHES’18) and show that, contrary to their conclusions, said leakage can—in theory—always be exploited. For the Hamming weight scenario in the low-noise regime, we heuristically determine how security degrades in terms of the number of redundant shares for first and second order secure polynomial masking schemes.<br>Furthermore, we leverage a well-established link between linear secret sharing schemes and coding theory to determine when different masking schemes will end up with essentially equivalent leakage profiles. Surprisingly, we conclude that for typical field sizes and security orders, Boolean masking is a special case of polynomial masking. We also identify quasi-Boolean masking schemes as a special class of redundant polynomial masking and point out that the popular “Frobenius-stable” sets of interpolations points typically lead to such quasi-Boolean masking schemes, with subsequent degraded leakage performance.</p> ER -