[Resource Topic] 2023/1117: Mask Compression: High-Order Masking on Memory-Constrained Devices

Resource Implementation
#1

Welcome to the resource topic for 2023/1117

Title:
Mask Compression: High-Order Masking on Memory-Constrained Devices

Authors: Markku-Juhani O. Saarinen, Mélissa Rossi

Abstract:

Masking is a well-studied method for achieving provable security against side-channel attacks. In masking, each sensitive variable is split into d randomized shares, and computations are performed with those shares. In addition to the computational overhead of masked arithmetic, masking also has a storage cost, increasing the requirements for working memory and secret key storage proportionally with d.

In this work, we introduce mask compression. This conceptually simple technique is based on standard, non-masked symmetric cryptography. Mask compression allows an implementation to dynamically replace individual shares of large arithmetic objects (such as polynomial rings) with \kappa-bit cryptographic seeds (or temporary keys) when they are not in computational use. Since \kappa does not need to be larger than the security parameter (e.g., \kappa=256 bits) and each polynomial share may be several kilobytes in size, this radically reduces the memory requirement of high-order masking. Overall provable security properties can be maintained by using appropriate gadgets to manage the compressed shares. We describe gadgets with Non-Inteference (NI) and composable Strong-Non Interference (SNI) security arguments.

Mask compression can be applied in various settings, including symmetric cryptography, code-based cryptography, and lattice-based cryptography. It is especially useful for cryptographic primitives that allow quasilinear-complexity masking and hence are practically capable of very high masking orders. We illustrate this with a d=32 (Order-31) implementation of the recently introduced lattice-based signature scheme Raccoon on an FPGA platform with limited memory resources.

ePrint: https://eprint.iacr.org/2023/1117

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .