Low-Latency and Low-Randomness Second-Order Masked Cubic Functions

Abstract

Masking schemes are the most popular countermeasure to mitigate Side-Channel Analysis (SCA) attacks. Compared to software, their hardware implementa-tions require certain considerations with respect to physical defaults, such as glitches.To counter this extended leakage effect, the technique known as Threshold Imple-mentation (TI) has proven to be a reliable solution. However, its efficiency, namelythe number of shares, is tied to the algebraic degree of the target function. As aresult, the application of TI may lead to unaffordable implementation costs. Thisdependency is relaxed by the successor schemes where the minimum number ofd+ 1shares suffice fordth-order protection independent of the function’s algebraic degree.By this, although the number of input shares is reduced, the implementation costsare not necessarily low due to their high demand for fresh randomness. It becomeseven more challenging when a joint low-latency and low-randomness cost is desired.In this work, we provide a methodology to realize the second-order glitch-extendedprobing-secure implementation of cubic functions with three shares while allowingto reuse fresh randomness. This enables us to construct low-latency second-ordersecure implementations of several popular lightweight block ciphers, includingSkinny,Midori, andPrince, with a very limited number of fresh masks. Notably, comparedto state-of-the-art equivalent implementations, our designs lower the latency in terms of the number of clock cycles while keeping randomness costs low.