Second-Order SCA Security with almost no Fresh Randomness

Abstract

Masking schemes are among the most popular countermeasures against Side-ChannelAnalysis (SCA) attacks. Realization of masked implementations on hardware facesseveral difficulties including dealing with glitches. Threshold Implementation (TI) isknown as the first strategy with provable security in presence of glitches. In additionto the desired security orderd, TI defines the minimum number of shares to alsodepend on the algebraic degree of the target function. This may lead to unaffordableimplementation costs for higher orders. For example, at least five shares are requiredto protect the smallest nonlinear function against second-order attacks. By cuttingsuch a dependency, the successor schemes are able to achieve the same security levelby justd+ 1shares, at the cost of high demand for fresh randomness, particularly athigher orders.In this work, we provide a methodology to realize the second-order glitch-extendedprobing-secure implementation of a group of quadratic functions with three shares andno fresh randomness. This allows us to construct second-order secure implementationsof several cryptographic primitives with very limited number of fresh masks, includingKeccak, SKINNY, Midori, PRESENT, and PRINCE.