Polynomial sharings on two secrets: Buy one, get one free

While passive side-channel attacks and active fault attacks have been studied intensively in the last few decades, strong attackers combining these attacks have only been studied relatively recently. Due to its simplicity, most countermeasures against passive attacks are based on additive sharing. U...

Full description

Saved in:
Bibliographic Details
Published in:IACR transactions on cryptographic hardware and embedded systems Vol. 2024; no. 3; pp. 671 - 706
Main Authors: Arnold, Paula, Berndt, Sebastian, Eisenbarth, Thomas, Orlt, Maximilian
Format: Journal Article
Language:English
Published: Ruhr-Universität Bochum 18.07.2024
Subjects:
Leakage/Fault Resilience
Parallel Computation
Polynomial Masking
ISSN:2569-2925, 2569-2925
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:While passive side-channel attacks and active fault attacks have been studied intensively in the last few decades, strong attackers combining these attacks have only been studied relatively recently. Due to its simplicity, most countermeasures against passive attacks are based on additive sharing. Unfortunately, extending these countermeasures against faults often leads to quite a significant performance penalty, either due to the use of expensive cryptographic operations or a large number of shares due to massive duplication. Just recently, Berndt, Eisenbarth, Gourjon, Faust, Orlt, and Seker thus proposed to use polynomial sharing against combined attackers (CRYPTO 2023). While they construct gadgets secure against combined attackers using only a linear number of shares, the overhead introduced might still be too large for practical scenarios.In this work, we show how the overhead of nearly all known constructions using polynomial sharing can be reduced by nearly half by embedding two secrets in the coefficients of one polynomial at the expense of increasing the degree of the polynomial by one. We present a very general framework that allows adapting these constructions to this new sharing scheme and prove the security of this approach against purely passive side-channel attacks, purely active fault attacks, and combined attacks. Furthermore, we present new gadgets allowing us to operate upon the different secrets in a number of useful ways.
ISSN:2569-2925
2569-2925
DOI:10.46586/tches.v2024.i3.671-706