## Fast verification of masking schemes in characteristic two. (English) Zbl 1479.94296

Canteaut, Anne (ed.) et al., Advances in cryptology – EUROCRYPT 2021. 40th annual international conference on the theory and applications of cryptographic techniques, Zagreb, Croatia, October 17–21, 2021. Proceedings. Part II. Cham: Springer. Lect. Notes Comput. Sci. 12697, 283-312 (2021).
Summary: We revisit the matrix model for non-interference (NI) probing security of masking gadgets introduced by S. Belaïd et al. [Lect. Notes Comput. Sci. 12107, 311–341 (2020; Zbl 07436949)]. This leads to two main results.

1) We generalise the theorems on which this model is based, so as to be able to apply them to masking schemes over any finite field – in particular $$\mathbb{F}_2$$ – and to be able to analyse the strong non-interference (SNI) security notion. We also follow S. Faust et al. [“Composable masking schemes in the presence of physical defaults & the robust probing model”, IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018, No. 3, 89–120 (2018; doi:10.13154/tches.v2018.i3.89-120)] to additionally consider a robust probing model that takes hardware defects such as glitches into account.
2) We exploit this improved model to implement a very efficient verification algorithm that improves the performance of state-of-the-art software by three orders of magnitude. We show applications to variants of the NI and SNI multiplication gadgets from [G. Barthe et al., Lect. Notes Comput. Sci. 10210, 535–566 (2017; Zbl 1411.94050)], which we verify to be secure up to order 11 after a significant parallel computation effort, whereas the previous largest proven order was 7; to SNI refreshing gadgets; and to the NI multiplication gadgets from H. Groß et al. [“Domain-oriented masking: compact masked hardware implementations with arbitrary protection order”, in: Proceedings of the 2016 ACM workshop on theory of implementation security, TIS’16, Vienna, Austria, 2016. New York, NY: Association for Computing Machinery (ACM). 3 (2016; doi:10.1145/2996366.2996426)], which are secure in the presence of glitches. We also reduce the randomness cost of some existing gadgets, notably for the implementation-friendly case of 8 shares, improving the previous best results by 17% (resp. 19%) for SNI multiplication (resp. refreshing).
For the entire collection see [Zbl 1475.94011].

### MSC:

- 94A62 Authentication, digital signatures and secret sharing
- 94A60 Cryptography
- 68P25 Data encryption (aspects in computer science)

### Citations:

- Zbl 1411.94050
- Zbl 07436949