On the Practical Security of a Leakage Resilient Masking Scheme

Implementations of cryptographic algorithms are vulnerable to Side-Channel Analyses extracting information from the device behaviour. When such an attack targets the manipulation of several, say

d

, intermediate variables then it is said to be a

d

th

-order one. A privileged way to circumvent this type of attacks is to split any key-dependent variable into

n

shares, with

n

 > 

d

, and to adapt the internal processing in order to securely operate on these shares. The latter step is often very tricky and few schemes have been proposed which address this issue in a sound way.

At Asiacrypt 2012, Balasch et al. proposed a new scheme based on the inner-product sharing introduced the same year by Dziembowski and Faust at TCC. This scheme is the first one to aim at provable security in two different security models: the continuous bounded-range leakage model and the

d

th

-order side-channel security model (sometimes called

d

-probing model).

In this paper, we contradict the

d

th

-order security claim by exhibiting some first-order information leakages. Namely, we show that some intermediate variables of the scheme depend on secret information whatever the number of shares. This result is of importance since this kind of flaw is considered as a dead-end point when evaluating the practical security of an implementation. To illustrate the effectiveness of the flaw, we perform an information theoretic evaluation of the first-order leakage and we provide simulation results for a standard side-channel attack against the scheme.