A note on the security of threshold implementations with d+1 input shares
Authors

Abstract
Recently, threshold implementations (TI) with d+1 input shares have been proposed at Crypto 2015. This optimization aims for more lightweight TI designs while keeping the glitch resistance of the original concept. In this note, we consider such an approach and provide preliminary simulation-based evidence, backed by empirical results, of the existence of d-order leakages. We conclude that, while for first-order TI designs this solution can be overkill due to the extra randomness requirements, higher-order TIs can still benefit from it.

1 Threshold implementations

The major requirement to guarantee the security level of masking schemes is the so-called independent leakage assumption (jeopardized by glitches, cross-talk or memory transitions). Yet, practical investigations (cf. [6,7]) have shown how hard it is to achieve such a property in hardware due to the propagation of glitches, i.e., bogus transitions in the output(s) of a combinatorial circuit within a clock cycle. In this context, threshold implementation (TI) is one of the few masking schemes that can ensure the resistance of masked hardware implementations to first-order attacks (cf. [10,11]); it was then extended, in the so-called HOTI, to any arbitrary order d (cf. [2]), based on sound security arguments. Typically, the d-order TI of, e.g., a single-bit output non-linear function $f : (x_1, \ldots, x_n) \mapsto y$ with algebraic degree t can be built with $s_{in} \ge t \cdot d + 1$ input shares and $s_{out} \ge \binom{s_{in}}{t}$ output shares. More recently, it has been suggested that d-order TIs can be designed using $s_{in} = d + 1$ input shares (i.e., independently of the algebraic degree t of the considered function f), therefore allowing for designs consuming less randomness and hardware resources (cf. [13]).

2 What can go wrong?

Early publications on TI designs claimed that one of their most noteworthy achievements was the fact that, when the output shares were uniformly distributed, no additional randomness was required.
However, in more recent works this statement has been shown to be true only for first-order secure designs (cf. [12,13]). More concretely, since the HOTI concept did not consider multivariate scenarios, if a number of shares from different clock cycles are combined, then a d-order TI can leak (exploitable) information at the d-order statistical moment. To the best of our knowledge, the only known mitigation to this issue is to insert a refreshing layer injecting fresh random bits after shared functions. In this cautionary note, we show that a tweaked TI design using d+1 input shares can still exhibit data dependencies at the d-order statistical moment.

Table 1: First-order (2,4)-share TI output behavior as a function of the given inputs. The four middle columns count how often each value of the output-share pair (y1,y2) occurs over all input sharings; μ and σ are the mean and variance of the pair; the last two columns are the conditional means μ0 and μ1 for X = 0 and X = 1, where the condition is labelled "x21 = X" in the source.

(x1,x2,x3)   (y1,y2)=(0,0)  (0,1)  (1,0)  (1,1)   μ   σ   x21 = X: μ0  μ1
(0,0,0)            4          0      0      4     1   1            0   2
(0,1,0)            4          0      0      4
(0,0,1)            4          0      0      4                      1   1
(1,1,1)            4          0      0      4
(0,1,1)            0          4      4      0     1   0            1   1
(1,0,0)            0          4      4      0
(1,0,1)            0          4      4      0
(1,1,0)            0          4      4      0

3 The shared AND/XOR function with 2 shares in [13]

Consider the AND/XOR module $y = f(x_1, x_2, x_3) = x_1 + x_2 \cdot x_3$ (i.e., with algebraic degree t = 2) in the KATAN block cipher, and its first-order TI representation with $s_{in} = 2$ input shares and $s_{out} = 4$ output shares as provided in [13]:
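As an added example (not code from the note or from [13]), the following Python enumeration takes an assumed textbook 2-input-share, 4-output-share sharing of the KATAN AND/XOR function y = x1 + x2·x3 and checks the properties the note relies on: correctness, the input-independence of single-share means (non-completeness, hence no first-order leakage), uniformity of the output sharing (whose failure is what forces the extra refreshing randomness), and a Table-1-style joint view of an output-share pair. The sharing is an assumption of this example, not the one of [13], so its numbers differ from Table 1.

```python
from itertools import product

# Assumed textbook first-order (2,4)-share TI of y = x1 + x2*x3: two input
# shares per variable, four output shares. This sharing is an assumption of
# this example and is NOT the sharing of [13] analysed in the note.
def shared_and_xor(a, b, c):
    # a, b, c are (share1, share2) pairs of x1, x2, x3. Each output share uses at
    # most one share of every input variable (non-completeness against glitches).
    return (a[0] ^ (b[0] & c[0]),
            b[0] & c[1],
            b[1] & c[0],
            a[1] ^ (b[1] & c[1]))

def input_sharings(x):
    # All 2^3 ways to split the plaintext x = (x1, x2, x3) into two shares each.
    for r in product((0, 1), repeat=3):
        yield tuple((ri, ri ^ xi) for ri, xi in zip(r, x))

def outputs(x):
    return [shared_and_xor(*s) for s in input_sharings(x)]

def correct(x):
    # Recombination: the XOR of the four output shares must equal x1 + x2*x3.
    y = x[0] ^ (x[1] & x[2])
    return all(sum(o) % 2 == y for o in outputs(x))

def first_order_means(x):
    # Mean of each single output share over all sharings of x; with a
    # non-complete sharing these do not depend on x (here 0.5, 0.25, 0.25, 0.5).
    outs = outputs(x)
    return tuple(sum(o[i] for o in outs) / len(outs) for i in range(4))

def uniform(x):
    # Uniformity: the 8 input sharings must hit 8 distinct output sharings of y.
    # When this fails, a refreshing layer with fresh random bits is needed.
    return len(set(outputs(x))) == 8

def pair_stats(x, i=0, j=1):
    # Table-1 style view of the joint behaviour of output shares (y_i, y_j):
    # counts per value, plus mean and variance of their Hamming weight.
    pairs = [(o[i], o[j]) for o in outputs(x)]
    counts = {v: pairs.count(v) for v in product((0, 1), repeat=2)}
    hw = [p + q for p, q in pairs]
    mu = sum(hw) / len(hw)
    var = sum((h - mu) ** 2 for h in hw) / len(hw)
    return counts, mu, var

if __name__ == "__main__":
    for x in product((0, 1), repeat=3):
        print(x, correct(x), first_order_means(x), uniform(x), *pair_stats(x))
```

For every plaintext the single-share means are identical while no plaintext yields a uniform output sharing, which is exactly the situation in which a d+1-share design has to pay for refreshing randomness.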
Journal:
- IACR Cryptology ePrint Archive
Volume 2016, issue
Pages -
Publication date 2016