International Association for Cryptologic Research

International Association
for Cryptologic Research


Paper: Dynamic Random Probing Expansion with Quasi Linear Asymptotic Complexity

Sonia Belaïd , CryptoExperts
Matthieu Rivain , CryptoExperts
Abdul Rahman Taleb , CryptoExperts and Sorbonne Université
Damien Vergnaud , Sorbonne Université and Institut Universitaire de France
DOI: 10.1007/978-3-030-92075-3_6
Search ePrint
Search Google
Presentation: Slides
Conference: ASIACRYPT 2021
Abstract: The masking countermeasure is widely used to protect cryptographic implementations against side-channel attacks. While many masking schemes are shown to be secure in the widely deployed probing model, the latter raised a number of concerns regarding its relevance in practice. Offering the adversary the knowledge of a fixed number of intermediate variables, it does not capture the so-called horizontal attacks which exploit the repeated manipulation of sensitive variables. Therefore, recent works have focused on the random probing model in which each computed variable leaks with some given probability p. This model benefits from fitting better the reality of the embedded devices. In particular, Belaïd, Coron, Prouff, Rivain, and Taleb (CRYPTO 2020) introduced a framework to generate random probing circuits. Their compiler somehow extends base gadgets as soon as they satisfy a notion called random probing expandability (RPE). A subsequent work from Belaïd, Rivain, and Taleb (EUROCRYPT 2021) went a step forward with tighter properties and improved complexities. In particular, their construction reaches a complexity of O(κ^{3.9}), for a κ-bit security, while tolerating a leakage probability of p = 2^{−7.5}. In this paper, we generalize the random probing expansion approach by considering a dynamic choice of the base gadgets at each step in the expansion. This approach makes it possible to use gadgets with high number of shares –which enjoy better asymptotic complexity in the expansion framework– while still tolerating the best leakage rate usually obtained for small gadgets. We investigate strategies for the choice of the sequence of compilers and show that it can reduce the complexity of an AES implementation by a factor 10. We also significantly improve the asymptotic complexity of the expanding compiler by exhibiting new asymptotic gadget constructions. Specifically, we introduce RPE gadgets for linear operations featuring a quasi-linear complexity, as well as, an RPE multiplication gadget with linear number of multiplications. These new gadgets drop the complexity of the expanding compiler from quadratic to quasi-linear.
Video from ASIACRYPT 2021
  title={Dynamic Random Probing Expansion with Quasi Linear Asymptotic Complexity},
  author={Sonia Belaïd and Matthieu Rivain and Abdul Rahman Taleb and Damien Vergnaud},