Low Randomness Masking and Shulfifgn: An Evaluation Using Mutual Information (slide deck)



SLIDE 1

Low Randomness Masking and Shulfifgn:
An Evaluation Using Mutual Information

Kostas Papagiannopoulos, kostaspap88@gmail.com, kpcrypto.net
Radboud University Nijmegen, Digital Security Department, The Netherlands

SLIDE 2

Overview

  • Masking, shuffling and the cost of RNG
  • New countermeasure variants that recycle randomness
  • Pitfalls in formal security and noise amplification

SLIDE 3

Introduction

Masking and Shuffling Schemes Against Side-Channel Analysis


SLIDE 5

Introduction: Masking Schemes

  • One of the most popular countermeasures against SCA
  • Forces the adversary to recombine shares
  • Performs noise amplification [1]
  • Computationally demanding in operations and RNG: $O(n^2)$ random elements for an ISW multiplication with $n$ shares [2]

(Figure: secret S split into shares S0 … S7)

[1] Suresh Chari, Charanjit S. Jutla, Josyula R. Rao, and Pankaj Rohatgi. Towards sound approaches to counteract power-analysis attacks.
[2] Yuval Ishai, Amit Sahai, and David Wagner. Private circuits: Securing hardware against probing attacks.


SLIDE 7

Introduction: Shuffling Schemes

  • Widely deployed countermeasure
  • Permutes blocks
  • Performs noise amplification [3]
  • Computationally demanding in RNG: approx. $k \cdot \lceil \log_2 k \rceil$ random bits for $k$ operations shuffled [4]

(Figure: Sbox1 Sbox2 Sbox3 Sbox4 permuted to Sbox3 Sbox1 Sbox4 Sbox2)

[3] Nicolas Veyrat-Charvillon, Marcel Medwed, Stéphanie Kerckhof, and François-Xavier Standaert. Shuffling against side-channel attacks: A comprehensive study with cautionary note.
[4] Donald E. Knuth. The Art of Computer Programming, Volume 2 (3rd Ed.): Seminumerical Algorithms.


SLIDE 14

Introduction: RNG Overhead

  • The RNG constitutes a considerable performance overhead
  • 2nd-order AES on AVR, pseudoRNG [5]: Cipher 62%, RNG 38%
  • 2nd-order PRESENT on ARM Cortex-M4, trueRNG [6]: Cipher 75%, RNG 25%
  • 4th-order AES on ARM Cortex-A with NEON assembly, /dev/urandom [7]: Cipher 1%, RNG 99%

[5] Josep Balasch, Sebastian Faust, Benedikt Gierlichs, Clara Paglialonga, and François-Xavier Standaert. Consolidating inner product masking.
[6] Wouter de Groot, Kostas Papagiannopoulos, Antonio de La Piedra, Erik Schneider and Lejla Batina. Bitsliced masking and ARM: Friends or foes?
[7] Benjamin Gregoire, Kostas Papagiannopoulos, Peter Schwabe and Ko Stoffelen. Vectorizing Higher-Order Masking.

SLIDE 15

Recycled Randomness Masking

Reducing the RNG overhead in masking with RRM

SLIDE 16

RRM: Example

  • Assume two 2nd-order secure, independent ISW multiplication gadgets $z = xy$ and $c = ab$ (3 shares each; $w_0, w_1, w_2$ and $t_0, t_1, t_2$ are the fresh random values of the first and second gadget):

$z_0 = x_0 y_0 \oplus w_0 \oplus w_1$
$z_1 = x_1 y_1 \oplus ((w_0 \oplus x_0 y_1) \oplus x_1 y_0) \oplus w_2$
$z_2 = x_2 y_2 \oplus ((w_1 \oplus x_0 y_2) \oplus x_2 y_0) \oplus ((w_2 \oplus x_1 y_2) \oplus x_2 y_1)$

$c_0 = a_0 b_0 \oplus t_0 \oplus t_1$
$c_1 = a_1 b_1 \oplus ((t_0 \oplus a_0 b_1) \oplus a_1 b_0) \oplus t_2$
$c_2 = a_2 b_2 \oplus ((t_1 \oplus a_0 b_2) \oplus a_2 b_0) \oplus ((t_2 \oplus a_1 b_2) \oplus a_2 b_1)$


SLIDE 18

RRM: Example

  • Recycle some random numbers from the first to the second gadget: $t_0, t_1$ are replaced by $w_0, w_1$ (randomness cost reduced by 2 random numbers)
  • Formal security verification [8]: the 2-multiplication gadget is 2-NI

$z_0 = x_0 y_0 \oplus w_0 \oplus w_1$
$z_1 = x_1 y_1 \oplus ((w_0 \oplus x_0 y_1) \oplus x_1 y_0) \oplus w_2$
$z_2 = x_2 y_2 \oplus ((w_1 \oplus x_0 y_2) \oplus x_2 y_0) \oplus ((w_2 \oplus x_1 y_2) \oplus x_2 y_1)$

$c_0 = a_0 b_0 \oplus w_0 \oplus w_1$
$c_1 = a_1 b_1 \oplus ((w_0 \oplus a_0 b_1) \oplus a_1 b_0) \oplus t_2$
$c_2 = a_2 b_2 \oplus ((w_1 \oplus a_0 b_2) \oplus a_2 b_0) \oplus ((t_2 \oplus a_1 b_2) \oplus a_2 b_1)$

[8] Jean-Sebastien Coron. Formal Verification of Side-channel Countermeasures via Elementary Circuit Transformations.


SLIDE 20

RRM: Example

  • Recycle more: $t_2$ is also replaced by $w_2$ (randomness cost reduced by 3 random numbers)
  • Formal security verification: INSECURE, check $z_2 \oplus c_2$

$z_0 = x_0 y_0 \oplus w_0 \oplus w_1$
$z_1 = x_1 y_1 \oplus ((w_0 \oplus x_0 y_1) \oplus x_1 y_0) \oplus w_2$
$z_2 = x_2 y_2 \oplus ((w_1 \oplus x_0 y_2) \oplus x_2 y_0) \oplus ((w_2 \oplus x_1 y_2) \oplus x_2 y_1)$

$c_0 = a_0 b_0 \oplus w_0 \oplus w_1$
$c_1 = a_1 b_1 \oplus ((w_0 \oplus a_0 b_1) \oplus a_1 b_0) \oplus w_2$
$c_2 = a_2 b_2 \oplus ((w_1 \oplus a_0 b_2) \oplus a_2 b_0) \oplus ((w_2 \oplus a_1 b_2) \oplus a_2 b_1)$

  • Recycling excessively can hurt probing security even between independent gadgets
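To make the two verdicts above concrete, here is an added example (not code from the talk or its paper): it builds both 3-share ISW gadgets as exhaustive truth tables over all 18 input bits and tests whether any one or two of the six output shares have a distribution that depends on the secrets x, y, a, b. It assumes that probes are restricted to the output shares (a full NI proof, as with the tool of [8], also covers every internal wire) and that recycling means the first `recycle` values of t are replaced by those of w.

```python
from itertools import combinations

# Each wire is a truth table over all NV inputs, kept as a Python int (bit k = value under assignment k).
NV = 18                   # x y a b | 8 sharing masks | w0 w1 w2 | t0 t1 t2
SIZE = 1 << NV
FULL = (1 << SIZE) - 1    # truth table of the constant 1
popcount = int.bit_count if hasattr(int, "bit_count") else (lambda v: bin(v).count("1"))
def var(i):
    """Truth table of input bit i: 2^i zeros then 2^i ones, repeated."""
    out, width = ((1 << (1 << i)) - 1) << (1 << i), 2 << i
    while width < SIZE:
        out |= out << width
        width <<= 1
    return out

V = [var(i) for i in range(NV)]
x, y, a, b = V[0:4]                      # the four secret inputs
mx0, mx1, my0, my1, ma0, ma1, mb0, mb1 = V[4:12]
w, t = V[12:15], V[15:18]                # fresh randomness of gadget 1 / gadget 2

def share(s, m0, m1):                    # Boolean 3-sharing of s with masks m0, m1
    return (m0, m1, s ^ m0 ^ m1)
def isw3(p, q, r):
    """2nd-order ISW multiplication, bracketed exactly as on the slide."""
    o0 = (p[0] & q[0]) ^ r[0] ^ r[1]
    o1 = (p[1] & q[1]) ^ ((r[0] ^ (p[0] & q[1])) ^ (p[1] & q[0])) ^ r[2]
    o2 = ((p[2] & q[2]) ^ ((r[1] ^ (p[0] & q[2])) ^ (p[2] & q[0]))
          ^ ((r[2] ^ (p[1] & q[2])) ^ (p[2] & q[1])))
    return [o0, o1, o2]
def output_shares(recycle):
    """z = xy uses w; c = ab uses t with its first `recycle` values taken from w."""
    z = isw3(share(x, mx0, mx1), share(y, my0, my1), w)
    c = isw3(share(a, ma0, ma1), share(b, mb0, mb1), w[:recycle] + t[recycle:])
    return z + c                          # [z0, z1, z2, c0, c1, c2]

def indicator(values, wires):            # truth table of "wire_i == bit i of values"
    m = FULL
    for i, wire in enumerate(wires):
        m &= wire if (values >> i) & 1 else wire ^ FULL
    return m

SECRET_IND = [indicator(v, (x, y, a, b)) for v in range(16)]

def independent_of_secrets(probes):
    """True iff the joint distribution of the probes is the same for every (x, y, a, b)."""
    dists = {tuple(popcount(ind & indicator(v, probes))
                   for v in range(1 << len(probes))) for ind in SECRET_IND}
    return len(dists) == 1

def output_probing_secure(recycle, order=2):
    """Every set of at most `order` output-share probes must be independent."""
    outs = output_shares(recycle)
    return all(independent_of_secrets(p)
               for k in range(1, order + 1) for p in combinations(outs, k))
```

With two recycled values every pair of output shares still looks uniform, while with three the pair (z2, c2) fails because all the randomness cancels in their sum, exactly the check the slide names.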

SLIDE 21

RRM: Efficient Gadgets

  • Search for 2-multiplication, NI gadgets that recycle randomness

Randomness Cost Table (random elements for 2-mult ISW gadgets [2] and 2-mult BBP gadgets [9], by security order):

| Recycling | ISW order 1 | ISW order 2 | ISW order 3 | BBP order 1 | BBP order 2 | BBP order 3 |
| Yes       | 1           | 4           | 8           | 1           | 2           | 6           |
| No        | 2           | 6           | 12          | 2           | 4           | 8           |

[2] Yuval Ishai, Amit Sahai, and David Wagner. Private circuits: Securing hardware against probing attacks.
[9] Sonia Belaïd, Fabrice Benhamouda, Alain Passelègue, Emmanuel Prouff, Adrian Thillard, and Damien Vergnaud. Randomness complexity of private circuits for multiplication.


SLIDE 23

RRM: Noise Amplification Pitfall

  • Central Limit Theorem: let a random number occur $m$ times, emitting leakages $L_1, L_2, \ldots, L_m \sim \mathcal{N}(\mu, \sigma)$
  • Averaging the leakages gives $L_{avg} = \frac{1}{m} \sum_{j=1}^{m} L_j \sim \mathcal{N}(\mu, \sigma / \sqrt{m})$, i.e. exploiting the recycling can de-noise the signal [10]
  • Consider 2 types of adversaries and perform an information-theoretic analysis [11]:
    C1: naive, doesn't see recycling
    C2: smart, can see leakages from recycling

[10] Alberto Battistello, Jean-Sébastien Coron, Emmanuel Prouff, and Rina Zeitoun. Horizontal side-channel attacks and countermeasures on the ISW masking scheme.
[11] François-Xavier Standaert, Tal Malkin, and Moti Yung. A unified framework for the analysis of side-channel key recovery attacks.


SLIDE 28

RRM: Noise Amplification Pitfall

  1. The naive adversary C1 cannot take advantage of recycling
  2. The smart adversary C2 can shift the curve to the right
  3. Excessive recycling can damage the security
  4. RRM is a tradeoff between security and randomness cost

SLIDE 29

Reduced Randomness Shuffling

Reducing the RNG overhead in shuffling with RRS


SLIDE 31

RRS: Original Shuffling

(Figure: 3 layers of 4 blocks each; Shuffle Layer1, Shuffle Layer2 and Shuffle Layer3 are drawn independently)

Randomness cost:
  • Shuffle 3 layers independently
  • Each layer must shuffle 4 blocks
  • $3 \cdot 4 \cdot \log_2 4 = 24$ bits


SLIDE 33

RRS: Partitioned Shuffling

  • Partition the layers in two, i.e. partition factor $p = 2$

(Figure: 3 layers of 4 blocks each; every layer is split into two permutations)

  • Randomness cost:
    • Shuffle 6 layers independently
    • Each partitioned layer shuffles 2 blocks
    • $6 \cdot 2 \cdot \log_2 2 = 12$ bits $< 24$ bits



SLIDE 36

RRS: Merged Shuffling

  • Merge the 2 layers and shuffle them together, i.e. merge factor $m = 2$

(Figure: 3 layers of 4 blocks each; Shuffle Merged Layer 1,2 and Shuffle Layer3)

  • Randomness cost:
    • Shuffle 2 layers: merged layer 1,2 and layer 3
    • Merged layer 1,2 has 4 blocks
    • Non-merged layer 3 has 4 blocks
    • $4 \cdot \log_2 4 + 4 \cdot \log_2 4 = 16$ bits $< 24$ bits
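Added example (not the author's code) that builds the execution schedule for the original, partitioned and merged variants of slides 31, 33 and 36 and charges randomness with the slides' $k \cdot \lceil \log_2 k \rceil$ cost model. It assumes that partitioning splits each layer's blocks into p equal groups, each with its own permutation, and that merging runs m consecutive layers as one layer of compound blocks driven by a single permutation.

```python
import math
import random

def perm_bits(k):
    """Random bits charged for permuting k blocks under the slides' cost
    model, k * ceil(log2 k) (a Knuth shuffle, rounded up per draw)."""
    return k * math.ceil(math.log2(k)) if k > 1 else 0

def schedule(layers, blocks, partition=1, merge=1, seed=0):
    """Return the execution order of (layer, block) pairs and the random
    bits spent. partition p: each layer's blocks form p groups, each with
    its own permutation. merge m: m consecutive layers become one layer of
    compound blocks, so one permutation drives all of them (assumption)."""
    rng, bits, order = random.Random(seed), 0, []
    per_group = blocks // partition
    for first in range(0, layers, merge):
        merged = range(first, min(first + merge, layers))
        for g in range(partition):
            base = g * per_group
            perm = list(range(per_group))
            rng.shuffle(perm)                  # Fisher-Yates, as in Knuth [4]
            bits += perm_bits(per_group)
            for i in perm:                     # a compound block runs its
                for layer in merged:           # merged layers back to back
                    order.append((layer, base + i))
    return order, bits

def cost_bits(layers, blocks, partition=1, merge=1):
    """Randomness cost alone: 24 / 12 / 16 bits for the three slide variants."""
    return schedule(layers, blocks, partition, merge)[1]
```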


SLIDE 39

RRS: Noise Amplification

  1. Partitioning or merging layers can reduce the randomness cost
  2. Like RRM, it damages the noise amplification stage of shuffling
  3. RRS is a tradeoff between security and randomness cost

SLIDE 40

Future Directions

Towards parametric design for side-channel countermeasures


SLIDE 42

Future Directions: RNG

  • We have demonstrated how to reduce the randomness cost in masking and shuffling
  • Establish the required properties for a generator used in side-channel protection


SLIDE 46

Future Directions: Parametric Design

  • Modern architecture: $x$th-order masking
  • Parametric architecture: multitude of countermeasure variants to choose from, e.g. $x$th-order masking with $y$ recycled random numbers and merged shuffling of $z$ cipher layers

(Figure: Athens Tower, 1971; Turning Torso, Malmö, 2005)