Table Recomputation-Based Higher-Order Masking Against Horizontal Attacks

Masking is a class of well-known countermeasure against side-channel analysis by employing the idea of secret sharing. The theoretical security proof model of higher-order masking was initiated by Ishai, Sahai, and Wagner, and Barthe et al. pushed forward it by proposing a more refine security definition named as t-SNI security. In CHES 2016, a new attack called horizontal side-channel attacks (HSCAs) came forward and successfully broke the Rivain-Prouff countermeasure, which has been proved to satisfy the t-SNI security. It presents a dilemma: instead of more secure, masking with higher-order may be more vulnerable due to the HSCA. Although there already exists an effective countermeasure for the Rivain-Prouff scheme, it is quite difficult to apply this method in the table recomputation-based higher-order masking schemes, such as the scheme introduced by Coron in EUROCRYPT 2014. To fill this gap, we propose a new table recomputation-based higher-order masking scheme, named as table compression masking (TCM) scheme. While meeting the t-SNI security, our new countermeasure is also secure against the HSCA. We give the formal security proof under the t-SNI security definition, as well as a heuristic security analysis considering the HSCA. Our analysis shows that, by dividing the full lookup table into many distinct parts and shifting them by refreshed shares, the same share will never be manipulated for more than twice in TCM scheme. This feature gives a heuristic security against HSCA. To our best knowledge, our countermeasure is the first solution for table recomputation-based higher-order masking to resist HSCA.