RS-Mask: Random Space Masking as an Integrated Countermeasure against Power and Fault Analysis
While modern masking schemes provide provable security against passive side-channel analysis (SCA), such as power analysis, single faults can be employed to recover the secret key of ciphers even in masked implementations. In this paper, we propose random space masking (RS-Mask) as a countermeasure against both power analysis and statistical fault analysis (SFA) techniques. In the RS-Mask scheme, the distribution of all sensitive variables, faulty and/or correct values is uniform, and it therefore protects the implementations against any SFA technique that exploits the distribution of intermediate variables, including fault sensitivity analysis (FSA), statistical ineffective fault analysis (SIFA) and fault intensity map analysis (FIMA). We implement RS-Mask on AES, and show that a SIFA attack is not able to identify the correct key. We additionally show that an FPGA implementation of AES, protected with RS-Mask, is resistant to power analysis SCA using Welch's t-test. The area of the RS-Masked AES is about 3.5 times that of an unprotected AES implementation of similar architecture, and about 2 times that of a known FPGA SCA-resistant AES implementation. Finally, we introduce infective RS-Mask that provides security against differential techniques, such as differential fault analysis (DFA) and differential fault intensity analysis (DFIA), with a slight increase in overhead.
READ FULL TEXT