Security Order of Gate-Level Masking Schemes

Masking schemes have been introduced to thwart side-channel attacks. In software applications, attackers can measure leakage at several points in time and combine them to defeat the masking. In hardware gate-level masking, all shares of a masked variable are manipulated at the same time in a nanoscale circuit. In this article, we focus on setups where the attacker uses one mesoscopic probe, which measures an aggregated leakage of all shares. We consider masking schemes where each bit is randomly split (by XOR) into so-called shares (two or more). We analyze two interesting case studies about the interrelationship of attack order vs. the number of shares. First of all, we show that when the unique probe is measuring the sum of each share's individual leakage (so-called Hamming weight model), one measurement can reveal the sensitive unshared value, provided the attacker is able to determine the leakage's least significant bit. Second, we analyze a hardware masking belonging to threshold schemes. Such schemes require fulfilling a so-called incompleteness property, whereby some input shares must be absent from output shares. We analyze a first-order incomplete scheme, i.e., where the number of missing input shares is equal to one. In schemes such as threshold implementation, this requires the number of shares to be strictly more than two. Hence the natural question is whether such a scheme would resist high-order attacks of order also strictly more than two? We answer by the negative, and show that the lowest attack order is two: the security of such a masking scheme is governed by the order of incompleteness and not by the number of shares. We verify our findings using four different sets of experiments including theoretical analysis, digital simulation, HSpice simulation and also real-silicon (FPGA emulation).