Analysis and Design of Masking Schemes for Secure Cryptographic Implementations ; Analyse en ontwerp van maskeringsschema's voor veilige cryptografische implementaties
Author
Abstract
Masking is the central topic of this thesis based on publications. Masking is a technique that allows the secure execution of cryptographic algorithms in untrusted environments. More concretely, masking provides security guarantees even if an adversary observes side-channel leakage. We first propose a methodology to attack masked implementations more quickly. Our method is relevant in practice since it allows attacks that previously took months to be carried out in days. The proposed method first locates the relevant time samples for an attack and then only attacks those. For this purpose we rely on versatile information-theoretic tools. The second selected paper in this thesis deals with Differential Power Analysis, masking and bit-slicing at very high clock speeds, such as those typically found in today’s smartphones and personal electronic devices. We present an attack on an ARM Cortex-A8 running at 1 GHz, and then apply the principles of gate-level masking to develop a DPA-resistant bit-sliced AES implementation. In our third selected paper, we propose a new masking strategy for a post-quantum public-key algorithm: ring-LWE. Our solution is essentially arithmetic masking with a bespoke probabilistic decoder. Our approach fits in a standard FPGA and incurs manageable performance overheads. We explain in our fourth paper similarities and differences between theoretical and practical instances of masking schemes. These observations allow us to break some masking schemes proposed in literature and transfer attractive features from one scheme to another. To conclude, in the fifth paper we describe a simple, yet powerful tool to detect flaws in masking schemes. Sound masking schemes can be surprisingly difficult to design (especially if they provide higher-order security guarantees); our tool assists the design process of a masking scheme by assessing the soundness of a masking scheme at the algorithmic level before implementing it on an actual device.
Similar resources
CPA on COLM Authenticated Cipher and the Protection Using Domain-Oriented Masking
Authenticated encryption schemes are important cryptographic primitives that received extensive attention recently. They can provide both confidentiality and authenticity services simultaneously. Correlation power analysis (CPA) can be a threat for authenticated ciphers, as for any physical implementation of any other cryptographic scheme. In this paper, a three-step CPA attack against...
Threshold Implementation as a Countermeasure against Power Analysis Attacks
One of the usual ways to find sensitive data or secret parameters of cryptographic devices is to use their physical leakages. Power analysis is one of the attacks that fall under such a model. In comparison with other types of side channels, power analysis is very efficient and has a high success rate. So it is important to provide a countermeasure against it. Different types of countermeasures use ...
The Design and Analysis of Message Authentication and Authenticated Encryption Schemes ; Ontwerp en analyse van berichtverificatie- en geverifieerde encryptieschema's
Awareness of the significance of securing communication and data has increased dramatically due to the countless examples showing that systems with little or no protection can and will be attacked. Lack of adoption, or improper use of strong cryptographic techniques could be attributed to the fact that cryptographic solutions are not efficient enough, impose impractical constraints on their use...
Optimal Experimental Design for Calibration of Bioprocess Models: a Validated Software Toolbox ; Optimaal Experimenteel Ontwerp Voor Kalibrering Van Bioprocesmodellen: Een Gevalideerde Software Toolbox
Provably Secure Higher-Order Masking of AES
Implementations of cryptographic algorithms are vulnerable to Side Channel Analysis (SCA). To counteract it, masking schemes are usually involved which randomize key-dependent data by the addition of one or several random value(s) (the masks). When dth-order masking is involved (i.e. when d masks are used per key-dependent variable), the complexity of performing an SCA grows exponentially with ...