Monomial Evaluation of Polynomial Functions Protected by Threshold Implementations: With an Illustration on AES

Abstract

In the context of side-channel countermeasures, threshold implementations (TI) have been introduced in 2006 by Nikova et al. to defeat attacks in presence of hardware effects called glitches. On several aspects, TI may be seen as an extension of another classical side-channel countermeasure, called masking, which is essentially based on the sharing of any internal state of the processing into independent parts (or shares). Among the properties of TI, uniform distribution of input and output shares is generally the most complicated to satisfy. Usually, this property is achieved by generating fresh randomness throughout the execution of the protected algorithm (e.g. the AES block cipher). In this paper, we combine the changing of the guards technique published by Daemen at CHES 2017 (which reduces the need for fresh randomness) with the work of Genelle et al. at CHES 2011 (which combines Boolean masking and multiplicative one) to propose a new TI without fresh randomness well suited to Substitution-Permutation Networks. As an illustration, we develop our proposal for the AES block cipher, and more specifically its non-linear part implemented thanks to a field inversion. In this particular context, we argue that our proposal is a valuable alternative to the state of the art solutions. More generally, it has the advantage of being easily applicable to the evaluation of any polynomial function, which was usually not the case of previous solutions.