{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,6]],"date-time":"2025-12-06T00:21:01Z","timestamp":1764980461117,"version":"3.46.0"},"reference-count":0,"publisher":"Walter de Gruyter GmbH","issue":"3","license":[{"start":{"date-parts":[[2014,6,7]],"date-time":"2014-06-07T00:00:00Z","timestamp":1402099200000},"content-version":"unspecified","delay-in-days":0,"URL":"http:\/\/creativecommons.org\/licenses\/by-nc-nd\/3.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2014,9,1]]},"abstract":"<jats:title>Abstract<\/jats:title>\n                  <jats:p>\n                    Hardware devices can be protected against side-channel attacks by introducing one random mask per sensitive variable. The computation throughout is unaltered if the shares (masked variable and mask) are processed concomitantly, in two distinct registers. Nonetheless, this setup\ncan still be attacked if the side-channel is squared, because this operation causes an interference between the two shares. This more sophisticated analysis is referred to as a zero-offset second-order correlation power analysis (CPA) attack. When the device leaks in Hamming distance, the countermeasure can be improved by the \u201cleakage squeezing\u201d. It consists in manipulating the mask through a bijection,\naimed at reducing the dependency between the shares' leakage. Thus\n                    <jats:italic>d<\/jats:italic>\n                    th-order zero-offset attacks, that consist in applying CPA on the\n                    <jats:italic>d<\/jats:italic>\n                    th power of the centered side-channel traces, can be thwarted for\n                    <jats:italic>d<\/jats:italic>\n                    \u2265 2 at no extra cost.\nWe denote by\n                    <jats:italic>n<\/jats:italic>\n                    the size in bits of the shares and call\n                    <jats:italic>F<\/jats:italic>\n                    the transformation function, that is, a bijection of\n                    <jats:inline-formula id=\"eq1_w2aab3b7b8b1b6b1aab1c13b1c11Aa\">\n                      <jats:alternatives>\n                        <m:math xmlns:m=\"http:\/\/www.w3.org\/1998\/Math\/MathML\">\n                          <m:msubsup>\n                            <m:mi>\ud835\udd3d<\/m:mi>\n                            <m:mn>2<\/m:mn>\n                            <m:mi>n<\/m:mi>\n                          <\/m:msubsup>\n                        <\/m:math>\n                        <jats:tex-math>$\\mathbb {F}_2^n$<\/jats:tex-math>\n                      <\/jats:alternatives>\n                    <\/jats:inline-formula>\n                    . In this paper, we explore the functions\n                    <jats:italic>F<\/jats:italic>\n                    that thwart zero-offset high-order CPA (HO-CPA) of maximal order\n                    <jats:italic>d<\/jats:italic>\n                    . We mathematically demonstrate that optimal choices for\n                    <jats:italic>F<\/jats:italic>\n                    relate to optimal binary codes (in the sense of communication theory). First, we exhibit optimal linear\n                    <jats:italic>F<\/jats:italic>\n                    functions. They are suitable for masking schemes where only one mask is used throughout the algorithm. Second, we note that for values of\n                    <jats:italic>n<\/jats:italic>\n                    for which non-linear codes exist with better parameters than linear ones, better protection levels can be obtained. This applies to implementations in which each mask is randomly cast independently of the previous ones. These results are exemplified in the case\n                    <jats:italic>n<\/jats:italic>\n                    = 8, where the optimal\n                    <jats:italic>F<\/jats:italic>\n                    can be identified: it is derived from the optimal rate 1\/2 binary code of size\n                    <jats:inline-formula id=\"eq2_w2aab3b7b8b1b6b1aab1c13b1c27Aa\">\n                      <jats:alternatives>\n                        <m:math xmlns:m=\"http:\/\/www.w3.org\/1998\/Math\/MathML\">\n                          <m:mrow>\n                            <m:mn>2<\/m:mn>\n                            <m:mi>n<\/m:mi>\n                          <\/m:mrow>\n                        <\/m:math>\n                        <jats:tex-math>$2n$<\/jats:tex-math>\n                      <\/jats:alternatives>\n                    <\/jats:inline-formula>\n                    , namely the Nordstrom\u2013Robinson\n                    <jats:inline-formula id=\"eq3_w2aab3b7b8b1b6b1aab1c13b1c29Aa\">\n                      <jats:alternatives>\n                        <m:math xmlns:m=\"http:\/\/www.w3.org\/1998\/Math\/MathML\">\n                          <m:mrow>\n                            <m:mo>(<\/m:mo>\n                            <m:mn>16<\/m:mn>\n                            <m:mo>,<\/m:mo>\n                            <m:mn>256<\/m:mn>\n                            <m:mo>,<\/m:mo>\n                            <m:mn>6<\/m:mn>\n                            <m:mo>)<\/m:mo>\n                          <\/m:mrow>\n                        <\/m:math>\n                        <jats:tex-math>$(16, 256, 6)$<\/jats:tex-math>\n                      <\/jats:alternatives>\n                    <\/jats:inline-formula>\n                    code. This example provides explicitly with the optimal protection that limits to one mask of byte-oriented algorithms such as AES or AES-based SHA-3 candidates.\nIt protects against all zero-offset HO-CPA attacks of order\n                    <jats:inline-formula id=\"eq4_w2aab3b7b8b1b6b1aab1c13b1c31Aa\">\n                      <jats:alternatives>\n                        <m:math xmlns:m=\"http:\/\/www.w3.org\/1998\/Math\/MathML\">\n                          <m:mrow>\n                            <m:mi>d<\/m:mi>\n                            <m:mo>\u2264<\/m:mo>\n                            <m:mn>5<\/m:mn>\n                          <\/m:mrow>\n                        <\/m:math>\n                        <jats:tex-math>$d \\le 5$<\/jats:tex-math>\n                      <\/jats:alternatives>\n                    <\/jats:inline-formula>\n                    .\nEventually, the countermeasure is shown to be resilient to imperfect leakage models,\nwhere the registers leak differently than the sum of their toggling bits.\n                  <\/jats:p>","DOI":"10.1515\/jmc-2012-0018","type":"journal-article","created":{"date-parts":[[2014,6,10]],"date-time":"2014-06-10T08:54:49Z","timestamp":1402390489000},"page":"249-295","source":"Crossref","is-referenced-by-count":12,"title":["Leakage squeezing: Optimal implementation and security evaluation"],"prefix":"10.1515","volume":"8","author":[{"given":"Claude","family":"Carlet","sequence":"first","affiliation":[{"name":"LAGA, UMR 7539, CNRS, University of Paris XIII and University of Paris VIII, 2 rue de la libert\u00e9, 93526 Saint-Denis Cedex, France"}]},{"given":"Jean-Luc","family":"Danger","sequence":"additional","affiliation":[{"name":"TELECOM-ParisTech, Crypto Group, 37\/39 rue Dareau, 75634 Paris Cedex 13; and Secure-IC S.A.S., 80 avenue des Buttes de Co\u00ebsmes, 35700 Rennes, France"}]},{"given":"Sylvain","family":"Guilley","sequence":"additional","affiliation":[{"name":"TELECOM-ParisTech, Crypto Group, 37\/39 rue Dareau, 75634 Paris Cedex 13; and Secure-IC S.A.S., 80 avenue des Buttes de Co\u00ebsmes, 35700 Rennes, France"}]},{"given":"Houssem","family":"Maghrebi","sequence":"additional","affiliation":[{"name":"TELECOM-ParisTech, Crypto Group, 37\/39 rue Dareau, 75634 Paris Cedex 13; and MORPHO, 18 chauss\u00e9e Jules C\u00e9sar, 95520 Osny, France"}]}],"member":"374","published-online":{"date-parts":[[2014,6,7]]},"container-title":["Journal of Mathematical Cryptology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.degruyterbrill.com\/document\/doi\/10.1515\/jmc-2012-0018\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.degruyterbrill.com\/document\/doi\/10.1515\/jmc-2012-0018\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,6]],"date-time":"2025-12-06T00:16:57Z","timestamp":1764980217000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.degruyterbrill.com\/document\/doi\/10.1515\/jmc-2012-0018\/html"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2014,6,7]]},"references-count":0,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2014,6,7]]},"published-print":{"date-parts":[[2014,9,1]]}},"alternative-id":["10.1515\/jmc-2012-0018"],"URL":"https:\/\/doi.org\/10.1515\/jmc-2012-0018","relation":{},"ISSN":["1862-2984","1862-2976"],"issn-type":[{"type":"electronic","value":"1862-2984"},{"type":"print","value":"1862-2976"}],"subject":[],"published":{"date-parts":[[2014,6,7]]}}}