Security Analysis of Deterministic Re-keying with Masking and Shuffling: Application to ISAP

2021
Single-trace side-channel attacks are important attack vectors against the security of authenticated encryption schemes that rely on an internal re-keying process, such as the NIST Lightweight Cryptography finalist ISAP. In a recent work, Kannwischer et al. suggested mitigating such single-trace attacks with masking and shuffling. In this work, we first show that combining masking and re-keying is conceptually useless, since this combination can always be attacked with a complexity that is just the sum of the complexities of attacking a masked implementation (without re-keying) and a re-keyed implementation (without masking). We then show that combining shuffling and re-keying is theoretically founded but can be practically challenging: in low-cost embedded devices (e.g., ARM Cortex-M0), which are the typical targets of single-trace attacks, the noise level of the leakages is such that multivariate attacks can be powerful enough to recover the shuffling permutation from one trace. This second result does not prevent the shuffling + re-keying combination from being effective in noisier contexts, but it suggests that the best use cases for leakage-resilient PRFs as used by ISAP remain the ones where no additional countermeasures are needed.