With the growing threat of the side-channel attack (SCA) to the cryptographic algorithm’s implementations, the masking method has become one of the most promising SCA countermeasures for securely implementing, for example, block ciphers. The basic principle of the masking method is that if the sensitive variable (which, by definition, depends on sensitive information) is split into some random variables and they are manipulated in a secure manner, then the relationship between the random variables and the corresponding side-channel information may look independent from the outside world. However, after the introduction of the glitch attack, there has been a lot of concern about the security of the masking method itself. And, to mitigate the threat of the glitch attack, the threshold implementation (TI) and G-equivariant gates were independently introduced as countermeasures. In this paper, we consider the main notions of two such independent glitch attack’s countermeasures, say, non-completeness and G-equivariance, and investigate their relationship. The contribution of this paper is three-fold. First, we show that the widely-circulated proof that the non-complete TI with uniform inputs guarantees the security against the 1st order DPA even in the presence of glitches is not satisfactory. Next, using the extended notion of G-equivariance to the higher-order setting, we prove that non-completeness implies G-equivariance, which, in turn, means that the non-complete TI with uniform inputs has resistance against the glitch attack. Thirdly, we prove that the set of non-complete gates is a proper subset of the set of G-equivariant gates by showing there is a gate that is G-equivariant but not non-complete.
This is an open access article distributed under the Creative Commons Attribution License
which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited