Two constructions of optimal pairs of linear codes for resisting side channel and fault injection attacks

TL;DR

This paper introduces two novel constructions of optimal linear code pairs using primitive irreducible cyclic codes to enhance resistance against side-channel and fault injection attacks, with explicit security parameters.

Contribution

First use of primitive irreducible cyclic codes to construct optimal code pairs for security against SCA and FIA, providing explicit security parameters.

Findings

Constructed two optimal code pairs with explicit security parameters

Derived weight enumerators for the involved codes

First application of primitive irreducible cyclic codes in this context

Abstract

Direct sum masking (DSM) has been proposed as a counter-measure against side-channel attacks (SCA) and fault injection attacks (FIA), which are nowadays important domains of cryptanalysis. DSM needs two linear codes whose sum is direct and equals a whole space $\Bbb F_q^n$. The minimum distance of the former code and the dual distance of the latter should be as large as possible, given their length and dimensions. But the implementation needs in practice to work with words obtained by appending, to each codeword $y$ of the latter code, the source word from which $y$ is the encoding. Let $\mathcal C_1$ be an $[n, k]$ linear code over the finite field $\Bbb F_q$ with generator matrix $G$ and let $\mathcal C_2$ be the linear code over the finite field $\Bbb F_q$ with generator matrix $[G, I_k]$. It is then highly desired to construct optimal pairs of linear codes satisfying that $d(\mathcal C_2^\perp)= d(\mathcal C_1^\perp)$. In this paper, we employ the primitive irreducible cyclic codes to derive two constructions of optimal pairs of linear codes for resisting SCA and FIA, where the security parameters are determined explicitly. To the best of our knowledge, it is the first time that primitive irreducible cyclic codes are used to construct (optimal) pairs of codes. As a byproduct, we obtain the weight enumerators of the codes $\mathcal C_1, \mathcal C_2, \mathcal C_1^\perp$, and $\mathcal C_2^\perp$ in our both constructions.