Analysis and Improvement of the Generic Higher-Order Masking Scheme of FSE 2012

  • Arnab Roy
  • Srinivas Vivek
Conference paper

DOI: 10.1007/978-3-642-40349-1_24

Part of the Lecture Notes in Computer Science book series (LNCS, volume 8086)
Cite this paper as:
Roy A., Vivek S. (2013) Analysis and Improvement of the Generic Higher-Order Masking Scheme of FSE 2012. In: Bertoni G., Coron JS. (eds) Cryptographic Hardware and Embedded Systems - CHES 2013. CHES 2013. Lecture Notes in Computer Science, vol 8086. Springer, Berlin, Heidelberg

Abstract

Masking is a well-known technique used to protect block cipher implementations against side-channel attacks. Higher-order side-channel attacks (e.g. higher-order DPA) on widely used block ciphers such as AES have motivated the design of efficient higher-order masking schemes. Indeed, it is known that as the masking order increases, the difficulty of a side-channel attack increases exponentially. However, the main problem in higher-order masking is to design an efficient and secure technique for the S-box computations in block cipher implementations. At FSE 2012, Carlet et al. proposed a generic masking scheme that can be applied to any S-box at any order. This is the first generic scheme for efficient software implementations. Analysis of the running time, or masking complexity, of this scheme is related to a variant of the well-known problem of efficient exponentiation (addition chains) and to the evaluation of polynomials.

In this paper we investigate optimal methods for exponentiation in \(\mathbb{F}_{2^{n}}\) by studying a variant of the addition chain, which we call the cyclotomic-class addition chain, or CC-addition chain. Among several interesting properties, we prove lower bounds on the length of minimum-length CC-addition chains. We define the notion of an \(\mathbb{F}_{2^n}\)-polynomial chain, and use it to count the number of non-linear multiplications required to evaluate a polynomial over \(\mathbb{F}_{2^{n}}\). We also give a lower bound on the length of such a chain for any polynomial. As a consequence, we show that a lower bound on the masking complexity of the DES S-boxes is three, and that of the PRESENT S-box is two. We disprove a claim previously made by Carlet et al. regarding min-length CC-addition chains. Finally, we give a polynomial evaluation method which results in an improved masking scheme (compared to the technique of Carlet et al.) for the DES S-boxes. As an illustration, we apply this method to several other S-boxes and show significant improvement for them.
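The abstract's central notion, the CC-addition chain, is easiest to see on a concrete exponent. In a masked implementation, squaring (and any power-of-two exponentiation, the Frobenius map) is \(\mathbb{F}_2\)-linear and is applied share-wise for free; only a product of two distinct masked values needs a secure multiplication gadget. So the cost of computing \(x^k\) is the number of such non-linear multiplications, and once one exponent of the cyclotomic class \(\{k, 2k, 4k, \ldots\} \bmod (2^n-1)\) is available, the whole class is. The Python below is an added worked example, not code from the paper or its authors: it builds cyclotomic classes, then breadth-first searches for a shortest CC-addition chain to a target exponent, counting only non-linear multiplications. It covers exponentiation (the paper's first contribution) only; the \(\mathbb{F}_{2^n}\)-polynomial chains and the S-box lower bounds are not implemented here. The inversion exponents \(x^{14}\) in \(\mathbb{F}_{2^4}\) and \(x^{254}\) in \(\mathbb{F}_{2^8}\) (the AES S-box) are my choice of test inputs; the function and variable names are likewise mine.

```python
"""Cyclotomic-class (CC) addition chains over F_{2^n}: added example, not the paper's code.

An exponent k is identified with its cyclotomic class {k, 2k, 4k, ...} mod 2^n - 1,
because x -> x^2 is free in a masked implementation. One "step" of a CC-addition
chain costs one non-linear (secure) multiplication x^a * x^b = x^(a+b) and makes the
whole class of a + b available.
"""
from collections import deque


def cyclotomic_class(n: int, k: int) -> frozenset:
    """Cyclotomic class of exponent k modulo 2^n - 1 (everything reachable by free squarings)."""
    m = (1 << n) - 1
    e = k % m
    cls = set()
    while e not in cls:
        cls.add(e)
        e = (2 * e) % m
    return frozenset(cls)


def min_cc_addition_chain(n: int, target: int):
    """Breadth-first search for a shortest CC-addition chain reaching x^target in F_{2^n}.

    A search state is the set of cyclotomic classes obtained so far, starting from the
    class of x itself. One step picks two available exponents a, b and adds the class of
    a + b mod 2^n - 1, i.e. spends one non-linear multiplication. BFS over states returns
    the first (hence shortest) chain as (length, [(a, b), ...]).
    """
    m = (1 << n) - 1
    cls_of = [cyclotomic_class(n, k) for k in range(m)]  # precomputed class lookup
    goal = cls_of[target % m]
    start = frozenset([cls_of[1]])
    if goal in start:
        return 0, []
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        classes, chain = queue.popleft()
        exps = sorted(set().union(*classes))  # every exponent available for free
        for i, a in enumerate(exps):
            for b in exps[i:]:
                s = (a + b) % m
                if s == 0:
                    continue  # x^0 = 1 is a constant; never useful in a chain
                c = cls_of[s]
                if c in classes:
                    continue  # already available, would waste a multiplication
                if c == goal:
                    return len(chain) + 1, chain + [(a, b)]
                nxt = classes | {c}
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, chain + [(a, b)]))
    raise ValueError("target not reachable")  # cannot happen for 1 <= target < 2^n - 1


def verify_chain(n: int, target: int, chain) -> bool:
    """Replay a chain: each (a, b) must already be available and x^target must be reached."""
    m = (1 << n) - 1
    have = set(cyclotomic_class(n, 1))
    for a, b in chain:
        if a not in have or b not in have:
            return False
        have |= cyclotomic_class(n, (a + b) % m)
    return target % m in have


if __name__ == "__main__":
    # Constructed test inputs: field inversion x^(2^n - 2) in F_{2^4} and in F_{2^8} (AES S-box).
    for n, k in ((4, 14), (8, 254)):
        length, chain = min_cc_addition_chain(n, k)
        assert verify_chain(n, k, chain)
        steps = ", ".join(f"x^{a}*x^{b}=x^{(a + b) % ((1 << n) - 1)}" for a, b in chain)
        print(f"F_2^{n}: x^{k} needs {length} non-linear multiplication(s): {steps}")
```

The search only returns one shortest chain; which one depends on iteration order, so two runs of the same search give the same chain but a different enumeration could give a different chain of the same length. For \(\mathbb{F}_{2^8}\) the BFS explores at most a few thousand states before it hits the target, which is what makes the length-4 answer for \(x^{254}\) an exhaustive, not heuristic, result.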

Keywords

block cipher; S-box; masking complexity; addition chain; polynomial evaluation; side-channel attack


Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Arnab Roy (1)
  • Srinivas Vivek (1)
  1. University of Luxembourg, Luxembourg
