# A Sound Method for Switching between Boolean and Arithmetic Masking

## Abstract

Since the announcement of the Differential Power Analysis (DPA) by Paul Kocher and al., several countermeasures were proposed in order to protect software implementations of cryptographic algorithms. In an attempt to reduce the resulting memory and execution time overhead, a general method was recently proposed, consisting in “masking” all the intermediate data.

This masking strategy is possible if all the fundamental operations used in a given algorithm can be rewritten with masked input data, giving masked output data. This is easily seen to be the case in classical algorithms such as DES or RSA.

However, for algorithms that combine boolean and arithmetic functions, such as IDEA or several of the AES candidates, two different kinds of masking have to be used. There is thus a need for a method to convert back and forth between boolean masking and arithmetic masking. A first solution to this problem was proposed by Thomas Messerges in [15], but was unfortunately shown (see [6]) insufficient to prevent DPA. In the present paper, we present two new practical algorithms for the conversion, that are proven secure against DPA.

The first one (“BooleanToArithmetic”) uses a constant number of elementary operations, namely 7, on the registers of the processor. The number of elementary operations for the second one (“Arithmetic To-Boolean”), namely 5*K* + 5, is proportional to the size *K* (in bits) of the processor registers.

## Key words

Physical attacks Differential Power Analysis Electric consumption AES IDEA Smartcards Masking Techniques## References

- 1.Eli Biham and Adi Shamir, “Power Analysis of the Key Scheduling of the AES Candidates”, in
*Proceedings of the Second Advanced Encryption Standard (AES) Candidate Conference*, http://csrc.nist.gov/encryption/aes/round1/Conf2/aes2conf.htm, March 1999. - 2.Carolynn Burwick, Don Coppersmith, Edward D’ Avignon, Rosario Gennaro, Shai Halevi, Charanjit Jutla, Stephen M. Matyas, Luke O’ Connor, Mohammad Peyra-vian, David Safford and Nevenko Zunic, “MARS-A Candidate Cipher for AES”, NIST AES Proposal, June 1998. Available at: http://www.research.ibm.com/security/mars.pdf
- 3.Suresh Chari, Charantjit S. Jutla, Josyula R. Rao and Pankaj Rohatgi, “A Cautionary Note Regarding Evaluation of AES Candidates on Smart-Cards”, in
*Proceedings of the Second Advanced Encryption Standard (AES) Candidate Conference*, http://csrc.nist.gov/encryption/aes/round1/Conf2/aes2conf.htm, March 1999. - 4.Suresh Chari, Charantjit S. Jutla, Josyula R. Rao and Pankaj Rohatgi, “Towards Sound Approaches to Counteract Power-Analysis Attacks”, in
*Proceedings of Advances in Cryptology-CRYPTO’99*, Springer-Verlag, 1999, pp. 398–412.Google Scholar - 5.Jean-Srébastien Coron, “Resistance Against Differential Power Analysis for Ellipticc Curve Cryptosystems”, in
*Proceedings of Workshop on Cryptographic Hardware and Embedded Systems*, Springer-Verlag, August 1999, pp. 292–302.Google Scholar - 6.Jean-Sébastien Coron and Louis Goubin, “On Boolean and Arithmetic Masking against Differential Power Analysis”, in
*Proceedings of Workshop on Cryptographic Hardware and Embedded Systems*, Springer-Verlag, August 2000.Google Scholar - 7.John Daemen and Vincent Rijmen, “Resistance Against Implementation Attacks: A Comparative Study of the AES Proposals”, in
*Proceedings of the Second Advanced Encryption Standard (AES) Candidate Conference*, http://csrc.nist.gov/encryption/aes/round1/Conf2/aes2conf.htm, March 1999. - 8.John Daemen, Michael Peters and Gilles Van Assche, “Bitslice Ciphers and Power Analysis Attacks”, in
*Proceedings of Fast Software Encryption Workshop 2000*, Springer-Verlag, April 2000.Google Scholar - 9.Paul N. Fahn and Peter K. Pearson, “IPA: A New Class of Power Attacks”, in
*Proceedings of Workshop on Cryptographic Hardware and Embedded Systems*, Springer-Verlag, August 1999, pp. 173–186.Google Scholar - 10.Louis Goubin and J. Patarin, “Procédé de sécurisation d’un ensemble électronique de cryptographie á clé secréte contre les attaques par analyse physique”, European Patent, Schlumberger, February 4th, 1999, Publication Number: 2789535.Google Scholar
- 11.Louis Goubin and Jacques Patarin, “DES and Differential Power Analysis-The Duplication Method”, in
*Proceedings of Workshop on Cryptographic Hardware and Embedded Systems*, Springer-Verlag, August 1999, pp. 158–172.Google Scholar - 12.Paul Kocher, Joshua Jaffe and Benjamin Jun, “Introduction to Differential Power Analysis and Related Attacks”, http://www.cryptography.com/dpa/technical, 1998.
- 13.Paul Kocher, Joshua Jaffe and Benjamin Jun, “Differential Power Analysis”, in
*Proceedings of Advances in Cryptology-CRYPTO’99*, Springer-Verlag, 1999, pp. 388–397.Google Scholar - 14.Xuejia Lai and James Massey, “A Proposal for a New Block Encryption Standard”, in
*Advances in Cryptology-EUROCRYPT’ 90 Proceedings*, Springer-Verlag, 1991, pp. 389–404.Google Scholar - 15.Thomas S. Messerges, “Securing the AES Finalists Against Power Analysis Attacks”, in
*Proceedings of Fast Software Encryption Workshop 2000*, Springer-Verlag, April 2000.Google Scholar - 16.Thomas S. Messerges, Ezzy A. Dabbish and Robert H. Sloan, “Investigations of Power Analysis Attacks on Smartcards”, in
*Proceedings of USENIX Workshop on Smartcard Technology*, May 1999, pp. 151–161.Google Scholar - 17.Thomas S. Messerges, Ezzy A. Dabbish and Robert H. Sloan, “Power Analysis Attacks of Modular Exponentiation in Smartcards”, in
*Proceedings of Workshop on Cryptographic Hardware and Embedded Systems*, Springer-Verlag, August 1999, pp. 144–157.Google Scholar - 18.Ronald L. Rivest, Matthew J.B. Robshaw, Ray Sidney and Yiqun L. Yin, “The RC6 Block Cipher”, v1.1, August 20, 1998. Available at: ftp://ftp.rsasecurity.com/pub/rsalabs/aes/rc6v11.pdf
- 19.Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall and Niels Ferguson, “Twofish: A 128-Bit Block Cipher”, June 15, 1998, AES submission available at: http://www.counterpane.com/twofish.pdf