Efficient Masked S-Boxes Processing – A Step Forward –

  • Vincent Grosso
  • Emmanuel Prouff
  • François-Xavier Standaert
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8469)


To defeat side-channel attacks, the implementation of block cipher algorithms in embedded devices must include dedicated countermeasures. To this end, security designers usually apply secret sharing techniques and build masking schemes to securely operate on shared data. The popularity of this approach can be explained by the fact that it enables formal security proofs. The construction of masking schemes thwarting higher-order side-channel attacks, which correspond to a powerful adversary able to exploit the leakage of the different shares, has been a hot topic during the last decade. Several solutions have been proposed, usually at the cost of significant performance overheads. As a result, the quest for efficient masked S-box implementations is still ongoing. In this paper, we focus on the scheme proposed by Carlet et al. at FSE 2012, and later improved by Roy and Vivek at CHES 2013. This scheme is today the most efficient one to secure a generic S-box at any order. By exploiting an idea introduced by Coron et al. at FSE 2013, we show that Carlet et al.'s scheme can still be improved for S-boxes with input dimension larger than four. We obtain this result thanks to a new definition for the addition-chain exponentiation used during the masked S-box processing. For the AES and DES S-boxes, we show that our improvement leads to significant efficiency gains.
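To make the role of the addition chain concrete, the following added example (not code from the paper) evaluates the AES S-box power function x^254 on Boolean shares: squarings are linear and run share by share, while each multiplication of two sharings costs a quadratic number of field products, which is why the chain is chosen to minimise multiplications. It assumes the AES field GF(2^8) and uses a classical four-multiplication chain from the masking literature rather than the new chain the paper proposes; all function names are illustrative, and the code checks functional correctness only, not leakage behaviour.

```python
import secrets
from functools import reduce
from operator import xor

def gf_mul(a, b):  # multiply in GF(2^8) modulo the AES polynomial 0x11B
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a & 0x100:
            a ^= 0x11B
    return r

def share(x, d):
    """Split x into d+1 Boolean shares whose XOR is x."""
    s = [secrets.randbelow(256) for _ in range(d)]
    return s + [reduce(xor, s, x)]

def unshare(sh):
    return reduce(xor, sh, 0)

def refresh(sh):
    """Re-randomise a sharing without changing the shared value."""
    rs = [secrets.randbelow(256) for _ in sh[1:]]
    return [reduce(xor, rs, sh[0])] + [v ^ r for v, r in zip(sh[1:], rs)]

def sq(sh, times=1):
    """Squaring is GF(2)-linear, so each share is squared on its own."""
    for _ in range(times):
        sh = [gf_mul(v, v) for v in sh]
    return sh

def sec_mult(a, b):
    """ISW-style product of two sharings: (d+1)^2 field multiplications."""
    c = [gf_mul(x, y) for x, y in zip(a, b)]
    for i in range(len(a)):
        for j in range(i + 1, len(a)):
            r = secrets.randbelow(256)
            c[i] ^= r
            c[j] ^= (r ^ gf_mul(a[i], b[j])) ^ gf_mul(a[j], b[i])
    return c

def masked_pow254(x):
    x2 = sq(x)
    x3 = sec_mult(refresh(x2), x)     # both operands come from x: refresh one
    x12 = sq(x3, 2)
    x15 = sec_mult(refresh(x12), x3)
    x252 = sec_mult(sq(x15, 4), x12)  # x^240 * x^12
    return sec_mult(x252, x2)         # x^254, four masked multiplications
```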






References

  1. Bellare, M., Goldwasser, S., Micciancio, D.: “Pseudo-random” number generation within cryptographic algorithms: The DSS case. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 277–291. Springer, Heidelberg (1997)
  2. Blakely, G.: Safeguarding cryptographic keys. In: National Comp. Conf. vol. 48, pp. 313–317. AFIPS Press, New York (1979)
  3. Blömer, J., Guajardo, J., Krummel, V.: Provably secure masking of AES. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 69–83. Springer, Heidelberg (2004)
  4. Carlet, C.: Boolean functions for cryptography and error correcting codes. Boolean Methods and Models, pp. 257 (2010)
  5. Carlet, C., Goubin, L., Prouff, E., Quisquater, M., Rivain, M.: Higher-order masking schemes for S-boxes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 366–384. Springer, Heidelberg (2012)
  6. Chari, S., Jutla, C., Rao, J., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks. In: Wiener (ed.) [25], pp. 398–412
  7. Coron, J.-S.: Higher Order Masking of Look-up Tables. In: Nguyen, P.Q., Oswald, E. (eds.) Advances in Cryptology – EUROCRYPT 2014. LNCS. Springer (to appear, 2014)
  8. Coron, J.-S., Prouff, E., Rivain, M.: Side channel cryptanalysis of a higher order masking scheme. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 28–44. Springer, Heidelberg (2007)
  9. Coron, J.-S., Prouff, E., Rivain, M., Roche, T.: Higher-order side channel security and mask refreshing. In: Moriai, S. (ed.) Fast Software Encryption – FSE 2013. LNCS. Springer (2013) (to appear)
  10. Duc, A., Dziembowski, S., Faust, S.: Unifying Leakage Models: from Probing Attacks to Noisy Leakage. In: Nguyen, P.Q., Oswald, E. (eds.) Advances in Cryptology – EUROCRYPT 2014. LNCS, Springer (to appear, 2014)
  11. Gordon, D.M.: A survey of fast exponentiation methods. J. Algorithms 27(1), 129–146 (1998)
  12. Grosso, V., Standaert, F.-X., Faust, S.: Masking vs. multiparty computation: How large is the gap for AES? In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 400–416. Springer, Heidelberg (2013)
  13. Ishai, Y., Sahai, A., Wagner, D.: Private Circuits: Securing Hardware against Probing Attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003)
  14. Kim, H., Hong, S., Lim, J.: A fast and provably secure higher-order masking of AES S-box. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 95–107. Springer, Heidelberg (2011)
  15. Knuth, D.: The Art of Computer Programming, 3rd edn. vol. 2. Addison-Wesley (1988)
  16. Kocher, P., Jaffe, J., Jun, B.: Differential Power Analysis. In: Wiener (ed.) [25], pp. 388–397
  17. Mangard, S., Popp, T., Gammel, B.M.: Side-Channel Leakage of Masked CMOS Gates. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 351–365. Springer, Heidelberg (2005)
  18. Messerges, T.S.: Securing the AES finalists against power analysis attacks. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 150–164. Springer, Heidelberg (2001)
  19. Prouff, E., Rivain, M.: Masking against side-channel attacks: A formal security proof. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 142–159. Springer, Heidelberg (2013)
  20. Rivain, M., Dottax, E., Prouff, E.: Block ciphers implementations provably secure against second order side channel analysis. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 127–143. Springer, Heidelberg (2008)
  21. Rivain, M., Prouff, E.: Provably secure higher-order masking of AES. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 413–427. Springer, Heidelberg (2010)
  22. Roy, A., Vivek, S.: Analysis and improvement of the generic higher-order masking scheme of FSE 2012. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 417–434. Springer, Heidelberg (2013)
  23. Schramm, K., Paar, C.: Higher order masking of the AES. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 208–225. Springer, Heidelberg (2006)
  24. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)
  25. Wiener, M. (ed.): CRYPTO 1999. LNCS, vol. 1666. Springer, Heidelberg (1999)

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Vincent Grosso (1)
  • Emmanuel Prouff (2)
  • François-Xavier Standaert (1)

  1. ICTEAM/ELEN/Crypto Group, Université catholique de Louvain, Belgium
  2. ANSSI, Paris 07, France
