Higher-Order Masking Schemes for S-Boxes
Masking is a common countermeasure against side-channel attacks. The principle is to randomly split every sensitive intermediate variable occurring in the computation into d + 1 shares, where d is called the masking order and plays the role of a security parameter. The main issue while applying masking to protect a block cipher implementation is to design an efficient scheme for the s-box computations. Actually, masking schemes with arbitrary order only exist for Boolean circuits and for the AES s-box. Although any s-box can be represented as a Boolean circuit, applying such a strategy leads to inefficient implementation in software. The design of an efficient and generic higher-order masking scheme was hence until now an open problem. In this paper, we introduce the first masking schemes which can be applied in software to efficiently protect any s-box at any order. We first describe a general masking method and we introduce a new criterion for an s-box that relates to the best efficiency achievable with this method. Then we propose concrete schemes that aim to approach the criterion. Specifically, we give optimal methods for the set of power functions, and we give efficient heuristics for the general case. As an illustration we apply the new schemes to the DES and PRESENT s-boxes and we provide implementation results.
- 3.Blakley, G.: Safeguarding cryptographic keys. In: National Comp. Conf., June 1979, vol. 48, pp. 313–317. AFIPS Press, New York (1979)Google Scholar
- 11.FIPS PUB 46. The Data Encryption Standard. National Bureau of Standards (January 1977)Google Scholar
- 16.Knuth, D.: The Art of Computer Programming, 3rd edn., vol. 2. Addison-Wesley (1988)Google Scholar