Advertisement

Analysis and Improvement of the Generic Higher-Order Masking Scheme of FSE 2012

  • Arnab Roy
  • Srinivas Vivek
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8086)

Abstract

Masking is a well-known technique used to prevent block cipher implementations from side-channel attacks. Higher-order side channel attacks (e.g. higher-order DPA attack) on widely used block cipher like AES have motivated the design of efficient higher-order masking schemes. Indeed, it is known that as the masking order increases, the difficulty of side-channel attack increases exponentially. However, the main problem in higher-order masking is to design an efficient and secure technique for S-box computations in block cipher implementations. At FSE 2012, Carlet et al. proposed a generic masking scheme that can be applied to any S-box at any order. This is the first generic scheme for efficient software implementations. Analysis of the running time, or masking complexity, of this scheme is related to a variant of the well-known problem of efficient exponentiation (addition chain), and evaluation of polynomials.

In this paper we investigate optimal methods for exponentiation in \(\mathbb{F}_{2^{n}}\) by studying a variant of addition chain, which we call cyclotomic-class addition chain, or CC-addition chain. Among several interesting properties, we prove lower bounds on min-length CC-addition chains. We define the notion of \(\mathbb{F}_{2^n}\)-polynomial chain, and use it to count the number of non-linear multiplications required while evaluating polynomials over \(\mathbb{F}_{2^{n}}\). We also give a lower bound on the length of such a chain for any polynomial. As a consequence, we show that a lower bound for the masking complexity of DES S-boxes is three, and that of PRESENT S-box is two. We disprove a claim previously made by Carlet et al. regarding min-length CC-addition chains. Finally, we give a polynomial evaluation method, which results into an improved masking scheme (compared to the technique of Carlet et al.) for DES S-boxes. As an illustration we apply this method to several other S-boxes and show significant improvement for them.

Keywords

block cipher S-box masking complexity addition chain polynomial evaluation side-channel attack 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Akkar, M.-L., Giraud, C.: An implementation of DES and AES, secure against some attacks. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 309–318. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  2. 2.
    Aoki, K., Ichikawa, T., Kanda, M., Matsui, M., Moriai, S., Nakajima, J., Tokita, T.: Camellia: A 128-bit block cipher suitable for multiple platforms - design and analysis. In: Stinson, D.R., Tavares, S. (eds.) SAC 2000. LNCS, vol. 2012, pp. 39–56. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  3. 3.
    Brauer, A.: On addition chains. Bull. Amer. Math. Soc. 45(10), 736–739 (1939)MathSciNetCrossRefGoogle Scholar
  4. 4.
    Carlet, C., Goubin, L., Prouff, E., Quisquater, M., Rivain, M.: Higher-order masking schemes for s-boxes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 366–384. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  5. 5.
    Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks. In: Wiener [23], pp. 398–412CrossRefGoogle Scholar
  6. 6.
    Coron, J.-S., Prouff, E., Rivain, M.: Side channel cryptanalysis of a higher order masking scheme. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 28–44. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  7. 7.
    Goubin, L., Patarin, J.: DES and differential power analysis. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 158–172. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  8. 8.
    Ishai, Y., Sahai, A., Wagner, D.: Private circuits: Securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  9. 9.
    Kim, H., Hong, S., Lim, J.: A fast and provably secure higher-order masking of AES S-box. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 95–107. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  10. 10.
    Knuth, D.E.: The Art of Computer Programming, 3rd edn. Seminumerical Algorithms, vol. II. Addison-Wesley (1997)Google Scholar
  11. 11.
    Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener (ed.) [23], pp. 388–397CrossRefGoogle Scholar
  12. 12.
    Messerges, T.S.: Securing the AES finalists against power analysis attacks. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 150–164. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  13. 13.
    Nawaz, Y., Gupta, K.C., Gong, G.: Algebraic immunity of s-boxes based on power mappings: analysis and construction. IEEE Transactions on Information Theory 55(9), 4263–4273 (2009)MathSciNetCrossRefGoogle Scholar
  14. 14.
    Paterson, M., Stockmeyer, L.J.: On the number of nonscalar multiplications necessary to evaluate polynomials. SIAM J. Comput. 2(1), 60–66 (1973)MathSciNetCrossRefGoogle Scholar
  15. 15.
    Rivain, M., Dottax, E., Prouff, E.: Block ciphers implementations provably secure against second order side channel analysis. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 127–143. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  16. 16.
    Rivain, M., Prouff, E.: Provably secure higher-order masking of AES. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 413–427. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  17. 17.
    Satoh, A., Morioka, S., Takano, K., Munetoh, S.: A compact rijndael hardware architecture with S-box optimization. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 239–254. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  18. 18.
    Schramm, K., Paar, C.: Higher order masking of the AES. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 208–225. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  19. 19.
    Shirai, T., Shibutani, K., Akishita, T., Moriai, S., Iwata, T.: The 128-bit blockcipher CLEFIA (Extended abstract). In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 181–195. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  20. 20.
    von zur Gathen, J.: Efficient and optimal exponentiation in finite fields. Computational Complexity 1, 360–394 (1991)MathSciNetCrossRefGoogle Scholar
  21. 21.
    von zur Gathen, J., Nöcker, M.: Exponentiation in finite fields: Theory and practice. In: Mattson, H., Mora, T. (eds.) AAECC 1997. LNCS, vol. 1255, pp. 88–113. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  22. 22.
    von zur Gathen, J., Nöcker, M.: Computing special powers in finite fields. Math. Comput. 73(247), 1499–1523 (2004)MathSciNetCrossRefGoogle Scholar
  23. 23.
    Wiener, M. (ed.): CRYPTO 1999. LNCS, vol. 1666. Springer, Heidelberg (1999)zbMATHGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  • Arnab Roy
    • 1
  • Srinivas Vivek
    • 1
  1. 1.University of LuxembourgLuxembourg

Personalised recommendations