Skip to main content
SpringerLink
Log in

Addition with Blinded Operands

  • Conference paper
  • First Online:
Book cover Constructive Side-Channel Analysis and Secure Design (COSADE 2014)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8622))

Abstract

The masking countermeasure is an efficient method to protect cryptographic algorithms against Differential Power Analysis (DPA) and similar attacks. For symmetric cryptosystems, two techniques are commonly used: Boolean masking and arithmetic masking. Conversion methods have been proposed for switching from Boolean masking to arithmetic masking, and conversely. The way conversion is applied depends on the combination of arithmetic and Boolean/logical operations executed by the underlying cryptographic algorithm.

This paper focuses on a combination of one addition with one or more Boolean operations. Building on a secure version of a binary addition algorithm (namely, the and-xor-and-double method), we show that conversions from Boolean masking to arithmetic masking can be avoided. We present an application of the new algorithm to the XTEA block-cipher.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Akkar, M.-L., Giraud, C.: An implementation of DES and AES, secure against some attacks. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 309–318. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  2. Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 398–412. Springer, Heidelberg (1999)

    Chapter  Google Scholar 

  3. Coron, J.-S., Goubin, L.: On boolean and arithmetic masking against differential power analysis. In: Paar, C., Koç, Ç.K. (eds.) CHES 2000. LNCS, vol. 1965, pp. 231–237. Springer, Heidelberg (2000)

    Chapter  Google Scholar 

  4. Coron, J.-S., Tchulkine, A.: A new algorithm for switching from arithmetic to boolean masking. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 89–97. Springer, Heidelberg (2003)

    Chapter  Google Scholar 

  5. Debraize, B.: Efficient and provably secure methods for switching from arithmetic to boolean masking. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 107–121. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  6. Ferguson, N., Lucks, S., Schneier, B., Whiting, D., Bellare, M., Kohno, T., Callas, J., Walker, J.: The Skein hash function family. Submission to NIST (Round 3), October 2010. http://www.skein-hash.info/sites/default/files/skein1.3.pdf

  7. Golić, J.D.: Techniques for random masking in hardware. IEEE Trans. Circuits Syst. 54(2), 291–300 (2007)

    Article  MathSciNet  Google Scholar 

  8. Goubin, L.: A sound method for switching between boolean and arithmetic masking. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 3–15. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  9. Goubin, L., Patarin, J.: DES and differential power analysis (The “duplication” method). In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 158–172. Springer, Heidelberg (1999)

    Chapter  Google Scholar 

  10. Kelsey, J., Schneier, B., Wagner, D.: Related-key cryptanalysis of \(3\)-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA. In: Han, Y., Quing, S. (eds.) ICICS 1997. LNCS, vol. 1334, pp. 233–246. Springer, Heidelberg (1997)

    Chapter  Google Scholar 

  11. Knuth, D.E.: The Art of Computer Programming, vol. 2, 2nd edn. Addison-Wesley, Readin (1981)

    MATH  Google Scholar 

  12. Knuth, D.E.: The Art of Computer Programming, vol. 4A. Addison-Wesley, Reading (2011)

    Google Scholar 

  13. Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)

    Chapter  Google Scholar 

  14. Lipmaa, H., Moriai, S.: Efficient algorithms for computing differential properties of addition. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 336–350. Springer, Heidelberg (2002)

    Chapter  Google Scholar 

  15. Massey, J.L.: SAFER K-64: a byte-oriented block-ciphering algorithm. In: Anderson, R. (ed.) FSE 1993. LNCS, vol. 809, pp. 1–17. Springer, Heidelberg (1994)

    Chapter  Google Scholar 

  16. Messerges, T.S.: Securing the AES finalists against power analysis attacks. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 150–164. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  17. Needham, R.M., Wheeler, D.J.: TEA extensions. Technical report, Computer Laboratory, University of Cambridge, October 1997. http://www.cl.cam.ac.uk/ftp/users/djw3/xtea.ps

  18. Neiße, O., Pulkus, J.: Switching blindings with a view towards IDEA. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 230–239. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  19. Örs, S.B., Gürkaynak, F.K., Oswald, E., Preneel, B.: Power-analysis attack on an ASIC AES implementation. In: International Conference on Information Technology: Coding and Computing (ITCC ’04), vol. 2, pp. 546–552. IEEE Computer Society (2004)

    Google Scholar 

  20. Trichina, E.: Combinational logic design for AES SubByte transformation on masked data. Cryptology ePrint Archive, Report 2003/236 (2003). http://eprint.iacr.org/2003/236

  21. Wheeler, D.J., Needham, R.M.: TEA, a tiny encryption algorithm. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 363–366. Springer, Heidelberg (1995)

    Chapter  Google Scholar 

  22. Wheeler, D.J., Needham, R.M.: Corrections to XTEA. Technical report, Computer Laboratory, University of Cambridge, October 1998. http://www.movable-type.co.uk/scripts/xxtea.pdf

Download references

Author information

Authors and Affiliations

  1. Technicolor, 975 Avenue des Champs Blancs, 35576, Cesson-Sévigné Cedex, France

    Mohamed Karroumi & Benjamin Richard

  2. Technicolor, 735 Emerson Street, Palo Alto, CA, 94301, USA

    Marc Joye

Authors
  1. Mohamed Karroumi
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Benjamin Richard
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Marc Joye
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Mohamed Karroumi .

Editor information

Editors and Affiliations

  1. FNISA, Paris, France

    Emmanuel Prouff

A Optimized Variant of Goubin’s Method

A Optimized Variant of Goubin’s Method

We show in this appendix how to rearrange the operations in the secure \(\mathrm {A}{\rightarrow }\mathrm {B}\) algorithm used for converting \(A = x-r\) to \(x'=x\oplus r\). As a result, the algorithm cost is slightly reduced.

The carry expansion formula expressed using \(t_i\), \(0\le i \le k-1\) (see [8, Corollary 2.1]) can be simplified. The idea is to start the recursion with \(t_0 = 0\) instead of \(t_0 = 2\gamma \). The value of \(t_1\) then simplifies to \( t_1 = 2\bigl [t_0 \mathbin { \& }(A \mathbin {\oplus }r) \mathbin {\oplus }\omega \bigr ] = 2\omega \). The recursion formula can so be re-written as

$$ t_i = {\left\{ \begin{array}{ll} 2\omega &{} \text {if } i = 1 ,\\ 2\left[ t_i\mathbin { \& }(A\mathbin {\oplus }r)\mathbin {\oplus }\omega \right] &{} \text {for } 2 \leqslant i \leqslant k-1 . \end{array}\right. } $$

The main loop within the secure \(\mathrm {A}{\rightarrow }\mathrm {B}\) conversion algorithm becomes then:

figure e

We extract the first loop iteration and trade five operations against one logical shift operation. This reduces the algorithm cost to \({\underline{5k+1}}\) operations. This small change has no impact on the security of the algorithm.

figure f

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Karroumi, M., Richard, B., Joye, M. (2014). Addition with Blinded Operands. In: Prouff, E. (eds) Constructive Side-Channel Analysis and Secure Design. COSADE 2014. Lecture Notes in Computer Science(), vol 8622. Springer, Cham. https://doi.org/10.1007/978-3-319-10175-0_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-10175-0_4

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-10174-3

  • Online ISBN: 978-3-319-10175-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation