An Improved Masking Scheme for S-Box Software Implementations

Abstract

A typical approach, to protect a given symmetric key cryptographic algorithm against differential power analysis(DPA), is a masking method which is to randomize all intermediate values of the cryptographic algorithm and the main time-consuming part of the masking method is to generate masked S-Boxes. The masked S-Boxes are implemented by generating the look-up tables for most of DPA countermeasures in the software manner.

In this paper, we present an improved masking scheme that makes the efficient masked S-Boxes by revisiting the ways to use the low composite fields arithmetic. Our improved masking scheme is basically slower than the standard AES implementation, but much faster than existing method which makes a whole S-Box random with 16 masks. In addition, our scheme is 20\(\%\) faster using less memory, compared to Oswald’s work using the similar method with the proposed approach. In other case of our scheme, we reduce almost half of memory with 9\(\%\) slow rate. We concentrate on the trade-off between memory sizes and operation speed.

A Appendix: Security Analysis

We show that an improved masking scheme is provably secure. For investigating all masked values, we should analyze outputs of several tables: \(T_{m_1}\),\(T_{m_2}\),\(T_{m_3}\), MIDbox(x), map and \(map^{-1}\) and output values from arithmetic operations in formulas (4) to (9). We can follow the security analysis methods in  [16–18], which are developed from  [21]. In  [18], Lemmas 1 to 3 show the security of four types of tables. In  [17], Lemmas 1 to 4 indicate that output values of all operations are secure. Lemma 5 shows the summation of intermediate results can be also secure. We use the same Lemmas as the papers.

Lemma 1

Let \(a \in GF(2^n)\) be arbitrary. Let \(m \in GF(2^n)\) be uniformly distributed in \(GF(2^n)\) independent of a. Then, a+m is uniformly distributed. It means that the distribution of a+m is independent of a.

This follows the Lemma 1 in [16]. This lemma implies that any values can be random values when it combines with a random value with arithmetics. Thus, the value \(a+m\) doesn’t depend on a. Furthermore, even though it sums more \(a_{i}+m_{i}\) values, it keeps the security which is described in the next Lemma 2.

Lemma 2

Let \(a_{i} \in GF(2^n)\) be arbitrary. Let \(m_{i} \in GF(2^n)\) be uniformly distributed in \(GF(2^n)\) independent of \(a_{i}\). Then, the distribution of \(\sum _{i} a_{i}+\sum _{i} m_{i}\) is independent of \(a_{i}\).

Lemma 2 shows that a sum of values is important for secure implementation such as the order of XOR operations and independent masks  [17]. Thus, Some operations of formulas (5) to (9) can be independent of important information. And we have to prove the security of our three tables. but it also follows the same Lemmas. we reuse the Lemma 3 of  [18] for the security of \(T_{m_1}\) which is multiplication table in \(GF(2^4)\).

Lemma 3

Let \(a_{1},a_{2} \in GF(2^n)\) be arbitrary. Let \(m_{1},m_{2} \in GF(2^n)\) be independently and uniformly distributed in \(GF(2^n)\). Then, the probability distribution of \( T_{m_1}(a_{1}+m_{1},a_{2}+m_{2})=(a_{1}+m_{1}) \times (a_{2}+m_{2})\) is

$$\begin{aligned} Pr((a_{1}+m_{1}) \times (a_{2}+m_{2})=i)= \left\{ \begin{array}{ll} \frac{2^{n+1}-1}{2^{2n}} &{} ,if~i=0~i.e.,~ifm_{1}=a_{1}~or~m_{2}=a_{2}\\ \frac{2^{n}-1}{2^{2n}} &{} ,if~i \ne 0 \end{array} \right. \end{aligned}$$

Therefore, the distribution of \((a_{1}+m_{1}) \times (a_{2}+m_{2})\) is independent of \(a_{1} and ~a_{2}\).

We also reuse the Lemma 4 of  [17] the security of \(T_{m_2}\) which is multiplication and square table in \(GF(2^4)\). We fix a constant value as {e} in \(GF(2^4)\).

Lemma 4

Let \(a \in GF(2^n)\) be arbitrary and \(0xE \in GF(2^n)\) a constant. Let \(m \in GF(2^n)\) be independently and uniformly distributed in \(GF(2^n)\) Then, the distribution of \((a+m)^{2}\) and \({e} \times (a+m)^{2}\) is independent of a.

And \(T_{m_3}\) is a table for inverse operations which is bijective and input value of this table is \(a+m\) which is independent of a. Thus, it is clearly independent from the input values. The mapping from \(GF(2^8)\) to \(GF(2^4) \times GF(2^4)\) and the combination of inverse mapping and affine function are bijective. Therefore, the masked output values are statistically independent of the unmasked input values.