Analysis and Improvement of the Generic Higher-Order Masking Scheme of FSE 2012

Masking is a well-known technique used to protect block cipher implementations against side-channel attacks. Higher-order side-channel attacks (e.g. higher-order DPA attacks) on widely used block ciphers such as AES have motivated the design of efficient higher-order masking schemes. Indeed, it is known that as the masking order increases, the difficulty of a side-channel attack increases exponentially. However, the main problem in higher-order masking is to design an efficient and secure technique for S-box computations in block cipher implementations. At FSE 2012, Carlet et al. proposed a generic masking scheme that can be applied to any S-box at any order. This is the first generic scheme for efficient software implementations. Analysis of the running time, or masking complexity, of this scheme is related to a variant of the well-known problem of efficient exponentiation (addition chains), and to the evaluation of polynomials. In this paper we investigate optimal methods for exponentiation in $\mathbb{F}_{2^{n}}$ by studying a variant of addition chains, which we call cyclotomic-class addition chains, or CC-addition chains. Among several interesting properties, we prove lower bounds on min-length CC-addition chains. We define the notion of an $\mathbb{F}_{2^n}$-polynomial chain, and use it to count the number of non-linear multiplications required while evaluating polynomials over $\mathbb{F}_{2^{n}}$. We also give a lower bound on the length of such a chain for any polynomial. As a consequence, we show that a lower bound for the masking complexity of the DES S-boxes is three, and that of the PRESENT S-box is two. We disprove a claim previously made by Carlet et al. regarding min-length CC-addition chains. Finally, we give a polynomial evaluation method, which results in an improved masking scheme (compared to the technique of Carlet et al.) for the DES S-boxes. As an illustration we apply this method to several other S-boxes and show significant improvements for them.
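The abstract's notion of masking complexity rests on one observation: squaring in $\mathbb{F}_{2^n}$ is $\mathbb{F}_2$-linear, so a masked implementation can apply it share by share at no cost, whereas a general multiplication needs the expensive cross-share product. Exponents that differ only by repeated doubling modulo $2^n-1$ therefore form one cyclotomic class, and a CC-addition chain adds one class per non-linear multiplication. The following example (added here; it is not code from the paper or from Carlet et al.) builds the cyclotomic classes, runs a breadth-first search for a shortest CC-addition chain to a target exponent, and then evaluates the resulting power in the field to check that the chain really needs only the counted multiplications. The reduction polynomials ($x^8+x^4+x^3+x+1$ for $n=8$, $x^4+x+1$ for $n=4$) and the exponents used in the demonstration (254, the AES inversion exponent, and 14, inversion in $\mathbb{F}_{2^4}$) are choices made for this example.

```python
"""Cyclotomic-class (CC) addition chains over F_{2^n}.

Added example, not code from the paper.  Squarings are free (F_2-linear),
so the cost of x -> x^e in a masked implementation is the number of
non-linear multiplications, i.e. the length of a CC-addition chain.
"""
from collections import deque


def gf_mul(a, b, n, poly):
    """Multiply a and b in F_{2^n} modulo `poly` (an irreducible with bit n set)."""
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:            # reduce as soon as the degree-n bit appears
            a ^= poly
    return r


def gf_pow(x, e, n, poly):
    """Reference square-and-multiply exponentiation, used only for checking."""
    r, base = 1, x
    while e:
        if e & 1:
            r = gf_mul(r, base, n, poly)
        base = gf_mul(base, base, n, poly)
        e >>= 1
    return r


def cyclotomic_classes(n):
    """Map each exponent e in [1, 2^n-2] to its class {e * 2^i mod 2^n-1}."""
    m = (1 << n) - 1
    table = {}
    for e in range(1, m):
        if e in table:
            continue
        cls, k = [], e
        while k not in cls:
            cls.append(k)
            k = (k * 2) % m
        cls = frozenset(cls)
        for k in cls:
            table[k] = cls
    return table


def min_cc_addition_chain(target, n):
    """Shortest CC-addition chain reaching the class of `target` in F_{2^n}.

    A BFS state is the set of classes reached so far (initially the class of
    1, i.e. x itself).  One step picks reachable exponents a, b and adds the
    class of a+b; that is one non-linear multiplication.  Returns
    (length, steps) with steps = [(a, b, a+b mod 2^n-1), ...].
    """
    m = (1 << n) - 1
    cls = cyclotomic_classes(n)
    goal = cls[target % m]
    start = frozenset([cls[1]])
    if goal in start:
        return 0, []
    parent = {start: None}          # child state -> (parent state, step)
    queue = deque([start])
    while queue:
        state = queue.popleft()
        elems = sorted(set().union(*state))
        for i, a in enumerate(elems):
            for b in elems[i:]:
                s = (a + b) % m
                if s == 0 or cls[s] in state:
                    continue        # x^(2^n-1) = 1, or nothing new
                child = state | {cls[s]}
                if child in parent:
                    continue
                parent[child] = (state, (a, b, s))
                if cls[s] == goal:  # BFS order guarantees minimal length
                    steps = []
                    while parent[child] is not None:
                        child, step = parent[child]
                        steps.append(step)
                    return len(steps), steps[::-1]
                queue.append(child)
    raise ValueError("no chain found")


def power_via_chain(x, steps, target, n, poly):
    """Compute x^target using only the chain's multiplications plus free
    squarings.  Returns (value, number of non-linear multiplications)."""
    m = (1 << n) - 1
    known = {1: x}                  # exponent -> field element

    def reach(e):
        """Get x^e from a class-mate already known, by squaring only."""
        e %= m
        if e not in known:
            for k, v in list(known.items()):
                kk = k
                for _ in range(n):
                    kk, v = (kk * 2) % m, gf_mul(v, v, n, poly)
                    if kk == e:
                        known[e] = v
                        return v
            raise KeyError(e)
        return known[e]

    mults = 0
    for a, b, s in steps:
        known[s] = gf_mul(reach(a), reach(b), n, poly)
        mults += 1
    return reach(target), mults


if __name__ == "__main__":
    for n, poly, e in ((4, 0x13, 14), (8, 0x11B, 254)):
        length, steps = min_cc_addition_chain(e, n)
        print(f"x^{e} in F_2^{n}: {length} non-linear multiplications, steps {steps}")
```

The search is exhaustive, so the length it reports is a true minimum under the CC-addition chain model; for $n=8$ and the AES exponent 254 it reproduces the well-known count of four non-linear multiplications, and for $n=4$ it finds inversion in two. The same BFS can be run for any exponent of any small field, which is how a per-power-map masking complexity table is obtained; it does not address the polynomial-chain bounds the paper proves for arbitrary (non-power) S-boxes.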
