Conversion from Arithmetic to Boolean Masking with Logarithmic Complexity

A general technique to protect a cryptographic algorithm against side-channel attacks consists in masking all intermediate variables with a random value. For cryptographic algorithms combining Boolean operations with arithmetic operations, one must then perform conversions between Boolean masking and arithmetic masking. At CHES 2001, Goubin described a very elegant algorithm for converting from Boolean masking to arithmetic masking, with only a constant number of operations. Goubin also described an algorithm for converting from arithmetic to Boolean masking, but with \(\mathcal{O}(k)\) operations where k is the addition bit size. In this paper we describe an improved algorithm with time complexity \(\mathcal{O}(\log k)\) only. Our new algorithm is based on the Kogge-Stone carry look-ahead adder, which computes the carry signal in \(\mathcal{O}(\log k)\) instead of \(\mathcal{O}(k)\) for the classical ripple carry adder. We also describe an algorithm for performing arithmetic addition modulo \(2^k\) directly on Boolean shares, with the same complexity \(\mathcal{O}(\log k)\) instead of \(\mathcal{O}(k)\). We prove the security of our new algorithm against first-order attacks. Our algorithm performs well in practice, as for \(k=64\) we obtain a \(23\,\%\) improvement compared to Goubin’s algorithm.
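The following is an added worked example, written for this page and not taken from the paper's own listings: a functional model in Python of the three conversions the abstract discusses. `goubin_b2a` is Goubin's CHES 2001 Boolean-to-arithmetic conversion (constant number of operations). `sec_add` adds two values held as two-share Boolean masks using the Kogge-Stone carry recursion, so it needs only \(\lceil\log_2 k\rceil\) rounds, each built from share-wise XOR/shift and a two-share ISW-style secure AND with one fresh random word per AND. `a2b` instantiates arithmetic-to-Boolean conversion on top of `sec_add`; the way it Boolean-shares both operands with fresh masks is this editor's choice and may differ from the paper's exact algorithm. The share-count helper `sec_and_count` exposes the logarithmic cost directly. Python integers are not constant-time, so this models the share arithmetic and the O(log k) structure; it is not itself a side-channel-hardened implementation.

```python
"""Functional model of Boolean/arithmetic mask conversion (added example, not the paper's code)."""
import random
import secrets
from typing import Callable, Optional, Tuple

Shares = Tuple[int, int]          # (share1, share2), value = share1 ^ share2


def mask(k: int) -> int:
    return (1 << k) - 1


def goubin_b2a(xp: int, r: int, k: int, gamma: Optional[int] = None) -> int:
    """Goubin (CHES 2001) Boolean-to-arithmetic conversion, constant in k.
    Input:  xp = x ^ r.   Output: A with x = (A + r) mod 2^k.
    Relies on Phi(u) = (xp ^ u) - u being affine over GF(2) in u, so that
    Phi(r) = Phi(r ^ gamma) ^ Phi(gamma) ^ xp; gamma is a fresh random mask."""
    m = mask(k)
    if gamma is None:
        gamma = secrets.randbits(k)
    t = xp ^ gamma
    t = (t - gamma) & m           # Phi(gamma)
    t ^= xp                       # Phi(gamma) ^ xp
    gamma ^= r
    a = xp ^ gamma
    a = (a - gamma) & m           # Phi(r ^ gamma)
    return a ^ t                  # Phi(r) = x - r mod 2^k


def sec_and(a: Shares, b: Shares, rnd: Callable[[], int]) -> Shares:
    """Two-share ISW AND: shares of (a1^a2)&(b1^b2) with one fresh random word u.
    The bracketing follows ISW so no intermediate combines both shares of a secret."""
    a1, a2 = a
    b1, b2 = b
    u = rnd()
    c1 = (a1 & b1) ^ u
    c2 = (a2 & b2) ^ ((u ^ (a1 & b2)) ^ (a2 & b1))
    return c1, c2


def sec_xor(a: Shares, b: Shares) -> Shares:
    return a[0] ^ b[0], a[1] ^ b[1]


def sec_shl(a: Shares, s: int, k: int) -> Shares:
    m = mask(k)
    return (a[0] << s) & m, (a[1] << s) & m


def sec_add(x: Shares, y: Shares, k: int, rnd: Optional[Callable[[], int]] = None) -> Shares:
    """Addition mod 2^k directly on Boolean shares via the Kogge-Stone recursion.
    P = propagate, G = generate; after round i the windows span 2^i bits, so
    ceil(log2 k) rounds suffice and the carry word is G << 1."""
    if rnd is None:
        rnd = lambda: secrets.randbits(k)
    n = max(1, (k - 1).bit_length())          # ceil(log2 k) for k >= 2
    p = sec_xor(x, y)                         # P = x ^ y
    g = sec_and(x, y, rnd)                    # G = x & y
    for i in range(1, n):
        s = 1 << (i - 1)
        g = sec_xor(sec_and(p, sec_shl(g, s, k), rnd), g)   # G = (P & (G << s)) ^ G
        p = sec_and(p, sec_shl(p, s, k), rnd)               # P = P & (P << s)
    g = sec_xor(sec_and(p, sec_shl(g, 1 << (n - 1), k), rnd), g)
    return sec_xor(sec_xor(x, y), sec_shl(g, 1, k))         # z = x ^ y ^ (G << 1)


def a2b(a: int, r: int, k: int, rnd: Optional[Callable[[], int]] = None) -> Shares:
    """Arithmetic-to-Boolean: given x = (a + r) mod 2^k, return (z1, z2) with x = z1 ^ z2.
    Both operands are Boolean-shared with fresh masks and fed to sec_add (editor's instantiation)."""
    if rnd is None:
        rnd = lambda: secrets.randbits(k)
    s1, s2 = rnd(), rnd()
    return sec_add((a ^ s1, s1), (r ^ s2, s2), k, rnd)


def sec_and_count(k: int) -> int:
    """Number of secure ANDs (= random words drawn) in one sec_add of width k: 2*ceil(log2 k)."""
    calls = [0]

    def rnd() -> int:
        calls[0] += 1
        return 0

    sec_add((0, 0), (0, 0), k, rnd)
    return calls[0]


def selftest(k: int, trials: int = 200, seed: int = 0) -> bool:
    """Round-trip checks on constructed random inputs (seeded for reproducibility)."""
    rng = random.Random(seed)
    rnd = lambda: rng.getrandbits(k)
    m = mask(k)
    for _ in range(trials):
        x, y, r = rng.getrandbits(k), rng.getrandbits(k), rng.getrandbits(k)
        a = goubin_b2a(x ^ r, r, k, gamma=rnd())          # B2A
        if (a + r) & m != x:
            return False
        z1, z2 = a2b(a, r, k, rnd)                        # A2B
        if z1 ^ z2 != x:
            return False
        s1, s2 = rnd(), rnd()
        w1, w2 = sec_add((x ^ s1, s1), (y ^ s2, s2), k, rnd)
        if w1 ^ w2 != (x + y) & m:
            return False
    return True


if __name__ == "__main__":
    print("k=8 ok:", selftest(8), "k=64 ok:", selftest(64), "SecAnd calls at k=64:", sec_and_count(64))
```

Two points worth checking when porting this to a real target: the XOR in `G = (P & (G << s)) ^ G` is only equivalent to the usual OR because propagate and generate bits are never simultaneously set, and every `sec_and` must draw genuinely fresh randomness, otherwise the first-order argument for the adder no longer holds.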

[1] Mi-Jung Noh, et al. Differential Power Attack and Masking Method. 2005.

[2] Ray Beaulieu, Douglas Shors, Jason Smith, Stefan Treatman-Clark, Bryan Weeks, Louis Wingers. The SIMON and SPECK Families of Lightweight Block Ciphers. IACR Cryptology ePrint Archive, Report 2013/404, 2013.

[3] Peter M. Kogge, Harold S. Stone. A Parallel Algorithm for the Efficient Solution of a General Class of Recurrence Equations. IEEE Transactions on Computers, C-22(8), 1973.

[4] Jean-Sébastien Coron, Alexei Tchulkine. A New Algorithm for Switching from Arithmetic to Boolean Masking. CHES 2003.

[5] Jean-Sébastien Coron, Johann Großschädl, Praveen Kumar Vadnala. Secure Conversion between Boolean and Arithmetic Masking of Any Order. CHES 2014.

[6] Stefan Mangard, Elisabeth Oswald, Thomas Popp. Power Analysis Attacks: Revealing the Secrets of Smart Cards. Springer, 2007.

[7] Yuval Ishai, Amit Sahai, David Wagner. Private Circuits: Securing Hardware against Probing Attacks. CRYPTO 2003.

[8] James H. Burrows (NIST). Secure Hash Standard. FIPS PUB 180-1, 1995.

[9] Louis Goubin. A Sound Method for Switching between Boolean and Arithmetic Masking. CHES 2001.

[10] Paul C. Kocher, Joshua Jaffe, Benjamin Jun. Differential Power Analysis. CRYPTO 1999.

[11] Olaf Neiße, Jürgen Pulkus. Switching Blindings with a View Towards IDEA. CHES 2004.

[12] Quynh H. Dang (NIST). Secure Hash Standard. FIPS PUB 180-4, 2015.

[13] Stefan Mangard, et al. Power Analysis Attacks and Countermeasures. IEEE Design & Test of Computers, 2007.

[14] Blandine Debraize. Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking. CHES 2012.

[15] Siva Sai Yerubandi, et al. Differential Power Analysis. 2002.

[16] Mohamed Karroumi, Benjamin Richard, Marc Joye. Addition with Blinded Operands. COSADE 2014.