In this article, we study a first-order masking scheme, that makes use of one $n$-bit mask taking values in a strict subset of $\mathbb{F}_2^n$. For a given entropy budget, we show that the security does depend on the choice of the mask values. More specifically, we explore the space of mask sets that resist first and second-order correlation analysis (CPA and 2O-CPA), using exhaustive search for word size $n \leqslant 5$~bit and a SAT-solver for $n$ up to $8$~bit. We notably show that it is possible to protect algorithms against both CPA and 2O-CPA such as AES with only $12$ mask values. If the general trend is that more entropy means less leakage, some particular mask subsets can leak less (or on the contrary leak remarkably more). Additionally, we exhibit such mask subsets that allows a minimal leakage.
Category / Keywords: implementation / Publication Info: Extended version of a paper that will appear at INDOCRYPT'2011 Date: received 30 Sep 2011, last revised 19 Nov 2011 Contact author: sylvain guilley at TELECOM-ParisTech fr Available formats: PDF | BibTeX Citation Note: Updates of the notations, that comply more with that used customarily in the field of statistics. Also added references to the implementation of the presented concept of rotating sboxes masking. Version: 20111119:161329 (All versions of this report) Discussion forum: Show discussion | Start new discussion