Paper 2017/1024

Revisiting a Masked Lookup-Table Compression Scheme

Srinivas Vivek

Abstract

Lookup-table based side-channel countermeasure is the prime choice for masked S-box software implementations at very low orders. To mask an $n$-bit to $m$-bit S-box at first- and second-orders, one requires a temporary table in RAM of size $m 2^n$ bits. Recently, Vadnala (CT-RSA 2017) suggested masked table compression schemes at first- and second-orders to reduce the table size by (approximately) a factor of $2^l$, where $l$ is a parameter. Though greater compression results in a greater execution time, these proposals would still be attractive for highly resource constrained devices. In this work, we contradict the second-order security claim of the second-order table compression scheme by Vadnala. We do this by exhibiting several pairs of intermediate variables that jointly depend on the bits of the secret. Motivated by the fact that randomness is also a costly resource for highly resource constrained devices, we then propose a variant of the first-order table compression scheme of Vadnala that has the new randomness complexity of about $l$ instead of $2^l$ for the original proposal. We achieve this without inducing any noticeable difference in the overall execution time or memory requirement of the original scheme. Finally, we show that the randomness complexity of $l$ is optimal in an algebraic sense.
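The $m 2^n$-bit figure in the abstract refers to the uncompressed first-order table recomputation countermeasure: the S-box is re-encoded once per execution under an input mask and an output mask, and every lookup then touches only masked values. The following C program is an added illustration of that baseline (not code from the paper, and not Vadnala's compression scheme, which the page does not describe). The 4-bit S-box values and the fixed masks are constructed for the example; a real implementation draws `r_in` and `r_out` from a random source for every table rebuild.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample 4-bit to 4-bit S-box (a bijection) standing in for the
 * secret-dependent function to be masked; any n-to-m-bit table works alike. */
#define SBOX_N 4                     /* input bits  n */
#define SBOX_M 4                     /* output bits m */
#define SBOX_ENTRIES (1u << SBOX_N)  /* 2^n entries */

static const uint8_t SBOX[SBOX_ENTRIES] = {
    0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
    0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2
};

/* RAM needed by the uncompressed first-order masked table: m * 2^n bits. */
size_t masked_table_bits(unsigned n, unsigned m)
{
    return (size_t)m << n;
}

/* Precompute T'[u] = S[u ^ r_in] ^ r_out for every u in 0..2^n-1.
 * r_in masks the S-box input and r_out masks its output. Every entry is
 * written in index order, so the memory access pattern of this loop does
 * not depend on the masks or on any secret. */
void build_masked_table(uint8_t r_in, uint8_t r_out, uint8_t table[SBOX_ENTRIES])
{
    for (unsigned u = 0; u < SBOX_ENTRIES; u++)
        table[u] = SBOX[u ^ r_in] ^ r_out;
}

/* Look up the masked input x' = x ^ r_in. The result is S(x) ^ r_out, so the
 * unmasked S-box input and output never appear in memory or registers. */
uint8_t masked_sbox_lookup(const uint8_t table[SBOX_ENTRIES], uint8_t x_masked)
{
    return table[x_masked & (SBOX_ENTRIES - 1)];
}

/* Exhaustive correctness check: for every input x and every pair of masks,
 * removing the output mask from the looked-up value must give S(x).
 * Returns 1 on success, 0 on the first mismatch. */
int check_masked_sbox(void)
{
    uint8_t table[SBOX_ENTRIES];
    for (unsigned r_in = 0; r_in < SBOX_ENTRIES; r_in++) {
        for (unsigned r_out = 0; r_out < (1u << SBOX_M); r_out++) {
            build_masked_table((uint8_t)r_in, (uint8_t)r_out, table);
            for (unsigned x = 0; x < SBOX_ENTRIES; x++) {
                uint8_t x_masked = (uint8_t)(x ^ r_in);
                uint8_t y = masked_sbox_lookup(table, x_masked) ^ (uint8_t)r_out;
                if (y != SBOX[x])
                    return 0;
            }
        }
    }
    return 1;
}

int main(void)
{
    printf("first-order masked table for a %u-to-%u-bit S-box: %zu bits of RAM\n",
           SBOX_N, SBOX_M, masked_table_bits(SBOX_N, SBOX_M));
    printf("8-to-8-bit S-box: %zu bits of RAM\n", masked_table_bits(8, 8));
    printf("exhaustive unmasking check: %s\n", check_masked_sbox() ? "ok" : "FAILED");
    return 0;
}
```

The point of the exhaustive check is that correctness of the countermeasure does not depend on the mask values, which is what allows them to be drawn fresh each time; the cost that the compression schemes in the paper attack is the full $2^n$-entry table that must be rebuilt in RAM per execution.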

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Published elsewhere. INDOCRYPT 2017
Keywords
side-channel attack, masking, block cipher, implementation
Contact author(s)
sv venkatesh @ bristol ac uk
History
2017-10-25: received
Short URL
https://ia.cr/2017/1024
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2017/1024,
      author = {Srinivas Vivek},
      title = {Revisiting a Masked Lookup-Table Compression Scheme},
      howpublished = {Cryptology {ePrint} Archive, Paper 2017/1024},
      year = {2017},
      url = {https://eprint.iacr.org/2017/1024}
}