Paper 2018/1007
Masking the AES with Only Two Random Bits
Hannes Gross and Lauren De Meyer and Martin Krenn and Stefan Mangard
Abstract
Masking is the best-researched countermeasure against side-channel analysis attacks. Even though masking was invented almost 20 years ago, research on the efficient implementation of masking continues to be an active research topic. Many of the existing works focus on the reduction of randomness requirements since the production of fresh random bits with high entropy is very costly in practice. Most of these works rely on the assumption that only so-called online randomness results in additional costs. In practice, however, it shows that the distinction between randomness costs to produce the initial masking and the randomness to maintain security during computation (online) is not meaningful. In this work, we thus study the question of minimum randomness requirements for first-order Boolean masking when taking the costs for initial randomness into account. We demonstrate that first-order masking can always be performed by just using two fresh random bits and without requiring online randomness. We first show that two random bits are enough to mask linear transformations and then discuss prerequisites under which nonlinear transformations are securely performed likewise. Subsequently, we introduce a new masked AND gate that fulfills these requirements which form the basis for our synthesis tool that automatically transforms an unmasked circuit into a first-order secure masked circuit. We demonstrate the feasibility of this approach by implementing an AES circuit with only two bits of randomness.
Metadata
- Category: Implementation
- Publication info: Preprint. MINOR revision.
- Keywords: masking, AES, first-order masking, hardware security, side-channel analysis
- Contact author(s): hannes gross @ iaik tugraz at
- History
  - 2019-07-22: revised
  - 2018-10-22: received
- Short URL: https://ia.cr/2018/1007
- License: CC BY