Cryptology ePrint Archive: Report 2021/067

Analysis and Comparison of Table-based Arithmetic to Boolean Masking

Michiel Van Beirendonck and Jan-Pieter D’Anvers and Ingrid Verbauwhede

Abstract: Masking is a popular technique to protect cryptographic implementations against side-channel attacks and comes in several variants including Boolean and arithmetic masking. Some masked implementations require conversion between these two variants, which is increasingly the case for masking of post-quantum encryption and signature schemes. One way to perform Arithmetic to Boolean (A2B) mask conversion is a table-based approach first introduced by Coron and Tchulkine, and later corrected and adapted by Debraize in CHES 2012. In this work, we show both analytically and experimentally that the table-based A2B conversion algorithm proposed by Debraize does not achieve the claimed resistance against differential power analysis due to a non-uniform masking of an intermediate variable. This non-uniformity is hard to find analytically but leads to clear leakage in experimental validation. To address the non-uniform masking issue, we propose two new A2B conversions: one that maintains efficiency at the cost of additional memory and one that trades efficiency for a reduced memory footprint. We give analytical and experimental evidence for their security, and will make their implementations, which are shown to be free from side-channel leakage in 100.000 power traces collected on the ARM Cortex-M4, available online. We conclude that when designing side-channel protection mechanisms, it is of paramount importance to perform both a theoretical analysis and an experimental validation of the method.

Category / Keywords: implementation / Masking, A2B conversion, ARM Cortex-M4, Post-Quantum Cryptography

Date: received 18 Jan 2021

Contact author: michiel vanbeirendonck at esat kuleuven be

Available format(s): PDF | BibTeX Citation

Version: 20210122:202734 (All versions of this report)

Short URL: ia.cr/2021/067