Cryptology ePrint Archive: Report 2021/067
Analysis and Comparison of Table-based Arithmetic to Boolean Masking
Michiel Van Beirendonck and Jan-Pieter D’Anvers and Ingrid Verbauwhede
Abstract: Masking is a popular technique to protect cryptographic implementations
against side-channel attacks and comes in several variants including Boolean and
arithmetic masking. Some masked implementations require conversion between these
two variants, which is increasingly the case for masking of post-quantum encryption and
signature schemes. One way to perform Arithmetic to Boolean (A2B) mask conversion
is a table-based approach first introduced by Coron and Tchulkine, and later corrected
and adapted by Debraize in CHES 2012. In this work, we show both analytically and
experimentally that the table-based A2B conversion algorithm proposed by Debraize
does not achieve the claimed resistance against differential power analysis due to a
non-uniform masking of an intermediate variable. This non-uniformity is hard to find
analytically but leads to clear leakage in experimental validation. To address the
non-uniform masking issue, we propose two new A2B conversions: one that maintains
efficiency at the cost of additional memory and one that trades efficiency for a reduced
memory footprint. We give analytical and experimental evidence for their security, and
will make their implementations, which are shown to be free from side-channel leakage
in 100,000 power traces collected on the ARM Cortex-M4, available online. We conclude
that when designing side-channel protection mechanisms, it is of paramount importance
to perform both a theoretical analysis and an experimental validation of the method.
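The abstract contrasts the analytical check (is every intermediate's masking uniform?) with experimental validation. The following is an added example, not code from the report or its authors, that shows what the analytical half looks like for a toy word width: arithmetic and Boolean shares of a k-bit value, the basic single-table A2B construction T[a] = (a + r) xor r' (assumed here as a minimal stand-in; it is not the multi-block, carry-propagating algorithm the report analyses), and an exhaustive first-order check that each recorded intermediate has the same value distribution for every secret. A second, deliberately constructed variant leaves the carry out of A + r unmasked, as a careless multi-block implementation might when chaining table lookups; it is there to show the check catching a non-uniform intermediate and does not reproduce the defect the report found. K, MOD, the function names and the `trace` dictionary are all assumptions of this example.

```python
"""Toy first-order masking for k-bit words (constructed example).

Arithmetic masking:  x = (A + r) mod 2^k      shares (A, r)
Boolean masking:     x = B xor r'             shares (B, r')

A2B conversion turns (A, r) into (B, r').  The single-table construction
below builds T[a] = (a + r) xor r' for every k-bit a, so that T[A] = x xor r'.
It is a deliberately minimal stand-in for the multi-block, carry-propagating
table conversions the report analyses, which it does NOT reproduce.

first_order_check() enumerates every secret and every (r, r') pair and tests
whether each recorded intermediate's value distribution is the same for
every secret, i.e. whether its masking is uniform.
"""
from collections import Counter, defaultdict
from itertools import product

K = 4            # assumed word width in bits; small so enumeration is cheap
MOD = 1 << K


def arith_mask(x, r):
    """Arithmetic share A with x = (A + r) mod 2^k."""
    return (x - r) % MOD


def build_table(r, rp):
    """T[a] = (a + r) xor r' for all k-bit a (assumes fresh r, r' per use)."""
    return [((a + r) % MOD) ^ rp for a in range(MOD)]


def a2b_single_table(A, r, rp, T, trace):
    """Convert (A, r) to a Boolean share B with x = B xor r'.

    Every intermediate an attacker could probe is recorded in `trace`.
    """
    trace["index"] = A          # table index equals x - r mod 2^k, masked by r
    B = T[A]                    # T[A] = (A + r) xor r' = x xor r'
    trace["output"] = B
    return B


def a2b_unmasked_carry(A, r, rp, T, trace):
    """Constructed flawed variant (not the report's finding): additionally
    computes the carry out of A + r in the clear, as a careless multi-block
    implementation might when propagating carries between table lookups."""
    trace["index"] = A
    carry = (A + r) >> K        # 1 iff r > x, so its distribution depends on x
    trace["carry"] = carry
    B = T[A]
    trace["output"] = B
    return B


def first_order_check(convert):
    """Exhaustive first-order independence test of every intermediate.

    Returns {intermediate_name: True if its distribution over all (r, r')
    is identical for every secret x, else False}.  Also asserts that the
    conversion is functionally correct.
    """
    per_secret = defaultdict(dict)   # name -> {x: Counter of observed values}
    for x in range(MOD):
        for r, rp in product(range(MOD), repeat=2):
            A = arith_mask(x, r)
            T = build_table(r, rp)
            trace = {}
            B = convert(A, r, rp, T, trace)
            assert B ^ rp == x, "conversion is not functionally correct"
            for name, value in trace.items():
                per_secret[name].setdefault(x, Counter())[value] += 1
    return {
        name: len({tuple(sorted(c.items())) for c in dists.values()}) == 1
        for name, dists in per_secret.items()
    }


if __name__ == "__main__":
    for conv in (a2b_single_table, a2b_unmasked_carry):
        print(conv.__name__, first_order_check(conv))
```

For the single-table construction both recorded intermediates pass; for the constructed variant the carry fails, because the carry out of A + r is 1 exactly when r > x, so its bias reveals the secret's magnitude. Passing a check of this kind is necessary, not sufficient: it only covers intermediates the implementer thought to record, and, as the report's Cortex-M4 traces illustrate, it says nothing about what the actual hardware leaks (register transitions, memory-bus effects), which is why the experimental validation is still required.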
Category / Keywords: implementation / Masking, A2B conversion, ARM Cortex-M4, Post-Quantum Cryptography
Date: received 18 Jan 2021
Contact author: michiel vanbeirendonck at esat kuleuven be
Version: 20210122:202734 (All versions of this report)
Short URL: ia.cr/2021/067