Cryptology ePrint Archive: Report 2021/369

A Note on Algebraic Decomposition Method for Masked Implementation

Shoichi Hirose

Abstract: Side-channel attacks are a serious problem in the implementation of cryptosystems. Masking is an effective countermeasure to this problem and it has been actively studied for implementations of block ciphers. An obstacle to efficient masked implementation is the complexity of an evaluation of multiplication, which is quadratic in the order of masking. A natural approach to this problem is to explore ways to reduce the number of multiplications required to compute an S-box. Algebraic decomposition is another interesting approach proposed by Carlet et al. in 2015, which gives a way to represent an S-box as composition of polynomials with low algebraic degrees. In this paper, for the algebraic decomposition, we propose to use a special type of low-algebraic-degree polynomials, which we call generalized multiplication (GM) polynomials. The masking scheme for multiplication can be applied to GM polynomials, which is more efficient than the masking scheme for general low-algebraic-degree polynomials. Our performance evaluation based on some experimental results shows the effectiveness of masked implementation using the proposed decomposition compared to masked implementation using the decomposition of Carlet et al.

Category / Keywords: secret-key cryptography / Algebraic decomposition, Boolean function, Masking, S-box

Original Publication (with major differences): EAI AC3 2021

Date: received 18 Mar 2021, last revised 21 Dec 2021

Contact author: hrs_shch at u-fukui ac jp

Available format(s): PDF | BibTeX Citation

Note: An error in the decomposition of SKINNY 4-Bit S-box (Sect. 3.3) is fixed.

Version: 20211221:064151 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]