Efficient Conversion Method from Arithmetic to Boolean Masking in Constrained Devices

Abstract

A common technique employed for preventing a side channel analysis is Boolean masking. However, the application of this scheme is not so straightforward when it comes to block ciphers based on Addition-Rotation-Xor structure. In order to address this issue, since 2000, scholars have investigated schemes for converting Arithmetic to Boolean (AtoB) masking and Boolean to Arithmetic (BtoA) masking schemes. However, these solutions have certain limitations. The time performance of the AtoB scheme is extremely unsatisfactory because of the high complexity of \(\mathcal {O}(k)\) where k is the size of arithmetic operation. At the FSE 2015, an improved algorithm with time complexity \(\mathcal {O}(\log k)\) based on the Kogge-Stone carry look-ahead adder was suggested. Despite its efficiency, this algorithm cannot consider for constrained environments. Although the original algorithm inherently extends to low-resource devices, there is no advantage in time performance; we call this variant as the generic variant. In this study, we suggest an enhanced variant algorithm to apply to constrained devices. Our solution is based on the principle of the Kogge-Stone carry look-ahead adder, and it uses a divide and conquer approach. In addition, we prove the security of our new algorithm against first-order attack.

By reducing the main loop complexity to \(\lceil \log {(l-1)} \rceil \) from \(\lceil \log {(k-1)} \rceil \) where l is the size of register bit, we can expect the reasonable time complexity for our variant algorithms. In implementation results based on this fact, when \(k=64\) and the register bit size of a chip is 8, 16 or 32, we obtain 58%, 72%, or 68% improvement, respectively, over the results obtained using the generic variant. When applying those algorithms to first-order SPECK, we also achieve roughly 40% improvement. Moreover, our proposal extends to higher-order countermeasures as previous study.

Appendices

A Remaining Proof of Theorem 1

Here, we provide the remaining proof of Theorem 1, and thereby prove the following Lemma.

Lemma 3

\(\sum _{i=0}^{m-1}{x_{(i)}}\) is equal to \(\sum _{i=0}^{m}{X_{(i)}'}\).

Proof

$$\begin{aligned} \begin{aligned}&\sum _{i=0}^{m-1}{x_{(i)}} \\&=x_{(0)}+x_{(1)}+\cdots +x_{(m-2)}+x_{(m-1)} \\&=2^{0} \left( 2^{0}x^{(0)}+\cdots +2^{l-1}x^{(l-1)} \right) \\&\,\,+2^{l} \left( 2^{0}x^{(l+0)}+\cdots +2^{l-1}x^{(l+l-1)} \right) +\cdots \\&\,\,+2^{l(m-2)} \left( 2^{0}x^{(l(m-2)+0)}+\cdots +2^{l-1}x^{(l(m-2)+l-1)} \right) \\&\,\,+2^{l(m-1)} \left( 2^{0}x^{(l(m-1)+0)}+\cdots +2^{l-1}x^{(l(m-1)+l-1)} \right) \\&=2^{0} \left( 2^{0}x^{(0)}+\cdots +2^{l-1}x^{(l-1)} \right) \\&\,\,+2^{l-1} \left( 2^{1}x^{((l-1)+1)}+\cdots +2^{l-1}x^{((l-1)+l-1)} \right) +\cdots \\&\,\,+2^{(l-1)(m-1)} \left( 2^{1}x^{((l-1)(m-1)+1)}+\cdots +2^{l-1}x^{((l-1)(m-1)+l-1)} \right) \\&\,\,+2^{(l-1)m} \left( 2^{1}x^{((l-1)m+1)}+\cdots +2^{l-1}x^{((l-1)m+(m-1))} \right) \\&=X_{(0)}'+\cdots +X_{(m-1)}'+X_{(m)}'=\sum _{i=0}^{m}{X_{(i)}'} \end{aligned} \end{aligned}$$

   \(\square \)

Lemma 4

\(d^{(j)}\) is equal to \(c^{(i(l-1)+j-1)}\).

Proof

We proceed by mathematical induction.

Lemma 4 holds for \(j=0\),

$$\begin{aligned} \begin{aligned}&d^{(1)}=\{ (a^{(0)} \oplus b^{(0)}) \wedge d^{(0)}\} \oplus (a^{(0)} \wedge b^{(0)}) \\&=\{ ( c^{(i(l-1))} \oplus c^{(i(l-1))}) \wedge d^{(0)}\} \oplus (c^{(i(l-1))} \wedge c^{(i(l-1))}) \\&=(0 \wedge d^{(0)}) \oplus (c^{(i(l-1))} \wedge c^{(i(l-1))})=c^{(i(l-1))} \end{aligned} \end{aligned}$$

If Lemma 4 holds for \(j=k\), then it holds for \(j=k+1\), i.e., \(d^{(k)}=c^{(i(l-1)+k-1)}\).

$$\begin{aligned} \begin{aligned}&d^{(k+1)} \\&=\{ ( a^{(k)} \oplus b^{(k)}) \wedge d^{(k)} \} \oplus (x^{(i(l-1)+k-1)} \wedge y^{(i(l-1)+k-1)}) \\&=\{ (x^{(i(l-1)+k-1)} \wedge y^{(i(l-1)+k-1)}) \wedge c^{(i(l-1)+k-1)} \} \oplus (x^{(i(l-1)+k-1)} \wedge y^{(i(l-1)+k-1)}) \\&=c^{(i(l-1)+k)} \end{aligned} \end{aligned}$$

   \(\square \)

B Secure Computation of Basic Operation and Its Computational Complexity

We provide the basic operations used in Algorithms 3, 4, and the AtoB masking algorithm of [12]. For AtoB masking countermeasure, the basic operation required for sensitive information is secure computation. We show how to secure the Shift operations against first-order attacks, SecXor and SecAnd operations are a direct application of secure computations in [12].

SecXor and SecAnd algorithms are very straightforward. However, in contrast to [12] the SecShift algorithm should be some modified.

Table 6. Computational complexity of basic operations

Without loss of generality, we assume that bk in Algorithm 5 is identical to 0. Then, the SecShift algorithm requires \((4m-2)\) Xor operations and \((4m-2)\) Shift operations in Table 6. More precisely, by the loop of m times, \(4(m-1)\) is required. However, only two Xor and Shift are required in the initial loop.