Abstract
A common technique employed to prevent side channel analysis is Boolean masking. However, applying this scheme is not straightforward for block ciphers based on the Addition-Rotation-Xor structure. To address this issue, since 2000 researchers have investigated schemes for converting Arithmetic to Boolean (AtoB) masking and Boolean to Arithmetic (BtoA) masking. However, these solutions have certain limitations. The time performance of the AtoB scheme is highly unsatisfactory because of its \(\mathcal {O}(k)\) complexity, where k is the size of the arithmetic operation. At FSE 2015, an improved algorithm with time complexity \(\mathcal {O}(\log k)\) based on the Kogge-Stone carry look-ahead adder was suggested. Despite its efficiency, this algorithm does not take constrained environments into account. Although the original algorithm extends naturally to low-resource devices, doing so brings no advantage in time performance; we call this variant the generic variant. In this study, we suggest an enhanced variant algorithm for constrained devices. Our solution is based on the principle of the Kogge-Stone carry look-ahead adder and uses a divide and conquer approach. In addition, we prove the security of our new algorithm against first-order attacks.
By reducing the main loop complexity from \(\lceil \log {(k-1)} \rceil \) to \(\lceil \log {(l-1)} \rceil \), where l is the register bit size, we obtain a reasonable time complexity for our variant algorithms. In implementation results based on this fact, when \(k=64\) and the register bit size of the chip is 8, 16, or 32, we obtain 58%, 72%, or 68% improvement, respectively, over the results obtained with the generic variant. When applying these algorithms to first-order SPECK, we also achieve roughly 40% improvement. Moreover, our proposal extends to higher-order countermeasures as in previous studies.
References
Kogge, P.M., Stone, H.S.: A parallel algorithm for the efficient solution of a general class of recurrence equations. IEEE Trans. Comput. 100(8), 786–793 (1973)
Goubin, L.: A sound method for switching between Boolean and arithmetic masking. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 3–15. Springer, Heidelberg (2001). doi:10.1007/3-540-44709-1_2
Coron, J.-S., Tchulkine, A.: A new algorithm for switching from arithmetic to Boolean masking. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 89–97. Springer, Heidelberg (2003). doi:10.1007/978-3-540-45238-6_8
Neiße, O., Pulkus, J.: Switching blindings with a view towards IDEA. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 230–239. Springer, Heidelberg (2004). doi:10.1007/978-3-540-28632-5_17
Rivain, M., Dottax, E., Prouff, E.: Block ciphers implementations provably secure against second order side channel analysis. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 127–143. Springer, Heidelberg (2008). doi:10.1007/978-3-540-71039-4_8
Debraize, B.: Efficient and provably secure methods for switching from arithmetic to Boolean masking. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 107–121. Springer, Heidelberg (2012). doi:10.1007/978-3-642-33027-8_7
Vadnala, P.K., Großschädl, J.: Algorithms for switching between Boolean and arithmetic masking of second order. In: Gierlichs, B., Guilley, S., Mukhopadhyay, D. (eds.) SPACE 2013. LNCS, vol. 8204, pp. 95–110. Springer, Heidelberg (2013). doi:10.1007/978-3-642-41224-0_8
Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The SIMON and SPECK families of lightweight block ciphers. Cryptology ePrint Archive, Report 2013/404 (2013)
Coron, J.-S., Großschädl, J., Vadnala, P.K.: Secure conversion between Boolean and arithmetic masking of any order. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 188–205. Springer, Heidelberg (2014). doi:10.1007/978-3-662-44709-3_11
Karroumi, M., Richard, B., Joye, M.: Addition with blinded operands. In: Prouff, E. (ed.) COSADE 2014. LNCS, vol. 8622, pp. 41–55. Springer, Cham (2014). doi:10.1007/978-3-319-10175-0_4
Vadnala, P.K., Großschädl, J.: Faster mask conversion with lookup tables. In: Mangard, S., Poschmann, A.Y. (eds.) COSADE 2014. LNCS, vol. 9064, pp. 207–221. Springer, Cham (2015). doi:10.1007/978-3-319-21476-4_14
Coron, J.-S., Großschädl, J., Tibouchi, M., Vadnala, P.K.: Conversion from arithmetic to Boolean masking with logarithmic complexity. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 130–149. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48116-5_7
Acknowledgements
The authors would like to thank the anonymous reviewers for their useful comments that improved the quality of the paper. This work was partially supported by the Institute for Information and Communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (No. B0126-15-1008) and by the Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education (NRF-2013R1A1A2A10062137).
Appendices
A Remaining Proof of Theorem 1
Here, we complete the proof of Theorem 1 by proving the following lemmas.
Lemma 3
\(\sum _{i=0}^{m-1}{x_{(i)}}\) is equal to \(\sum _{i=0}^{m}{X_{(i)}'}\).
Proof
\(\square \)
Lemma 4
\(d^{(j)}\) is equal to \(c^{(i(l-1)+j-1)}\).
Proof
We proceed by mathematical induction.
Lemma 4 holds for \(j=0\),
If Lemma 4 holds for \(j=k\), then it holds for \(j=k+1\), i.e., \(d^{(k)}=c^{(i(l-1)+k-1)}\).
\(\square \)
B Secure Computation of Basic Operation and Its Computational Complexity
We describe the basic operations used in Algorithms 3 and 4 and in the AtoB masking algorithm of [12]. In an AtoB masking countermeasure, every operation that touches sensitive information must be computed securely. We show how to secure the Shift operation against first-order attacks; the SecXor and SecAnd operations are a direct application of the secure computations in [12].
The SecXor and SecAnd algorithms are very straightforward. However, in contrast to [12], the SecShift algorithm needs some modification.
Without loss of generality, we assume that bk in Algorithm 5 is identical to 0. Then, as shown in Table 6, the SecShift algorithm requires \((4m-2)\) Xor operations and \((4m-2)\) Shift operations. More precisely, each of the m loop iterations requires four Xor and four Shift operations except the initial one, which requires only two of each, giving \(4(m-1)+2 = 4m-2\).
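As an added example that is not part of the paper, the following Python sketch implements the generic (full-register-width) variant that the abstract and this appendix refer to: first-order SecXor, SecAnd and SecShift on two-share values, a Kogge-Stone addition built from them with \(\lceil \log (k-1) \rceil\) main-loop rounds, and an AtoB conversion on top. All function names are our own, the SecShift here simply shifts both shares (the paper's register-split modification of Algorithm 5 is not reproduced), and `secrets.randbits` stands in for the device's random number generator.

```python
import secrets

# Added illustration (not the paper's code): a sensitive k-bit value v is held
# as two Boolean shares (v0, v1) with v = v0 ^ v1; all gadgets work on shares.

def sec_xor(a, b):
    """Share-wise XOR: (a0^b0, a1^b1) encodes a ^ b without recombining."""
    return a[0] ^ b[0], a[1] ^ b[1]

def sec_and(a, b, k):
    """First-order ISW AND with a fresh mask u.  The cross terms a0&b1 and
    a1&b0 are folded into u one at a time, so their XOR (which depends on
    the unmasked inputs) is never computed."""
    u = secrets.randbits(k)
    c0 = (a[0] & b[0]) ^ u
    c1 = (a[1] & b[1]) ^ ((u ^ (a[0] & b[1])) ^ (a[1] & b[0]))
    return c0, c1

def sec_shift(a, j, k):
    """Left shift by j applied to each share independently (a bit that is 0
    in both shares is 0 in the value), truncated to the k-bit register."""
    mask = (1 << k) - 1
    return (a[0] << j) & mask, (a[1] << j) & mask

def sec_add_kogge_stone(x, y, k):
    """Masked x + y mod 2^k.  P = x ^ y (propagate), G = x & y (generate);
    each prefix round doubles the carry span covered by G, so
    max(ceil(log2(k-1)), 1) rounds fix every carry that stays in k bits."""
    p = sec_xor(x, y)
    g = sec_and(x, y, k)
    p0 = p                                   # x ^ y is needed again at the end
    rounds = max((k - 2).bit_length(), 1)    # == ceil(log2(k-1)) for k >= 2
    shift = 1
    for _ in range(rounds):
        # G <- G ^ (P & (G << shift)) ; P <- P & (P << shift)
        g = sec_xor(g, sec_and(p, sec_shift(g, shift, k), k))
        p = sec_and(p, sec_shift(p, shift, k), k)   # unused after last round
        shift <<= 1
    return sec_xor(p0, sec_shift(g, 1, k))   # sum = (x ^ y) ^ (carries << 1)

def arith_to_bool(A, r, k):
    """AtoB conversion: x = A + r mod 2^k  ->  (x0, x1) with x = x0 ^ x1.
    A and r are re-shared under fresh masks s, t before the addition, so the
    leaking intermediate A ^ r is never formed; everything runs on shares."""
    s, t = secrets.randbits(k), secrets.randbits(k)
    return sec_add_kogge_stone((A ^ s, s), (r ^ t, t), k)

def unmask(v):
    """Recombine shares; only for checking results, never inside a gadget."""
    return v[0] ^ v[1]
```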
© 2017 Springer International Publishing AG
Cite this paper
Won, YS., Han, DG. (2017). Efficient Conversion Method from Arithmetic to Boolean Masking in Constrained Devices. In: Guilley, S. (eds) Constructive Side-Channel Analysis and Secure Design. COSADE 2017. Lecture Notes in Computer Science(), vol 10348. Springer, Cham. https://doi.org/10.1007/978-3-319-64647-3_8
DOI: https://doi.org/10.1007/978-3-319-64647-3_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-64646-6
Online ISBN: 978-3-319-64647-3