Algorithms for Switching between Boolean and Arithmetic Masking of Second Order

Masking is a widely-used countermeasure to thwart Differential Power Analysis (DPA) attacks, which, depending on the involved operations, can be either Boolean, arithmetic, or multiplicative. When used to protect a cryptographic algorithm that performs both Boolean and arithmetic operations, it is necessary to change the masks from one form to the other in order to be able to unmask the secret value at the end of the algorithm. To date, known techniques for conversion between Boolean and arithmetic masking can only resist first-order DPA. This paper presents the first solution to the problem of converting between Boolean and arithmetic masking of second order. To set the context, we show that a straightforward extension of first-order conversion schemes to second order is not possible. Then, we introduce two algorithms to convert from Boolean to arithmetic masking based on the second-order provably secure S-box output computation method proposed by Rivain et al (FSE 2008). The same can be used to obtain second-order secure arithmetic to Boolean masking. We prove the security of our conversion algorithms using similar arguments as Rivain et al. Finally, we provide implementation results of the algorithms on three different platforms.