Optimal First-Order Boolean Masking for Embedded IoT Devices
English
Biryukov, Alex [University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)]
Dinu, Dumitru-Daniel [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)]
Le Corre, Yann [University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)]
Udovenko, Aleksei [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)]
26-Jan-2018
CARDIS 2017: Smart Card Research and Advanced Applications
Springer, Cham
Lecture Notes in Computer Science, volume 10728
22-41
Yes
International
978-3-319-75207-5
16th International Conference on Smart Card Research and Advanced Applications
Boolean masking is an effective side-channel countermeasure that consists in splitting each sensitive variable into two or more shares which are carefully manipulated to avoid leakage of the sensitive variable. The best known expressions for Boolean masking of bitwise operations are relatively compact, but even a small improvement of these expressions can significantly reduce the performance penalty of more complex masked operations such as modular addition on Boolean shares or of masked ciphers. In this paper, we present and evaluate new secure expressions for performing bitwise operations on Boolean shares. To this end, we describe an algorithm for efficient search of expressions that have an optimal cost in number of elementary operations. We show that bitwise AND and OR on Boolean shares can be performed using fewer instructions than the best known expressions. More importantly, our expressions do not require additional random values as the best known expressions do. We apply our new expressions to the masked addition/subtraction on Boolean shares based on the Kogge-Stone adder and we report an improvement of the execution time between 14% and 19%. Then, we compare the efficiency of first-order masked implementations of three lightweight block ciphers on an ARM Cortex-M3 to determine which design strategies are most suitable for efficient masking. All our masked implementations passed the t-test evaluation and thus are deemed secure against first-order side-channel attacks.