 Research
 Open Access
 Published:
A secure and highly efficient firstorder masking scheme for AES linear operations
Cybersecurity volume 4, Article number: 14 (2021)
Abstract
Due to its provable security and remarkable deviceindependence, masking has been widely accepted as a noteworthy algorithmiclevel countermeasure against sidechannel attacks. However, relatively high cost of masking severely limits its applicability. Considering the high tackling complexity of nonlinear operations, most masked AES implementations focus on the security and cost reduction of masked Sboxes. In this paper, we focus on linear operations, which seems to be underestimated, on the contrary. Specifically, we discover some security flaws and redundant processes in popular firstorder masked AES linear operations, and pinpoint the underlying root causes. Then we propose a provably secure and highly efficient masking scheme for AES linear operations. In order to show its practical implications, we replace the linear operations of stateoftheart firstorder AES masking schemes with our proposal, while keeping their original nonlinear operations unchanged. We implement four newly combined masking schemes on an Intel Core i74790 CPU, and the results show they are roughly 20% faster than those original ones. Then we select one masked implementation named RSMv2 due to its popularity, and investigate its security and efficiency on an AVR ATMega163 processor and four different FPGA devices. The results show that no exploitable firstorder sidechannel leakages are detected. Moreover, compared with original masked AES implementations, our combined approach is nearly 25% faster on the AVR processor, and at least 70% more efficient on four FPGA devices.
Introduction
SideChannel Attacks (SCAs) exploit physical leakages (e.g. running time (Kocher 1996), power consumption (Kocher et al. 1999) and electromagnetic radiations (Quisquater and Samyde 2001)) of a cryptographic implementation to recover the corresponding secrets. During the past two decades, SCAs have been proved to be serious threats to practical security of cryptographic devices, like CPUs, GPUs, smart cards, ASICs and FPGAs. The recent Meltdown and Spectre (Prout et al. 2018) attacks are typical examples of utilizing cache running time to steal secret data. As a consequence, countermeasures against SCAs must be developed and applied to protect the secret information. In fact, the necessity of protection against SCAs has been reached a broad consensus in the industry. There have been international standards that require cryptographic modules to protect against SCAs. For example, FIPS 1403 (FIPS Publication 1403 2019) and ISO/IEC 17825:2016 (JTC 2016), which both are security standards for cryptographic modules, claim that cryptographic modules with high level security should concern with the mitigation of SCAs. Obviously, designing secure (symmetrical) cryptography implementations against SCAs has become one of the most important hot spot in physical security.
Among different kinds of SCAs, firstorder attacks, such as firstorder differential power analysis (DPA) (Kocher et al. 1999) and firstorder correlation power analysis (CPA) (Schneider and Krishnamoorthy 1996), are widely used due to their low costs. Thus, they are the first into considerations when guarding devices against SCAs. ISO/IEC 17825:2016 specifies the use of Test Vector Leakage Assessment (TVLA) framework as a certain measure to assess whether an implementation of symmetrical cryptography is vulnerable to firstorder attacks or not. According to the highest security level, namely ISO/IEC 17825 level4, there should be at least 100,000 traces collected to test whether a specific implementation is resistant to them.
Due to its provable security and remarkable deviceindependence, masking (Rivain et al. 2009) has been one of the most wideadopted countermeasures against SCAs (Duc et al. 2019). Specifically, masking countermeasure randomizes the subtle dependency between a sensitive intermediate values and its corresponding sidechannel leakages by splitting the sensitive intermediate into several shares. Usually, it is called d^{th}order masking when the sensitive intermediate is split into d+1 shares to thwart d^{th}order SCAs (Ishai et al. 2003). Namely, a firstorder masked implementation should be able to protect against firstorder attacks. However, the main drawback of a masked implementation is that its cost is relatively high compared with the unprotected counterpart. In order to make masking countermeasure more practical, it is worthwhile to reduce its cost as much as possible.
Since relatively high complexity of nonlinear operations, most studies focus on improving nonlinear operations for masking schemes (Rivain and Prouff 2010). Specifically, for symmetric cryptographic algorithms such as AES, most studies focus on increasing the Sbox efficiency by improving the lookup table (LUT) operations (Coron 2014; Coron et al. 2018) or mending polynomial computation over the finite field (Coron et al. 2014). However, the security and efficiency of linear masking schemes (For sake of simplicity, the masking scheme of linear operations is called linear masking scheme in the rest of this paper) are widely ignored. In this paper, we focus on the security and efficiency of masked AES linear operations, and we find linear part should not be ignored. As for security, we find that there are serious flaws in MixColumns operations in some masking schemes because correlative masks are adopted in each round. As for efficiency, to figure out which part of operations account more in whole cryptographic computation, we evaluate the running time proportions of nonlinear and linear operations in stateoftheart masking schemes. Due to the primacy of firstorder security, we evaluate those in four different firstorder masking schemes firstly, and these masking schemes are described in details as follows.
SP. SP (Schramm and Paar 2006) scheme is designed to be secure at any order d. This scheme is now regarded to be firstorder and secondorder secure, as an thirdorder attack against it was shown in (Coron et al. 2007). Additionally, they claimed that it is sufficient to use a single 8bit mask for the entire masked AES algorithm.
ASCAD. ASCAD (Prouff et al. 2018) is a public dataset for the study of sidechannel analysis, which is also implemented by a firstorder masking AES scheme. So we use the same name to represent this masking scheme in this paper.
RSMv1. RSM (Nassar et al. 2012) is a low entropy masking scheme, which aims at keeping performances and complexity close to unprotected AES design while being as robust against firstorder SCAs as other masking in cryptographic implementations. In this paper, we use RSMv1 to denote the first vision of RSM. Note that this masking scheme was adopted by DPA Contest v4.1 as a study case for sidechannel security. Moreover, it has been proven in (Veshchikov and Guilley 2017) that the linear part of RSMv1 has a firstorder flaw, and similar flaw also happens in SP scheme.
RSMv2. RSM was revisited in (Bhasin et al. 2014), and we use RSMv2 to denote this improved RSM scheme. Actually, RSMv2 was adopted by DPA Contest v4.2, and is one of the most popular firstorder masking schemes.
All benchmarkings have been done on an Intel Core i74790 CPU. The results are shown in Fig. 1.
Moreover, we evaluate the running time proportions of nonlinear and linear operations in three higher order masking schemes (proposed in (Rivain and Prouff 2010; Coron 2014; Coron et al. 2018), and denoted by RP, Cor and CRZ respectively in this paper) with d=1 and d=2 in same experimental setting. The results are shown in Fig. 2.
It can be seen that linear operations account for at least 70% in these four firstorder masking schemes, while they account for less than 20% in secondorder masking schemes. Note that complexity of nonlinear part grows much faster than that of linear part with increasing d, so linear operations would account for lower in whole computations when masking order d gets higher than two. Considering that firstorder security is primacy in masking countermeasure and linear operations are relatively important in firstorder masking, in this paper we mainly focus on the optimization of linear operations to make firstorder masking countermeasure secure and more efficient.
Our Contribution. In this paper, we find that AES linear operations are widely ignored in stateoftheart firstorder masking countermeasures. Specifically, these masking schemes are insecure when correlative masks are adopted in each round, and inefficient because some linear operations are called redundantly. Consequently, we propose a secure and highly efficient firstorder linear masking scheme for AES, then heuristically prove its security and critically analyze its efficiency. In fact, this linear masking scheme can be combined with existing nonlinear masking schemes, which not only maintains the original security level, but also further improves the implementation efficiency. As a concrete illustration, we apply it to four stateoftheart AES masking schemes on an Intel Core i74790 CPU by replacing their linear operations with our proposal. The results demonstrate that by combining our proposal, these popular masking schemes are approximately 20% faster compared to the original ones. Furthermore, we combine a wellstudied masking scheme named RSMv2 with our proposal, then evaluate its practical security, and carry out a detailed performance comparison on five different embedded devices. The results of security evaluation verify that there is no available firstorder leakage in both software and hardware implementations. In addition, the results of efficiency evaluation show that the implementations combined our proposal are nearly 25% faster than existing implementations on AVR ATMega163 Processor, and the efficiency is improved by more than 70% on four different FPGA devices.
The rest of our paper is organized as follows. Sec. 2 reviews the basic knowledge of masking schemes for AES, and Sec. 3 illustrates the issues of the masking schemes in their linear operations. In Sec. 4, we propose our new firstorder masking scheme for AES linear operations and analyze its security and efficiency in theory. Then in Sec. 5 we evaluate the performance of our proposal on different implementations. Finally, Sec. 6 concludes the paper.
Preliminary
In this section, we review the existing masking schemes for AES. In masking schemes, each sensitive value is split into d+1 shares x_{0},x_{1}⋯x_{d}, and their relation can be expressed as Eq.(1).
where x means the sensitive value while x_{i} means ith split share, and ⊥ denotes the mask operation. In the rest of the paper, we shall consider that ⊥ is the exclusiveor (XOR) operation denoted by ⊕. Usually, the d shares {x_{1},⋯,x_{d}} called masks are randomly picked up and the {x_{0}} called the masked value is processed such that it satisfied Eq. (1). Recently, most studies focus on designing the masked Sbox with d+1 shares, such as d^{th}order masking scheme based on LUT (Coron 2014), based on polynomial computation over the finite field (Coron et al. 2014) and so on. But the designing for linear operations is widely ignored. As illustrated above, the costs of linear operations account much more than that of nonlinear operations in firstorder masked implementations. Thus in this paper, we focus on firstorder masking scheme, and accordingly each sensitive value is split into two shares (d=1). Recently, a common masking approach for linear operations is to compute each share successively (Schramm and Paar 2006; ParisTech 2015; Coron et al. 2014), as shown in Fig. 3. First of all, 16 Sboxes are processed respectively, and the input 8bit value of each Sbox is split into 2 shares, so each Sbox is fed with 2*8 bits. Next, all 16*8 bits of each share are fed to two linear operations, because F(x_{0}⊕x_{1})=F(x_{0})⊕F(x_{1}) if F is a linear function. Thus, it is obvious that this masking scheme for linear operations will cost 2 times as much as unprotected AES implementation.
In this paper, to distinguish the two shares and sensitive value clearer, x_{0},x_{1} and x are expressed as ST, M and V respectively. Then we consider the masked AES implementation, while a general masked AES128 implementation is shown in Algorithm 1, with the following linear operations:
AddRoundKey. AddRoundKey is a Boolean operation, which XOR the state data with round keys. As for Boolean masking schemes, the round keys need to do XOR with only one share (generally ST), so this operation costs the same in masked implementation with unprotected one.
Remask. Remask is not a necessary operation for all firstorder masking schemes. Specifically, remask operation refreshes the two shares ST and M without changing ST⊕M (it is different with mask refresh, since the new M may be not generated randomly). For example, the masking scheme in (Prouff et al. 2018) needs to remask before and after MSbox, which corresponds to the line 6, 8, 15 and 17 in Algorithm 1. And the masking schemes in (Nassar et al. 2012; Bhasin et al. 2014) need to remask after MixColumns, which corresponds to the line 13 in Algorithm 1.
ShiftRows. ShiftRows is necessary for AES. In the existing firstorder masking schemes, ShiftRows operation executes once for each share in one round, as shown in line 9 and line 10 in Algorithm 1.
MixColumns. MixColumns is also necessary for masked AES schemes. MixColumns is usually expressed as several sequences of multiplications by 2 over \(\mathbb {F}_{2^{8}}\) and XOR operations. Specifically, it can be expressed as Eq. (2).
where i∈{0,1,2,3}. Actually, MixColumns can be implemented as Eq. (2) directly, which is an original and trivial implementation but is still adopted by (Coron 2014; Coron et al. 2018). Then it was improved in (Fang 2009), which is shown as Algorithm 2. The GF256MUL2(·) operation denotes the multiplication by 2 over \(\mathbb {F}_{2^{8}}\). Actually, this improved MixColumns module has been adopted in (Nassar et al. 2012; Bhasin et al. 2014; Prouff et al. 2018). In original MixColumns, the GF256MUL2 operations for ST[4i+j] and ST[4i+(j+1)_{mod 4}] need to compute respectively, so each ST_{i} in Eq. (2) needs 2 GF256MUL2 and 4 XOR (3 XOR expressed in equation and one for 3 ×ST[4i+(j+1)_{mod 4}]). Since the linear operations are called twice in firstorder masking scheme, there are totally 32 × 2 GF256MUL2 and 64 × 2 XOR in original MixColumns. Comparatively, it can be counted that there are 16 GF256MUL2 and 60 XOR in Algorithm 2, then totally 16 × 2 GF256MUL2 and 60 × 2 XOR for improved MixColumns in firstorder masking scheme.
However, there are security flaws and redundant calls in the linear operations, which will be explained in next section.
Security and efficiency of linear operations
In this section, we illustrate the flaws of existing masked AES implementations in linear operations. Then we show a protected algorithm as an example, which satisfied firstorder secure but not efficient. This example could help to understand our proposal described in next section.
In firstorder masking schemes, each sensitive intermediate should be randomized by at least one randomness. Certainly, the output of a linear operation (e.g. XOR) should also be randomized, so we have Eq. (3).
Two sensitive intermediates V_{0} and V_{1} are randomized by masks M_{0} and M_{1} separately, while masked values are denoted by ST_{0} and ST_{1}. Then, the output (V_{0}⊕V_{1}) is randomized by (M_{0}⊕M_{1}). If these masks are correlative (e.g. in SP scheme, M_{0}=M_{1}), then (V_{0}⊕V_{1}) are not randomized enough and this masking scheme cannot reach firstorder security. Similarly, in a masked AES scheme, these linear operations cannot reach firstorder security while the masks in each round are correlative. Specifically, in MixColumns module, the different masked values (ST_{i}) get XOR without any new random number introduced. Thus if these intermediates are protected by correlative masks, the new intermediate (their XOR results) may no longer be protected.
It can be verified by simulated experiments. We simulated the leakages of one loop in Algorithm 2 using a very popular leakage model (Ming et al. 2020), which can be expressed by L=HW(x)+N, where L denotes the leakages and HW(x) denotes Hamming weight of the intermediate x. N denotes Gaussian noise and we use σ to denote its standard deviation. σ is set to 2 in all simulated experiments. We simulated 200 points totally, and 19 points among them are corresponding to 3+4 × 4=19 operations in one loop in Algorithm 2 while other points are simulated by Gaussian noise. We launch ttest (Gilbert Goodwill et al. 2011) to detect the firstorder leakages on these simulated points, and the results are shown in Fig. 4a. It can be seen that firstorder leakages are really obvious. Additionally, this flaw is also found in RSMv1. In this scheme, third bit of masks after XOR operation are totally the same, so the third bit of output is not randomized. Utilizing this unprotected bit, firstorder leakages can also be detected, which are shown in Fig. 5b. Similar results were illustrated in (Veshchikov and Guilley 2017), which utilized this unprotected bit to launch firstorder attack on DPA contest v4 dataset, and successfully recovered the secret key. However, they thought this attack worked due to improper mask set, but the implementation with their revisited mask sets is still firstorder attackable (Ming et al. 2020).
We show one protected example to make our proposal easier to understand. Specially, we generate a new randomness s and introduce it to line 2 and line 4 in Algorithm 2 to protected sensitive intermediates, and the protected example is shown in Algorithm 3. It is easy to verify that the inputs and outputs of Algorithm 3 are the same as those of Algorithm 2, since randomness s is cancelled out before output.
It is also trivial to verify the security of Algorithm 3. We denote by I the set of intermediate variables that processed during an execution of Algorithm 3, and we denote by EI the set of extra variables due to accumulation in an intermediate variable. Table 1 lists these variables of Algorithm 3. In order to prove Algorithm 3 is secure against firstorder SCA, we need to show that all variables are protected at least by one randomness. Specifically, I_{1} and I_{2} are straightforwardly secure. I_{3},I_{4} and I_{5} are protected by s or GF256MUL2(s). Note that if t (resp.tmp) is not cleared to zero before overwriting with ST[4i] (resp. ST[4i+j]), there will be two sets of extra variables, which are denoted by EI_{1} and EI_{2}. The extra variables in EI_{1} and EI_{2} are related to the leakages function. For example, the extra variable in EI_{1} can be denoted by t⊕ST[4(i+1)] in Hamming distance leakage function. Since t (resp.tmp) is still protected by s (resp. GF256MUL2(s)) which is independent with ST, the two sets EI_{1} and EI_{2} are secure as well. Note that the output OT might be attackable since s is removed. However, if the 16 masks M[16] are the same, OT will be still protected well. Because the masks M are also removed in line 3 and line5, so GF256MUL2(tmp) and t are only protected by s, which is removed in line 6. Then OT will be under the same protection of the masks of ST, namely M.
In addition, we simulate the points for each operation in protected example with 16 same masks and detect their firstorder leakages. There are 200 simulated points while 24 points among them are corresponding to 24 operations in one loop in Algorithm 3. The detection results for protected SP and protected RSMv1 are shown in Figs. 4b and 5b respectively. It can be seen that no firstorder leakages detected after protection. And our proposal described in next section is an improvement from this example.
On the other hand, these linear operations usually become inefficient because some linear operations are called repeatedly and redundantly. Only considering the necessary operations, the ShiftRows and MixColumns are called for each shares, as shown in line 9, line 10 and line 11, line 12 in Algorithm 1. Clearly, calling linear operations repeatedly is surely satisfied with correctness for a linear function, since F(ST⊕M) equals to F(ST)⊕F(M) for a linear function F(·). However, the masks M are randomly picked up, and linear operations for M seem wasteful. Thus, it is important to design a secure linear algorithm without changing the masks M while ST is updated, then the linear operations for masks M can be saved.
Linear masking scheme
In this section, we propose a secure and highly efficient firstorder linear masking scheme for AES, then analyze its efficiency and prove its security.
Core idea
In fact, designing two linear operations is a waste of resources for masked AES implementation. Therefore, we introduce the idea that: reduce two masked linear operations in Fig. 3 to one while extra randomness is induced to maintain the security level, as shown in Fig. 6. Consequently, the efficiency on linear operation can be considerably increased by a factor of two.
Following this core idea, we propose our firstorder linear masking scheme.
Firstorder linear masking scheme
As shown above, there are 3 necessary modules of the linear operations in AES: AddRoundKey, ShiftRows and MixColumns. Among them, AddRoundKey and ShiftRows have been secure and efficient. As for AddRoundKey, only one share needs to do XOR with corresponding round key, which cost the same with unprotected AES. As for ShiftRows, we can just reorder the computation of 16 Sboxes (Bhasin et al. 2014) to save half costs. However, designing the masked MixColumns module is the most complex and significant for improving the linear operation since it costs the highest in these modules.
The masked MixColumns is shown as Algorithm 4, which is called SEMixColumns in this paper to distinguish it from others. In order to combine two MixColumns into one while maintaining the same security, new generated random numbers (line 1) are needed to protect the intermediates, then part of masks can be removed. Finally, these random numbers s are removed in line 10 while this line is protected by the masks of ST_{4i+j}, and the outputs of Algorithm 4 (16 bytes OT[16]) are still protected by M, so the MixColumns for M in Algorithm 1 (line 12) can be saved.
Thus, line 11 and line 12 in Algorithm 1 are replaced by “ ST← SEMixColumns (ST,M)” in our masked AES algorithm, while other parts are all the same. Note that the ST should be cleared to zero before overwriting with OT, otherwise there will be extra leakages corresponding to the sensitive intermediate GUL2MUL(tmp)⊕t. One MixColumns module is saved by the optimization, although SEMixColumns costs more since new variables are introduced. It can be counted that there are totally 20 GF256MUL2 and 120 XOR in Algorithm 4. Since Algorithm 4 is only called once in masked AES implementation, it costs less than other algorithm in sum. In order to make clearer comparison of the costs on linear operations, we list the required number of basic operations (XOR, Shift and GF256MUL2) of these linear implementations in one AES round, as shown in Table 2.
It can be seen in Table 2 that our proposal is advantaged particularly on the number of GF256MUL2. Our proposal only cost 20 GF256MUL2 in each AES round. So the implementation for GF256MUL2 certainly affects the efficiency gain though our proposal. Moreover, Table 2 is only a theoretical comparison, the practical improvements may be different more or less due to different implementation targets.
Security analysis
In this section, we prove that our proposed masking scheme can actually reach firstorder security against SCAs.
First of all, other linear parts except MixColumns have been proven to reach firstorder security. As for MixColumns, both original implementation (Coron et al. 2018) and efficient implementation (Veshchikov and Guilley 2017) will be threaten by firstorder attacks if the masks in each round are correlative, which has been demonstrate in Sec. 3. So we need to prove that our proposed SEMixColumns (Algorithm 4) is able to protect against firstorder attacks, namely each sensitive value is protected by a random number.
We heuristically prove the firstorder security of Algorithm 4 with the approach similar to that in Sec. 3. We also denote by I the set of intermediate variables that processed during an execution of Algorithm 4, and we denote by EI the set of extra variables due to accumulation in an intermediate variable. Table 3 lists these variables of Algorithm 4. Specifically, I_{1},I_{3},I_{4},I_{5} and I_{7} are the same as the sets in Table 3, which have been proved to be secure. And I_{2} and I_{6} are also protected by s or GF256MUL2(s). Since random numbers s are removed in line 10 while ST is protected by the masks M, the outputs I_{8} are still protected by M. In addition, if t (resp.tmp) is not cleared to zero before overwriting with ST[4i] (resp. ST[4i+j]), there will also be two set of extra variables, which are denoted by EI_{1} and EI_{2} in Table 3. Similarly, EI_{1} and EI_{2} are protected by s or GF256MUL2(s) as well.
In summary, all sensitive intermediates in linear operations are still under protection, which proves that our proposal for linear operations can theoretically achieve firstorder security.
More efficient implementation in certain cases
Our proposal as shown in Algorithm 4 can be optimized further in certain cases. Specifically, if Eq. (4) is satisfied, the masks in each column after ShiftRows are equal (the same color in Fig. 7), then r_{0},r_{1},r_{2} and r_{3} in Algorithm 4 equal to 0. Therefore, there is no need for the XOR operations related with these intermediates, which can save an additional 40 XOR per round.
However, the optimized method cannot be adopted by all firstorder masking schemes since: (1) this method requires the masks to satisfied Eq. (4) (m_{i} denotes the ith mask of the 16 bytes masks M[16]), so it may be incompatible with some firstorder masking schemes with similar type restrictions (e.g. the masking scheme RSMv1 requires the masks to be a regular sequence, which is not compatible with this more efficient implementation). (2) after the Mixcolumns, it is necessary to remask to ensure continuous implementation process (as shown in Fig. 7). So the masking scheme should contain the remask operation after Mixcolumns (line 13 in Algorithm 1), or this optimized method would not work for the scheme duo to extra XOR introduced.
Experiment
In this section, we combine our linear masking algorithm with different firstorder masking schemes, and evaluate their practical efficiency in a CPU implementation. Next, we choose the scheme named RSMv2, which have been studied well because of DPA Contest v4.2, as our main target. Specifically, RSMv2 is implemented in both software and hardware, then its sidechannel security and practical efficiency are evaluated later.
Evaluation of running time on CPU
A masked AES implementation is consist of two parts: nonlinear part and linear part, so the speedup of our proposal toward whole AES execution time is also affected by the implementations of nonlinear part. Generally speaking, if the nonlinear part is welldesigned and efficient, the improvement of our proposal will get more remarkable. In this experiment, we combine our proposal with four stateoftheart firstorder masking schemes, which have been introduced in details.
These schemes are implemented on an Intel Core i74790 CPU running at 3.60GHz. Considering that the function GF256MUL2 also affects speedup of our proposal, we implement GF256MUL2 by two methods: (1) Computation (slower but save memories). Rotate the 8bits input to the left by 1 bit, then judge whether the most significant bit equals to 1. If so, then XOR this intermediate with 0x1b. (2) LUT (faster but need extra memories). Look up the outputs in a stored table. The results of speedup in different firstorder masking schemes are shown in Table 4. It can be seen that our proposal can get approximately 20% speedup on these masking schemes. Moreover, for each masking scheme, the speedup of our proposal is greater while GF256MUL2 is achieved by computation, because computation based GF256MUL2 requires more running time than LUT based one, which lead to more cost savings by using our proposal.
Moreover, we discuss about how the compiler treats these software implementations, and the details are shown in Appendix.
Evaluation of embedded implementations
Considering that RSMv2 has been studied well because of DPA Contest v4.2 and its software implementation has been published in (ParisTech 2015), we select this popular firstorder masking scheme as our study object. And in our experiments, we replaced the linear operations by our more efficient proposal while keeping the nonlinear operations unchanged.
As for software implementation, we adopt the similar RSMv2 implementation as used in DPA Contest v4.2. We programmed the hexfiles on a FunCard with an Atmel ATmega 163 microprocessor, which is the suggested platform from DPA Contest v4.2. The implementation codes of RSMv2 scheme can be also downloaded from the DPA Contest v4.2 (ParisTech 2015), which uses C Language on connection between the processor and computer, and uses assembly language on cryptographic implementation. To take a fair comparison, we only use assembly language to change the linear operations. Note that GF256MUL2 is implemented by LUT in the published codes, and we implement this function in the same way.
Compared to the RSMv2 implementation, the code size of our proposal gets similar. Actually both of these two hexfiles are 42KB. As for execution time, our proposal gets obviously faster. The FunCard is connected with computer by SASEBOW board, and we measured the running time of RSMv2 and our proposal with a trigger in codes and an oscilloscope. Since ATmega 163 microprocessor is running at 8MHz, it is easy to get the results on the software implementation in cycles, which are show as Table 5. The results show that using our proposal the masked AES is nearly 25% faster than before on the software implementation.
As for hardware implementations, the RSMv2 scheme in (Bhasin et al. 2014) and our proposal are both implemented in Kintex7, Virtex6, Virtex5 and Spartan3E FPGA devices, the consumed resources for masked AES are shown in Table 6. Since these AES implementations take 128bit inputs and outputs, the data size is 128 bit. And the latency of these implementations is 14 cycles. The delay column represent the longest path between registers. Note that nonlinear part is implemented using fixed BRAM costs, which is a common and popular implementation (Nassar et al. 2012). As for GF256MUL2, it is implemented by computation on FPGA. Above all, it can be seen that our proposal greatly outperforms the RSMv2 scheme in efficiency on these four different FPGA devices, and the efficiency are all increased by more than 70%.

On Kintex7 device, which is built on 28nm process technology, our proposal achieves better performance with 70.78% efficiency gain compared to existing implementation.

Virtex6 is also built on 28nm process technology, and the performance on it gets worse (more delays and LUTs) than that on Virtex6 device. But our proposal still achieves better performance with 71.35% efficiency gain, which is similar to the result on Kintex7 device.

Virtex5 is for integration at 56nm, but the performance on it is similar with that on Virtex6, and our proposal achieves better performance with 80.60% efficiency gain, which is the most in these four devices.

Spartan3E is built on 90nm process technology. On Spartan3E device, our proposal can also achieve better performance with 74.38% efficiency gain.
An interesting finding is that the delays and LUTs on Spartan3E are much more than other three devices. We think it is because Kintex7, Virtex6 and Virtex5 are 6input LUTs based FPGA, while Spartan3E devices is 4input LUTs based one. Therefore, the implementation on Spartan3E requires more LUTs (almost 50% than others), and accordingly needs more running time.
From the results of these experiments, our proposal for linear operations of AES masking schemes greatly improves the efficiency of masked AES on both hardware and software cryptographic implementations.
Sidechannel security
To evaluate the practical security of our proposal, we launch ttests (Gilbert Goodwill et al. 2011) and firstorder CPA (Rivain 2008) to both software and hardware implementations respectively. The traces for software implementation are collected from an Atmel ATmega 163 microprocessor on SASEBOW board with an Agilent DSO9104A oscilloscope. The sampling rate is set to be 20MS/s, and the collected traces are compressed with a step of 4 points. The traces for hardware implementation are collected from a Xilinx Kintex7 family device XC7K160T1FBG676 embeded on SAKURAX board with also an Agilent DSO9104A oscilloscope. The sampling rate is set to be 1GS/s.
We use leakage detection test to evaluate whether any firstorder sidechannel leakages existing in our proposal. Specifically, We apply firstorder ttest on both software implementation and hardware implementation. For software implementation, we totally collect 200,000 traces, each trace has 12,000 points and is compressed to 3,000 points. Considering that FPGA implementation is faster and gets more noise, we totally collect 560,000 traces, each trace has 750 points. The results of firstorder ttests are shown in Fig. 8. It is obvious that the firstorder leakages of two implementations are always lower than ± 4.5, which means our proposal has no exploitable firstorder leakages on these two implementations.
In Fig. 8a, the leakages near No.400 point get more obvious than other points. Actually, it is the operations for data input (reading plaintexts), so these points cannot be used to recover the secret key, and the following attack results also demonstrate it. We used 200,000 traces to launch a firstorder attack on the software implementation, and used 560,000 traces to launch firstorder attack on hardware implementations. Figures 9 and 10 show the success rate and guessing entropy results (Rivain 2008) for these two implementations. We can see that the success rate always equals to zero in both implementations, and there is no downward trend in the guess entropy results.
Above all, all experimental results show that our proposal can actually provide firstorder security to the software and hardware implementations.
Application in higher order masking schemes
Our proposal performs well in firstorder masking schemes in different implementations. However, we do not think it can achieve similar performance in higher order masking implementations.
We have shown the running time proportion of linear operations in different AES higher order masking implementations in Fig. 2, and we find that the significance of the linear part progressively decreases with the increase of the masking order. Take CRZ (Coron et al. 2018) higher order masking scheme as an example, which is stateoftheart provably secure masked implementation for AES at any order d. When the order of CRZ masking scheme exceeds two, linear operations account for less than 3% of the total AES implementation. In fact, the evaluations on other higher order masking schemes get similar results. Therefore, we think that it is of little meaning to improve the efficiency of AES higher order masking schemes by optimizing their linear operations. Namely, it should be still focused on nonlinear operations to improve the higher order masking schemes.
Conclusion
In this paper, we point out that there are some design defects in the linear operation of stateoftheart masked AES implementations. These defects not only decrease the security level of some popular firstorder masking schemes, but also reduce their implementation efficiency. In order to remedy these defects, we propose a firstorder linear masking scheme with inspired performance, then prove its security and analyze its efficiency. Specifically, this masking scheme is designed for AES linear operations, so it can be combined with any existing masked AES scheme to further improve the implementation efficiency. To demonstrate its practical security and efficiency, we combine our proposal with four different stateoftheart firstorder masking schemes on an Intel Core i74790 CPU. The results show that the four masking schemes can get roughly 20% faster than before by using our proposal. Moreover, we select a wellstudied masking scheme named RSMv2, and implement it on five different embedded devices. The results show that by using our proposal, the masking implementations achieve much higher efficiency without exploitable firstorder leakages.
Appendix
To figure out how the compiler treats the software implementation, we optimize the implementations with the help of “O3” option. Then we measure the performance of all popular firstorder masking schemes on an Intel Core i74790 CPU again. The results are shown in Table 7. It can be seen that the speedup is not impressive under this environment.
We additionally take ARM as embedded software target. Specifically, we evaluate the performance of unprotected AES and four masking schemes on a STM32F4 MCU based on ARM CortexM4. Thanks to the simulator in Keil uVision5, the performance results of all the schemes are straightforwardly in cycles, as shown in Table 8. It can be seen that our proposal is nearly 15% faster on the typical 32bit processor, which is not as much as the benefis on 64bit Intel processor. Namely, the performance gains are different due to implemented compiler.
Availability of data and materials
Not applicable.
References
Bhasin, S, Bruneau N, Danger J, Guilley S, Najm Z (2014) Analysis and improvements of the DPA contest v4 implementation. In: Chakraborty RS, Matyas V, Schaumont P (eds)Security, Privacy, and Applied Cryptography Engineering. SPACE 2014. Lecture Notes in Computer Science, vol 8804.. Springer, Cham. https://doi.org/10.1007/9783319120607_14.
Coron, J (2014) Higher order masking of lookup tables. In: Nguyen PQ Oswald E (eds)Advances in Cryptology  EUROCRYPT 2014. EUROCRYPT 2014. Lecture Notes in Computer Science, vol 8441.. Springer, Berlin, Heidelberg. https://doi.org/10.1007/9783642552205_25.
Coron, J, Prouff E, Rivain M (2007) Side channel cryptanalysis of a higher order masking scheme. In: Paillier P Verbauwhede I (eds)Cryptographic Hardware and Embedded Systems  CHES 2007. CHES 2007. Lecture Notes in Computer Science, vol 4727.. Springer, Berlin, Heidelberg. https://doi.org/10.1007/9783540747352_3.
Coron, J, Roy A, Vivek S (2014) Fast evaluation of polynomials over binary finite fields and application to sidechannel countermeasures. In: Batina L Robshaw M (eds)Cryptographic Hardware and Embedded Systems  CHES 2014. CHES 2014. Lecture Notes in Computer Science, vol 8731.. Springer, Berlin, Heidelberg. https://doi.org/10.1007/9783662447093_10.
Coron, J, Rondepierre F, Zeitoun R (2018) High order masking of lookup tables with common shares. IACR Trans Cryptogr Hardw Embed Syst 1:40–72. https://doi.org/10.13154/tches.v2018.i1.4072.
Duc, A, Faust S, Standaert F (2019) Making masking security proofs concrete (or how to evaluate the security of any leaking device), extended version. J Cryptol 32(4):1263–1297. https://doi.org/10.1007/s0014501892770.
Fang, J (2009) Mixcolumn round transformation optimization and improvement in the aes algorithm. Microcomput Inf 25(21):49–51.
FIPS Publication 1403 (2019) Security Requirements for Cryptographic Modules. The National Institute of Standards and Technology. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.1403.pdf.
Gilbert Goodwill, BJ, Jaffe J, Rohatgi P, et al. (2011) A testing methodology for sidechannel resistance validation In: NIST noninvasive attack testing workshop, vol 7, 115–136.. NIST. https://csrc.nist.gov/csrc/media/events/noninvasiveattacktestingworkshop/documents/08_goodwill.pdf.
Ishai, Y, Sahai A, Wagner DA (2003) Private circuits: Securing hardware against probing attacks. In: Boneh D (ed)Advances in Cryptology  CRYPTO 2003. CRYPTO 2003. Lecture Notes in Computer Science, vol 2729.. Springer, Berlin, Heidelberg. https://doi.org/10.1007/9783540451464_27.
JTC, I (2016) Iso/iec 17825:2016 information technology  security techniques  testing methods for the mitigation of noninvasive attack classes against cryptographic modules. https://www.iso.org/standard/60612.html.
Kocher, P (1996) Timing Attacks on Implementations of DiffieHellman, RSA, DSS, and Other Systems. In: Koblitz N (ed)Advances in Cryptology  CRYPTO ’96. CRYPTO 1996. Lecture Notes in Computer Science, vol 1109.. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3540686975_9.
Kocher, PC, Jaffe J, Jun B (1999) Differential power analysis. In: Wiener M (ed)Advances in Cryptology ? CRYPTO? 99. CRYPTO 1999. Lecture Notes in Computer Science, vol 1666.. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3540484051_25.
Ming, J, Zhou Y, Cheng W, Li H, Yang G, Zhang Q (2020) Mind the balance: Revealing the vulnerabilities in low entropy masking schemes. IEEE Trans Inf Forensics Secur 15:3694–3708. https://doi.org/10.1109/TIFS.2020.2994775.
Nassar, M, Souissi Y, Guilley S, Danger J (2012) RSM: A small and fast countermeasure for aes, secure against 1st and 2ndorder zerooffset scas In: 2012 Design, Automation & Test in Europe Conference & Exhibition, DATE 2012, Dresden, Germany, March 1216, 2012, 1173–1178. https://doi.org/10.1109/DATE.2012.6176671.
ParisTech, T (2015) Dpa contest v4.2. documentation. http://www.dpacontest.org/v4/42_doc.php. Accessed 27 Aug 2015.
Prouff, E, Strullu R, Benadjila R, Cagli E, Dumas C (2018) Study of deep learning techniques for sidechannel analysis and introduction to ASCAD database. IACR Cryptol ePrint Arch 53. http://eprint.iacr.org/2018/053.
Prout, A, Arcand W, Bestor D, Bergeron B, Byun C, Gadepally V, Houle M, Hubbell M, Jones M, Klein A, Michaleas P, Milechin L, Mullen J, Rosa A, Samsi S, Yee C, Reuther A, Kepner J (2018) Measuring the impact of spectre and meltdown In: 2018 IEEE High Performance Extreme Computing Conference, HPEC 2018, Waltham, MA, USA, September 2527, 2018, 1–5. https://doi.org/10.1109/HPEC.2018.8547554.
Quisquater, J, Samyde D (2001) Electromagnetic analysis (EMA): measures and countermeasures for smart cards. In: Attali I Jensen T (eds)Smart Card Programming and Security. Esmart 2001. Lecture Notes in Computer Science, vol 2140.. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3540454187_17.
Rivain, M (2008) On the exact success rate of side channel analysis in the gaussian model In: Selected Areas in Cryptography, 15th International Workshop, SAC 2008, Sackville, New Brunswick, Canada, August 1415, Revised Selected Papers, 165–183. https://doi.org/10.1007/9783642041594_11.
Rivain, M, Prouff E (2010) Provably secure higherorder masking of AES. In: Mangard S Standaert FX (eds)Cryptographic Hardware and Embedded Systems, CHES 2010. CHES 2010. Lecture Notes in Computer Science, vol 6225.. Springer, Berlin, Heidelberg. https://doi.org/10.1007/9783642150319_28.
Rivain, M, Prouff E, Doget J (2009) Higherorder masking and shuffling for software implementations of block ciphers. In: Clavier C Gaj K (eds)Cryptographic Hardware and Embedded Systems  CHES 2009. CHES 2009. Lecture Notes in Computer Science, vol 5747.. Springer, Berlin, Heidelberg. https://doi.org/10.1007/9783642041389_13.
Schneider, PH, Krishnamoorthy S (1996) Effects of correlations on accuracy of power analysis  an experimental study In: Proceedings of the 1996 International Symposium on Low Power Electronics and Design, 1996, Monterey, California, USA, August 1214, 1996, 113–116. https://doi.org/10.1109/LPE.1996.547490.
Schramm, K, Paar C (2006) Higher order masking of the AES. In: Pointcheval D (ed)Topics in Cryptology  CTRSA 2006. CTRSA 2006. Lecture Notes in Computer Science, vol 3860.. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11605805_14.
Veshchikov, N, Guilley S (2017) Implementation flaws in the masking scheme of DPA contest v4. IET Inf Secur 11(6):356–362. https://doi.org/10.1049/ietifs.2016.0475.
Acknowledgments
The authors would like to thank the Xinkuan Qiu for his valuable comments.
Funding
This work is supported in part by National Natural Science Foundation of China (No.61632020, No.U1936209 and No.62002353) and Beijing Natural Science Foundation (No.4192067).
Author information
Affiliations
Contributions
Authors’ contributions
JM and YZ proposed the firstorder AES masking scheme, and drafted the manuscript. HL participated in problem discussions and improvements of the manuscript. QZ implemented and benchmarked the proposed scheme in FPGA devices. All authors read and approved the final manuscript.
Authors’ information
All authors (Email: mingjingdian, zhouyongbin, lihuizhong, zhangqian@iie.ac.cn) are with State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China, and School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China. Yongbin Zhou is the corresponding author of this paper.
Corresponding author
Ethics declarations
Competing interests
The authors declare that they have no competing interests.
Additional information
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Ming, J., Zhou, Y., Li, H. et al. A secure and highly efficient firstorder masking scheme for AES linear operations. Cybersecur 4, 14 (2021). https://doi.org/10.1186/s4240002100082w
Received:
Accepted:
Published:
Keywords
 SideChannel Attacks (SCAs)
 Masking scheme
 Advanced Encryption Standard (AES)
 Linear operations