Security and Communication Networks

Volume 2018, Article ID 7206835, 8 pages

https://doi.org/10.1155/2018/7206835

## Analysis of Software Implemented Low Entropy Masking Schemes

Correspondence should be addressed to Jiazhe Chen; moc.liamg@nehcehzaij and Xiaoyun Wang; nc.ude.auhgnist.liam@gnawnuyoaix

Received 31 October 2017; Accepted 16 January 2018; Published 26 March 2018

Academic Editor: Emanuele Maiorana

Copyright © 2018 Dan Li et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

Low Entropy Masking Schemes (LEMS) are countermeasure techniques that mitigate the high performance overhead of masked hardware and software implementations of symmetric block ciphers by reducing the entropy of the mask sets. The security of LEMS depends on the choice of the mask sets. Previous research mainly focused on searching balanced mask sets for hardware implementations. In this paper, we find that those balanced mask sets may have vulnerabilities in terms of absolute difference when applied in software implemented LEMS. The experiments verify that such vulnerabilities indeed make software LEMS implementations insecure. To fix the vulnerabilities, we present a selection criterion for choosing the mask sets. When some feasible mask sets are already picked out by certain searching algorithms, our selection criterion can be a reference factor to help decide on a more secure one for software LEMS.

#### 1. Introduction

First introduced by Kocher [1], side channel attacks (SCA) can be used to evaluate the implementation security of cryptographic ciphers by analyzing the time, the electromagnetic radiation, the power consumption, and so on [2–6].

To resist SCA, several valid countermeasures have been proposed [7–10]. Among those countermeasures, masking schemes are the most popular and widely applied. The main idea of masking schemes is to make the side channel information independent of the sensitive data by randomizing the intermediate values. In a general first-order masking scheme, any sensitive intermediate variable denoted by will be split into two shares so that , where the randomly drawn variable is called the mask. All the computations of the cryptographic algorithm are performed on the shared values independently. At the same time, it must be possible to recover the sensitive data by recombining the two shares. For this purpose, every operation of the cryptographic algorithm should be designed to satisfy , where and are the new shares after the operation . If is a linear operation with respect to XOR, then and . When is the substitution box (S-Box), some adjustment is necessary to make up for its nonlinear property. The adjusted S-Box function changes along with the value of the mask, which makes it hard to compute analytically without unmasking the sensitive intermediate value. Therefore, precomputing and caching the required masked S-Boxes is more practical and efficient. However, if the mask is drawn randomly from possible masks, too much memory is required to keep all the possible masked S-Boxes. To offer a reasonable solution that balances the security protection and the performance of implementations, Low Entropy Masking Schemes (LEMS) [10, 11] are designed by limiting the amount of mask entropy.

LEMS use masks drawn from the limited mask set whose mask entropy is . The security of LEMS implementations should be guaranteed in two aspects. In the architecture aspect, cryptographic algorithms should be carefully implemented to avoid first-order leakage [12]. Some countermeasure techniques such as shuffling [13] can also be combined to help defeat certain bivariate and higher order attacks [14–17]. The other aspect is the chosen mask set, which plays a significant role in security. Previous research studied how to select mask sets for hardware implemented LEMS [11, 18]; the selection criterion there seeks secure mask sets under two important assumptions [19]. The first one is that the attackers can only exploit the leakage of the masked value . The second one is that the deterministic part of the leakage function is linear in the bits of the masked variable , such as the Hamming weight function. Under those two conditions, the main goal of selecting mask sets for LEMS is to find balanced mask sets resistant to high order univariate CPA (following the definition of [20], an attack combining different time instances is called a -variate attack, and a th-order attack is one that uses th-order statistical moments). Therefore, making independent of the intermediate is the selection criterion of the mask sets for the designer of the hardware countermeasures. However, we find that it is not enough for software implemented LEMS. The absolute difference may introduce an unbalance with respect to the intermediate pair , which allows attackers to obtain information about when only the leakages corresponding to the masked values are available.

*Our Contributions*. In this paper, we study the unbalance in terms of absolute difference on software Low Entropy Masking Schemes (LEMS) implementations and derive a selection criterion for their mask sets.

(i) We find that the mask sets selected according to the selection criteria in [11, 18] have vulnerabilities based on absolute difference measurements on software LEMS. Such vulnerabilities make software LEMS implementations insecure when the leakages corresponding to the masked values can be exploited.

(ii) To fix the vulnerabilities and make software LEMS implementations resistant to high order univariate attacks, we further extend the selection criterion of balanced mask sets. Moreover, we prove that perfectly balanced mask sets should not be linear and that their cardinalities should satisfy certain conditions.

(iii) When some feasible mask sets are already picked out by searching algorithms like those in [11], our selection criterion can be a reference factor to help decide on a more secure one among them.

*Organization*. The rest of the paper is organized as follows. In Section 2, we introduce the notations and some related background knowledge. Section 3 presents vulnerabilities that make the software LEMS insecure. Section 4 proves the necessary conditions that the balanced mask sets should satisfy and discusses the selection methods of mask sets. Finally, Section 5 concludes the paper.

#### 2. Preliminaries

In this paper, sets are denoted with calligraphic letters (e.g., ). We use capital letters (e.g., ) and lowercase ones (e.g., ) for random variables and their realizations, respectively. Throughout the paper, and are independent and uniformly distributed random variables representing intermediates. and are two independent random variables drawn from the uniform distribution in the mask set .

Let be the value of the leakage measurement corresponding to the intermediate value , . To match realistic leakage functions in practice, the widely applied Hamming weight leakage model is used when choosing the mask sets in this paper. Thus, in software environments, , where is an unknown constant and is Gaussian distributed (, ) noise. In hardware environments, (to describe the theories in [11, 18] more clearly, we use the same noise-free model here). We further denote the absolute difference of the two measurements corresponding to the values and by .

Mean and variance are denoted by and , respectively. Let and be two independent random variables and be a certain function. is randomly drawn from . is the conditional expectation when . The variance among those conditional expectations is , which measures the dispersion degree of . Obviously, when , the specific value of cannot be recognized from . This property was mainly applied by works [11, 18] studying the selection criterion of mask sets for hardware LEMS. Their theories are as follows.

To defeat high order univariate CPA, the value of the intermediate should be independent of the statistics of . Usually, those statistics are the th moments denoted by . Hence, is the selection criterion. The mask set is said to resist univariate th-order attacks if , , .

The work in [11] proved that only 12 mask values are sufficient for when , (). The work in [18] further studied linear code mask sets for different and . For example, the linear code mask set can reach the standard of with 16 mask values when (like the one used in DPA Contest v4). The linear mask set has the property that , , [21]. We will discuss and use this property in the following sections.

#### 3. Vulnerabilities on Software LEMS

As stated in Section 2, the selection of the mask sets for hardware LEMS considers the balance between the intermediate values and the leakage measurements to avoid leaking the information of . Nonetheless, the unbalance of absolute difference measurements may leak the information of the intermediate pair in software LEMS. In this section, we study ( represents the order with respect to the absolute difference; the absolute difference itself is not first order according to the Taylor expansion [22], so the order with respect to the original leakage measurement is higher than ), . The proofs will show that is independent of if the mask set satisfies the hardware selection criterion: , . For it is uncertain. The unbalanced leads to an unbalanced variance and coefficient of variation (the coefficient of variation is the ratio of the standard deviation to the mean), which can also help identify the intermediate pair in attacks. Our experiments show that the unbalance of makes the implementations insecure. These vulnerabilities are properties of the mask sets and cannot be fixed by the architecture of a specific implementation, for example by shuffling. Finding mask sets that are balanced in terms of absolute difference is therefore necessary for software LEMS, which will be discussed in the next section.

Since and according to Appendix A, we deduce that

Obviously, for the mask set which satisfies the hardware selection criterion (, ), is independent of .

is associated with the noise. For a certain value , the value of converges from to with . Hence, we can evaluate the unbalance of for a certain mask set with . We take the mask set mentioned in Section 2 as an example and plot the values of for the intermediate pairs in Figure 1, which shows that has vulnerabilities in terms of the absolute difference. Univariate attacks exploiting these vulnerabilities can be performed on one S-Box.
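The following Python, an added example that is not code from the paper, checks the two balance notions the paper contrasts on a constructed mask set: the hardware selection criterion of Section 2 (moments of the masked Hamming weight independent of the intermediate) and the absolute-difference balance across intermediate pairs discussed in this section. It assumes 4-bit intermediates, a noise-free Hamming weight leakage, raw moments, and the 4-bit even-parity code as the mask set; none of these are the paper's parameters.

```python
"""Added example (not the paper's code): check a LEMS mask set for the hardware
balance criterion (moments of HW(x ^ m) independent of x) and for the software
absolute-difference balance across intermediate pairs (x1, x2). Constructed
toy: 4-bit intermediates, noise-free Hamming-weight leakage, raw moments."""
from itertools import product
from statistics import mean, pvariance

N_BITS = 4
VALUES = range(1 << N_BITS)
# Constructed mask set: the 4-bit even-parity code, a linear code (same family
# as the linear-code mask sets the paper discusses, not the DPA Contest v4 set).
EVEN_CODE = [m for m in VALUES if bin(m).count("1") % 2 == 0]

def hw(v):
    return bin(v).count("1")

def dispersion(cond_means):
    """Variance among conditional expectations; 0 means balanced."""
    return pvariance(list(cond_means))

def hw_criterion_dispersion(mask_set, d):
    """Var over x of E[HW(x ^ M)^d]: the hardware selection criterion at order d."""
    return dispersion(mean(hw(x ^ m) ** d for m in mask_set) for x in VALUES)

def max_balanced_order(mask_set, max_d=6):
    """Highest d such that orders 1..d all have zero dispersion."""
    best = 0
    for d in range(1, max_d + 1):
        if hw_criterion_dispersion(mask_set, d) > 1e-12:
            break
        best = d
    return best

def absdiff_cond_mean(mask_set, x1, x2, d=1):
    """E[|HW(x1 ^ M1) - HW(x2 ^ M2)|^d] with M1, M2 independent in mask_set."""
    return mean(abs(hw(x1 ^ m1) - hw(x2 ^ m2)) ** d
                for m1, m2 in product(mask_set, repeat=2))

def absdiff_dispersion(mask_set, d=1):
    """Var over all pairs (x1, x2) of the conditional mean above."""
    return dispersion(absdiff_cond_mean(mask_set, x1, x2, d)
                      for x1, x2 in product(VALUES, repeat=2))

if __name__ == "__main__":
    print("hardware criterion holds up to order", max_balanced_order(EVEN_CODE))
    print("absolute-difference dispersion", absdiff_dispersion(EVEN_CODE))
```

On this toy set the hardware criterion holds up to order 3 while the conditional mean of the absolute difference still varies with the pair (0.875, 1.0 or 1.25 depending on which cosets the two intermediates fall in), which is the kind of unbalance the paper reports; the full 16-mask set shows zero dispersion for both checks.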