#### Abstract

Low Entropy Masking Schemes (LEMS) are countermeasure techniques to mitigate the high performance overhead of masked hardware and software implementations of symmetric block ciphers by reducing the entropy of the mask sets. The security of LEMS depends on the choice of the mask sets. Previous research mainly focused on searching balanced mask sets for hardware implementations. In this paper, we find that those balanced mask sets may have vulnerabilities in terms of absolute difference when applied in software implemented LEMS. The experiments verify that such vulnerabilities certainly make the software LEMS implementations insecure. To fix the vulnerabilities, we present a selection criterion to choose the mask sets. When some feasible mask sets are already picked out by certain searching algorithms, our selection criterion could be a reference factor to help decide on a more secure one for software LEMS.

#### 1. Introduction

First introduced by Kocher [1], side channel attacks (SCA) can be used to evaluate the implementation security of cryptographic ciphers by analyzing the time, the electromagnetic radiation, the power consumption, and so on [2–6].

To resist SCA, several valid countermeasures have been proposed [7–10]. Among those countermeasures, masking schemes are most popular and widely applied. The main idea of masking schemes is to make the side channel information independent of the sensitive data by randomizing the intermediate values. In general first-order masking scheme, any sensitive intermediate variable denoted by will be split into two shares so that , where the randomly drawn variable is called the mask. All the computations of the cryptographic algorithm are performed on the shared values independently. At the same time, the sensitive data must be recovered by recombining the two shares. For this purpose, every computation function of cryptographic algorithms should be designed to satisfy , where and are the new shares after the operation . If is a linear operation with respect to XOR, then and . When is the substitution box (S-Box), some adjustment is necessary to make up for its nonlinear property. The adjusted S-Box function changes along with the value of the mask, which makes it hard to compute canceling the sensitive intermediate value analytically. Therefore, precomputing and caching the required masked S-Boxes are more relevant and efficient. However, if the mask is drawn randomly from possible masks, too much memory is required to keep all the possible masked S-Boxes. To offer a reasonable solution to balance the security protection and the performance of implementations, Low Entropy Masking Schemes (LEMS) [10, 11] are designed by limiting the amount of mask entropy.

LEMS use the masks drawn from the limited mask set whose mask entropy is . The security of LEMS implementations should be guaranteed in two aspects. In the architecture aspect, cryptographic algorithms should carefully be implemented to avoid first-order leakage [12]. Some countermeasure techniques such as shuffling [13] can also be combined to help defeat certain bivariate and higher order attacks [14–17]. Another aspect is the chosen mask set which plays significant roles in security. Some research studied how to select them for hardware implemented LEMS [11, 18]. The selection criterion of the mask sets considered finding secure mask sets under two important assumptions [19]. The first one is that the attackers could only exploit the leakage of the masked value . The second one is that the deterministic part of the leakage function is linear in the bits of masked variable , such as Hamming weight function. Under those two conditions, the main goal of selecting mask sets for LEMS is to find balanced mask sets resistant to high order univariate CPA (following the definition of [20], the attack combining different time instances is called -variate attack and the order attack is the one with order statistical moments). Therefore, making independent of intermediate is the selection criterion of the mask sets for the designer of the hardware countermeasures. However, we find it is not enough for software implemented LEMS. The absolute difference may bring the unbalance to the intermediate pair , which allows attackers to get the information of when only the leakages corresponding to the masked values are available.

*Our Contributions*. In this paper, we study the unbalance in terms of absolute difference on software Low Entropy Masking Schemes (LEMS) implementations and make selection criterion for their mask sets.(i)We find that the mask sets selected according to selection criteria in [11, 18] have the vulnerabilities based on the absolute difference measurements on software LEMS. Such vulnerabilities make the software LEMS implementations insecure when the leakages corresponding to the masked values could be exploited.(ii)To fix the vulnerabilities and make software LEMS implementations resistant to high order univariate attacks, we further extend the selection criterion of balanced mask sets. Moreover, we prove the perfect balanced mask sets should not be linear, and their cardinalities should satisfy certain conditions.(iii)When some feasible mask sets are already picked out by searching algorithms like those in [11], our selection criterion could be a reference factor to help decide on a more secure one from them.

*Organization*. The rest of the paper is organized as follows. In Section 2, we introduce the notations and some related background knowledge. Section 3 presents vulnerabilities that make the software LEMS insecure. Section 4 proves the necessary conditions that the balanced mask sets should satisfy and discusses the selection methods of mask sets. Finally, Section 5 concludes the paper.

#### 2. Preliminaries

In this paper, sets are denoted with calligraphic letters (e.g., ). We use capital letters (e.g., ) and lowercase ones (e.g., ) for random variables and their realizations, respectively. Throughout the paper, and are independent and uniformly distributed random variables representing intermediates. and are two independent random variables drawn from the uniform distribution in the mask set .

Let be the value of leakage measurements corresponding to the intermediate value , . To match with realistic leakage functions in practice, the widely applied Hamming weight leakage model is used during the choice of the mask sets in this paper. Thus, in software environments, , where is an unknown constant and is the Gaussian distributed (, ) noise. In hardware environments, (to describe the theories in [11, 18] more clearly, we use the same no noise model here). We further denote the absolute difference of two measurements corresponding to the values and by .

Mean and variance are denoted by and , respectively. Let and be two independent random variables and be a certain function. is randomly drawn from . is the conditional expectation when . The variance among those conditional expectations iswhich can measure the dispersion degree of . Obviously, when , the specific value of cannot be recognized according to . This property was mainly applied by some works [11, 18] studying the selection criterion of mask sets for hardware LEMS. Their theories are as follows.

To defeat high order univariate CPA, the value of intermediate should be independent of the statistic values of . Usually, those statistics indicate th moments denoted by . Hence, is the selection criterion. The mask set is said to resist univariate th-order attacks if , , .

The work in [11] proved that only 12 mask values are sufficient for when , (). The work in [18] further studied the linear code mask sets for different and . For example, in linear code mask set can reach the standard of with 16 mask values when (like used in DPA Contest v4). The linear mask set has the property that , , [21]. We will discuss and use the property in the following sections.

#### 3. Vulnerabilities on Software LEMS

As stated in Section 2, the selection of the mask sets for hardware LEMS considers the balance between the intermediate values and the leakage measurements to avoid leaking the information of . Nonetheless, the unbalance of absolute difference measurements may leak the information of intermediate pair in software LEMS. In this section, we will study ( represents the order with respect to the absolute difference; indeed, the absolute difference itself is not first order according to Taylor expansion [22]; hence, the order with respect to the original leakage measurement here is higher than ) , . The proofs will show that is independent of if the mask set satisfies the hardware selection criterion: , . And it is uncertain for . The unbalanced leads to the unbalanced variance and coefficient of variation (coefficient of variation is the ratio of standard deviation to mean), which can also help identify the intermediate pair in attacks. The results of experiments show that the unbalance of makes the implementations insecure. Those vulnerabilities are the properties of mask sets and cannot be fixed by the architectures of specific implementations like shuffling. So finding the balanced mask sets in terms of absolute difference is necessary for software LEMS, which will be discussed in the next section.

As , and according to Appendix A. We deduce that

Obviously, for the mask set which satisfies the hardware selection criterion (, ), is independent of .

is associated with the noise. For certain value , the value of converges from to along with . Hence, we can evaluate the unbalance of for a certain mask set with . We take the mask set mentioned in Section 2 as an example and draw values of for intermediate pairs in Figure 1 which shows that has vulnerabilities in terms of the absolute difference. Univariate attacks using these vulnerabilities can be performed on one S-Box.

The results of experiments in Appendix B verify that such vulnerabilities we highlighted can really threaten the security of software LEMS implementations. To make software LEMS implementations resistant to high order univariate attacks (CPA and also attacks based on the vulnerabilities above), specific implementations like shuffling are not enough and selecting the balanced mask sets in terms of the absolute difference is necessary.

#### 4. Selection of Balanced Mask Sets

In this section, we will modify the selection criterion to find the balanced mask sets. The proofs give two conditions that the balanced mask sets should satisfy, which considerably narrow down the search for the mask sets.

The selection of the mask sets should first satisfy the criteria for hardware selections: at least for . In such a condition, is balanced as analyzed in Section 3. Hence, if , , and will also be balanced. According to (4), can further be denoted by . We can deduce that

will converge from 0 to when for any fixed value .

The value of is an intrinsic property of the mask set. Thus, is the selection criterion. In this case, will be balanced for any . Aiming at the selection criterion, we can deduce the following conclusions to help select mask sets.

indicates is a constant, the value of which is . We have the following.

Lemma 1. *.*

*Proof. *Let . , obviously. For , we can deduce that The second equality uses .

The third one is according to and .

Similarly, . Hence We will use mathematical induction to prove .

When , .

Suppose . If is odd, we haveThe second equality is based on . The fourth one follows , and the fifth one uses .

The situation when is even can be proved similarly.

Thus, .

As stated above, for any pair and the means of their combinations such as should be equal to the constant value . We can prove two necessary conditions for balanced mask set by analyzing .

Theorem 2. *One necessary condition for is , .*

*Proof. *We deduce that Let , where As , , , is even. Let , . As , . If , we can deduce The reason of the second arrow is as follows: Recall in Lemma 1. , . In other words, , . and is odd. Therefore, must be divisible by .

Hence, , .

Theorem 3. *, if is a linear mask set, .*

*Proof. *If is linear, , . Let . Obviously, , . And (16) will further be where . is defined by (17).

If , we can deduce which contradicts . Thus, , which indicates .

Theorem 2 indicates that the search should be among mask sets satisfying , , to find the perfect balanced mask set with . However, in consideration of the effect of the noise, could not be necessary. According to Theorem 3 and the results in Appendix B, the linear mask sets will be more vulnerable because of their linear property. Hence, one can first use the searching algorithms like those in [11] to get some nonlinear mask sets and use our selection criterion as a reference factor to select the one with smaller .

#### 5. Conclusion

In this paper, we analyzed the vulnerabilities on the mask sets of software Low Entropy Masking Schemes implementations. We found that satisfying the conditions in [11, 18] was not enough for mask sets used in software LEMS implementations. The experiments verified that such vulnerabilities certainly made the software LEMS implementations insecure. To fix the vulnerabilities, we further gave a selection criterion. Moreover, two theorems were proved, and our selection criterion could be a reference factor when selecting the mask sets picked out by searching algorithms like those in [11].

For future work, there remain two research directions. The first direction is the proof of the existence of such perfect balanced mask sets. The second one is designing more feasible search algorithms and giving the masking values selection rules based on those conditions.

#### Appendix

#### A. The Proof of

, where random variable . We can deduce that

Here where can be checked on the normal distribution table.

Therefore, using (A.3) and (A.4)

#### B. Results of Experiments

We take a typical linear code mask set mentioned in Section 2 and its variant , which are, respectively, used in the RSM (Rotating S-Box Masking (RSM) [10] is a realization of LEMS.) implementations of DPA Contest v4 and DPA Contest v4.2 [15], as examples to analyze the security in different SNR environment in practice. The software implementation of AES-256 in DPAcv4 is protected by basic RSM countermeasure, and the traces are collected from an ATMega-163 smart card. Our attacks are performed on the leakage of the outputs of S-Boxes in first-round AES. As the implementation of AES-128 in DPAcv4.2 is protected by enhanced RSM countermeasure using shuffling techniques, we carry out the attacks on the leakage of the ShiftRow in the first round where the noise is bigger.

Aiming at the vulnerabilities of unbalanced , lots of distinguishers can be designed. Here, we will present examples combined with the linear property of the mask set : , , .

Such property results in the following: for any intermediate , is the same as that of [21]. The reason is, , , which means . Moreover, . Hence, . We further find the variants of the linear mask set , where is a constant also having the same properties. Gathering the intermediates with the same masked values together, is divided into several sets , (, if ).

Let be the set of all the measurements. represents the set of measurements whose corresponding plaintext satisfies , where is the function of sensitive intermediate. The distinguisher could bewhere is the estimated statistic value of absolute difference values between two measurements sets. When is wrong, the classification will be wrong and random, which makes the values of numerator and denominator approximate. When is the correct key, the value of numerator will differ from that of denominator (Theorem 3 in Section 4 will prove this). or .

can be , obviously. As is independent of and , , we can also use and as . We name those distinguishers for different statistics as , , and , respectively.

Using the traces in DPAcv4, we obtain 256 , , and curves and show the time samples around the output of one S-Box in Figure 2(a). The correct key’s and curves have apparent peaks with 1000 traces. Furthermore, we generate , , and curves over the number of traces at the peak time sample and show the results in Figure 2(b). The black and 255 grey curves represent the cases of the correct key and wrong key hypotheses, respectively. The results show that all those distinguishers can recover the key with enough traces.

**(a)**

**(b)**

We then do the second experiment using traces in DPAcv4.2 at the ShiftRow in the first round where the weaker information is leaked. The three distinguishers succeed with about 6000 traces because of the lower SNR. We omit similar figures here.

#### Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

#### Acknowledgments

This research was supported by National Key Research and Development Program of China (Grant no. 2017YFA0303903), National Natural Science Foundation of China (Grant nos. 61402536 and 61402252), Beijing Natural Science Foundation (Grant no. 4162053), National Cryptography Development Fund (Grant no. MMJJ20170201), and 973 Program (Grant no. 2013CB834205).