Lightweight Conversion from Arithmetic to Boolean Masking for Embedded IoT Processor

Abstract

A masking method is a widely known countermeasure against side-channel attacks. To apply a masking method to cryptosystems consisting of Boolean and arithmetic operations, such as ARX (Addition, Rotation, XOR) block ciphers, a masking conversion algorithm should be used. Masking conversion algorithms can be classified into two categories: Boolean to Arithmetic (B2A) and Arithmetic to Boolean (A2B). The A2B algorithm generally requires more execution time than the B2A algorithm. Using pre-computation tables, the A2B algorithm substantially reduces its execution time, although it requires additional space in RAM. In CHES2012, B. Debraize proposed a conversion algorithm that somewhat reduced the memory cost of using pre-computation tables. However, they still require (2(k+1)) entries of length (k+1)-bit where k denotes the size of the processed data. In this paper, we propose a low-memory algorithm to convert A2B masking that requires only (2k)(k)-bit. Our contributions are three-fold. First, we specifically show how to reduce the pre-computation table from (k+1)-bit to (k)-bit, as a result, the memory use for the pre-computation table is reduced from (2(k+1))(k+1)-bit to (2k)(k)-bit. Second, we optimize the execution times of the pre-computation phase and the conversion phase, and determine that our pre-computation algorithm requires approximately half of the operations than Debraize's algorithm. The results of the 8/16/32-bit simulation show improved speed in the pre-computation phase and the conversion phase as compared to Debraize's results. Finally, we verify the security of the algorithm against side-channel attacks as well as the soundness of the proposed algorithm.