Analysis of Software Implemented Low Entropy Masking Schemes



Introduction
First introduced by Kocher [1], side channel attacks (SCA) can be used to evaluate the implementation security of cryptographic ciphers by analyzing timing, electromagnetic radiation, power consumption, and so on [2][3][4][5][6].
To resist SCA, several valid countermeasures have been proposed [7][8][9][10]. Among those countermeasures, masking schemes are the most popular and widely applied. The main idea of masking schemes is to make the side channel information independent of the sensitive data by randomizing the intermediate values. In a general first-order masking scheme, any sensitive intermediate variable denoted by  will be split into two shares so that  =  0 ⊕  1 , where the randomly drawn variable  0 is called the mask. All the computations of the cryptographic algorithm are performed on the shared values independently. At the same time, it must remain possible to recover the sensitive data by recombining the two shares. For this purpose, every computation function  of the cryptographic algorithm should be designed to satisfy () =   0 ⊕    1 , where   0 and    1 are the new shares after the operation . If  is a linear operation with respect to XOR, then   0 = ( 0 ) and   1 = ( 1 ). When  is the substitution box (S-Box), some adjustment is necessary to make up for its nonlinear property. The adjusted S-Box function changes along with the value of the mask, which makes it hard to compute analytically without cancelling the mask and exposing the sensitive intermediate value. Therefore, precomputing and caching the required masked S-Boxes is more practical and efficient. However, if the mask is drawn randomly from all 2  possible masks, too much memory is required to keep all the possible masked S-Boxes. To offer a reasonable solution that balances the security protection and the performance of implementations, Low Entropy Masking Schemes (LEMS) [10,11] are designed by limiting the amount of mask entropy.
LEMS use masks drawn from a limited mask set M = { 1 ,  2 , . . .,   } ⊂ F  2 whose mask entropy is log 2 (). The security of LEMS implementations should be guaranteed in two aspects. In the architecture aspect, cryptographic algorithms should be carefully implemented to avoid first-order leakage [12]. Countermeasure techniques such as shuffling [13] can also be combined with LEMS to help defeat certain bivariate and higher order attacks [14][15][16][17]. The other aspect is the chosen mask set, which plays a significant role in security. Some research has studied how to select mask sets for hardware implemented LEMS [11,18]. That selection criterion aims at finding secure mask sets under two important assumptions [19]. The first one is that the attackers can only exploit the leakage of the masked value  ⊕ . The second one is that the deterministic part of the leakage function  ⊕ is linear in the bits of the masked variable  ⊕ , as the Hamming weight function is. Under those two conditions, the main goal of selecting mask sets for LEMS is to find balanced mask sets resistant to high order univariate CPA (following the definition of [20], an attack combining  different time instances is called a -variate attack, and a  th order attack is one using  th order statistical moments). Therefore, making E(( ⊕ )  | ) independent of the intermediate  is the selection criterion of the mask sets for the designer of hardware countermeasures. However, we find that this is not enough for software implemented LEMS. The absolute difference | ⊕ −    ⊕  | may be unbalanced with respect to the intermediate pair (,   ), which allows attackers to get information about (,   ) when only the leakages corresponding to the masked values are available.
Our Contributions. In this paper, we study the unbalance in terms of the absolute difference on software Low Entropy Masking Schemes (LEMS) implementations and propose a selection criterion for their mask sets.
(i) We find that the mask sets selected according to the selection criteria in [11,18] have vulnerabilities based on absolute difference measurements on software LEMS. Such vulnerabilities make software LEMS implementations insecure when the leakages corresponding to the masked values can be exploited.
(ii) To fix the vulnerabilities and make software LEMS implementations resistant to high order univariate attacks, we further extend the selection criterion of balanced mask sets. Moreover, we prove that perfectly balanced mask sets should not be linear and that their cardinalities should satisfy certain conditions.
(iii) When some feasible mask sets have already been picked out by searching algorithms like those in [11], our selection criterion can be a reference factor to help decide on a more secure one among them.
Organization.The rest of the paper is organized as follows.
In Section 2, we introduce the notations and some related background knowledge. Section 3 presents vulnerabilities that make software LEMS insecure. Section 4 proves the necessary conditions that balanced mask sets should satisfy and discusses the selection methods of mask sets. Finally, Section 5 concludes the paper.

Preliminaries
In this paper, sets are denoted with calligraphic letters (e.g., M). We use capital letters (e.g., ) and lowercase ones (e.g., ) for random variables and their realizations, respectively. Throughout the paper,  and   are independent and uniformly distributed random variables representing intermediates.  and   are two independent random variables drawn from the uniform distribution on the mask set M.
Let   be the value of the leakage measurement corresponding to the intermediate value ,  ∈ F  2 . To match realistic leakage functions in practice, the widely applied Hamming weight leakage model is used during the choice of the mask sets in this paper. Thus, in software environments,   = HW[] + , where  is an unknown constant and  is Gaussian distributed (N(0,  2 )) noise. In hardware environments,   = HW[] (to describe the theories in [11,18] more clearly, we use the same noiseless model here). We further denote the absolute difference of two measurements corresponding to the values  1 and  2 by
Mean and variance are denoted by E and Var, respectively. Let  1 and  2 be two independent random variables and  be a certain function.  1 is randomly drawn from X.
The variance among those conditional expectations is
which can measure the dispersion degree of E(( 1 ,  2 ) |  1 ). Obviously, when Var(E(( 1 ,  2 ) |  1 )) = 0, the specific value of  1 cannot be recognized from E(( 1 ,  2 ) |  1 ). This property was mainly applied by some works [11,18] studying the selection criterion of mask sets for hardware LEMS. Their theories are as follows.

Vulnerabilities on Software LEMS
As stated in Section 2, the selection of the mask sets for hardware LEMS considers the balance between the intermediate values  and the leakage measurements  ⊕ to avoid leaking information about . Nonetheless, the unbalance of the absolute difference measurements | ⊕ −    ⊕  | may leak information about the intermediate pair (,   ) in software LEMS. In this section, we will study
( represents the order with respect to the absolute difference; indeed, the absolute difference itself is not first order according to Taylor expansion [22]; hence, the order with respect to the original leakage measurement is higher than ). The proofs will show that E (2)  (,  ) is independent of (,   ) if the mask set satisfies the hardware selection criterion:
And it is uncertain for E (1)  (,  ) . An unbalanced E (1)  (,  ) leads to an unbalanced variance and coefficient of variation (the coefficient of variation is the ratio of the standard deviation to the mean), which can also help identify the intermediate pair (,   ) in attacks. The results of experiments show that the unbalance of E (1)  (,  ) makes the implementations insecure. Those vulnerabilities are properties of the mask sets and cannot be fixed by the architecture of a specific implementation, such as shuffling. So finding mask sets that are balanced in terms of the absolute difference is necessary for software LEMS, which will be discussed in the next section.
The results of the experiments in Appendix B verify that the vulnerabilities we highlighted can really threaten the security of software LEMS implementations. To make software LEMS implementations resistant to high order univariate attacks (CPA and also attacks based on the vulnerabilities above), implementation-level measures like shuffling are not enough, and selecting mask sets that are balanced in terms of the absolute difference is necessary.
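As an added illustration (not code from the paper), the following Python evaluates both criteria exactly on small constructed 4-bit mask sets under the Hamming weight model: the hardware criterion of Section 2, Var over z of E[HW(z ⊕ M)^d], and the absolute difference quantities E^(1) and E^(2) of this section, taken over all intermediate pairs (z, z') with M and M' drawn independently. The even-weight code and the complementary pair {0x0, 0xF} are constructed here for illustration and are not mask sets from the paper.

```python
from fractions import Fraction
from itertools import product


def hw(x: int) -> int:
    """Hamming weight: the leakage model assumed for the mask set selection."""
    return bin(x).count("1")


def variance(values):
    """Population variance, computed exactly with Fractions (no float noise)."""
    mu = Fraction(sum(values), len(values))
    return sum((v - mu) ** 2 for v in values) / len(values)


def moment_variance(masks, n, d):
    """Var_z E[HW(z xor M)^d]: the hardware criterion of [11,18] at order d."""
    cond = [Fraction(sum(hw(z ^ m) ** d for m in masks), len(masks))
            for z in range(1 << n)]
    return variance(cond)


def balanced_order(masks, n):
    """Largest d <= n such that every moment up to order d is balanced."""
    d = 0
    while d < n and moment_variance(masks, n, d + 1) == 0:
        d += 1
    return d


def absdiff_variance(masks, n, p=1):
    """Var_(z,z') E[|HW(z xor M) - HW(z' xor M')|^p], M and M' independent.
    p=1 is the paper's E^(1) quantity, p=2 its E^(2) quantity."""
    cond = []
    for z, zp in product(range(1 << n), repeat=2):
        total = sum(abs(hw(z ^ m) - hw(zp ^ mp)) ** p
                    for m, mp in product(masks, repeat=2))
        cond.append(Fraction(total, len(masks) ** 2))
    return variance(cond)


# Constructed 4-bit mask sets for illustration (not sets from the paper).
EVEN_WEIGHT = [m for m in range(16) if hw(m) % 2 == 0]  # linear code, 8 masks
COMPLEMENT = [0x0, 0xF]                                   # linear, 2 masks

if __name__ == "__main__":
    for name, masks in (("even-weight code", EVEN_WEIGHT), ("{0,F}", COMPLEMENT)):
        print(name, "balanced to order", balanced_order(masks, 4),
              "| Var E^(1) =", absdiff_variance(masks, 4, 1),
              "| Var E^(2) =", absdiff_variance(masks, 4, 2))
```

The even-weight code is balanced up to order 3, so the variance of E^(2) is 0 exactly as the proofs predict, while the variance of E^(1) is 27/1024: a linear set with |M| = 8 = 2^(⌊4/2⌋+1) that still distinguishes pairs (z, z') through the absolute difference. The pair {0x0, 0xF} is only first-order balanced, so both E^(1) and E^(2) are unbalanced for it.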

Selection of Balanced Mask Sets
In this section, we will modify the selection criterion to find balanced mask sets. The proofs give two conditions that balanced mask sets should satisfy, which considerably narrow down the search for the mask sets.
We have the following.

Lemma 1. E(|HW[𝑍⊕𝑀]−HW[𝑍
W 0 = 0, obviously. For  ∈ N, we can deduce that
The second equality uses
We will use mathematical induction to prove
The second equality is based on ( +1  ) = (   ) + (  −1 ). The fourth one follows from W 2+1 = W 2+2 , and the fifth one uses
The situation when  is even can be proved similarly.
If E M = (2 − 1)!!/2  ( − 1)!, we can deduce
Theorem 2 indicates that the search should be among mask sets satisfying |M| = 2 ⌊/2⌋+1 ,  ∈ N, to find the perfectly balanced mask set with  = 0. However, in consideration of the effect of the noise,  = 0 may not be necessary. According to Theorem 3 and the results in Appendix B, linear mask sets are more vulnerable because of their linear property. Hence, one can first use searching algorithms like those in [11] to get some nonlinear mask sets and then use our selection criterion as a reference factor to select the one with the smaller .

Conclusion
In this paper, we analyzed the vulnerabilities in the mask sets of software Low Entropy Masking Schemes implementations. We found that satisfying the conditions in [11,18] is not enough for mask sets used in software LEMS implementations. The experiments verified that such vulnerabilities indeed make software LEMS implementations insecure. To fix the vulnerabilities, we further gave a selection criterion. Moreover, two theorems were proved, and our selection criterion can be a reference factor when selecting among the mask sets picked out by searching algorithms like those in [11].
For future work, there remain two research directions. The first direction is to prove the existence of such perfectly balanced mask sets. The second one is designing more feasible search algorithms and giving mask value selection rules based on those conditions.
Figure 2:  V ,  cv , and  (1)   over (a) time samples using 1000 traces and (b) the number of traces at the peak location.
about 6000 traces because of the lower SNR. We omit similar figures here.