Masking for Enhanced Security: Unlocking the Power of Pre-Processing
Masking is a well-established countermeasure against side-channel attacks, a critical concern in the world of cryptography. By randomly encoding sensitive variables into multiple shares and operating on those shares instead of the original data, masking offers robust protection against various analysis techniques that could compromise the security of a system.
However, the implementation of masking comes with its own set of challenges. Notably, the software-based execution of masked operations often incurs significant performance overhead, slowing down cryptographic implementations and requiring a substantial amount of random bits from a true random number generator. Addressing these concerns is an essential and ongoing task for security researchers and IT professionals alike.
One promising approach in this domain is the Table-Based Masking (TBM) scheme, which stands out for its generality and the ability to leverage pre-processing techniques. The pre-processing paradigm allows for a computationally intensive initial phase to be executed independently of the inputs, followed by a highly efficient online phase that utilizes the precomputed tables to calculate the desired results.
In this article, we will delve into the intricacies of TBM, exploring a specific scheme that offers a compelling combination of linear complexity (in terms of the security order) during the online phase and compact precomputed tables. We will then apply this scheme to the AES-128 algorithm and provide an implementation on the ARM Cortex architecture, showcasing its practical advantages and addressing the challenges associated with random bit generation.
Understanding Table-Based Masking (TBM)
At the core of the TBM approach is the idea of precomputing lookup tables that can be leveraged during the online phase of a masked cryptographic implementation. This strategy aims to strike a balance between the security benefits of masking and the performance efficiency that is crucial for practical deployment, especially in resource-constrained environments like embedded systems.
The key elements of the TBM scheme are as follows:
- Generality: TBM is designed to be applicable to a wide range of lookup-table-based cryptographic operations, making it a versatile solution.
- Pre-processing: The TBM scheme involves a pre-processing phase that is executed independently of the inputs. This phase generates the necessary precomputed tables, which can then be efficiently utilized during the online phase.
- Linear Complexity: During the online phase, the TBM scheme exhibits a linear complexity in terms of the security order (denoted as d), which is a crucial factor in determining the overall performance impact of the masking countermeasure.
- Compact Tables: The precomputed tables generated in the TBM scheme are designed to be compact in size, minimizing the memory footprint and storage requirements.
By leveraging these characteristics, the TBM approach aims to provide a practical and efficient solution for implementing masked cryptographic operations, addressing the performance challenges often associated with traditional masking techniques.
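To make the offline/online split concrete, here is an added first-order (d = 1) illustration of table-based masking of the AES S-box, written for this article and not taken from the TBM paper or its implementation; it uses the classic masked-table recomputation rather than the higher-order scheme described above. The S-box is rebuilt from the field inverse and affine map so the example runs stand-alone.

```python
import secrets

def gf_mul(a, b):
    # Multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1.
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def rotl8(v, n):
    return ((v << n) | (v >> (8 - n))) & 0xFF

def aes_sbox():
    # AES S-box: multiplicative inverse (x^254, which maps 0 to 0) followed by the affine map.
    box = []
    for x in range(256):
        inv = 1
        for _ in range(254):
            inv = gf_mul(inv, x)
        box.append(inv ^ rotl8(inv, 1) ^ rotl8(inv, 2) ^ rotl8(inv, 3) ^ rotl8(inv, 4) ^ 0x63)
    return box

SBOX = aes_sbox()

def precompute_masked_table(r_in, r_out):
    # Offline phase: T'(x') = S(x' ^ r_in) ^ r_out. Depends only on the masks, never on the secret.
    return [SBOX[xm ^ r_in] ^ r_out for xm in range(256)]

def online_sbox(masked_table, x_masked):
    # Online phase: a single lookup on the masked input yields the masked output share.
    return masked_table[x_masked]

def masked_sbox(x, r_in=None, r_out=None):
    # One byte end to end. Masks must be fresh for every evaluation (16 random bits at d = 1),
    # which is exactly the random-bit cost the article discusses.
    r_in = secrets.randbelow(256) if r_in is None else r_in
    r_out = secrets.randbelow(256) if r_out is None else r_out
    table = precompute_masked_table(r_in, r_out)
    y_masked = online_sbox(table, x ^ r_in)
    return y_masked, r_out   # the two output shares; a real device never recombines them

def table_is_correct(r_in, r_out):
    # Verification only: unmasking every entry must recover the unprotected S-box.
    table = precompute_masked_table(r_in, r_out)
    return all(table[x ^ r_in] ^ r_out == SBOX[x] for x in range(256))
```

At higher orders the same idea applies with d input and d output masks, and the point of the scheme described in this article is to keep the online cost linear in d while the tables stay compact.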
Applying TBM to AES-128
To demonstrate the practical application of the TBM scheme, we have implemented it for the AES-128 algorithm, a widely used symmetric-key cipher. AES-128 is a prime target for side-channel attacks, making it an essential candidate for robust masking countermeasures.
The TBM Scheme for AES-128
The TBM scheme we have developed for AES-128 consists of the following key components:
- Pre-processing Phase: In this phase, we generate the necessary precomputed tables. These tables are built independently of the inputs, ensuring that the computationally intensive operations are performed upfront, without impacting the online phase.
- Online Phase: During the online phase, the precomputed tables are utilized to perform the masked AES-128 operations. This phase exhibits a linear complexity in terms of the security order d, ensuring efficient execution even at higher security levels.
- Compact Table Size: The precomputed tables in our TBM scheme for AES-128 are designed to be compact, minimizing the memory footprint and storage requirements. This is a crucial consideration for deployment on resource-constrained embedded systems.
Performance Evaluation on ARM Cortex
To assess the practical benefits of our TBM-based AES-128 implementation, we have conducted extensive testing on the ARM Cortex architecture, a widely used platform for embedded systems.
Our findings are as follows:
- Online Phase Efficiency: For a security order of d = 8, our TBM-based AES-128 implementation outperforms the current state-of-the-art AES implementations on ARM Cortex processors that are vulnerable to side-channel attacks. This demonstrates the performance advantages of the TBM scheme, even at higher security levels.
- Security Validation: We have proven the security of our TBM scheme theoretically and verified it through practical T-test evaluations, ensuring that the masking provides the expected resistance against differential power analysis attacks.
- Random Bit Generation: We have also investigated the speed overhead associated with the random bit generation required by our masking technique. Our findings indicate that this overhead can be effectively balanced by leveraging the parallel processing capabilities of the ARM Cortex architecture, ensuring a constant supply of fresh random bits for the masked computations.
Balancing Security and Performance
The successful implementation of the TBM scheme for AES-128 on the ARM Cortex architecture highlights the potential of this approach in delivering both security and performance benefits. By carefully designing the pre-processing and online phases, as well as addressing the random bit generation challenges, we have been able to create a practical and efficient masked cryptographic solution.
Key Takeaways:
- Masking is a powerful countermeasure against side-channel attacks, but its software implementation can introduce significant performance overhead.
- The Table-Based Masking (TBM) scheme offers a promising solution by leveraging pre-processing techniques to achieve linear complexity during the online phase and compact precomputed tables.
- Our TBM-based AES-128 implementation on the ARM Cortex architecture demonstrates the practical advantages of this approach, outperforming the current state-of-the-art AES implementations that are vulnerable to side-channel attacks.
- Careful design and optimization of the pre-processing and online phases, as well as effective management of random bit generation, are crucial for balancing security and performance in masked cryptographic implementations.
As the demand for secure and efficient cryptographic solutions continues to grow, especially in the context of embedded systems, the insights and practical guidance provided in this article can serve as a valuable resource for IT professionals, security researchers, and system architects. By understanding and leveraging the power of table-based masking with pre-processing, you can unlock new possibilities in protecting your critical systems against side-channel attacks while maintaining high-performance standards.