A White-Box Masking Scheme Resisting Computational and Algebraic Attacks

White-box cryptography attempts to protect cryptographic secrets in pure software implementations. Due to its high utility, whitebox cryptosystems (WBC) are deployed even though their secure construction is not well understood. A major breakthrough in generic cryptanalysis of WBC was Differential Computation Analysis (DCA), which requires minimal knowledge of the underlying white-box protection and also thwarts many obfuscation methods. To avert DCA, classic masking countermeasures originally intended to protect against highly related side channel attacks have been proposed for use in WBC. However, due to the controlled environment of WBCs, new algebraic attacks able to break all classic masking schemes have quickly been found. These algebraic DCA attacks break classic masking countermeasures efficiently, as they are independent of the masking order. In this work, we propose a novel generic masking scheme that can resist both DCA and algebraic attacks. The proposed scheme extends the seminal work by Ishai et al. which is probing secure and thus resists DCA, to also resist algebraic attacks. To prove the security of our scheme, we demonstrate the connection between two main security notions in whitebox cryptography: Side Channel Analysis (SCA) security and prediction security. Resistance of our masking scheme to DCA is proven for an arbitrary order of protection. Our masking scheme also resists algebraic attacks, which we show concretely for first and second order algebraic protection, and show how it can be generalized to any order. Moreover, we present an extensive performance analysis and quantify the overhead of our scheme, for a proof-of-concept protection of an AES implementation.


Introduction
Protecting secrets purely in software is a great challenge, especially if a full system compromise is not simply declared out-of-scope of the security model. With fully homomorphic encryption still complex and computationally expensive [34] and secure enclaves being notoriously buggy at this time [12,33,44], industry may opt for white-box cryptosystems (WBC). White-box cryptography promises implementation security of cryptographic services in pure software solutions, mainly by protecting keys and intermediate cipher states through layers of obfuscation. While white-box cryptography is successfully sold by several companies as one ingredient of secure software solutions (e.g. [21]), analysis of deployed solutions is lacking, as is a sound framework to analyze white-box implementations. The white-box model assumes the cryptographic primitive to run in an untrusted environment where the white-box adversary has full control over the implementation. The adversary has full access to every memory access, can read and modify intermediate states and can interrupt the implementation at will. White-box cryptography was introduced in 2002 by Chow et al. [15,16]. The main idea of their scheme is to represent a cryptographic algorithm as a network of look-up tables and key-dependent tables. In order to protect the key dependent tables, Chow et al. proposed to use input and output encodings.
Cryptanalysis of WBCs usually requires a time-consuming reverse engineering step to overcome included obfuscation layers [24]. To overcome this, computational analysis of white-box cryptosystems have been proposed. Computational analysis is inspired by physical grey box attacks, mainly side-channel attacks. Computational analysis attacks, like side channel attacks, perform statistical analysis of observable intermediate states of a cryptographic implementation, e.g. via its physical side channel [20,22,28]; if the implementation is not protected against this kind of attack, the side channel may reveal critical information, usually the secret key material used. At CHES 2016, Bos et al. [9] proposed Differential Computation Analysis (DCA) and showed that DCA can extract keys from a wide range of different white-box implementations very efficiently, without requiring a detailed reverse engineering of the implementation. Following this work, further generic computational analysis techniques have been proposed for white-box implementations, such as Zero Difference Enumeration [1], Collision Attacks, and Mutual Information Analysis [39]. Bock et al. [6] analyzed the ineffectiveness of internal encodings and explain why DCA works so well in the white-box setting. Even fault attacks [2,8] have been shown to be an effective method for state and key recovery attacks on white-box implementations [5,9]. Biryukov et al. [4] introduced two new types of fault attacks to reveal the structure of a white-box implementation, an important step of overcoming obfuscation in WBC.
To overcome the threat of DCA and other computational analysis, a natural protection mechanism are masking schemes. Masking splits a sensitive variable x into n shares, such that x can be recovered from d + 1 (n ≥ d + 1) shares, while no information can be recovered from fewer than d + 1 shares [14]. It is a popular and effective countermeasure in the SCA literature. Most important examples are Boolean masking introduced by Ishai et al. [26] which has been generalized by Rivain and Prouff [37], Threshold Implementations defined by Nikova et al. [35], and polynomial masking as defined in [40] based on Shamir's secret sharing [43]. And recently the idea of combined countermeasures to resist both side-channel and fault attacks are introduced in the literature [36,41,42].
Unlike the attacks, countermeasures cannot be applied to white-box implementations directly. For example, a dedicated masked white-box implementation introduced in [29] and it is broken in [39]. In addition, for secure WBC, other countermeasures such as fault protection and obfuscation layers need to be added [4] and additional randomness should be included in the input [7], as internal randomness generators could be disabled by the white-box adversary. Furthermore, higher order variants of DCA have been shown to be effective when applied to masked white-box implementations due to the adversary's ability to observe shares without noise [7]. Although the noise-free environment makes the attack easier, techniques like control flow obfuscation, input/output encodings and shuffling [45] create artificial noise in white-box environments [1,7], effectively increasing the complexity of higher order DCA significantly. More devastatingly, a new class of generic algebraic DCA (or in short algebraic attacks) has been proposed recently [4,24]. Algebraic DCA is shown to break masked WBC independently of the masking orders if the masking is linear. Yet all current masking proposals are vulnerable to algebraic DCA.
To sum up, although there exist informal ideas on how to create a secure white-box design that can resist both computational and algebraic DCA, formal and generic constructions with their security analysis are missing.
Our contribution: In this paper, we provide the first generic and combined masking scheme that resists state-of-the-art white-box attacks: DCA and algebraic attacks. Classic masking schemes can be applied to WBC, however none of them can individually achieve security against both attacks. To fill this gap, we examine the ISW transformation introduced by Ishai et al. [26] and extend it to the white-box context.
As explained earlier, a Boolean masking scheme provides protection against DCA, however it is shown in [4] that they are vulnerable to algebraic attacks, independently of the masking order. We improve the ISW transformation by replacing a secret share with a multiplicative representation in order to gain security against algebraic attacks. The secret sharing of our masking scheme consists of two components: linear and non-linear shares. The main aim of this separation can be summarized as follows: 1. Linear shares to resist DCA attacks (or computational attacks), 2. Non-linear shares to increase the degree of decoding and therefore prevent the algebraic attacks.
Using the generic construction, we give a comprehensive performance analysis and comparison of our scheme. The analysis includes the total number of bitwise operations and randomness requirements of the masking scheme with various degrees of protections.
To analyze the security of our construction, we focus on two security notions in cryptography: SCA security and prediction security that cover security against computational attacks and security algebraic attacks respectively. The first model that deals with passive adversaries at any order is introduced by Ishai et al. [26] and it is called probing model. The idea is then revised by Rivain et al. [37]. The new model is called n th SCA security and it states that every tuple of n or less intermediate variables must be independent of any sensitive variable. The attacker can observe any set of intermediate variables with n elements. It is shown that an n th -order Boolean masking provides security against n th order SCA. The complexity of computational attacks grows with the masking order. Moreover, the model is also used in the white-box context. As stated in [7], an n th -order masking provides security against n th -order SCA and n th -order DCA attacks with additional obfuscation layers. However, security in the SCA model is necessary but not sufficient, since the SCA model covers only computational attacks (DCA).
Another approach is given by the prediction security model, in which an attacker can observe every intermediate variable and can only use a d th order function to combine them. For example, an n th -order Boolean masking that is inherently protected against DCA is vulnerable against first order algebraic attacks since the adversary can utilize a linear function (i.e. a first order function) and combine a subset of intermediate variables to recover the secret value.
In this work, we further show that SCA security and prediction security notions are incomparable. The models cover different aspects of white-box leakages and both of them are required to achieve security in the white-box model. However, security in either model can be achieved without achieving the other, resulting in insecure schemes. Therefore, we prove the security of our constructions using both notions. First, we prove that our masking scheme is indeed secure against computational attacks by showing that it is secure in SCA model with the given order. Moreover we prove the first and second order prediction security of our scheme. Besides the formal proof, we update and use the tool given in [4] to experimentally verify the first order prediction security of our scheme. The updated version of the tool is available as open source 1 .
Although the masking scheme is generic, the prediction security depends on the structure of the operations. We give a concrete construction for first and second order prediction security and prove their security. Furthermore, the presented methodology can be adapted to arbitrary orders of prediction security.
In the last part of the paper we introduce a proof-of-concept AES implementation to analyze the overhead and experimentally verify the security properties of our scheme using a simple leakage test. The analysis includes the number of needed gates and number of required randomness for different orders of protection. We show that our combined approach outperforms the previous approaches which required to use the combination of two different masking schemes to resist both attacks. Outline of the Paper: Section 2 provides preliminaries. In Section 3, we present the structure of generic masking that resists computational and algebraic attacks for arbitrary orders of protection. In Section 4, we prove the security of our scheme using the notions SCA security and prediction security. Finally, in Section 5, we propose a proof-of-concept AES-128 implementation with the performance analysis using various security parameters.

Preliminaries
In this section, we provide the notation and definitions used in this paper. Also we identify the challenges that need to be addressed for secure white-box designs.
Firstly, we summarize the notation that is needed for the masked white-box design. We denote the Boolean (or linear) masking order by n and multiplicative (or non-linear) masking order as d. The letters x, y, z, . . . represent the sensitive variables. Random variables are represented by letter r, with an index as r i or r i . To denote a random selection of a variable from the field, we use ∈ R . The subscripts x i , y i , z i , . . . represent the i th linear share of a variables whilex i ,ỹ i ,z i , . . . represent the i th non-linear share. A vector of shares (x 0 , . . . ,x d , x 1 , . . . , x n ) is denoted by x. Bold numbers 0 and 1 are used to denote constant functions.
As usual, we model the white-box implementations as Boolean circuits represented by directed acyclic graphs. Each node in a circuit C, with k > 0 inputs, corresponds to a k-ary Boolean function. Nodes with the indegree equal to zero are called inputs of C and nodes with the outdegree equal to zero are called outputs of C.
Let x = (x 1 , . . . , x N ) (resp. y = (y 1 , . . . , y M )) be a vector of input (resp. output) nodes in some fixed order. For each node v in C, we say that it computes a Boolean function f v : F N 2 → F 2 defined as follows: . . , f c k (z)), where c 1 , . . . , c k are nodes having an outgoing edge to v.
The set of f v for all nodes v in C is denoted F(C) and the set of f xi for all input nodes x i is denoted X (C).
Differential Computational Analysis: The idea of using side-channel attacks to recover critical secrets in WBC has been introduced by Bos et al. [9]. Differential computational analysis utilizes internal states of the software execution (such as memory accesses) to generate software traces. DCA is regarded as one of the most efficient attacks against white-box implementations, since it does not require full knowledge of white-box design and thus makes the time-consuming reverse engineering process avoidable. The first part of DCA consists of collecting software traces using memory addresses, intermediate values or written/read values by the implementation. In the second part a statistical analysis is performed using the software traces collected in the first part.
To resist against DCA, a natural approach is to use the well-known sidechannel analysis countermeasure masking [14]. The masking is carried out in two steps as defined in the seminal work by Ishai, Sahai, and Wagner in 2003 [26]. First, input data is transformed by representing each input x by n + 1 shares in such a way that where x ∈ F 2 and n of the shares are distributed uniformly and independently. Additionally, the circuit is adapted by replacing all AND and XOR gates with gadgets processing the shares of the inputs. Throughout the paper, the two stages of masking will be defined as ISW transformation.
Masking schemes rely on the availability of good randomness, which is usually provided by secure RNGs, e.g. in the form of a secure and efficient Pseudorandom Generator [18,25]. Similarly, randomness generation for white-box implementations has been analyzed in the literature. Due to the adversarial ability to control the execution environment in white-box model, the attacker can simply disable an external randomness source. Therefore, white-box implementations have to rely on internal randomness sources in combination with additional obfuscation countermeasures [1,4,7]. Remark that the effectiveness of DCA comes from its universality and its ability to avoid reverse-engineering, which can be extremely costly [24]. By combining masking with an obfuscation layer, the adversary is this forced to invest on a time-consuming reverse engineering step to bypass the obfuscation which cannot be done by an automated tool, while the masking prevents obfuscation-oblivious attacks such as DCA.
Algebraic Attacks: Algebraic attacks have been introduced during the WhibOx contest of CHES2017 [17]. Although the majority of the implementations in the contest were broken in less than one day, the strongest design (by means of the surviving time: 28 days) was broken by algebraic analysis [4,24]. Algebraic attacks try to find a set of circuit nodes whose d th -order of combination equals to a predictable vector. Observe that if an implementation is protected by a linear masking, there exists a set of circuit nodes (corresponding to the secret shares) such that the linear combination (i.e. the first order combination) is always equal to a predictable secret value. This means that, linear maskings are inherently vulnerable to first-order algebraic attacks independently of the masking order [4,24]. Like DCA, Algebraic attacks do not require complex reverse engineering and are thus a generic threat that any white-box implementation needs to address.
Thus, to thwart both of the above-mentioned generic attacks, secure masking for white-box implementations needs to fulfill the following two requirements: -The number of shares needs to be sufficiently high to prevent computation attacks (DCA). -There may be no low degree decoder in order to counteract algebraic attacks.
Another challenge of the secure white-box implementation is the adversaries ability to collect noise-free measurements. Remark that the security of masking schemes against side-channel attacks or DCA comes from the inherently noisy measurements [13]. To deal with this problem, artificial noise sources such as control flow obfuscation [1], shuffling [7] and input and output encodings [6] have been analyzed in the literature. The artificial noise introduced by these methods increases the complexity of higher order DCA dramatically. It has been shown in [7] that the complexity of the attacks increases with the order of the masking and the order of the obfuscation layers. Therefore, the SCA model is a valid approach to analyze the security of masking schmes of white-box implementations against DCA. Due to the artificial noise sources, it becomes infeasible for an attacker to combine the required number of shares to recover the sensitive information. Throughout the paper we assume a reliable randomness source is provided as part of the implementation, that is fed internally and protected by obfuscation layers, as done in [1,4,39]. Therefore, the attacks on randomness sources and the adversaries' ability to disable randomness is out-of-scope of this work. For a full white-box implementation, other problems (fault protection, randomness generation, obscurity layers) need to be added [4,7] in addition to a secure masking scheme, which we introduce throughout this work.
In the next Section, we introduce our masking scheme to resist both computational and algebraic attacks using an adapted version of the ISW transformation.

Secure Masking Construction
The proposed masking scheme is based on two ideas: an ISW-like masking to increase the number of shares required to eliminate the computation attacks and using a multiplicative sharing to increase the degree of the decoding function. We denote the first part as linear sharing of order n and the second part as non-linear sharing of degree d. And the resulting construction is named as (n, d)-masking. The summary and the security properties of the schemes are presented in Table 1. (resp. ) means the scheme is vulnerable (resp. resistance against) both to computational and algebraic attacks. Mark (resp. ) for vulnerability to computational but resistance against algebraic attacks (resp. resistance against computational but vulnerability to algebraic attacks). Remark that a masking scheme with (n, 0) is the ISW transformation [26] while a masking scheme with (1, 1) is the scheme in [4]. The example structures for the masking schemes with (2, 1) and (3, 1) can be found in Appendix B.
We start with the data transformation and define our masking function: wherex 0 , . . . ,x d , x 1 , . . . , x n−1 ∈ R F 2 are chosen randomly and independently from F 2 , and x i . Observe that our masking scheme is obtained from ISW transformation by replacing the first share x 0 in ISW by a non-linear sharing x 0 = d j=0x j . The unmasking function is defined as follows: The data transformation is followed by the transformations of each AND and XOR gate. Throughout the paper, we define the transformed gates as And and Xor (or And[n, d] and Xor[n, d]) gadgets respectively.

Gate Transformations
In this section the generic constructions for Xor, And are presented. Additionally, we provide definition of the RefreshMask gadget, which is needed to protect against algebraic attacks. The scheme can be used for an arbitrary order n of linear masking and any degree d of the non-linear component. Though the constructions are general, the algebraic security depends on the structure of the nodes (the details can be found in Section 4). The intermediate variables (which we called the bottlenecks) that needs a special structure depending the non-linear degree d are the following: Let x and y be two bits and consider an (n, d)-masking scheme, i.e. x and y have been split into (n + d + 1) shares such that Below, we describe each gadget and simultaneously give a corresponding algorithm in pseudocode and explicit structure of the bottlenecks of the [n, 1] and [n, 2] gadgets.
Step-1: The values of the non-linear shares are processed: Step-2: Computation of linear shares are operated: where U can be defined as follows: As the explicit constructions, we can introduce U as follows: , U can be calculated as in Equation (1). However the circuit nodes should be constructed carefully in order not to create vulnerabilities in algebraic security.
And[n, d] Gadget: A masked representation of z = xy with n + d + 1 shares such that d j=0z j ⊕ n i=1 z i = z can be calculated as follows: Step-0: The input shares processed by RefreshMask gadgets; x ← RefreshMask(x) and y ← RefreshMask(y).
Step-1: The calculations of the values of multiplicative representation are processed. Additional random bits r i,j are generated in order to attain algebraic security in the second step.
Step-2: The variables r j,i for 0 ≤ i < j ≤ n are generated as follows: The calculations for 1 ≤ i ≤ n are processed as identical to the ISW-And gadget. However, for i = 0 the calculations require special attention and we need to define a function F as follows: Unlike to the Step-2(a), r 0,j cannot be assigned as random. Instead, r 0,j should be defined in such a way that the following equation holds: Throughout the paper we denote right hand side of the above equation as V.
Note that the above structure for F(x j , y j ) (given on the right hand side of Equation (2)) is not secure against algebraic attack even of the first order. Below we provide secure construction for the case (n, 1) and (n, 2)-masking. - where u = r 1,1 ⊕ · · · ⊕ r 1,n and v = r 2,1 ⊕ · · · ⊕ r 2,n .
-And[n, d] for d ≥ 3 the circuit nodes that calculates F(x j , y j ) should be structured in such a way that algebraic security properties are satisfied.
Step-3: The final step can be performed identical to an ISW-And gadget: For RefreshMask[n, d] Gadget: The operation has a crucial importance for generating an algebraically secure implementation. In fact, the gadget should be combined with each Xor and And gadget in order to obtain a fully secure masking scheme. The security details can be found in Section 4. Step-1: Step-2: Step-3: In the last step we need to define two intermediate variables as follows: Here, as usually, a product over the empty set I is evaluated as 1. Using the above equations, we can introduce the variables that need to be added the share x n as: Remark that we cannot directly add W to the final share x n due to algebraic security properties. Therefore, the variables W with R should be added to the final share in order to define an algebraically secure mask refreshing gadget. The explicit structure of the circuit nodes to calculate W and R for RefreshMask[n, 1] and RefreshMask[n, 2] can be found below.
-RefreshMask[n, d] for d ≥ 3 the circuit nodes that calculates W and R should be structured in such a way that algebraic security properties are satisfied.

Algorithm 3 RefreshMask(x)
r0 is used to compute W and R 9:

Correctness and Performance Analysis
Next we introduce the transformation T (n,d) to generate a Boolean circuit that is protected by an (n, d)-masking scheme and uses the gadgets described in Section 3.1. The following lemma summarizes the correctness of the transformation T (n,d) . Proof of the lemma can be found in Appendix A. In conclusion the transformation T (n,d) can be used to transform any circuit to an (n, d)-masked circuit in a functionality preserving manner. Although we are using an n th order linear masking, the scheme only provides an (n − 1) th SCA security. Due to the nonlinear sharing, the masking loses one share to increase the decoding order. Also the algebraic security depends on the structure of the Equations (1), (2), and (3) in each gadget as underlined above. The details can be found in Section 4.2.
Performance Analysis: In order to compare our construction with the previous schemes we analyze the performance of our scheme in terms of bitwise operations and randomness requirements. An analytical comparison of different orders and a comparison between ISW transformation and (n, d)-masking scheme can be found in Table 2.
In the following analysis for the simplicity, we use the symbol vertical bar (|) to separate the number of Xor, And operations respectively. And we exclude the RefreshMask gadgets inside the Xor and And gadgets to analyze the constructions straightforwardly. Since the structure of the bottleneck variables depends on the non-linear degree d, we use a symbolic approach to analyze the performance numbers for the higher orders (i.e. for d ≤ 3). We use the subscripts Table 2. The number of bitwise operations in Masked Operations. Remark that (n, 0)masking scheme corresponds to ISW gadgets. The last part of the table corresponds to the overhead of (n, d)-masking scheme compared to ISW transformation.

Xor
And Randomness to denote the number of operations within U, V, W, and R, e.g., U x and U a represent the number of bitwise Xor, And operations within U.
As seen in Table 2, the Xor gadget can be transformed efficiently. The cost of the gadget in the ISW transformation is n + 1 bitwise Xor while an (n, d)masking requires n + d + 2 bitwise Xor and the additional cost of the variables U. Therefore, the cost of the Xor gadget can be calculated as; (n+d+2+U x )|U a .
The cost of an And gadget can be analyzed easily by comparing the steps with ISW transformation. As seen in the construction in Section 3, the gadget can be divided into three stages.
Step-3 involve the calculations of r j,i for 1 ≤ i < j ≤ n, i = 0 and Step-3. These parts can be processed as identical to the ISW transformation and cost 2n(n − 1)|n 2 while the required number of random bits is n(n − 1)/2. Observe that the cost of these parts equals to an ISW-AND gadget with n shares.
We analyze the performance of the RefreshMask gadget using a similar methodology. The total number of required randomness and the number of required bitwise Xor operations can be calculated as n+d+1 and 2n+d+1 respectively. As in the previous gadgets, the calculations of W and R add more calculations to the structure. The numbers for RefreshMask[n, 1] and RefreshMask[n, 2] can be seen in Table 2.
Using the performance analysis, we reveal the exact overhead of our scheme. The numbers in the overhead section of Table 2 can be calculated by comparing the cost of with n th -order ISW transformation by an (n, d)-masking scheme. As seen in the table, the cost principally depends of the calculation on the values U, V, W, and R while the randomness is affected by the masking degrees n and d.

Security Against Computational and Algebraic Attacks
Security in the grey-box model is a well-established issue of cryptography. In this paper, we use the definition for n th order SCA security (security against t-probes for t ≤ n as proposed by Ishai et al. [26]) for white-box designs and security against algebraic attacks of degree d as proposed in [4]. First we recall briefly both security notions and then we prove that our construction is secure against SCA of any order up to n − 1 and against algebraic attacks for d = 1 and d = 2. Remark that the security against SCA follows the security against computational attacks of the same order, since the underlying idea of computational attacks relies on side-channel analysis.

Security Models
Roughly speaking, in the setting of the n th order SCA security, an adversary may invoke the (randomized) construction multiple times and adaptively choose the inputs. Prior to each invocation, the adversary may fix an arbitrary set of t ≤ n internal wires of the circuit values of which can be observed during that invocation. We use in this paper the following common definition of the SCA model (see e.g. [26,37]).

Definition 1.
A randomized secret key encryption algorithm is said to achieve n th -order SCA security if every t-tuple, with t ≤ n, of its intermediate variables is independent of any sensitive variable.
Here, by a sensitive variable of an encryption construction we mean any variable, with the exception of the resulting ciphertext or any deterministic function on it, that can be expressed as a deterministic function of the given plaintext and the secret key. Additionally, we assume that the function is not constant with respect to the secret key.
In [26] Ishai et al. provide a general construction of circuits using masking shares of size n and they proved that the generic construction achieves the (n/2) th -order SCA security. Rivain and Prouff [37] improved the analysis in [26] showing that the ISW transformations achieves SCA security of order n.
Note that SCA security is a necessary but not a sufficient condition for a secure white-box implementation. A white-box adversary can implement an algebraic attack to recover secret key from a masked white-box implementation. The main idea of the algebraic attack is finding a d th order function of intermediate variables 2 such that the output of this function will be equal to a predictable vector. To cover the algebraic attacks a new security notion called Prediction Security is defined in [4]: an arbitrary function, d ≥ 1 an integer, and A an adversary. Consider the following security experiment: 1 , r1),r1), . . . , f (E(x The pair (C, E) is said to be d th order prediction-secure (d-PS) if for any adversary A the advantage is negligible.
Although it may seem that one definition covers the other one, in fact they are incomparable. Therefore, both definitions are needed to analyze a secure white-box implementation.
To illustrate the incomparability of two notions, let us consider two examples; a white-box implementation protected with a n th -order Boolean masking and minimalist quadratic masking defined in [4].  Fig. 1. A first-order leakage detection on a circuit that simulates AES-128 with the masking defined in [4]. Clearly, the t-test value exceeds the threshold values shown by red lines.
Example 1 (SCA Secure Masking Vulnerable to Algebraic Attacks). By definition, an ISW transformation to the circuit and the data results in an n th -order SCA secure implementation. However, a first-order algebraic attack can exploit a first-order (linear) combinations of intermediate values which equal to a predictable value. Therefore, an n th -order Boolean masking is secure in SCA model, but not secure in prediction security as seen in [4].
Example 2 (Algebraically secure masking vulnerable to SCA). As the second example, we use the encoding function Encode(x, x 0 , x 1 ) = (x 0 , x 1 , x 0 x 1 ⊕ x). As given in [4] the masking scheme satisfies the first order algebraic security. However, it is not SCA secure, even with respect to the first order, due to its unbalanced sharing which causes that intermediate variable x 0 x 1 ⊕ x encoding the third share is dependent of the sensitive variable x. Indeed, for any value x we have Pr x0,x1∈ R F2 [(x 0 x 1 ⊕x) = x] = 3/4. Thus, there exists no first order function that is equal to a predictable vector, but there exits one node (the last share) that is highly correlated with a predictable vector. In order to verify this, we implement a basic bitwise AES-128 circuit using Sbox designed by Boyar and Peralta [10] and implement a basic leakage detection test using 500 traces with 45000 nodes (N = 500 and M = 45000). As seen in Figure 1, the test shows the intense leakage. The details of the experimental setup regarding the leakage detection, trace collection and the variable selection can be found Section 5.1.
As illustrated in Example 1, the prediction security is based on finding a degree-d function whose output equals to a predictable value. However, in SCA we only need to find a set of variables which depends on a predictable value as seen in Example 2. As a main result, we prove the security of our scheme in two steps: -There exits no set of intermediate variables with t ≤ n elements such that the set depends on a predictable value. -There exists no d th order function such that the output equals to a predictable value.

Security Against Computational Attacks in the SCA model
We start with providing some auxiliary notions which generalize the corresponding definitions given in [37,38]. A vector x = (x 0 , . . . ,x d , x 1 , . . . , x n ) of n + d + 1 intermediate variables is called an (n, d)-family of shares if every tuple of the form ((x i ) i∈Ĩ , (x i ) i∈I ) such that |Ĩ| ≤ d + 1 and |I| ≤ n − 1 of x 0 , . . . ,x d , x 1 , . . . , x n is uniformly distributed and independent of any sensitive variable and x i is a sensitive variable. Two (n, d)-families of shares x = (x 0 . . . ,x d , x 1 , . . . , x n ) and y = (ỹ 0 . . . ,x d , y 1 , . . . , x n ) are called to be (n − 1)-independent of one another if every tuple composed of ((x i ) i∈Ĩ , (x i ) i∈I ) and ((ỹ j ) j∈J , (y j ) j∈J ) with |Ĩ|, |J| ≤ d + 1 and |I|, |J| ≤ n − 1 is uniformly distributed and independent of any sensitive variable. Two (n, d)-families are (n − 1)-dependent of one another if they are not (n − 1)-independent.
To prove the SCA security of an implementation C of an encryption scheme, we decompose C into basic components, which we call randomized elementary transformations. Such a component gets as input two (n − 1)-independent (n, d)families of shares, resp. one (n, d)-family of shares, and it returns a (n, d)-family of shares.
In this section we prove first that the randomized elementary transformations specified as Algorithm 1, 2, and 3 for computing Xor, And, respectively RefrashMask gadgets are (n − 1) th SCA secure. In the proofs we will use the following slight generalization of Lemma 1 given in the full version [38] of the work [37]. Since the proof in [37] can be easily modified for our setting, we skip it here.
Proof. In order to prove the proposition, we use Lemma 2 and show that every tuple of intermediate variables (v 1 , . . . , v t ) with t ≤ n − 1 elements can be simulated from two tuples of input shares (x i ) i∈Ĩ and (x i ) i∈I such that |Ĩ| ≤ d+1 and |I| ≤ n−1. We denote the concatenation of these tuples as U = ((x i ) i∈Ĩ , (x i ) i∈I ).
We first need to construct the sets of indices I andĨ depending on the selected intermediate variables v k which can be divided as follows: -For all selected r i , x i and x i ⊕ r i add i to I.
-For all selectedr i ,x i andx i ⊕r i add i toĨ.
-For all selected x n and x n ⊕ r i add n to I.
The above steps cover all the variables besides those used in line 11 in Algorithm 3. In order to simulate the variables in line 11 we need to consider the following (note that in the expression in line 11, only sharesx i and random variables are used): -For all selected values of the formx i ⊕ r 0 add i toĨ.
-If one of the variables of form i∈J ( According to our selection, we add at most one index to I and in the worst case we add d + 1 elements toĨ per selected internal variable v k . Next we will show how to simulate a t-tuple of intermediate variables in Algorithm 3 using the tuple U . First we need to consider the simulation of random values r i and r i involved in the computation of v k . -All r i (resp.r i ) are assigned random values.
After assigning the random values we can consider the intermediate variables.
-Every value of the form x i , r i , or x i ⊕ r i (resp.x i ,r i , orx i ⊕r i ) can be perfectly simulated since i ∈ I (resp. i ∈Ĩ) and the needed values of r i (resp.r i ) have already been assigned in the simulation as stated above. -Thus the only remaining variables are of the form x n and x n ⊕ r i .
• if n / ∈ I the values do not enter the computation of any selected value and therefore the values can be left unassigned.
• if n ∈ I then the value x n can be simulated by the tuple U (since n ∈ I) and x n ⊕ r i can be simulated by assigning r i a random value. -We need to pay special attention to the values in W and R used in line 11.
• Every value of the formx i ⊕ r 0 can be perfectly simulated since i ∈Ĩ and r 0 is assigned a random value as stated above. • Every value of the form i∈J (x i ⊕ r 0 ) i / ∈Jr j where j {0, . . . , d} can be simulated according to our selection. Either all i ∈ [0, d] is inĨ or the value of the form is not selected at all. In both cases we can perfectly simulate variables with the set U .
• Every value in R contains the non-linear input shares or random values.
Therefore we either have all i ∈ [0, d] inĨ or the values in R are not selected at all. In both cases we can perfectly simulate variables with the set U .
In conclusion, we show that any set of intermediate variables (v 1 , . . . , v t ), with t ≤ n − 1 elements, can be simulated by U = ((x i ) i∈Ĩ , (x i ) i∈I ) such that |Ĩ| ≤ d + 1 and |I| ≤ n − 1. By the definition of our masking U is uniformly distributed and independent of any sensitive variable and hence RefreshMask gadget seen in Algorithm 3 is an (n − 1) th SCA secure gadget. Proposition 2. Let x = (x 0 . . . ,x d , x 1 , . . . , x n ) and y = (ỹ 0 . . . ,ỹ d , y 1 , . . . , x n ) be two (n − 1)-independent (n, d)-families of shares, with n ≥ 2, inputs of Algorithm 2 for And. Then the distribution of every tuple of t ≤ n − 1 intermediate variables in Algorithm 2 is independent of the distribution of values taken by Proof. In order to prove the proposition, we use the Lemma 2 and show that every set of intermediate variables (v 1 , . . . , v t ) with t ≤ n − 1 elements can be simulated by two sets of input shares (x i ) i∈Ĩ and (x i ) i∈I such that |Ĩ| ≤ d + 1 and |I| ≤ n − 1, resp. (ỹ j ) j∈J and (y j ) j∈J such that |J| ≤ d + 1 and |J| ≤ n − 1. We denote the concatenations of these tuples by U = ((x i ) i∈Ĩ , (x i ) i∈I ) and V = ((ỹ j ) j∈J , (y j ) j∈J ).
We first need to construct the sets of indices I andĨ corresponding to shares of x, and J andJ corresponding to shares of y. The following two cases cover every variable in Step-2(b) and Step-3: -For all x i , y i , x i y i , r i,j or xor of these values add i to I and J.
-For all x i y j or r i,j ⊕ x i y j add i to I and j to J.

To cover
Step-1 and Step-2(a) we need to follow the steps below: -For allx i ,ỹ i , r i,j and combination of these add i toĨ andJ.
-For allx iỹi add i toĨ and i toJ.
-For allx i y j (resp.ỹ j x i ) add i toĨ and j to J (resp. add i to I and j toJ).
-For all values of the form i∈Kx i j∈Lỹ j where K, L {0, . . . , d} add all i ∈ K toĨ and all j ∈ L to J.
According to our selection, we add at most one index to I (resp. J) and in the worst case d + 1 elements toĨ (resp.J). Let us examine the simulation of the random values: -If i / ∈ I (resp. i / ∈Ĩ) then r i (resp.r i ) does not enter the computation of any selected value and therefore can be left unassigned.
-If i ∈ I and j / ∈ J then: • if i < j then r i,j is assigned a random value, • otherwise r j,i is not involved in the computation of any selected value; therefore we can assign a random value to r i,j . -If i, j ∈ I ∩J then the values x i , x j , y i , y j can be simulated and r i,j (assigned as random) and r j,i can be calculated as in Algorithm 2 i.e., the value r j,i can be calculated as (r i,j ⊕ x i y j ) ⊕ x j y i . -If i, j ∈ I and if i, j / ∈ I ∩ J then at least one of the r i,j or r j,i does not enter the computation of the selected value, therefore the values can be assigned a random value.
Note, that the above classification is based on the one given in [38]. In our construction we need to examine the additional randomness used in Step-1.
-If i / ∈Ĩ then r i,j for j ∈ [1, n] is not involved in any computation and therefore it can be left unassigned.
-If i ∈Ĩ then r i,j for j ∈ [1, n] should be assigned a random value.
Next we show how to simulate the variables using the tuples U and V .
-Every variable x i , y i , x i y i , r i,j or xor of these values can be simulated according to our selection. x i y j or r i,j ⊕ x i y j can be perfectly simulated since i ∈ I, j ∈ J which enables us to compute x i y j and r i,j have been assigned.
We note, that the above steps cover the variables in Step-2(b) and Step-3 and are based on [38]. In order to simulate the remaining variables we need to examine the variables as follows: Hence, we show that any set of intermediate variables (v 1 , . . . , v t ) with t ≤ n− 1 elements can be simulated by U = ((x i ) i∈Ĩ , (x i ) i∈I ) and V = (ỹ j ) j∈J , (y j ) j∈J ) such that |Ĩ|, |J| ≤ d + 1 and |I|, |J| ≤ n − 1. By the definition of our masking U and V are uniformly distributed and independent of any sensitive variable and hence the And gadget introduced in Algorithm 2 is an (n − 1) th SCA secure elementary transformation. The proof of Proposition 3 can be found in Appendix A. Thus we prove the SCA security aspect of the individual gadgets introduced in Section 3. The following theorem analyzes an arbitrary circuit C as a combination of our gadgets and shows that C (as defined below) is secure against (n−1) th -order SCA attacks and therefore secure against (n − 1) th -order computational attacks. Theorem 1. Assume a circuit C is transformed to C using T (n,d) , with n ≥ 2 and d ≥ 1, described in Section 3. Then C is secure against (n − 1) th -order computational attacks.
Proof. The randomized circuit C is expressed as a combination of Xor[n, d], And[n, d] and RefreshMask[n, d] gadgets and the gadgets take either an (n, d)family of shares or two (n, d)-family of shares. By the Propositions 1, 2, and 3 we know that the gadgets achieve (n − 1) th order SCA security and any set of intermediate variables with ≤ n − 1 elements selected within the gadgets can be simulated by a set of inputs such that ((x i ) i∈Ĩ , (x i ) i∈I ) with |Ĩ| ≤ d + 1 and |I| ≤ n − 1. By the definition of our masking, the set of input stated above is uniformly distributed and independent of any sensitive variable. Any set of intermediate variables in C with ≤ n − 1 elements can be perfectly simulated by a set of input shares which is uniformly distributed and independent of any sensitive variable. Hence C is an (n − 1) th SCA secure circuit.

Algebraic Security of the (n, 1)-Masking Scheme
In this section we analyze the algebraic security (Def. 2) of (n, 1)-masking scheme using the gadgets in Section 3.1. We use the auxiliary ( -1-AS) security definition from [4].
The methodology to prove the algebraic security in [4] can be divided into two steps. The first part consists of showing E(f (x, r)) = 1/2 for all f ∈ F (1) (C) and for all x ∈ F N 2 except the constant functions and affine functions of x. To solve this, a verification algorithm is given in [4]. Briefly speaking, the algorithm generates a truth table by evaluating the circuit on all possible inputs and recording each node in the circuit. Another truth table is formed by selecting the values where the input is fixed x = c. That is, the second truth table corresponds to the values of the circuit nodes where the input x is fixed to a value c while r takes all possible values. Observe that, the latter truth table is a subset of the former one. Finally, the algorithm compares the dimensions of the basis of the truth tables for each restriction, to check if there is a constant function f when the input is fixed to a value c.
The second part is processed by finding the maximum degree term (i.e. node in the circuit) and calculating the corresponding bias bound. As proven in [32], the degree of a Boolean function gives us a boundary for the weight of the function such that wt(f ) ≤ 2 N −deg(f ) where N is the number of inputs of the function f . Observe that, the maximum degree that f ∈ F (1) (C) can have is equal to the maximum degree node in C since f contains only the linear combinations of the nodes. That is for all f ∈ F (1) (C), deg(f ) ≤ max(deg(c i ) ci∈C ) and thus wt(f ) ≥ 2 N −max(deg(ci) c i ∈C ) . Using this minimum weight value, the linear-bias bound of the gadget can be calculated as: Due to the first part of the proof, we know that there are no constant functions and therefore bias cannot grow.
Using the discussion above we will prove the security of our gadgets by showing that there exists no constant function f (c, ·) ∈ F (1) (C) for all c ∈ F N 2 and by calculating the corresponding bias boundary of the gadgets. We start with the first order algebraic security proof for an RefreshMask[n, 1] gadget that uses the construction given in Section 3.1.
Proposition 4. Let C be the circuit representation of the RefreshMask gadget using a masking scheme with an arbitrary order n and a fixed degree d = 1. C takes as input n + 2 shares (x 0 ,x 1 , (x i ) 1≤i≤n ) and outputs n + 2 shares The proof of Proposition 4 can be found in Appendix A. We proceed with first order algebraic security proof for an And[n, 1] gadget that uses the construction given in Section 3.1.

Proposition 5.
Let C be the circuit representation of the And gadget using a masking scheme with an arbitrary order n and a fixed degree d = 1. C takes as input n + 2 shares (x 0 ,x 1 , (x i ) 1≤i≤n ) and (ỹ 0 ,ỹ 1 , (y i ) 1≤i≤n ) and outputs n + 2 shares (z 0 ,z 1 , (z i ) 1≤i≤n ). The gadget And[n, 1] is -1-AS with ε ≤ 7/16.
Proof. In the first part of the proof, we show that there exists no function f ∈ F (1) (C) such that f is constant when inputs are fixed.
First, let us the reformulate the circuit C as follows: wherer denotes the set of randomness that is used in the circuit. Next, we define three classes of edges within the circuit: -R: The set of random bits, -B: The set of linear shares i.e. x i and y j for all 1 ≤ i, j ≤ n, -M: The set of non-linear shares i.e.x 0 ,x 1 ,ỹ 0 andỹ 1 .
Using the above classification we can analyze the nodes c i1≤i≤M ∈ C with respect to its input edges where M is the number of nodes in C. We define the nodes as c i : the input bits of the node and v i ∈ F 2 represents the output bit of the node. The classification of the nodes can be listed as follows; Assume that there exists a function f ∈ F (1) (C) such that f is constant when the inputs x and y are fixed. We can represent the function as f = i∈I v i where I ⊆ [1, M ]. Remark that the input shares are randomized, since they are first processed by RefreshMask gadgets. Therefore f should include a reconstructed combination of the shares i.e., f should include a combination of nodes such that x 0x1 ⊕ x 1 ⊕ · · · ⊕ x n (resp.ỹ 0ỹ1 ⊕ y 1 ⊕ · · · ⊕ y n ) is formed.
Any linear combination of the nodes of 1 and 2 cannot be constant due to RefreshMask gadgets, since either a node is random (non fixed by definition) or the node corresponds to linear masking (non fixed by RefreshMask). Therefore f should include at least one node from the 3 rd class to form the reconstructed multiplicative representation: x 0 or y 0 . Clearly, the nodes from the 3 rd class can be found in Step-1 and Step-2(a) where the following computations are processed: The use of parenthesis indicates the order in which the nodes are used in the above equations. Therefore the order of the nodes eliminates the generation of an affine function of x 0 or y 0 (the shares represented byx 0 ,x 1 andỹ 0 ,ỹ 1 respectively), although these nodes calculate the correct function (F(x j , y j ) as seen in Equation (2)). Any linear combination of these nodes cannot be constant and thus there exists no constant function f ∈ F (1) (C) such that inputs are fixed.
In the second part, we examine the highest degree term in the gadget and find the corresponding bias. For And[n, 1] the maximum degree term can be found in line 18 of Algorithm 2. Specifically, x n y n which contains a node of the form r x 0r x 1r y 0r y 1 wherer x 0 ,r x 1 (resp.r y 0 ,r y 1 ) are the randomness used in RefreshMask(x) (resp. RefreshMask(y)). Clearly the corresponding bias and the bias bound of the gadget can be calculated as 2 −4 and ≤ 1/2 − 1/2 4 = 7/16 respectively. Thus And gadget is -1-AS with ε ≤ 7/16.
Although we are not giving a proof for the Xor gadget (however the experimental verification of the Xor gadget can be found below), the same discussion can be carried out. Since any combination of algebraically secure gadgets is also algebraically secure by [4], we can use the gadgets in Section 3.1 to securely calculate an arbitrary Boolean circuit.
Experimental Verification: To support the results, we provide the experimental verification of the first order gadgets; And[n, 1], Xor[n, 1] (and inherently RefreshMask[n, 1]) for n = 1, 2 and 3 using the tool given in [4] 3 . First we adapt our scheme to work with the tool, i.e. we implement our masking scheme (with the given orders n and d ) as a class inside the tool. Next we run the verification algorithm as explained above. The updated version of the tool including our scheme is available as open source 4 . Table 3. First-order algebraic security verification of individual gadgets. Input corresponds the number of shares for both inputs (i.e. 2(n + 2)). Random states the number of random values (RC ) within the circuit and it is calculated by the randomness requirement of two RefreshMask gadgets and additional randomness in the gadget. We confirm the first order algebraic security of our scheme for different orders and the details can be seen in Table 3. The algorithm is run on an Intel Xeon Silver 4114 CPU@2.20GHz and, as seen in the table, the time that algorithm takes increases exponentially with the increasing number of nodes within the gadgets. Observe that the bias bound does not depend on the linear degree n, since the maximum degree term is found within the terms that depend on the non-linear degree d.

Algebraic Security of the (n, 2)-Masking Scheme
In this section we use a similar strategy given in the Section 4.3 to prove the second order algebraic security of our gadgets. As we highlighted in Section 3.1, we can use the generic constructions for higher orders, however the sequence of nodes should be defined carefully in order to satisfy the algebraic security given in the previous sections. In order to prove the higher order algebraic security we propose the following lemma to extend a circuit. The main idea is to reduce the problem of the d th -order algebraic security of the original circuit to the first-order algebraic security of the extended circuit.
Lemma 3. Let C be a Boolean circuit with M nodes i.e. |C| = M and let C (d) be the d th order extension of the circuit C defined as follows: where v i denotes the output bit of the i th node. C is d th -order prediction secure if and only if C (d) is first-order prediction secure.
Proof. By the definition, C (d) is generated by using all nodes and all up to d th order combinations of the nodes of C. Thus the set of linear combinations of C (d) is equal to the set of d th order combinations of the nodes of C, i.e.
By Definition 2, we can define the connection between advantage of the adversaries as follows: Therefore, the d th order prediction security aspect of C will be identical to first order prediction security aspect of C (d) Hence C is d th order prediction secure if and only if C (d) is first order prediction secure.
Using Lemma 3, we will prove the second order prediction security of our (n, 2) construction by creating the second order extension of the circuit as shown in Equation (4). Then we show that there exists no constant function f (c, ·) ∈ F (1) (C (2) ) for all c ∈ F N 2 and calculate the corresponding second-order bias bound of the gadget. We start with the -2-AS of the RefreshMash[n, 2] gadget. Proposition 6. Let C be the circuit representation of the RefreshMask gadget using a masking scheme with an arbitrary order n and a fixed degree d = 2. C takes as input n + 3 shares (x 0 ,x 1 ,x 2 , (x i ) 1≤i≤n ) and outputs n + 3 shares The proof of Proposition 6 can be found in Appendix A. Next we prove the second order algebraic security of And[n, 2] gadget. Proposition 7. Let C be the circuit representation of the And gadget using a masking scheme with an arbitrary order n and a fixed degree d = 2. C takes as input n + 3 shares (x 0 ,x 1 ,x 2 , (x i ) 1≤i≤n ) , (ỹ 0 ,ỹ 1 ,ỹ 2 , (y i ) 1≤i≤n ) and outputs n+3 shares (z 0 ,z 1 ,z 2 , (z i ) 1≤i≤n ). The gadget And[n, 2] is -2-AS with ε ≤ (1/2− 1/2 12 ).
Proof. Similar to the proof of Proposition 5, we reformulate the circuit C as follows: By the Lemma 3 we can define the second order extension of the circuit C as follows: Next we use the classification of the nodes that we used in the proof of Proposition 5: -R: The set of random bits, -B: The set of linear shares i.e. x i and y j for all 1 ≤ i, j ≤ n, -M: The set of non-linear shares i.e.x 0 ,x 1 ,x 2 ,ỹ 0 ,ỹ 1 andỹ 2 .
Using the above classification we can analyze the nodes c i ∈ C with respect to its input edges. We define the nodes as c i : (u 1 i , u 2 i ) → v i where u 1 i , u 2 i ∈ F 2 represent the input bits of the node and v i ∈ F 2 represents the output bit of the node. The classification of the nodes depending be listed as follows; Assume that there exists a second-order combination f ∈ F (2)(C) that is constant when the inputs are fixed. It follows that there exists a linear combination f ∈ F (1) (C ) such that f is constant when the inputs are fixed.
Let us denote the linear combination as f = i∈I v i where I ⊂ C . As in Proposition 5, input shares are randomized, due to the initial RefreshMask gadgets. Therefore f should include a reconstructed combination of the shares i.e., f should include a combination of nodes such thatx 0x1x2 ⊕ x 1 ⊕ · · · ⊕ x n (resp.ỹ 0ỹ1ỹ2 ⊕ y 1 ⊕ · · · ⊕ y n ) is formed. Using the same discussion we can see that f should include a node from the third class which can be found in Step-1 and Step-2(a).
However, the nodes c i ∈ C contains at most one value from the each multiplicative representation, i.e. all nodes in c i are of the formx iỹj where i, j ∈ {0, 1, 2}. Therefore the nodes c i ∈ C can contain at most two non-linear share from an input. And hence any linear combinations of the nodes of C i.e. for all f ∈ F (1) (C ) cannot be fixed.
Thus we can conclude that there exits no constant function f ∈ F (1) (C ) when the inputs are fixed. This result is followed by there exits no constant function f ∈ F (2) (C) when the inputs are fixed by the Lemma 3.
In the second part of the proof we examine the highest degree term in the circuit. Similarly the maximum degree term can be found in line 18 of Algorithm 2 for And[n, 2]. We can see that the maximum degree term for this case is 6. Since we are looking into second-order combinations of the circuit i.e for all f ∈ F (1) (C ), the maximum degree can be stated as 12. Therefore the bias bound can be calculated as: ≤ |1/2 − 1/2 12 |. Thus C is -1-AS circuit with ≤ |1/2 − 1/2 12 | and C (the circuit representation of And[n, 2] gadget) is -2-AS circuit with ≤ |1/2 − 1/2 12 | Using the same idea we can prove that Xor[n, 2] gadget is -2-AS circuit with ≤ |1/2 − 1/2 6 |.

A Proof-of-Concept AES Implementation
In this section we introduce a white-box AES design based on the masking scheme defined in Section 3. The AES block cipher consists of multiple rounds of operations on its state. The operations include three linear layers: MixColumns, ShiftRows, and AddRoundKey and one non-linear layer SubBytes. The bitwise implementation for the linear operations can be defined straightforwardly. In our construction we use the bitwise AES-Sbox design by Boyar and Peralta [10] and the exact number of And and Xor gadgets within one round of AES-128 can be seen in Table 4. The total number of bitwise operations 5 can be calculated using Table 4 and the performance analysis in Table 2. A visual representation of AES-128 implementations with (n, 0) (i.e. ISW-transformation), (n, 1)-masking scheme and (n, 2)-masking scheme is shown in Figure 2. Moreover the analysis contains the algebraically secure gadgets where each input is associated with a RefreshMask gadget, and the idea of using two different masking schemes (first Minimalist quadratic Masking and second Boolean masking as in [4]). As seen in Figure 2, our hybrid constriction outperforms the idea of using a first order linear masking on top of a non-linear masking. As stated in [4] using a combination of two masks even with the first order protections requires roughly 200.000 gates per AES round. Since the foundation of our scheme is ISW transformation, we can increase the SCA security aspect of our scheme efficiently. However increasing the non-linear order is the bottleneck of our scheme. When we compare the smallest possible implementations, we see that one round of AES-128 with (2, 0), (2, 1) and (2, 2)-masking schemes requires 15201, 30808(90658) and 76358(270385) gates respectively where the values in the parenthesis correspond to the gadgets associated with RefreshMask gadgets. Clearly, RefreshMask gadgets impose a heavy overhead on our scheme. Therefore a significant performance advantage can be achieved by further optimizing the RefreshMask gadget. While the first order algebraically secure implementation requires a small overhead over an unprotected implementation, the second-order algebraically secure implementation comes with a substantial cost. One round of AES-128 with (2, 1), (3, 1) and (4, 1)-masking schemes requires 30808(90658), 46115(113945) and 64494(140304) gates respectively. Therefore we can conclude that, one can increase the security against computational attacks with small overhead. Furthermore, the randomness requirements of our scheme increases similarly to the ISW-transformation as seen in Figure 2.

Experimental Setup
To experimentally verify the security properties of our scheme we used the proofof-concept AES-128 implementation. The implementations using (n, 0), (n, 1) and (n, 2) masking schemes including the analysis are available as open source 6 . Software traces are simulated by encrypting N random plaintext and collecting the output of each node. We denote i th trace (corresponds to the encryption of i th plaintext) by t i = {v i 1 , . . . , v i M } where v i j denotes the output of j th node and M denotes the number of the nodes in the circuit. Using the software traces we demonstrate a simple leakage detection test by the test vector leakage assessment (TVLA) as proposed by Gilbert et al. [23]. In the first part of the test, two different sets of side-channel traces are collected by processing either a fixed input or a random input under the same conditions in a random pattern. After collecting the traces means (µ f , µ r ) and standard deviations (σ f , σ r ) for two sets are calculated. Welch's t-test is executed as in Equation (5) where n f and n r denote the number of traces for fixed and random sets respectively.
Using the experimental setup we implement a first order leakage detection test using 10000 traces (i.e. n f + n r = 10000) and M = 80000 (corresponds to the two round of AES-128). As expected the test results in no observable leakage. The illustration of the test can be seen in Figure 3.

Conclusion
White-box cryptography has become a popular method to protect cryptographic keys in an insecure software realm potentially controlled by the adversary. All white-box cryptosystems in the literature have been practically broken due to differential computation analysis. Moreover algebraic attacks have shown the inefficiency of classic side-channel countermeasures when they are applied in the white-box setting. Therefore, the need for a secure and reliable white-box implementation protected against both attacks has become evident.
We proposed the first masking scheme that combines linear and non-linear components to achieve resistance against computational and algebraic attacks. The new scheme extended the ISW transformation to resist algebraic attacks by increasing the order of the decoding function. It has been defined generic and can be applied to any orders of n and d, however the structure of the nodes should satisfy the algebraic properties. We have examined the implementation cost of our scheme for arbitrary orders of protection and compare it with the ISW transformation.
We analyzed the two prevalent security notions in white-box model, side channel analysis security and prediction security, and underlined the incompatibility of the notions, which reveals that a scheme should satisfy both notions. We used the well-known SCA security notion to prove the (n − 1) th order SCA security of an (n, d)-masking scheme and thus we showed that our scheme can resist (n − 1) th -order computation attacks. We proved first and second order prediction security for the concrete construction of the (n, 1) and (n, 2) masking scheme, respectively. Furthermore, the proposed methodology to prove the algebraic security can be extended to higher orders. We implemented our scheme to the algebraic verification tool to support our results and the code has been made publicly available. Finally, a proof-of-concept AES-128 bitwise implementation was provided to perform leakage detection and extensive performance analysis. The analysis showed that the new combined masking scheme outperforms the previous approaches which requires to combine two different masking schemes to resist both attacks.

A Additional Proofs
In this Appendix, we give proofs for Lemma 1, proof of correctness of our scheme, and Propositions that concern the security features of the gadgets whose proof is not given in the paper.
Hence we showed that the gadgets introduced in Section 3 are functionally preserving gadgets. Therefore, the transformation that generate an (n, d)-masked circuit is a functionally preserving transformation.
Proof (Proposition 3: (n − 1) th order SCA Security of Xor[n, d] gadget). In order to prove the proposition, we show that every set of intermediate variables with ≤ n − 1 elements can be simulated by two sets of input shares (x i ) i∈Ĩ and (x i ) i∈I such that |Ĩ| ≤ d + 1 and |I| ≤ n − 1 (resp. (ỹ j ) j∈J and (y j ) j∈J such that |J| ≤ d + 1 and |J| ≤ n − 1). We denote the concatenations of these tuples by U = ((x i ) i∈Ĩ , (x i ) i∈I ) and V = ((ỹ j ) j∈J , (y j ) j∈J ).
We first need to construct the sets of indices I andĨ corresponding to shares of x, and J andJ corresponding to shares of y.
-For all x i , y i , x i ⊕ y i (resp.x i ,ỹ i ,x i ⊕ỹ i ) add i to I and J (resp.Ĩ andJ).
-For allx iỹj add i toĨ and j toJ.
-For all i∈Kx i j / ∈Kỹ j where K {0, . . . , d} add all i ∈ K toĨ and add all j / ∈ K toJ.
According to our selection, we add at most one index to I (resp. J) and in the worst case d + 1 elements toĨ (resp.J). Clearly, every variable of the form x i , y i , x i ⊕ y i (resp.x i ,ỹ i ,x i ⊕ỹ i ) can be simulated by the sets U and V . Moreover every variable of the form i∈Kx i j / ∈Kỹ j where K {0, . . . , d} can be simulated according to our selection since even in the worst case scenario |Ĩ| = |J| = d + 1.
Hence, we show that any set of intermediate variables with ≤ n − 1 elements can be simulated by U = ((x i ) i∈Ĩ , (x i ) i∈I ) and V = ((ỹ j ) j∈J , (y j ) j∈J ) such that |Ĩ|, |J| ≤ d + 1 and |I|, |J| ≤ n − 1. By the definition of our masking, U and V are uniformly distributed and independent of any sensitive variable and hence the Xor gadget seen in Algorithm 1 is an (n − 1) th SCA secure gadget.
Proof (Proposition 4: -1-AS of RefreshMask[n, 1] Gadget). In the first part of the proof, we show that there exists no function f ∈ F (1) (C) such that f is constant when inputs are fixed. Assume that there exists a function f ∈ F (1) (C) such that f is constant when the inputs (x 0 ,x 1 , (x i ) 1≤i≤n ) are fixed. As seen in Algorithm 3 the only nodes that does not contain a random (i.e. not fixed) can be found in line 11 where the values W and R are processed. By the definition of W each input is accompanied by a random value. And R contains only random values. Therefore each each node is accompanied by a random node and any linear combination of these nodes cannot be constant. Hence there exists no constant function f ∈ F (1) (C) such that inputs are fixed.
In the second part, we examine the highest degree term in the gadget. The maximum degree term can be found in R with degree 2. Therefore the corresponding bias and the bias bound of the gadget can be calculated as 2 −2 and ≤ 1/2 − 1/2 2 = 1/4 respectively. Thus RefreshMask gadget is -1-AS with ε ≤ 1/4. Proof (Proposition 6: -2-AS of RefreshMask[n, 2] Gadget).
The first part of the proof follows the same structure of the proof of Proposition 7, and the same circuit extension idea used in the proof of Proposition 7. We reformulate the circuit C as follows: ((x 0 ,x 1 ,x 2 , (x i ) 1≤i≤n ), (ỹ 0 ,ỹ 1 ,ỹ 2 , (y i ) 1≤i≤n ),r) → (z 0 ,z 1 ,z 2 , (z i ) 1≤i≤n ).
By the Lemma 3 we can define the second order extension of the circuit C as follows: Assume that there exists a function f ∈ F (1) (C) such that f is constant when the inputs (x 0 ,x 1 , (x i ) 1≤i≤n ) are fixed. As seen in Algorithm 3 the only nodes that does not contain a random (i.e. not fixed) can be found in line 11 where the values W and R are processed. By the definition of W each input is accompanied by a random value. And R contains only random values. Since each each node is accompanied by a random node any linear combination of the