TY  - JOUR
AU  - Valiveti, Annapurna
AU  - Vivek, Srinivas
PY  - 2020/08/26
Y2  - 2024/03/28
TI  - Second-Order Masked Lookup Table Compression Scheme
JF  - IACR Transactions on Cryptographic Hardware and Embedded Systems
JA  - TCHES
VL  - 2020
IS  - 4
SE  - Articles
DO  - 10.13154/tches.v2020.i4.129-153
UR  - https://tches.iacr.org/index.php/TCHES/article/view/8679
SP  - 129-153
AB  - Masking by lookup table randomisation is a well-known technique used to achieve side-channel attack resistance for software implementations, particularly against DPA attacks. The randomised table technique for first- and second-order security requires about m·2^n bits of RAM to store an (n,m)-bit masked S-box lookup table. Table compression helps in reducing the amount of memory required, and this is useful for highly resource-constrained IoT devices. Recently, Vadnala (CT-RSA 2017) proposed a randomised table compression scheme for first- and second-order security in the probing leakage model. This scheme reduces the RAM memory required by about a factor of 2^l, where l is a compression parameter. Vivek (Indocrypt 2017) demonstrated an attack against the second-order scheme of Vadnala. Hence achieving table compression at second and higher orders is an open problem. In this work, we propose a second-order secure randomised table compression scheme which works for any (n,m)-bit S-box. Our proposal is a variant of Vadnala's scheme that is not only secure but also significantly improves the time-memory trade-off. Specifically, we improve the online execution time by a factor of 2^(n−l). Our proposed scheme is proved 2-SNI secure in the probing leakage model. We have implemented our method for AES-128 on a 32-bit ARM Cortex processor. We are able to reduce the memory required to store a randomised S-box table for second-order AES-128 implementation to 59 bytes.
ER  - 