Conference: International conference on cryptology in India

Revisiting a Masked Lookup-Table Compression Scheme


Abstract

Lookup-table based side-channel countermeasure is the prime choice for masked S-box software implementations at very low orders. To mask an n-bit to m-bit S-box at first- and second-orders, one requires a temporary table in RAM of size m · 2^n bits. Recently, Vadnala (CT-RSA 2017) suggested masked table compression schemes at first- and second-orders to reduce the table size by (approximately) a factor of 2^l, where l is a parameter. Though greater compression results in a greater execution time, these proposals would still be attractive for highly resource constrained devices. In this work, we contradict the second-order security claim of the second-order table compression scheme by Vadnala. We do this by exhibiting several pairs of intermediate variables that jointly depend on the bits of the secret. Motivated by the fact that randomness is also a costly resource for highly resource constrained devices, we then propose a variant of the first-order table compression scheme of Vadnala that has the new randomness complexity of about l instead of 2^l for the original proposal. We achieve this without inducing any noticeable difference in the overall execution time or memory requirement of the original scheme. Finally, we show that the randomness complexity of l is optimal in an algebraic sense.