Resumen
A masking method is a widely known countermeasure against side-channel attacks. To apply a masking method to cryptosystems consisting of Boolean and arithmetic operations, such as ARX (Addition, Rotation, XOR) block ciphers, a masking conversion algorithm should be used. Masking conversion algorithms can be classified into two categories: ?Boolean to Arithmetic (B2A)? and ?Arithmetic to Boolean (A2B)?. The A2B algorithm generally requires more execution time than the B2A algorithm. Using pre-computation tables, the A2B algorithm substantially reduces its execution time, although it requires additional space in RAM. In CHES2012, B. Debraize proposed a conversion algorithm that somewhat reduced the memory cost of using pre-computation tables. However, they still require (2(??+1))
(
2
(
k
+
1
)
)
entries of length (??+1)
(
k
+
1
)
-bit where k denotes the size of the processed data. In this paper, we propose a low-memory algorithm to convert A2B masking that requires only (2??)(??)
(
2
k
)
(
k
)
-bit. Our contributions are three-fold. First, we specifically show how to reduce the pre-computation table from (??+1)
(
k
+
1
)
-bit to (??)
(
k
)
-bit, as a result, the memory use for the pre-computation table is reduced from (2(??+1))(??+1)
(
2
(
k
+
1
)
)
(
k
+
1
)
-bit to (2??)(??)
(
2
k
)
(
k
)
-bit. Second, we optimize the execution times of the pre-computation phase and the conversion phase, and determine that our pre-computation algorithm requires approximately half of the operations than Debraize?s algorithm. The results of the 8/16/32-bit simulation show improved speed in the pre-computation phase and the conversion phase as compared to Debraize?s results. Finally, we verify the security of the algorithm against side-channel attacks as well as the soundness of the proposed algorithm.