Tiny Security Hole: First-Order Vulnerability of Masked SEED and Its Countermeasure

Abstract

Side-channel analysis is a type of cryptanalysis that utilizes the physical leakage of a cryptographic device. An adversary exploits the relationship between a physical leakage and the secret intermediate value of an encryption algorithm. In order to prevent side-channel analysis, the masking method was proposed. Several masking methods of the ISO/IEC 18033-3 standard encryption algorithm SEED have been proposed, as the Korean financial IC (integrated circuit) card standard (CFIP.ST.FINIC-01-2021) mandates using a robust implementation of SEED as an encryption algorithm against side-channel analyses. However, vulnerabilities were reported, except for with only one masking method. This study proposes the first-order vulnerability of that masking method. That is, an adversary is able to perform a side-channel analysis with the same complexity as an unprotected implementation. In order to fix this vulnerability, we revise the masking method with negligible additional overhead. Its vulnerability and security are theoretically verified and experimentally demonstrated. The round key of the existing masking method is revealed with only 210 power consumption traces, while that of the proposed masking method is not disclosed with 10,000 traces.

1. Introduction

The physical leakages of computing devices, such as power consumption or electromagnetic emissions, are related to the data being processed. Hence, a cryptographic device could leak secret information through physical leakage. Side-channel analysis is a type of cryptanalysis that exploits a relationship between a physical leakage and the secret intermediate value of an encryption algorithm [1,2,3,4,5]. For instance, a correlation power analysis (CPA) reveals the secret key by investigating the correlation between power consumption and the hypothetical intermediate value calculated with a guessed key and known information (e.g., plaintext or ciphertext) [6]. Therefore, a security designer should implement an encryption algorithm so that the physical leakage is independent of a secret intermediate value [7,8,9]. Masking is a countermeasure against CPA that splits secret intermediate values using random masks [10]. The cryptographic device computes each share of the intermediate value separately. Hence, an adversary is unable to directly evaluate each guessed key based on the observed power consumption.

SEED is the ISO/IEC 18033-3 standard encryption algorithm developed by the Korea Internet and Security Agency (KISA) for financial applications [11]. Specifically, the Korean financial IC (integrated circuit) card standard mandates the use of a side-channel analysis-resistant SEED as its encryption algorithm [12]. Hence, several SEED masking methods have been proposed. Chang Kyun Kim et al. proposed the first masking method [13]. It was designed for memory efficiency by implementing two S-Boxes with one masked inverse table. To the best of our knowledge, the first-order vulnerability, which is that an intermediate value related to a secret key that is not concealed with a mask, of that masking method has not been reported. HeeSeok Kim et al. enhanced its computational efficiency by modifying the masked S-Box table to reduce the conversion from Boolean masking to arithmetic masking [14]. However, HeeSeok Kim’s masking method could be vulnerable because an adversary is able to reveal the mask by investigating the shape of the side-channel information emitted when calculating carry tables [15]. Therefore, this study inspects the vulnerability of Chang Kyun Kim’s masking method. To the best of our knowledge, the only known attack on a masking method is [16]. They proposed an efficient second-order CPA [17] attack when shuffling [10] and masking countermeasures are implemented.

Most Boolean masking schemes struggle to reduce the overhead related to the substitution operation. Linear operations require a few additional XOR operations because they generally consist of linear operations. In contrast, the substitution operation requires a precomputed table related to the mask. Consequently, the security designer typically focuses on constructing a masking scheme related to the substitution operation; security evaluators also target the substitution operation’s output. Our motivation is that the intermediate value of the linear operation could be exploited to disclose secret information with much lower attack complexity. This security hole could occur while combining substitution layer outputs in linear operations [18].

Our contributions

• Revealing the first-order vulnerability of the masked SEED:
  We propose the first-order vulnerability of the existing SEED masking method, the only method for which a vulnerability has not been reported. This vulnerability allows an adversary to reveal the secret key of the algorithm with the same difficulty as the unprotected SEED.
• Presenting a secure first-order SEED masking method:
  We patch the existing masking method to conceal every sensitive intermediate value. The proposed masking method does not use an additional random mask which necessitates a more expensive operation, such as a deterministic random number generator.
• Demonstrating the vulnerability of the existing countermeasure and the robustness of the proposed countermeasure:
  The methods’ vulnerability and robustness are demonstrated by performing a CPA and test vector leakage assessment (TVLA) [19]. The round keys of the existing masking method are revealed with only 210 traces, whereas the CPA of the proposed method failed to reveal the key with 10,000 traces.

2. Preliminaries

2.1. SEED

SEED is a 128-bit symmetric key encryption algorithm with a 16-round Feistel structure [11]. Figure 1 shows the structure of its Feistel function F. The function first computes the XOR (⊕) between the 32-bit inputs (C and D) and round keys ($K_{i,0}$ and $K_{i,1}$). Next, it calculates function G and the 32-bit modular addition (⊞) three times. Function G consists of two 8-bit S-Boxes $S_1$, $S_2$ permutated by ANDing with the constants $m_0=0\mathrm{x}\mathrm{fc},{\mathrm{m}}_1=0\mathrm{xf}3,{\mathrm{m}}_2=0\mathrm{xcf}$, and $m_3=0\mathrm{x}3\mathrm{f}$ and XORing four bytes. That is, the permutation is composed of a 6-bit extraction of each of the four S-Box outputs and their XORing. The SEED S-Boxes are defined as follows:

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill S_1\left(x\right)& =A_1·x^{247}\oplus 0\mathrm{xa}9,\hfill \\ \hfill S_2\left(x\right)& =A_2·x^{251}\oplus 0\mathrm{x}38,\hfill \end{array}\end{array}$$

(1)

where $A_1$ and $A_2$ are constant binary matrices and x is an element of the finite field ${\mathbb{Z}}_{2^8}$.

2.2. CPA and TVLA

CPA is a traditional side-channel analysis method that exploits the relationship between the power consumption of a cryptographic device and the intermediate value related to its secret key. An adversary first chooses a proper power model that describes the relationship between the manipulated data and the device’s power consumption. For instance, an adversary may use the Hamming weight model, which assumes that the power consumption is linearly related to the number of bit 1s of data. The power model allows the adversary to estimate the power consumption corresponding to the intermediate value. Thus, the adversary is able to evaluate each candidate key in the keyspace. The adversary calculates the hypothetical intermediate value by assuming that the secret key is the candidate key. Then, the candidate key is evaluated in terms of the linearity between the power consumption and the hypothetical power consumption, which is calculated by inputting the hypothetical intermediate value into the power model. The linearity is measured by the Pearson correlation coefficient. If the candidate key is correct, then the hypothetical power consumption is linearly related to the power consumption; the absolute correlation coefficient is close to 1. If the candidate key is incorrect, then the hypothetical intermediate value is mostly not equal to the actual intermediate value; the correlation coefficient is close to 0. The adversary decides that the candidate key with the highest absolute correlation coefficient is the secret key. In order to evaluate the performance of a CPA, the guessing entropy and the success rate are typically employed [20]. The guessing entropy is defined as the average rank of the secret key when sorting keys by their corresponding correlation coefficients. The success rate is the proportion of attacks where the secret key is sorted first among several attacks. The convergence of the guessing entropy and success rate to 1 indicates that every CPA successfully discloses the secret key.

In order to evaluate CPA resistance, TVLA is generally utilized [19]. TVLA measures whether power consumption depends on a secret intermediate value. An evaluator first divides the power consumption traces into two sets using a sensitive intermediate value. For instance, one set is constructed using traces of specific fixed plaintext, while another is random plaintext traces. Next, the statistical difference between the two sets is measured by Welch’s t-test, a statistical hypothesis test. The null hypothesis of the t-test is that the two population means are equal. Thus, rejecting the null hypothesis suggests that the side-channel trace depends on the secret intermediate value. The statistic T-value is defined as follows:

$$T={\displaystyle \frac{{\mu }_A-{\mu }_B}{\frac{{\sigma }_A^2}{N_A}+\frac{{\sigma }_B^2}{N_B}}},$$

where $N_A$, ${\mu }_A$, and ${\sigma }_A$ are the size, mean, and standard deviation of A, respectively. If the absolute T-value exceeds the threshold, the null hypothesis is rejected in favor of the alternative hypothesis. For instance, if the absolute T-value is greater than 4.5, the null hypothesis is rejected with a confidence level of 99.999%.

2.3. Existing SEED Masking Method

Chang Kyun Kim et al. proposed a memory-efficient masking method that implements two S-Boxes with one masked lookup table ${\mathbf{M}}^{-1}$, as illustrated in Figure 2 [11].

The power of x in Equation (1) can be calculated by $x^{247}=x^{255-8}={\left(x^{-1}\right)}^8,x^{251}=x^{255-4}={\left(x^{-1}\right)}^4$ because x is an element of the finite field ${\mathbb{Z}}_{2^8}$. Therefore, for constant binary matrices $C_1$ and $C_2$, the S-Boxes are expressed as follows:

$$\begin{array}{cccc}\hfill S_1\left(x\right)& =A_1·x^{247}\oplus 0\mathrm{xa}9\hfill & \hfill =& C_1·x^{-1}\oplus 0\mathrm{xa}9,\hfill \\ \hfill S_2\left(x\right)& =A_2·x^{251}\oplus 0\mathrm{x}38\hfill & \hfill =& C_2·x^{-1}\oplus 0\mathrm{x}38.\hfill \end{array}$$

The above equations signify that only the lookup table for the masked inverse operation is required to implement two S-Boxes. The masked inverse lookup table ${\mathbf{M}}^{-1}$ is defined as follows:

$${\mathbf{M}}^{-1}\left[x\oplus M_1\right]=x^{-1}\oplus M_4,$$

where $M_1$ and $M_4$ are random 8-bit numbers. As shown in Figure 2, masked the S-Boxes are calculated as follows:

$$\begin{array}{cccc}\hfill Masked{S}_1\left(x\oplus M_1\right)& =C_1·{\mathbf{M}}^{-1}\left[x\oplus M_1\right]\oplus M_6\hfill & \hfill =& C_1·\left(x^{-1}\oplus M_4\right)\oplus M_6\hfill \\ & =C_1·x^{-1}\oplus C_1·M_4\oplus M_6\hfill & \hfill =& C_1·x^{-1}\oplus M_5\oplus 0\mathrm{xa}9\oplus {\mathrm{M}}_6\hfill \\ & =S_1\left(x\right)\oplus M_3,\hfill & \hfill & \\ \hfill Masked{S}_2\left(x\oplus M_1\right)& =C_2·{\mathbf{M}}^{-1}\left[x\oplus M_1\right]\oplus M_1\hfill & \hfill =& C_2·\left(x^{-1}\oplus M_4\right)\oplus M_1\hfill \\ & =C_2·x^{-1}\oplus C_2·M_4\oplus M_1\hfill & \hfill =& C_2·x^{-1}\oplus M_2\oplus 0\mathrm{x}38\oplus {\mathrm{M}}_1\hfill \\ & =S_2\left(x\right)\oplus M_3,\hfill & \hfill \end{array}$$

where $M_2,M_3,M_5$, and $M_6$ are driven masks from $M_1$ and $M_4$ and defined as follows:

$$\begin{array}{cccc}\hfill M_2& =C_2·M_4\oplus 0\mathrm{x}38,{\mathrm{M}}_3\hfill & \hfill =& M_1\oplus M_2,\hfill \\ \hfill M_5& =C_1·M_4\oplus 0\mathrm{xa}9,{\mathrm{M}}_6\hfill & \hfill =& M_3\oplus M_5.\hfill \end{array}$$

3. First-Order Vulnerability of Masked SEED

3.1. Theoretical Analysis

The motivation of the proposed method is that the operands of the last XOR operation of the function G are concealed with the same mask, $M_3$. As XORing two masked intermediate values induces a canceling of the mask, the adversary is able to exploit the XOR output as an intermediate value of the first-order CPA. Even though the operands are ANDed before the XOR operation, a part of the mask is still canceled. The SEED AND constants $m_0$, $m_1$, $m_2$, and $m_3$ are designed to extract 6 bits of the S-Box output. Each $m_i$ is the left rotation of $m_{i-1}$ by 2. The binary representation of the constants is presented as follows:

$$\begin{array}{cccc}\hfill m_0& ={\left(11111100\right)}_2,m_1\hfill & \hfill =& {\left(11110011\right)}_2,\hfill \\ \hfill m_2& ={\left(11001111\right)}_2,m_3\hfill & \hfill =& {\left(00111111\right)}_2.\hfill \end{array}$$

Let us define $m_{i\&j}=m_i\wedge m_j$ and $m_{i-j}=m_i\wedge \overline{m_j}$; the bit of $m_{i-j}$ is set as one if, and only if, the corresponding bit of $m_i$ is one but the bit of $m_j$ is zero. That is, $m_{i-j}\wedge m_{i\&j}=0$ and $m_{i-j}\oplus m_{i\&j}=m_i$. Similarly, let us define $m_{i\&j\&k}=m_i\wedge m_j\wedge m_k$ and $m_{i\&j-k}=m_{i\&j}\wedge \overline{m_k}$. The definition of the AND constants directly drives the two properties below:

Property 1.

For all distinct $i,j\in \left\{0,1,2,3\right\},\mathrm{HW}\left(m_{i\&j}\right)=4$ and $\mathrm{HW}\left(m_{i-j}\right)=2$.

Property 2.

For all distinct $i,j,k\in \left\{0,1,2,3\right\},m_{i\&j-k}=m_{i-k}=m_{j-k}$.

$\mathrm{HW}$ denotes the Hamming weight, the number of 1s in binary representation.

XOR is a binary operator; the last XOR does not calculate four operands simultaneously. In order to investigate intermediate values during the last XOR, we utilize the following property:

Property 3.

$\left(A\wedge C\right)\oplus \left(B\wedge C\right)=\left(A\oplus B\right)\wedge C$.

Proof. 

The XOR between A and B can be implemented by AND (∧) and OR (∨) as $\left(A\wedge \overline{B}\right)\vee \left(\overline{A}\wedge B\right)$, where $\overline{A}$ is NOT A. Then, the following is derived:

$$\begin{array}{cc}\hfill & \left(A\oplus B\right)\wedge C\hfill \\ \hfill & =\left(\left(A\wedge \overline{B}\right)\vee \left(\overline{A}\wedge B\right)\right)\wedge C\hfill \\ \hfill & =\left(A\wedge \overline{B}\wedge C\right)\vee \left(\overline{A}\wedge B\wedge C\right)\hfill \\ \hfill & =\left(A\wedge \overline{B}\wedge C\right)\vee \left(\overline{A}\wedge B\wedge C\right)\vee 0\hfill \\ \hfill & =\left(A\wedge \overline{B}\wedge C\right)\vee \left(\overline{A}\wedge B\wedge C\right)\vee \left(\left(A\vee B\right)\wedge 0\right)\hfill \\ \hfill & =\left(A\wedge \overline{B}\wedge C\right)\vee \left(\overline{A}\wedge B\wedge C\right)\vee \left(\left(A\vee B\right)\wedge \left(\overline{C}\wedge C\right)\right)\hfill \\ \hfill & =\left(A\wedge \overline{B}\wedge C\right)\vee \left(\overline{A}\wedge B\wedge C\right)\vee \left(A\wedge \overline{C}\wedge C\right)\vee \left(B\wedge \overline{C}\wedge C\right)\hfill \\ \hfill & =\left(A\wedge C\wedge \left(\overline{B}\vee \overline{C}\right)\right)\vee \left(\left(\overline{A}\vee \overline{C}\right)\wedge B\wedge C\right)\hfill \\ \hfill & =\left(\left(A\wedge C\right)\wedge \overline{\left(B\wedge C\right)}\right)\vee \left(\overline{\left(A\wedge C\right)}\wedge \left(B\wedge C\right)\right)\hfill \\ \hfill & =\left(A\wedge C\right)\oplus \left(B\wedge C\right).\hfill \end{array}$$

□

Without a loss of generality, let the XOR calculate four operands in order, from the left to the right of Figure 2. The first operands are $\left(S_2\left[X_3\right]\oplus M_3\right)\wedge m_2$ and $\left(S_1\left[X_2\right]\oplus M_3\right)\wedge m_1$. Property 3 enables splitting the output of the first XOR, as shown below:

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill & \left(\left(S_2\left[X_3\right]\oplus M_3\right)\wedge m_2\right)\oplus \left(\left(S_1\left[X_2\right]\oplus M_3\right)\wedge m_1\right)\hfill \\ \hfill =& \left(\left(S_2\left[X_3\right]\oplus M_3\right)\wedge \left(m_{1\&2}\oplus m_{2-1}\right)\right)\oplus \left(\left(S_1\left[X_2\right]\oplus M_3\right)\wedge \left(m_{1\&2}\oplus m_{1-2}\right)\right)\hfill \\ \hfill =& \left(\left(S_2\left[X_3\right]\oplus M_3\right)\wedge m_{1\&2}\right)\oplus \left(\left(S_2\left[X_3\right]\oplus M_3\right)\wedge m_{2-1}\right)\oplus \hfill \\ \hfill & \left(\left(S_1\left[X_2\right]\oplus M_3\right)\wedge m_{1\&2}\right)\oplus \left(\left(S_1\left[X_2\right]\oplus M_3\right)\wedge m_{1-2}\right)\hfill \\ \hfill =& \left(\left(S_2\left[X_3\right]\oplus S_1\left[X_2\right]\right)\wedge m_{1\&2}\right)\oplus \left(\left(S_2\left[X_3\right]\oplus M_3\right)\wedge m_{2-1}\right)\oplus \left(\left(S_1\left[X_2\right]\oplus M_3\right)\wedge m_{1-2}\right).\hfill \end{array}\end{array}$$

(2)

As the output of AND between any two elements in the set $\left\{m_{1\&2},m_{2-1},m_{1-2}\right\}$ is zero, Equation (2) drives the following:

$$\begin{array}{cc}\hfill \left(\left(\left(S_2\left[X_3\right]\oplus M_3\right)\wedge m_2\right)\oplus \left(\left(S_1\left[X_2\right]\oplus M_3\right)\wedge m_1\right)\right)\wedge m_{1\&2}& =\left(S_2\left[X_3\right]\oplus S_1\left[X_2\right]\right)\wedge m_{1\&2},\hfill \\ \hfill \left(\left(\left(S_2\left[X_3\right]\oplus M_3\right)\wedge m_2\right)\oplus \left(\left(S_1\left[X_2\right]\oplus M_3\right)\wedge m_1\right)\right)\wedge m_{2-1}& =\left(S_2\left[X_3\right]\oplus M_3\right)\wedge m_{2-1},\hfill \\ \hfill \left(\left(\left(S_2\left[X_3\right]\oplus M_3\right)\wedge m_2\right)\oplus \left(\left(S_1\left[X_2\right]\oplus M_3\right)\wedge m_1\right)\right)\wedge m_{1-2}& =\left(S_1\left[X_2\right]\oplus M_3\right)\wedge m_{1-2}.\hfill \end{array}$$

The above equations indicate that the first XOR output consists of four bits of the unmasked XORed S-Box outputs $S_2\left[X_3\right]\oplus S_1\left[X_2\right]$ and two bits of the masked $S_2\left[X_3\right]\oplus M_3$ and $S_1\left[X_2\right]\oplus M_3$ attributed to Property 1.

Likewise, the output of the second XOR, whose operand is the first XOR output and $S_2\left[X_1\right]\oplus M_3$, consists of six bits of the unmasked intermediate value. As the output of AND between any two elements in $\{m_{0\&1\&2},m_{0\&1-2},m_{1\&2-0},$$m_{0\&2-1}\}$ is zero, the second XOR output can be split as shown in Equation (3). The second XOR output consists of two bits of each of the unmasked XORed S-Box outputs $S_2\left[X_3\right]\oplus S_1\left[X_2\right]$, $S_2\left[X_3\right]\oplus S_2\left[X_1\right]$, and $S_1\left[X_2\right]\oplus S_2\left[X_1\right]$ and two bits of masked $S_2\left[X_3\right]\oplus S_1\left[X_2\right]\oplus S_2\left[X_1\right]\oplus M_3$.

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill & \left(\left(S_2\left[X_3\right]\oplus S_1\left[X_2\right]\right)\wedge m_{1\&2}\right)\oplus \left(\left(S_2\left[X_3\right]\oplus M_3\right)\wedge m_{2-1}\right)\oplus \left(\left(S_1\left[X_2\right]\oplus M_3\right)\wedge m_{1-2}\right)\hfill \\ \hfill & \oplus \left(\left(S_2\left[X_1\right]\oplus M_3\right)\wedge m_0\right)\hfill \\ \hfill =& \left(\left(S_2\left[X_3\right]\oplus S_1\left[X_2\right]\right)\wedge \left(m_{1\&2-0}\oplus m_{0\&1\&2}\right)\right)\hfill \\ \hfill & \oplus \left(\left(S_2\left[X_3\right]\oplus M_3\right)\wedge m_{2-1}\right)\oplus \left(\left(S_1\left[X_2\right]\oplus M_3\right)\wedge m_{1-2}\right)\oplus \left(\left(S_2\left[X_1\right]\oplus M_3\right)\wedge m_0\right)\hfill \\ \hfill =& \left(\left(S_2\left[X_3\right]\oplus S_1\left[X_2\right]\right)\wedge m_{1\&2-0}\right)\oplus \left(\left(S_2\left[X_3\right]\oplus S_1\left[X_2\right]\right)\wedge m_{0\&1\&2}\right)\hfill \\ \hfill & \oplus \left(\left(S_2\left[X_3\right]\oplus M_3\right)\wedge m_{2-1}\right)\oplus \left(\left(S_1\left[X_2\right]\oplus M_3\right)\wedge m_{1-2}\right)\oplus \left(\left(S_2\left[X_1\right]\oplus M_3\right)\wedge m_0\right)\hfill \\ \hfill =& \left(\left(S_2\left[X_3\right]\oplus S_1\left[X_2\right]\right)\wedge m_{1-0}\right)\oplus \left(\left(S_2\left[X_3\right]\oplus S_1\left[X_2\right]\right)\wedge m_{0\&1\&2}\right)\hfill \\ \hfill & \oplus \left(\left(S_2\left[X_3\right]\oplus M_3\right)\wedge m_{2-1}\right)\oplus \left(\left(S_1\left[X_2\right]\oplus M_3\right)\wedge m_{1-2}\right)\oplus \left(\left(S_2\left[X_1\right]\oplus M_3\right)\wedge m_0\right)\hfill \\ \hfill & \left(\because \mathrm{Property}\right)\hfill \\ \hfill =& \left(\left(S_2\left[X_3\right]\oplus S_1\left[X_2\right]\right)\wedge m_{1-0}\right)\oplus \left(\left(S_2\left[X_3\right]\oplus S_1\left[X_2\right]\right)\wedge m_{0\&1\&2}\right)\hfill \\ \hfill & \oplus \left(\left(S_2\left[X_3\right]\oplus M_3\right)\wedge m_{2-1}\right)\oplus \left(\left(S_1\left[X_2\right]\oplus M_3\right)\wedge m_{1-2}\right)\hfill \\ \hfill & \oplus \left(\left(S_2\left[X_1\right]\oplus M_3\right)\wedge m_{2-1}\right)\oplus \left(\left(S_2\left[X_1\right]\oplus M_3\right)\wedge m_{1-2}\right)\hfill \\ \hfill & \oplus \left(\left(S_2\left[X_1\right]\oplus M_3\right)\wedge m_{0\&1\&2}\right)\hfill \\ \hfill & \left(\because m_0=m_{0-1}\oplus m_{0\&1}=m_{0-1}\oplus m_{0\&1-2}\oplus m_{0\&1\&2}=m_{2-1}\oplus m_{1-2}\oplus m_{0\&1\&2}\right)\hfill \\ \hfill =& \left(\left(S_2\left[X_3\right]\oplus S_1\left[X_2\right]\right)\wedge m_{1-0}\right)\hfill \\ \hfill & \oplus \left(\left(S_2\left[X_3\right]\oplus S_1\left[X_2\right]\oplus S_2\left[X_1\right]\oplus M_3\right)\wedge m_{0\&1\&2}\right)\hfill \\ \hfill & \oplus \left(\left(S_2\left[X_3\right]\oplus S_2\left[X_1\right]\right)\wedge m_{2-1}\right)\hfill \\ \hfill & \oplus \left(\left(S_1\left[X_2\right]\oplus S_2\left[X_1\right]\right)\wedge m_{1-2}\right).\hfill \end{array}\end{array}$$

(3)

Equations (2) and (3) evidently verify the presence of an unmasked secret intermediate value. Namely, the existing masking method has a first-order vulnerability and enables the adversary to perform a first-order CPA with the XORed S-Box outputs. If the adversary knows the order of the XORs, the adversary can utilize the exact intermediate value, such as $\left(S_2\left[X_3\right]\oplus S_1\left[X_2\right]\right)\wedge m_{1\&2}$ in Equation (2). Although the order is unkown to the adversary, the adversary can still perform a first-order CPA with the 8-bit XORed S-Box outputs. The left bits, which are not part of the intermediate value, like $\left(S_2\left[X_3\right]\oplus S_1\left[X_2\right]\right)\wedge \overline{m_{1\&2}}$ in Equation (2), drop the correlation. However, the 8-bit XORed S-Box outputs are still related to the power consumption.

The limitation of the proposed method is that it may reveal three of four bytes of the round key depending on the order of the XOR operation. Suppose that every four bytes of function G’s output is calculated by XORing four S-Box inputs in the same order. In this case, the round key associated with the last operand is unrelated to the proposed intermediate value, and the adversary reveals only three bytes of the round key; the round key related to the last operand is not revealed. On the other hand, if XOR calculates four operands in a different order, then the adversary reveals four bytes of the round key.

3.2. Experiments

The proposed method is demonstrated using the side-channel evaluation board ChipWhisperer-Lite XMEGA. A SEED compiled by avr-gcc 11.1.0 is executed on an 8-bit microcontroller ATXmega128D4-AU, and its power consumption during the calculation of the first function G is collected. The function G calculates the last XORs, from the left to the right of Figure 2. We measured 10,000 power consumption traces for each of the random plaintext and fixed plaintext encryptions for the TVLA. A CPA was performed ten times with different 10,000 traces to calculate the guessing entropy and success rate.

Figure 3 shows the point-wise T-value and the absolute correlation coefficient of the right intermediate value. The maximum absolute T-value of power consumption during the XOR operation is 76.1, which is considerably higher than the threshold of 4.5 (represented by the red line in the middle subplot of Figure 3). This outcome signifies that the null hypothesis is rejected with a confidence level of 99.999%. That is, the power consumption is related to the input; the mask does not conceal some of the intermediate values related to the input. For the CPA, we assume a practical attacker model in which the adversary does not know the order of the XORs; the 8 bits of the XORed S-Box outputs are used as an intermediate value. The bottom subplot of Figure 3 shows the absolute correlation coefficient of each intermediate value. $\left(X_3,X_2\right)$ in the legend indicates that the intermediate value is $S_2\left[X_3\right]\oplus S_1\left[X_2\right]$. As expected, in Section 3.1, the power consumption is related to the secret intermediate value. The correlation of the intermediate value derived from the front three XOR operands is significantly high. As an example, $\left(X_3,X_2\right)$, $\left(X_3,X_0\right)$, and $\left(X_2,X_1\right)$ are the proposed intermediate values for the first XOR operation over four inputs. The correlations of those intermediate values are significantly high during the first XOR operation (from 980 to 1640 points).

Figure 4 shows the absolute correlation coefficient of the correct and other keys according to the number of traces performed. If the number of traces exceeds 210, then the correlation of the correct key is greater than that of the 65,535 other incorrect keys. The correct key is evidently distinguishable if the number of traces exceeds 300. Figure 5 shows a guessing entropy and success rate that converge to one if the number of traces exceeds 210. Each CPA successfully reveals each round key with 210 traces. The CPA results exhibit the presence of a first-order vulnerability in the existing masking scheme.

4. Proposed Masking Scheme

4.1. Masking Scheme

The existing masking method has a first-order vulnerability because its S-Box outputs are concealed with the same mask. We patch this method by concealing the S-Box outputs with different masks. Figure 6 illustrates the proposed masking method. The dissimilarity between the proposed masking method and the existing method is highlighted. The outputs of $C_1$ and $C_2$ are already concealed with different masks, $M_2$ and $M_5$, respectively. Therefore, the proposed masking method only remasks the first two bytes by XORing $M_1^{\prime }$ and $M_2^{\prime }$ instead of $M_1$ and $M_6$, respectively, where $M_1^{\prime }=C_2·M_1$ and $M_2^{\prime }=C_1·M_1$. After XORing four S-Box outputs, they are remasked to $M_3$ by XORing $M_3^{\prime }$, $M_4^{\prime }$, $M_5^{\prime }$, and $M_6^{\prime }$, where

$$\begin{array}{cc}\hfill M_3^{\prime }=& \left(\left(M_1\oplus M_1^{\prime }\right)\wedge m_2\right)\oplus \left(\left(M_6\oplus M_2^{\prime }\right)\wedge m_1\right)\oplus \left(M_1\wedge m_0\right)\oplus \left(M_6\wedge m_3\right),\hfill \\ \hfill M_4^{\prime }=& \left(\left(M_1\oplus M_1^{\prime }\right)\wedge m_1\right)\oplus \left(\left(M_6\oplus M_2^{\prime }\right)\wedge m_0\right)\oplus \left(M_1\wedge m_3\right)\oplus \left(M_6\wedge m_2\right),\hfill \\ \hfill M_5^{\prime }=& \left(\left(M_1\oplus M_1^{\prime }\right)\wedge m_0\right)\oplus \left(\left(M_6\oplus M_2^{\prime }\right)\wedge m_3\right)\oplus \left(M_1\wedge m_2\right)\oplus \left(M_6\wedge m_1\right),\hfill \\ \hfill M_6^{\prime }=& \left(\left(M_1\oplus M_1^{\prime }\right)\wedge m_3\right)\oplus \left(\left(M_6\oplus M_2^{\prime }\right)\wedge m_2\right)\oplus \left(M_1\wedge m_1\right)\oplus \left(M_6\wedge m_0\right).\hfill \end{array}$$

The proposed masking method does not use an additional random mask. Generating a random mask substantially increases the computational overhead because it requires more expensive operations, such as a deterministic random number generator. The proposed masking method requires only two more XOR operations per function G. The generation of masking requires a supplementary six bytes of memory, 20 XORs, and 16 ANDs. The additional overhead is negligible because the conversion from Boolean masking to arithmetic masking is the primary overhead of the masking method.

In order to validate the security of the proposed masking scheme, Property 4 is defined as follows:

Property 4.

$M_2\oplus M_5$ and $M_1^{\prime }\oplus M_2^{\prime }$ are uniformly distributed if $M_4$ and $M_1$ are uniformly chosen.

Proof. 

The definitions of $C_1$ and $C_2$ drive $\left(C_2·i\right)\oplus \left(C_1·i\right)\ne \left(C_2·j\right)\oplus \left(C_1·j\right)$ for any distinct $i,j\in \left\{0,1,\cdots ,255\right\}$. □

Recall that $M_2=C_2·M_4\oplus 0\mathrm{x}38$, $M_5=C_1·M_4\oplus 0\mathrm{xa}9$, $M_1^{\prime }=C_2·M_1$, and $M_2^{\prime }=C_1·M_1$. The outputs of XOR between the two masks concealing the S-Box output are as shown below:

$$\begin{array}{cc}\hfill \left(M_2\oplus M_1^{\prime }\right)\oplus \left(M_5\oplus M_2^{\prime }\right)& =\left(M_2\oplus M_5\right)\oplus \left(M_1^{\prime }\oplus M_2^{\prime }\right),\hfill \\ \hfill \left(M_2\oplus M_1^{\prime }\right)\oplus M_2& =M_1^{\prime },\hfill \\ \hfill \left(M_2\oplus M_1^{\prime }\right)\oplus M_5& =\left(M_2\oplus M_5\right)\oplus M_1^{\prime },\hfill \\ \hfill \left(M_5\oplus M_2^{\prime }\right)\oplus M_2& =\left(M_2\oplus M_5\right)\oplus M_2^{\prime },\hfill \\ \hfill \left(M_5\oplus M_2^{\prime }\right)\oplus M_5& =M_2^{\prime },\hfill \\ \hfill M_2\oplus M_5& =M_2\oplus M_5.\hfill \end{array}$$

The above masks are uniformly distributed because of Property 4. For example, $\left(M_2\oplus M_5\right)$ and $\left(M_1^{\prime }\oplus M_2^{\prime }\right)$ are driven by independently chosen masks $M_4$ and $M_1$, respectively, and each is uniformly distributed. Therefore, the XOR output is also uniformly distributed.

The outputs of XOR between three masks concealing the S-Box output are shown below:

$$\begin{array}{cc}\hfill \left(M_5\oplus M_2^{\prime }\right)\oplus M_2\oplus M_5& =M_2\oplus M_2^{\prime },\hfill \\ \hfill \left(M_2\oplus M_1^{\prime }\right)\oplus M_2\oplus M_5& =M_1^{\prime }\oplus M_5,\hfill \\ \hfill \left(M_2\oplus M_1^{\prime }\right)\oplus \left(M_5\oplus M_2^{\prime }\right)\oplus M_5& =M_2\oplus \left(M_1^{\prime }\oplus M_2^{\prime }\right),\hfill \\ \hfill \left(M_2\oplus M_1^{\prime }\right)\oplus \left(M_5\oplus M_2^{\prime }\right)\oplus M_2& =M_5\oplus \left(M_1^{\prime }\oplus M_2^{\prime }\right).\hfill \end{array}$$

Similarly, $M_2$ and $M_5$ are derived from mask $M_4$, and $M_1^{\prime }$, $M_2^{\prime }$, and $M_1^{\prime }\oplus M_2^{\prime }$ are derived from mask $M_1$. Because $M_1$ and $M_4$ are independent, the output of XOR between any three masks is uniform.

4.2. Experiments

TVLA and CPA were performed in the same environment as in Section 3. All T-values are less than 4.5, as shown in the middle subplot of Figure 7; the maximum T-value is only 3.9. This result suggests that the difference between the means of the random plaintext traces and the fixed plaintext traces is insignificant. The proposed masking method successfully conceals intermediate values related to the input. In terms of the CPA, while the maximum absolute correlation coefficient of the existing masking method is 0.64, as shown in Figure 3, that of the proposed masking method is only as large as 0.04. This result suggests that the power consumption is unrelated to the proposed intermediate value, as shown in the bottom subplot.

CPA fails to reveal the secret key of the proposed masking method, as shown in Figure 8 and Figure 9. The absolute correlation coefficient of the correct key is less than that of an incorrect key for each S-Box output combination, as shown in Figure 8. Recall that the round key of the existing masking method was revealed with only 210 traces, and the correct key was clearly distinguishable from the incorrect keys, as shown in Figure 4. The correlation of the correct key when using the proposed method is indistinguishable even with 10,000 traces, and increasing the number of traces does not increase the correlation coefficient of the correct key. Each CPA fails to reveal the secret key, as shown in Figure 9. The guessing entropy is around 33,000, which is the expectation when the adversary randomly chooses the key. Moreover, increasing the number of traces does not decrease the guessing entropy. The results suggest that the proposed masking method does not have a first-order vulnerability.

We measured the number of clock cycles for each SEED component to compare the overhead between the existing and proposed countermeasures, as shown in

Table 1. Number of clock cycles for each SEED component.

	Existing Masking (Clock Cycle)	Proposed Masking (Clock Cycle)	Ratio
Masking generation	7174	7246	101.00%
Function G	136	160	117.65%
Entire encryption	153,821	154,973	100.75%

The ratio in the table is calculated by dividing the number of clock cycles of the proposed masking method by that of the existing masking method. As discussed in Section 4.1, the increase in overhead is negligible. The conversion from Boolean masking to arithmetic masking primarily contributes to the masking overhead. Although the number of clock cycles for the function G increased by 17 percentage points, the overall increase in encryption, including masking generation, is only 0.75 percentage points.

5. Conclusions

The existing masking method of the SEED has a first-order vulnerability because its S-Box outputs are concealed with the same mask. The mask is inevitably canceled because the function G performs XOR with its S-Box outputs. Hence, a CPA adversary is able to utilize the intermediate value of the last XOR operation and perform a first-order CPA on the masked SEED. That is, the adversary is able to disclose the secret key with the same complexity required as for its unprotected implementation. In order to fix the security hole, we proposed a masking method that concealed each S-Box output with a different mask but required negligible overhead. Its vulnerability and security were theoretically verified and practically demonstrated. A CPA performed on the existing masking method discloses the correct key with only 210 traces, whereas a CPA performed on the proposed masking method failed even with 10,000 traces.

The proposed security hole could also be present in other encryption algorithms. Although the AND operation is insufficient to prevent mask canceling, a security designer might mistakenly design a masking scheme to conceal the XOR operand with the same mask, like SEED. For instance, the block cipher ARIA also performs XOR on four S-Box outputs after the AND operation. Consequently, some ARIA masking methods might also have the same security holes as SEED masking. Our future work will investigate another masking scheme that has the proposed vulnerability and patch it.