Squeezing polynomial masking in tower fields a higher-order masked AES S-box

Abstract

Polynomial masking is a higher-order and glitch-resistant masking scheme to protect cryptographic implementations against sidechannel attacks. Polynomial masking was introduced at CHES 2011, while a 1st-order polynomially masked AES S-box hardware implementation was presented at CHES 2013, and later on improved at TIs 2016. Polynomial masking schemes are advantageous in the way they can be easily adapted to every block-cipher and inherently scaled to any masking order using simple hardware design patterns. As a drawback, they typically have large area, time, and randomness requirements when compared to other masking schemes, e.g. threshold implementations. In this work, we show how tower fields can be perfectly committed to polynomial masking schemes, to reduce both area and randomness requirements of higher-order polynomially masked implementations, with application to AES. We provide ASIC synthesis results up to the 6thmasking order and perform side-channel attacks on a Xilinx Spartan6 FPGA up to the 2ndmasking order.