Mask Compression: High-Order Masking on Memory-Constrained Devices

Masking is a well-studied method for achieving provable security against side-channel attacks. In masking, each sensitive variable is split into d randomized shares, and computations are performed with those shares. In addition to the computational overhead of masked arithmetic, masking also has a storage cost, increasing the requirements for working memory and secret key storage proportionally with d. In this work, we introduce mask compression. This conceptually simple technique is based on standard, non-masked symmetric cryptography. Mask compression allows an implementation to dynamically replace individual shares of large arithmetic objects (such as polynomial rings) with kappa-bit cryptographic seeds (or temporary keys) when they are not in computational use. Since kappa does not need to be larger than the security parameter (e.g., kappa = 256 bits) and each polynomial share may be several kilobytes in size, this radically reduces the memory requirement of high-order masking. Overall provable security properties can be maintained using appropriate gadgets to manage the compressed shares. We describe gadgets with Non-Interference (NI) and composable Strong-Non Interference (SNI) security arguments. Mask compression can be applied in various settings, including symmetric cryptography, code-based cryptography, and lattice-based cryptography. It is especially useful for cryptographic primitives that allow quasilinear-complexity masking and are practically capable of very high masking orders. We illustrate this with a d = 32 (Order-31) implementation of the recently introduced lattice-based signature scheme Raccoon on an FPGA platform with limited memory resources.