CryptoDB
Chaoran Wang
Publications and invited talks
| Year | Venue | Title |
|------|-------|-------|
| 2025 | TCHES | Pushing The Area Limit of Composable Gadgets: Low-Area Hardware Masked Circuits with Fewer Sources of Randomness |
Abstract
With the dramatic increase of easily accessible IoT devices, there is a growing demand to protect these cryptographic hardware implementations against Side-Channel Analysis (SCA) attacks. Among the various proposed countermeasures against SCA, masking is a widely adopted one. Constructing a correct and secure masking hardware scheme is a challenging task, even for experienced engineers. Composable gadgets have recently been proposed to facilitate the process of masking large circuits by using the free composition property. For composable gadget design, besides composability, minimizing hardware overhead in the overall composable masking scheme is also an important factor. To reduce the area overhead, we propose first- and second-order composable gadgets based on a ring circuit design, named OBS. The design of the ring circuit reduces the number of registers and sources of randomness, thereby reducing the area of the gadgets. From the perspective of composing large masked circuits, we propose several optimization methods based on the characteristics of ring circuits, such as register optimization, the frozen technique and the bubble strategy. These optimization methods can further optimize the overall area of the masked circuit. Furthermore, we also provide the proof of the first- and second-order security of the OBS gadgets under the glitch- and transition-extended probe model. To show the area advantage of the OBS schemes, we give the area comparison results with other schemes at the gadget level and the masked circuit level. The best optimization rate compared to the state-of-the-art can reach 40% for the AES S-box. The comparison results of different implementations show that our scheme outperforms various other composable masking schemes in terms of area overhead. We also use the formal verification tool SILVER and practical FPGA-based experiments to confirm the claimed first- and second-order security.
Coauthors
- Yanhong Fan (1)
- Guowei Liu (1)
- Chaoran Wang (1)
- Meiqin Wang (1)
- Lixuan Wu (1)