Optimal First-Order Masking with Linear and Non-Linear Bijections
Source: University of Paris
Hardware implementations of block-oriented cryptographic functions are vulnerable to side-channel attacks, yet their lack of algebraic structure makes them hard to protect efficiently. Boolean masking is one way to secure them, because it can be adapted to any implemented function. Early masking schemes used only one mask per datum to protect. The overall computation is unaltered if the shares (masked variable and mask) are processed concomitantly, in two distinct registers. Nonetheless, this setup can be attacked by a zero-offset second-order correlation power analysis (CPA). The countermeasure can be improved by manipulating the mask through a bijection F, aimed at reducing the dependency between the shares.
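As an added illustration (not code from the paper), the Python sketch below compares the second-order leakage of the two shares when the mask is stored unchanged and when it is passed through a bijection F. It assumes 4-bit registers, a noise-free Hamming-weight leakage summed over both registers, and a linear F chosen here for the demonstration; all function names are hypothetical.

```python
# Added example: leakage model, register width and F are assumptions,
# not taken from the paper.
N = 4                      # register width in bits (assumed)
FULL = (1 << N) - 1        # all-ones word


def hw(v):
    """Hamming weight of an integer."""
    return bin(v).count("1")


def f_identity(m):
    """Mask stored unchanged: the early two-register scheme."""
    return m


def f_linear(m):
    """Linear bijection over GF(2)^4 (matrix J + I): complement m when its
    parity is odd. No output bit equals a single input bit."""
    return m ^ FULL if hw(m) & 1 else m


def is_bijection(f):
    return sorted(f(m) for m in range(1 << N)) == list(range(1 << N))


def leak_variance(x, f):
    """Variance over a uniform mask m of HW(x ^ m) + HW(F(m)).
    This is the quantity a zero-offset second-order analysis relies on."""
    leaks = [hw(x ^ m) + hw(f(m)) for m in range(1 << N)]
    mean = sum(leaks) / len(leaks)
    return sum((l - mean) ** 2 for l in leaks) / len(leaks)


def variance_profile(f):
    """Map each sensitive value x to the variance of the combined leakage."""
    return {x: leak_variance(x, f) for x in range(1 << N)}


if __name__ == "__main__":
    for name, f in (("identity", f_identity), ("linear F", f_linear)):
        profile = variance_profile(f)
        print(name, "bijection:", is_bijection(f))
        print("  variance by x:", [profile[x] for x in range(1 << N)])
```

With the identity the variance equals 4 - HW(x), so it tracks the sensitive value; with this F it is 2 for every x. The check covers only the second-order moment under the assumed model.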