{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,7,30]],"date-time":"2025-07-30T17:04:57Z","timestamp":1753895097973,"version":"3.41.2"},"reference-count":35,"publisher":"International Association for Cryptologic Research","license":[{"start":{"date-parts":[[2024,4,8]],"date-time":"2024-04-08T00:00:00Z","timestamp":1712534400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2024,6,3]]},"abstract":"<jats:p>Several cryptographic schemes, including lattice-based cryptography and the SHA-2 family of hash functions, involve both integer arithmetic and Boolean logic. Each of these classes of operations, considered separately, can be efficiently implemented under the masking countermeasure when resistance against vertical attacks is required. However, protecting interleaved arithmetic and logic operations is much more expensive, requiring either additional masking conversions to switch between masking schemes, or implementing arithmetic functions as nonlinear operations over a Boolean masking. Both solutions can be achieved by providing masked arithmetic addition over Boolean shares, which is an operation with relatively long latency and usually high area utilization in hardware. A further complication arises when the arithmetic performed by the scheme is over a prime modulus, which is common in lattice-based cryptography. In this work, we propose a first-order masked implementation of arithmetic addition over Boolean shares occupying a very small area, while still having reasonable latency. Our proposal is specifically tuned for efficient addition and subtraction modulo an arbitrary integer, but it can also be configured at runtime for power-of-two arithmetic. To the best of our knowledge, we propose the first such construction whose security is formally proven in the glitch+transition-robust probing model.<\/jats:p>","DOI":"10.62056\/aee0zoja5","type":"journal-article","created":{"date-parts":[[2024,7,8]],"date-time":"2024-07-08T15:52:04Z","timestamp":1720453924000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":0,"title":["Provably Secure and Area-Efficient Modular Addition over Boolean Shares"],"prefix":"10.62056","author":[{"given":"Guilh\u00e8m","family":"Assael","sequence":"first","affiliation":[{"id":[{"id":"https:\/\/ror.org\/01c74sd89","id-type":"ROR","asserted-by":"publisher"}],"name":"STMicroelectronics","place":["Rousset, France"]},{"id":[{"id":"https:\/\/ror.org\/05rwrfh97","id-type":"ROR","asserted-by":"publisher"}],"name":"Univ. Grenoble Alpes, CNRS, IF","place":["Grenoble, 38000, France"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8629-3021","authenticated-orcid":false,"given":"Philippe","family":"Elbaz-Vincent","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/05rwrfh97","id-type":"ROR","asserted-by":"publisher"}],"name":"Univ. Grenoble Alpes, CNRS, IF","place":["Grenoble, 38000, France"]}]}],"member":"48349","published-online":{"date-parts":[[2024,7,8]]},"reference":[{"key":"ref1:ESORICS:KSWH98","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"97","DOI":"10.1007\/BFb0055858","article-title":"Side Channel Cryptanalysis of Product Ciphers","volume-title":"ESORICS'98: 5th European Symposium on Research in Computer Security","volume":"1485","author":"John Kelsey","year":"1998"},{"key":"ref2:C:CJRR99","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"398","DOI":"10.1007\/3-540-48405-1_26","article-title":"Towards Sound Approaches to Counteract Power-Analysis Attacks","volume-title":"Advances in Cryptology \u2013 CRYPTO'99","volume":"1666","author":"Suresh Chari","year":"1999"},{"key":"ref3:EC:ProRiv13","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"142","DOI":"10.1007\/978-3-642-38348-9_9","article-title":"Masking against Side-Channel Attacks: A Formal Security Proof","volume-title":"Advances in Cryptology \u2013 EUROCRYPT\u00a02013","volume":"7881","author":"Emmanuel Prouff","year":"2013"},{"key":"ref4:C:IshSahWag03","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"463","DOI":"10.1007\/978-3-540-45146-4_27","article-title":"Private Circuits: Securing Hardware against Probing Attacks","volume-title":"Advances in Cryptology \u2013 CRYPTO\u00a02003","volume":"2729","author":"Yuval Ishai","year":"2003"},{"key":"ref5:TCHES:FGPPS18","doi-asserted-by":"publisher","first-page":"89","DOI":"10.13154\/tches.v2018.i3.89-120","article-title":"Composable Masking Schemes in the Presence of Physical Defaults & the Robust Probing Model","volume":"2018","author":"Sebastian Faust","year":"2018","journal-title":"IACR Transactions on Cryptographic Hardware and Embedded Systems","ISSN":"https:\/\/id.crossref.org\/issn\/2569-2925","issn-type":"electronic"},{"key":"ref6:EC:DucDziFau14","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"423","DOI":"10.1007\/978-3-642-55220-5_24","article-title":"Unifying Leakage Models: From Probing Attacks to Noisy Leakage","volume-title":"Advances in Cryptology \u2013 EUROCRYPT\u00a02014","volume":"8441","author":"Alexandre Duc","year":"2014"},{"key":"ref7:C:CFOS21","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"185","DOI":"10.1007\/978-3-030-84252-9_7","article-title":"Towards Tight Random Probing Security","volume-title":"Advances in Cryptology \u2013 CRYPTO\u00a02021, Part\u00a0III","volume":"12827","author":"Ga\u00ebtan Cassiers","year":"2021"},{"key":"ref8:TCHES:CasSta21","doi-asserted-by":"publisher","first-page":"136","DOI":"10.46586\/tches.v2021.i2.136-158","article-title":"Provably Secure Hardware Masking in the Transition- and Glitch-Robust Probing Model: Better Safe than Sorry","volume":"2021","author":"Ga\u00ebtan Cassiers","year":"2021","journal-title":"IACR Transactions on Cryptographic Hardware and Embedded Systems","ISSN":"https:\/\/id.crossref.org\/issn\/2569-2925","issn-type":"electronic"},{"key":"ref9:TCHES:FBRKSVS22","doi-asserted-by":"publisher","first-page":"414","DOI":"10.46586\/tches.v2022.i1.414-460","article-title":"Masked Accelerators and Instruction Set Extensions for Post-Quantum Cryptography","volume":"2022","author":"Tim Fritzmann","year":"2022","journal-title":"IACR Transactions on Cryptographic Hardware and Embedded Systems"},{"key":"ref10:TCHES:BGRSv21","doi-asserted-by":"publisher","first-page":"173","DOI":"10.46586\/tches.v2021.i4.173-214","article-title":"Masking Kyber: First- and Higher-Order Implementations","volume":"2021","author":"Joppe W. Bos","year":"2021","journal-title":"IACR Transactions on Cryptographic Hardware and Embedded Systems","ISSN":"https:\/\/id.crossref.org\/issn\/2569-2925","issn-type":"electronic"},{"key":"ref11:CHES:FisGam05","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"187","DOI":"10.1007\/11545262_14","article-title":"Masking at Gate Level in the Presence of Glitches","volume-title":"Cryptographic Hardware and Embedded Systems \u2013 CHES\u00a02005","volume":"3659","author":"Wieland Fischer","year":"2005"},{"key":"ref12:cassiers2020","doi-asserted-by":"publisher","first-page":"2542","DOI":"10.1109\/TIFS.2020.2971153","article-title":"Trivially and Efficiently Composing Masked Gadgets With Probe Isolating Non-Interference","volume":"15","author":"Ga\u00ebtan Cassiers","year":"2020","journal-title":"IEEE Transactions on Information Forensics and Security","ISSN":"https:\/\/id.crossref.org\/issn\/1556-6021","issn-type":"electronic"},{"key":"ref13:cassiers2021","doi-asserted-by":"publisher","first-page":"1677","DOI":"10.1109\/TC.2020.3022979","article-title":"Hardware Private Circuits: From Trivial Composition to Full Verification","volume":"70","author":"Ga\u00ebtan Cassiers","year":"2021","journal-title":"IEEE Transactions on Computers"},{"key":"ref14:SP:BMRT22","doi-asserted-by":"publisher","first-page":"142","DOI":"10.1109\/SP46214.2022.9833600","article-title":"IronMask: Versatile Verification of Masking Security","volume-title":"2022 IEEE Symposium on Security and Privacy","author":"Sonia Bela\u00efd","year":"2022"},{"key":"ref15:AC:KniSasMor20","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"787","DOI":"10.1007\/978-3-030-64837-4_26","article-title":"SILVER - Statistical Independence and Leakage Verification","volume-title":"Advances in Cryptology \u2013 ASIACRYPT\u00a02020, Part\u00a0I","volume":"12491","author":"David Knichel","year":"2020"},{"article-title":"CRYSTALS-KYBER","year":"2020","author":"Peter Schwabe","key":"ref16:NISTPQC-R3:CRYSTALS-KYBER20"},{"article-title":"CRYSTALS-DILITHIUM","year":"2020","author":"Vadim Lyubashevsky","key":"ref17:NISTPQC-R3:CRYSTALS-DILITHIUM20"},{"year":"2023","key":"ref18:fips203draft","article-title":"Module-Lattice-Based Key-Encapsulation Mechanism"},{"year":"2023","key":"ref19:fips204draft","article-title":"Module-Lattice-Based Digital Signature Standard"},{"key":"ref20:CHES:CorGroVad14","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"188","DOI":"10.1007\/978-3-662-44709-3_11","article-title":"Secure Conversion between Boolean and Arithmetic Masking of Any Order","volume-title":"Cryptographic Hardware and Embedded Systems \u2013 CHES\u00a02014","volume":"8731","author":"Jean-S\u00e9bastien Coron","year":"2014"},{"key":"ref21:EC:BBEFGR18","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"354","DOI":"10.1007\/978-3-319-78375-8_12","article-title":"Masking the GLP Lattice-Based Signature Scheme at Any Order","volume-title":"Advances in Cryptology \u2013 EUROCRYPT\u00a02018, Part\u00a0II","volume":"10821","author":"Gilles Barthe","year":"2018"},{"key":"ref22:macsorley1961","doi-asserted-by":"publisher","first-page":"67","DOI":"10.1109\/JRPROC.1961.287779","article-title":"High-Speed Arithmetic in Binary Computers","volume":"49","author":"O. L. MacSorley","year":"1961","journal-title":"Proceedings of the IRE"},{"key":"ref23:bedrij1962","doi-asserted-by":"publisher","first-page":"340","DOI":"10.1109\/IRETELC.1962.5407919","article-title":"Carry-Select Adder","volume":"EC-11","author":"O. J. Bedrij","year":"1962","journal-title":"IRE Transactions on Electronic Computers"},{"key":"ref24:lehman1961","doi-asserted-by":"publisher","first-page":"691","DOI":"10.1109\/TEC.1961.5219274","article-title":"Skip Techniques for High-Speed Carry-Propagation in Binary Arithmetic Units","volume":"EC-10","author":"M. Lehman","year":"1961","journal-title":"IRE Transactions on Electronic Computers"},{"key":"ref25:sklansky1960","doi-asserted-by":"publisher","first-page":"226","DOI":"10.1109\/TEC.1960.5219822","article-title":"Conditional-Sum Addition Logic","volume":"EC-9","author":"Jack Sklansky","year":"1960","journal-title":"IRE Transactions on Electronic Computers"},{"key":"ref26:wei1990","doi-asserted-by":"publisher","first-page":"666","DOI":"10.1109\/12.53579","article-title":"Area-time optimal adder design","volume":"39","author":"B.W.Y. Wei","year":"1990","journal-title":"IEEE Transactions on Computers"},{"key":"ref27:ACNS:SchMorGun15","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"559","DOI":"10.1007\/978-3-319-28166-7_27","article-title":"Arithmetic Addition over Boolean Masking \u2013 Towards First- and Second-Order Resistance in Hardware","volume-title":"ACNS 15: 13th International Conference on Applied Cryptography and Network Security","volume":"9092","author":"Tobias Schneider","year":"2015"},{"key":"ref28:bache2022","doi-asserted-by":"publisher","DOI":"10.3390\/app12052274","article-title":"Boolean Masking for Arithmetic Additions at Arbitrary Order in Hardware","volume":"12","author":"Florian Bache","year":"2022","journal-title":"Applied Sciences","ISSN":"https:\/\/id.crossref.org\/issn\/2076-3417","issn-type":"electronic"},{"article-title":"Compress: Reducing Area and Latency of Masked Pipelined Circuits","year":"2023","author":"Ga\u00ebtan Cassiers","key":"ref29:cassiers2023"},{"key":"ref30:CCS:KniMor22","doi-asserted-by":"publisher","first-page":"1799","DOI":"10.1145\/3548606.3559362","article-title":"Low-Latency Hardware Private Circuits","volume-title":"ACM CCS 2022: 29th Conference on Computer and Communications Security","author":"David Knichel","year":"2022"},{"key":"ref31:CHES:Goubin01","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/3-540-44709-1_2","article-title":"A Sound Method for Switching between Boolean and Arithmetic Masking","volume-title":"Cryptographic Hardware and Embedded Systems \u2013 CHES\u00a02001","volume":"2162","author":"Louis Goubin","year":"2001"},{"article-title":"Randomness Generation for Secure Hardware Masking \u2013 Unrolled Trivium to the Rescue","year":"2023","author":"Ga\u00ebtan Cassiers","key":"ref32:EPRINT:CMMMMS23"},{"key":"ref33:sadhukhan2019","doi-asserted-by":"publisher","first-page":"605","DOI":"10.1007\/s10836-019-05826-8","article-title":"Count Your Toggles: a New Leakage Model for Pre-Silicon Power Analysis of Crypto Designs","volume":"35","author":"Rajat Sadhukhan","year":"2019","journal-title":"Journal of Electronic Testing","ISSN":"https:\/\/id.crossref.org\/issn\/1573-0727","issn-type":"electronic"},{"key":"ref34:goodwill2011","first-page":"115","article-title":"A testing methodology for side-channel resistance validation","volume-title":"NIST non-invasive attack testing workshop","volume":"7","author":"Gilbert Goodwill","year":"2011"},{"key":"ref35:ding2018","doi-asserted-by":"publisher","first-page":"105","DOI":"10.1007\/978-3-319-75208-2_7","article-title":"Towards sound and optimal leakage detection procedure","volume-title":"Smart Card Research and Advanced Applications: 16th International Conference, CARDIS 2017, Lugano, Switzerland, November 13\u201315, 2017, Revised Selected Papers","author":"A. Adam Ding","year":"2018"}],"container-title":["IACR Communications in Cryptology"],"original-title":[],"language":"en","deposited":{"date-parts":[[2024,12,10]],"date-time":"2024-12-10T21:26:54Z","timestamp":1733866014000},"score":1,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/1\/2\/9"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,7,8]]},"references-count":35,"URL":"https:\/\/doi.org\/10.62056\/aee0zoja5","archive":["Internet Archive","Internet Archive"],"relation":{},"ISSN":["3006-5496"],"issn-type":[{"type":"electronic","value":"3006-5496"}],"subject":[],"published":{"date-parts":[[2024,7,8]]},"assertion":[{"value":"2024-04-08","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-06-03","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc1-2-27"}}
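The abstract above describes masked arithmetic addition over Boolean shares, reduced modulo an arbitrary runtime modulus or a power of two. The following is an added software illustration of that idea and is not the paper's hardware construction nor code from its authors: it keeps every secret as two Boolean shares, builds the adder from a textbook two-share ISW AND gadget and a masked carry recurrence, and reduces modulo q by computing s - q and selecting on its sign bit without ever recombining shares. The word width W = 16, the choice of ISW AND and ripple-style carry chain, and the sample moduli (Kyber's q = 3329 and the power of two 4096) are this example's own assumptions. A pure-software model like this captures only algorithmic (probing) security; the glitch and transition effects that the paper's hardware proof accounts for are outside it.

```python
"""Software model of first-order Boolean-masked addition and subtraction
modulo a runtime modulus q, arbitrary or a power of two.

Added illustration, not the paper's hardware construction.  A secret word x
is held as two shares (x0, x1) with x = x0 ^ x1.  Linear operations (XOR,
NOT, shift, constants) act share-wise; the only nonlinear gadget is a
two-share ISW AND that consumes one fresh random word.  This models the
algorithmic masking only: glitches and register transitions, which the
paper's hardware proof covers, are outside this model.
"""
import secrets

W = 16                   # assumed working width; the reduction needs 2*q <= 2**W
MASK = (1 << W) - 1


def split(x):
    """Mask a W-bit value with a fresh random share."""
    r = secrets.randbits(W)
    return (x ^ r) & MASK, r


def unmask(s):
    return (s[0] ^ s[1]) & MASK


def mxor(a, b):
    return a[0] ^ b[0], a[1] ^ b[1]


def mconst(c):
    """A public constant enters as shares (c, 0)."""
    return c & MASK, 0


def mnot(a):
    """Bitwise complement flips exactly one share."""
    return a[0] ^ MASK, a[1]


def mshl1(a):
    return (a[0] << 1) & MASK, (a[1] << 1) & MASK


def mand(a, b):
    """Two-share ISW AND with one fresh random word r.  The cross term
    a0&b1 is blinded by r before a1&b0 is accumulated, so no single
    intermediate value depends on both unmasked inputs."""
    r = secrets.randbits(W)
    z0 = (a[0] & b[0]) ^ r
    t = r ^ (a[0] & b[1])
    t ^= a[1] & b[0]
    return z0, (a[1] & b[1]) ^ t


def madd_pow2(a, b):
    """a + b mod 2**W over Boolean shares via a masked carry recurrence:
    carry_{i+1} = g_i ^ (p_i & carry_i) with g = a&b and p = a^b.  g and p
    are never both set, so XOR equals OR.  Costs W masked ANDs in total."""
    p = mxor(a, b)
    g = mand(a, b)
    c = mconst(0)
    for _ in range(W - 1):       # after i rounds, carries through chains of length <= i are right
        c = mshl1(mxor(g, mand(p, c)))
    return mxor(p, c)


def mreduce(s, q):
    """Shares of s mod q for s in [0, 2q).  t = s - q mod 2**W has its top
    bit set exactly when s < q (requires 2q <= 2**W), so that bit selects
    s or t without ever unmasking."""
    t = madd_pow2(s, mconst(-q))
    # Sign-extend the top bit of each share separately: linear in the shares.
    m = tuple((-((ti >> (W - 1)) & 1)) & MASK for ti in t)
    return mxor(t, mand(m, mxor(s, t)))


def madd_mod(a, b, q):
    """(a + b) mod q for shared a, b in [0, q)."""
    return mreduce(madd_pow2(a, b), q)


def msub_mod(a, b, q):
    """(a - b) mod q: form q - b = q + (~b + 1), which lies in [1, q], then
    a + (q - b) lies in [1, 2q - 1] and a single reduction suffices."""
    q_minus_b = madd_pow2(madd_pow2(mnot(b), mconst(1)), mconst(q))
    return mreduce(madd_pow2(a, q_minus_b), q)


def demo(q, a, b):
    """Mask, compute both operations, unmask.  Returns ((a+b)%q, (a-b)%q)."""
    sa, sb = split(a), split(b)
    return unmask(madd_mod(sa, sb, q)), unmask(msub_mod(sa, sb, q))


def exhaustive_check(q):
    """Compare against plain arithmetic over every operand pair of a small q."""
    return all(demo(q, a, b) == ((a + b) % q, (a - b) % q)
               for a in range(q) for b in range(q))


if __name__ == "__main__":
    for q in (3329, 4096):       # Kyber's prime modulus, then a power of two
        for a, b in ((0, 0), (1, 2), (q - 1, q - 1), (5, 7)):
            assert demo(q, a, b) == ((a + b) % q, (a - b) % q)
    assert exhaustive_check(17)
    print("masked modular add/sub: ok")
```

The cost structure is the point the abstract makes: every XOR, NOT, shift and constant injection is free of randomness, while each of the W carry steps and the final select each need one masked AND with its own fresh random word, which is why masked adders dominate area and latency in hardware and why a constant-area, modulus-agnostic gadget is worth having. Switching q between 3329 and 4096 at runtime changes no code path, only the constant fed to mconst.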