
htable's Introduction

Higher Order Countermeasures for AES and DES

We provide a C implementation of the anti-DPA countermeasure based on table recomputation described in [Cor14], and its variants described in [CRZ17]. We also provide a C implementation of the Rivain-Prouff countermeasure for AES [RP10] and of the Carlet et al. countermeasure [CGP+12] implemented with the Coron-Roy-Vivek technique [CRV14].

These countermeasures are shown to be secure against a t-th order DPA attack, when the number of shares n is such that n>=2t+1 (or n>=t+1 in some cases).

The countermeasures are implemented for the DES and AES block ciphers.

What is implemented

  • AES without countermeasure
  • AES with the Rivain-Prouff countermeasure [RP10]
  • AES with the table recomputation countermeasure and its variants [Cor14]
  • AES with various PRG constructions.
  • DES without countermeasure
  • DES with Carlet et al. countermeasure, with the Parity-Split method for Sbox computation (requiring 10 non-linear multiplications) [CGP+12]
  • DES with the improved method from Roy-Vivek (requiring 7 non-linear multiplications).
  • DES with the [CRV14] method (requiring only 4 non-linear multiplications).
  • DES with the table recomputation countermeasure and its variants [Cor14, CRZ17]

Notes

  • We have not protected the key schedule. We therefore assume that the block cipher initially receives the shares of the subkeys, instead of the shares of the key. Moreover, we have not implemented the refresh of the key between executions; the implementation would therefore be secure only in a restricted model in which the same intermediate variables are always probed. To get security in the full model, one would need to refresh the subkeys between executions.

  • We do not claim that in practice the implementation would be secure against a t-th order attack. The implementation is provided only for illustrative purposes and for timing comparisons. Obtaining a secure implementation would require carefully examining the assembly code. In particular, one should make sure that no two shares of the same variable are stored in the same register.
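The share refresh that the first note calls for, together with the masked GF(2^8) multiplication at the core of the Rivain-Prouff scheme [RP10], can be sketched as follows. This is an added example, not code from the htable repository; the function names, the choice N = 3, and the use of rand() as a stand-in randomness source are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#define N 3 /* shares per variable (assumed): n = 2t+1 with t = 1 */

/* Stand-in randomness only: rand() must not be used for real masking. */
static uint8_t rnd8(void) { return (uint8_t)(rand() & 0xff); }

/* Branch-free multiplication in GF(2^8) mod x^8+x^4+x^3+x+1 (AES field). */
uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    for (int i = 0; i < 8; i++, b >>= 1) {
        p ^= (uint8_t)(a & -(b & 1));                 /* add a if bit set */
        a = (uint8_t)((a << 1) ^ (0x1b & -(a >> 7))); /* multiply a by x  */
    }
    return p;
}

/* Split x into N Boolean shares: x = s[0] ^ s[1] ^ ... ^ s[N-1]. */
void share(uint8_t x, uint8_t s[N]) {
    s[0] = x;
    for (int i = 1; i < N; i++) { s[i] = rnd8(); s[0] ^= s[i]; }
}

/* Re-randomize the shares without changing the value they encode. */
void refresh(uint8_t s[N]) {
    for (int i = 1; i < N; i++) { uint8_t r = rnd8(); s[0] ^= r; s[i] ^= r; }
}

uint8_t unshare(const uint8_t s[N]) { /* recombine: for checking only */
    uint8_t x = 0;
    for (int i = 0; i < N; i++) x ^= s[i];
    return x;
}

/* Masked multiply: c becomes a sharing of unshare(a) * unshare(b). */
void sec_mult(const uint8_t a[N], const uint8_t b[N], uint8_t c[N]) {
    for (int i = 0; i < N; i++) c[i] = gf_mul(a[i], b[i]);
    for (int i = 0; i < N; i++)
        for (int j = i + 1; j < N; j++) {
            uint8_t r = rnd8(); c[i] ^= r; /* fresh mask per (i, j) pair */
            c[j] ^= (uint8_t)((r ^ gf_mul(a[i], b[j])) ^ gf_mul(a[j], b[i]));
        }
}

/* Hypothetical driver: share, refresh, multiply on shares, recombine. */
uint8_t masked_product(uint8_t x, uint8_t y) {
    uint8_t a[N], b[N], c[N];
    share(x, a); share(y, b); refresh(a); refresh(b);
    sec_mult(a, b, c);
    return unshare(c);
}
```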

References

[Cor14] Jean-Sébastien Coron. Higher order masking of look-up tables. In Advances in Cryptology - EUROCRYPT 2014 - 33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, May 11-15, 2014. Proceedings, pages 441–458, 2014.

[RP10] Matthieu Rivain and Emmanuel Prouff. Provably secure higher-order masking of AES. In CHES, pages 413–427, 2010.

[CGP+12] Claude Carlet, Louis Goubin, Emmanuel Prouff, Michaël Quisquater, and Matthieu Rivain. Higher-order masking schemes for s-boxes. In FSE, pages 366–384, 2012.

[CRV14] Jean-Sébastien Coron, Arnab Roy, and Srinivas Vivek. Fast evaluation of polynomials over binary finite fields and application to side-channel countermeasures. In Cryptographic Hardware and Embedded Systems - CHES 2014 - 16th International Workshop, Busan, South Korea, September 23-26, 2014. Proceedings, pages 170–187, 2014.

[CRZ17] Jean-Sébastien Coron, Franck Rondepierre, and Rina Zeitoun. High order masking of look-up tables with common shares. IACR Cryptology ePrint Archive, 2017:271, 2017.
