ABSTRACT

The remainder of the paper is organized as follows. Section 2 presents related work. Section 3 describes the RSM scheme and the S-box reuse masking scheme. Section 4 concludes this paper.

2 RELATED WORK

LUT-based masking schemes always adopt the table re-computation technique. In 1999 (Chari 1999), Chari et al. first proposed this scheme, in which the S-box was randomized into T(x) = S(x ⊕ r) ⊕ s, where x was an eight-bit unmasked data byte, r was the input mask and s was the output mask. This scheme masked only the first and last rounds and was proven secure only against first-order DPA. Later, many high-order masking schemes were proposed, but most of these countermeasures brought a significant cost overhead in terms of memory, time or both. In order to make the masking schemes practicable, various LEMSs were proposed. In 2001 (Itoh 2001), Itoh et al. proposed the fixed value masking scheme to reduce the RAM and computation time needed for the masked S-box. The main idea of this scheme was to use the same group of masking values for each round of encryption, with each state byte also using the same masking byte; this idea can be expressed in the form T(x) = S(x ⊕ r) ⊕ r. The random masks and the recomputed S-boxes were stored in the ROM in advance, and one of the pairs was selected randomly during the encryption process. This reduced not only the processor load of the chip, but also the space occupied in RAM. The disadvantage of the scheme was that it resisted only first-order CPA attacks. In 2012 (Nassar 2012), Nassar et al. proposed the RSM scheme. RSM belongs to the fixed value masking schemes but, unlike any previous masking scheme, all of its S-boxes were different; RSM is described in detail in Section 3.1. Furthermore, RSM has the advantage of counteracting first-order and zero-offset second-order DPA. In 2014 (Yamashita 2014), Yamashita et al. proposed a variant of RSM that reduced the complexity further by omitting the re-masking operation for the intermediate rounds, which was necessary for RSM. However, the output masking values were determined by the input masking values.
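The table re-computation relations quoted above, T(x) = S(x ⊕ r) ⊕ s and the fixed value form T(x) = S(x ⊕ r) ⊕ r, can be checked with a short sketch. This is an added example, not code from the paper or the cited works; it assumes the AES S-box (the text only specifies an eight-bit S-box), and all function names are hypothetical. It illustrates the mask algebra only and offers no side-channel protection of its own.

```python
import secrets

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return p

def build_sbox():
    """AES S-box (assumed here): field inverse followed by the affine map."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0)
        out = 0x63
        for shift in range(5):
            out ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        sbox.append(out)
    return sbox

SBOX = build_sbox()

def recompute_table(r, s):
    """Table re-computation: T(x) = S(x ^ r) ^ s for every 8-bit x."""
    return [SBOX[x ^ r] ^ s for x in range(256)]

def masked_lookup(x, r, s):
    """Return (S(x) ^ s, S(x)); the second value is only for checking."""
    table = recompute_table(r, s)
    x_masked = x ^ r             # the lookup index is the masked input
    y_masked = table[x_masked]   # T(x ^ r) = S(x) ^ s, still masked
    return y_masked, y_masked ^ s

def fixed_value_table(r):
    """Fixed value masking: one byte masks input and output, T(x) = S(x ^ r) ^ r."""
    return recompute_table(r, r)

if __name__ == "__main__":
    r, s = secrets.randbelow(256), secrets.randbelow(256)  # fresh random masks
    x = 0x53                                               # constructed sample byte
    y_masked, y = masked_lookup(x, r, s)
    print(f"r={r:#04x} s={s:#04x} masked={y_masked:#04x} unmasked={y:#04x}")
    print("fixed-value entry:", hex(fixed_value_table(r)[x ^ r]))
```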