Revisiting a Masked Lookup-Table Compression Scheme

Lookup-table based side-channel countermeasure is the prime choice for masked S-box software implementations at very low orders. To mask an n-bit to m-bit S-box at first- and second- orders, one requires a temporary table in RAM of size \(m \cdot 2^n\) bits. Recently, Vadnala (CT-RSA 2017) suggested masked table compression schemes at first- and second-orders to reduce the table size by (approximately) a factor of \(2^l\), where l is a parameter. Though greater compression results in a greater execution time, these proposals would still be attractive for highly resource constrained devices.