Low Entropy Masking Schemes (LEMS) have attracted wide attention due to their implementations simplicity and relatively good performance in protecting cryptographic implementations against Side-Channel-Attacks (SCAs). To achieve desired security, it is necessary (but not sufficient) to find proper low entropy mask sets to protect all sensitive secret-dependant intermediate variables. However, one crucial problem concerning this intuitive idea is that what ‘proper’ mask sets should be. To formally capture such crucial qualification, we introduce the notion of balancedness to characterize this natural attribute of mask sets themselves. Considering that this notion is limited to characterize first-order security, we generalize it to dd -dimension balancedness to accommodate dthd^{th} -order security, then we exhibit lower and upper bounds on dd -dimension balancedness for any dd . With the help of these essential definitions, we prove that no balanced low entropy mask set really exists, which implies that LEMS implementations always have vulnerabilities in theory due to the unbalancedness of underlying mask sets. In order to further demonstrate the practical implications of balancedness, we show 4 different kinds of attacks on three state-of-the-art LEMS implementations. Specifically, the distribution attack proposed in this paper is a general first-order attack on LEMS. The results demonstrate that unbalanced mask sets actually do lead to serious vulnerabilities.

中文翻译：

---

注意平衡：揭示低熵掩蔽方案中的漏洞


低熵屏蔽方案（LEMS）因其实现简单且在保护加密实现免受侧通道攻击（SCA）方面相对良好的性能而引起了广泛关注。为了实现所需的安全性，有必要（但不够）找到适当的低熵掩码集来保护所有敏感的依赖于秘密的中间变量。然而，关于这一直观想法的一个关键问题是“正确的”掩模组应该是什么。为了正式捕捉这种关键的资格，我们引入了平衡性的概念来表征掩模组本身的这种自然属性。考虑到这个概念仅限于表征一阶安全性，我们将其推广到 dd 维平衡性以适应 dthd^{th} 阶安全性，然后我们展示任何 dd 的 dd 维平衡性的下限和上限。借助这些基本定义，我们证明平衡的低熵掩码集确实不存在，这意味着由于底层掩码集的不平衡，LEMS 实现在理论上总是存在漏洞。为了进一步证明平衡性的实际影响，我们展示了对三种最先进的 LEMS 实现的 4 种不同类型的攻击。具体来说，本文提出的分布攻击是针对LEMS的一般一阶攻击。结果表明，不平衡的掩码集实际上确实会导致严重的漏洞。