On Non-Completeness and G-Equivariance

Abstract: With the growing threat of the side-channel attack (SCA) to the cryptographic algorithm's implementations, the masking method has become one of the most promising SCA countermeasures for securely implementing, for example, block ciphers. The basic principle of the masking method is that if the sensitive variable (which, by definition, depends on sensitive information) is split into some random variables and they are manipulated in a secure manner, then the relationship between the random variables and the corresponding side-channel information may look independent from the outside world. However, after the introduction of the glitch attack, there has been a lot of concern about the security of the masking method itself. And, to mitigate the threat of the glitch attack, the threshold implementation (TI) and G-equivariant gates were independently introduced as countermeasures. In this paper, we consider the main notions of two such independent glitch attack countermeasures, namely non-completeness and G-equivariance, and investigate their relationship. The contribution of this paper is three-fold. First, we show that the widely-circulated proof that the non-complete TI with uniform inputs guarantees security against the 1st order DPA even in the presence of glitches is not satisfactory. Next, using the extended notion of G-equivariance in the higher-order setting, we prove that non-completeness implies G-equivariance, which, in turn, means that the non-complete TI with uniform inputs has resistance against the glitch attack. Thirdly, we prove that the set of non-complete gates is a proper subset of the set of G-equivariant gates by showing there is a gate that is G-equivariant but not non-complete.


Introduction
With the growing threat of SCA (Side-Channel Attack, [1][2][3][4]), many countermeasures have been proposed accordingly, and the masking method has been one of the most promising power attack countermeasures for securely implementing block ciphers [5,6].
The basic principle of the masking methods is that if the sensitive variable (which depends on key material and some known information by definition) is split into some random shares and then is manipulated in a secure manner, the relationship between the behavior of internal variables and the corresponding side-channel information may look independent from the outside world. However, after the introduction of the glitch attack, there has been a lot of concern about the security of the masking method itself [7][8][9].
The glitch attack primarily utilizes a specific hardware (HW) criterion, say, the glitch. More precisely, most of the HW-based masking schemes prior to the glitch attack were mainly based on the assumption that all gates' input signals arrive at the gate simultaneously. However, that is not true in practice. That is, the gate delay and the variable path lengths are very common in semiconductor technologies, so each input signal arrives at a gate at a different time. And, with this phenomenon in hand, the state of the gate's output signal fluctuates within a clock cycle until it is finally stabilized at a certain value.

Subscripts are used for denoting a component element of a finite field element (when the finite field is considered as a vector space over a base field), a component function of a vectorial function, or an input parameter of a multivariate function. For example, a ∈ GF(2^n) can be written as a = (a_0, a_1, ..., a_{n−1}) for a_i ∈ GF(2). The n-th order mask of a ∈ GF(2^n) (which will be defined more precisely later) is denoted as (a_0, a_1, ..., a_{n−1}) for a_i ∈ GF(2^n).

Masking Method
Power attack, first introduced by P. Kocher et al., can retrieve sensitive information from cryptographic devices using the devices' power consumption patterns [2]. Various techniques were introduced as power attack countermeasures, among which the masking method is representative for securely implementing, for example, block ciphers against DPA (differential power attack).
To apply the (Boolean) masking method to a function z = f(x) : GF(2^n) → GF(2^m), one should first determine the input masking order d_in and the output masking order d_out and then take the following procedure: for a given x ∈ GF(2^n),
(1) Randomly choose x_1, ..., x_{d_in} ∈ GF(2^n).
(3) From (x_0, x_1, ..., x_{d_in}), compute (z_0, z_1, ..., z_{d_out}) in such a manner that no information about the original input x is leaked during the computation.
The procedure above is usually called the (d_in, d_out)-order masking scheme for z = f(x) and, if d_in = d_out = d, it is also called the d-th order masking scheme. The vector (x_0, x_1, ..., x_{d_in}) is called the d_in-th order mask (or sharing) of x, or the d_in-th order input mask of z = f(x), and each x_i is called a share of x. Similarly, (z_0, z_1, ..., z_{d_out}) is called the d_out-th order mask of z, or the d_out-th order output mask of z = f(x), and each z_i is called a share of z. Importantly, the quantities d_in and d_out are closely related to the effort an attacker has to expend to break the masking scheme. For example, to successfully recover a key from a masking scheme with input order d_in, it is believed that an attacker needs to observe at least d_in + 1 individual shares or statistical moments.
The function computing the output mask (z_0, z_1, ..., z_{d_out}) from the input mask (x_0, x_1, ..., x_{d_in}) is denoted as (f_0, ..., f_{d_out}) and is called a shared implementation of z = f(x); thus f_i(x_0, x_1, ..., x_{d_in}) = z_i for each i.
Devising a masking scheme for linear or affine functions is known to be an easy task. For example, if z = f (x) is linear (with respect to ⊕) and gives a well-established masking scheme for f . However, designing a masking scheme for non-linear functions, such as block ciphers' S-box, is non-trivial, and the gate-level masking method was introduced to address this issue, especially in the hardware masking scheme design [15].
The idea of the gate-level masking method is very simple: after decomposing any function (or circuit) into basic gates, like AND, XOR and so on, and individually applying an appropriate masking scheme to the corresponding basic gates, the resulting circuit serves as the masking scheme for the original function. In particular, since AND, OR, NAND, and NOR gates are the only non-linear basic gates, and OR, NAND, and NOR gates can be constructed as compositions of AND, XOR, and NOT gates, the main research on the gate-level masking method focuses on how to apply the masking method to the AND gate. For example, Figure 1 shows the masking scheme for the 2-input AND gate proposed by E. Trichina [15], which can be mathematically described as: for a random bit r, (1)

Glitch Attack and Countermeasures
Most of the previous gate-level masking methods prior to the glitch attack implicitly or explicitly assumed that all input signals of any gate arrive at the gate simultaneously. However, this idealized assumption is shown not to hold in practice. That is, due to the gate delay and the variable path lengths, which are very common in semiconductor technology, each input signal arrives at the gate at a different time. Moreover, eliminating such arrival-time variation is known to be a hard task, especially for CMOS, the most widely used semiconductor technology. When input signals get to a gate at different times, the state of the gate's output signal fluctuates within a clock cycle until it is finally stabilized at a certain value. This phenomenon is called the glitch or the hazard.
The glitch phenomenon strongly affects the amount of electrical power consumed by circuits, and the amount of consumed power is closely related to the circuit's input. The power analysis attack which analyzes the relationship between the glitch phenomenon and the power consumption pattern is called the glitch attack [7][8][9]. Unfortunately, many gate-level masking schemes are known to be vulnerable to the glitch attack. Various countermeasures have been proposed since the glitch attack was introduced, and this paper focuses on the G-equivariant gates [14] and the threshold implementation [10][11][12][13].
The notion of G-equivariant gates relies on the belief that if the (averaged) toggling count of the gate's output is constant regardless of the arrival order of the gate's input signals [14], the gate's power consumption pattern will not be influenced by the glitch phenomenon, so that the glitch attack can be prevented. Unfortunately, as noted in [14], there are no 2-share G-equivariant gates in which the XOR sum gives rise to the AND-gate evaluation of the original input values. More precisely, there are no G-equivariant gates g_0, g_1 : GF(2)^4 → GF(2) satisfying Equation (2). To remedy this undesirable situation, the authors introduced the concept of semi-G-equivariance with the weakened condition that, in Equation (2), x_0 and x_1 arrive at the gate at the same time and y_0 and y_1 arrive at the gate simultaneously. However, even though there are some semi-G-equivariant gates that are available for constructing the AND gate in a glitch-attack-resistant manner, there have been some doubts about the appropriateness of such weakened conditions.
TI (Threshold Implementation, [10][11][12][13]) was proposed as another glitch attack countermeasure and is said to be provably secure even in the presence of glitches. TI is defined to be a masking scheme satisfying three specific properties: correctness, non-completeness, and uniformness. Given a function z = f(x), the shared implementation (f_0, ..., f_{d_out}) of f is said to be correct if the output shares (z_0, ..., z_{d_out}) form a d_out-th order mask of z. It is defined to be d-th order non-complete if any processing of up to d component functions f_i does not require at least one input share. Thus, for example, the following (f_0, f_1, f_2) is a first-order non-complete shared implementation of the AND gate: for x_0, x_1, x_2, y_0, y_1, y_2 ∈ GF(2), (3). For example, the following shared implementation of the AND gate is uniform, as Table 1 shows: for random bits r, s and x_0, (4).
Table 1. Probability distribution of (z_0, z_1, z_2) in (4).
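As an added example (not code from the paper), the three TI properties can be checked by exhaustive enumeration over all input sharings. The sharing below is the classic 3-share sharing of the 2-input AND gate, written out here because the page's equation (3) is not reproduced; the names AND_3SHARE, is_correct, is_noncomplete and is_uniform are this example's own.

```python
from collections import Counter
from itertools import combinations, product

# A component function is a list of AND-monomials that are XORed together;
# each monomial is a tuple of share names. This is the classic 3-share
# sharing of z = x AND y, constructed for this example.
AND_3SHARE = [
    [("x1", "y1"), ("x1", "y2"), ("x2", "y1")],   # f0 never reads x0, y0
    [("x2", "y2"), ("x0", "y2"), ("x2", "y0")],   # f1 never reads x1, y1
    [("x0", "y0"), ("x0", "y1"), ("x1", "y0")],   # f2 never reads x2, y2
]

def share_names(nshares):
    return [f"x{i}" for i in range(nshares)] + [f"y{i}" for i in range(nshares)]

def evaluate(component, env):
    """XOR over the monomials of the AND of the named shares."""
    return sum(all(env[v] for v in mono) for mono in component) % 2

def all_sharings(impl):
    """Yield (x, y, env, output shares) for every assignment of input shares."""
    n = len(impl)
    names = share_names(n)
    for bits in product((0, 1), repeat=2 * n):
        env = dict(zip(names, bits))
        x = sum(bits[:n]) % 2          # unshared input x = XOR of its shares
        y = sum(bits[n:]) % 2
        yield x, y, env, tuple(evaluate(f, env) for f in impl)

def is_correct(impl):
    """Correctness: the XOR of the output shares equals x AND y for every sharing."""
    return all(sum(out) % 2 == (x & y) for x, y, _, out in all_sharings(impl))

def is_noncomplete(impl, d=1):
    """d-th order non-completeness as defined on the page: every set of up to d
    component functions leaves at least one input share unread."""
    names = set(share_names(len(impl)))
    for k in range(1, d + 1):
        for combo in combinations(impl, k):
            used = {v for f in combo for mono in f for v in mono}
            if used == names:
                return False
    return True

def is_uniform(impl):
    """Uniformness: for each unshared (x, y), a uniformly random input sharing
    must hit every valid output sharing of z = x AND y equally often."""
    n = len(impl)
    counts = {}
    for x, y, _, out in all_sharings(impl):
        counts.setdefault((x, y), Counter())[out] += 1
    for (x, y), c in counts.items():
        valid = [s for s in product((0, 1), repeat=n) if sum(s) % 2 == (x & y)]
        expected = sum(c.values()) // len(valid)
        if any(c[s] != expected for s in valid):
            return False
    return True

def ti_report(impl):
    return {"correct": is_correct(impl),
            "non-complete": is_noncomplete(impl),
            "uniform": is_uniform(impl)}

if __name__ == "__main__":
    print(ti_report(AND_3SHARE))
```

Running it shows that this 3-share AND is correct and first-order non-complete (but second-order complete) and not uniform; uniformness is the property the page's example (4) obtains with the fresh bits r and s.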

Non-Completeness Implies 1st-Order DPA Security?
As stated in Section 2, Threshold Implementation is known to be provably secure against the 1st-order differential power attack even in the presence of glitches, and it is usually referenced that the corresponding security proof is given in Theorem 2 and Corollary 1 of [11]. Unfortunately, as indicated below, the proof is not satisfactory in the sense that there is a counter-example that is not secure against the glitch attack while satisfying the condition presented in [11]. For easy reference, we re-state the theorem here.
Theorem 1 (same as Theorem 2 in [11]).
For a shared implementation (f_0, ..., f_{d_out}) of z = f(x), if the input shares are uniform and (f_0, ..., f_{d_out}) is correct and non-complete, then each output share z_i is statistically independent of the original input x and the original output z. The same holds for any intermediate result appearing during the computation of (f_0, ..., f_{d_out}) and for any physical quantity, such as power consumption or electro-magnetic radiation, that is a function of these intermediate results.
Note that the original theorem in [11] was stated for the multi-input and multi-output function, while Theorem 1 above assumes that f has a single input and single output. However, the difference does not affect the validity of the argument below.
In [11], for proving the theorem above, the authors showed that, for any variable τ appearing in the computation of (f_0, ..., f_{d_out}) and any input x of f, Equation (5) holds. Clearly, Equation (5) implies that τ and x are statistically independent. Then, [11] presented the following corollary.
Corollary 1.
For a shared implementation (f_0, ..., f_{d_out}) of z = f(x), if the input shares are uniform and (f_0, ..., f_{d_out}) is correct and non-complete, then the expected value of the power consumption of a circuit implementing (f_0, ..., f_{d_out}) is independent of x and z, even in the presence of glitches or the delayed arrival of some inputs.
Now, in proving the corollary above, the authors of [11] stated that "Since the proof of Theorem 2 makes no assumption on the behavior of the circuit and/or the presence of glitches, the theorem holds for each sub-circuit computing one of the y_i^j, also in the case of delayed inputs or glitches. Furthermore, the mean power consumption of the whole circuit is the sum of the mean power consumptions of the sub-circuits and expectation is a linear operation" [11]. In effect, [11] used the argument that, if all the intermediate variables of the shared circuit are statistically independent of the input and the output, then the shared implementation is secure against the 1st-order DPA even in the presence of glitches. However, this argument is not true in general. That is, there are shared circuits whose intermediate variables are all statistically independent of the input and the output, but that are not secure against the glitch attack. For example, consider the masking scheme by Trichina described in Figure 1. First, it can be proved that all the intermediate results of the scheme, say, x_0 y_0, x_1 y_0, x_0 y_1, are statistically independent of the original input and output.
More precisely, for any α, β ∈ GF(2), if τ ∈ {x_0 y_0, x_1 y_0, x_0 y_1, x_1 y_1}, then Pr(τ = 0) = Pr(τ = 0 | (x, y) = (α, β)) = 3/4, while if τ ∈ {r ⊕ x_0 y_0, (r ⊕ x_0 y_0) ⊕ x_1 y_0, ((r ⊕ x_0 y_0) ⊕ x_1 y_0) ⊕ x_0 y_1, (((r ⊕ x_0 y_0) ⊕ x_1 y_0) ⊕ x_0 y_1) ⊕ x_1 y_1}, then Pr(τ = 0) = Pr(τ = 0 | (x, y) = (α, β)) = 1/2. Similarly, we can prove that Pr(τ = 0) = Pr(τ = 0 | xy = αβ) for any α, β and any τ ∈ {x_0 y_0, x_1 y_0, x_0 y_1, x_1 y_1, r ⊕ x_0 y_0, (r ⊕ x_0 y_0) ⊕ x_1 y_0, ((r ⊕ x_0 y_0) ⊕ x_1 y_0) ⊕ x_0 y_1, (((r ⊕ x_0 y_0) ⊕ x_1 y_0) ⊕ x_0 y_1) ⊕ x_1 y_1}. Thus, the presupposition of Corollary 1 is satisfied for Trichina's scheme; however, the scheme is also known to be susceptible to the glitch attack [7][8][9], which contradicts the conclusion of Corollary 1.
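The probabilities claimed above can be verified by exhaustive enumeration over the 32 assignments of (x_0, x_1, y_0, y_1, r). This is an added example, not code from the paper; the intermediate values are written out from the text, and the helper names (zero_probabilities, independent_of_input, influential_inputs, trichina_report) are this example's own.

```python
from fractions import Fraction
from itertools import product

# The intermediate values of Trichina's masked AND gate, named as in the text.
# Inputs: shares x0, x1 of x, shares y0, y1 of y, and the fresh random bit r.
INTERMEDIATES = {
    "x0y0": lambda x0, x1, y0, y1, r: x0 & y0,
    "x1y0": lambda x0, x1, y0, y1, r: x1 & y0,
    "x0y1": lambda x0, x1, y0, y1, r: x0 & y1,
    "x1y1": lambda x0, x1, y0, y1, r: x1 & y1,
    "r+x0y0": lambda x0, x1, y0, y1, r: r ^ (x0 & y0),
    "r+x0y0+x1y0": lambda x0, x1, y0, y1, r: r ^ (x0 & y0) ^ (x1 & y0),
    "r+x0y0+x1y0+x0y1": lambda x0, x1, y0, y1, r:
        r ^ (x0 & y0) ^ (x1 & y0) ^ (x0 & y1),
    "r+x0y0+x1y0+x0y1+x1y1": lambda x0, x1, y0, y1, r:
        r ^ (x0 & y0) ^ (x1 & y0) ^ (x0 & y1) ^ (x1 & y1),
}

def zero_probabilities(tau):
    """Exact Pr[tau = 0] and {(a, b): Pr[tau = 0 | (x, y) = (a, b)]} when the
    five input bits are uniform and independent."""
    zeros_total = 0
    zeros = {(a, b): 0 for a in (0, 1) for b in (0, 1)}
    for x0, x1, y0, y1, r in product((0, 1), repeat=5):
        if tau(x0, x1, y0, y1, r) == 0:
            zeros_total += 1
            zeros[(x0 ^ x1, y0 ^ y1)] += 1
    # each unshared pair (a, b) is produced by exactly 8 of the 32 assignments
    return Fraction(zeros_total, 32), {k: Fraction(v, 8) for k, v in zeros.items()}

def independent_of_input(tau):
    """True iff every conditional probability equals the unconditional one,
    i.e. the one-bit value tau is statistically independent of (x, y); this
    also implies the page's weaker statement conditioned on the product xy."""
    total, cond = zero_probabilities(tau)
    return all(p == total for p in cond.values())

def influential_inputs(tau):
    """Positions (0..4 = x0, x1, y0, y1, r) whose flip can change tau. The last
    intermediate reads every share, so the gate is complete in the sense of
    Section 2 even though each of its values is independent of (x, y)."""
    found = set()
    for bits in product((0, 1), repeat=5):
        base = tau(*bits)
        for i in range(5):
            flipped = list(bits)
            flipped[i] ^= 1
            if tau(*flipped) != base:
                found.add(i)
    return found

def trichina_report():
    """name -> (Pr[tau = 0], independent of (x, y)?, number of inputs read)."""
    return {name: (zero_probabilities(tau)[0], independent_of_input(tau),
                   len(influential_inputs(tau)))
            for name, tau in INTERMEDIATES.items()}

if __name__ == "__main__":
    for name, row in trichina_report().items():
        print(f"{name:24s} Pr[=0]={row[0]}  independent={row[1]}  reads {row[2]} inputs")
```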

Remark 1.
We note that the security guarantee of TI given in [11] is against the 1st-order univariate DPA. Thus, the attackers are assumed to be able to utilize only the mean value of power traces gathered at a specific moment in time. Attackers who rely on the variance of the gathered power traces, or on power traces gathered at several moments in time, are called higher-order DPA attackers, and neither [11] nor this paper considers such attackers.
At this point, we emphasize that we do not claim that the non-complete TI with uniform inputs has any power attack weakness. Actually, the non-complete TI is shown to be very secure in various leakage detection tests [10][11][12][13]. Thus, it is plausible that TI gives a lot of resistance to DPA, even in the presence of glitches. However, as the previous argument shows, it is not clear from a theoretical viewpoint why it gives such security. In short, the problem is that [11] does not contain any theoretical explanation of how the glitch effect is mitigated. As will be explained in the next section, G-equivariance [14] gives a useful instrument for mitigating such an effect. However, G-equivariance also has its own drawbacks. Most notably, there are no (1st-order) G-equivariant gates whose output XOR sum gives rise to the ordinary 2-input AND gate evaluation, and that is why we use the concept of G-equivariance extended to the higher-order setting in [16]. More details can be found in Section 4.

Non-Completeness Implies G-Equivariance
To solve the problem discussed in the previous section, we use the extended concept of the G-equivariance in [16].
Originally, G-equivariance was introduced as a glitch attack countermeasure, and a gate (or a function) is defined to be G-equivariant if the energy consumption of the gate is independent of the arrival order of its input signals [14]. However, as [14] indicated, there are no G-equivariant gates whose Boolean sum is equal to the 2-input AND gate evaluation, and the authors loosened the condition imposed on G-equivariance to get semi-G-equivariance. Semi-G-equivariance (the exact definition of which can be found in [14]) requires the energy consumption of a gate to be independent of the order of input signals under the constraint that some signals arrive at the gate simultaneously, and [14] proved that there are some semi-G-equivariant gates that sum up to the 2-input AND gate. For example, the gates g_0, g_1 given in (6) are semi-G-equivariant, that is, their energy consumption is independent of the arrival order of input signals if x_0 and x_1 arrive at g_0 or g_1 at the same time and y_0 and y_1 arrive at g_0 or g_1 simultaneously, and g_0(x_0, x_1, y_0, y_1) ⊕ g_1(x_0, x_1, y_0, y_1) = (x_0 ⊕ x_1)(y_0 ⊕ y_1).
However, there is a critical problem with semi-G-equivariant gates: it is not easy to satisfy the condition imposed on the gates. That is, for example, it is very hard to make x_0 and x_1 (and y_0 and y_1 as well) in (6) arrive at g_0 or g_1 at the same time. A custom design process may solve the issue, but at a high cost.
G-equivariance and semi-G-equivariance in [14] were basically defined in the 1st-order setting. More precisely, any input signal x of a gate is assumed to be decomposed as (x_0, x_1) with x = x_0 ⊕ x_1. However, there is no justification for why the input signals of a G-equivariant gate should have such a form. Using the notion of G-equivariance extended to the higher-order setting in [16], this paper assumes that every signal x is represented as (x_0, x_1, ..., x_d) with x = x_0 ⊕ x_1 ⊕ ··· ⊕ x_d for a given positive integer d.
In what follows, a gate with n inputs and 1 output is considered as a Boolean function g : GF(2^n) → GF(2), where GF(2) stands for the binary finite field with addition operation ⊕, and GF(2^n) is the extension field of degree n over GF(2), which can be considered as an n-dimensional vector space over GF(2). For a positive integer n, we denote by Map(n) the set of all mappings from the set {0, ..., n − 1} into itself.
Definition 1 ([14,16]).
Given a positive integer n, a gate g : GF(2^n) → GF(2) and i = 0, 1, ..., n − 1, the partial energy function E_{g,i} is defined as a V-valued function, where V stands for the 4-dimensional real vector space with the basis e_00, e_01, e_10, e_11 and, for a = (a_0, ..., a_{n−1}), x = (x_0, ..., x_{n−1}) and φ ∈ Map(n), b is given in (8).
In Definition 1, the basis vectors e_00, e_01, e_10, e_11 of V can be interpreted as the amount of power consumed while g changes or holds its output. That is, when the output of g changes from 0 to 1, g is assumed to consume the energy e_01, while it is assumed to consume the energy e_10 if it changes its output from 1 to 0. When the output bit of g stays at 0 or 1, g is assumed to consume the energy e_00 or e_11, respectively. Also, in the definition, φ ∈ Map(n) was introduced to describe the arrival order of the gate's input signals. Thus, for example, φ(j) = i in (8) means that the j-th input signal a_j arrives i-th in order.
We are now in a position to prove that non-completeness implies G-equivariance. However, since the provable security is believed to hold for TI satisfying first-order non-completeness (in fact, higher-order non-completeness does not guarantee higher-order security, as shown in [17]), and first-order non-completeness is generally realized in a 2nd-order masking scheme ([10][11][12][13]), we will focus on the 2nd-order masked gate in the sequel.
Theorem 2.
Given a 2nd-order masked gate (g_0, g_1, g_2) of a gate g : GF(2^2) → GF(2), if a 2nd-order component masked gate, say g_k : GF(2^6) → GF(2), is first-order non-complete, then it is 2nd-order G-equivariant.

Corollary 2.
The following 2nd-order component masked gates f_0, f_1, f_2 : GF(2^6) → GF(2), given by (15), form the shared implementation (f_0, f_1, f_2) of the 2-input AND gate whose energy consumption is independent of the arrival order of input signals. In other words, the energy consumption of f_0, f_1, f_2 in (15) is independent of the arrival order of input signals, and f_0(x_0, x_1, x_2, y_0, y_1, y_2) ⊕ f_1(x_0, x_1, x_2, y_0, y_1, y_2) ⊕ f_2(x_0, x_1, x_2, y_0, y_1, y_2) = (x_0 ⊕ x_1 ⊕ x_2)(y_0 ⊕ y_1 ⊕ y_2).
Proof. The claim is a direct consequence of Theorem 2 since f_0, f_1, f_2 are first-order non-complete.
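The conclusion of Theorem 2 and Corollary 2 can be observed numerically. The code below is an added example, not from the paper or from [14]/[16]: it uses a simplified arrival-order model (stated in the comments, an assumption of this example rather than the page's equation (8)) to compute the expected counts of the four transition events e_00, e_01, e_10, e_11 of Definition 1 for every arrival order, first for a non-complete component of the classic 3-share AND sharing (constructed here, since (15) is not reproduced) and then, for contrast, for the unmasked AND gate. The names glitch_profile, energy_profiles and step_energy are this example's own.

```python
from fractions import Fraction
from itertools import permutations, product

def truth_table(gate, nwires):
    """Tabulate gate(bits) for every input; bit i of the index is wire i."""
    return [gate([(v >> i) & 1 for i in range(nwires)]) for v in range(1 << nwires)]

def ti_and_f0(w):
    """Component f0 = x1y1 + x1y2 + x2y1 of the classic 3-share AND sharing
    (constructed for this example); wires 0..2 are x0..x2, 3..5 are y0..y2.
    It never reads x0 or y0, so it is first-order non-complete."""
    x, y = w[:3], w[3:]
    return (x[1] & y[1]) ^ (x[1] & y[2]) ^ (x[2] & y[1])

def plain_and(w):
    """The unmasked AND gate (one share per input): a complete gate."""
    return w[0] & w[1]

def current_inputs(n, secret):
    """All equiprobable n-share encodings (packed as ints) of secret = (x, y)."""
    vals = []
    for sx in product((0, 1), repeat=n):
        for sy in product((0, 1), repeat=n):
            if sum(sx) % 2 == secret[0] and sum(sy) % 2 == secret[1]:
                vals.append(sum(b << i for i, b in enumerate(sx + sy)))
    return vals

def step_energy(table, nwires, curs, settled, j):
    """Expected (e00, e01, e10, e11) for the step in which wire j takes its new
    value, given that the wires in the bitmask `settled` already carry theirs.
    Model assumption: the previous input is uniform over all wire values, the
    new sharing is uniform over `curs`, and every arrival produces exactly one
    of the four transition events (hold at 0, 0->1, 1->0, hold at 1)."""
    after = settled | (1 << j)
    counts = [0, 0, 0, 0]
    for prev in range(1 << nwires):
        for cur in curs:
            before_state = (prev & ~settled) | (cur & settled)
            after_state = (prev & ~after) | (cur & after)
            counts[2 * table[before_state] + table[after_state]] += 1
    total = (1 << nwires) * len(curs)
    return tuple(Fraction(c, total) for c in counts)

def energy_profiles(gate, n, secret):
    """Set of expected energy vectors over all arrival orders of the 2n wires."""
    nwires = 2 * n
    table = truth_table(gate, nwires)
    curs = current_inputs(n, secret)
    cache, profiles = {}, set()
    for order in permutations(range(nwires)):
        settled, total = 0, (Fraction(0),) * 4
        for j in order:
            if (settled, j) not in cache:
                cache[(settled, j)] = step_energy(table, nwires, curs, settled, j)
            total = tuple(a + b for a, b in zip(total, cache[(settled, j)]))
            settled |= 1 << j
        profiles.add(total)
    return profiles

def glitch_profile(gate, n):
    """(independent of arrival order, independent of the unshared inputs)."""
    per_secret = {s: energy_profiles(gate, n, s) for s in product((0, 1), repeat=2)}
    order_ok = all(len(p) == 1 for p in per_secret.values())
    secret_ok = len(set().union(*per_secret.values())) == 1
    return order_ok, secret_ok

if __name__ == "__main__":
    print("TI f0    :", glitch_profile(ti_and_f0, 3))
    print("plain AND:", glitch_profile(plain_and, 1))
```

In this model the non-complete component's expected energy is the same for every arrival order and every unshared input pair, because the shares it reads are uniformly distributed whatever the secret is, whereas the unmasked AND's expected energy depends on both.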
By Corollary 2, the set of first-order non-complete gates is a subset of the set of 2nd-order G-equivariant gates. At this point, one may ask whether there are any 2nd-order G-equivariant but first-order complete gates that can be used for implementing the AND gate in a shared form.

Remark 2.
The G-equivariant gate ensures the security of a single gate only; thus, it does not guarantee the security of a composition of several gates. To obtain the security of composed gates, the cryptosystem's implementers must consider inserting some registers, for example, so that the glitch's effect does not propagate through several gates. However, we emphasize that the same undesirable increase in circuit size from inserting registers is very common in most hardware masking schemes, including the threshold implementation [10][11][12][13], mainly due to the glitch's effect.

Conclusions
In this paper, we re-investigated the proof that TI is secure against the 1st-order DPA even in the presence of glitches and argued that the proof is missing some points. To remedy it, we proposed to utilize the extended concept of G-equivariance to a higher-order setting. Also, this paper proves that any non-complete masked gates are actually G-equivariant, which implies that any non-complete TI can successfully prevent the glitch attack. Finally, we show that there are some G-equivariant gates that are complete; thus, the notion of G-equivariance is broader than that of non-completeness.
Funding: This paper is a result that was implemented as a research project on Efficiency and Security of Higher-Order Threshold Implementation by the affiliated institute of ETRI. When giving a presentation on this report, the presenter has to clarify that it is the research by the affiliated institute of ETRI.

Conflicts of Interest:
The author declares no conflict of interest.