Side-channel resistant multiplicatively masked encryption engine with zero-value attack detection

US12368574B2 · US · B2

Patent metadata
Publication number: US-12368574-B2
Application number: US-202318190308-A
Country: US
Kind code: B2
Filing date: Mar 27, 2023
Priority date: Mar 27, 2023
Publication date: Jul 22, 2025
Grant date: Jul 22, 2025

Abstract

Official abstract text for this publication.

In one embodiment, a method comprises: combining, in a first adder circuit of a cryptographic engine, a round key with masked plaintext to generate an additively masked input; converting, in a first converter of the cryptographic engine, the additively masked input to a multiplicatively masked input; and performing, in a substitution box circuit of the cryptographic engine, a non-linear inverse operation on the multiplicatively masked input when the multiplicatively masked input is non-zero, and performing the non-linear inverse operation on a random non-zero value when the multiplicatively masked input is zero. Other embodiments are described and claimed.

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising: combining, in a first adder circuit of a cryptographic engine, a round key with masked plaintext to generate an additively masked input; converting, in a first converter of the cryptographic engine, the additively masked input to a multiplicatively masked input; and performing, in a substitution box (Sbox) circuit of the cryptographic engine, a non-linear inverse operation on the multiplicatively masked input when the multiplicatively masked input is non-zero and performing the non-linear inverse operation on a random non-zero value when the multiplicatively masked input is zero.

2. The method of claim 1, further comprising detecting that the multiplicatively masked input is zero in a balanced zero-value detector.

3. The method of claim 2, further comprising, in response to detecting that the multiplicatively masked input is zero: providing the random non-zero value to the Sbox circuit and to a second converter of the cryptographic engine, the second converter coupled to an output of the Sbox circuit; and converting, in the second converter, an output of the Sbox circuit to an additive output using the random non-zero value.

4. The method of claim 1, further comprising: generating a mask value in a random number generator; and combining the mask value with plaintext to obtain the masked plaintext.

5. The method of claim 4, further comprising: providing the mask value to a mask zero-value detector; and in response to detecting that the mask value is zero, providing the random non-zero value to the Sbox circuit instead of the multiplicatively masked input.

6. The method of claim 1, wherein converting the additively masked input to the multiplicatively masked input comprises: multiplying the additively masked input with a reflected mask value to obtain a first product; multiplying the reflected mask value with a mask value to obtain a second product; and combining the first product and the second product to obtain the multiplicatively masked input.

7. The method of claim 1, further comprising converting, in a second converter of the cryptographic engine, a multiplicative inverse output of the non-linear inverse operation to an additive inverse output.

8. The method of claim 7, wherein converting the multiplicative inverse output to the additive inverse output comprises: multiplying a fresh mask value with an input mask value to obtain a first product; summing the first product with the multiplicative inverse output to obtain a sum; and merging the sum with an inverse of the input mask value to obtain the additive inverse output.

9. The method of claim 8, further comprising performing a Galois field (2^4) inverse operation to obtain the inverse of the input mask value.

10. The method of claim 1, wherein performing the non-linear inverse operation comprises performing a Galois field (2^4) inverse operation to generate a multiplicative inverse output.

11. The method of claim 10, further comprising merging the multiplicative inverse output with a fresh mask value to obtain an additive inverse output.

12. An apparatus comprising: an additive-to-multiplicative converter to convert an additive masked input to a multiplicative masked input; a substitution circuit to perform a composite-field substitution of bytes of the multiplicative masked input, and output a multiplicative output; a zero-value detector coupled to the substitution circuit to detect a zero value of the multiplicative masked input, wherein in response to detection of the zero value of the multiplicative masked input, a non-zero value is to be provided to the substitution circuit instead of the multiplicative masked input; and a multiplicative-to-additive converter coupled to the substitution circuit to convert the multiplicative output to an additive output.

13. The apparatus of claim 12, wherein the additive-to-multiplicative converter comprises: a first multiplier to multiply the additive masked input with a reflected mask value to obtain a first product; a second multiplier to multiply the reflected mask value with a mask value to obtain a second product; and an adder to combine the first product and the second product to obtain the multiplicative masked input.

14. The apparatus of claim 12, wherein the multiplicative-to-additive converter comprises: a first multiplier to multiply a fresh mask value with an input mask value to obtain a first product; an adder to sum the first product with the multiplicative output to obtain a sum; and a second multiplier coupled to the adder to multiply the sum with an inverse of the input mask value to obtain the additive output.

15. The apparatus of claim 12, wherein the zero-value detector comprises a balanced detector comprising: a first data path to output an active zero detect signal when the multiplicative masked input has a zero value; and a second data path to output an inactive complementary zero detect signal when the multiplicative masked input has the zero value.

16. The apparatus of claim 15, wherein the first data path comprises first logic circuitry and the second data path comprises second logic circuitry, the second logic circuitry to balance the first logic circuitry.

17. The apparatus of claim 12, further comprising a mask zero-value detector to detect a zero value within a mask value, and provide a random non-zero value to the substitution circuit in place of the detected zero value within the mask value.

18. A system comprising: a cryptographic circuit to encrypt plaintext into ciphertext, the cryptographic circuit comprising: a first exclusive-OR (XOR) circuit to add a random mask value with the plaintext to generate a first sum; a second XOR circuit to add the first sum with a key to generate an additive masked input; an additive-to-multiplicative converter to convert the additive masked input to a multiplicative masked input using a permuted mask value; a substitution circuit coupled to the additive-to-multiplicative converter to perform a composite-field substitution of bytes of the multiplicative masked input, and output a multiplicative output, wherein in response to detection of a zero value within a portion of the multiplicative masked input, the substitution circuit is to perform the composite-field substitution on a random non-zero value instead of the portion of the multiplicative masked input; and a multiplicative-to-additive converter coupled to the substitution circuit to convert the multiplicative output to an additive output using a fresh mask value; and a memory coupled to the cryptographic circuit, wherein the memory is to store the ciphertext.

19. The system of claim 18, wherein the cryptographic circuit comprises a dual-rail balanced zero-value detector to detect the zero value within the portion of the multiplicative masked input.

20. The system of claim 18, further comprising a system on chip comprising a plurality of cores and the cryptographic circuit.
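
A functional model of the converters in claims 6, 8 and 14, added here as an illustration and not taken from the patent or its assignee. Assumptions: arithmetic is done directly in GF(2^8) with the AES polynomial rather than in the composite field, the reflected mask `r` is treated as an independent non-zero byte, the second converter's input mask is taken to be `r^-1`, and all function names are hypothetical. It shows that a zero byte reaches the S-box as zero for every `r`, which is the case claim 1 replaces with a random non-zero operand; the output handling after that substitution (claim 3) is not modelled.

```python
import secrets

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        b >>= 1
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
    return p

def gf_inv(a):
    """Inverse computed as a^254; maps 0 to 0 (the AES convention)."""
    result, exp = 1, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, a)
        a, exp = gf_mul(a, a), exp >> 1
    return result

def a2m(masked, m, r):
    """Claim 6: (x ^ m)*r combined with r*m leaves x*r."""
    return gf_mul(masked, r) ^ gf_mul(r, m)

def m2a(y, k, fresh):
    """Claims 8/14: (fresh*k ^ y) * k^-1 = y*k^-1 ^ fresh."""
    return gf_mul(gf_mul(fresh, k) ^ y, gf_inv(k))

def masked_inverse(x, m, r, fresh):
    """Return (S-box input x*r, additively masked inverse x^-1 ^ fresh)."""
    xr = a2m(x ^ m, m, r)                # x stands for plaintext ^ round key
    y = gf_inv(xr)                       # x^-1 * r^-1 when x != 0
    return xr, m2a(y, gf_inv(r), fresh)  # assumption: input mask k = r^-1

def seen_by_sbox(x):
    """Every value the S-box input takes as r ranges over non-zero masks."""
    return {a2m(x ^ 0x3C, 0x3C, r) for r in range(1, 256)}  # 0x3C: constructed

def sbox_operand(xr):
    """Claim 1 selection: a random non-zero byte replaces a zero input."""
    is_zero = xr == 0                    # functional model, not a balanced detector
    return (secrets.randbelow(255) + 1 if is_zero else xr), is_zero

if __name__ == "__main__":
    print(len(seen_by_sbox(0x42)), seen_by_sbox(0))
```

For a non-zero byte the S-box input is spread over all 255 non-zero values, while a zero byte always yields the single value 0, so the multiplicative mask hides nothing in that one case.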

Assignees

Inventors

Classifications

  • H04L9/0637 (Primary): Modes of operation, e.g. cipher block chaining [CBC], electronic codebook [ECB] or Galois/counter mode [GCM]

  • for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]

  • of operations, operands or results of the operations

  • H04L9/0631 (Primary): Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US12368574B2 cover?
In one embodiment, a method comprises: combining, in a first adder circuit of a cryptographic engine, a round key with masked plaintext to generate an additively masked input; converting, in a first converter of the cryptographic engine, the additively masked input to a multiplicatively masked input; and performing, in a substitution box circuit of the cryptographic engine, a non-linear inverse…
Who is the assignee on this patent?
Intel Corp
What technology area does this patent fall under?
Primary CPC classification H04L9/0637. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jul 22, 2025 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).