A Side-Channel Analysis Resistant Description of the AES S-Box

Oswald, Elisabeth; Mangard, Stefan; Pramstaller, Norbert; Rijmen, Vincent

doi:10.1007/11502760_28

Cited by 236 publications

(199 citation statements)

References 13 publications

Supporting

Mentioning

198

Contrasting

Order By: Relevance

“…In the particular case of the AES algorithm, some S-Box implementations have been proved to be DPA-resistant [3,23]. Nevertheless, as they rely on the algebraic structure of the AES S-Box, they are not generic.…”

Section: Procedures 1 S-box Calculationmentioning

confidence: 99%

“…Rijmen's remark has been used in [24,23,32,30] to fix the flaw of TMM when accessing S-Box: the so-called Tower Field Methods perform the inversion in F 2 8 by using masked multiplications and masked inversions in F 2 4 or F 2 2 .…”

Section: ])mentioning

confidence: 99%

“…In the following [23,24]. It only differs from Algorithm 2 in its approach to compute the inversion ofd ∈ F 16 .…”

Section: ])mentioning

confidence: 99%

“…It only differs from Algorithm 2 in its approach to compute the inversion ofd ∈ F 16 . In [23,24], the inversion is performed by going down to F 4 and its complexity approximatively equals the one of Algorithm 2 excluding the 5 th…”

Section: ])mentioning

confidence: 99%

See 3 more Smart Citations

Provably Secure S-Box Implementation Based on Fourier Transform

Prouff

Giraud

Aumônier

2006

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Cryptographic algorithms implemented in embedded devices must withstand Side Channel Attacks such as the Differential Power Analysis (DPA). A common method of protecting symmetric cryptographic implementations against DPA is to use masking techniques. However, clever masking of non-linear parts such as S-Boxes is difficult and has been the flaw of many countermeasures. In this article, we take advantage of some remarkable properties of the Fourier Transform to propose a new method to thwart DPA on the implementation of every S-Box. After introducing criteria so that an implementation is qualified as DPA-resistant, we prove the security of our scheme. Finally, we apply the method to FOX and AES S-Boxes and we show in the latter case that the resulting implementation is one of the most efficient.

show abstract

Section: Procedures 1 S-box Calculationmentioning

confidence: 99%

Section: ])mentioning

confidence: 99%

“…In the following [23,24]. It only differs from Algorithm 2 in its approach to compute the inversion ofd ∈ F 16 .…”

Section: ])mentioning

confidence: 99%

Section: ])mentioning

confidence: 99%

See 2 more Smart Citations

Provably Secure S-Box Implementation Based on Fourier Transform

Prouff

Giraud

Aumônier

2006

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…In the open literature, the masking technique is among the most popular suggested ways to protect an implementation against Differential Power Analysis [1,6,7,18]. However, several works have shown that such protected devices are still sensitive to higher-order attacks, originally described in [13].…”

Section: Introductionmentioning

confidence: 99%

Improved Higher-Order Side-Channel Attacks with FPGA Experiments

Peeters

Standaert

Donckers

et al. 2005

Cryptographic Hardware and Embedded Systems – CHES 2005

View full text Add to dashboard Cite

Abstract. We demonstrate that masking a block cipher implementation does not sufficiently improve its security against side-channel attacks. Under exactly the same hypotheses as in a Differential Power Analysis (DPA), we describe an improvement of the previously introduced higherorder techniques allowing us to defeat masked implementations in a low (i.e. practically tractable) number of measurements. The proposed technique is based on the efficient use of the statistical distributions of the power consumption in an actual design. It is confirmed both by theoretical predictions and practical experiments against FPGA devices.

show abstract