Simplified Adaptive Multiplicative Masking for AES

236

183

Abstract. So far, efficient algorithmic countermeasures to secure the AES algorithm against (first-order) differential side-channel attacks have been very expensive to implement. In this article, we introduce a new masking countermeasure which is not only secure against first-order sidechannel attacks, but which also leads to relatively small implementations compared to other masking schemes implemented in dedicated hardware. Our approach is based on shifting the computation of the finite field inversion in the AES S-box down to GF (4). In this field, the inversion is a linear operation and therefore it is easy to mask. Summarizing, the new masking scheme combines the concepts of multiplicative and additive masking in such a way that security against firstorder side-channel attacks is maintained, and that small implementations in dedicated hardware can be achieved.

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

A Side-Channel Analysis Resistant Description of the AES S-Box

Oswald¹,

Mangard²,

Pramstaller³

et al. 2005

236

183

“…For example, there are several publications on how to mask DES [1,8] and AES [1,2,7,24]. However, there also exist two publications [3,9] that discuss masking in a more generic way.…”

Section: The Theory Behind Masked Gatesmentioning

confidence: 99%

“…Applying masking at the algorithm level means that an algorithm is rewritten such that all intermediate results are randomized, while the input and the output of the algorithm are identical to those of the unmasked version. There are several publications that discuss how symmetric [1,7,8,24] and asymmetric ciphers [5,15] can be rewritten this way.…”

Section: Introductionmentioning

confidence: 99%

Side-Channel Leakage of Masked CMOS Gates

Mangard

Popp

Gammel

2005

239

171

Abstract. There are many articles and patents on the masking of logic gates. However, the existing publications assume that a masked logic gate switches its output no more than once per clock cycle. Unfortunately, this assumption usually does not hold true in practice. In this article, we show that glitches occurring in circuits of masked gates make these circuits susceptible to classical first-order DPA attacks. Besides a thorough theoretical analysis of the DPA-resistance of masked gates in the presence of glitches, we also provide simulation results that confirm the theoretical elaborations. Glitches occur in every CMOS circuit. Consequently, the currently known masking schemes for CMOS gates do not prevent DPA attacks.

“…Then, the computation can be securely carried out by performing calculations with these random blocks. The second method, called the re-computation method [1,2,29], involves a recomputation of the lookup tables corresponding to the S-Box with one or several random value(s) which must be changed each time the algorithm is executed. The third generic method, that we call here S-Box secure calculation, has been essentially applied to protect AES implementations [5,15,28,32] due to the strong algebraic structure of the AES S-Box.…”

Section: Introductionmentioning

confidence: 99%

Provably Secure S-Box Implementation Based on Fourier Transform

Prouff

Giraud

Aumônier

2006

Abstract. Cryptographic algorithms implemented in embedded devices must withstand Side Channel Attacks such as the Differential Power Analysis (DPA). A common method of protecting symmetric cryptographic implementations against DPA is to use masking techniques. However, clever masking of non-linear parts such as S-Boxes is difficult and has been the flaw of many countermeasures. In this article, we take advantage of some remarkable properties of the Fourier Transform to propose a new method to thwart DPA on the implementation of every S-Box. After introducing criteria so that an implementation is qualified as DPA-resistant, we prove the security of our scheme. Finally, we apply the method to FOX and AES S-Boxes and we show in the latter case that the resulting implementation is one of the most efficient.