Designs, Codes and Cryptography, Volume 69, Issue 3, pp 331–349

AES side-channel countermeasure using random tower field constructions

  • Alexis Bonnecaze
  • Pierre Liardet
  • Alexandre Venelli
Article

Abstract

Masking schemes to secure AES implementations against side-channel attacks are a topic of ongoing research. The most sensitive part of the AES is the non-linear SubBytes operation, in particular the inversion in GF(2^8), the Galois field of 2^8 elements. In hardware implementations, it is well known that using the tower of extensions \({GF(2)\subset GF(2^2)\subset GF(2^4)\subset GF(2^8)}\) leads to a more efficient inversion. We propose to use a random isomorphism instead of a fixed one, and then study the effect of this randomization in terms of security and efficiency. Considering the field extension GF(2^8)/GF(2^4), the inverse operation leads to the computation of its norm in GF(2^4). Hence, in order to thwart side-channel attacks, we manage to spread the values of the norms over GF(2^4). Combined with a technique of Boolean masking in tower fields, our countermeasure strengthens resistance against first-order differential side-channel attacks.
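As an added illustration of the inversion step the abstract refers to (example code written for this page, not from the paper), the following computes the GF(2^8) inverse through the norm in the subfield GF(2^4) and counts how many inputs share each norm value. It works in the AES polynomial representation of GF(2^8) rather than in an explicit tower basis, which is an assumption of the example; the paper's random isomorphisms are not implemented here.

```python
# Added example (not from the paper): inversion in the AES field GF(2^8)
# through the norm down to GF(2^4), the step the abstract singles out.
from collections import Counter

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES reduction polynomial

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial (bit-serial)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r

def gf_pow(a, e):
    """Square-and-multiply exponentiation in GF(2^8)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def norm(a):
    """Norm of a for the extension GF(2^8)/GF(2^4): N(a) = a * a^16 = a^17.
    It lies in the 16-element subfield, so N(a)^16 == N(a)."""
    return gf_mul(a, gf_pow(a, 16))

def inverse_via_norm(a):
    """a^-1 = a^16 * N(a)^-1, where N(a)^-1 = N(a)^14 is computed inside
    GF(2^4) (its multiplicative group has order 15). AES maps 0 to 0."""
    if a == 0:
        return 0
    conj = gf_pow(a, 16)    # Frobenius conjugate of a over GF(2^4)
    n = gf_mul(a, conj)     # the norm, an element of GF(2^4)
    n_inv = gf_pow(n, 14)   # inverse of the norm, a GF(2^4) operation
    return gf_mul(conj, n_inv)

def norm_histogram():
    """Count how many nonzero inputs share each norm value: 15 values, 17
    inputs each (255 = 15 * 17). This many-to-one collapse onto GF(2^4) is
    the intermediate whose leakage the paper's randomisation spreads out."""
    return Counter(norm(a) for a in range(1, 256))
```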

Keywords

AES, Side-channel attack, Countermeasure, Masking technique, Composite field arithmetic

Mathematics Subject Classification

94A60, 11T71


Copyright information

© Springer Science+Business Media, LLC 2012

Authors and Affiliations

  • Alexis Bonnecaze (1)
  • Pierre Liardet (2)
  • Alexandre Venelli (3)
  1. Aix-Marseille University, IML, ERISCS, Marseille Cedex 09, France
  2. Université de Provence, LATP, Marseille Cedex 13, France
  3. Inside Secure, Rousset, France
