An Algebraic Masking Method to Protect AES Against Power Attacks

  • Nicolas T. Courtois
  • Louis Goubin
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3935)

Abstract

The central question in constructing a secure and efficient masking method for AES is to address the interaction between additive masking and the inverse S-box of Rijndael. All recently proposed methods to protect AES against power attacks try to avoid this problem and work by decomposing the inverse in terms of simpler operations that are more easily protected against DPA by generic methods.

In this paper, for the first time, we look the problem in the face, and show that this interaction is not as intricate as it seems. In fact, any operation, even a complex one, can be directly protected against DPA of any given order, provided it can be embedded in a group that has a compact representation. We show that a secure computation of a whole masked inverse can be done directly in this way, using the group of homographic transformations over the projective space (though not exactly: some non-trivial technicalities arise).
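To make the abstract's central idea concrete, the following is an added illustration written for this page; it is not code from the paper and does not reproduce the authors' construction. It assumes the standard AES field GF(2^8) with reduction polynomial x^8 + x^4 + x^3 + x + 1, represents each homographic (Möbius) transformation x -> (ax + b)/(cx + d) by a 2x2 matrix over that field, and shows that the inverse map x -> 1/x and the additive masking maps x -> x + m all live in one group whose composition is matrix multiplication. The function names and the sample masks 0x3C and 0xA5 are constructed for the example. The code also exposes the two points the abstract alludes to: the input x = 0 lands on the projective point at infinity (the zero-masking problem named in the keywords), and a textbook evaluation of the composed map recomputes an intermediate equal to the unmasked x, which is why the paper's technicalities are needed; how the paper resolves either is not shown here.

```python
"""Masked AES inverse as one homographic transformation over P^1(GF(2^8)).

Added illustration of the abstract's idea; not code from the paper.
Assumptions: the AES field GF(2^8) modulo x^8 + x^4 + x^3 + x + 1, and the
convention that the projective point at infinity is written INF.
"""

INF = None  # point at infinity of the projective line P^1(GF(2^8))


def gf_mul(a, b):
    """Multiply two elements of GF(2^8) modulo the AES polynomial 0x11b."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B          # reduce by x^8 + x^4 + x^3 + x + 1
        b >>= 1
    return r


def gf_inv(a):
    """Multiplicative inverse in GF(2^8) as a^254; 0 has no inverse."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def aes_inverse_core(x):
    """Rijndael's field inverse with the S-box convention 0 -> 0 (affine layer omitted)."""
    return 0 if x == 0 else gf_inv(x)


def mat_mul(M, N):
    """Product of 2x2 matrices over GF(2^8); addition is XOR."""
    (a, b), (c, d) = M
    (e, f), (g, h) = N
    return ((gf_mul(a, e) ^ gf_mul(b, g), gf_mul(a, f) ^ gf_mul(b, h)),
            (gf_mul(c, e) ^ gf_mul(d, g), gf_mul(c, f) ^ gf_mul(d, h)))


def apply_homography(M, p):
    """Evaluate p -> (a p + b) / (c p + d) on the projective line, INF included."""
    (a, b), (c, d) = M
    if p is INF:
        return INF if c == 0 else gf_mul(a, gf_inv(c))   # image of infinity is a/c
    num = gf_mul(a, p) ^ b
    den = gf_mul(c, p) ^ d
    return INF if den == 0 else gf_mul(num, gf_inv(den))


def translate(m):
    """Group element for additive masking x -> x + m (XOR in characteristic 2)."""
    return ((1, m), (0, 1))


INVERSION = ((0, 1), (1, 0))   # group element for x -> 1 / x


def masked_inverse_matrix(m_in, m_out):
    """One group element mapping x + m_in to (1/x) + m_out.

    Composed right-to-left: remove m_in, invert, add m_out. Subtracting m_in
    is the same as adding it in characteristic 2.
    """
    return mat_mul(translate(m_out), mat_mul(INVERSION, translate(m_in)))


def masked_inverse(masked_x, m_in, m_out):
    """Apply the composed element to the masked input."""
    return apply_homography(masked_inverse_matrix(m_in, m_out), masked_x)


def check_all_nonzero(m_in=0x3C, m_out=0xA5):
    """Count the x in 1..255 for which unmasking the output gives the true inverse (expect 255)."""
    ok = 0
    for x in range(1, 256):
        y = masked_inverse(x ^ m_in, m_in, m_out)
        if y is not INF and y ^ m_out == aes_inverse_core(x):
            ok += 1
    return ok


def zero_input_result(m_in=0x3C, m_out=0xA5):
    """The zero-masking problem: x = 0 lands on INF, not on the 0 the S-box convention needs."""
    return masked_inverse(0 ^ m_in, m_in, m_out)


def evaluation_intermediates(masked_x, m_in, m_out):
    """Return the (numerator, denominator) a textbook evaluation computes.

    The denominator equals the unmasked x, so evaluating the composed map
    naively would expose x to first-order DPA; a masking scheme has to
    evaluate the group element without ever forming this value.
    """
    (a, b), (c, d) = masked_inverse_matrix(m_in, m_out)
    return gf_mul(a, masked_x) ^ b, gf_mul(c, masked_x) ^ d
```

With the constructed masks, `masked_inverse_matrix(0x3C, 0xA5)` is the single matrix ((m_out, 1 + m_out·m_in), (1, m_in)), and `check_all_nonzero()` confirms that it sends x + m_in to 1/x + m_out for every nonzero x. The two remaining functions show why the group structure alone is not yet a countermeasure: `zero_input_result()` returns the point at infinity for x = 0, and `evaluation_intermediates()` reveals that the denominator of a naive evaluation is x itself. The abstract's claim is that a secure computation of the whole masked inverse is nevertheless possible inside this group; the paper's contribution lies in how that evaluation is carried out, which this example does not reproduce.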

Keywords

Rijndael, AES, inverse S-box, homographic transformations, linear fractional transformations, Möbius transformations, the zero-masking problem, Differential Power Analysis, higher-order DPA

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Nicolas T. Courtois (1)
  • Louis Goubin (1, 2)
  1. Axalto Crypto Research & Advanced Security, Louveciennes, France
  2. PRiSM Laboratory, Versailles University, Versailles, France