Simplified Adaptive Multiplicative Masking for AES

  • Elena Trichina
  • Domenico De Seta
  • Lucia Germani
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2523)


Software counter measures against side channel attacks considerably hinder performance of cryptographic algorithms in terms of memory or execution time or both. The challenge is to achieve secure implementation with as little extra cost as possible. In this paper we optimize a counter measure for the AES block cipher consisting in transforming a boolean mask to a multiplicative mask prior to a non-linear Byte Substitution operation (thus, avoiding S-box re-computations for every run or storing multiple S-box tables in RAM), while preserving a boolean mask everywhere else. We demonstrate that it is possible to achieve such transformation for a cost of two additional multiplications in the field.

However, due to an inherent vulnerability of multiplicative masking to so-called zero attack, an additional care must be taken to securize its implementation. We describe one possible, although not perfect, approach to such an implementation which combines algebraic techniques and partial re-computation of S-boxes. This adds one more multiplication operation, and either occasional S-box re-computations or extra 528 bytes of memory to the total price of the counter measure.


Smart Card Advance Encryption Standard Counter Measure Advanced Encryption Stan Algorithm Cryptographic Hardware 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Akkar, M., Giraud, C.: An implementation of DES and AES, secure against some attacks. Proc. Cryptographic Hardware and Embedded Systems: CHES 2001, LNCS 2162 (2001) 309–318Google Scholar
  2. 2.
    Akkar, M., Goubin, L.: A generic protection against high-order differential power analysis. Manuscript Google Scholar
  3. 3.
    Chari, S., Jutla, C., Rao, J., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks. Proc. Advances in Cryptology-Crypto’99, LNCS 1666 (1999) 398–412Google Scholar
  4. 4.
    Courtois, N., Akkar, M.: Time and memory efficiency in protecting against higher order power attacks. Manuscript Google Scholar
  5. 6.
    Daemen, J., Rijmen, V.: The design of Rijndael: AES-The Advanced Encryption Standard. Springer-Verlag Berlin Heidelberg, 2002zbMATHGoogle Scholar
  6. 7.
    Gandol., K., Mourtel, C., Oliver, F.: Electromagnetic analysis: concrete results. Proc. Cryptographic Hardware and Embedded Systems: CHES 2001, LNCS 2162 (2001) 251–261Google Scholar
  7. 8.
    Golic, J., Tymen, Ch.:: Multiplicative masking and power analysis of AES. Proc. Cryptographic Hardware and Embedded Systems: CHES 2002, LNCS 2523 (2002) These proceedings.Google Scholar
  8. 9.
    Goubin, L., Patarin, J.: DES and differential power analysis. Proc. Cryptographic Hardware and Embedded Systems: CHES’99, LNCS 1717 (1999) 158–172Google Scholar
  9. 10.
    Kocher, P.: Timing attacks on implementations of Diffie-Hellmann, RSA, DSS, and other systems. Proc. Advances in Cryptology-Crypto’96, LNCS 1109 (1996) 104–113Google Scholar
  10. 11.
    Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. Proc. Advances in Cryptology-Crypto’99, LNCS 1666 (1999) 388–397Google Scholar
  11. 12.
    Massey, J. L., Lai, X.: Device for the conversion of a digital block and use of same. U.S. Patent # 5,214,703, 25 May 1993Google Scholar
  12. 13.
    Messerges, T.: Securing the AES finalists against power analysis attacks. Proc. Fast Software Encryption Workshop 2000 LNCS 1978 (2000) 150–165Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Elena Trichina
    • 1
  • Domenico De Seta
    • 1
  • Lucia Germani
    • 1
  1. 1.Cryptographic Design CenterGemplus Technology R & DRomeItaly

Personalised recommendations