Simplified Adaptive Multiplicative Masking for AES
Software counter measures against side channel attacks considerably hinder performance of cryptographic algorithms in terms of memory or execution time or both. The challenge is to achieve secure implementation with as little extra cost as possible. In this paper we optimize a counter measure for the AES block cipher consisting in transforming a boolean mask to a multiplicative mask prior to a non-linear Byte Substitution operation (thus, avoiding S-box re-computations for every run or storing multiple S-box tables in RAM), while preserving a boolean mask everywhere else. We demonstrate that it is possible to achieve such transformation for a cost of two additional multiplications in the field.
However, due to an inherent vulnerability of multiplicative masking to so-called zero attack, an additional care must be taken to securize its implementation. We describe one possible, although not perfect, approach to such an implementation which combines algebraic techniques and partial re-computation of S-boxes. This adds one more multiplication operation, and either occasional S-box re-computations or extra 528 bytes of memory to the total price of the counter measure.
KeywordsSmart Card Advance Encryption Standard Counter Measure Advanced Encryption Stan Algorithm Cryptographic Hardware
- 1.Akkar, M., Giraud, C.: An implementation of DES and AES, secure against some attacks. Proc. Cryptographic Hardware and Embedded Systems: CHES 2001, LNCS 2162 (2001) 309–318Google Scholar
- 2.Akkar, M., Goubin, L.: A generic protection against high-order differential power analysis. Manuscript Google Scholar
- 3.Chari, S., Jutla, C., Rao, J., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks. Proc. Advances in Cryptology-Crypto’99, LNCS 1666 (1999) 398–412Google Scholar
- 4.Courtois, N., Akkar, M.: Time and memory efficiency in protecting against higher order power attacks. Manuscript Google Scholar
- 7.Gandol., K., Mourtel, C., Oliver, F.: Electromagnetic analysis: concrete results. Proc. Cryptographic Hardware and Embedded Systems: CHES 2001, LNCS 2162 (2001) 251–261Google Scholar
- 8.Golic, J., Tymen, Ch.:: Multiplicative masking and power analysis of AES. Proc. Cryptographic Hardware and Embedded Systems: CHES 2002, LNCS 2523 (2002) These proceedings.Google Scholar
- 9.Goubin, L., Patarin, J.: DES and differential power analysis. Proc. Cryptographic Hardware and Embedded Systems: CHES’99, LNCS 1717 (1999) 158–172Google Scholar
- 10.Kocher, P.: Timing attacks on implementations of Diffie-Hellmann, RSA, DSS, and other systems. Proc. Advances in Cryptology-Crypto’96, LNCS 1109 (1996) 104–113Google Scholar
- 11.Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. Proc. Advances in Cryptology-Crypto’99, LNCS 1666 (1999) 388–397Google Scholar
- 12.Massey, J. L., Lai, X.: Device for the conversion of a digital block and use of same. U.S. Patent # 5,214,703, 25 May 1993Google Scholar
- 13.Messerges, T.: Securing the AES finalists against power analysis attacks. Proc. Fast Software Encryption Workshop 2000 LNCS 1978 (2000) 150–165Google Scholar