Multiplicative Masking and Power Analysis of AES
The recently proposed multiplicative masking countermeasure against power analysis attacks on AES is attractive because it does not require the costly recomputation and RAM storage of masked S-boxes for every run of AES. This matters for applications where the available memory is very limited, such as smart cards. Unfortunately, it is shown here that the method is in fact inherently vulnerable to differential power analysis. It is also shown, however, that the multiplicative masking method can be modified so as to resist differential power analysis at a nonideal but controllable security level, at the expense of increased computational complexity. Other possible random masking methods are also discussed.
Keywords: AES, differential power analysis, countermeasures, multiplicative masking
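The inherent DPA weakness referred to in the abstract can be reproduced in simulation. The Python below is an added example, not code from the paper: it implements GF(2^8) arithmetic in the AES representation, a multiplicative masking of the S-box inversion in the Akkar-Giraud style that the paper analyses (the exact operation order used here is an assumption), and a simulated zero-value DPA. The property being exploited is that the multiplicatively masked intermediate x·r is 0 exactly when the S-box input x is 0, whatever the nonzero mask r is, so the leakage of that intermediate is deterministic for zero inputs. Traces are constructed from a Hamming-weight leakage model plus Gaussian noise, not measured; the function and variable names are the example's own.

```python
import random

# ---- GF(2^8) arithmetic in the AES representation (x^8 + x^4 + x^3 + x + 1) ----

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) with the AES reduction polynomial 0x11B."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Inverse in GF(2^8) computed as a^254; returns 0 for a == 0, as the AES S-box requires."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def hw(v: int) -> int:
    """Hamming weight: the simulated power-leakage model for a handled byte."""
    return bin(v).count("1")


# ---- Multiplicative masking of the inversion (assumed Akkar-Giraud operation order) ----

def masked_inverse(x_masked: int, m: int, r: int):
    """Given x' = x ^ m (additive mask m) and a nonzero multiplicative mask r,
    return (x^-1 ^ m, intermediate). `intermediate` is x*r, the value the device
    handles while only the multiplicative mask is in place; it is the DPA target."""
    t = gf_mul(x_masked, r)        # (x ^ m) * r = x*r ^ m*r
    t ^= gf_mul(m, r)              # x*r            <- zero iff x == 0, for every r
    intermediate = t
    t = gf_inv(t)                  # x^-1 * r^-1
    t ^= gf_mul(m, gf_inv(r))      # (x^-1 ^ m) * r^-1
    t = gf_mul(t, r)               # x^-1 ^ m       additive mask restored
    return t, intermediate


def intermediates_for(x: int) -> set:
    """Set of intermediate values x*r seen over every nonzero r (with random m)."""
    rng = random.Random(0)
    seen = set()
    for r in range(1, 256):
        m = rng.randrange(256)
        _, inter = masked_inverse(x ^ m, m, r)
        seen.add(inter)
    return seen


def simulate_traces(key: int, masks_per_pt: int, sigma: float, seed: int):
    """Constructed first-round leakage: for each plaintext byte p and fresh masks
    (m, r), record hw(x*r) plus Gaussian noise, where x = p ^ key."""
    rng = random.Random(seed)
    traces = []
    for p in range(256):
        for _ in range(masks_per_pt):
            m = rng.randrange(256)
            r = rng.randrange(1, 256)
            _, inter = masked_inverse((p ^ key) ^ m, m, r)
            traces.append((p, hw(inter) + rng.gauss(0.0, sigma)))
    return traces


def dpa_recover(traces) -> int:
    """Zero-value DPA: for each key guess g, split traces by whether the
    hypothesised S-box input p ^ g is 0 and take the difference of mean leakage.
    Only the correct guess isolates traces whose intermediate is identically 0."""
    best_g, best_d = None, float("-inf")
    for g in range(256):
        zero = [leak for p, leak in traces if (p ^ g) == 0]
        rest = [leak for p, leak in traces if (p ^ g) != 0]
        d = sum(rest) / len(rest) - sum(zero) / len(zero)
        if d > best_d:
            best_g, best_d = g, d
    return best_g


if __name__ == "__main__":
    print("intermediates for x=0:   ", intermediates_for(0))
    print("intermediates for x=0x53:", len(intermediates_for(0x53)), "distinct values")
    key = 0x2B
    print("recovered key byte: 0x%02X" % dpa_recover(simulate_traces(key, 16, 0.5, 7)))
```

The masks m and r are refreshed for every trace, so the additive mask does what it should; the leak comes entirely from the single intermediate that carries only a multiplicative mask. Any fix has to change how 0 is represented during that step, which is what the paper's modified scheme does at extra cost.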