Provably Secure Masking of AES

  • Johannes Blömer
  • Jorge Guajardo
  • Volker Krummel
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3357)


A general method to secure cryptographic algorithms against side-channel attacks is the use of randomization techniques and, in particular, masking. Roughly speaking, using random values unknown to an adversary one masks the input to a cryptographic algorithm. As a result, the intermediate results in the algorithm computation are uncorrelated to the input and the adversary cannot obtain any useful information from the side-channel. Unfortunately, previous AES randomization techniques have based their security on heuristics and experiments. Thus, flaws have been found which make AES randomized implementations still vulnerable to side-channel cryptanalysis. In this paper, we provide a formal notion of security for randomized maskings of arbitrary cryptographic algorithms. Furthermore, we present an AES randomization technique that is provably secure against side-channel attacks if the adversary is able to access a single intermediate result. Our randomized masking technique is quite general and it can be applied to arbitrary algorithms using only arithmetic operations over some finite field. To our knowledge this is the first time that a randomization technique for the AES has been proven secure in a formal model.


Intermediate Result Advance Encryption Standard Cryptographic Algorithm Security Notion Fast Software Encryption 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Akkar, M.-L., Bévan, R., Goubin, L.: Two Power Analysis Attacks against One-Mask Methods. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 332–347. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  2. 2.
    Akkar, M.-L., Giraud, C.: An Implementation of DES and AES, Secure against Some Attacks. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 309–318. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  3. 3.
    Biham, E., Shamir, A.: Power Analysis of the Key Scheduling of the AES Candidates. In: Proceedings of the Second AES Candidate Conference (AES2), Rome, Italy (March 1999)Google Scholar
  4. 4.
    Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards Sound Approaches to Counteract Power-Analysis Attacks. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 398–412. Springer, Heidelberg (1999)Google Scholar
  5. 5.
    Clavier, C., Coron, J.-S., Dabbous, N.: Differential Power Analysis in the Presence of Hardware Countermeasures. In: Paar, C., Koç, Ç.K. (eds.) CHES 2000. LNCS, vol. 1965, pp. 252–263. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  6. 6.
    Daemen, J., Rijmen, V.: Resistance Against Implementation Attacks: A Comparative Study of the AES Proposals. In: Proceedings of the Second AES Candidate Conference (AES2), Rome, Italy (March 1999)Google Scholar
  7. 7.
    Drolet, G.: A New Representation of Elements of Finite Fields GF(2m) Yielding Small Complexity Arithmetic Circuits. IEEE Transactions on Computers 47(9), 938–946 (1998)CrossRefMathSciNetGoogle Scholar
  8. 8.
    Fournier, J.J.A., Moore, S., Li, H., Mullins, R., Taylor, G.: Security Evaluation of Asynchronous Circuits. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 137–151. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  9. 9.
    Golić, J.D., Tymen, C.: Multiplicative Masking and Power Analysis of AES. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 198–212. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  10. 10.
    Golić, J.D.: DeKaRT: A New Paradigm for Key-Dependent Reversible Circuits. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 98–112. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  11. 11.
    Goubin, L., Patarin, J.: DES and Differential Power Analysis. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 158–172. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  12. 12.
    Guajardo, J., Paar, C.: Itoh-Tsujii Inversion in Standard Basis and Its Application in Cryptography and Codes. Design, Codes, and Cryptography 25(2), 207–216 (2002)zbMATHCrossRefMathSciNetGoogle Scholar
  13. 13.
    Itoh, T., Tsujii, S.: A Fast Algorithm for Computing Multiplicative Inverses in GF(2m) Using Normal Bases. Information and Computation 78, 171–177 (1988)zbMATHCrossRefMathSciNetGoogle Scholar
  14. 14.
    Kocher, P., Jaffe, J., Jun, B.: Introduction to Differential Power Analysis and Related Attacks. Technical Report, Cryptography Research, Inc (1998)Google Scholar
  15. 15.
    Kocher, P.C., Jaffe, J., Jun, B.: Differential Power Analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)Google Scholar
  16. 16.
    Kocher, P.C.: Timing attacks on implementations of diffie-hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)Google Scholar
  17. 17.
    Koeune, F., Quisquater, J.-J.: A timing attack against Rijndael. Technical Report CG-1999/1, Université Catholique de Louvain (1999)Google Scholar
  18. 18.
    Mangard, S.: A Simple Power-Analysis (SPA) Attackon Implementations of the AES Key Expansion. In: Lee, P.J., Lim, C.H. (eds.) ICISC 2002. LNCS, vol. 2587, pp. 343–358. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  19. 19.
    Messerges, T.S.: Securing the AES Finalists Against Power Analysis Attacks. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 150–164. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  20. 20.
    Moore, S., Anderson, R., Mullins, R., Taylor, G., Fournier, J.J.A.: Balanced Self-Checking Asynchronous Logic for Smart Card Applications. Journal of Microprocessors and Microsystems 27(9), 421–430 (2003)CrossRefGoogle Scholar
  21. 21.
    Örs, S.B., Gürkaynak, F., Oswald, E., Preneel, B.: Power-Analysis Attack on an ASIC AES Implementation. In: Proceedings of the 2004 International Symposium on Information Technology (ITCC 2004). IEEE Computer Society Press, Los Alamitos (2004)Google Scholar
  22. 22.
    Satoh, A., Morioka, S., Takano, K., Munetoh, S.: A Compact Rijndael Hardware Architecture with S-Box Optimization. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 239–254. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  23. 23.
    Tiri, K., Akmal, M., Verbauwhede, I.: A Dynamic and Differential CMOS Logic with Signal Independent Power Consumption to Withstand Differential Power Analysis on Smart Cards. In: 28th European Solid-State Circuits Conference, ESSCIRC 2002 (2002)Google Scholar
  24. 24.
    Tiri, K., Verbauwhede, I.: Securing Encryption Algorithms against DPA at the Logic Level: Next Generation Smart Card Technology. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 125–136. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  25. 25.
    Trichina, E.: Combinational logic design for aes subbyte transformation on masked data. Cryptology eprint archive: Report 2003/236, IACR, November 11 (2003)Google Scholar
  26. 26.
    Trichina, E., De Seta, D., Germani, L.: Simplified Adaptive Multiplicative Masking for AES. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 187–197. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  27. 27.
    U.S. Department of Commerce/National Institute of Standard and Technology. FIPS PUB 197, Specification for the Advanced Encryption Standard (AES) (November 2001), Available at
  28. 28.
    Voigtländer, P.: Entwicklung einer Hardwarearchitektur für einen AES-Coprozessor. In: Diplomarbeit, Fachbereich Informatik, Mathematik und Naturwissenshaften, Technische Informatik, May 2, 2003, HTWK Leipzig, Germany (2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Johannes Blömer
    • 1
  • Jorge Guajardo
    • 2
  • Volker Krummel
    • 1
  1. 1.University of PaderbornPaderbornGermany
  2. 2.Infineon Technologies, Secure Mobile SolutionsMunichGermany

Personalised recommendations