A Very Compact "Perfectly Masked" S-Box for AES

Implementations of the Advanced Encryption Standard (AES), including hardware applications with limited resources (e.g., smart cards), may be vulnerable to “side-channel attacks” such as differential power analysis. One countermeasure against such attacks is adding a random mask to the data; this randomizes the statistics of the calculation at the cost of computing “mask corrections.” The single nonlinear step in each AES round is the “S-box” (involving a Galois inversion), which incurs the majority of the cost for mask corrections. Oswald et al.[1] showed how the “tower field” representation allows maintaining an additive mask throughout the Galois inverse calculation. This work applies a similar masking strategy to the most compact (unmasked) S-box to date[2]. The result is the most compact masked S-box so far, with “perfect masking” (by the definition of Blömer[3]) giving suitable implementations immunity to first-order differential side-channel attacks.
D. Canright, Lejla Batina
Added 01 Jun 2010
Updated 01 Jun 2010
Type Conference
Year 2008
Where ACNS