Abstract
A typical approach to protecting a symmetric-key cryptographic algorithm against differential power analysis (DPA) is masking, which randomizes every intermediate value of the algorithm. The most time-consuming part of a masking scheme is generating the masked S-boxes; most software DPA countermeasures implement them as freshly generated look-up tables.
In this paper we present an improved masking scheme that builds efficient masked S-boxes by revisiting how arithmetic in small composite fields is used. Our scheme is necessarily slower than an unprotected AES implementation, but it is much faster than the existing method that randomizes a whole S-box for each of 16 masks. In addition, one variant of our scheme is 20% faster and uses less memory than Oswald's work, which uses a method similar to the proposed approach; another variant roughly halves the memory at the cost of a 9% slowdown. We concentrate on the trade-off between memory size and operation speed.
References
[1] Daemen, J., Rijmen, V.: AES proposal: Rijndael (1998)
[2] Satoh, A., Morioka, S., Takano, K., Munetoh, S.: A compact Rijndael hardware architecture with S-Box optimization. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 239–254. Springer, Heidelberg (2001)
[3] Rudra, A., Dubey, P.K., Jutla, C.S., Kumar, V., Rao, J.R., Rohatgi, P.: Efficient Rijndael encryption implementation with composite field arithmetic. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 171–184. Springer, Heidelberg (2001)
[4] Paar, C.: Efficient VLSI architectures for bit-parallel computation in Galois fields. Ph.D. dissertation, Institute for Experimental Mathematics, University of Essen, Germany (1994)
[5] Canright, D.: A very compact S-Box for AES. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 441–455. Springer, Heidelberg (2005)
[6] Canright, D., Batina, L.: A very compact "Perfectly Masked" S-Box for AES. In: Bellovin, S.M., Gennaro, R., Keromytis, A.D., Yung, M. (eds.) ACNS 2008. LNCS, vol. 5037, pp. 446–459. Springer, Heidelberg (2008)
[7] Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)
[8] Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)
[9] Gandolfi, K., Mourtel, C., Olivier, F.: Electromagnetic analysis: concrete results. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 251–261. Springer, Heidelberg (2001)
[10] Akkar, M.-L., Giraud, C.: An implementation of DES and AES, secure against some attacks. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 309–318. Springer, Heidelberg (2001)
[11] Golić, J.D., Tymen, C.: Multiplicative masking and power analysis of AES. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523. Springer, Heidelberg (2003)
[12] Trichina, E., de Seta, D., Germani, L.: Simplified adaptive multiplicative masking for AES. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523. Springer, Heidelberg (2003)
[13] Oswald, E., Mangard, S., Herbst, C., Tillich, S.: Practical second-order DPA attacks for masked smart card implementations of block ciphers. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 192–207. Springer, Heidelberg (2006)
[14] Messerges, T.S.: Using second-order power analysis to attack DPA resistant software. In: Paar, C., Koç, Ç.K. (eds.) CHES 2000. LNCS, vol. 1965, pp. 238–251. Springer, Heidelberg (2000)
[15] Trichina, E., Korkishko, L.: Secure and efficient AES software implementation for smart cards. In: Lim, C.H., Yung, M. (eds.) WISA 2004. LNCS, vol. 3325, pp. 425–439. Springer, Heidelberg (2005)
[16] Blömer, J., Guajardo, J., Krummel, V.: Provably secure masking of AES. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 69–83. Springer, Heidelberg (2004)
[17] Oswald, E., Mangard, S., Pramstaller, N., Rijmen, V.: A side-channel analysis resistant description of the AES S-Box. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 413–423. Springer, Heidelberg (2005)
[18] Oswald, E., Schramm, K.: An efficient masking scheme for AES software implementations. In: Song, J.-S., Kwon, T., Yung, M. (eds.) WISA 2005. LNCS, vol. 3786, pp. 292–305. Springer, Heidelberg (2006)
[19] Herbst, C., Oswald, E., Mangard, S.: An AES smart card implementation resistant to power analysis attacks. In: Zhou, J., Yung, M., Bao, F. (eds.) ACNS 2006. LNCS, vol. 3989, pp. 239–252. Springer, Heidelberg (2006)
[20] Wolkerstorfer, J., Oswald, E., Lamberger, M.: An ASIC implementation of the AES SBoxes. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 67–78. Springer, Heidelberg (2002)
[21] Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 398–412. Springer, Heidelberg (1999)
[22] Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004)
[23] ETRI and ICTK: SCARF evaluation board SCARF-ARM. http://www.k-scarf.or.kr
Acknowledgments
This work was supported by the K-SCARF project, the ICT R&D program of ETRI [Research on Key Leakage Analysis and Response Technologies].
A Appendix: Security Analysis
We show that the improved masking scheme is provably secure. To cover all masked values we must analyze the outputs of the tables \(T_{m_1}\), \(T_{m_2}\), \(T_{m_3}\), MIDbox(x), map and \(map^{-1}\), together with the output values of the arithmetic operations in formulas (4) to (9). We follow the security analysis methods of [16–18], which build on [21]. In [18], Lemmas 1 to 3 establish the security of four types of tables; in [17], Lemmas 1 to 4 show that the output values of all operations are secure, and Lemma 5 shows that a sum of intermediate results is secure as well. We reuse the same lemmas here.
Lemma 1
Let \(a \in GF(2^n)\) be arbitrary. Let \(m \in GF(2^n)\) be uniformly distributed in \(GF(2^n)\) and independent of a. Then a+m is uniformly distributed; that is, the distribution of a+m is independent of a.
This is Lemma 1 of [16]. It says that any value becomes uniformly random once it is combined, by field addition, with an independent uniformly random mask, so the value \(a+m\) does not depend on a. Summing several such masked values \(a_{i}+m_{i}\) preserves this property, as Lemma 2 states.
Lemma 2
Let \(a_{i} \in GF(2^n)\) be arbitrary. Let \(m_{i} \in GF(2^n)\) be independently and uniformly distributed in \(GF(2^n)\), independent of the \(a_{i}\). Then the distribution of \(\sum _{i} a_{i}+\sum _{i} m_{i}\) is independent of the \(a_{i}\).
Lemma 2 shows why the way sums are formed matters for a secure implementation: the order of the XOR operations and the independence of the masks [17]. Consequently, the operations in formulas (5) to (9) can be made independent of the sensitive information. It remains to prove the security of our three tables, which also follows from the same lemmas. We reuse Lemma 3 of [18] for the security of \(T_{m_1}\), the multiplication table in \(GF(2^4)\).
Lemma 3
Let \(a_{1},a_{2} \in GF(2^n)\) be arbitrary. Let \(m_{1},m_{2} \in GF(2^n)\) be independently and uniformly distributed in \(GF(2^n)\). Then, the probability distribution of \( T_{m_1}(a_{1}+m_{1},a_{2}+m_{2})=(a_{1}+m_{1}) \times (a_{2}+m_{2})\) is
Therefore, the distribution of \((a_{1}+m_{1}) \times (a_{2}+m_{2})\) is independent of \(a_{1}\) and \(a_{2}\).
We also reuse Lemma 4 of [17] for the security of \(T_{m_2}\), the multiplication-and-squaring table in \(GF(2^4)\). We fix the constant as {e} in \(GF(2^4)\).
Lemma 4
Let \(a \in GF(2^n)\) be arbitrary and \(0xE \in GF(2^n)\) a constant. Let \(m \in GF(2^n)\) be uniformly distributed in \(GF(2^n)\) and independent of a. Then the distributions of \((a+m)^{2}\) and \({e} \times (a+m)^{2}\) are independent of a. (Squaring is a bijection of \(GF(2^n)\) in characteristic 2 and {e} is nonzero, so both maps carry the uniformly distributed \(a+m\) to a uniformly distributed value.)
\(T_{m_3}\) is the table for the inversion, which is bijective, and its input \(a+m\) is independent of a; hence its output is independent of a as well. The map from \(GF(2^8)\) to \(GF(2^4) \times GF(2^4)\) and the composition of the inverse map with the affine function are also bijective. Therefore the masked output values are statistically independent of the unmasked input values.
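The lemmas above are stated for \(GF(2^n)\) in general. The following Python script is an added example, not part of the paper, that verifies them exhaustively in \(GF(2^4)\), the field in which \(T_{m_1}\), \(T_{m_2}\) and \(T_{m_3}\) operate. It assumes the field is represented modulo \(x^4+x+1\) (the paper's composite-field representation may use another polynomial; the lemmas hold for any choice) and takes the constant {e} to be the element 0xE as written in Lemma 4. For each masked function it checks that the histogram of outputs over all mask values is the same for every choice of the secret inputs, which is exactly the "independent of a" claim of the lemmas. It also shows the case the lemmas deliberately exclude: reusing one mask for both shares of a sum, where the mask cancels and the histogram depends on the secret.

```python
from collections import Counter
from itertools import product

# Added example, not from the paper: exhaustive check of Lemmas 1-4 in GF(2^4).
# Assumption: GF(2^4) is represented modulo x^4 + x + 1 (0x13). The paper's
# composite-field representation may use another polynomial; the lemmas do not
# depend on that choice.
POLY = 0x13
ORDER = 16
E = 0xE          # the constant {e} of Lemma 4 (assumed to be the element 0xE)


def gf16_mul(a, b):
    """Multiply two GF(2^4) elements bit-serially, reducing modulo POLY."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= POLY
    return r


def gf16_inv(a):
    """Multiplicative inverse by exhaustive search; inv(0) := 0 as in the AES S-box."""
    if a == 0:
        return 0
    return next(x for x in range(1, ORDER) if gf16_mul(a, x) == 1)


def mask_histogram(f, secrets, n_masks):
    """Histogram of f(*secrets, *masks) over all 16**n_masks equally likely mask tuples."""
    return Counter(f(*secrets, *masks) for masks in product(range(ORDER), repeat=n_masks))


def independent_of_secret(f, n_secrets, n_masks):
    """True iff the mask histogram of f is the same for every choice of the secret
    inputs, i.e. the distribution of f is independent of the secrets, as the lemmas claim."""
    seen = {tuple(sorted(mask_histogram(f, secrets, n_masks).items()))
            for secrets in product(range(ORDER), repeat=n_secrets)}
    return len(seen) == 1


# The masked operations of the appendix, written as f(secrets..., masks...).
def lemma1(a, m):                       # a + m
    return a ^ m

def lemma2(a1, a2, m1, m2):             # (a1 + m1) + (a2 + m2) with independent masks
    return (a1 ^ m1) ^ (a2 ^ m2)

def lemma2_reused_mask(a1, a2, m):      # same sum with one mask for both shares: m cancels
    return (a1 ^ m) ^ (a2 ^ m)

def lemma3(a1, a2, m1, m2):             # T_{m1}: (a1 + m1) * (a2 + m2)
    return gf16_mul(a1 ^ m1, a2 ^ m2)

def lemma4_square(a, m):                # T_{m2}: (a + m)^2
    return gf16_mul(a ^ m, a ^ m)

def lemma4_e_square(a, m):              # T_{m2}: e * (a + m)^2
    return gf16_mul(E, gf16_mul(a ^ m, a ^ m))

def t_m3(a, m):                         # T_{m3}: inversion of the masked input
    return gf16_inv(a ^ m)


def check_all():
    """Which claims hold; the reused-mask variant is the expected failure."""
    return {
        "lemma1": independent_of_secret(lemma1, 1, 1),
        "lemma2": independent_of_secret(lemma2, 2, 2),
        "lemma2_reused_mask": independent_of_secret(lemma2_reused_mask, 2, 1),
        "lemma3": independent_of_secret(lemma3, 2, 2),
        "lemma4_square": independent_of_secret(lemma4_square, 1, 1),
        "lemma4_e_square": independent_of_secret(lemma4_e_square, 1, 1),
        "t_m3": independent_of_secret(t_m3, 1, 1),
    }


def lemma3_histogram():
    """The secret-independent histogram of (a1+m1)(a2+m2): 31 of the 256 mask pairs
    give 0 and 15 give each nonzero value. Not uniform, but identical for every (a1, a2)."""
    return mask_histogram(lemma3, (0, 0), 2)


if __name__ == "__main__":
    for name, ok in check_all().items():
        print(f"{name:20s} {'independent of secret' if ok else 'LEAKS'}")
    print("Lemma 3 histogram:", dict(sorted(lemma3_histogram().items())))
```

The Lemma 3 histogram is worth a look: zero occurs for 31 of the 256 mask pairs and each nonzero product for 15, so the masked product is not uniform over \(GF(2^4)\). Because the histogram is identical for every \((a_1, a_2)\), however, it reveals nothing about the secrets, and that distinction between "uniform" and "independent of the secret" is what the lemma actually claims. The reused-mask case fails because the histogram collapses to the single value \(a_1+a_2\), which is why the independence of the masks in Lemma 2 is not a formality.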
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Ahn, S., Choi, D. (2016). An Improved Masking Scheme for S-Box Software Implementations. In: Kim, Hw., Choi, D. (eds) Information Security Applications. WISA 2015. Lecture Notes in Computer Science, vol 9503. Springer, Cham. https://doi.org/10.1007/978-3-319-31875-2_17
DOI: https://doi.org/10.1007/978-3-319-31875-2_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-31874-5
Online ISBN: 978-3-319-31875-2