On Masked Galois-Field Multiplication for Authenticated Encryption Resistant to Side Channel Analysis

  • Hirokazu Oshida
  • Rei Ueno
  • Naofumi Homma
  • Takafumi Aoki
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10815)


This paper presents a side-channel attack on the masked Galois-field (GF) multiplication used in authenticated encryption schemes such as AES-GCM, together with a new countermeasure against the proposed attack. Although the previous side-channel attack is likely to recover the full key of GHASH in AES-GCM, no countermeasure has been discussed and evaluated until now. In this paper, we first apply a straightforward masking countermeasure to the GF multiplication in GHASH and show that the masked GF multiplication resists the previous attack. We then show that this straightforwardly masked GHASH can be defeated by a new attack that exploits the variance of the power traces. The feasibility of the new attack is demonstrated experimentally with power traces measured from a smart card running the masked GHASH. Finally, we propose a new masking countermeasure against the proposed attack.
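As an added illustration (not code from the paper or its authors), here is the kind of straightforward first-order Boolean masking the abstract refers to, applied to the GF(2^128) multiplication inside GHASH: the hash key H and the running state are each kept as two random shares and are never recombined during hashing, using a 2-share ISW-style product. The paper's exact construction, the variance-based attack and the new countermeasure are not given on this page; the ISW recombination, the function names and the use of GCM test-case values in the check are my assumptions.

```python
import secrets

# GCM reduction constant: x^128 + x^7 + x^2 + x + 1 in GCM's reflected bit order
R = 0xE1000000000000000000000000000000

def gf128_mul(x, y):
    """Multiplication in GF(2^128) as specified for GCM (bit 0 is the MSB)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def ghash(h, blocks):
    """Unmasked GHASH over 128-bit integer blocks (caller appends the length block)."""
    y = 0
    for c in blocks:
        y = gf128_mul(y ^ c, h)
    return y

def split_key(h, rand=secrets.randbits):
    """Split the hash key H into two random Boolean shares with h0 ^ h1 == H."""
    h0 = rand(128)
    return h0, h0 ^ h

def ghash_masked(h_shares, blocks, rand=secrets.randbits):
    """First-order masked GHASH (added illustration, not the paper's scheme).

    Because GF multiplication is bilinear, (a0 ^ a1) * (h0 ^ h1) splits into four
    partial products; a fresh random r refreshes the cross terms so that neither
    output share depends on the unshared key (2-share ISW multiplication).
    """
    h0, h1 = h_shares
    y0 = rand(128)            # state 0 represented as the share pair (y0, y0)
    y1 = y0
    for c in blocks:
        a0, a1 = y0 ^ c, y1   # public block enters one share only
        r = rand(128)         # fresh mask per multiplication
        y0 = gf128_mul(a0, h0) ^ r
        y1 = gf128_mul(a1, h1) ^ ((r ^ gf128_mul(a0, h1)) ^ gf128_mul(a1, h0))
    return y0, y1

def unmask(shares):
    """Recombine two Boolean shares (done only once, when the tag is formed)."""
    s0, s1 = shares
    return s0 ^ s1
```

The masked routine returns the same value as the unmasked one for any key split, while no intermediate ever equals H or Y in the clear; the check below uses the hash key and ciphertext block from the GCM specification's second test case.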


Keywords: Galois-field multiplication, AES-GCM, Masking, Side-channel attack, Authenticated encryption



We would like to show our greatest appreciation to Dr. S. Belaïd and Dr. B. Gérard for their valuable and insightful comments. This work has been supported by JSPS KAKENHI Grant No. 17H00729.



Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Hirokazu Oshida (1)
  • Rei Ueno (1)
  • Naofumi Homma (1)
  • Takafumi Aoki (1)
  1. Tohoku University, Sendai-shi, Japan
