On Masked Galois-Field Multiplication for Authenticated Encryption Resistant to Side Channel Analysis

  • Hirokazu Oshida
  • Rei Ueno
  • Naofumi Homma
  • Takafumi Aoki
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10815)


This paper presents a side-channel attack on the masked Galois-field (GF) multiplication used in authenticated encryption schemes such as AES-GCM, together with a new countermeasure against that attack. Although the previous side-channel attack can recover the full key of GHASH in AES-GCM, no countermeasure has been discussed or evaluated until now. In this paper, we first apply a straightforward masking countermeasure to the GF multiplication in GHASH and show that the masked GF multiplication resists the previous attack. We then show that this straightforwardly masked GHASH can be defeated by a new attack that exploits the variance of the power traces. The feasibility of the new attack is demonstrated by an experiment with power traces measured from a smart card running the masked GHASH. Finally, we propose a new masking countermeasure against the proposed attack.
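To make the first step of the abstract concrete, here is an added example (not code from the paper or its authors) of GHASH's GF(2^128) multiplication, the unmasked GHASH, and a straightforward Boolean-masked GHASH that keeps the accumulator in two additive shares. The masking scheme is an assumption about what a "straightforward" countermeasure looks like: because multiplication by the hash key H is GF(2)-linear, each share can be multiplied by H on its own and the unmasked value is only recombined at the end. The GF(2^128) arithmetic follows the bit-reflected convention of the GCM specification by McGrew and Viega, and the embedded test vector is GCM test case 2 from that specification; all function names are the example's own. The last function is a simulated first-order check on the mean Hamming weight of one share, which is the property such masking gives; it says nothing about higher moments, which is where the abstract's variance-based attack operates.

```python
# Added example (not from the paper): GHASH over GF(2^128), unmasked and with a
# two-share Boolean masking of the accumulator. Masking scheme is an assumption.
import random

# GCM reduction constant R = 11100001 || 0^120 (McGrew-Viega bit ordering);
# 128-bit blocks are handled as big-endian Python integers.
R = 0xE1 << 120
BLOCK_BYTES = 16

# GCM specification test case 2: H = AES_0(0^128), C = one all-zero block encrypted.
H_TV = 0x66E94BD4EF8A2C3B884CFA59CA342B2E
C_TV = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
GHASH_TV = 0xF38CBB1AD69223DCC3457AE5B6B0F885


def gf128_mul(x: int, y: int) -> int:
    """x * y in GF(2^128) with GCM's bit ordering (NIST SP 800-38D, Algorithm 1)."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:      # bit i of x, leftmost bit first
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def _blocks(data: bytes):
    """Split data into 16-byte blocks, zero-padding the last one."""
    for i in range(0, len(data), BLOCK_BYTES):
        chunk = data[i:i + BLOCK_BYTES].ljust(BLOCK_BYTES, b"\0")
        yield int.from_bytes(chunk, "big")


def _length_block(aad: bytes, ct: bytes) -> int:
    """len(A) || len(C), both as 64-bit bit counts."""
    return ((len(aad) * 8) << 64) | (len(ct) * 8)


def _inputs(aad: bytes, ct: bytes):
    return list(_blocks(aad)) + list(_blocks(ct)) + [_length_block(aad, ct)]


def ghash(h: int, aad: bytes, ct: bytes) -> int:
    """Unmasked GHASH: X <- (X xor block) * H over AAD, ciphertext, then lengths."""
    x = 0
    for blk in _inputs(aad, ct):
        x = gf128_mul(x ^ blk, h)
    return x


def masked_ghash(h: int, aad: bytes, ct: bytes, rng=None) -> int:
    """Boolean-masked GHASH: the accumulator is held as (x0, x1) with X = x0 xor x1.

    Multiplication by H distributes over xor, so (x0 xor x1 xor blk) * H equals
    (x0 xor blk) * H xor x1 * H; the shares never have to be recombined inside
    the loop. A fresh value is xored into both shares after every block so the
    pair does not evolve deterministically from the initial mask.
    """
    rng = rng or random.SystemRandom()   # OS-backed randomness for the masks
    m = rng.getrandbits(128)
    x0, x1 = m, m                        # X = x0 xor x1 = 0
    for blk in _inputs(aad, ct):
        x0 = gf128_mul(x0 ^ blk, h)      # data share absorbs the block
        x1 = gf128_mul(x1, h)            # mask share is multiplied in parallel
        r = rng.getrandbits(128)         # refresh both shares with the same value
        x0 ^= r
        x1 ^= r
    return x0 ^ x1                       # unmask only the final digest


def share_hw_mean(h: int, blk: int, trials: int = 2000, seed: int = 1234) -> float:
    """Simulated first-order check: mean Hamming weight of the data share after
    one masked step, over fresh uniform masks (seeded PRNG for reproducibility).
    Multiplication by a nonzero H is a bijection, so the share stays uniform and
    the mean is ~64 whatever blk is: its first moment leaks nothing about blk."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        m = rng.getrandbits(128)
        total += bin(gf128_mul(m ^ blk, h)).count("1")
    return total / trials


if __name__ == "__main__":
    print(f"unmasked GHASH : {ghash(H_TV, b'', C_TV):032x}")
    print(f"masked GHASH   : {masked_ghash(H_TV, b'', C_TV):032x}")
    print(f"mean HW, blk=0 : {share_hw_mean(H_TV, 0):.2f}")
    print(f"mean HW, blk=1s: {share_hw_mean(H_TV, (1 << 128) - 1):.2f}")
```

Running the script reproduces the GHASH value of GCM test case 2 from both the plain and the masked routine, and the two mean-Hamming-weight figures come out close to 64 for very different inputs. The check deliberately covers only the first moment of a single share; assessing the countermeasure against the variance-based attack described above requires measuring the joint behaviour of the shares, which is outside this example.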


Keywords: Galois-field multiplication, AES-GCM, Masking, Side-channel attack, Authenticated encryption



We would like to show our greatest appreciation to Dr. S. Belaïd and Dr. B. Gérard for their valuable and insightful comments. This work has been supported by JSPS KAKENHI Grant No. 17H00729.



Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Hirokazu Oshida (corresponding author), Rei Ueno, Naofumi Homma, Takafumi Aoki: Tohoku University, Sendai-shi, Japan
