Cryptology ePrint Archive: Report 2005/204

An Algebraic Masking Method to Protect AES Against Power Attacks

Nicolas Courtois and Louis Goubin

Abstract: The central question in constructing a secure and efficient masking method for AES is to address the interaction between additive masking and the inverse S-box of Rijndael. All recently proposed methods to protect AES against power attacks try to avoid this problem and work by decomposing the inverse in terms of simpler operations that are more easily protected against DPA by generic methods.

In this paper, for the first time, we look at the problem in the face, and show that this interaction is not as intricate as it seems. In fact, any operation, even complex, can be directly protected against DPA of any given order, if it can be embedded in a group that has a compact representation. We show that a secure computation of a whole masked inverse can be done directly in this way, using the group of homographic transformations over the projective space (but not exactly, with some non-trivial technicalities). This is used to propose a general high-level algebraic method to protect AES against power attacks of any given order.

Category / Keywords: implementation / DPA, AES, power attacks, smart cards

Date: received 28 Jun 2005, last revised 1 Jul 2005

Contact author: courtois at minrank org

Available format(s): Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation

Version: 20050701:201408 (All versions of this report)

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]