Cryptology ePrint Archive: Report 2009/012

Avoid Mask Re-use in Masked Galois Multipliers

D. Canright

Abstract: This work examines a weakness in re-using masks for masked Galois inversion, specifically in the masked Galois multipliers. Here we show that the mask re-use scheme included in our work[1] cannot result in "perfect masking," regardless of the order in which the terms are added; explicit distributions are derived for each step. The same problem requires new masks in the subfield calculations, not included in [1]. Hence, for resistance to first-order differential attacks, the masked S-box must use distinct, independent masks for input and output bytes of the masked inverter, and new masks in the subfields, resulting in a larger size.

Ref[1]: Canright, D., Batina, L.: A Very Compact "Perfectly Masked" S-Box for AES. In ACNS2008, LNCS 5037, Springer-Verlag (2008), 446-459

Category / Keywords: implementation / AES, S-box, masking, DPA, composite Galois field

Publication Info: unpublished

Date: received 5 Jan 2009, last revised 15 Jan 2009

Contact author: dcanright at nps edu

Available format(s): PDF | BibTeX Citation

Note: This note explains a problem in our previous work; the problem has since been corrected.

Version: 20090115:202133 (All versions of this report)

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]