Paper 2009/012

Avoid Mask Re-use in Masked Galois Multipliers

D. Canright

Abstract

This work examines a weakness in re-using masks for masked Galois inversion, specifically in the masked Galois multipliers. Here we show that the mask re-use scheme included in our work [1] cannot result in "perfect masking," regardless of the order in which the terms are added; explicit distributions are derived for each step. The same problem requires new masks in the subfield calculations, not included in [1]. Hence, for resistance to first-order differential attacks, the masked S-box must use distinct, independent masks for input and output bytes of the masked inverter, and new masks in the subfields, resulting in a larger size.

[1] Canright, D., Batina, L.: A Very Compact "Perfectly Masked" S-Box for AES. In ACNS 2008, LNCS 5037, Springer-Verlag (2008), 446-459

Note: This note explains a problem in our previous work; the problem has since been corrected.
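The abstract's criterion for "perfect masking" is that the distribution of every intermediate value, taken over the random masks, must not depend on the secret inputs. The following script is an added illustration, not code from this note or from [1]: it uses a generic five-term masked multiplier (a'·b' ⊕ a'·mb ⊕ ma·b' ⊕ ma·mb ⊕ mc, with shares a' = a ⊕ ma and b' = b ⊕ mb), which is an assumed decomposition rather than the circuit of [1], exhaustively tabulates the distribution of every possible running partial sum in GF(2^2), and then counts the term orderings in which all partial sums are first-order safe. With three independent masks some orderings are safe (those that add mc within the first two terms); when the output mask is re-used as mc = ma, no ordering is, which is the same phenomenon the abstract describes. The field size, polynomial and term names are the example's own choices.

```python
"""
Exhaustive first-order leakage check for a five-term masked GF(2^n) multiplier,
comparing three fresh masks with a re-used output mask (mc = ma).
Added illustration: the term decomposition is a generic one, not the circuit of [1].
"""
from itertools import permutations, product

N_BITS = 2            # GF(2^2), the smallest field of the AES tower; 4 also works but is much slower
MODULUS = 0b111       # x^2 + x + 1 (use 0b10011 for GF(2^4))
SIZE = 1 << N_BITS
NTERMS = 5
TERM_NAMES = ("a'*b'", "a'*mb", "ma*b'", "ma*mb", "mc")


def gf_mul(x, y):
    """Multiply in GF(2^N_BITS) modulo MODULUS (shift-and-add)."""
    r = 0
    for _ in range(N_BITS):
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x & SIZE:
            x ^= MODULUS
    return r


def terms(a, b, ma, mb, mc):
    """The five products whose XOR is a*b ^ mc, given shares a' = a^ma, b' = b^mb."""
    ap, bp = a ^ ma, b ^ mb
    t = (gf_mul(ap, bp), gf_mul(ap, mb), gf_mul(ma, bp), gf_mul(ma, mb), mc)
    assert t[0] ^ t[1] ^ t[2] ^ t[3] ^ t[4] == gf_mul(a, b) ^ mc
    return t


def fresh_masks():
    """Three independent uniform masks (ma, mb, mc)."""
    return list(product(range(SIZE), repeat=3))


def reused_masks():
    """Output mask re-used from the first input: mc = ma."""
    return [(ma, mb, ma) for ma, mb in product(range(SIZE), repeat=2)]


def partial_sum_distributions(masks):
    """For every nonempty subset of terms (a bitmask over term indices) and every
    secret pair (a, b): the histogram, over all mask values, of the XOR of that
    subset, i.e. of one candidate running partial sum."""
    subsets = range(1, 1 << NTERMS)
    dists = {s: {} for s in subsets}
    for a, b in product(range(SIZE), repeat=2):
        hists = {s: [0] * SIZE for s in subsets}
        for ma, mb, mc in masks:
            t = terms(a, b, ma, mb, mc)
            for s in subsets:
                v = 0
                for i in range(NTERMS):
                    if s >> i & 1:
                        v ^= t[i]
                hists[s][v] += 1
        for s in subsets:
            dists[s][(a, b)] = tuple(hists[s])
    return dists


def is_first_order_safe(per_secret):
    """Perfect masking for one intermediate: its distribution is the same for every (a, b)."""
    return len(set(per_secret.values())) == 1


def safe_subsets(masks):
    return {s for s, d in partial_sum_distributions(masks).items() if is_first_order_safe(d)}


def perfect_orders(masks):
    """Term orderings in which every running partial sum is first-order safe."""
    safe = safe_subsets(masks)
    good = []
    for order in permutations(range(NTERMS)):
        prefix, ok = 0, True
        for i in order:
            prefix |= 1 << i
            if prefix not in safe:
                ok = False
                break
        if ok:
            good.append(tuple(TERM_NAMES[i] for i in order))
    return good


if __name__ == "__main__":
    for label, masks in (("fresh masks", fresh_masks()), ("mc = ma re-used", reused_masks())):
        print(f"{label}: {len(perfect_orders(masks))} of 120 term orders are perfectly masked")
    # One leaking intermediate under re-use: a'*b' ^ mc (term bits 0 and 4).
    leak = partial_sum_distributions(reused_masks())[0b10001]
    for key in ((0, 0), (1, 0)):
        print(f"  a'*b' ^ mc with (a, b) = {key}: value histogram {leak[key]}")
```

The safe-subset table is the whole argument: an ordering is perfectly masked only if each of its prefixes is a safe subset, so once the table shows that no chain of safe subsets of sizes 1 through 5 exists, no clever re-ordering can rescue the re-used mask. In GF(2^2) the first partial sum a'·b' ⊕ mc under mc = ma takes the value 0 with probability 7/16 when (a, b) = (0, 0) but only 3/16 when (a, b) = (1, 0), which is exactly the kind of secret-dependent distribution a first-order DPA exploits.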

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Published elsewhere. unpublished
Keywords
AES, S-box, masking, DPA, composite Galois field
Contact author(s)
dcanright @ nps edu
History
2009-01-15: revised
2009-01-12: received
Short URL
https://ia.cr/2009/012
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2009/012,
      author = {D. Canright},
      title = {Avoid Mask Re-use in Masked Galois Multipliers},
      howpublished = {Cryptology {ePrint} Archive, Paper 2009/012},
      year = {2009},
      url = {https://eprint.iacr.org/2009/012}
}