Paper 2009/011

A Very Compact "Perfectly Masked" S-Box for AES (corrected)

D. Canright and Lejla Batina


Implementations of the Advanced Encryption Standard (AES), including hardware applications with limited resources (e.g., smart cards), may be vulnerable to "side-channel attacks" such as differential power analysis. One countermeasure against such attacks is adding a random mask to the data; this randomizes the statistics of the calculation at the cost of computing "mask corrections." The single nonlinear step in each AES round is the "S-box" (involving a Galois inversion), which incurs the majority of the cost for mask corrections. Oswald et al. showed how the "tower field" representation allows maintaining an additive mask throughout the Galois inverse calculation. This work applies a similar masking strategy to the most compact (unmasked) S-box to date. The result is the most compact masked S-box so far, with "perfect masking" (by the definition of Blomer) giving suitable implementations immunity to first-order differential side-channel attacks.

Note: This is a CORRECTED version of previously published work. The correction fixes a serious security flaw in the original.

Available format(s)
Publication info
Published elsewhere. ACNS2008, LNCS 5037, pp.446-459, Springer-Verlag
AESS-boxmaskingDPAcomposite Galois field
Contact author(s)
dcanright @ nps edu
2009-01-15: revised
2009-01-12: received
See all versions
Short URL
Creative Commons Attribution


      author = {D.  Canright and Lejla Batina},
      title = {A Very Compact "Perfectly Masked" S-Box for AES (corrected)},
      howpublished = {Cryptology ePrint Archive, Paper 2009/011},
      year = {2009},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.