CryptoDB
Avoid Mask Re-use in Masked Galois Multipliers
Authors: | |
---|---|
Download: | |
Abstract: | This work examines a weakness in re-using masks for masked Galois inversion, specifically in the masked Galois multipliers. Here we show that the mask re-use scheme included in our work[1] cannot result in "perfect masking," regardless of the order in which the terms are added; explicit distributions are derived for each step. The same problem requires new masks in the subfield calculations, not included in [1]. Hence, for resistance to first-order differential attacks, the masked S-box must use distinct, independent masks for input and output bytes of the masked inverter, and new masks in the subfields, resulting in a larger size. Ref[1]: Canright, D., Batina, L.: A Very Compact "Perfectly Masked" S-Box for AES. In ACNS2008, LNCS 5037, Springer-Verlag (2008), 446-459 |
BibTeX
@misc{eprint-2009-18251, title={Avoid Mask Re-use in Masked Galois Multipliers}, booktitle={IACR Eprint archive}, keywords={implementation / AES, S-box, masking, DPA, composite Galois field}, url={http://eprint.iacr.org/2009/012}, note={unpublished dcanright@nps.edu 14259 received 5 Jan 2009, last revised 15 Jan 2009}, author={D. Canright}, year=2009 }