International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Paper: Avoid Mask Re-use in Masked Galois Multipliers

Authors:
D. Canright
Download:
URL: http://eprint.iacr.org/2009/012
Search ePrint
Search Google
Abstract: This work examines a weakness in re-using masks for masked Galois inversion, specifically in the masked Galois multipliers. Here we show that the mask re-use scheme included in our work[1] cannot result in "perfect masking," regardless of the order in which the terms are added; explicit distributions are derived for each step. The same problem requires new masks in the subfield calculations, not included in [1]. Hence, for resistance to first-order differential attacks, the masked S-box must use distinct, independent masks for input and output bytes of the masked inverter, and new masks in the subfields, resulting in a larger size. Ref[1]: Canright, D., Batina, L.: A Very Compact "Perfectly Masked" S-Box for AES. In ACNS2008, LNCS 5037, Springer-Verlag (2008), 446-459
BibTeX
@misc{eprint-2009-18251,
  title={Avoid Mask Re-use in Masked Galois Multipliers},
  booktitle={IACR Eprint archive},
  keywords={implementation / AES, S-box, masking, DPA, composite Galois field},
  url={http://eprint.iacr.org/2009/012},
  note={unpublished dcanright@nps.edu 14259 received 5 Jan 2009, last revised 15 Jan 2009},
  author={D. Canright},
  year=2009
}