A Very Compact “Perfectly Masked” S-Box for AES
Background | Compact Masked S-box | Results | Summary
A Very Compact “Perfectly Masked” S-Box for AES
D. Canright (1), Lejla Batina (2)
(1) Applied Math., Naval Postgraduate School, Monterey CA, USA
(2) K.U. Leuven ESAT/COSIC, Leuven-Heverlee, Belgium
Applied Cryptography and Network Security, 2008
D. Canright, Lejla Batina Very Compact “Perfectly Masked” AES S-Box
Goal of Present Work
How small can a Masked S-box be?
OOPS!
In preparing this talk, I discovered a subtle error that occurred in a few places.
This talk includes the corrections. Please accept my apologies for the errors.
But the subtle error is itself rather interesting; the details are available in a hardcopy Corrigendum.
Outline
1. Background: Previous Work; Advanced Encryption Standard
2. Compact Masked S-box: Algebraic Description of Masked Inversion; Security of Masking; Optimizations
3. Results
Previous Work
Different applications have different constraints & goals.
speed: throughput and/or latency (by parallelism, pipelining) [Morioka & Satoh, 2002; Weaver & Wawrzynek, 2002; Jarvinen et al., 2003]
low power: e.g., for smart cards [Morioka & Satoh, 2003; Feldhofer et al., 2005]
small size: for limited circuitry, e.g., also smart cards [Rudra et al., 2001; Satoh et al., 2001; Wolkerstorfer et al., 2002; Chodowiec & Gaj, 2003; Feldhofer et al., 2005]
Compact S-box: Prior Work
benchmark: Satoh et al. (2001), used composite fields for S-box
some improvement: Mentens et al. (2005), considered other isomorphisms (64); estimated 5% smaller than Satoh benchmark
more improvement: Canright (2005)
  considered more isomorphisms (432), incl. normal bases
  fully optimized basis-change matrices
  logic-gate substitution (NOR for NAND and XORs)
  result is 20% smaller S-box than Satoh benchmark
Masked S-box
Akkar & Giraud, 2001 — some vulnerabilities
Golic & Tymen, 2002 — some vulnerabilities
Blömer et al., 2004 — “provably secure”
Oswald et al., 2005 — “provably secure”
Mangard, Pramstaller & Oswald, 2005 — broken!
Mangard & Schramm, 2006 — glitch problem solved!
Problem: glitches in specific XORs
Solution: timing constraints: insert delays or use enable signals
AES Algorithm
AES is a symmetric block (128-bit) cipher; from the key (128, 192, or 256 bits), a different round key (128-bit) is generated for each of n (10, 12, or 14) rounds; each block is processed by rounds:
round 0: Add Round Key.
rounds 1 to n − 1: S-Box; Shift Rows; Mix Columns; Add Round Key.
round n: S-Box; Shift Rows; Add Round Key.
step 1: Add Round Key
for whole 128-bit block:
in ⊕ key → out
where ⊕ is bitwise exclusive-or (XOR), same as addition in Galois Field.
(For decryption, inverse operation is identical.)
step 2: S-Box (Byte Substitution)
for each 8-bit byte $a$:
1. Inverse: let $c = a^{-1}$, the inverse in $GF(2^8)$
2. Affine: the output $s$ is $M c \oplus b$:
$$
\begin{bmatrix} s_7 \\ s_6 \\ s_5 \\ s_4 \\ s_3 \\ s_2 \\ s_1 \\ s_0 \end{bmatrix}
=
\begin{bmatrix}
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1 \\
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1
\end{bmatrix}
\begin{bmatrix} c_7 \\ c_6 \\ c_5 \\ c_4 \\ c_3 \\ c_2 \\ c_1 \\ c_0 \end{bmatrix}
\oplus
\begin{bmatrix} 0 \\ 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \end{bmatrix}
$$
step 3: Shift Rows
for $4 \times 4$ byte matrix, rotate rows 0–3 left accordingly:
$$
\begin{bmatrix} a & b & c & d \\ e & f & g & h \\ i & j & k & l \\ m & n & o & p \end{bmatrix}
\rightarrow
\begin{bmatrix} a & b & c & d \\ f & g & h & e \\ k & l & i & j \\ p & m & n & o \end{bmatrix}
$$
step 4: Mix Columns
for each 4-byte column $C$ of the $4 \times 4$ byte matrix:
$$
\begin{bmatrix} 2 & 3 & 1 & 1 \\ 1 & 2 & 3 & 1 \\ 1 & 1 & 2 & 3 \\ 3 & 1 & 1 & 2 \end{bmatrix}
\begin{bmatrix} C_0 \\ C_1 \\ C_2 \\ C_3 \end{bmatrix}
\rightarrow
\begin{bmatrix} D_0 \\ D_1 \\ D_2 \\ D_3 \end{bmatrix}
$$
where byte multiplication and addition are in $GF(2^8)$.
Similar for decryption, but with matrix
$$
\begin{bmatrix} E & B & D & 9 \\ 9 & E & B & D \\ D & 9 & E & B \\ B & D & 9 & E \end{bmatrix}
$$
Nonlinearity/Complexity
of the four steps:
the steps Shift Rows, Mix Columns, & Add Round Key are linear operations (and easy)
the S-box function is nonlinear due to the inverse operation in $GF(2^8)$, and is complicated to compute
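As an added worked example (not from the slides), the Python below checks steps 2 and 4 above in the standard polynomial basis: it computes the S-box as the $GF(2^8)$ inverse followed by the affine map $M c \oplus b$ with the matrix and constant shown on the S-box slide, and verifies that the decryption Mix Columns matrix is the inverse of the encryption one. The sample values in the checks (0x53 → 0xED, and the column db 13 53 45 → 8e 4d a1 bc) are the FIPS-197 examples, not values from the slides; all function names are this example's own.

```python
# Added example (not from the slides): the S-box affine step and the MixColumns matrices,
# computed in the standard polynomial basis GF(2^8) mod x^8 + x^4 + x^3 + x + 1.
# The check values (0x53 -> 0xED; db 13 53 45 -> 8e 4d a1 bc) are the FIPS-197 examples.

AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8), reducing by the AES polynomial as bits shift out."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r & 0xFF

def gf_inv(a):
    """Multiplicative inverse as a^254 (a^255 = 1 for a != 0); 0 is mapped to 0, as in AES."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

# Rows of the affine matrix M for s7 .. s0, each read as the coefficients of c7 .. c0,
# and the constant b = 01100011 = 0x63, exactly as on the S-box slide.
M_ROWS = [0b11111000, 0b01111100, 0b00111110, 0b00011111,
          0b10001111, 0b11000111, 0b11100011, 0b11110001]
B_CONST = 0b01100011

def affine(c):
    """s = M c XOR b; each row's dot product over GF(2) is the parity of (row AND c)."""
    s = 0
    for i, row in enumerate(M_ROWS):
        bit = bin(row & c).count("1") & 1
        s |= bit << (7 - i)
    return s ^ B_CONST

def sbox(a):
    """Step 2 of the slides: inverse in GF(2^8), then the affine map."""
    return affine(gf_inv(a))

# Mix Columns matrix and its decryption counterpart from the slides (hex coefficients).
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[0xE, 0xB, 0xD, 0x9], [0x9, 0xE, 0xB, 0xD],
           [0xD, 0x9, 0xE, 0xB], [0xB, 0xD, 0x9, 0xE]]

def mix_column(mat, col):
    """Apply a 4x4 byte matrix to a 4-byte column; products and sums are in GF(2^8)."""
    out = []
    for row in mat:
        v = 0
        for coef, byte in zip(row, col):
            v ^= gf_mul(coef, byte)
        out.append(v)
    return out

def mat_mul(p, q):
    """Product of two 4x4 byte matrices over GF(2^8); used to check MIX * INV_MIX = I."""
    out = [[0] * 4 for _ in range(4)]
    for i in range(4):
        for j in range(4):
            for k in range(4):
                out[i][j] ^= gf_mul(p[i][k], q[k][j])
    return out

IDENTITY = [[int(i == j) for j in range(4)] for i in range(4)]

if __name__ == "__main__":
    print(hex(sbox(0x53)), [hex(x) for x in mix_column(MIX, [0xDB, 0x13, 0x53, 0x45])])
    print("MIX * INV_MIX is the identity:", mat_mul(MIX, INV_MIX) == IDENTITY)
```

The inverse is computed by exponentiation here only because it is the shortest correct way to get step 1 in the standard basis; the slides' point is that a hardware S-box gets the same inverse far more cheaply through the tower-field recursion that follows.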
GF(2^8) Representation
standard: for $GF(2^8) = GF(2)^8$: $A = a_7 x^7 + \cdots + a_1 x + a_0$, where $a_i \in GF(2) = \{0, 1\}$ and $x^8 + x^4 + x^3 + x + 1 = 0$.
subfield (tower): for $GF(2^8) = GF(2^4)^2$: $A = a_1 x + a_0$ (polynomial basis) or $A = a_1 x_1 + a_0 x_0$ (normal basis), where $a_i, T, N \in GF(2^4)$ and $x^2 + T x + N = 0$;
then for $GF(2^4) = GF(2^2)^2$: $A = a_1 x + a_0$ or $A = a_1 x_1 + a_0 x_0$, where $a_i, T, N \in GF(2^2)$ and $x^2 + T x + N = 0$;
then for $GF(2^2) = GF(2)^2$: $A = a_1 x + a_0$ or $A = a_1 x_1 + a_0 x_0$, where $a_i \in GF(2)$ and $x^2 + x + 1 = 0$.
(note: $T$ is trace and $N$ is norm, over subfield)
Algebraic Description of Inversion, without masking
Notation: $\mathbf{A} \in GF(2^8)$; $A \in GF(2^4)$; $\mathbf{a} \in GF(2^2)$; $a \in GF(2)$

Inversion in $GF(2^8) = GF(2^4)^2$ mod $Y^2 + Y + N$
Given: $\mathbf{A} = A_1 Y^{16} + A_0 Y$
let $B = N \otimes (A_1 \oplus A_0)^2 \oplus A_1 \otimes A_0$
Result: $\mathbf{A}^{-1} = (A_0 \otimes B^{-1})\, Y^{16} + (A_1 \otimes B^{-1})\, Y$

Inversion in $GF(2^4) = GF(2^2)^2$ mod $Z^2 + Z + \mathbf{n}$
Given: $B = \mathbf{b}_1 Z^4 + \mathbf{b}_0 Z$
let $\mathbf{c} = \mathbf{n} \otimes (\mathbf{b}_1 \oplus \mathbf{b}_0)^2 \oplus \mathbf{b}_1 \otimes \mathbf{b}_0$
Result: $B^{-1} = (\mathbf{b}_0 \otimes \mathbf{c}^{-1})\, Z^4 + (\mathbf{b}_1 \otimes \mathbf{c}^{-1})\, Z$

Inversion in $GF(2^2) = GF(2)^2$ mod $w^2 + w + 1$
Given: $\mathbf{c} = c_1 w^2 + c_0 w$
Result: $\mathbf{c}^{-1} = c_0 w^2 + c_1 w$
Note: Inversion in $GF(2^2)$ is linear
Algebraic Description of Masked Inversion, part 1
(a tilde marks a masked value: $\tilde{\mathbf{A}} = \mathbf{A} \oplus \mathbf{M}$)

Masked Inversion in $GF(2^8)$
Given: $\tilde{\mathbf{A}} = (\mathbf{A} \oplus \mathbf{M}) = \tilde{A}_1 Y^{16} + \tilde{A}_0 Y$, $\quad \mathbf{M} = M_1 Y^{16} + M_0 Y$
let $\tilde{B} = Q \oplus N \otimes (\tilde{A}_1 \oplus \tilde{A}_0)^2 \oplus \tilde{A}_1 \otimes \tilde{A}_0 \oplus \tilde{A}_1 \otimes M_0 \oplus \tilde{A}_0 \otimes M_1 \oplus M_1 \otimes M_0$, $\quad M_2 = Q \oplus N \otimes (M_1 \oplus M_0)^2$

Masked Inversion in $GF(2^4)$
Given: $\tilde{B} = \tilde{\mathbf{b}}_1 Z^4 + \tilde{\mathbf{b}}_0 Z$, $\quad M_2 = \mathbf{m}_1 Z^4 + \mathbf{m}_0 Z$
let $\tilde{\mathbf{c}} = \mathbf{q} \oplus \mathbf{n} \otimes (\tilde{\mathbf{b}}_1 \oplus \tilde{\mathbf{b}}_0)^2 \oplus \tilde{\mathbf{b}}_1 \otimes \tilde{\mathbf{b}}_0 \oplus \tilde{\mathbf{b}}_1 \otimes \mathbf{m}_0 \oplus \tilde{\mathbf{b}}_0 \otimes \mathbf{m}_1 \oplus \mathbf{m}_1 \otimes \mathbf{m}_0$, $\quad \mathbf{m}_2^{*} = \mathbf{q} \oplus \mathbf{n} \otimes (\mathbf{m}_1 \oplus \mathbf{m}_0)^2$

Masked Inversion in $GF(2^2)$
Given: $\tilde{\mathbf{c}} = \tilde{c}_1 w^2 + \tilde{c}_0 w$
Result: $\tilde{\mathbf{c}}^{-1} = \tilde{c}_0 w^2 + \tilde{c}_1 w$, masked by $\mathbf{m}_2 = \mathbf{q}^2 \oplus \mathbf{n}^2 \otimes (\mathbf{m}_1 \oplus \mathbf{m}_0)$
Algebraic Description of Masked Inversion, part 2
back up to $GF(2^4)$
Given: a new (temporary) mask $T = \mathbf{t}_1 Z^4 + \mathbf{t}_0 Z$
let $\tilde{\mathbf{b}}^{-1}_1 = \mathbf{t}_1 \oplus \tilde{\mathbf{b}}_0 \otimes \tilde{\mathbf{c}}^{-1} \oplus \tilde{\mathbf{b}}_0 \otimes \mathbf{m}_2 \oplus \mathbf{m}_0 \otimes \tilde{\mathbf{c}}^{-1} \oplus \mathbf{m}_0 \otimes \mathbf{m}_2$
$\tilde{\mathbf{b}}^{-1}_0 = \mathbf{t}_0 \oplus \tilde{\mathbf{b}}_1 \otimes \tilde{\mathbf{c}}^{-1} \oplus \tilde{\mathbf{b}}_1 \otimes \mathbf{m}_2 \oplus \mathbf{m}_1 \otimes \tilde{\mathbf{c}}^{-1} \oplus \mathbf{m}_1 \otimes \mathbf{m}_2$
Result: $\tilde{B}^{-1} = \tilde{\mathbf{b}}^{-1}_1 Z^4 + \tilde{\mathbf{b}}^{-1}_0 Z$ (masked by $T$)
Algebraic Description of Masked Inversion, part 3
back up to $GF(2^8)$
Given: a new mask $\mathbf{S} = S_1 Y^{16} + S_0 Y$
let $\tilde{A}^{-1}_1 = S_1 \oplus \tilde{A}_0 \otimes \tilde{B}^{-1} \oplus \tilde{A}_0 \otimes T \oplus M_0 \otimes \tilde{B}^{-1} \oplus M_0 \otimes T$
$\tilde{A}^{-1}_0 = S_0 \oplus \tilde{A}_1 \otimes \tilde{B}^{-1} \oplus \tilde{A}_1 \otimes T \oplus M_1 \otimes \tilde{B}^{-1} \oplus M_1 \otimes T$
Result: $\tilde{\mathbf{A}}^{-1} = \tilde{A}^{-1}_1 Y^{16} + \tilde{A}^{-1}_0 Y$ (masked by $\mathbf{S}$)
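As an added example (not the authors' code), the Python below implements the unmasked tower-field inversion from the earlier slide and the masked inversion of parts 1 to 3, keeping every element in the normal bases $\{Y^{16}, Y\}$, $\{Z^4, Z\}$, $\{w^2, w\}$ as a pair of subfield elements. The norms $\mathbf{n}$ and $N$ are chosen by search (the slides do not fix them), the fresh masks $Q$, $\mathbf{q}$, $T$ come from a seeded generator, and all function names are this example's own. It checks exhaustively that $x \otimes x^{-1} = 1$ at every level and that unmasking the masked result gives the unmasked inverse; it demonstrates correctness only, since the order-of-addition and glitch conditions are the subject of the later slides.

```python
import random

# Added example, not the authors' code: the slides' tower-field inversion, unmasked and masked
# (parts 1-3), in the normal bases {Y^16, Y}, {Z^4, Z}, {w^2, w}. A level-k element is a pair
# (hi, lo) of level-(k-1) elements; level 0 is GF(2) as an int. The norms n (level 2) and
# N (level 3) are chosen here by search; the slides leave them open.

def add(x, y):
    """Field addition: coefficient-wise XOR at every level."""
    return x ^ y if isinstance(x, int) else (add(x[0], y[0]), add(x[1], y[1]))

def mul(level, x, y):
    """Normal-basis product, x = x1*U^q + x0*U with U + U^q = 1 and U*U^q = norm:
    x*y = (x1*y1 + t) U^q + (x0*y0 + t) U,  t = norm*(x1+x0)*(y1+y0)."""
    if level == 0:
        return x & y
    sub = level - 1
    t = mul(sub, NORM[level], mul(sub, add(x[0], x[1]), add(y[0], y[1])))
    return (add(mul(sub, x[0], y[0]), t), add(mul(sub, x[1], y[1]), t))

def square(level, x):
    return mul(level, x, x)

def inv(level, x):
    """Slide recursion: b = norm*(x1+x0)^2 + x1*x0, x^-1 = (x0*b^-1) U^q + (x1*b^-1) U.
    In GF(2^2) this is just a swap of the two bits (inversion there is linear)."""
    if level == 0:
        return x
    if level == 1:
        return (x[1], x[0])
    sub = level - 1
    b = add(mul(sub, NORM[level], square(sub, add(x[0], x[1]))), mul(sub, x[0], x[1]))
    binv = inv(sub, b)
    return (mul(sub, x[1], binv), mul(sub, x[0], binv))

def elements(level):
    """All elements of the level-k field, zero first."""
    if level == 0:
        return [0, 1]
    sub = elements(level - 1)
    return [(h, l) for h in sub for l in sub]

def one(level):
    """1 = U^q + U, so both normal-basis coefficients are 1."""
    return 1 if level == 0 else (one(level - 1), one(level - 1))

def pick_norm(level):
    """U^2 + U + norm is irreducible over the subfield iff no y there satisfies y^2 + y = norm."""
    sub = level - 1
    reachable = {add(square(sub, y), y) for y in elements(sub)}
    return next(c for c in elements(sub) if c not in reachable)

NORM = {}
for lvl in (1, 2, 3):              # GF(2^2), GF(2^4), GF(2^8); level 1 always gives 1
    NORM[lvl] = pick_norm(lvl)

def check_inversion(level=3):
    """Number of nonzero x with x * inv(x) != 1 (expected 0)."""
    return sum(1 for x in elements(level)[1:] if mul(level, x, inv(level, x)) != one(level))

def masked_inv(level, xm, m, rng):
    """Parts 1-3 of the slides: from xm = x + m return (ym, s) with ym = x^-1 + s.
    Fresh masks q (subfield) and t = (t1, t0) (output) are drawn from rng."""
    if level == 1:                 # linear inversion: swap value and mask alike
        return (xm[1], xm[0]), (m[1], m[0])
    sub = level - 1
    x1, x0 = xm
    m1, m0 = m
    q = rng.choice(elements(sub))
    # b~ = q + n(x1+x0)^2 + x1 x0 + x1 m0 + x0 m1 + m1 m0, masked by m2 = q + n(m1+m0)^2;
    # every product is added onto the already-masked running sum, in the slide's order.
    bm = q
    for term in (mul(sub, NORM[level], square(sub, add(x1, x0))), mul(sub, x1, x0),
                 mul(sub, x1, m0), mul(sub, x0, m1), mul(sub, m1, m0)):
        bm = add(bm, term)
    m2 = add(q, mul(sub, NORM[level], square(sub, add(m1, m0))))
    binv_m, mb = masked_inv(sub, bm, m2, rng)      # b~^-1, masked by mb
    t1, t0 = rng.choice(elements(sub)), rng.choice(elements(sub))
    y1, y0 = t1, t0
    for term in (mul(sub, x0, binv_m), mul(sub, x0, mb), mul(sub, m0, binv_m), mul(sub, m0, mb)):
        y1 = add(y1, term)
    for term in (mul(sub, x1, binv_m), mul(sub, x1, mb), mul(sub, m1, binv_m), mul(sub, m1, mb)):
        y0 = add(y0, term)
    return (y1, y0), (t1, t0)

def check_masked_inversion(level=3, seed=1):
    """Mismatches between the unmasked masked-inverse and inv(x) over all x (expected 0)."""
    rng = random.Random(seed)
    bad = 0
    for x in elements(level):
        m = rng.choice(elements(level))
        ym, s = masked_inv(level, add(x, m), m, rng)
        bad += add(ym, s) != inv(level, x)
    return bad

if __name__ == "__main__":
    print("norms", NORM, "unmasked mismatches", check_inversion(), "masked mismatches", check_masked_inversion())
```

Because no basis-change matrices are involved, the check works entirely inside the tower representation; mapping to and from the standard AES basis is the separate "basis change" cost counted in the Results slides.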
Re-using Masks in Masked Inversion, part 2
Re-Masked Inversion in $GF(2^2)$
Result: $\tilde{\mathbf{c}}^{-1} = [\tilde{c}_0 w^2 + \tilde{c}_1 w] \oplus (\mathbf{m}_1 \oplus \mathbf{m}_2)$ (masked by $\mathbf{m}_1$)
back up to $GF(2^4)$
let $\tilde{\mathbf{b}}^{-1}_1 = \mathbf{m}_{11} \oplus \tilde{\mathbf{b}}_0 \otimes \tilde{\mathbf{c}}^{-1} \oplus \tilde{\mathbf{b}}_0 \otimes \mathbf{m}_1 \oplus \mathbf{m}_0 \otimes \tilde{\mathbf{c}}^{-1} \oplus \mathbf{m}_0 \otimes \mathbf{m}_1$
remask $\tilde{\mathbf{c}}^{-1}_2 = \tilde{\mathbf{c}}^{-1} \oplus (\mathbf{m}_0 \oplus \mathbf{m}_1)$
let $\tilde{\mathbf{b}}^{-1}_0 = \mathbf{m}_{10} \oplus \tilde{\mathbf{b}}_1 \otimes \tilde{\mathbf{c}}^{-1}_2 \oplus \tilde{\mathbf{b}}_1 \otimes \mathbf{m}_0 \oplus \mathbf{m}_1 \otimes \tilde{\mathbf{c}}^{-1}_2 \oplus \mathbf{m}_1 \otimes \mathbf{m}_0$
Result: $\tilde{B}^{-1} = \tilde{\mathbf{b}}^{-1}_1 Z^4 + \tilde{\mathbf{b}}^{-1}_0 Z$ (masked by $M_1 = \mathbf{m}_{11} Z^4 + \mathbf{m}_{10} Z$)
Re-using Masks in Masked Inversion, part 3
back up to $GF(2^8)$
Given: $\tilde{B}^{-1}$ (masked by $M_1$)
let $\tilde{A}^{-1}_1 = S_1 \oplus \tilde{A}_0 \otimes \tilde{B}^{-1} \oplus \tilde{A}_0 \otimes M_1 \oplus M_0 \otimes \tilde{B}^{-1} \oplus M_0 \otimes M_1$
remask $\tilde{B}^{-1}_2 = \tilde{B}^{-1} \oplus (M_0 \oplus M_1)$
let $\tilde{A}^{-1}_0 = S_0 \oplus \tilde{A}_1 \otimes \tilde{B}^{-1}_2 \oplus \tilde{A}_1 \otimes M_0 \oplus M_1 \otimes \tilde{B}^{-1}_2 \oplus M_1 \otimes M_0$
Result: $\tilde{\mathbf{A}}^{-1} = \tilde{A}^{-1}_1 Y^{16} + \tilde{A}^{-1}_0 Y$ (masked by $\mathbf{S}$)
Note: $\mathbf{S}$ cannot be original $\mathbf{M}$
Re-using Masks between Rounds
What if re-use masks between rounds?
Pick inversion output mask $\mathbf{S}_i$ for each byte $i$
Convert from tower field, apply affine part of S-box, then ShiftRows; result is mask after last round: $\mathbf{M}_{last}$
Apply MixColumns; result is input mask for initial data before Round 0: $\mathbf{M}_{init}$
Convert to tower field; result is input mask for inversion step: $\mathbf{M}_i$ for each byte $i$
Compute terms such as $M_1 \otimes M_0$, $M_2$, $\mathbf{m}_1 \otimes \mathbf{m}_0$, and $\mathbf{m}_2$
Re-use those terms each round for inversion; also need data-dependent corrections
No correction terms for MixColumns or ShiftRows
Security of Masking
Assume a source of truly random uniformly distributed masks.
1. Given any $y \in F$ and independent uniform $x \in F$, then $z = x \oplus y$ is also uniform and independent of $y$.
2. Given $x$ and $y$ independent and uniform over $F_q$, then $z = x \otimes y$ has the “random product distribution”:
$$
\Pr(z = i) = \begin{cases} (2q - 1)/q^2, & i = 0 \\ (q - 1)/q^2, & i \neq 0 \end{cases}
$$
3. Given uniform $x \in F$, and one-to-one mapping $f : F \to F$, then $y = f(x)$ is also uniform.
4. Given $\vec{x} = [x_1, x_2, \cdots, x_{2n}]$ uniform over $F^{2n}$, then the two halves $\vec{y}_1 = [x_1, x_2, \cdots, x_n]$ and $\vec{y}_2 = [x_{n+1}, x_{n+2}, \cdots, x_{2n}]$ are independent and uniform over $F^n$.
“Perfect Masking”, with care
In our masking method (with constraints on order of addition):
each intermediate operand has either uniform or random product distribution
but masked multipliers cannot re-use input mask for output mask
and products must be added to masked sum (cannot add two products, since not independent)
for CMOS implementations, must satisfy timing constraints for glitches (use delays or enable signals)
Merged Architecture of Satoh et al.
[Block diagram: in → (basis change for encryption | inverse affine then basis change for decryption) → 2:1 mux → GF(2^8) inverter → 2:1 mux → (inverse basis change then affine for encryption | inverse basis change for decryption) → out]
Satoh architecture shares inverter between S-box and (S-box)^-1
(left pathways for encryption, right pathways for decryption)
This also allows pairs of transformations (input and output) to be optimized together
Optimizing Mask Corrections
use normal bases & optimal basis-change matrices
combine operations (e.g. 4-bit square-scale in 3 XORs)
re-use bit sums (hand optimized)
logic gate substitutions (e.g. 1 NOR for 1 NAND & 2 XORs)

Compare Masking Schemes by 4-bit operations (adapted from Oswald et al.)
(Mul: multiplications; Scl: scalings by a constant; Sq: squarings; SqScl: combined square-scale operations)
method    | Mul | Scl | Sq | SqScl
S-Akkar   |  18 |   6 |  4 |     0
S-Blömer  |  12 |   1 |  2 |     0
MS-IAIK   |   9 |   2 |  2 |     0
this work |   8 |   0 |  0 |     2
Results

Galois Inverter Only (totals in NAND-gate equivalents, per the cell library below)
inverter | gate counts             | total gates
masked   | 229 XOR, 94 NAND, 6 NOR | 501
unmasked | 56 XOR, 34 NAND, 6 NOR  | 138

Basis Change (& Affine) Only
basis change | merged                      | S-box       | (S-box)^-1
masked       | 78 XOR, 4 NOT, 32 MUX = 196 | 49 XOR = 86 | 50 XOR = 88
unmasked     | 38 XOR, 2 NOT, 16 MUX = 96  | 24 XOR = 42 | 25 XOR = 44

Complete S-box & Re-using Masks Between Rounds
masking  | merged | S-box | (S-box)^-1
masked   |    696 |   587 |        588
re-use   |    527 |   473 |        475
unmasked |    234 |   180 |        182

standard 0.13-µ CMOS cell library: XOR/XNOR = 7/4 NAND, NOR = 1 NAND, NOT = 3/4 NAND, MUX21I = 7/4 NAND
Summary
A masked S-box can be as small as 696 gates
Masking triples size of compact S-box (298%)
Re-using masks between rounds reduces that to over double (225%)
Addendum: Masked Multipliers cannot re-use masks
To mask a Galois multiplication $ab = c$, need three masks:
$a_m = a + m_a$, $b_m = b + m_b$, $c_m = c + m_c$
correctly masked multiply:
$a_m b_m + (m_a b_m + (a_m m_b + (m_a m_b + m_c)))$; get $c + m_c$
What if re-use input mask?
$a_m b_m + m_a b_m + a_m m_b + m_a m_b + m_a = P_1 + P_2 + P_3 + P_4 + m_a$; want $c + m_a$
1. either $P_2 + m_a$ or $P_4 + m_a$
2. either $(P_2 + m_a) + P_1$ or $(P_4 + m_a) + P_3$
3. nothing works!
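As an added example (not from the slides) serving both the “Security of Masking” facts and this addendum, the Python below exhaustively tabulates every intermediate of the masked multiplier over $GF(2^2)$, conditioned on the secret inputs $(a, b)$, and flags any intermediate whose distribution depends on the secret. It reproduces the addendum's sequence: with a fresh output mask $m_c$ the slide's order is safe at every step; with the input mask $m_a$ re-used, only $P_2 + m_a$ or $P_4 + m_a$ is safe as the first addition, only $(P_2 + m_a) + P_1$ or $(P_4 + m_a) + P_3$ as the second, and no order of the four products survives the third. The polynomial-basis representation of $GF(2^2)$ and all function names are this example's own choices.

```python
from collections import Counter
from itertools import permutations, product

# Added example, not from the slides: an exhaustive first-order check of the masked
# multiplier on the addendum slide, over GF(2^2) (q = 4) so that all masks can be enumerated.
# Every intermediate of the accumulation is tabulated over all uniform masks, separately for
# each secret pair (a, b); it is safe when its distribution does not depend on the secret.
# GF(2^2) is represented in a polynomial basis mod x^2 + x + 1, a choice of this example.

Q = 4

def gf4_mul(x, y):
    """Multiply in GF(2^2): product of two 2-bit polynomials, then reduce with x^2 = x + 1."""
    r = 0
    for i in range(2):
        if (y >> i) & 1:
            r ^= x << i
    if r & 0b100:
        r ^= 0b111
    return r

SECRETS = list(product(range(Q), repeat=2))     # every secret pair (a, b)
MASKS = list(product(range(Q), repeat=3))       # every (m_a, m_b, m_c): uniform by enumeration

def random_product_counts():
    """Fact 2 of the 'Security of Masking' slide: z = x*y for independent uniform x, y
    takes the value 0 with probability (2q-1)/q^2 and each nonzero value with (q-1)/q^2."""
    return dict(Counter(gf4_mul(x, y) for x in range(Q) for y in range(Q)))

def partial_products(a, b, ma, mb):
    """P1 = am*bm, P2 = ma*bm, P3 = am*mb, P4 = ma*mb, numbered as on the addendum slide."""
    am, bm = a ^ ma, b ^ mb
    return {1: gf4_mul(am, bm), 2: gf4_mul(ma, bm), 3: gf4_mul(am, mb), 4: gf4_mul(ma, mb)}

def prefix_distributions(order, reuse_input_mask):
    """Accumulate start + P[order[0]] + P[order[1]] + ..., where start is the fresh output
    mask m_c (correct multiplier) or the re-used input mask m_a. For each prefix, return a
    map secret -> Counter of that intermediate's values over all masks."""
    dists = [{} for _ in order]
    for a, b in SECRETS:
        counters = [Counter() for _ in order]
        for ma, mb, mc in MASKS:
            P = partial_products(a, b, ma, mb)
            acc = ma if reuse_input_mask else mc
            for k, i in enumerate(order):
                acc ^= P[i]
                counters[k][acc] += 1
        for k in range(len(order)):
            dists[k][(a, b)] = counters[k]
    return dists

def secret_independent(dist):
    """First-order safe: the same value distribution for every secret."""
    ref = next(iter(dist.values()))
    return all(c == ref for c in dist.values())

def safe_prefix_length(order, reuse_input_mask):
    """How many leading additions stay secret-independent before the first leaking one."""
    n = 0
    for dist in prefix_distributions(order, reuse_input_mask):
        if not secret_independent(dist):
            break
        n += 1
    return n

def best_safe_length(reuse_input_mask):
    """Best achievable over all 24 orders of adding the four products."""
    return max(safe_prefix_length(o, reuse_input_mask) for o in permutations((1, 2, 3, 4)))

def safe_prefixes(length, reuse_input_mask):
    """Leading sub-orders of the given length whose intermediates are all safe."""
    return {o[:length] for o in permutations((1, 2, 3, 4))
            if safe_prefix_length(o, reuse_input_mask) >= length}

if __name__ == "__main__":
    print("random product distribution:", random_product_counts())
    print("fresh output mask, slide order (4,3,2,1):", safe_prefix_length((4, 3, 2, 1), False), "of 4 safe")
    print("re-used input mask, best order:", best_safe_length(True), "of 4 safe")
    print("step 1 options:", safe_prefixes(1, True), "step 2 options:", safe_prefixes(2, True))
```

The check is a first-order, value-distribution test of the algebra only; it says nothing about glitches, which the slides handle separately with timing constraints. The same enumeration scales to $GF(2^4)$ by swapping in a 4-bit multiply and setting Q = 16.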
That’s All, Folks!
Thanks!