Masking a Compact AES S-box

摘要

When the Advanced Encryption Standard (AES) is implemented in hardware or software, it may be vulnerable to side-channel attacks such as differential power analysis. One countermeasure against such attacks is adding a random mask to the data; this randomizes the statistics of the calculation at the cost of computing mask corrections. The single nonlinear step in each round of the AES algorithm is called the S-box, which involves the greatest computational cost in a round (to find the inverse in the Galois field), as well as the greatest cost for mask corrections. Oswald et al. 9) showed how the tower field representation allows maintaining an additive mask throughout the Galois inverse calculation. This work combines that masking approach with the compact S-box of Canright, to give a masked Sbox that requires minimal circuitry, and hence the chip area.