Masking a compact AES S-box

摘要

When the Advanced Encryption Standard (AES) is implemented in hardware or software, it may be vulnerable to side-channel attacks such as differential power analysis. One countermeasure against such attacks is adding a random mask to the data; this randomizes the statistics of the calculation at the cost of computing mask corrections. The single nonlinear step in each round of the AES algorithm is called the S-box, which involves the greatest computational cost in a round (to find the inverse in the Galois field), as well as the greatest cost for mask corrections. Oswald et al.[9] showed how the tower field representation allows maintaining an additive mask throughout the Galois inverse calculation. This work combines that masking approach with the compact S-box of Canright, to give a masked Sbox that requires minimal circuitry, and hence the chip area.