A very compact 'perfectly masked' S-Box for AES (corrected)

摘要

Implementations of the Advanced Encryption Standard (AES), including hardware applications with limited resources (e.g., smart cards), may be vunerable to "side-channel attacks" such as differential power analysis. One countermeasure against such attacks is adding a random mask to the data; this rendomizes the statistics of the calculation at the cost of computing "mask corrections." The single nonlinear step in each AES round is the "S-box" (involving a Galois inversion), which incurs the majority of the cost for mark corrections. Oswald et al.(1) showed how the "tower field" representation allows maintaining an additive mask throughout the Galois inverse calculation. This work applies a similar masking strategy to the most compact Iunmasked) S-box to date (2). The result is the most compact S-box so far, with "perfect modeling" (by the definition of Blomer (3) giving suitable implementations immunity to first-order differential side-channel attacks.