Journal article details
ETRI Journal
Efficient Masking Methods Appropriate for the Block Ciphers ARIA and AES
Keywords: AES; ARIA; composite field; masking method; side-channel attacks
Others: 1185935
DOI: 10.4218/etrij.10.0109.0181
【 Abstract 】

In this paper, we propose efficient masking methods for ARIA and AES. In general, a masked S-box (MS) block can be constructed in different ways depending on the implementation platform (hardware or software), whereas the other components of ARIA and AES have less impact on the implementation cost. We first propose an efficient masking structure that minimizes the number of mask corrections, under the assumption that an MS block is available. Second, to make a secure and efficient MS block for ARIA and AES, we propose novel methods to solve the table size problem of the MS block in a software implementation and to reduce the cost of the masked inversion, which is the main part of the MS block in a hardware implementation.
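The masking structure the abstract sketches, as an added example that is not the paper's or ETRI's code: a first-order Boolean-masked AES round built from a precomputed masked S-box (MS) table, with the mask tracked through ShiftRows and MixColumns and an explicit mask-correction step between rounds. All names (`masked_sbox_table`, `round_masked`, `remask`, `run`) and the seeded sample state, keys and masks are this example's own assumptions; the `shared_mask` switch illustrates the software table-size trade-off the abstract refers to.

```python
# Added example (not the paper's code): first-order Boolean masking of an AES round
# built on a precomputed masked S-box (MS) table.  All names are this example's own.
import random

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r

def gf_inv(a):
    """Inverse in GF(2^8) as a^254 (0 maps to 0, as AES requires)."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base, e = gf_mul(base, base), e >> 1
    return r if a else 0

def aes_sbox_byte(x):
    """AES S-box: field inversion, then the affine map y ^ rotl(y,1..4) ^ 0x63."""
    y = gf_inv(x)
    s = y
    for i in range(1, 5):
        s ^= ((y << i) | (y >> (8 - i))) & 0xFF
    return s ^ 0x63

SBOX = [aes_sbox_byte(x) for x in range(256)]
_SHIFT = [0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12, 1, 6, 11]  # ShiftRows, column-major state

def shift_rows(st):
    return [st[i] for i in _SHIFT]

def mix_columns(st):
    out = [0] * 16
    for c in range(4):
        a = st[4 * c:4 * c + 4]
        for r in range(4):
            out[4 * c + r] = gf_mul(a[r], 2) ^ gf_mul(a[(r + 1) % 4], 3) ^ a[(r + 2) % 4] ^ a[(r + 3) % 4]
    return out

def round_plain(st, rk):
    """Reference unmasked round: SubBytes, ShiftRows, MixColumns, AddRoundKey."""
    st = mix_columns(shift_rows([SBOX[b] for b in st]))
    return [a ^ k for a, k in zip(st, rk)]

def masked_sbox_table(m_in, m_out):
    """Software MS block: MS[x ^ m_in] = S[x] ^ m_out, one 256-byte table per mask pair."""
    t = [0] * 256
    for x in range(256):
        t[x ^ m_in] = SBOX[x] ^ m_out
    return t

def round_masked(mst, masks, rk, out_masks, tables):
    """Round on mst = state ^ masks (bytewise); returns (masked state, its masks).
    tables caches MS tables so the caller can count how many distinct ones were needed."""
    sub = []
    for b, mi, mo in zip(mst, masks, out_masks):
        if (mi, mo) not in tables:
            tables[(mi, mo)] = masked_sbox_table(mi, mo)
        sub.append(tables[(mi, mo)][b])            # now masked with out_masks
    st = mix_columns(shift_rows(sub))              # linear over XOR, so the mask ...
    mk = mix_columns(shift_rows(list(out_masks)))  # ... goes through the same maps
    return [a ^ k for a, k in zip(st, rk)], mk     # key addition leaves the mask alone

def remask(mst, masks, new_masks):
    """Mask correction: switch from masks to new_masks with one XOR per byte."""
    return [b ^ m ^ n for b, m, n in zip(mst, masks, new_masks)]

def run(shared_mask, n_rounds=2, seed=1):
    """Run n_rounds masked and unmasked on a constructed state; return
    (unmasked result == plain result, number of MS tables built).  Masks come from
    a seeded PRNG only so the demo is reproducible; real code needs fresh random masks."""
    rng = random.Random(seed)
    def fresh():                                   # shared: one mask pair -> one table
        if shared_mask:                            # per byte: up to 16 tables per round
            return [rng.randrange(256)] * 16
        return [rng.randrange(256) for _ in range(16)]
    st = [rng.randrange(256) for _ in range(16)]   # constructed sample state and keys
    rks = [[rng.randrange(256) for _ in range(16)] for _ in range(n_rounds)]
    tables, masks = {}, fresh()
    mst, plain = [b ^ m for b, m in zip(st, masks)], list(st)
    for rk in rks:
        mst, masks = round_masked(mst, masks, rk, fresh(), tables)
        plain = round_plain(plain, rk)
        nxt = fresh()                              # next round's input mask
        mst, masks = remask(mst, masks, nxt), nxt
    return [b ^ m for b, m in zip(mst, masks)] == plain, len(tables)
```

`run(True)` builds one MS table per round because all 16 state bytes share one (input mask, output mask) pair; `run(False)` draws an independent mask per byte and needs up to 16 tables (4 KB) per round, which is the table-size problem of a software MS block in its simplest form. `remask` is the mask-correction step whose count a masking structure tries to keep small; note that with a uniform mask m every MixColumns output byte of the mask is (2 ⊕ 3 ⊕ 1 ⊕ 1)·m = m, so the shared mask survives the linear layer unchanged, while per-byte masks must be recomputed alongside the state as `round_masked` does.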

【 Preview 】
Attachment: 20150520115905913.pdf (464KB, PDF)
【 References 】
  • [1] P. Kocher, J. Jaffe, and B. Jun, "Differential Power Analysis," CRYPTO, LNCS, vol. 1666, 1999, pp. 388-397.
  • [2] J. Ha et al., "Differential Power Analysis on Block Cipher ARIA," HPCC, LNCS, vol. 3726, 2005, pp. 541-548.
  • [3] J.D. Golic and C. Tymen, "Multiplicative Masking and Power Analysis of AES," CHES, LNCS, vol. 2523, 2002, pp. 198-212.
  • [4] C. Kim, M. Schläffer, and S. Moon, "Differential Side Channel Analysis Attacks on FPGA Implementations of ARIA," ETRI J., vol. 30, no. 2, Apr. 2008, pp. 315-325.
  • [5] F.X. Standaert, S.B. Örs, and B. Preneel, "Power Analysis of an FPGA Implementation of Rijndael: Is Pipelining a DPA Countermeasure?" CHES, LNCS, vol. 3156, 2004, pp. 30-44.
  • [6] T. Messerges, "Using Second-Order Power Analysis to Attack DPA Resistant Software," CHES, LNCS, vol. 1965, 2000, pp. 238-251.
  • [7] T. Messerges, "Securing the AES Finalists Against Power Analysis Attacks," FSE, LNCS, vol. 1978, 2000, pp. 150-164.
  • [8] E. Trichina, D.S. Seta, and L. Germani, "Simplified Adaptive Multiplicative Masking for AES," CHES, LNCS, vol. 2523, 2002, pp. 187-197.
  • [9] K. Schramm and C. Paar, "Higher Order Masking of the AES," CT-RSA, LNCS, vol. 3860, 2006, pp. 208-225.
  • [10] M.L. Akkar and C. Giraud, "An Implementation of DES and AES, Secure Against Some Attacks," CHES, LNCS, vol. 2162, 2001, pp. 309-318.
  • [11] J. Blömer, J. Guajardo, and V. Krummel, "Provably Secure Masking of AES," SAC, LNCS, vol. 3357, 2005, pp. 69-83.
  • [12] E. Oswald et al., "A Side-Channel Analysis Resistant Description of the AES S-Box," FSE, LNCS, vol. 3557, 2005, pp. 413-423.
  • [13] B. Zakeri et al., "Compact and Secure Design of Masked AES S-Box," ICICS, LNCS, vol. 4861, 2007, pp. 216-229.
  • [14] S. Mangard, N. Pramstaller, and E. Oswald, "Successfully Attacking Masked AES Hardware Implementations," CHES, LNCS, vol. 3659, 2005, pp. 157-171.
  • [15] D. Kwon et al., "New Block Cipher: ARIA," ICISC, LNCS, vol. 2971, 2004, pp. 432-445.
  • [16] J. Daemen and V. Rijmen, The Design of Rijndael: AES - The Advanced Encryption Standard, Springer, 2002.
  • [17] C. Adams and S. Tavares, "The Structured Design of Cryptographically Good S-Boxes," J. Cryptology, vol. 3, no. 1, 1990, pp. 27-42.
  • [18] L. O'Connor, "On the Distribution of Characteristics in Bijective Mappings," EUROCRYPT, LNCS, vol. 765, 1994, pp. 360-370.
  • [19] A. Satoh et al., "A Compact Rijndael Hardware Architecture with S-Box Optimization," ASIACRYPT, LNCS, vol. 2248, 2001, pp. 239-254.
  • [20] Atmel Corporation, Datasheet: ATmega128(L), http://www.atmel.com/products/avr/.
  • [21] C. Herbst, E. Oswald, and S. Mangard, "An AES Smart Card Implementation Resistant to Power Analysis Attacks," ACNS, LNCS, vol. 3989, 2006, pp. 239-252.
  • [22] E. Oswald and K. Schramm, "An Efficient Masking Scheme for AES Software Implementations," WISA, LNCS, vol. 3786, 2006, pp. 292-305.
  • [23] B. Koo et al., "Design and Implementation of Unified Hardware for 128-Bit Block Ciphers ARIA and AES," ETRI J., vol. 29, no. 6, Dec. 2007, pp. 80-82.
  • [24] J. Wolkerstorfer, E. Oswald, and M. Lamberger, "An ASIC Implementation of the AES S-Boxes," CT-RSA, LNCS, vol. 2271, 2002, pp. 67-78.