
A Very Compact “Perfectly Masked” S-Box for AES

D. Canright (1), Lejla Batina (2)

(1) Applied Math., Naval Postgraduate School, Monterey CA, USA

(2) K.U. Leuven ESAT/COSIC, Leuven-Heverlee, Belgium

Applied Cryptography and Network Security, 2008

D. Canright, Lejla Batina Very Compact “Perfectly Masked” AES S-Box

Goal of Present Work

How small can a Masked S-box be?

OOPS!

In preparing this talk, I discovered a subtle error that occurred in a few places.

This talk includes the corrections. Please accept my apologies for the errors.

But the subtle error is itself rather interesting; the details are available in a hardcopy Corrigendum.


Outline

1 Background: Previous Work; Advanced Encryption Standard

2 Compact Masked S-box: Algebraic Description of Masked Inversion; Security of Masking; Optimizations

3 Results

Previous Work

Different applications have different constraints & goals.

- speed: throughput and/or latency (by parallelism, pipelining)
  Morioka & Satoh, 2002; Weaver & Wawrzynek, 2002; Jarvinen et al., 2003
- low power: e.g., for smart cards
  Morioka & Satoh, 2003; Feldhofer et al., 2005
- small size: for limited circuitry, e.g., also smart cards
  Rudra et al., 2001; Satoh et al., 2001; Wolkerstorfer et al., 2002; Chodowiec & Gaj, 2003; Feldhofer et al., 2005

Compact S-box: Prior Work

- benchmark: Satoh et al. (2001), used composite fields for the S-box
- some improvement: Mentens et al. (2005), considered other isomorphisms (64); estimated 5% smaller than the Satoh benchmark
- more improvement: Canright (2005)
  - considered more isomorphisms (432), incl. normal bases
  - fully optimized basis-change matrices
  - logic-gate substitution (NOR for NAND and XORs)
  - result is a 20% smaller S-box than the Satoh benchmark


Masked S-box

- Akkar & Giraud, 2001: some vulnerabilities
- Golic & Tymen, 2002: some vulnerabilities
- Blömer et al., 2004: “provably secure”
- Oswald et al., 2005: “provably secure”
- Mangard, Pramstaller & Oswald, 2005: broken!
- Mangard & Schramm, 2006: glitch problem solved!

Problem: glitches in specific XORs
Solution: timing constraints (insert delays or use enable signals)


AES Algorithm

- AES is a symmetric block (128-bit) cipher
- from the key (128, 192, or 256 bits), a different 128-bit round key is generated for round 0 and for each of the n (10, 12, or 14) rounds
- each block is processed by rounds:
  - round 0: Add Round Key
  - rounds 1 to n − 1: S-Box; Shift Rows; Mix Columns; Add Round Key
  - round n: S-Box; Shift Rows; Add Round Key

step 1: Add Round Key

for the whole 128-bit block: $\mathit{in} \oplus \mathit{key} \to \mathit{out}$,
where $\oplus$ is bitwise exclusive-or (XOR), the same as addition in the Galois field.

(For decryption, the inverse operation is identical.)

step 2: S-Box (Byte Substitution)

for each 8-bit byte $a$:

1 Inverse: let $c = a^{-1}$, the inverse in $GF(2^8)$ (with the AES convention $0^{-1} = 0$)

2 Affine: the output $s$ is $M c \oplus b$:

$$
\begin{pmatrix} s_7 \\ s_6 \\ s_5 \\ s_4 \\ s_3 \\ s_2 \\ s_1 \\ s_0 \end{pmatrix}
=
\begin{pmatrix}
1&1&1&1&1&0&0&0\\
0&1&1&1&1&1&0&0\\
0&0&1&1&1&1&1&0\\
0&0&0&1&1&1&1&1\\
1&0&0&0&1&1&1&1\\
1&1&0&0&0&1&1&1\\
1&1&1&0&0&0&1&1\\
1&1&1&1&0&0&0&1
\end{pmatrix}
\begin{pmatrix} c_7 \\ c_6 \\ c_5 \\ c_4 \\ c_3 \\ c_2 \\ c_1 \\ c_0 \end{pmatrix}
\oplus
\begin{pmatrix} 0 \\ 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \end{pmatrix}
$$

(the constant $b = 01100011_2 = \mathtt{0x63}$)

step 3: Shift Rows

for the $4 \times 4$ byte matrix, rotate rows 0–3 left by 0, 1, 2, 3 positions respectively:

$$
\begin{pmatrix} a&b&c&d \\ e&f&g&h \\ i&j&k&l \\ m&n&o&p \end{pmatrix}
\;\to\;
\begin{pmatrix} a&b&c&d \\ f&g&h&e \\ k&l&i&j \\ p&m&n&o \end{pmatrix}
$$

step 4: Mix Columns

for each 4-byte column $C$ of the $4 \times 4$ byte matrix:

$$
\begin{pmatrix} 2&3&1&1 \\ 1&2&3&1 \\ 1&1&2&3 \\ 3&1&1&2 \end{pmatrix}
\begin{pmatrix} C_0 \\ C_1 \\ C_2 \\ C_3 \end{pmatrix}
=
\begin{pmatrix} D_0 \\ D_1 \\ D_2 \\ D_3 \end{pmatrix}
$$

where byte multiplication and addition are in $GF(2^8)$.

Similar for decryption, but with the matrix (entries in hexadecimal)

$$
\begin{pmatrix} E&B&D&9 \\ 9&E&B&D \\ D&9&E&B \\ B&D&9&E \end{pmatrix}
$$

Nonlinearity/Complexity of the four steps

- the steps Shift Rows, Mix Columns, & Add Round Key are linear operations (and easy)
- the S-box function is nonlinear due to the inverse operation in $GF(2^8)$, and is complicated to compute

GF(2^8) Representation

standard: for $GF(2^8) = GF(2)^8$: $A = a_7 x^7 + \cdots + a_1 x + a_0$, where $a_i \in GF(2) = \{0, 1\}$ and $x^8 + x^4 + x^3 + x + 1 = 0$.

subfield (tower): for $GF(2^8) = GF(2^4)^2$: $A = a_1 x + a_0$ (polynomial basis $[x, 1]$) or $A = a_1 x_1 + a_0 x_0$ (general basis $[x_1, x_0]$, e.g. the normal basis $[x^{16}, x]$ used below), where $a_i, T, N \in GF(2^4)$ and $x^2 + T x + N = 0$;
then for $GF(2^4) = GF(2^2)^2$: $A = a_1 x + a_0$ or $A = a_1 x_1 + a_0 x_0$, where $a_i, T, N \in GF(2^2)$ and $x^2 + T x + N = 0$;
then for $GF(2^2) = GF(2)^2$: $A = a_1 x + a_0$ or $A = a_1 x_1 + a_0 x_0$, where $a_i \in GF(2)$ and $x^2 + x + 1 = 0$.

(note: $T$ is the trace and $N$ the norm of $x$ over the subfield)


Algebraic Description of Inversion (without masking)

Notation (the slides distinguish the four field levels by typeface): $A \in GF(2^8)$; $A_1, A_0, B \in GF(2^4)$; $b_1, b_0, c \in GF(2^2)$; $c_1, c_0 \in GF(2)$.

Inversion in $GF(2^8) = GF(2^4)^2 \bmod Y^2 + Y + N$ (normal basis $[Y^{16}, Y]$)
Given: $A = A_1 Y^{16} + A_0 Y$,
let $B = N \otimes (A_1 \oplus A_0)^2 \oplus A_1 \otimes A_0$;
Result: $A^{-1} = (A_0 \otimes B^{-1})\, Y^{16} + (A_1 \otimes B^{-1})\, Y$

Here $B = A \otimes A^{16}$ is the norm of $A$ over $GF(2^4)$, so $A^{-1} = A^{16} \otimes B^{-1}$, and the conjugation $A \mapsto A^{16}$ just swaps the two coordinates in the normal basis; the same argument applies one level down.

Inversion in $GF(2^4) = GF(2^2)^2 \bmod Z^2 + Z + n$ (normal basis $[Z^4, Z]$)
Given: $B = b_1 Z^4 + b_0 Z$,
let $c = n \otimes (b_1 \oplus b_0)^2 \oplus b_1 \otimes b_0$;
Result: $B^{-1} = (b_0 \otimes c^{-1})\, Z^4 + (b_1 \otimes c^{-1})\, Z$

Inversion in $GF(2^2) = GF(2)^2 \bmod w^2 + w + 1$ (normal basis $[w^2, w]$)
Given: $c = c_1 w^2 + c_0 w$;
Result: $c^{-1} = c_0 w^2 + c_1 w$

Note: Inversion in $GF(2^2)$ is linear (it is the squaring map, i.e. a swap of the two coordinates).


Algebraic Description of Masked Inversion, part 1

(A tilde marks a masked value throughout: $\tilde A = A \oplus M$.)

Masked Inversion in $GF(2^8)$
Given: $\tilde A = A \oplus M = \tilde A_1 Y^{16} + \tilde A_0 Y$, $M = M_1 Y^{16} + M_0 Y$, and a fresh mask $Q \in GF(2^4)$,
let $\tilde B = Q \oplus N \otimes (\tilde A_1 \oplus \tilde A_0)^2 \oplus \tilde A_1 \otimes \tilde A_0 \oplus \tilde A_1 \otimes M_0 \oplus \tilde A_0 \otimes M_1 \oplus M_1 \otimes M_0$,
which equals $B \oplus M_2$ with $M_2 = Q \oplus N \otimes (M_1 \oplus M_0)^2$.

Masked Inversion in $GF(2^4)$
Given: $\tilde B = \tilde b_1 Z^4 + \tilde b_0 Z$, $M_2 = m_1 Z^4 + m_0 Z$, and a fresh mask $q \in GF(2^2)$,
let $\tilde c = q \oplus n \otimes (\tilde b_1 \oplus \tilde b_0)^2 \oplus \tilde b_1 \otimes \tilde b_0 \oplus \tilde b_1 \otimes m_0 \oplus \tilde b_0 \otimes m_1 \oplus m_1 \otimes m_0$,
masked by $m_2^{*} = q \oplus n \otimes (m_1 \oplus m_0)^2$.

Masked Inversion in $GF(2^2)$
Given: $\tilde c = \tilde c_1 w^2 + \tilde c_0 w$ (masked by $m_2^{*}$);
Result: $\tilde c^{-1} = \tilde c_0 w^2 + \tilde c_1 w$, masked by $m_2 = q^2 \oplus n^2 \otimes (m_1 \oplus m_0)$
(that is, $m_2 = (m_2^{*})^2$: inversion in $GF(2^2)$ is squaring, and $x^4 = x$ there).


Algebraic Description of Masked Inversion, part 2: back up to $GF(2^4)$

Given: a new (temporary) mask $T = t_1 Z^4 + t_0 Z$,
let $\tilde b_1^{-1} = t_1 \oplus \tilde b_0 \otimes \tilde c^{-1} \oplus \tilde b_0 \otimes m_2 \oplus m_0 \otimes \tilde c^{-1} \oplus m_0 \otimes m_2$,
$\tilde b_0^{-1} = t_0 \oplus \tilde b_1 \otimes \tilde c^{-1} \oplus \tilde b_1 \otimes m_2 \oplus m_1 \otimes \tilde c^{-1} \oplus m_1 \otimes m_2$;
Result: $\tilde B^{-1} = \tilde b_1^{-1}\, Z^4 + \tilde b_0^{-1}\, Z$ (masked by $T$)

Algebraic Description of Masked Inversion, part 3: back up to $GF(2^8)$

Given: a new mask $S = S_1 Y^{16} + S_0 Y$,
let $\tilde A_1^{-1} = S_1 \oplus \tilde A_0 \otimes \tilde B^{-1} \oplus \tilde A_0 \otimes T \oplus M_0 \otimes \tilde B^{-1} \oplus M_0 \otimes T$,
$\tilde A_0^{-1} = S_0 \oplus \tilde A_1 \otimes \tilde B^{-1} \oplus \tilde A_1 \otimes T \oplus M_1 \otimes \tilde B^{-1} \oplus M_1 \otimes T$;
Result: $\tilde A^{-1} = \tilde A_1^{-1}\, Y^{16} + \tilde A_0^{-1}\, Y$ (masked by $S$)
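The unmasked tower-field recursion (Algebraic Description of Inversion) and the masked recursion in parts 1 to 3, as an added runnable Python model; this is not the authors' code or their hardware netlist. The normal-basis layouts and the inversion formulas are taken from the slides. Three things are assumptions: the normal-basis multiplication rule in gf_mul (the standard one implied by Y^2 + Y + N = 0 with trace 1, which the slides do not write out), the norm constants n and N (not given on the slides; chosen by search in choose_norms), and every function and variable name. The model checks exhaustively that the recursion produces the inverse and that the masked path, fed random Q, q, T, S, unmasks to the same value.

```python
"""Tower-field GF(2^8) inversion in the slides' normal bases, unmasked and masked.

Added example, not the authors' code.  Layout follows the slides:
  GF(2^2) = GF(2)^2,   basis [w^2, w],  w^2 + w + 1 = 0
  GF(2^4) = GF(2^2)^2, basis [Z^4, Z],  Z^2 + Z + n = 0
  GF(2^8) = GF(2^4)^2, basis [Y^16, Y], Y^2 + Y + N = 0
An element is packed into an int: high half = coefficient of the conjugate
basis element (Y^16, Z^4, w^2), low half = coefficient of (Y, Z, w).  Since
Y^16 + Y = trace = 1, the field element 1 is the all-ones word at every level.
ASSUMPTION: the slides do not state n and N; choose_norms() takes the first
values whose quadratic has no root in the subfield.
"""
import random


def gf_mul(a, b, bits, norms):
    """Normal-basis product in GF(2^bits): with s = N (a1+a0)(b1+b0),
    c1 = a1 b1 + s and c0 = a0 b0 + s.  GF(2) multiplication is AND."""
    if bits == 1:
        return a & b
    half = bits // 2
    lo = (1 << half) - 1
    a1, a0, b1, b0 = a >> half, a & lo, b >> half, b & lo
    s = gf_mul(norms[bits], gf_mul(a1 ^ a0, b1 ^ b0, half, norms), half, norms)
    return ((gf_mul(a1, b1, half, norms) ^ s) << half) | (gf_mul(a0, b0, half, norms) ^ s)


def gf_inv(a, bits, norms):
    """Inversion as on the slides: B = N (a1+a0)^2 + a1 a0 is the norm of a over
    the subfield, so a^-1 = a^q B^-1, and a -> a^q swaps the two halves.
    In GF(2^2) inversion is just that swap.  0 maps to 0 (AES convention)."""
    if bits == 2:
        return ((a & 1) << 1) | (a >> 1)
    half = bits // 2
    lo = (1 << half) - 1
    a1, a0 = a >> half, a & lo
    t = a1 ^ a0
    B = gf_mul(norms[bits], gf_mul(t, t, half, norms), half, norms) ^ gf_mul(a1, a0, half, norms)
    Binv = gf_inv(B, half, norms)
    return (gf_mul(a0, Binv, half, norms) << half) | gf_mul(a1, Binv, half, norms)


def choose_norms():
    """n in GF(2^2) and N in GF(2^4) such that y^2 + y + n (resp. N) has no root
    in the subfield, so each extension really is a field.  w^2 + w + 1 = 0
    fixes the GF(2^2) constant to 1."""
    norms = {2: 1}
    for bits in (4, 8):
        half = bits // 2
        norms[bits] = next(c for c in range(1, 1 << half)
                           if all(gf_mul(y, y, half, norms) ^ y ^ c for y in range(1 << half)))
    return norms


def masked_inv(a_m, M, bits, norms, fresh):
    """Masked inversion, slides parts 1-3: from a_m = a ^ M and M return (r, S)
    with r = a^-1 ^ S, never forming a.  fresh(k) yields a uniform k-bit mask
    (Q, q, T, S on the slides).  Python evaluates the XOR chains left to
    right: fresh mask first, then one product at a time."""
    if bits == 2:                                   # linear: the mask just follows
        return gf_inv(a_m, 2, norms), gf_inv(M, 2, norms)
    half = bits // 2
    lo = (1 << half) - 1
    N = norms[bits]
    mul = lambda x, y: gf_mul(x, y, half, norms)
    a1, a0, m1, m0 = a_m >> half, a_m & lo, M >> half, M & lo
    Q = fresh(half)                                 # part 1: masked norm B~
    t = a1 ^ a0
    B_m = Q ^ mul(N, mul(t, t)) ^ mul(a1, a0) ^ mul(a1, m0) ^ mul(a0, m1) ^ mul(m1, m0)
    t = m1 ^ m0
    M2 = Q ^ mul(N, mul(t, t))                      # mask carried by B~
    Binv_m, M2inv = masked_inv(B_m, M2, half, norms, fresh)
    T = fresh(bits)                                 # parts 2/3: fresh output mask
    t1, t0 = T >> half, T & lo
    r1 = t1 ^ mul(a0, Binv_m) ^ mul(a0, M2inv) ^ mul(m0, Binv_m) ^ mul(m0, M2inv)
    r0 = t0 ^ mul(a1, Binv_m) ^ mul(a1, M2inv) ^ mul(m1, Binv_m) ^ mul(m1, M2inv)
    return (r1 << half) | r0, T


def check_tower(norms, seed=1):
    """a * a^-1 = 1 for every nonzero a in GF(2^8), and masked_inv fed random
    masks unmasks to the same inverse."""
    rng = random.Random(seed)
    for a in range(1, 256):
        inv = gf_inv(a, 8, norms)
        M = rng.getrandbits(8)
        r, S = masked_inv(a ^ M, M, 8, norms, rng.getrandbits)
        if gf_mul(a, inv, 8, norms) != 0xFF or r ^ S != inv:
            return False
    return True


if __name__ == "__main__":
    norms = choose_norms()
    print("n =", norms[4], "N =", norms[8], "tower and masking verified:", check_tower(norms))
```

masked_inv adds the fresh mask first and then one cross product at a time, which is the addition-order constraint the "Perfect Masking" slide states; a software model of this kind says nothing about glitches, so the CMOS timing constraints on the slides still apply to any hardware realisation.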

Re-using Masks in Masked Inversion, part 2

Re-Masked Inversion in $GF(2^2)$
Result: $\tilde c^{-1} = [\tilde c_0 w^2 + \tilde c_1 w] \oplus (m_1 \oplus m_2)$ (masked by $m_1$)

back up to $GF(2^4)$
let $\tilde b_1^{-1} = m_{11} \oplus \tilde b_0 \otimes \tilde c^{-1} \oplus \tilde b_0 \otimes m_1 \oplus m_0 \otimes \tilde c^{-1} \oplus m_0 \otimes m_1$;
remask $\tilde c^{-1}_2 = \tilde c^{-1} \oplus (m_0 \oplus m_1)$ (now masked by $m_0$);
let $\tilde b_0^{-1} = m_{10} \oplus \tilde b_1 \otimes \tilde c^{-1}_2 \oplus \tilde b_1 \otimes m_0 \oplus m_1 \otimes \tilde c^{-1}_2 \oplus m_1 \otimes m_0$;
Result: $\tilde B^{-1} = \tilde b_1^{-1}\, Z^4 + \tilde b_0^{-1}\, Z$ (masked by $M_1 = m_{11} Z^4 + m_{10} Z$)


Re-using Masks in Masked Inversion, part 3: back up to $GF(2^8)$

Given: $\tilde B^{-1}$ (masked by $M_1$),
let $\tilde A_1^{-1} = S_1 \oplus \tilde A_0 \otimes \tilde B^{-1} \oplus \tilde A_0 \otimes M_1 \oplus M_0 \otimes \tilde B^{-1} \oplus M_0 \otimes M_1$;
remask $\tilde B^{-1}_2 = \tilde B^{-1} \oplus (M_0 \oplus M_1)$ (now masked by $M_0$);
let $\tilde A_0^{-1} = S_0 \oplus \tilde A_1 \otimes \tilde B^{-1}_2 \oplus \tilde A_1 \otimes M_0 \oplus M_1 \otimes \tilde B^{-1}_2 \oplus M_1 \otimes M_0$;
Result: $\tilde A^{-1} = \tilde A_1^{-1}\, Y^{16} + \tilde A_0^{-1}\, Y$ (masked by $S$)

Note: $S$ cannot be the original $M$.


Re-using Masks between Rounds

What if we re-use masks between rounds?

- Pick an inversion output mask $S_i$ for each byte $i$
- Convert from the tower field, apply the affine part of the S-box, then ShiftRows; the result is the mask after the last round: $M_{last}$
- Apply MixColumns; the result is the input mask for the initial data before Round 0: $M_{init}$
- Convert to the tower field; the result is the input mask for the inversion step: $M_i$ for each byte $i$
- Compute terms such as $M_1 \otimes M_0$, $M_2$, $m_1 \otimes m_0$, and $m_2$
- Re-use those terms each round for inversion; data-dependent corrections are also needed
- No correction terms for MixColumns or ShiftRows


Security of Masking

Assume a source of truly random, uniformly distributed masks.

1 Given any $y \in F$ and independent uniform $x \in F$, then $z = x \oplus y$ is also uniform and independent of $y$.

2 Given $x$ and $y$ independent and uniform over $F_q$, then $z = x \otimes y$ has the “random product distribution”:
$$
\Pr(z = i) = \begin{cases} (2q - 1)/q^2, & i = 0 \\ (q - 1)/q^2, & i \neq 0 \end{cases}
$$

3 Given uniform $x \in F$, and a one-to-one mapping $f : F \to F$, then $y = f(x)$ is also uniform.

4 Given $\vec x = [x_1, x_2, \cdots, x_{2n}]$ uniform over $F^{2n}$, then the two halves $\vec y_1 = [x_1, x_2, \cdots, x_n]$ and $\vec y_2 = [x_{n+1}, x_{n+2}, \cdots, x_{2n}]$ are independent and uniform over $F^n$.

“Perfect Masking” with care

In our masking method (with constraints on the order of addition):

- each intermediate operand has either the uniform or the random product distribution
- but masked multipliers cannot re-use an input mask as the output mask
- and products must be added to a masked sum (two products cannot be added to each other, since they are not independent)
- for CMOS implementations, timing constraints for glitches must be satisfied (use delays or enable signals)
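The last two slides (the distribution facts and the order-of-addition rule) as an added, exhaustive check in Python; this is not the authors' code. It models one first-order masked multiplier, records every intermediate value a probe could see, and compares the distribution of each intermediate across all secrets. The assumptions are mine: the field is GF(2^2) in the slides' normal basis [w^2, w] (the argument is identical in GF(2^4) and GF(2^8); q = 4 just keeps the enumeration tiny), and the function names are invented here.

```python
"""Why the order of additions matters in a masked multiplier.

Added example, not the authors' code.  One first-order masked GF(q)
multiplier is modelled and every intermediate value is enumerated.
ASSUMPTION: q = 4, i.e. GF(2^2) in the slides' normal basis [w^2, w];
the exhaustive check is 4^2 secrets x 4^3 mask choices.
"""
from collections import Counter
from fractions import Fraction
from itertools import product

Q = 4  # field size q


def gf4_mul(a, b):
    """GF(2^2) product in basis [w^2, w], w^2 + w + 1 = 0:
    c1 = a1 b1 + (a1+a0)(b1+b0),  c0 = a0 b0 + (a1+a0)(b1+b0)."""
    a1, a0, b1, b0 = a >> 1, a & 1, b >> 1, b & 1
    t = (a1 ^ a0) & (b1 ^ b0)
    return (((a1 & b1) ^ t) << 1) | ((a0 & b0) ^ t)


def masked_mul_trace(x, y, mx, my, mz, safe_order=True):
    """Compute z~ = x*y ^ mz from the shares (x^mx, mx), (y^my, my) and return
    every intermediate value in the order it is produced.
    safe_order=True : z~ = mz ^ xm*ym ^ xm*my ^ mx*ym ^ mx*my   (as on the slides)
    safe_order=False: the first two products are added to each other before the
                      mask: xm*ym ^ xm*my = xm*y, an unmasked function of y."""
    xm, ym = x ^ mx, y ^ my
    prods = [gf4_mul(xm, ym), gf4_mul(xm, my), gf4_mul(mx, ym), gf4_mul(mx, my)]
    trace = list(prods)
    if safe_order:
        acc = mz
        for p in prods:
            acc ^= p
            trace.append(acc)
    else:
        acc = prods[0] ^ prods[1]
        trace.append(acc)
        acc ^= mz
        trace.append(acc)
        for p in prods[2:]:
            acc ^= p
            trace.append(acc)
    return trace


def masked_mul(x, y, mx, my, mz):
    """The masked product itself (last value of the safe trace)."""
    return masked_mul_trace(x, y, mx, my, mz)[-1]


def secret_dependence(safe_order=True):
    """For each intermediate, the number of distinct distributions it takes as
    the secrets (x, y) vary, with all masks uniform.  1 means the distribution
    reveals nothing about (x, y); anything larger is first-order leakage."""
    n = len(masked_mul_trace(0, 0, 0, 0, 0, safe_order))
    seen = [set() for _ in range(n)]
    for x, y in product(range(Q), repeat=2):
        counts = [Counter() for _ in range(n)]
        for masks in product(range(Q), repeat=3):
            for i, v in enumerate(masked_mul_trace(x, y, *masks, safe_order)):
                counts[i][v] += 1
        for i in range(n):
            seen[i].add(tuple(sorted(counts[i].items())))
    return [len(s) for s in seen]


def product_distribution():
    """Distribution of the product of two independent uniform elements: the
    slides' random product distribution Pr(0) = (2q-1)/q^2, Pr(i!=0) = (q-1)/q^2."""
    c = Counter(gf4_mul(a, b) for a in range(Q) for b in range(Q))
    return {v: Fraction(c[v], Q * Q) for v in range(Q)}


if __name__ == "__main__":
    print("random product distribution:", product_distribution())
    print("distinct distributions per intermediate, safe order:  ", secret_dependence(True))
    print("distinct distributions per intermediate, unsafe order:", secret_dependence(False))
```

With the safe order every one of the eight intermediates has exactly one distribution (the four products have the random product distribution, the four running sums are uniform because the fresh mask mz was added first); with the unsafe order the sum xm*ym ^ xm*my collapses to xm*y, which is constantly 0 when y = 0 and uniform otherwise, so its distribution depends on the secret. This is exactly the software view of "products must be added to a masked sum"; the glitch caveat is a separate, hardware-only condition that no such model captures.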


Merged Architecture of Satoh et al.

[Figure: merged S-box datapath. in → 2:1 mux selecting {basis} (encryption) or {affine^{-1}, basis} (decryption) → GF(2^8) inverter → 2:1 mux selecting {basis^{-1}, affine} (encryption) or {basis^{-1}} (decryption) → out]

The Satoh architecture shares the inverter between S-box and S-box^{-1} (left pathways for encryption, right pathways for decryption). This also allows pairs of transformations (input and output) to be optimized together.

Page 53: A Very Compact ``Perfectly Masked'' S-Box for AES

BackgroundCompact Masked S-box

ResultsSummary

AlgebraSecurity of MaskingOptimizations

Optimizing Mask Corrections
- use normal bases & optimal basis-change matrices
- combine operations (e.g. 4-bit square-scale in 3 XORs)
- re-use bit sums (hand optimized)
- logic gate substitutions (e.g. 1 NOR for 1 NAND & 2 XORs)

Compare Masking Schemes by 4-bit operations (adapted from Oswald et al.)

method      Mul  Scl  Sq  SqScl
S-Akkar      18    6   4      0
S-Blömer     12    1   2      0
MS-IAIK       9    2   2      0
this work     8    0   0      2



Page 55: A Very Compact ``Perfectly Masked'' S-Box for AES


Results

Galois Inverter Only

Inverter    gate counts                  total gates
masked      229 XOR, 94 NAND, 6 NOR      501
unmasked     56 XOR, 34 NAND, 6 NOR      138

Basis Change (& Affine) Only

Basis Change   merged                          S-box          (S-box)⁻¹
masked         78 XOR, 4 NOT, 32 MUX = 196     49 XOR = 86    50 XOR = 88
unmasked       38 XOR, 2 NOT, 16 MUX = 96      24 XOR = 42    25 XOR = 44

Complete S-box & Re-using Masks Between Rounds

masking    merged   S-box   (S-box)⁻¹
masked     696      587     588
re-use     527      473     475
unmasked   234      180     182

standard 0.13-µ CMOS cell library: XOR/XNOR = 7/4 NAND, NOR = 1 NAND, NOT = 3/4 NAND, MUX21I = 7/4 NAND



Page 57: A Very Compact ``Perfectly Masked'' S-Box for AES


Summary
- A masked S-box can be as small as 696 gates
- Masking triples the size of the compact S-box (298%)
- Re-using masks between rounds reduces that to just over double (225%)



Page 60: A Very Compact ``Perfectly Masked'' S-Box for AES


Addendum: Masked Multipliers cannot re-use masks

To mask a Galois multiplication:

ab = c


Page 61: A Very Compact ``Perfectly Masked'' S-Box for AES


Addendum: Masked Multipliers cannot re-use masks

need three masks:

a_m = a + m_a, b_m = b + m_b, c_m = c + m_c


Page 62: A Very Compact ``Perfectly Masked'' S-Box for AES


Addendum: Masked Multipliers cannot re-use masks

correctly masked multiply:

a_m b_m + (m_a b_m + (a_m m_b + (m_a m_b + m_c)))

Get c + m_c


Page 63: A Very Compact ``Perfectly Masked'' S-Box for AES


Addendum: Masked Multipliers cannot re-use masks

What if re-use input mask?

a_m b_m + m_a b_m + a_m m_b + m_a m_b + m_a

Want c + m_a


Page 64: A Very Compact ``Perfectly Masked'' S-Box for AES


Addendum: Masked Multipliers cannot re-use masks

What if re-use input mask?

P1 + P2 + P3 + P4 + m_a (with P1 = a_m b_m, P2 = m_a b_m, P3 = a_m m_b, P4 = m_a m_b)

1 either P2 + m_a or P4 + m_a
2 either (P2 + m_a) + P1 or (P4 + m_a) + P3
3 nothing works!
4 Want c + m_a
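The addendum's argument, and the earlier rule that a masked multiplier cannot re-use its input mask as the output mask, can be checked exhaustively for a 4-bit Galois multiplier. Below is an added Python example (mine, not the authors' code): it enumerates every secret pair (a, b) and every mask value, builds the histogram of each intermediate value (the four products P1 = a_m b_m, P2 = m_a b_m, P3 = a_m m_b, P4 = m_a m_b and every partial sum) and flags any intermediate whose histogram depends on the secrets, which is the "perfect masking" condition. The slide's correctly masked order passes; re-using m_a as the output mask fails in every one of the 24 orders in which the products can be added to the running sum. Assumptions not taken from the slides: the field is GF(2^4) in the polynomial basis modulo x^4 + x + 1 (the slides use normal bases, but the property being checked does not depend on the basis), and the function names are mine.

```python
"""Exhaustive "perfect masking" check for a masked GF(2^4) multiplier.

Added example, not the authors' code.  Every intermediate value of a masked
computation must have a distribution (over the random masks) that is the
same for every secret input.  This script enumerates all secrets and masks
and compares the per-intermediate histograms.  It reproduces the addendum:
the correctly masked multiply passes, while re-using the input mask m_a as
the output mask leaks in every order of addition.

Assumption not taken from the slides: GF(2^4) is represented in the
polynomial basis modulo x^4 + x + 1.
"""
from itertools import permutations, product

POLY = 0b10011  # x^4 + x + 1 (assumed representation)
FIELD = range(16)


def gf16_mul(x, y):
    """Multiply two GF(2^4) elements (4-bit ints) modulo x^4 + x + 1."""
    r = 0
    for _ in range(4):
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x & 0x10:
            x ^= POLY
    return r & 0xF


MUL = [[gf16_mul(x, y) for y in FIELD] for x in FIELD]  # lookup table


def correct_scheme(a, b, masks):
    """Slide's order: am*bm + (ma*bm + (am*mb + (ma*mb + mc))).

    Returns every value an observer could see: the four products P1..P4 and
    the four partial sums; the last one is c + mc."""
    ma, mb, mc = masks
    am, bm = a ^ ma, b ^ mb
    p1, p2, p3, p4 = MUL[am][bm], MUL[ma][bm], MUL[am][mb], MUL[ma][mb]
    s1 = p4 ^ mc
    s2 = p3 ^ s1
    s3 = p2 ^ s2
    s4 = p1 ^ s3
    return [p1, p2, p3, p4, s1, s2, s3, s4]


def reuse_scheme(order):
    """Build the flawed variant: same products, but the running sum starts
    from the input mask ma (so the result is c + ma) and the products are
    added one at a time in `order`, a permutation of (0, 1, 2, 3) that
    indexes P1..P4."""
    def scheme(a, b, masks):
        ma, mb = masks
        am, bm = a ^ ma, b ^ mb
        prods = [MUL[am][bm], MUL[ma][bm], MUL[am][mb], MUL[ma][mb]]
        seen = list(prods)
        acc = ma
        for i in order:
            acc ^= prods[i]
            seen.append(acc)
        return seen
    return scheme


def histograms(scheme, a, b, n_masks):
    """Per-intermediate histogram (16 counts) over all mask choices."""
    hists = None
    for masks in product(FIELD, repeat=n_masks):
        inter = scheme(a, b, masks)
        if hists is None:
            hists = [[0] * 16 for _ in inter]
        for h, v in zip(hists, inter):
            h[v] += 1
    return hists


def leaky_intermediates(scheme, n_masks, stop_early=False):
    """Indices of intermediates whose histogram depends on the secrets.

    An empty list means the scheme is perfectly masked.  With stop_early
    the scan stops at the first secret pair whose histograms differ from
    those of (a, b) = (0, 0), which is enough to prove that a scheme leaks."""
    ref = histograms(scheme, 0, 0, n_masks)
    leaky = set()
    for a, b in product(FIELD, FIELD):
        hists = histograms(scheme, a, b, n_masks)
        leaky.update(i for i, h in enumerate(hists) if h != ref[i])
        if leaky and stop_early:
            break
    return sorted(leaky)


def output_is_correct(a, b, masks):
    """The correct scheme's final share unmasks to the product ab."""
    return correct_scheme(a, b, masks)[-1] ^ masks[2] == MUL[a][b]


def all_reuse_orders_leak():
    """True if each of the 24 addition orders of the re-use variant has at
    least one secret-dependent intermediate."""
    return all(leaky_intermediates(reuse_scheme(o), 2, stop_early=True)
               for o in permutations(range(4)))


if __name__ == "__main__":
    print("correct scheme leaks at:", leaky_intermediates(correct_scheme, 3))
    print("re-use, order P2,P1,P3,P4 leaks at:",
          leaky_intermediates(reuse_scheme((1, 0, 2, 3)), 2))
    print("every re-use order leaks:", all_reuse_orders_leak())
```

For the slide's first branch (m_a + P2, then + P1) the leak appears at index 6, the third addition: the running sum there equals ab + m_a(1 + m_b), which collapses to the unmasked product ab whenever m_b = 1, so its histogram has a peak at ab. The final value c + m_a is uniform again, which is why checking only the output, rather than every intermediate, misses the flaw.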



Page 68: A Very Compact ``Perfectly Masked'' S-Box for AES


That’s All, Folks!

Thanks!
