The art of computer programming, volume 2 (3rd ed.): seminumerical algorithms
The art of computer programming, volume 2 (3rd ed.): seminumerical algorithms
Exponentiation in Finite Fields: Theory and Practice
AAECC-12 Proceedings of the 12th International Symposium on Applied Algebra, Algebraic Algorithms and Error-Correcting Codes
Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms - Design and Analysis
SAC '00 Proceedings of the 7th Annual International Workshop on Selected Areas in Cryptography
Towards Sound Approaches to Counteract Power-Analysis Attacks
CRYPTO '99 Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology
CRYPTO '99 Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology
A Compact Rijndael Hardware Architecture with S-Box Optimization
ASIACRYPT '01 Proceedings of the 7th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Securing the AES Finalists Against Power Analysis Attacks
FSE '00 Proceedings of the 7th International Workshop on Fast Software Encryption
DES and Differential Power Analysis (The "Duplication" Method)
CHES '99 Proceedings of the First International Workshop on Cryptographic Hardware and Embedded Systems
An Implementation of DES and AES, Secure against Some Attacks
CHES '01 Proceedings of the Third International Workshop on Cryptographic Hardware and Embedded Systems
Side Channel Cryptanalysis of a Higher Order Masking Scheme
CHES '07 Proceedings of the 9th international workshop on Cryptographic Hardware and Embedded Systems
Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis
Fast Software Encryption
Algebraic immunity of S-boxes based on power mappings: analysis and construction
IEEE Transactions on Information Theory
Provably secure higher-order masking of AES
CHES'10 Proceedings of the 12th international conference on Cryptographic hardware and embedded systems
A fast and provably secure higher-order masking of AES S-box
CHES'11 Proceedings of the 13th international conference on Cryptographic hardware and embedded systems
Higher order masking of the AES
CT-RSA'06 Proceedings of the 2006 The Cryptographers' Track at the RSA conference on Topics in Cryptology
The 128-bit blockcipher CLEFIA
FSE'07 Proceedings of the 14th international conference on Fast Software Encryption
Higher-Order masking schemes for s-boxes
FSE'12 Proceedings of the 19th international conference on Fast Software Encryption
| Hi-index | 0.00 |
Masking is a well-known technique used to prevent block cipher implementations from side-channel attacks. Higher-order side channel attacks (e.g. higher-order DPA attack) on widely used block cipher like AES have motivated the design of efficient higher-order masking schemes. Indeed, it is known that as the masking order increases, the difficulty of side-channel attack increases exponentially. However, the main problem in higher-order masking is to design an efficient and secure technique for S-box computations in block cipher implementations. At FSE 2012, Carlet et al. proposed a generic masking scheme that can be applied to any S-box at any order. This is the first generic scheme for efficient software implementations. Analysis of the running time, or masking complexity, of this scheme is related to a variant of the well-known problem of efficient exponentiation (addition chain), and evaluation of polynomials. In this paper we investigate optimal methods for exponentiation in $\mathbb{F}_{2^{n}}$ by studying a variant of addition chain, which we call cyclotomic-class addition chain, or CC-addition chain. Among several interesting properties, we prove lower bounds on min-length CC-addition chains. We define the notion of $\mathbb{F}_{2^n}$-polynomial chain, and use it to count the number of non-linear multiplications required while evaluating polynomials over $\mathbb{F}_{2^{n}}$. We also give a lower bound on the length of such a chain for any polynomial. As a consequence, we show that a lower bound for the masking complexity of DES S-boxes is three, and that of PRESENT S-box is two. We disprove a claim previously made by Carlet et al. regarding min-length CC-addition chains. Finally, we give a polynomial evaluation method, which results into an improved masking scheme (compared to the technique of Carlet et al.) for DES S-boxes. As an illustration we apply this method to several other S-boxes and show significant improvement for them.