An Algebraic Masking Method to Protect AES Against Power Attacks

IEEE Transactions on Information Theory, 2009

The algebraic immunity of an S-box depends on the number and type of linearly independent multivariate equations it satisfies. In this paper techniques are developed to find the number of linearly independent, multivariate, bi-affine and quadratic equations for S-boxes based on power mappings. These techniques can be used to prove the exact number of equations for any class of power mappings. Two algorithms to calculate the number of bi-affine and quadratic equations for any (n, n) S-box based on power mapping are also presented. The time complexity of both algorithms is only O(n 2). To design algebraically immune S-boxes four new classes of S-boxes that guarantee zero bi-affine equations and one class of S-boxes that guarantees zero quadratic equations are presented. The algebraic immunity of power mappings based on Kasami, Niho, Dobbertin, Gold, Welch and Inverse exponents are discussed along with other cryptographic properties and several cryptographically strong S-boxes are identified. It is conjectured that a known Kasami like APN power mapping is maximally nonlinear and a known Kasami like maximally nonlinear power mapping is differentially 4-uniform. Finally an open problem to find an (n, n) bijective nonlinear S-box with more than 5n quadratic equations is solved and it is conjectured that the upper bound on this number is n(n−1

Cryptologia, 2009

Simplified AES was developed in 2003 as a teaching tool to help students understand AES. It was designed so that the two primary attacks on symmetric-key block ciphers of that time, differential cryptanalysis and linear cryptanalysis, are not trivial on simplified AES. Algebraic cryptanalysis is a technique that uses modern equation solvers to attack cryptographic algorithms. There have been some claims that AES is threatened by algebraic cryptanalysis. We will use algebraic cryptanalysis to attack simplified AES.

Advanced Encryption Standard–AES, 2005

This paper is about the design of multivariate public key schemes, as well as block and stream ciphers, in relation to recent attacks that exploit various types of multivariate algebraic relations. We survey these attacks focusing on their common fundamental principles and on how to avoid them. From this we derive new very general design criteria, applicable for very different cryptographic components. These amount to avoiding (if possible) the existence of, in some sense "too simple" algebraic relations. Though many ciphers that do not satisfy this new paradigm probably still remain secure, the design of ciphers will never be the same again.

Lecture Notes in Computer Science, 2000

Since the announcement of the Differential Power Analysis (DPA) by Paul Kocher and al., several countermeasures were proposed in order to protect software implementations of cryptographic algorithms. In an attempt to reduce the resulting memory and execution time overhead, Thomas Messerges recently proposed a general method that "masks" all the intermediate data. This masking strategy is possible if all the fundamental operations used in a given algorithm can be rewritten with masked input data, giving masked output data. This is easily seen to be the case in classical algorithms such as DES or RSA. However, for algorithms that combine Boolean and arithmetic functions, such as IDEA or several of the AES candidates, two different kinds of masking have to be used. There is thus a need for a method to convert back and forth between Boolean masking and arithmetic masking. In the present paper, we show that the 'BooleanToArithmetic' algorithm proposed by T. Messerges is not sufficient to prevent Differential Power Analysis. In a similar way, the 'ArithmeticToBoolean' algorithm is not secure either.

2004

Since being officially selected as the new Advanced Encryption Standard (AES), Rijndael has continued to receive great attention and has had its security continuously evaluated by the cryptographic community. Rijndael is a cipher with a simple, elegant and highly algebraic structure. Its selection as the AES has led to a growing interest in the study of algebraic properties of block ciphers, and in particular algebraic techniques that can be used in their cryptanalysis. In these notes we will examine some algebraic aspects of the AES and consider a number of algebraic techniques that could be used in the analysis of the cipher. In particular, we will focus on the large, though surprisingly simple, systems of multivariate quadratic equations derived from the encryption operation, and consider some approaches that could be used when attempting to solve these systems. These notes refer to an invited talk given at the Fourth Conference on the Advanced Encryption Standard (AES4) in May 2004, and are largely based on[4].

Lecture Notes in Computer Science, 2001

Since Power Analysis on smart cards was introduced by Paul Kocher [7], many countermeasures have been proposed to protect implementations of cryptographic algorithms. In this paper we propose a new protection principle: the transformed masking method. We apply this method to protect two of the most popular block ciphers: DES and the AES Rijndael. To this end we introduce some transformed S-boxes for DES and a new masking method and its applications to the non-linear part of Rijndael.

AES 4 Conference, Bonn May 10-12 2004, LNCS 3373, 2005

CiteSeerX - Document Details (Isaac Councill, Lee Giles): Abstract. This paper is about the design of multivariate public key schemes, as well as block and stream ciphers, in relation to recent attacks that exploit various types of multivariate algebraic relations. We survey these attacks ...

Lecture Notes in Computer Science, 2004

In order to protect a cryptographic algorithm against Power Analysis attacks, a well-known method consists in hiding all the internal data with randomly chosen masks. Following this idea, an AES implementation can be protected against Differential Power Analysis (DPA) by the "Transformed Masking Method", proposed by Akkar and Giraud at CHES'2001, requiring two distinct masks. At CHES'2002, Trichina, De Seta and Germani suggested the use of a single mask to improve the performances of the protected implementation. We show here that their countermeasure can still be defeated by usual first-order DPA techniques. In another direction, Akkar and Goubin introduced at FSE'2003 a new countermeasure for protecting secret-key cryptographic algorithms against high-order differential power analysis (HO-DPA). As particular case, the "Unique Masking Method" is particularly well suited to the protection of DES implementations. However, we prove in this paper that this method is not sufficient, by exhibiting a (first-order) enhanced differential power analysis attack. We also show how to avoid this new attack.

Lecture Notes in Computer Science, 2006

In this paper we are interested in algebraic immunity of several well known highly-nonlinear vectorial Boolean functions (or Sboxes), designed for block and stream ciphers. Unfortunately, ciphers that use such S-boxes may still be vulnerable to so called "algebraic attacks" proposed recently by Courtois, Pieprzyk, Meier, Armknecht, et al. These attacks are not always feasible in practice but are in general very powerful. They become possible, if we regard the S-boxes, no longer as highly-nonlinear functions of their inputs, but rather exhibit (and exploit) much simpler algebraic equations, that involve both input and the output bits. Instead of complex and "explicit" Boolean functions we have then simple and "implicit" algebraic relations that can be combined to fully describe the secret key of the system. In this paper we look at the number and the type of relations that do exist for several well known components. We wish to correct or/and complete several inexact results on this topic that were presented at FSE 2004. We also wish to bring a theoretical contribution. One of the main problems in the area of algebraic attacks is to prove that some systems of equations (derived from some more fundamental equations), are still linearly independent. We give a complete proof that the number of linearly independent equations for the Rijndael S-box (derived from the basic equation XY = 1) is indeed as reported by Courtois and Pieprzyk. It seems that nobody has so far proven this fundamental statement.

2003

Software counter measures against side channel attacks considerably hinder performance of cryptographic algorithms in terms of memory or execution time or both. The challenge is to achieve secure implementation with as little extra cost as possible. In this paper we optimize a counter measure for the AES block cipher consisting in transforming a boolean mask to a multiplicative mask prior to a non-linear Byte Substitution operation (thus, avoiding S-box re-computations for every run or storing multiple S-box tables in RAM), while preserving a boolean mask everywhere else. We demonstrate that it is possible to achieve such transformation for a cost of two additional multiplications in the field. However, due to an inherent vulnerability of multiplicative masking to so-called zero attack, an additional care must be taken to securize its implementation. We describe one possible, although not perfect, approach to such an implementation which combines algebraic techniques and partial re-computation of S-boxes. This adds one more multiplication operation, and either occasional S-box re-computations or extra 528 bytes of memory to the total price of the counter measure.