Paper 2003/236

Combinational Logic Design for AES SubByte Transformation on Masked Data

Elena Trichina

Abstract

Low power consumption, low gate count and high throughput used to be the standard design criteria for cryptographic coprocessors designated for smart cards and related embedded devices. Not anymore. With the advent of side channel attacks, the first and foremost concern is device resistance to such attacks. This paper describes how to embed a data masking technique at the hardware level for an AES coprocessor. We concentrate on inversion in the field, since it is the only non-linear operation and was assumed to require complex transformations on masked data and on masks. Our paper demonstrates that it is possible to compute inverses directly on masked data, without ever revealing unmasked intermediate results in the process. Our approach consists of a transition to composite fields, where inversion can be efficiently implemented in combinational logic using only bitwise XOR and AND operations. A breakthrough idea is to replace these operations on masked data by simple combinational circuits operating on bits of masked data and on bits of a mask in such a manner that a proper "mask correction" is computed on-the-fly. Combining these elementary building blocks, we obtain a complete hardware solution for a "masked AES", thus effectively resolving the problem of a secure AES co-processor.
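As an added illustration of the abstract's building blocks (this is example code, not the paper's circuit): a one-bit masked XOR, a one-bit masked AND whose mask correction is accumulated on the fly onto a fresh output mask, and a GF(2^2) multiplier assembled from them, with an exhaustive check that unmasking the result gives the plain product. The polynomial basis x^2 + x + 1 and the gate structure are assumptions of this example.

```python
import itertools
import secrets

# A masked bit is a pair (a_m, m_a) with a_m = a ^ m_a; nothing below computes a itself.

def masked_xor(a_m, m_a, b_m, m_b):
    """XOR is linear: combine the masked bits and the masks separately."""
    return a_m ^ b_m, m_a ^ m_b

def masked_and(a_m, m_a, b_m, m_b, m_z):
    """AND on masked bits. (a_m ^ m_a) & (b_m ^ m_b) expands into four products;
    accumulating them onto the fresh output mask m_z first means no partial sum
    equals the unmasked a & b. Returns (a & b) ^ m_z together with m_z."""
    z = m_z
    z ^= a_m & b_m
    z ^= a_m & m_b   # mask correction terms, computed from masked data and mask bits
    z ^= m_a & b_m
    z ^= m_a & m_b
    return z, m_z

def gf4_mul(a, b):
    """Unmasked reference: multiply in GF(2^2) = GF(2)[x]/(x^2 + x + 1), 2-bit ints."""
    a1, a0, b1, b0 = a >> 1, a & 1, b >> 1, b & 1
    c1 = (a1 & b1) ^ (a1 & b0) ^ (a0 & b1)
    c0 = (a1 & b1) ^ (a0 & b0)
    return (c1 << 1) | c0

def masked_gf4_mul(a_m, m_a, b_m, m_b, fresh):
    """Same multiplier on masked 2-bit values; `fresh` holds four fresh one-bit masks
    (constructed by the caller). Returns (product_masked, product_mask)."""
    A = [(a_m >> i & 1, m_a >> i & 1) for i in (1, 0)]  # [(a1_m, m_a1), (a0_m, m_a0)]
    B = [(b_m >> i & 1, m_b >> i & 1) for i in (1, 0)]
    p11 = masked_and(*A[0], *B[0], fresh[0])
    p10 = masked_and(*A[0], *B[1], fresh[1])
    p01 = masked_and(*A[1], *B[0], fresh[2])
    p00 = masked_and(*A[1], *B[1], fresh[3])
    c1 = masked_xor(*masked_xor(*p11, *p10), *p01)
    c0 = masked_xor(*p11, *p00)
    return (c1[0] << 1) | c0[0], (c1[1] << 1) | c0[1]

def check_all():
    """Exhaustively verify over all operands and input masks that unmasking
    the masked product yields gf4_mul(a, b)."""
    for a, b, m_a, m_b in itertools.product(range(4), repeat=4):
        fresh = [secrets.randbits(1) for _ in range(4)]
        z_m, m_z = masked_gf4_mul(a ^ m_a, m_a, b ^ m_b, m_b, fresh)
        if z_m ^ m_z != gf4_mul(a, b):
            return False
    return True
```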

Note: I plan to submit a revised and extended version with details of an actual hardware design into an IEEE Journal.

Metadata

Available format(s): PDF
Category: Implementation
Publication info: Published elsewhere. Not published elsewhere.
Keywords: AES, side channel analysis, data masking, inversion
Contact author(s): e v trichina @ samsung com
History: 2003-11-12: received
Short URL: https://ia.cr/2003/236
License: Creative Commons Attribution (CC BY)

BibTeX

@misc{cryptoeprint:2003/236,
      author = {Elena Trichina},
      title = {Combinational Logic Design for {AES} {SubByte} Transformation on Masked Data},
      howpublished = {Cryptology {ePrint} Archive, Paper 2003/236},
      year = {2003},
      url = {https://eprint.iacr.org/2003/236}
}