By Edwin Anderson,2014-05-27 14:59
14 views 0



     Secure DES Implementation Against High-Order Di?erential Power Analysis

     by Louiza Papachristodoulou Technische Universiteit Eindhoven Department of Mathematics and Computer Science Eindhoven, The Netherlands, P.O. Box 513, 5600 MB Email:

    l.p.papachristodoulou@student.tue.nl 22nd March 2009


     Di?erential Power Analysis (DPA) is a powerful cryptanalytic technique for extracting data from a cryptographic device. The implementation of DPA relies mainly on collecting power consumption traces and applying statistical methods, in order to average over them and obtain the secret key. Information leakage of this kind can be prevented by using masking methods. However, most of these methods are e?cient only in preventing ?rst-order DPA attacks and they fail to defense against High-Order DPA (HODPA) attacks, even of second-order. This paper presents an overview of High-Order DPA attacks focusing mainly on DES algorithm, which is still vulnerable to this kind of attacks. After analyzing the Unique Masking Method, introduced by Akkar and Goubin, and its weak points, we describe an enhancement of this implementation, which requires three random 32-bit masks and six S-boxes, in order to secure the outputs against any order DPA type attacks. Key words: DES; Simple Power Analysis (SPA); Di?erential Power Analysis (DPA); High-Order DPA; Boolean masking.



     Di?erential Power Analysis is a type of passive sidechannel attack introduced by Kocher et. al. in 1998 [1]. In cryptography, a side channel attack is any at1

     tack based on obtaining information from the physical implementation of a cryptosystem. A hardware device can leak useful information about secrets in the system when running a cryptographic algorithm, such as the cryptographic key, partial state information, full or partial plaintext. Apart from DPA, other examples of side-channel attacks are electromagnetic radiation leaks, timing and sound attacks. The basic idea of DPA attacks is that the power consumption of a device, such as a smartcard, is statistically correlated to the operation it performs. By monitoring the power usage during cryptographic operations and averaging over the acquired power traces, it is possible to obtain information related to the key. Symmetrical cryptosystems such as DES and AES, as well as public key

    cryptosystems, like RSA, are vulnerable to DPA attacks. The commonly suggested method against DPA attacks is random masking, also known as data whitening, wherein intermediate computations are handled under a probabilistic form to defeat statistical correlation [2]. M.-L.Akkar and C.Giraud introduced an interesting method, called ??Transformed Masking Method??, which has as main idea the performance of all the computations, in a way that all data are XORed with a random mask [3]. Although this method failed to defense e?ciently against HighOrder DPA attacks, it is still interesting, because the ??Unique Masking Method??, introduced by M.L.Akkar and L.Goubin, is based on it [4]. The ??Unique Masking Method?? was implemented on DES and has proven to be secure against n-th order DPA attacks. However, in 2005 J.Lv and Y.Han proved

     that the former implementation is still vulnerable to High-Order DPA attacks and proposed an enhancement of ??Unique Masking Method?? [6]. In this paper, after brie?y describing the DES algorithm in Section 2 and DPA and High-Order DPA attacks in Section 3, we present in Section 4 a HighOrder DPA attack on the improved DES implementation and the enhancement of ??Unique Masking Method??, in order to secure DES against this kind of attacks. Finally, conclusions on the e?ciency of this method and future proposals are made in Section 5.

     where Ki stand for a well-de?ned subsequence of bits from the key K and f is a function of the previous right-half and this subkey Ki . This function is de?ned by means of a collection of ?xed tables, called substitution tables. The outcome is added coordinatewise modulo 2 to Li?1 . We shall describe in the next paragraph more precisely what happens when the f -function is applied [7].


     Data Encryption Standard

     Block ciphers are conventional cryptosystems that typically handle a ?xed number of symbols at a time under a given key and perform this encryption/decryption independent of past input blocks. For the encryption process, the plaintext enters the block cipher from the left and leaves it on the right as ciphertext. For the decryption, exactly the inverse process takes place. The Data Encryption Standard is a secret key encryption scheme adopted as standard in the USA in 1977. DES is a block cipher operating on 64 bits simultaneously (Figure 1 ). The key consists of 8 groups of 8 bits. One bit in each group is a parity check bit that makes the overall parity in each block odd. So the e?ective key size used for the encryption process is actually 56 bits instead of 64.

     Figure 2: A Typical Round of DES Figure 2 depicts a typical round of DES. One can see that the inverse algorithm of DES can be computed from the same scheme by simply going from the bottom to the top. From the input key sixteen 48-bit keys are generated, one for each round.

    In each round eight S-boxes are used, which are ?xed in the speci?cation of the standard. S-boxes are transformation functions, which take as input 6 bits and map them to 4 bits. They play a signi?cant role in the calculation taking place inside the f -function. As we mentioned before, the f -function takes as input the previous right-half part Ri?1 and the subkey Ki . The 32 rightmost bits are expanded to 48 bits using an expanding permutation E. The result is combined with the subkey Ki for the i-th round using the XOR operation. These combined 6 ?Á 8 = 48 bits are the input of the S-boxes and they are transformed to 4 ?Á 8 = 32 bits, which are subsequently permutated again using another ?xed table, called P. The whole calculation procedure inside the f -function is depicted in Figure 3. The output of this procedure XORed with the left half gives the ?nal shu?ed 64 bits, which are then again divided into two halves [8]. The unpublished design criteria of the tables and the S-boxes used in the f -function caused a sharp criticism in the decision to make DES a standard. 2

     Figure 1: DES The encryption process of DES consists of 16 identical rounds. The 64 input bits are divided into two halves: the 32 leftmost bits form L0 and the 32 rightmost bits form R0 . The new L and R in each round are de?ned by: Li = Ri?1 , 1 ?Ü i ?Ü 16, Ri = Li?1 ?’ f (Ri?1 , Ki ), 1 ?Ü i ?Ü 16,

     statistical techniques to retrieve secret information. Using the previous relation, we can calculate the power consumption traces for certain time periods, average over these traces and ?nally obtain the potential secret data s from the corresponding DPA peak. Since this paper focuses on attacking DES, we need to approach this situation in a di?erent way. The idea of averaging over electric consumption traces remains the same, but the implementation in DES is slightly di?erent. Therefore, in the following subsections we shall present DPA and High-Order DPA attacks applied on DES.


     Figure 3: S-boxes inside the function f(Ri?1 , Ki ) of DES

     DPA attacks on DES

     DPA attacks on DES rely on the following fundamental hypothesis [4]:

     Fundamental Hypothesis (Order 1): There exists an intermediate variable, that appears during the computation of the algorithm, such that knowing a few key bits (in practice less than 32 bits) allows to The basic idea behind power analysis, and di?erential decide whether two inputs (respectively two outputs) power analysis in particular, is exploiting the di?er- give or not the same value for a known function of ences in power consumption during transitions. The this variable. power consumption of a cryptographic device can be monitored and the di?erences in the power consump- Let I(x, s) denote the intermediate value, which tion traces, which depend on the manipulated data depends

    only on known data x and on a small and the operations that take place, can leak useful portion of secret data s (i.e. small enough so that secret information about the system. For example, all possible values for s can be found by exhaustive 0 ??ú 1 transitions consume more power than 1 ??ú 0 search). Then, for each possible value s for s, the ? transitions. attacker creates two sets, S0 (?) and S1 (?), de?ned s s A simple model for power leakage is the General- as: ized Hamming-weight model, which assumes that the Sb (?) = {x|g(I(x, s)) = b} for b ?Ê {0, 1} s ? processor will leak information about the Hamming weight H(x) of the data being processed. Moreover, we assume that processing data with higher Ham- where g is an appropriate Boolean selection function. ming weight will consume more power than process- The following 5-steps procedure describes how a DPA ing data with lower Hamming weight. Tests made attack on DES can be implemented (cited from [6]): on smartcard processors have shown that this relaStep 1: We measure the power consumptionship is roughly linear [9]. However, we present a tion on the ?rst round for 1000 (for example) simpli?ed Hamming weight model, which ignores the DES computations and we compute the mean produced noise, and assumes the power consumption curve MC of those 1000 consumption curves, P(t) is linearly related to the Hamming weight: where M , . . . , M denote the input values


     Di?erential Power Analysis attacks



     P(t) = H(w) + L, where denotes the amount of power for each extra ??1?? in the Hamming weight, L is an additive constant portion of the total power and w is the n-bit word manipulated at time period t [10]. In DPA attacks the adversary collects several power consumption traces for di?erent inputs and applies 3

     and C1 , . . .1000 denote the consumption curves. Step 2: At ?rst, we focus on the ?rst output bit (as the target bit) of the ?rst S-Box during the ?rst round. Let b denote the value of that bit. It is easy to see that b depends on only 6 bits of the secret key. Applying the Fundamental Hypothesis, we compute the expected (theoretical) values

     I(x, s) for b from those 6 bits and from the Mi masking method that has been applied to defense ? (i = 1, dots, 1000). This enables us to separate against HODPA attacks. the 1000 inputs into two categories: those giving b = 0 and those giving b = 1. Step 3: We now compute the mean curve M C0 of the curves corresponding to inputs of the ?rst category. If M C and M C0 show an appreciable di?erence much greater than the standard deviation of the measured noise in a statistical meaning, we consider that the chosen values for the 6 bits are correct. If M C and M C0 do not show any sensible di?erence, we repeat step 2 with another

choice for the 6 bits.


     Securing DES against HighOrder DPA attacks

     Unique Masking Method


     Masking is the most e?cient countermeasure, which was suggested against DPA attacks. The basic idea of masking consists of XORing the initial input (plaintext) of the cryptographic algorithm with a random mask, performing the computation and the masked Step 4: We repeat steps 2 and 3 with a ??target transformation of the data and ?nally obtaining the bit?? b in the each of the following 7 S-Boxes and output by unmasking the masked ciphertext. This procedure is depicted in Figure 4. in this way we obtain 48 bits of the secret key. Step 5: The remaining 8 bits can be found by exhaustive search.


     High-Order DPA attacks on DES

     High-Order DPA attacks (HODPA) generalize DPA attacks, in the sense that the attacker now computes statistical correlations between the electrical consumptions considered at several instants. More precisely, a n ? th order DPA attack uses n values of the computation signal, which correspond to n intermediate values Ii (x, s), (i = 1, . . . , n) occurring during the computation. These attacks rely on the modi?ed Fundamental Hypothesis for samples of order n: Fundamental Hypothesis (Order n): There exists a set of n intermediate variables, that appear during the computation of the algorithm, such that Figure 4: Masking Procedure knowing a few key bits (in practice less than 32 bits) allows to decide whether two inputs (respectively two The Unique Masking Method, introduced by Akkar outputs) give or not the same value for a known and Goubin in [4], is based on this idea and aims function of these n variables. at providing a generic protection against any order DPA attack. The two principles of this method are Most of the proposed countermeasures against the following: DPA attacks manage to secure the systems only against ?rst-order DPA attacks. However, most ? It is essential to mask the values that depend on of these methods can be defeated, if the attacker less than 36 bits of the key, in order to prevent knows how to correlate power consumption more DPA. than once per computation. This kind of attacks are more complex to be implemented, since they usually ? Intermediate independent variables depending require the attacker to have a deeper knowledge of on less than 36 bits of the key should not be the device [10]. We shall describe such an attack in masked by the same value, in order to thwart the next section, after presenting the most e?ective High-Order DPA. 4

     In the following subsections we are going to give a more accurate description of how this method works, in order to understand the way

    to construct a complete secure DES implementation. 4.1.1 Masked Rounds

     Round of Type B: Both parts of the input are ? unmasked and function f2 is used. Therefore, the left part of the output will be unmasked, while the right part will be masked. ? Round of Type C: The left part of the input is unmasked, but the right part is masked, and the ? function is f1 , which is involved in the computation of the right part and gives an unmasked value from a masked one. Therefore, the left part of the output will be masked, while the right part will be unmasked. ? Round of Type D: The left part of the input is masked, but the right part is unmasked and the function is f . Therefore, the left part of the output will be unmasked, while the right part will be masked.

     According to [4], given any 32 bits value ?Á of the key, ? ? we can de?ne two functions S1 and S2 based on the original S-Boxes function S: ?x ?Ê {0, 1}48 ?x ?Ê {0, 1}48 ? S1 (x) = S(x ?’ E(?Á)) ? S2 (x) = S(x) ?’ P ?1 (?Á)

     where E is the expansion permutation and P ?1 is the inverse of the permutation, which calculates the unmasked values of the computations that take place in the S-Boxes. ? Round of Type E: The left part of the input is Furthermore, Akkar et. al. de?ned the function fKi masked, the right part is unmasked and the functo be the composition of E, the XOR with the i-th ? tion is f2 , which a?ects the computation of the round subkey Ki the S-Box and the permutation P . ? ? right part. Therefore, both parts of the output Finally, they de?ned f1,Ki and f2,Ki by replacing S will be unmasked. ? ? in fKi with S1 and S2 , respectively. ? At this point, it is important to remark that f1 gives an unmasked value from a ?Á-masked one, and that 4.1.2 Securing DES with Masked Rounds ? f2 gives an ?Á-masked value from an unmasked one. In this section we shall consider that the modi?ed SBoxes are already constructed and that the mask ?Á changes at each DES computation. There are some requirements that should be ful?lled, in order to have compatible DES rounds. The input states should have unmasked input values, so each round should start with types A or B. The output states are the rounds, where the output values are unmasked, which restricts our decision about output rounds only to types A and E. It is easy to see that one could obtain a 16-round complete DES with these requirements. For example, IP(initial permutation)-BCDCDCEBCDCDCDCEFP(?nal permutation) is a compatible DES implementation. We de?ne Li (respectively Ri ) as the left part (respectively the right part) of the message at the end Figure 5: 5 Possibilities of DES rounds of the i?th round. To get a secure DES implementation, we considered that the critical data are the ones In Figure 5 we can see that using the functions where the bits depend on less than 36 bits of the key. ? ? f, f1 , f2 one can obtain 5 di?erent rounds of DES, Therefore, only two parts have to be protected: the depending on whether the input is masked or un- one connecting R2 and

    L3 and the one connecting R15 masked: and L16 . Therefore, these values must be masked and make it necessary for the ?rst three rounds to be of ? Round of Type A: Both parts of the input are the form: unmasked and function f is used, so we obtain unmasked output. BCD or BCE 5

     We can see that they used two di?erent masks a1 and a2 in the ?rst and last round of DES. The switch from ?Á1 to ?Á2 is possible during the 7th and 8th round, where the structure of E-round and B-round leave their output, respectively input, unmasked. BCE or DCE In addition, they pointed out that, if one wants It is possible to show that these are the only ac- the mask never to appear several times, even on cepted cases by following the exact proving procedure values depending on more than 36 bits of the key, one can use the following combination: IP ? as above. This simple security analysis is depicted in Figure 6. B?Á1 C?Á1 D?Á1 AAAAAAAAAAB?Á2 C?Á2 E?Á2 ? F P . It is even possible to add two new masks and to mask every value depending on less than 56 bits of the key. However, Akkar, Bevan and Goubin pointed out in [5] that for all the proposed sequences of rounds above, the second round is always a ??C-type?? round and the output of the S-Box of this second round is: S(E(P (S(K1 ?’ E(IP (M )32?63 ))) ?’ IP (M )0?31 ?’ ?Á1 ) ?’ K2 ?’ E(?Á1 )) = S(E(P (S(K1 ?’ E(IP (M )32?63 )))) ?’ K2 ?’ E(IP (M )0?31 )) The output of the second round is unmasked and stays unmasked after being XORed with the left part of the message, which will still be vulnerable to the attack shown above. [5] A ?nal improvement on DES implementation that Akkar et. al. suggested in [4] is by masking the output of the second round, either with a di?erent mask Figure 6: Number of key-bits per bits of data or even with ?Á1 , since the value depends on 42 bits of ? the key. They de?ned one more function f3,Ki with This countermeasure protects the DES implemen? the modi?ed S-Box S3 , such that tation of ?rst-order DPA attacks, since it secures the ?rst and last values of DES, which depend on less ? ?x ?Ê [0, 1]48 : S3 = (x ?’ E(?Á1 )) = S(x) ?’ P ?1 (?Á1 ). than 36 bits of the key, with a random mask that is used only once. However, it is vulnerable against So the output of the improved DES implementation High-Order DPA attacks. The attack would consist during the ?rst round will be: of correlating several values to get the power consumption of an important value, which in our case is S(K1 ?’ E(IP (M )32?63 )) ?’ P ?1 (?Á1 ). (1) the value that could be guessed with less than 36 bits of the key. It is not su?cient to mask the ?rst and last And the output of the second round will be: 6

     The above cases are the only ones that ful?ll the security and compatibility requirements of the DES algorithm. The input values, which depend on 0 bits of the key, are unmasked, but we want to continue with masked values and the only way we can achieve it is by using the type-B round. So we obtain a masked right part, which leads to the need

    of using type-C for the second round, since it is the only case where we can have a masked right-part input. Then, we can use either type-D or type-E rounds, which accept a masked left-part input and give unmasked outputs. After this procedure we have successfully secured the parts that depend on less than 36 bits of the key and we can continue by choosing just the compatible types of rounds in each case. At the last three rounds, the security problem arises again, so the last three rounds must be of the form:

     values with the same mask, because the correlation between them can still leak important information. If we mask them with di?erent random masks, then the outputs will be completely random. Each mask would appear only once in each computation and even with high order correlation it would be impossible to get any information about the masked value. Akkar et. al. gave the following example of a secure and compatible 16 round DES implementation [4]: IP ? B?Á1 C?Á1 D?Á1 C?Á1 D?Á1 C?Á1 E?Á1 B?Á2 C?Á2 D?Á2 C?Á2 D?Á2 C?Á2 D?Á2 C?Á2 E?Á2 ? F P .

     S(E(P (S(K1 ?’ E(IP (M )32?63 ))) ?’ IP (M )0?31 ?’ ?Á1 ) ?’ K2 ) = S(E(P(S(K1 ?’ E(IP (M )32?63 )))) ?’ K2 ?’ E(IP (M )0?31 ) ?’ E(?Á1 )) = S(E(P(S(K1 ?’ E(IP (M )32?63 )))) ?’ K2 ?’ E(IP (M )0?31 )) ?’ P ?1 (?Á1 ). (2)

     Following, after ?xing the right 32 bits to another constant value MB , such that MB = MA , we can perform again another DPA attack with some other chosen messages to acquire a similar value ?ÈB = K2 ?’ E(P

    (S(K1 ?’ E(MB )))) (5).

     The only unknown value in the above equations is In this way the above mentioned attack fails, be- K , so by taking XOR of the two acquired values ?È 2 A cause the value P ?1 (?Á1 ) will be di?erent and ran- and ?È , we get the following: B dom for every encryption. Therefore, the attacker ?ÈA ?’ ?ÈB = K2 ?’ E(P (S(K1 ?’ E(MA )))) ?’ K2 ?’ cannot classify the message correctly anymore into E(P (S(K1 ?’ E(MB )))) ? two groups. ?ÈA ?’ ?ÈB = E(P (S(K1 ?’ E(MA )) ?’ S(K1 ?’ E(MB )))) ? 4.2 Attacking the Unique Masking P ?1 (E ?1 (?ÈA ?’ ?ÈB )) = Method S(K1 ?’ E(MA )) ?’ S(K1 ?’ E(MB ) (6), The attack described by Lv and Han in [6] is based on the fact that there is the same mask in the output of the S-Boxes of the ?rst two rounds in the improved Unique Masking Method. According to Akkar et. al.??s improved DES implementation using Unique Masking Method, which was described in the previous section, the only parameter that prevents us from implementing a DPA attack is P ?1 . One can see that by XORing the output of the S-Boxes of the ?rst two rounds, we get the trace ? consumption T of the following value: ? (1)?’ (2) := T = S(E(P (S(K1 ?’ E(IP (M )32?63 ))))?’ K2 ?’ E(IP (M )0?31 )) ?’ S(K1 ?’ E(IP (M )32?63 )). (3) where E ?1 is the inverse

    permutation of E. The di?erential properties of S will give us about 4 possibilities for each subkey. Since there are 8 subkeys and the 8

    bits, which are not in K1 , need also to be found, this gives us 48 ?? 28 = 224 possibilities on the key, which can be calculated on several seconds on a PC.


     Enhanced DES implementation Secure Against HODPA

     The attack presented in section 4.2 exploits the outcomes of the two ?rst and two last rounds of DES. For a secure DES implementation against High-Order DPA attacks, Lv and Han proposed that the following ?1 In the equation (3) the value P (?Á1 ) vanishes, so we requirements should be met: can perform an attack at the system. ? Every crucial intermediate value should be After making a hypothesis on the subkey K1 , if masked by a random integer. IP (M )32?63 is set to some ?xed, arbitrary value, then ? The XOR value of all the possible combinations S(K1 ?’ E(IP (M )32?63 )) will also be ?xed. Then, if between the outcomes of the S-Boxes of the two we classify the 1000 electric consumption curves cor?rst and the two last rounds of DES implementaresponding to some 1000 inputs, according to some tion should be masked by some random integer. ?, we can also classify them correctly to target bit in T the same two groups according to the corresponding The second requirement implies that we should XOR bit in the value of the ?rst and the last round, the second round and the last round, the two ?rst with the last round etc. Therefore, to defense High-Order DPA attacks for a DES implementation with all the outputs Therefore, by ?xing the right 32 bits of each message of the S-Boxes of the 16 rounds masked, the minimal after the initial permutation to some constant MA number of the required random masks is 3. and letting the left part change to get enough inputs, After generating three di?erent random 32-bit values we can perform a High-Order DPA attack with some X1 , X2 and X3 , we should de?ne 6 additional S-Boxes based on the original DES S-Boxes function S. In chosen messages to acquire the value ?? the proposed enhancement, the S-Box S(x) of every 48 ?ÈA = K2 ?’ E(P (S(K1 ?’ E(MA )))) (4). round ?x ?Ê [0, 1] is as follows: S(E(P (S(K1 ?’ E(IP (M )32?63 )))) ?’ K2 ?’ E(IP (M )0?31 )). 7

     ? Round 1, 6, 11, 12 : ? ? ?? ? S(x) = S(x) ?’ P ?1 (X1 ) ? ? ? ?? ? Round 2, 5, 10, 13 : S(x) such that ? ? ? ?? ?’ E(X1 )) = S(x) ?’ P ?1 (X2 ) ? S(x ? ? ? ?? ? Round 3, 4 : S(x) such that ? ? ? ?? ?’ E(X2 )) = S(x) ?’ P ?1 (X1 ?’ X2 ) S(x ? Round 7, 16 : ? ? ?? ? S(x) = S(x) ?’ P ?1 (X3 ) ? ? ? ?? ? Round 8, 15 : S(x) such that ? ? ? ?? ?’ E(X3 )) = S(x) ?’ P ?1 (X2 ) ? S(x ? ? ? ?? ? Round 9, 14 : S(x) such that ? ? ? ?? ?’ E(X2 )) = S(x) ?’ P ?1 (X1 ?’ X3 ) S(x Then, we de?ne fj,Kj by replacing S in fKj with the S-Box of the j-th round, for j = 1, ?? ?? ?? , 16. By replacing the original Feistel function with the new one fj,Kj in the j-th round of Akkar et. al.??s DES implementation, we can obtain the ?nal enhanced DES implementation. A extended proof that the

    enhanced DES implementation meets all the security requirements is presented in [6], but a complete reference to it is out of the scope of this paper.

     dition, the XORed value of the all the possible combinations of the outputs of the S-Boxes during the ?rst two and the last two rounds of DES should be masked by some random integer. Actually, di?erent integers should be used for masking in each case. So far, this method is the only known way to secure a cryptographic system against HODPA. However, further research should be made on which of the 16 DES-rounds is enough to mask, in order to prevent HODPA attacks. In this way, we could determine the minimal cost for a secure DES implementation, and therefore, a more e?ective and realistic masking technique.


     [1] P. Kocher, J. Ja?e, B. Jun, ??Introduction to Di?erential Power Analysis and Related Attacks??, Technical Report, Cryptography Research Inc., 1998. Available from http://www.cryptography.com/ dpa/technical/index.html, Accessed: 14 ? 03 ? 2009.



     The Unique Masking Method seemed to be the most e?cient countermeasure against any order DPA attacks, since it

    provided ?exibility and it could be implemented in real applications. The fact that, the part where the masking is appearing, depends neither on the key nor on the message, made the security of this method higher than similar ones. However, we showed that there is a weak point in this method, which makes it unsecure against High-Order DPA. This paper presented the attack on the Unique Masking Method applied on DES, which was initially implemented by Lv and Han in [6]. This attack shows that HODPA is indeed a powerful cryptanalytic technique, which can be used to attack almost every cryptographic algorithm. It is really di?cult to secure the known cryptographic algorithms against n-th order DPA attacks. The HODPA attack that we described, exploits the fact that useful information may leak from the outputs of the two ?rst and the two last rounds of the complete 16-round DES implementation, when the same random mask is used. In order to prevent HODPA and provide a secure DES implementation using masking methods, every critical intermediate value should be masked by a random integer. In ad8

     [2] J.-S. Coron and L. Goubin, ??On Boolean and arithmetic masking against di?erential power analysis??, In Cryptographic Hardware and Embedded Systems, CHES 2000, LNCS 1965, pp. 231-237,

    Springer-Verlag,2000. [3] M. Akkar and C. Giraud, ??An implementation of DES and AES Secure against Some Attacks??, Proceedings of CHES 2001, LNCS 2162, pp.309318, Springer-Verlag, 2001. [4] M. Akkar and L.Goubin, ??A Generic Protection against High-Order Di?erential Power Analysis??,

Report this document

For any questions or suggestions please email