
As several intermediate values are used as sensitive data for side channel analysis (DPA), I don't understand why sbox input ^ sbox output is also widely used and effective. This value is not applied in the AES algorithm.

    Some early papers about protecting against DPA suggested the use of randomized RAM-tables S'(x) = S(x^r)^r with the same random r for in- and output mask of the S-box S. One possible problem with having the input mask equal the output mask is described in poncho's answer (but I don't remember ever seeing it, despite always worrying about it), the other is simply that the S-box output might overwrite the input stored in a register (leaking their Hamming distance - which cancels out the mask r), if you for example try to implement DPA-resistant SW in C. – j.p. Mar 01 '23 at 07:31

1 Answer


I don't understand why sbox input ^ sbox output is also widely used

Well, one reason it may be often used is that it is often available.

For some side channel attacks (e.g. EMR based), it is the transitions that give a stronger signal than the actual electrical level. And, if the circuit sends the input to the sbox over a bus at cycle $N$, and gets the output from the sbox over that same bus, well, a specific bus line will transition if the sbox input ^ the sbox output for that bit is a 1, and will stay constant if the xor is 0. That may be easier to detect than the actual bit values.

poncho
  • Practically I always see this as a target for DPA (current based) on a masked hardware implementation. In that case, if the masking is not implemented carefully, it may still work. But in this case, the sbox is always implemented in a several-cycle design.. So sbox-in and sbox-out aren't updated in the same cycle and would not be present on the same bus. I can't find an answer to this case.. – ramenpeddler Mar 01 '23 at 06:50
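As an added illustration (not code from the original post or its authors) of the transition model in poncho's answer and the masked-table S'(x) = S(x ^ r) ^ r from j.p.'s comment: the Hamming distance between masked S-box input and masked S-box output is HW(x ^ S(x)) whenever both sides share the mask r, so the mask cancels, while two independent masks make the toggle count independent of x. The S-box is the AES S-box computed from its definition; the sample bytes are constructed.

```python
# Added example, not from the original post: Hamming-distance leakage of a
# masked AES S-box when input and output share one mask r versus two masks.

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def aes_sbox(x: int) -> int:
    """AES S-box: multiplicative inverse followed by the affine transform."""
    inv = 0 if x == 0 else next(b for b in range(1, 256) if gf_mul(x, b) == 1)
    s = inv
    for i in range(1, 5):  # inv ^ rotl(inv,1) ^ rotl(inv,2) ^ rotl(inv,3) ^ rotl(inv,4)
        s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
    return s ^ 0x63

SBOX = [aes_sbox(x) for x in range(256)]  # full table computed once

def hw(v: int) -> int:
    """Hamming weight: number of bus lines that toggle for an XOR value v."""
    return bin(v).count("1")

def bus_toggles_same_mask(x: int, r: int) -> int:
    """Transitions when masked input x^r is replaced by masked output S(x)^r."""
    return hw((x ^ r) ^ (SBOX[x] ^ r))

def bus_toggles_two_masks(x: int, r_in: int, r_out: int) -> int:
    """Same transition count with independent input and output masks."""
    return hw((x ^ r_in) ^ (SBOX[x] ^ r_out))

def same_mask_cancels() -> bool:
    """The shared mask r drops out: toggles == HW(x ^ S(x)) for every x and r."""
    return all(bus_toggles_same_mask(x, r) == hw(x ^ SBOX[x])
               for x in range(256) for r in range(256))

def toggle_histogram_two_masks(x: int) -> tuple:
    """Distribution of toggle counts over all r_out for a fixed x (r_in = 0)."""
    counts = [0] * 9
    for r_out in range(256):
        counts[bus_toggles_two_masks(x, 0, r_out)] += 1
    return tuple(counts)
```

With two masks the histogram is the same binomial shape for every x, so the toggle count carries no information about x; with one shared mask it is a fixed function of x ^ S(x), exactly the value the question asks about.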