[Figure: diagram spanning round r and round r+1, with bytes x_0 to x_15, y_0 to y_15 and z_0 to z_15; image not recovered]
Fig. 4. 4-byte Encoding Method
6 Conclusion
This paper proposed a new white-box implementation for AES. The implementation shares many features with that of Chow et al. when considering the hiding of the key using random bijections. However, and contrary to Chow et al., our construction makes InvSubBytes and InvMixColumns operations variable by using further sets of coefficients. These coefficients are taken from dual representations of AES.
We illustrated two different ways for modifying the mixing bijections; the one which involves the minimal changes to the Chow et al. implementation was fully detailed. The modifications apply to type I and II tables. The way these tables are constructed better protects the white-box implementations against known attacks. Remarkably, the proposed implementation does not impact the code size. Further, the overall performance is unchanged compared to previously proposed implementations. Yet it raises the expected security level from $2^{30}$ to $2^{91}$, offering a good security margin for practical applications.
Acknowledgment. I am very grateful to Amael Grevin for his implementation of an earlier solution and to Marc Joye for helpful discussions. I am also grateful to Eric Diehl and the anonymous referees for their insightful comments on previous versions of this article. Finally, I wish to thank Alain Durand and Davide Alessio for some useful suggestions.