Abstract

Introduced in 1999, differential power-analysis (DPA) attacks pose a serious threat for cryptographic devices. Several countermeasures have been proposed during the last years. However, none of them leads to implementations that are provably resistant against DPA. A promising class of DPA countermeasures is masking. In this article we discuss implementations of three existing masking schemes for the Advanced Encryption Standard (AES). We present an ASIC that has been implemented and manufactured. This test chip is used to investigate the countermeasures in practice. With this test chip we have also determined the costs of masking in terms of area and execution time. Compared to an unmasked AES implementation the best masking scheme shows a performance loss about 40-50%. To the best of the authors knowledge it is the first ASIC that implements masking for AES. 1.