attack and improvement of a secure s box calculation
play

Attack and Improvement of a Secure S-box Calculation Based on the - PowerPoint PPT Presentation

Dec 27, 2023 •157 likes •718 views

8 + Attack and Improvement of a Secure S-box Calculation Based on the Fourier Transform ebastien Coron 1 , Christophe Giraud 2 , Emmanuel Prouff 2 , and Jean-S Matthieu Rivain 1 , 2 1 University of Luxembourg 2 Oberthur Technologies August 11,

  1. 8 + Attack and Improvement of a Secure S-box Calculation Based on the Fourier Transform ebastien Coron 1 , Christophe Giraud 2 , Emmanuel Prouff 2 , and Jean-S´ Matthieu Rivain 1 , 2 1 University of Luxembourg 2 Oberthur Technologies August 11, 2008 J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  2. Outline 8 + Preliminaries 1 S-box Masking Based on the Fourier Transform 2 Differential Power Analysis vs. Biased Masking 3 DPA against the FT-Based S-box Masking 4 Improved FT-Based S-box Masking 5 Conclusion 6 J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  3. Outline 8 + Preliminaries 1 S-box Masking Based on the Fourier Transform 2 Differential Power Analysis vs. Biased Masking 3 DPA against the FT-Based S-box Masking 4 Improved FT-Based S-box Masking 5 Conclusion 6 J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  4. Differential Power Analysis (DPA) 8 + DPA Basics Physical leakage dependent on intermediate variables Sensitive variable depends on both the input plaintext and on a guessable part of the secret key DPA exploits the physical leakage on a sensitive variable for key recovery J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  5. Differential Power Analysis (DPA) 8 + DPA Basics Physical leakage dependent on intermediate variables Sensitive variable depends on both the input plaintext and on a guessable part of the secret key DPA exploits the physical leakage on a sensitive variable for key recovery DPA Security Every intermediate variable is independent of any sensitive variable. J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  6. Masking & S-box protection issue 8 + Masking Countermeasure Every sensitive variable Z is masked with a random value R masked variable � Z = Z ⊕ R and mask R both independent of Z Masked variables and masks processed separately Completeness: Z = � Z ⊕ R J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  7. Masking & S-box protection issue 8 + Masking Countermeasure Every sensitive variable Z is masked with a random value R masked variable � Z = Z ⊕ R and mask R both independent of Z Masked variables and masks processed separately Completeness: Z = � Z ⊕ R Masking a block cipher requires the masking of: ◮ the key additions ◮ the linear transformations ◮ the substitution boxes (S-boxes) J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  8. Masking & S-box protection issue 8 + Masking Countermeasure Every sensitive variable Z is masked with a random value R masked variable � Z = Z ⊕ R and mask R both independent of Z Masked variables and masks processed separately Completeness: Z = � Z ⊕ R Masking a block cipher requires the masking of: ◮ the key additions ◮ the linear transformations ◮ the substitution boxes (S-boxes) Key addition Masked Var. Mask Z ⊕ R ⊕ R = Z J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  9. Masking & S-box protection issue 8 + Masking Countermeasure Every sensitive variable Z is masked with a random value R masked variable � Z = Z ⊕ R and mask R both independent of Z Masked variables and masks processed separately Completeness: Z = � Z ⊕ R Masking a block cipher requires the masking of: ◮ the key additions ◮ the linear transformations ◮ the substitution boxes (S-boxes) Key addition Masked Var. Mask Z ⊕ R ⊕ K ⊕ R = Z ⊕ K J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  10. Masking & S-box protection issue 8 + Masking Countermeasure Every sensitive variable Z is masked with a random value R masked variable � Z = Z ⊕ R and mask R both independent of Z Masked variables and masks processed separately Completeness: Z = � Z ⊕ R Masking a block cipher requires the masking of: ◮ the key additions ◮ the linear transformations ◮ the substitution boxes (S-boxes) Linear transformation Masked Var. Mask Z ⊕ R ⊕ R = Z J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  11. Masking & S-box protection issue 8 + Masking Countermeasure Every sensitive variable Z is masked with a random value R masked variable � Z = Z ⊕ R and mask R both independent of Z Masked variables and masks processed separately Completeness: Z = � Z ⊕ R Masking a block cipher requires the masking of: ◮ the key additions ◮ the linear transformations ◮ the substitution boxes (S-boxes) Linear transformation Masked Var. Mask L ( Z ⊕ R ) ⊕ L ( R ) = L ( Z ) J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  12. Masking & S-box protection issue 8 + Masking Countermeasure Every sensitive variable Z is masked with a random value R masked variable � Z = Z ⊕ R and mask R both independent of Z Masked variables and masks processed separately Completeness: Z = � Z ⊕ R Masking a block cipher requires the masking of: ◮ the key additions ◮ the linear transformations ◮ the substitution boxes (S-boxes) Substitution box Issue: From Z ⊕ R and R , compute F ( Z ) ⊕ R ′ . All intermediate var. must be independent of Z . J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  13. Outline 8 + Preliminaries 1 S-box Masking Based on the Fourier Transform 2 Differential Power Analysis vs. Biased Masking 3 DPA against the FT-Based S-box Masking 4 Improved FT-Based S-box Masking 5 Conclusion 6 J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  14. S-box Masking Based on the Fourier Transform 8 + Prouff, Giraud, and Aumonier in CHES 2006 : Provably Secure S-Box Implementation Based on Fourier Transform J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  15. S-box Masking Based on the Fourier Transform 8 + Prouff, Giraud, and Aumonier in CHES 2006 : Provably Secure S-Box Implementation Based on Fourier Transform The Fourier Transform of a ( n × n ) S-box F is defined by: � F ( a )( − 1) a · Z . � F ( Z ) = a ∈ F n 2 J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  16. S-box Masking Based on the Fourier Transform 8 + Prouff, Giraud, and Aumonier in CHES 2006 : Provably Secure S-Box Implementation Based on Fourier Transform The Fourier Transform of a ( n × n ) S-box F is defined by: � F ( a )( − 1) a · Z . � F ( Z ) = a ∈ F n 2 It satisfies � � F = 2 n F , that is: � F ( Z ) = 1 F ( Z ) = 1 � � F ( a )( − 1) a · Z � 2 n 2 n a ∈ F n 2 J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  17. S-box Masking Based on the Fourier Transform 8 + S-box Masking Based on the Fourier Transform Inputs: a masked var. � Z = Z ⊕ R 1 , a mask R 1 , a look-up table � F Outputs: a masked output F ( Z ) ⊕ R 3 , a mask R 3 � F ( Z ) = 1 � F ( a )( − 1) a · Z 2 n a ∈ F n 2 J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  18. S-box Masking Based on the Fourier Transform 8 + S-box Masking Based on the Fourier Transform Inputs: a masked var. � Z = Z ⊕ R 1 , a mask R 1 , a look-up table � F Outputs: a masked output F ( Z ) ⊕ R 3 , a mask R 3 � Z · R 1 F ( Z ) = 1 � F ( a )( − 1) a · � Z ⊕ R 1 · ( a ⊕ � � Z ) ( − 1) 2 n a ∈ F n 2 J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  19. S-box Masking Based on the Fourier Transform 8 + S-box Masking Based on the Fourier Transform Inputs: a masked var. � Z = Z ⊕ R 1 , a mask R 1 , a look-up table � F Outputs: a masked output F ( Z ) ⊕ R 3 , a mask R 3 � Z ⊕ R 2 ) · R 1 F ( Z ) = 1 ( − 1) ( � F ( a )( − 1) a · � Z ⊕ R 1 · ( a ⊕ � � Z ⊕ R 2 ) 2 n a ∈ F n 2 J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  20. S-box Masking Based on the Fourier Transform 8 + S-box Masking Based on the Fourier Transform Inputs: a masked var. � Z = Z ⊕ R 1 , a mask R 1 , a look-up table � F Outputs: a masked output F ( Z ) ⊕ R 3 , a mask R 3 ( − 1) ( � Z ⊕ R 2 ) · R 1 F ( Z )+ R 3 mod 2 n = � Z ⊕ R 2 ) mod2 2 n � � 1 F ( a )( − 1) a · � Z ⊕ R 1 · ( a ⊕ � � 2 n R 3 + R 4 + 2 n a ∈ F n 2 J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day >> exploitation of the device >> the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
Secure and Efficient Metering Discussion Outline Clarifications Attack on Secure

Secure and Efficient Metering Discussion Outline Clarifications Attack on Secure

Secure and Efficient Metering Discussion Outline Clarifications Attack on Secure Metering Issues and Extensions Real World Other Directions Metering for General Access Structures Understanding the model Audit Agency

480 views • 35 slides
Presentation of the ITN Rating Calculation for the largest percentage climbers on the improvement

Presentation of the ITN Rating Calculation for the largest percentage climbers on the improvement

Presentation of the ITN Rating Calculation for the largest percentage climbers on the improvement ladder between 23 and 30 January 2016. No explanations are given. However, the ITN Rating Calculation for each player is presented. The ITN

427 views • 4 slides
Diffie-Hellman not secure against Man-in-the-Middle-attack: Want to guarantee authenticity. Alice

Diffie-Hellman not secure against Man-in-the-Middle-attack: Want to guarantee authenticity. Alice

Diffie-Hellman not secure against Man-in-the-Middle-attack: Want to guarantee authenticity. Alice Mallory Bob Can achieve this with publc-key cryptography as well. g a a First example: Schnorr Signature g m m a 1024 bit

283 views • 3 slides
Diffie-Hellman not secure against Man-in-the-Middle-attack: Alice Mallory Bob g a a g

Diffie-Hellman not secure against Man-in-the-Middle-attack: Alice Mallory Bob g a a g

Diffie-Hellman not secure against Man-in-the-Middle-attack: Alice Mallory Bob g a a g m m g ma g ma g n n g b b g nb g nb g ma g ma , g nb g nb Eike Ritter Cryptography 2014/15 106

417 views • 9 slides
Secure Programming Laboratory 4: Web Attack SP Demonstrators: Arthur Chan / David Aspinall 15th

Secure Programming Laboratory 4: Web Attack SP Demonstrators: Arthur Chan / David Aspinall 15th

Secure Programming Laboratory 4: Web Attack SP Demonstrators: Arthur Chan / David Aspinall 15th November 2019 Orientation This is the fourth Laboratory Session for Secure Programming It is convened by Arthur, Henry and David. The handout and

556 views • 8 slides
Secure Programming Laboratory 4: Web Attack SP Demonstrators: Arthur Chan / David Aspinall 20th

Secure Programming Laboratory 4: Web Attack SP Demonstrators: Arthur Chan / David Aspinall 20th

Secure Programming Laboratory 4: Web Attack SP Demonstrators: Arthur Chan / David Aspinall 20th March 2019 Orientation This is the fourth Laboratory Session for Secure Programming It is convened by Arthur and David. The handout and other

441 views • 8 slides
Evolving Secure Information Systems through Attack Simulation Elmar Kiesling, Andreas Ekelhart,

Evolving Secure Information Systems through Attack Simulation Elmar Kiesling, Andreas Ekelhart,

Evolving Secure Information Systems through Attack Simulation Elmar Kiesling, Andreas Ekelhart, Bernhard Grill, Christine Strau, Christian Stummer January 7, 2014; Waikoloa, Big Island, Hawaii Funded by the Austrian Science Fund under project

1.13k views • 87 slides
Secure Sockets Layer Transport Layer Security BEAST Attack Dan Luedtke <mail@danrl.de>

Secure Sockets Layer Transport Layer Security BEAST Attack Dan Luedtke <mail@danrl.de>

Secure Sockets Layer Transport Layer Security BEAST Attack Dan Luedtke <mail@danrl.de> Wed Apr 18, 2012 University of the German Federal Armed Forces, Munich Slide 1 Outline History Design Goals SSL/TLS Stack

439 views • 15 slides
6/4/2020 State of Michigan Lean Process Improvement (LPI) Fast, Accurate, and Secure Using Lean

6/4/2020 State of Michigan Lean Process Improvement (LPI) Fast, Accurate, and Secure Using Lean

6/4/2020 State of Michigan Lean Process Improvement (LPI) Fast, Accurate, and Secure Using Lean Principles to Improve your Election Process Anne Cram and Matt Casby , Office of Continuous Improvement MAMC Annual Convention 6/11/20 1 WELCOME!

351 views • 11 slides
CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of

CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of

CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of f the Common Principles Minimize attack Secure by surface area Default Principle of Fail-Safe Least Stance Privilege Secure the

975 views • 56 slides
Calculation of Periodic Travelling Wave Stability: A Users Guide Jonathan A. Sherratt

Calculation of Periodic Travelling Wave Stability: A Users Guide Jonathan A. Sherratt

Case Study: Mussel Bed Patterns in the Wadden Sea Calculation of Wavetrain Existence Applications of Wavetrains Calculation of Wavetrain Stability Objective of Talk Calculation of Stability Boundaries in Parameter Space Conclusions

959 views • 50 slides
A Design Of Secure Preferential E-Voting Kun Peng and Feng Bao { dr.kun.peng } @gmail.com

A Design Of Secure Preferential E-Voting Kun Peng and Feng Bao { dr.kun.peng } @gmail.com

A Design Of Secure Preferential E-Voting Kun Peng and Feng Bao { dr.kun.peng } @gmail.com Institute for Inforcomm Research (I 2 R), Singapore 1 Agenda 1. Preferential E-Voting 2. Coercion attack and coercion resistent 3. Italian attack

229 views • 21 slides
On On Secure Pos osition oning (P (Proj oject CSP: SP: Cros oss-La Layer D Desig ign o

On On Secure Pos osition oning (P (Proj oject CSP: SP: Cros oss-La Layer D Desig ign o

On On Secure Pos osition oning (P (Proj oject CSP: SP: Cros oss-La Layer D Desig ign o of Se f Secure Po Positioning) Sr Srdjan a apkun Relay attack only takes a couple of seconds si signal stre rength d we need se

402 views • 39 slides
Leakage Resilient Masking Schemes Sebastian Faust Ruhr University Bochum 1 Modern cryptography

Leakage Resilient Masking Schemes Sebastian Faust Ruhr University Bochum 1 Modern cryptography

Leakage Resilient Masking Schemes Sebastian Faust Ruhr University Bochum 1 Modern cryptography Until 1970s: Design crypto algorithm secure against one attack Find attack C Find attack B Crypto Crypto algorithm A algorithm B secure against

631 views • 51 slides
Physical Attack Protection with Human-Secure Virtualization in Data Centers Jakub Szefer ,

Physical Attack Protection with Human-Secure Virtualization in Data Centers Jakub Szefer ,

Physical Attack Protection with Human-Secure Virtualization in Data Centers Jakub Szefer , Pramod Jamkhedkar, Yu-Yuan Chen and Ruby B. Lee Princeton University WORCS 2012 July 25, 2012 contact: szefer@princeton.edu Data Centers as

686 views • 36 slides
Systems IEEE 754 Format Shankar Balachandran* Associate Professor, CSE Department Indian

Systems IEEE 754 Format Shankar Balachandran* Associate Professor, CSE Department Indian

Spring 2015 Week 9 Additional Module Digital Circuits and Systems IEEE 754 Format Shankar Balachandran* Associate Professor, CSE Department Indian Institute of Technology Madras *Currently a Visiting Professor at IIT Bombay There is no

112 views • 10 slides
Floating Point CSE 238/2038/2138: Systems Programming Instructor: Fatma CORUT ERGN Slides

Floating Point CSE 238/2038/2138: Systems Programming Instructor: Fatma CORUT ERGN Slides

Floating Point CSE 238/2038/2138: Systems Programming Instructor: Fatma CORUT ERGN Slides adapted from Bryant & OHallarons slides Today: Floating Point Background: Fractional binary numbers IEEE floating point standard:

803 views • 52 slides
CPE 335 CPE 335 Computer Organization MIPS Arithmetic Part II Dr. Iyad Jafar Adapted from

CPE 335 CPE 335 Computer Organization MIPS Arithmetic Part II Dr. Iyad Jafar Adapted from

CPE 335 CPE 335 Computer Organization MIPS Arithmetic Part II Dr. Iyad Jafar Adapted from Dr. Gheith Abandah slides http://www.abandah.com/gheith/Courses/CPE335_S08/index.html CPE 232 MIPS Arithmetic 1 Shift Operations Shifts move

397 views • 28 slides
Numeric Programming Examples Thomas Hahn Max-Planck-Institut fr Physik Mnchen T. Hahn,

Numeric Programming Examples Thomas Hahn Max-Planck-Institut fr Physik Mnchen T. Hahn,

Numeric Programming Examples Thomas Hahn Max-Planck-Institut fr Physik Mnchen T. Hahn, Numeric Programming Examples p.1 Mixing Fortran and C Most Fortran compilers add an underscore to all symbols. Fortran passes all arguments by

373 views • 21 slides
Warm up Using the phrase "an honors student" as the hypothesis: 1) Create a true

Warm up Using the phrase "an honors student" as the hypothesis: 1) Create a true

Warm up Using the phrase "an honors student" as the hypothesis: 1) Create a true conditional 2) Write its converse 3) Determine the truth value of the converse Bonus for coming up w/a true conditional & converse! Biconditional

471 views • 8 slides
Announcements Homework 1, Due January 16 th Reading: sections 1.1, 1.2, 1.3 CSE 321

Announcements Homework 1, Due January 16 th Reading: sections 1.1, 1.2, 1.3 CSE 321

Announcements Homework 1, Due January 16 th Reading: sections 1.1, 1.2, 1.3 CSE 321 Discrete Structures Quiz section Thursday 12:30-1:20 or 1:30 2:20 CSE 305 Winter 2008 Office hours Lecture 2 Richard

580 views • 3 slides
CPSC 121: Models of Computation Instructor: Bob Woodham woodham@cs.ubc.ca Department of Computer

CPSC 121: Models of Computation Instructor: Bob Woodham woodham@cs.ubc.ca Department of Computer

CPSC 121: Models of Computation Instructor: Bob Woodham woodham@cs.ubc.ca Department of Computer Science University of British Columbia Lecture Notes 2008/2009, Section 203 CPSC 121: Models of Computation Menu January 9, 2009 Topics:

881 views • 53 slides
Logic 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 1 of 1 08/26/2003 03:33 PM 1 of 1

Logic 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 1 of 1 08/26/2003 03:33 PM 1 of 1

Logic http://localhost/~senning/courses/ma229/slides/logic/slide01.html Logic http://localhost/~senning/courses/ma229/slides/logic/slide02.html Logic prev | slides | next prev | slides | next Propositions A proposition is a statement that is

655 views • 5 slides

More recommend