Changing of the Guards. Joan Daemen, CHES 2017, Taipei, September 2017 (PowerPoint presentation)



SLIDE 1

Changing of the Guards

Joan Daemen, CHES 2017, Taipei, September 26, 2017

Radboud University, STMicroelectronics

1 / 18

SLIDE 2

Disclaimer

This is not a talk about higher-order countermeasures

2 / 18

SLIDE 3

Iterative cryptographic permutation

3 / 18

SLIDE 4

Three-stage round function: wide trail

4 / 18

SLIDE 5

Nonlinear layer χ

X[i] ^= (~X[i+1]) & X[i+2]

$x_i \leftarrow x_i + (x_{i+1} + 1)\,x_{i+2}$ (indices mod n)

◮ Invertible for odd length n
◮ Used in Ketje, Keyak, Keccak (n = 5), RadioGatun (n = 19), Panama (n = 17), BaseKing, 3-Way (n = 3), Subterranean, Cellhash (n = 257)

[Daemen, Govaerts, Vandewalle, WIC Benelux 1991]

5 / 18

SLIDE 6

Masking of χ as DPA/DEMA countermeasure

$x_0 \leftarrow x_0 + (x_1 + 1)\,x_2$, with $a_i + b_i = x_i$ and $a_i$ random:

$a_0 \leftarrow a_0 + (a_1 + 1)\,a_2 + a_1 b_2$

$b_0 \leftarrow b_0 + (b_1 + 1)\,b_2 + b_1 a_2$

[Daemen, Peeters, Van Assche, FSE 2000]

6 / 18

SLIDE 7

χ′: a three-share masking of χ

$x_0 \leftarrow x_0 + (x_1 + 1)\,x_2$, with $a_i + b_i + c_i = x_i$ and $a_i$ and $b_i$ random:

$a_0 \leftarrow b_0 + (b_1 + 1)\,b_2 + b_1 c_2 + b_2 c_1$

$b_0 \leftarrow c_0 + (c_1 + 1)\,c_2 + c_1 a_2 + c_2 a_1$

$c_0 \leftarrow a_0 + (a_1 + 1)\,a_2 + a_1 b_2 + a_2 b_1$

[Bertoni, Daemen, Peeters, Van Assche, 2nd SHA-3, 2010]

7 / 18

SLIDE 8

Threshold masking schemes [Nikova, Rijmen, Rechberger, Schläffer, ’06 - ’08]

[Figure: unshared $x \to f \to y$ on the left; on the right the shared circuit with $x_a \to f_a \to y_a$, $x_b \to f_b \to y_b$, $x_c \to f_c \to y_c$]

Scheme at the right computes f securely against 1st-order DPA if:

◮ $(f_a, f_b, f_c)$ is a correct sharing of f
◮ $(f_a, f_b, f_c)$ is incomplete: requires # shares ≥ d + 1 (d the algebraic degree of f)
◮ $(x_a, x_b, x_c)$ is a uniform sharing of x:

  • all values $(x_a, x_b, x_c)$ with $x_a + x_b + x_c = x$ equiprobable
  • x = 0 : $(x_a, x_b, x_c) \in \{(0, 0, 0), (1, 1, 0), (1, 0, 1), (0, 1, 1)\}$
  • x = 1 : $(x_a, x_b, x_c) \in \{(1, 1, 1), (0, 0, 1), (0, 1, 0), (1, 0, 0)\}$

8 / 18

SLIDE 9

Uniformity of a threshold masking scheme

[Figure: two applications of f in series, $x \to f \to y \to f \to z$, and the shared version $(x_a, x_b, x_c) \to (f_a, f_b, f_c) \to (y_a, y_b, y_c) \to (f_a, f_b, f_c) \to (z_a, z_b, z_c)$]

◮ Sharing $(f_a, f_b, f_c)$ of f is called uniform if it preserves uniformity
◮ If f is invertible, for $(f_a, f_b, f_c)$ uniformity = invertibility

9 / 18

SLIDE 10

Back to χ′

$a_0 \leftarrow b_0 + (b_1 + 1)\,b_2 + b_1 c_2 + b_2 c_1$

$b_0 \leftarrow c_0 + (c_1 + 1)\,c_2 + c_1 a_2 + c_2 a_1$

$c_0 \leftarrow a_0 + (a_1 + 1)\,a_2 + a_1 b_2 + a_2 b_1$

Is this a secure threshold masking scheme of χ?

◮ Correct? Yes!
◮ Incomplete? Yes!
◮ Uniform? Yes! …but wait …we may have a problem here: it isn’t

In general, for many S-boxes:

◮ no uniform d + 1-share threshold schemes are known
◮ it is an active research area to find the best compromise

10 / 18
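A worked check of the claims on slides 5 to 10, added here and not code from the talk: χ on bit lists, the two-share and three-share maskings written exactly as on slides 6 and 7, an exhaustive invertibility test of χ (odd n only), a correctness test for both maskings, and the uniformity test of slide 9 (χ is a permutation, so χ′ is uniform iff the 3n-bit map from input shares to output shares is itself a permutation). All function names are mine; "+" on the slides is XOR here. The last check is the point of slide 10: for Keccak's n = 5 the shared map χ′ is not a permutation, so the three-share χ′ is not uniform.

```python
# Added example (not code from the talk): chi, its 2- and 3-share maskings
# (slides 5-7) and exhaustive checks of invertibility, correctness and
# uniformity. Bits are plain 0/1 ints in lists, index 0 first.


def chi(x):
    """chi on a list of n bits: x[i] ^= (~x[i+1]) & x[i+2], indices mod n.
    Built as a new list so every output uses the *old* input values."""
    n = len(x)
    return [x[i] ^ ((x[(i + 1) % n] ^ 1) & x[(i + 2) % n]) for i in range(n)]


def chi_2share(a, b):
    """Two-share masking of chi (slide 6): x_i = a_i + b_i.
    Correct, but each output share reads both input shares (not incomplete)."""
    n = len(a)
    A = [a[i] ^ ((a[(i + 1) % n] ^ 1) & a[(i + 2) % n]) ^ (a[(i + 1) % n] & b[(i + 2) % n])
         for i in range(n)]
    B = [b[i] ^ ((b[(i + 1) % n] ^ 1) & b[(i + 2) % n]) ^ (b[(i + 1) % n] & a[(i + 2) % n])
         for i in range(n)]
    return A, B


def chi_share(p, q):
    """One output share of chi' (slide 7):
    p_i + (p_{i+1} + 1) p_{i+2} + p_{i+1} q_{i+2} + p_{i+2} q_{i+1}."""
    n = len(p)
    return [p[i] ^ ((p[(i + 1) % n] ^ 1) & p[(i + 2) % n])
            ^ (p[(i + 1) % n] & q[(i + 2) % n]) ^ (p[(i + 2) % n] & q[(i + 1) % n])
            for i in range(n)]


def chi_prime(a, b, c):
    """Three-share chi': A reads only (b, c), B only (c, a), C only (a, b)."""
    return chi_share(b, c), chi_share(c, a), chi_share(a, b)


def bits(v, n):
    """Integer v as a list of n bits, least significant first."""
    return [(v >> i) & 1 for i in range(n)]


def split3(w, n):
    return w[:n], w[n:2 * n], w[2 * n:]


def is_bijection(f, n):
    """Exhaustive check that f permutes the n-bit space (no two inputs collide)."""
    seen = set()
    for v in range(1 << n):
        y = tuple(f(bits(v, n)))
        if y in seen:
            return False
        seen.add(y)
    return True


def chi_invertible(n):
    """Slide 5: chi is invertible exactly for odd n."""
    return is_bijection(chi, n)


def maskings_correct(n):
    """Slides 6-7: recombining the output shares gives chi of the recombined input."""
    for v in range(1 << (3 * n)):
        a, b, c = split3(bits(v, 3 * n), n)
        x = [a[i] ^ b[i] ^ c[i] for i in range(n)]
        A, B, C = chi_prime(a, b, c)
        if [A[i] ^ B[i] ^ C[i] for i in range(n)] != chi(x):
            return False
        A2, B2 = chi_2share(a, [b[i] ^ c[i] for i in range(n)])
        if [A2[i] ^ B2[i] for i in range(n)] != chi(x):
            return False
    return True


def chi_prime_uniform(n):
    """Slides 9-10: chi is a permutation, so chi' is a uniform sharing iff the
    map (a, b, c) -> (A, B, C) on 3n bits is itself a permutation."""
    def f(w):
        A, B, C = chi_prime(*split3(w, n))
        return A + B + C
    return is_bijection(f, 3 * n)


if __name__ == "__main__":
    for n in (2, 3, 4, 5, 7):
        print(f"chi invertible for n={n}: {chi_invertible(n)}")
    print("maskings correct (n=5):", maskings_correct(5))
    print("chi' uniform (n=5, Keccak):", chi_prime_uniform(5))
```

The uniformity check is the exhaustive version of the slide 9 criterion: with 2^15 share vectors for n = 5 it finishes in about a second, and a single collision is enough to refute uniformity.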

SLIDE 11

An out-of-the-box approach to achieving uniformity

[Figure: a row of shared S-boxes $(S_a, S_b, S_c)$ with inputs $(a_i, b_i, c_i)$ and outputs $(A_i, B_i, C_i)$; the guard pair $(r_b, r_c)$ enters at the left and the pair $(R_b, R_c)$ leaves at the right]

(1) Build $(S_a, S_b, S_c)$: a correct and incomplete sharing of S

  • straightforward and generalizes to d + 1 shares for d > 2

(2) Mask output with $(r_b, r_c)$ that has uniform distribution

  • correctness and incompleteness are preserved
  • output $(y_a, y_b, y_c)$ becomes uniform sharing of y

(3) Chain this

  • But where does the leftmost $(r_b, r_c)$ come from?

11 / 18

SLIDE 12

Attempt 1: injecting fresh randomness

[Figure: the row of shared S-boxes with a fresh $(r_b, r_c)$ injected]

◮ $(r_b, r_c)$ are generated freshly every round
◮ For n-bit S-box, this requires 2n random bits per round
◮ Downsides:

  • real-world: requires random generation during operation
  • academic: no uniform sharing is obtained

[Bilgin, Daemen, Nikova, Nikov, Rijmen, Van Assche, Cardis ’13]

12 / 18

SLIDE 13

Attempt 2: cycling randomness

[Figure: the row of shared S-boxes closed into a circle, the last S-box's $(R_b, R_c)$ feeding the first S-box's $(r_b, r_c)$]

◮ S-boxes are arranged in circle: $(r_b, r_c) = (R_b, R_c)$
◮ No more need for generating randomness during operation
◮ The remaining amount of non-uniformity is negligible
◮ Downsides:

  • real-world: hard to explain why that is the case …
  • academic: it is simply not uniform!

I presented this at [Shonan, Sep.’14] [ESC, Jan.’15] [TI Day, May’15]

13 / 18

SLIDE 14

Attempt 3: recycling randomness

[Figure: the row of shared S-boxes; $(r_b, r_c)$ enters at S-box 0, and the b and c input shares of the last S-box leave as $R_c$ and $R_b$]

◮ We make $(R_b, R_c)$ part of the shared state: the Guards
◮ input Guards $(r_b, r_c)$ are previous-round output Guards $(R_b, R_c)$
◮ Achieves uniformity if S-box is invertible
◮ Cost:

  • 4 additional XORs per native bit
  • shared state extended by 2n additional bits (for n-bit S-box)

14 / 18

SLIDE 15

Proof of uniformity

[Figure: same as slide 14]

Computing (a, b, c) and $(r_b, r_c)$ from (A, B, C) and $(R_b, R_c)$

◮ Initial step: $b_2 \leftarrow R_c$ and $c_2 \leftarrow R_b$
◮ Iteration: compute $(a_i, b_{i-1}, c_{i-1})$ from $(A_i, B_i, C_i)$ and $(b_i, c_i)$

  • $a_i = S^{-1}(A_i + B_i + C_i) + b_i + c_i$
  • $b_{i-1} = S_c(a_i, b_i) + C_i$
  • $c_{i-1} = S_b(c_i, a_i) + B_i$

◮ Final step: $r_b \leftarrow b_{-1}$ and $r_c \leftarrow c_{-1}$
◮ Invertibility implies uniformity: QED

15 / 18
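The guard construction of slides 11 to 14 and the inverse of slide 15, as an added example rather than code from the talk. The wiring is my reading of the figure: $A_i$ gets both guards of S-box i − 1, $B_i$ gets $c_{i-1}$, $C_i$ gets $b_{i-1}$ (four XORs per native bit, as on slide 14), $(b_{-1}, c_{-1}) = (r_b, r_c)$, and the output guards are the b and c input shares of the last S-box, swapped as in the initial step of the proof. All function names are mine. Because the inverse is total, the layer permutes the whole state including the guards, which is exactly what uniformity requires; the exhaustive check for n = 3 with one S-box confirms it on the 15-bit state, and the random round trips exercise the inverse for Keccak's n = 5.

```python
# Added example (not code from the talk): guarded chi' layer (slides 11-14)
# for a row of m S-boxes of n bits, and the inverse of slide 15.
import random


def chi(x):
    n = len(x)
    return [x[i] ^ ((x[(i + 1) % n] ^ 1) & x[(i + 2) % n]) for i in range(n)]


def chi_share(p, q):
    """One output share of chi' (slide 7)."""
    n = len(p)
    return [p[i] ^ ((p[(i + 1) % n] ^ 1) & p[(i + 2) % n])
            ^ (p[(i + 1) % n] & q[(i + 2) % n]) ^ (p[(i + 2) % n] & q[(i + 1) % n])
            for i in range(n)]


def chi_prime(a, b, c):
    return chi_share(b, c), chi_share(c, a), chi_share(a, b)


def xor(u, v):
    return [p ^ q for p, q in zip(u, v)]


def bits(v, n):
    return [(v >> i) & 1 for i in range(n)]


def guarded_layer(a, b, c, rb, rc):
    """Slide 14. a, b, c: lists of m share vectors (n bits each); rb, rc: n-bit
    input guards. Returns output shares A, B, C and output guards (Rb, Rc)."""
    A, B, C = [], [], []
    gb, gc = rb, rc                               # (b_{i-1}, c_{i-1}) for i = 0
    for ai, bi, ci in zip(a, b, c):
        Sa, Sb, Sc = chi_prime(ai, bi, ci)
        A.append(xor(xor(Sa, gb), gc))            # A_i = S_a + b_{i-1} + c_{i-1}
        B.append(xor(Sb, gc))                     # B_i = S_b + c_{i-1}
        C.append(xor(Sc, gb))                     # C_i = S_c + b_{i-1}
        gb, gc = bi, ci
    return A, B, C, c[-1], b[-1]                  # R_b = c_{m-1}, R_c = b_{m-1} (swapped)


def guarded_layer_inverse(A, B, C, Rb, Rc):
    """Slide 15: recover (a, b, c, rb, rc). That this inverse exists for every
    output is the uniformity proof."""
    m, n = len(A), len(A[0])
    chi_inv = {tuple(chi(bits(v, n))): bits(v, n) for v in range(1 << n)}
    a, b, c = [None] * m, [None] * m, [None] * m
    bi, ci = Rc, Rb                               # initial step: b_{m-1} <- R_c, c_{m-1} <- R_b
    for i in range(m - 1, -1, -1):
        b[i], c[i] = bi, ci
        x = chi_inv[tuple(xor(xor(A[i], B[i]), C[i]))]   # guards cancel in the share sum
        a[i] = xor(xor(x, bi), ci)                # a_i = S^-1(A_i+B_i+C_i) + b_i + c_i
        Sa, Sb, Sc = chi_prime(a[i], b[i], c[i])
        bi, ci = xor(Sc, C[i]), xor(Sb, B[i])     # b_{i-1} = S_c + C_i, c_{i-1} = S_b + B_i
    return a, b, c, bi, ci                        # final step: r_b = b_{-1}, r_c = c_{-1}


def layer_is_bijection(n, m):
    """Exhaustive uniformity check on the full (3m + 2)n-bit state (slide 9)."""
    width = (3 * m + 2) * n
    seen = set()
    for v in range(1 << width):
        w = bits(v, width)
        ch = [w[k * n:(k + 1) * n] for k in range(3 * m + 2)]
        out = guarded_layer(ch[:m], ch[m:2 * m], ch[2 * m:3 * m], ch[3 * m], ch[3 * m + 1])
        key = tuple(sum(out[0] + out[1] + out[2] + [out[3], out[4]], []))
        if key in seen:
            return False
        seen.add(key)
    return True


def roundtrip_ok(n, m, trials=200, seed=2017):
    """Forward then inverse must return the exact input, for random shares and guards."""
    rng = random.Random(seed)
    vec = lambda: [rng.randrange(2) for _ in range(n)]
    for _ in range(trials):
        a, b, c = [[vec() for _ in range(m)] for _ in range(3)]
        rb, rc = vec(), vec()
        if guarded_layer_inverse(*guarded_layer(a, b, c, rb, rc)) != (a, b, c, rb, rc):
            return False
    return True


if __name__ == "__main__":
    print("n=3, one S-box: 15-bit guarded state is a permutation:", layer_is_bijection(3, 1))
    print("n=5 (Keccak chi), 3 S-boxes: inverse round-trips:", roundtrip_ok(5, 3))
```

The exhaustive check is only feasible for the smallest case; for larger n and m the round trip through the slide 15 inverse is the practical evidence, since an inverse that works on every sampled output is exactly the argument the proof makes.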

SLIDE 16

Optimization for χ′

Multi-transformation property of χ′:

◮ Assume we know

  • bits of (a, b, c) with indices 0 and 1
  • bits of (A, B, C) with indices 2, 3, …, m

◮ then we can compute bits of (a, b, c) with index m, m − 1, …, 2 (indices are taken mod n, so the neighbours of index m are 0 and 1):

  $A_m = b_m + (b_0 + 1)\,b_1 + b_0 c_1 + b_1 c_0$

  $B_m = c_m + (c_0 + 1)\,c_1 + c_0 a_1 + c_1 a_0$

  $C_m = a_m + (a_0 + 1)\,a_1 + a_0 b_1 + a_1 b_0$

◮ This allows us to

  • reduce output masking to bits with indices 0 and 1
  • shrink $r_b$ and $r_c$ to two bits each

16 / 18
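The multi-transformation property of slide 16 and the optimisation it enables, as an added example that is not code from the talk. The recovery runs from index m = n − 1 down to 2, each step using the two already-known higher neighbours (mod n); the exhaustive check confirms the property for n = 3 and n = 5. The 2-bit guard layer is my reading of the slide: only output bits 0 and 1 carry the guard XORs, with the same share-to-guard wiring as on slides 14 and 15, and the output guards are bits 0 and 1 of the last S-box's c and b input shares. All function names are mine. The bijection check shows that the state with only 4 guard bits is still permuted, which is what uniformity requires.

```python
# Added example (not code from the talk): multi-transformation property of
# chi' (slide 16) and the resulting guarded layer with 2-bit guards.
import random


def chi(x):
    n = len(x)
    return [x[i] ^ ((x[(i + 1) % n] ^ 1) & x[(i + 2) % n]) for i in range(n)]


def chi_share(p, q):
    """One output share of chi' (slide 7)."""
    n = len(p)
    return [p[i] ^ ((p[(i + 1) % n] ^ 1) & p[(i + 2) % n])
            ^ (p[(i + 1) % n] & q[(i + 2) % n]) ^ (p[(i + 2) % n] & q[(i + 1) % n])
            for i in range(n)]


def chi_prime(a, b, c):
    return chi_share(b, c), chi_share(c, a), chi_share(a, b)


def bits(v, n):
    return [(v >> i) & 1 for i in range(n)]


def recover_high_bits(a, b, c, A, B, C):
    """Slide 16: from bits 0, 1 of (a, b, c) and bits 2..m of the unmasked outputs
    (A, B, C), fill in bits m, m-1, ..., 2 of (a, b, c), m = n - 1. Entries of
    a, b, c at indices >= 2 are overwritten; the three lists are returned."""
    n = len(A)
    for j in range(n - 1, 1, -1):
        j1, j2 = (j + 1) % n, (j + 2) % n        # both already known; (0, 1) for j = m
        b[j] = A[j] ^ ((b[j1] ^ 1) & b[j2]) ^ (b[j1] & c[j2]) ^ (b[j2] & c[j1])
        c[j] = B[j] ^ ((c[j1] ^ 1) & c[j2]) ^ (c[j1] & a[j2]) ^ (c[j2] & a[j1])
        a[j] = C[j] ^ ((a[j1] ^ 1) & a[j2]) ^ (a[j1] & b[j2]) ^ (a[j2] & b[j1])
    return a, b, c


def multi_transformation_holds(n):
    """Exhaustive check for n-bit chi': every (a, b, c) is recovered from its low bits."""
    for v in range(1 << (3 * n)):
        w = bits(v, 3 * n)
        a, b, c = w[:n], w[n:2 * n], w[2 * n:]
        A, B, C = chi_prime(a, b, c)
        pad = [0] * (n - 2)                      # bits >= 2 deliberately unknown
        if recover_high_bits(a[:2] + pad, b[:2] + pad, c[:2] + pad, A, B, C) != (a, b, c):
            return False
    return True


def guarded_layer_2bit(a, b, c, rb, rc):
    """Guarded chi' layer with 2-bit guards rb, rc: only output bits 0 and 1 are
    masked (A gets both guards, B gets rc, C gets rb, as on slide 14). Output
    guards are bits 0, 1 of the last S-box's c and b input shares (swapped)."""
    A, B, C = [], [], []
    gb, gc = rb, rc
    for ai, bi, ci in zip(a, b, c):
        Sa, Sb, Sc = chi_prime(ai, bi, ci)
        for k in range(2):
            Sa[k] ^= gb[k] ^ gc[k]
            Sb[k] ^= gc[k]
            Sc[k] ^= gb[k]
        A.append(Sa); B.append(Sb); C.append(Sc)
        gb, gc = bi[:2], ci[:2]
    return A, B, C, c[-1][:2], b[-1][:2]


def layer_2bit_correct(n, m, trials=100, seed=1):
    """Recombined outputs equal chi of the recombined inputs (guards cancel)."""
    rng = random.Random(seed)
    vec = lambda k: [rng.randrange(2) for _ in range(k)]
    for _ in range(trials):
        a, b, c = [[vec(n) for _ in range(m)] for _ in range(3)]
        A, B, C, _, _ = guarded_layer_2bit(a, b, c, vec(2), vec(2))
        for i in range(m):
            x = [a[i][k] ^ b[i][k] ^ c[i][k] for k in range(n)]
            if [A[i][k] ^ B[i][k] ^ C[i][k] for k in range(n)] != chi(x):
                return False
    return True


def layer_2bit_is_bijection(n, m):
    """Exhaustive uniformity check on the (3mn + 4)-bit state."""
    width = 3 * m * n + 4
    seen = set()
    for v in range(1 << width):
        w = bits(v, width)
        sh = [w[k * n:(k + 1) * n] for k in range(3 * m)]
        rb, rc = w[3 * m * n:3 * m * n + 2], w[3 * m * n + 2:]
        A, B, C, Rb, Rc = guarded_layer_2bit(sh[:m], sh[m:2 * m], sh[2 * m:], rb, rc)
        key = tuple(sum(A + B + C + [Rb, Rc], []))
        if key in seen:
            return False
        seen.add(key)
    return True


if __name__ == "__main__":
    print("multi-transformation holds for n=5:", multi_transformation_holds(5))
    print("2-bit guards, n=3, one S-box: 13-bit state is a permutation:", layer_2bit_is_bijection(3, 1))
```

Why the 2-bit guards suffice: the guard XORs cancel in the share sum, so the unshared output and hence bits 0 and 1 of $a_i$ are recoverable from $(b_i, c_i)$ bits 0 and 1 alone, after which the property above reconstructs every other share bit from the unmasked outputs.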

SLIDE 17

Generalization for invertible n-bit S-box of degree d

◮ Guards: d shares of n bits
◮ each guard share of S-box i − 1 is added to 2 shares of S-box i
◮ Total cost (worst case)

  • feedforward: 2d XORs per native bit
  • state expansion by d × n bits

◮ Cost is reduced if shared S-box has multi-transformation property

17 / 18

SLIDE 18

Conclusions

◮ Solution for achieving uniformity for invertible S-box layers

  • only d + 1 shares for S-boxes of degree d
  • uniformity achieved outside the S-box

◮ Real-world relevance:

  • sharing χ′ (Keccak) made uniform at little overhead

◮ Academic relevance:

  • non-uniformity problem essentially solved
  • search multi-transformation sharing of low-degree S-boxes

Thanks for your attention!

Q?

18 / 18