constant time this code uses 256 squarings square and
play

Constant-time This code uses 256 squarings, square-and-multiply - PowerPoint PPT Presentation

Dec 14, 2023 •21 likes •381 views

1 2 Constant-time This code uses 256 squarings, square-and-multiply plus 1 extra multiplication for each bit set in e . D. J. Bernstein Problem when e is secret: time University of Illinois at Chicago; leaks number of bits set in e . Ruhr

  1. 1 2 Constant-time This code uses 256 squarings, square-and-multiply plus 1 extra multiplication for each bit set in e . D. J. Bernstein Problem when e is secret: time University of Illinois at Chicago; leaks number of bits set in e . Ruhr University Bochum def pow256bit(x,e): y = 1 for i in reversed(range(256)): y = y*y if 1&(e>>i): y = y*x return y

  2. 1 2 Constant-time This code uses 256 squarings, square-and-multiply plus 1 extra multiplication for each bit set in e . D. J. Bernstein Problem when e is secret: time University of Illinois at Chicago; leaks number of bits set in e . Ruhr University Bochum “I’ll choose secret 256-bit e with exactly 128 bits set. There are def pow256bit(x,e): enough of these e , and then y = 1 there are no more leaks.” for i in reversed(range(256)): y = y*y if 1&(e>>i): y = y*x return y

  3. 1 2 Constant-time This code uses 256 squarings, square-and-multiply plus 1 extra multiplication for each bit set in e . D. J. Bernstein Problem when e is secret: time University of Illinois at Chicago; leaks number of bits set in e . Ruhr University Bochum “I’ll choose secret 256-bit e with exactly 128 bits set. There are def pow256bit(x,e): enough of these e , and then y = 1 there are no more leaks.” for i in reversed(range(256)): y = y*y — Time still depends on e , if 1&(e>>i): even if each multiplication y = y*x takes time independent of inputs. return y

  4. 1 2 Constant-time This code uses 256 squarings, Hardware re-and-multiply plus 1 extra multiplication is inherently for each bit set in e . Bernstein CPU designers Problem when e is secret: time University of Illinois at Chicago; leaks number of bits set in e . University Bochum “I’ll choose secret 256-bit e with exactly 128 bits set. There are pow256bit(x,e): enough of these e , and then there are no more leaks.” in reversed(range(256)): y*y — Time still depends on e , 1&(e>>i): even if each multiplication = y*x takes time independent of inputs. return y

  5. 1 2 This code uses 256 squarings, Hardware reality: Accessing re-and-multiply plus 1 extra multiplication is inherently expensive for each bit set in e . CPU designers try Problem when e is secret: time Illinois at Chicago; leaks number of bits set in e . Bochum “I’ll choose secret 256-bit e with exactly 128 bits set. There are pow256bit(x,e): enough of these e , and then there are no more leaks.” reversed(range(256)): — Time still depends on e , even if each multiplication takes time independent of inputs.

  6. 1 2 This code uses 256 squarings, Hardware reality: Accessing plus 1 extra multiplication is inherently expensive. for each bit set in e . CPU designers try to reduce Problem when e is secret: time Chicago; leaks number of bits set in e . “I’ll choose secret 256-bit e with exactly 128 bits set. There are enough of these e , and then there are no more leaks.” reversed(range(256)): — Time still depends on e , even if each multiplication takes time independent of inputs.

  7. 2 3 This code uses 256 squarings, Hardware reality: Accessing RAM plus 1 extra multiplication is inherently expensive. for each bit set in e . CPU designers try to reduce cost. Problem when e is secret: time leaks number of bits set in e . “I’ll choose secret 256-bit e with exactly 128 bits set. There are enough of these e , and then there are no more leaks.” — Time still depends on e , even if each multiplication takes time independent of inputs.

  8. 2 3 This code uses 256 squarings, Hardware reality: Accessing RAM plus 1 extra multiplication is inherently expensive. for each bit set in e . CPU designers try to reduce cost. Problem when e is secret: time Example: “L1 cache” typically leaks number of bits set in e . has 32KB of recently used data. “I’ll choose secret 256-bit e with This cache inspects RAM exactly 128 bits set. There are addresses, performs various enough of these e , and then computations on addresses there are no more leaks.” to try to save time. — Time still depends on e , even if each multiplication takes time independent of inputs.

  9. 2 3 This code uses 256 squarings, Hardware reality: Accessing RAM plus 1 extra multiplication is inherently expensive. for each bit set in e . CPU designers try to reduce cost. Problem when e is secret: time Example: “L1 cache” typically leaks number of bits set in e . has 32KB of recently used data. “I’ll choose secret 256-bit e with This cache inspects RAM exactly 128 bits set. There are addresses, performs various enough of these e , and then computations on addresses there are no more leaks.” to try to save time. — Time still depends on e , : : : so time is a function of RAM even if each multiplication addresses. Avoid all data flow takes time independent of inputs. from secrets to RAM addresses.

  10. 2 3 code uses 256 squarings, Hardware reality: Accessing RAM Example: extra multiplication is inherently expensive. from secrets h bit set in e . CPU designers try to reduce cost. Often describ Problem when e is secret: time for softw Example: “L1 cache” typically number of bits set in e . the same has 32KB of recently used data. choose secret 256-bit e with This cache inspects RAM exactly 128 bits set. There are addresses, performs various enough of these e , and then computations on addresses are no more leaks.” to try to save time. Time still depends on e , : : : so time is a function of RAM if each multiplication addresses. Avoid all data flow time independent of inputs. from secrets to RAM addresses.

  11. 2 3 256 squarings, Hardware reality: Accessing RAM Example: Avoid all multiplication is inherently expensive. from secrets to branch in e . CPU designers try to reduce cost. Often described as is secret: time for software, but comes Example: “L1 cache” typically bits set in e . the same hardware has 32KB of recently used data. cret 256-bit e with This cache inspects RAM set. There are addresses, performs various e , and then computations on addresses re leaks.” to try to save time. depends on e , : : : so time is a function of RAM multiplication addresses. Avoid all data flow endent of inputs. from secrets to RAM addresses.

  12. 2 3 rings, Hardware reality: Accessing RAM Example: Avoid all data flow is inherently expensive. from secrets to branch condi CPU designers try to reduce cost. Often described as a separate time for software, but comes from Example: “L1 cache” typically e . the same hardware reality. has 32KB of recently used data. e with This cache inspects RAM There are addresses, performs various then computations on addresses to try to save time. , : : : so time is a function of RAM addresses. Avoid all data flow inputs. from secrets to RAM addresses.

  13. 3 4 Hardware reality: Accessing RAM Example: Avoid all data flow is inherently expensive. from secrets to branch conditions. CPU designers try to reduce cost. Often described as a separate rule for software, but comes from Example: “L1 cache” typically the same hardware reality. has 32KB of recently used data. This cache inspects RAM addresses, performs various computations on addresses to try to save time. : : : so time is a function of RAM addresses. Avoid all data flow from secrets to RAM addresses.

  14. 3 4 Hardware reality: Accessing RAM Example: Avoid all data flow is inherently expensive. from secrets to branch conditions. CPU designers try to reduce cost. Often described as a separate rule for software, but comes from Example: “L1 cache” typically the same hardware reality. has 32KB of recently used data. How CPU runs a program This cache inspects RAM (example of “code = data”): addresses, performs various computations on addresses while True: to try to save time. insn = RAM[state.ip] state = execute(state,insn) : : : so time is a function of RAM addresses. Avoid all data flow ip (“instruction pointer” or from secrets to RAM addresses. “program counter”): address in RAM of next instruction.

  15. 3 4 are reality: Accessing RAM Example: Avoid all data flow Standard inherently expensive. from secrets to branch conditions. to follow Square and designers try to reduce cost. Often described as a separate rule for software, but comes from def pow256bit(x,e): Example: “L1 cache” typically the same hardware reality. y = 1 32KB of recently used data. for i How CPU runs a program cache inspects RAM y = (example of “code = data”): addresses, performs various yx = computations on addresses while True: bit to save time. insn = RAM[state.ip] y = state = execute(state,insn) return time is a function of RAM addresses. Avoid all data flow ip (“instruction pointer” or If bit is secrets to RAM addresses. “program counter”): address an unused in RAM of next instruction.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for public-key cryptography. D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou

746 views • 73 slides
McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for public-key cryptography. (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work

969 views • 94 slides
CSE 127: I ntroduction to Security Lecture 16: Side Channels and Constant-Time Code Nadia

CSE 127: I ntroduction to Security Lecture 16: Side Channels and Constant-Time Code Nadia

CSE 127: I ntroduction to Security Lecture 16: Side Channels and Constant-Time Code Nadia Heninger and Deian Stefan UCSD Fall 2019 Some material from Dan Boneh, Stefan Savage Reminder: Side-channel attacks You saw before how timing

1.37k views • 81 slides
Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic Execution Supervisors: Author: Lesly-Ann Daniel Sbastien Bardin CEA LIST CEA LIST Tamara Rezk Oct 2018 - Oct 2021 INRIA Sophia Antipolis

777 views • 38 slides
McBits: fast constant-time code-based cryptography Tung Chou Technische Universiteit Eindhoven,

McBits: fast constant-time code-based cryptography Tung Chou Technische Universiteit Eindhoven,

McBits: fast constant-time code-based cryptography Tung Chou Technische Universiteit Eindhoven, The Netherlands October 13, 2015 Joint work with Daniel J. Bernstein and Peter Schwabe Outline Summary of Our Work Background Main

439 views • 32 slides
Constant-time programming in FaCT What is FaCT? Domain specific language for writing

Constant-time programming in FaCT What is FaCT? Domain specific language for writing

Constant-time programming in FaCT What is FaCT? Domain specific language for writing constant-time code Whats the difference between a DSL and a general- purpose language? How do you use FaCT? Write your program in C Write your

420 views • 38 slides
Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic Execution Lesly-Ann Daniel Sbastien Bardin Tamara Rezk CEA LIST, France CEA LIST, France INRIA, France IEEE Symposium on Security and Privacy May

464 views • 25 slides
McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven Peter

823 views • 46 slides
McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven Peter

625 views • 41 slides
McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven Peter

643 views • 52 slides
McBits: fast constant-time code-based cryptography D. J. Bernstein University of Illinois at

McBits: fast constant-time code-based cryptography D. J. Bernstein University of Illinois at

McBits: fast constant-time code-based cryptography D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven Peter Schwabe Radboud University

902 views • 43 slides
+ - Can be constant or time varying +/- indicates polarity Current Source Can be

+ - Can be constant or time varying +/- indicates polarity Current Source Can be

Review of Circuit Analysis Common Symbols Independent Sources Battery Constant voltage DC voltage source Voltage Source + - Can be constant or time varying +/- indicates polarity Current Source Can be constant or time

388 views • 14 slides
1 of 30 Once Upon a Time... Constant diffusion: J = - D u u

1 of 30 Once Upon a Time... Constant diffusion: J = - D u u

1 of 30 Once Upon a Time... Constant diffusion: J = - D u u t = - J = D D u But is this truly realistic??? 2 of 30 Problems With Constant Diffusion Any initial

458 views • 32 slides
QcBits: constant-time small-key code-based cryptography Tung Chou Technische Universiteit

QcBits: constant-time small-key code-based cryptography Tung Chou Technische Universiteit

QcBits: constant-time small-key code-based cryptography Tung Chou Technische Universiteit Eindhoven, The Netherlands Coding theory 2 Coding theory Linear codes 2 Coding theory Linear codes a linear subspace in F N 2 2 Coding theory

1k views • 77 slides
Generating k -independent variables in constant time Tobias Christiani, Rasmus Pagh IT

Generating k -independent variables in constant time Tobias Christiani, Rasmus Pagh IT

Generating k -independent variables in constant time Tobias Christiani, Rasmus Pagh IT University of Copenhagen Generating k -independent variables in constant time 1 Introduction Random seed 11010100 01101101 Generator Pseudorandom output

1k views • 85 slides
1 Dead Code Elimination for SSA Constant Propagation Dead code elimination Goal while a

1 Dead Code Elimination for SSA Constant Propagation Dead code elimination Goal while a

Using Static Single Assignment Form Variable Renaming (cont) Last Time Data Structures Constructing SSA form Stacks[v] v Holds the subscript of most recent definition of variable v, initially empty Counters[v] v Today

224 views • 5 slides
Mathematical Knowledge for Teaching: FoM and IME Conference Notes of Summary by Wayne Harvey I

Mathematical Knowledge for Teaching: FoM and IME Conference Notes of Summary by Wayne Harvey I

Mathematical Knowledge for Teaching: FoM and IME Conference Notes of Summary by Wayne Harvey I want to Poke you a bit. During this session, ask yourself, What might I do in addition to business as usual. Its been a very engaging 2+

223 views • 5 slides
Lower Bounds Best-, Average-, and Worst-Case Time Complexity Ex. Insertion sort

Lower Bounds Best-, Average-, and Worst-Case Time Complexity Ex. Insertion sort

Lower Bounds Best-, Average-, and Worst-Case Time Complexity Ex. Insertion sort of x 1 , x 2 , , x n . For i = 2, 3, , n , insert x i into x 1 , x 2 , , x i 1 such that these i data items are sorted.

509 views • 31 slides
The need for efcient coding I OP TIMIZ IN G P YTH ON CODE W ITH PAN DAS Leonidas Souliotis

The need for efcient coding I OP TIMIZ IN G P YTH ON CODE W ITH PAN DAS Leonidas Souliotis

The need for efcient coding I OP TIMIZ IN G P YTH ON CODE W ITH PAN DAS Leonidas Souliotis PhD Researcher How do we measure time? time.time() : returns current time in seconds since 12:00am, January 1, 1970 import time # record time

346 views • 17 slides
Cyber@UC Meeting 81 Intel Management Engine and Other Coprocessors If Youre New! Join our

Cyber@UC Meeting 81 Intel Management Engine and Other Coprocessors If Youre New! Join our

Cyber@UC Meeting 81 Intel Management Engine and Other Coprocessors If Youre New! Join our Slack: cyberatuc.slack.com Check out our website: cyberatuc.org SIGN IN! (Slackbot will post the link in #general every Wed@6:30)

168 views • 14 slides
CS 10: Problem solving via Object Oriented Programming Winter

CS 10: Problem solving via Object Oriented Programming Winter

CS 10: Problem solving via Object Oriented Programming Winter 2017 Tim Pierson 260 (255) Sudikoff Day 7 Lists Part 2 Agenda 1. Growing

441 views • 28 slides
Realizing effective non-Hermitian time evolution with superconducting circuits Conference on

Realizing effective non-Hermitian time evolution with superconducting circuits Conference on

Realizing effective non-Hermitian time evolution with superconducting circuits Conference on Quantum Measurement: Fundamentals, Twists, and Applications ICTP 2019 Kater Murch Department of Physics, Washington University in St. Louis Students:

712 views • 33 slides
and Impedance Peeling High Speed Interconnect Analyzer April-2020 Giuseppe Leccia Business

and Impedance Peeling High Speed Interconnect Analyzer April-2020 Giuseppe Leccia Business

WavePulser 40iX Time-Domain Techniques for De-embedding and Impedance Peeling High Speed Interconnect Analyzer April-2020 Giuseppe Leccia Business Development Manager WavePulser 40iX: Testing in frequency and time domain Frequency Domain

441 views • 12 slides
Linux kernel synchronization Don Porter CSE 506 Logical Diagram Binary Memory Threads

Linux kernel synchronization Don Porter CSE 506 Logical Diagram Binary Memory Threads

Linux kernel synchronization Don Porter CSE 506 Logical Diagram Binary Memory Threads Formats Allocators User Todays Lecture System Calls Synchronization Kernel in the kernel RCU File System Networking Sync Memory CPU Device

864 views • 42 slides

More recommend