high order masking of look up tables with common shares
play

High Order Masking of Look-up Tables with Common Shares J-S.Coron, - PowerPoint PPT Presentation

Feb 08, 2024 •38 likes •388 views

High Order Masking of Look-up Tables with Common Shares J-S.Coron, F.Rondepierre, R.Zeitoun 12th September 2018 Outline Outline 1 Introduction 1st Order Solution Higher Order Masking of Look-Up Tables 2 Higher Order: Optimizations 12th

  1. High Order Masking of Look-up Tables with Common Shares J-S.Coron, F.Rondepierre, R.Zeitoun 12th September 2018

  2. Outline Outline 1 Introduction 1st Order Solution Higher Order Masking of Look-Up Tables 2 Higher Order: Optimizations 12th September 2018 3 Conclusion 2

  3. Table of Contents Introduction 1 Introduction 1st Order Solution Higher Order Masking of Look-Up Tables 2 Higher Order: Optimizations 12th September 2018 3 Conclusion 3

  4. SCA Countermeasure Introduction Sharing Principle • Given a sensitive data x • Given t random values x 1 , . . . , x t • Let x 0 be such that: t � x = x i i =0 12th September 2018 • ( x 0 , . . . , x t ) is a sharing of x secure at order t 4

  5. SBox Evaluation Introduction The problematic • Given sensitive data x • Given a known table S • How to compute securely : x �→ S ( x ) 12th September 2018 5

  6. SBox Evaluation Introduction The problematic • Given sensitive data x • Given a known table S • How to compute securely for ℓ evaluations: x ( ℓ ) �→ S ( x ( ℓ ) ) 12th September 2018 5

  7. 1st Order Introduction Secure at 1st Order The ℓ -th evaluation of S is: x ( ℓ ) = ( x ( ℓ ) 0 , m ) �→ S ( x ( ℓ ) ) = ( y ( ℓ ) 0 , m ) 12th September 2018 6

  8. 1st Order Introduction Masked SBox Construction   S (0 ⊕ m ) ⊕ m   .   . T = . S ((2 k − 1) ⊕ m ) ⊕ m     Masked SBox Evaluation 12th September 2018 S ( x ) = ( T ( x 0 ) , m ) 7

  9. Higher Order Introduction Secure at Higher Order (Coron EUROCRYPT’14) The ℓ -th evaluation of S is: x ( ℓ ) = ( x ( ℓ ) 0 , x ( ℓ ) 1 , . . . , x ( ℓ ) 2 t ) �→ S ( x ( ℓ ) ) = ( y ( ℓ ) 0 , y ( ℓ ) 1 , . . . , y ( ℓ ) 2 t ) 12th September 2018 8

  10. Higher Order Introduction Example at 3rd Order x = 2 = (0 , 1 , 1 , 2)   S (0) 0 0 0     S (1) 0 0 0   S (2) 0 0 0     S (3) 0 0 0   12th September 2018 9

  11. Higher Order Introduction Example at 3rd Order x = 2 = (0 , 1 , 1 , 2 )   S (2) 0 0 0     S (3) 0 0 0   S (0) 0 0 0     S (1) 0 0 0   12th September 2018 9

  12. Higher Order Introduction Example at 3rd Order x = 2 = (0 , 1 , 1 , 2)   S (2) ⊕ 3 1 2 0     S (3) ⊕ 1 0 0 1   S (0) ⊕ 0 2 3 1     S (1) ⊕ 0 0 0 0   12th September 2018 9

  13. Higher Order Introduction Example at 3rd Order x = 2 = (0 , 1 , 1 , 2)     S (2) ⊕ 3 1 2 0 S (3) ⊕ 1 0 0 1         S (3) ⊕ 1 0 0 1 S (2) ⊕ 3 1 2 0     = ⇒ S (0) ⊕ 0 2 3 1 S (1) ⊕ 0 0 0 0         S (1) ⊕ 0 0 0 0 S (0) ⊕ 0 2 3 1     12th September 2018 9

  14. Higher Order Introduction Example at 3rd Order x = 2 = (0 , 1 , 1 , 2)   S (3) ⊕ 1 1 2 2     S (2) ⊕ 1 0 2 3   S (1) ⊕ 3 2 1 0     S (0) ⊕ 0 1 0 1   12th September 2018 9

  15. Higher Order Introduction Example at 3rd Order x = 2 = (0 , 1 , 1 , 2)   S (2) ⊕ 1 0 2 3     S (3) ⊕ 1 1 2 2   S (0) ⊕ 0 1 0 1     S (1) ⊕ 3 2 1 0   12th September 2018 9

  16. Higher Order Introduction Example at 3rd Order x = 2 = (0 , 1 , 1 , 2)   S (2) ⊕ 2 2 2 2     S (3) ⊕ 1 1 2 2   S (0) ⊕ 1 1 1 1     S (1) ⊕ 3 3 3 3   12th September 2018 9

  17. Higher Order Introduction Example at 3rd Order x = 2 = ( 0 , 1 , 1 , 2) S (2) ⊕ 2 2 2 2 12th September 2018 9

  18. Higher Order Introduction Example at 3rd Order x = 2 = (0 , 1 , 1 , 2) S (2) ⊕ 0 1 2 3 12th September 2018 9

  19. Higher Order Introduction Masked SBox Construction (Coron EUROCRYPT’14)  sharing of S (0)    . T (0) =   . . sharing of S (2 k − 1)     12th September 2018 10

  20. Higher Order Introduction Masked SBox Construction (Coron EUROCRYPT’14) new sharing of T (0) (0 ⊕ x 2t )     T (1) = .   . .  new sharing of T (0) ((2 k − 1) ⊕ x 2t )    12th September 2018 10

  21. Higher Order Introduction Masked SBox Construction (Coron EUROCRYPT’14) new sharing of T (1) (0 ⊕ x 2t − 1 )     T (2) = .   . .  new sharing of T (1) ((2 k − 1) ⊕ x 2t − 1 )    12th September 2018 10

  22. Higher Order Introduction Masked SBox Construction (Coron EUROCRYPT’14) new sharing of T (2 t − 1) (0 ⊕ x 1 )     T (2 t ) = .   . .  new sharing of T (2 t − 1) ((2 k − 1) ⊕ x 1 )    12th September 2018 10

  23. Higher Order Introduction Masked SBox Construction (Coron EUROCRYPT’14) new sharing of T (2 t − 1) (0 ⊕ x 1 )     T (2 t ) = .   . .  new sharing of T (2 t − 1) ((2 k − 1) ⊕ x 1 )    Masked SBox Evaluation 12th September 2018 S ( x ) = new sharing of T ( t ) ( x 0 ) 10

  24. Table of Contents Higher Order: Optimizations 1 Introduction 1st Order Solution Higher Order Masking of Look-Up Tables 2 Higher Order: Optimizations 12th September 2018 3 Conclusion 11

  25. Contributions Higher Order: Optimizations Our Contributions • Security proof at order t with n = t + 1 shares instead of n = 2 t + 1 shares (t-sni formalism) • Saves a factor 4 (running time) • A variant with increasing number of output shares • Saves a factor 2 (running time) • Adapt the common shares technique for multiple SBox evaluations • Saves a factor 2 (running time) 12th September 2018 12

  26. Common Shares Higher Order: Optimizations Common Shares (CGPZ CHES16) Two values a and b may be securely shared such that at most half of the shares are common: ( a 0 , . . . , a t 2 , m 0 , . . . m t − 1 2 ) ( b 0 , . . . , b t 2 , m 0 , . . . m t − 1 2 ) 12th September 2018 13

  27. Look-Up Tables with Common Shares Higher Order: Optimizations Secure at Higher Order The ℓ -th evaluation of S is: ( x ( ℓ ) 0 , x ( ℓ ) 1 , . . . , x ( ℓ ) 2 ) �→ S ( x ( ℓ ) ) = ( y ( ℓ ) 0 , y ( ℓ ) 1 , . . . , y ( ℓ ) ) 2 , m 0 , . . . , m t − 1 t t 12th September 2018 14

  28. Look-Up Tables with Common Shares Masked SBox Construction (Common Table) Higher Order: Optimizations  sharing of S (0)    . T (0) =   . . sharing of S (2 k − 1)     12th September 2018 15

  29. Look-Up Tables with Common Shares Masked SBox Construction (Common Table) Higher Order: Optimizations new sharing of T (0) (0 ⊕ m 0 )     T (1) = .   . .  new sharing of T (0) ((2 k − 1) ⊕ m 0 )    12th September 2018 15

  30. Look-Up Tables with Common Shares Masked SBox Construction (Common Table) Higher Order: Optimizations new sharing of T (1) (0 ⊕ m 1 )     T (2) = .   . .  new sharing of T (1) ((2 k − 1) ⊕ m 1 )    12th September 2018 15

  31. Look-Up Tables with Common Shares Masked SBox Construction (Common Table) Higher Order: Optimizations new sharing of T ( t − 1  2 ) (0 ⊕ m t − 1  2 )     2 ) =  .  T ( t +1 . .  new sharing of T ( t − 1  2 ) ((2 k − 1) ⊕ m t − 1   2 )   12th September 2018 15

  32. Look-Up Tables with Common Shares Masked SBox Construction (Common Table) Higher Order: Optimizations new sharing of T ( t − 1  2 ) (0 ⊕ m t − 1  2 )     2 ) =  .  T ( t +1 . .  new sharing of T ( t − 1  2 ) ((2 k − 1) ⊕ m t − 1   2 )   Masked SBox Evaluation 2 ) , . . . T ( t ) using shares x 1 , . . . , x t 1 Compute tables T ( t +3 12th September 2018 2 2 Evaluate using table T ( t ) : S ( x ) = new sharing of T ( t ) ( x 0 ) 15

  33. Performances AES Higher Order: Optimizations SBox Implementation 2 3 6 [RP10] 119 185 485 [Cor14] 2104 4413 17136 All optimizations 463 771 2767 Table: Software AES implementation, in thousand of clock cycles DES 12th September 2018 SBox Implementation 2 3 6 [CGP+12]+[CRV14] 219 290 602 [Cor14] 491 907 3075 All optimizations 203 308 764 Table: Software DES implementation, in thousand of clock cycles 16

  34. Table of Contents Conclusion 1 Introduction 1st Order Solution Higher Order Masking of Look-Up Tables 2 Higher Order: Optimizations 12th September 2018 3 Conclusion 17

  35. Conclusion Conclusion Conclusion • Generalization of SBox recomputation, proven secure at any order • Reduce the running time of common table by a factor of 2 • Reduce the running time by a factor of 8 (from Coron’14) • Remaining task: build a proof to generalize common shares in outputs ( x ( ℓ ) 0 , x ( ℓ ) 1 , . . . , x ( ℓ ) 2 ) �→ S ( x ( ℓ ) ) = ( y ( ℓ ) 0 , y ( ℓ ) 1 , . . . , y ( ℓ ) 2 ) 2 , m 0 , . . . , m t − 1 2 , m 0 , . . . , m t − 1 t t 12th September 2018 • Correct solution for generic small SBox (e.g. DES) 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and Franois-Xavier Standaert UCL (Louvain-la-Neuve, Belgium) CHES 2017, Taipei, Taiwan Outline Background Masking Barthe et al. masking

614 views • 48 slides
On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun Goudarzi and Matthieu Rivain CHES 2016, Santa-Barbara Higher-Order Masking x = x 1 + x 2 + + x d 2/28 Higher-Order Masking x = x 1 + x 2 +

855 views • 42 slides
Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1 ebastien Coron 2

Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1 ebastien Coron 2

Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1 ebastien Coron 2 Rina Zeitoun 1 Jean-S 1 IDEMIA, France 2 University of Luxembourg CHES 2018 Side-channel Attacks Differential Power Analysis [KJJ99] Group by

620 views • 47 slides
Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan)

Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan)

Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan) 2017-09-29 1 quick intro to masking masking = countermeasure against DPA idea: secret sharing b = b 1 + b 2 individual shares tell you nothing

752 views • 45 slides
Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Introduction RSM: Rotating Sboxes Masking Information Theoretic Evaluation of RSM Security Evaluation of RSM against CPA and 2O-CPA Conclusions and Perspectives Formal Analysis of the Entropy / Security Trade-off in First-Order Masking

539 views • 38 slides
Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

8 + Introduction Higher Order Masking Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved Scheme Experimental Results J.-S. Coron 1 E. Prouff 2 M. Rivain 1 , 2 Conclusion 1 University of

555 views • 43 slides
Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts

Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts

Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts Oberthur CHES 2010, Santa Barbara, Aug. 20 th CHES 2010 Provably Secure Higher-Order Masking of AES Outline 1 Introduction Higher-Order

1.1k views • 77 slides
Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint work with C. Carlet, L. Goubin,

Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint work with C. Carlet, L. Goubin,

Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint work with C. Carlet, L. Goubin, E. Prouff and M. Quisquater FSE 2012 Washington DC, 21st March 2012 Higher-Order Masking Schemes for S-boxes Outline 1 Introduction 2

1.33k views • 98 slides
February 2017 Corporate Summary Capital Structure TSX Venture HME Common Shares Outstanding

February 2017 Corporate Summary Capital Structure TSX Venture HME Common Shares Outstanding

February 2017 Corporate Summary Capital Structure TSX Venture HME Common Shares Outstanding 85.7 MM Share Price (Feb 10, 2017) $0.30 Fully Diluted Shares Outstanding 90.1 MM 52 Week High / Low $0.305 / $0.07 Insider Ownership (fully

209 views • 20 slides
How to mask S-Boxes of a block cipher against side channel attacks. Focus on the AES. Micha el

How to mask S-Boxes of a block cipher against side channel attacks. Focus on the AES. Micha el

Introduction Masking based on Look-up tables How to mask (additively) basic operations? Method based on multiplicative masking Method based on Square and Multiply and addition chains Method based on the tower field representation

824 views • 54 slides
May 2016 Corporate Summary Capital Structure TSX Venture HME Common Shares Outstanding 75.9

May 2016 Corporate Summary Capital Structure TSX Venture HME Common Shares Outstanding 75.9

May 2016 Corporate Summary Capital Structure TSX Venture HME Common Shares Outstanding 75.9 MM Fully Diluted Shares Outstanding 80.9 MM Share Price (May 13, 2016) $0.18 Insider Ownership (fully diluted) 12% 52 Week High / Low $0.33 /

632 views • 23 slides
Masking TablesAn Underestimated Security Risk Michael Tunstall Carolyn Whitnall Elisabeth

Masking TablesAn Underestimated Security Risk Michael Tunstall Carolyn Whitnall Elisabeth

Masking TablesAn Underestimated Security Risk Michael Tunstall Carolyn Whitnall Elisabeth Oswald March, 2013 Michael Tunstall (University of Bristol) Masking Tables March, 2013 1 / 21 Introduction Differential Power Analysis exploits

249 views • 21 slides
Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software

Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software

The signature The countermeasure and its proof Performances Future work Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software Institute) Sonia Belad (CryptoExperts) Thomas Espitau (UPMC) Pierre-Alain

1.04k views • 51 slides
How Fast Can Higher-Order Masking Be in Software? Dahmun Goudarzi and Matthieu Rivain EUROCRYPT

How Fast Can Higher-Order Masking Be in Software? Dahmun Goudarzi and Matthieu Rivain EUROCRYPT

How Fast Can Higher-Order Masking Be in Software? Dahmun Goudarzi and Matthieu Rivain EUROCRYPT 2017, Paris 1 Introduction 2 Field Multiplications 3 Non-Linear Operations 4 Generic Polynomial Methods 5 Polynomial Methods for

873 views • 51 slides
by any person(s) Prima facie evidence A certificate issued of the title of the under common

by any person(s) Prima facie evidence A certificate issued of the title of the under common

Specifies shares held by any person(s) Prima facie evidence A certificate issued of the title of the under common seal person(s) to such of the Company shares Where the shares are held in depository form, the record of What is share

526 views • 8 slides
Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on

Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on

Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on the spatial attribute type. Proposal part 2 Details of the masking attribute addition. Table 3-13 - S100_GF_SpatialAttributeType Role Name

558 views • 8 slides
Big Data on Small Machines Guy Blelloch with: Aapo Kyrola,

Big Data on Small Machines Guy Blelloch with: Aapo Kyrola,

Big Data on Small Machines Guy Blelloch with: Aapo Kyrola, Julian Shun 6/6/13 BDA 2013 1 QuesDon There has been a lot of emphasis on

520 views • 48 slides
Diagonals of rational functions Main Conference of Chaire J. Morlet Artin approximation and

Diagonals of rational functions Main Conference of Chaire J. Morlet Artin approximation and

Diagonals of rational functions Main Conference of Chaire J. Morlet Artin approximation and infinite dimensional geometry 27 mars 2015 Pierre Lairez TU Berlin . . . . . .. . . . . . . .. . . . . . . .. . . . . . . .. . . .. . . .

502 views • 32 slides
Divide and Couple: Using Monte Carlo Variational Objectives for Posterior Approximation Justin

Divide and Couple: Using Monte Carlo Variational Objectives for Posterior Approximation Justin

Divide and Couple: Using Monte Carlo Variational Objectives for Posterior Approximation Justin Domke and Daniel Sheldon University of Massachusetts Amherst Overview Variational inference gives both a lower-bound on the log-likelihood and an

331 views • 21 slides
A PRIMER ON ARTIFICIAL INTELLIGENCE EXPERT SYSTEMS IN THE PETROLEUM INDUSTRY BY E.R.CRAIN, P.

A PRIMER ON ARTIFICIAL INTELLIGENCE EXPERT SYSTEMS IN THE PETROLEUM INDUSTRY BY E.R.CRAIN, P.

A PRIMER ON ARTIFICIAL INTELLIGENCE EXPERT SYSTEMS IN THE PETROLEUM INDUSTRY BY E.R.CRAIN, P. ENG. D&S PETROPHYSICAL, A DIVISION OF D&S PETROLEUM CONSULTING GROUP LTD. CALGARY, ALBERTA THE INFERENCE ENGINE THE RULE INTERPRETER, OR

518 views • 28 slides
Using Online Ac,vity as Digital Fingerprints to Create a

Using Online Ac,vity as Digital Fingerprints to Create a

Using Online Ac,vity as Digital Fingerprints to Create a Be8er Spear Phisher Joaquim Espinhara & Ulisses Albuquerque JEspinhara@trustwave.com

467 views • 31 slides
Designing and Implementing an Emergency HOME TBRA Program Part 3: Office Hours June 24, 2020 1

Designing and Implementing an Emergency HOME TBRA Program Part 3: Office Hours June 24, 2020 1

Designing and Implementing an Emergency HOME TBRA Program Part 3: Office Hours June 24, 2020 1 Welcome & Introductions Sponsored by HUDs Office of Affordable Housi ng Programs Presenters Stephen Lathom, Sr.

403 views • 27 slides
Overview Multidimensional Databases Cubes: Dimensions, Facts, Measures OLAP queries

Overview Multidimensional Databases Cubes: Dimensions, Facts, Measures OLAP queries

Overview Multidimensional Databases Cubes: Dimensions, Facts, Measures OLAP queries Relational design Redundancy Strengths and weaknesses of the multidimensional model Original slides were written by Torben Bach Pedersen

284 views • 10 slides
Chapter 6 Decoding Statistical Machine Translation Decoding We have a mathematical model for

Chapter 6 Decoding Statistical Machine Translation Decoding We have a mathematical model for

Chapter 6 Decoding Statistical Machine Translation Decoding We have a mathematical model for translation p ( e | f ) Task of decoding: find the translation e best with highest probability e best = argmax e p ( e | f ) Two types of

571 views • 34 slides

More recommend