higher order masking schemes for s boxes
play

Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint - PowerPoint PPT Presentation

Nov 16, 2023 •346 likes •1.33k views

Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint work with C. Carlet, L. Goubin, E. Prouff and M. Quisquater FSE 2012 Washington DC, 21st March 2012 Higher-Order Masking Schemes for S-boxes Outline 1 Introduction 2

  1. Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint work with C. Carlet, L. Goubin, E. Prouff and M. Quisquater FSE 2012 Washington DC, 21st March 2012 Higher-Order Masking Schemes for S-boxes

  2. Outline 1 � Introduction 2 � Higher-Order Masking of any S-box � General Method � Optimal Masking of Power Functions � Efficient Heuristics for Random S-Boxes 3 � Implementation Results 4 � Open Issues Higher-Order Masking Schemes for S-boxes

  3. Higher-Order Masking � Countermeasure to side-channel attacks Higher-Order Masking Schemes for S-boxes

  4. Higher-Order Masking � Countermeasure to side-channel attacks � Every key-dependent variable x is shared into d + 1 variables: x = x 0 + x 1 + · · · + x d Higher-Order Masking Schemes for S-boxes

  5. Higher-Order Masking � Countermeasure to side-channel attacks � Every key-dependent variable x is shared into d + 1 variables: x = x 0 + x 1 + · · · + x d � In this work, + is the bitwise addition Higher-Order Masking Schemes for S-boxes

  6. Higher-Order Masking � Countermeasure to side-channel attacks � Every key-dependent variable x is shared into d + 1 variables: x = x 0 + x 1 + · · · + x d � In this work, + is the bitwise addition � Attack complexity increases exponentially with d Higher-Order Masking Schemes for S-boxes

  7. Higher-Order Masking Schemes � Consider a block cipher: c ← E( m, k ) Higher-Order Masking Schemes for S-boxes

  8. Higher-Order Masking Schemes � Consider a block cipher: c ← E( m, k ) � A d th-order masking scheme for E is an algorithm: ( c 0 , c 1 , . . . , c d ) ← E ′ � � ( m 0 , m 1 , . . . , m d ) , ( k 0 , k 1 , . . . , k d ) Higher-Order Masking Schemes for S-boxes

  9. Higher-Order Masking Schemes � Consider a block cipher: c ← E( m, k ) � A d th-order masking scheme for E is an algorithm: ( c 0 , c 1 , . . . , c d ) ← E ′ � � ( m 0 , m 1 , . . . , m d ) , ( k 0 , k 1 , . . . , k d ) � d th-order security : ∀ ( iv 1 , iv 2 , . . . , iv d ) ∈ { intermediate var. of E ′ } d : � � MI ( iv 1 , iv 2 , . . . , iv d ) , ( m, k ) = 0 Higher-Order Masking Schemes for S-boxes

  10. Higher-Order Masking Schemes � Consider a block cipher: c ← E( m, k ) � A d th-order masking scheme for E is an algorithm: ( c 0 , c 1 , . . . , c d ) ← E ′ � � ( m 0 , m 1 , . . . , m d ) , ( k 0 , k 1 , . . . , k d ) � d th-order security : ∀ ( iv 1 , iv 2 , . . . , iv d ) ∈ { intermediate var. of E ′ } d : � � MI ( iv 1 , iv 2 , . . . , iv d ) , ( m, k ) = 0 � The main issue is masking the S-box Higher-Order Masking Schemes for S-boxes

  11. Literature � Software masking schemes: d = 1 d = 2 any d AES Many works x [RP10,KHL11,GPQ11] any s-box Many works [SP06,RDP08] This work [SP06] = [Schramm-Paar CT-RSA’06] [RPD08] = [Rivain-Dottax-Prouff FSE’08] [RP10] = [Rivain-Prouff CHES’10] [KHL11] = [Kim-Hong-Lim CHES’11] [GPQ11] = [Genelle-Prouff-Quisquater CHES’11] Higher-Order Masking Schemes for S-boxes

  12. Literature � Software masking schemes: d = 1 d = 2 any d AES Many works x [RP10,KHL11,GPQ11] any s-box Many works [SP06,RDP08] This work [SP06] = [Schramm-Paar CT-RSA’06] [RPD08] = [Rivain-Dottax-Prouff FSE’08] [RP10] = [Rivain-Prouff CHES’10] [KHL11] = [Kim-Hong-Lim CHES’11] [GPQ11] = [Genelle-Prouff-Quisquater CHES’11] � Hardware masking schemes: ◮ d = 1 ⇒ many works Higher-Order Masking Schemes for S-boxes

  13. Literature � Software masking schemes: d = 1 d = 2 any d AES Many works x [RP10,KHL11,GPQ11] any s-box Many works [SP06,RDP08] This work [SP06] = [Schramm-Paar CT-RSA’06] [RPD08] = [Rivain-Dottax-Prouff FSE’08] [RP10] = [Rivain-Prouff CHES’10] [KHL11] = [Kim-Hong-Lim CHES’11] [GPQ11] = [Genelle-Prouff-Quisquater CHES’11] � Hardware masking schemes: ◮ d = 1 ⇒ many works ◮ [Ishai-Sahai-Wagner CRYPTO’03] � any circuit, any order d Higher-Order Masking Schemes for S-boxes

  14. Literature � Software masking schemes: d = 1 d = 2 any d AES Many works x [RP10,KHL11,GPQ11] any s-box Many works [SP06,RDP08] This work [SP06] = [Schramm-Paar CT-RSA’06] [RPD08] = [Rivain-Dottax-Prouff FSE’08] [RP10] = [Rivain-Prouff CHES’10] [KHL11] = [Kim-Hong-Lim CHES’11] [GPQ11] = [Genelle-Prouff-Quisquater CHES’11] � Hardware masking schemes: ◮ d = 1 ⇒ many works ◮ [Ishai-Sahai-Wagner CRYPTO’03] � any circuit, any order d ◮ [Faust et al. EUROCRYPT’10] � generalization to further security models Higher-Order Masking Schemes for S-boxes

  15. Ishai-Sahai-Wagner (ISW) Scheme � Probing model: intermediate variable = wire � Any circuits composed of NOT and AND gates Higher-Order Masking Schemes for S-boxes

  16. Ishai-Sahai-Wagner (ISW) Scheme � Probing model: intermediate variable = wire � Any circuits composed of NOT and AND gates � NOT gate encoding: NOT( x ) = NOT( x 0 ) ⊕ x 1 · · · ⊕ x d Higher-Order Masking Schemes for S-boxes

  17. Ishai-Sahai-Wagner (ISW) Scheme � Probing model: intermediate variable = wire � Any circuits composed of NOT and AND gates � NOT gate encoding: NOT( x ) = NOT( x 0 ) ⊕ x 1 · · · ⊕ x d � AND gate encoding: �� ��� � AND( x, y ) = xy = i x i j y j � � = i,j x i y j = i z i Higher-Order Masking Schemes for S-boxes

  18. Ishai-Sahai-Wagner (ISW) Scheme � Probing model: intermediate variable = wire � Any circuits composed of NOT and AND gates � NOT gate encoding: NOT( x ) = NOT( x 0 ) ⊕ x 1 · · · ⊕ x d � AND gate encoding: �� ��� � AND( x, y ) = xy = i x i j y j � � = i,j x i y j = i z i ◮ ( d + 1) 2 ANDs + 2 d ( d + 1) XORs + d ( d + 1) / 2 random bits Higher-Order Masking Schemes for S-boxes

  19. Application to AES in Software � [Rivain-Prouff CHES 2010] Higher-Order Masking Schemes for S-boxes

  20. Application to AES in Software � [Rivain-Prouff CHES 2010] � AES S-box: S = Exp ◦ Af ◮ Af: affine transformation over GF(2) 8 ◮ Exp : x �→ x 254 over GF(2 8 ) Higher-Order Masking Schemes for S-boxes

  21. Application to AES in Software � [Rivain-Prouff CHES 2010] � AES S-box: S = Exp ◦ Af ◮ Af: affine transformation over GF(2) 8 ◮ Exp : x �→ x 254 over GF(2 8 ) � Masking Af is efficient: Af ( x ) = Af ( x 0 ) + Af ( x 1 ) + · · · + Af ( x d ) (+ 0x63 iff d is odd ) Higher-Order Masking Schemes for S-boxes

  22. Application to AES in Software � [Rivain-Prouff CHES 2010] � AES S-box: S = Exp ◦ Af ◮ Af: affine transformation over GF(2) 8 ◮ Exp : x �→ x 254 over GF(2 8 ) � Masking Af is efficient: Af ( x ) = Af ( x 0 ) + Af ( x 1 ) + · · · + Af ( x d ) (+ 0x63 iff d is odd ) � Masking Exp ◮ masked square: x 2 0 + x 2 1 + · · · + x 2 d = x 2 Higher-Order Masking Schemes for S-boxes

  23. Application to AES in Software � [Rivain-Prouff CHES 2010] � AES S-box: S = Exp ◦ Af ◮ Af: affine transformation over GF(2) 8 ◮ Exp : x �→ x 254 over GF(2 8 ) � Masking Af is efficient: Af ( x ) = Af ( x 0 ) + Af ( x 1 ) + · · · + Af ( x d ) (+ 0x63 iff d is odd ) � Masking Exp ◮ masked square: x 2 0 + x 2 1 + · · · + x 2 d = x 2 ◮ masked multiplications : ISW on GF(2 8 ) Higher-Order Masking Schemes for S-boxes

  24. Application to AES in Software � [Rivain-Prouff CHES 2010] � AES S-box: S = Exp ◦ Af ◮ Af: affine transformation over GF(2) 8 ◮ Exp : x �→ x 254 over GF(2 8 ) � Masking Af is efficient: Af ( x ) = Af ( x 0 ) + Af ( x 1 ) + · · · + Af ( x d ) (+ 0x63 iff d is odd ) � Masking Exp ◮ masked square: x 2 0 + x 2 1 + · · · + x 2 d = x 2 ◮ masked multiplications : ISW on GF(2 8 ) ◮ addition chain for 254 with only 4 multiplications (and 7 squares) Higher-Order Masking Schemes for S-boxes

  25. Outline 1 � Introduction 2 � Higher-Order Masking of any S-box � General Method � Optimal Masking of Power Functions � Efficient Heuristics for Random S-Boxes 3 � Implementation Results 4 � Open Issues Higher-Order Masking Schemes for S-boxes

  26. General Method � Generalization of Rivain-Prouff scheme Higher-Order Masking Schemes for S-boxes

  27. General Method � Generalization of Rivain-Prouff scheme � We consider an s-box S : { 0 , 1 } n → { 0 , 1 } m as a polynomial function over GF(2 n ) : S( x ) = a 0 + a 1 x + a 2 x 2 + · · · + a 2 n − 1 x 2 n − 1 Higher-Order Masking Schemes for S-boxes

  28. General Method � Generalization of Rivain-Prouff scheme � We consider an s-box S : { 0 , 1 } n → { 0 , 1 } m as a polynomial function over GF(2 n ) : S( x ) = a 0 + a 1 x + a 2 x 2 + · · · + a 2 n − 1 x 2 n − 1 � We evaluate this polynomial on the shared input ( x i ) i Higher-Order Masking Schemes for S-boxes

  29. General Method � Four kinds of operations over GF(2 n ) : 1 . additions 2 . scalar multiplications ( i.e. by constants) 3 . squares 4 . regular multiplications Higher-Order Masking Schemes for S-boxes

  30. General Method � Four kinds of operations over GF(2 n ) : 1 . additions 2 . scalar multiplications ( i.e. by constants) 3 . squares 4 . regular multiplications � Masking is efficient for the 3 first kinds Higher-Order Masking Schemes for S-boxes

  31. General Method � Four kinds of operations over GF(2 n ) : 1 . additions 2 . scalar multiplications ( i.e. by constants) 3 . squares 4 . regular multiplications � Masking is efficient for the 3 first kinds ◮ ( x + y ) = ( x 0 + y 0 ) + ( x 1 + y 1 ) + · · · + ( x d + y d ) Higher-Order Masking Schemes for S-boxes

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

8 + Introduction Higher Order Masking Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved Scheme Experimental Results J.-S. Coron 1 E. Prouff 2 M. Rivain 1 , 2 Conclusion 1 University of

555 views • 43 slides
On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun Goudarzi and Matthieu Rivain CHES 2016, Santa-Barbara Higher-Order Masking x = x 1 + x 2 + + x d 2/28 Higher-Order Masking x = x 1 + x 2 +

855 views • 42 slides
Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts

Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts

Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts Oberthur CHES 2010, Santa Barbara, Aug. 20 th CHES 2010 Provably Secure Higher-Order Masking of AES Outline 1 Introduction Higher-Order

1.1k views • 77 slides
High Order Masking of Look-up Tables with Common Shares J-S.Coron, F.Rondepierre, R.Zeitoun 12th

High Order Masking of Look-up Tables with Common Shares J-S.Coron, F.Rondepierre, R.Zeitoun 12th

High Order Masking of Look-up Tables with Common Shares J-S.Coron, F.Rondepierre, R.Zeitoun 12th September 2018 Outline Outline 1 Introduction 1st Order Solution Higher Order Masking of Look-Up Tables 2 Higher Order: Optimizations 12th

388 views • 35 slides
Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan)

Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan)

Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan) 2017-09-29 1 quick intro to masking masking = countermeasure against DPA idea: secret sharing b = b 1 + b 2 individual shares tell you nothing

752 views • 45 slides
How Fast Can Higher-Order Masking Be in Software? Dahmun Goudarzi and Matthieu Rivain EUROCRYPT

How Fast Can Higher-Order Masking Be in Software? Dahmun Goudarzi and Matthieu Rivain EUROCRYPT

How Fast Can Higher-Order Masking Be in Software? Dahmun Goudarzi and Matthieu Rivain EUROCRYPT 2017, Paris 1 Introduction 2 Field Multiplications 3 Non-Linear Operations 4 Generic Polynomial Methods 5 Polynomial Methods for

873 views • 51 slides
Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and Franois-Xavier Standaert UCL (Louvain-la-Neuve, Belgium) CHES 2017, Taipei, Taiwan Outline Background Masking Barthe et al. masking

614 views • 48 slides
York University www.cs.york.ac.uk/~ndm First order vs Higher order Higher order:

York University www.cs.york.ac.uk/~ndm First order vs Higher order Higher order:

First Order Haskell Neil Mitchell York University www.cs.york.ac.uk/~ndm First order vs Higher order Higher order: functions are values Can be passed around Stored in data structure Harder for reasoning and analysis More

483 views • 15 slides
Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Introduction RSM: Rotating Sboxes Masking Information Theoretic Evaluation of RSM Security Evaluation of RSM against CPA and 2O-CPA Conclusions and Perspectives Formal Analysis of the Entropy / Security Trade-off in First-Order Masking

539 views • 38 slides
Static Power SCA of Sub-100 nm CMOS ASICs and the Insecurity of Masking Schemes in Low-Noise

Static Power SCA of Sub-100 nm CMOS ASICs and the Insecurity of Masking Schemes in Low-Noise

RUHR-UNIVERSITT BOCHUM Static Power SCA of Sub-100 nm CMOS ASICs and the Insecurity of Masking Schemes in Low-Noise Environments Thorben Moos Ruhr University Bochum, Horst Grtz Institute for IT Security, Germany August 28th, 2019 Section 1

735 views • 56 slides
Higher-Order Model Checking and Program Verification Naoki Kobayashi University of Tokyo

Higher-Order Model Checking and Program Verification Naoki Kobayashi University of Tokyo

Higher-Order Model Checking and Program Verification Naoki Kobayashi University of Tokyo Whats This Talk About? Introduction to higher-order model checking (model checking of higher- order recursion schemes) and its applications to

641 views • 40 slides
How to mask S-Boxes of a block cipher against side channel attacks. Focus on the AES. Micha el

How to mask S-Boxes of a block cipher against side channel attacks. Focus on the AES. Micha el

Introduction Masking based on Look-up tables How to mask (additively) basic operations? Method based on multiplicative masking Method based on Square and Multiply and addition chains Method based on the tower field representation

824 views • 54 slides
Why higher-order logic? Higher-Order logic Expressive Mathematics Verification

Why higher-order logic? Higher-Order logic Expressive Mathematics Verification

Extending SMT solvers to higher-order logic Haniel Barbosa Andrew Reynolds Daniel El Ouraoui Clark Barrett Cesare Tinelli SMT 2019 20190707, Lisbon, PT To be published in the proceedings of CADE 2019 Why higher-order logic?

569 views • 25 slides
Higher-Order Model Checking: Principles and Applications to Program Verification and Security

Higher-Order Model Checking: Principles and Applications to Program Verification and Security

Higher-Order Model Checking: Principles and Applications to Program Verification and Security Part I: Types and Recursion Schemes for Higher-Order Program Verification Part II: Higher-Order Program Verification and Language-Based Security

836 views • 54 slides
Image Masking Schemes for Local Manifold Learning Methods Marco F. Duarte Joint work with

Image Masking Schemes for Local Manifold Learning Methods Marco F. Duarte Joint work with

Image Masking Schemes for Local Manifold Learning Methods Marco F. Duarte Joint work with Hamid Dadkhahi IEEE ICASSP - April 23 2015 Manifold Learning Given training points in , learn the mapping to the underlying K -dimensional

404 views • 22 slides
Higher order complexity Hugo Fre Mathieu Hoyrup CCA 2013 Hugo Fre Higher order

Higher order complexity Hugo Fre Mathieu Hoyrup CCA 2013 Hugo Fre Higher order

Background & motivation Higher order strategies Higher order Turing machines Computable analysis Conclusion Higher order complexity Hugo Fre Mathieu Hoyrup CCA 2013 Hugo Fre Higher order complexity 1/12 Background &

383 views • 15 slides
T15: 402.8.3 Off Detector Electronics Colin Jessop, University of Notre Dame US-MTD Technical

T15: 402.8.3 Off Detector Electronics Colin Jessop, University of Notre Dame US-MTD Technical

T15: 402.8.3 Off Detector Electronics Colin Jessop, University of Notre Dame US-MTD Technical Review 15-16 November 2018 Outline Requirements Design R&D and prototyping plan, maturity, milestones Production-era: QA and QC

317 views • 17 slides
Higher-Order Side Channel Security and Mask Refreshing J.-S. Coron,E. Prouff, M. Rivain and T.

Higher-Order Side Channel Security and Mask Refreshing J.-S. Coron,E. Prouff, M. Rivain and T.

Higher-Order Side Channel Security and Mask Refreshing J.-S. Coron,E. Prouff, M. Rivain and T. Roche thomas.roche@ssi.gouv.fr FSE 2013 March 2013 T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing Side Channel Analysis

1.14k views • 75 slides
Spacing Integers and strings Unplugged activity: Use Mentos and bottle caps to

Spacing Integers and strings Unplugged activity: Use Mentos and bottle caps to

Spacing Integers and strings Unplugged activity: Use Mentos and bottle caps to demonstrate variables Decision Maker (js) CHALLENGE Could you make a magic 8 ball game? Flowchart Decision Maker (no branching) Flowchart

342 views • 32 slides
NADA Algorithm Update and Test Case Evalua9ons

NADA Algorithm Update and Test Case Evalua9ons

NADA Algorithm Update and Test Case Evalua9ons dra:-zhu-rmcat-nada Xiaoqing Zhu, Rong Pan, Michael Ramalho, Sergio Mena, Charles Ganzhorn, Paul

602 views • 36 slides
On the (im-) possibility of cold to warm distillation Henning Struchtrup University of Victoria,

On the (im-) possibility of cold to warm distillation Henning Struchtrup University of Victoria,

xxxx On the (im-) possibility of cold to warm distillation Henning Struchtrup University of Victoria, Canada Signe Kjelstrup & Dick Bedeaux NTNU Trondheim Non-eq. condensation/evaporation [e.g., Kjelstrup & Bedeaux 2010] mass flux j ,

560 views • 17 slides
Decentralized Dynamic Scheduling across Heterogeneous Multi core across Heterogeneous Multi

Decentralized Dynamic Scheduling across Heterogeneous Multi core across Heterogeneous Multi

Decentralized Dynamic Scheduling across Heterogeneous Multi core across Heterogeneous Multi core Desktop Grids J Jaehwan Lee , Pete Keleher, Alan Sussman h L P t K l h Al S Department of Computer Science University of Maryland Multi

357 views • 25 slides
Topological Hyperplane Arrangements David Forge, LRI, Universit e Paris-Sud and Thomas

Topological Hyperplane Arrangements David Forge, LRI, Universit e Paris-Sud and Thomas

Topological Hyperplane Arrangements David Forge, LRI, Universit e Paris-Sud and Thomas Zaslavsky, Binghamton University (SUNY) Conference in Honour of Peter Orlik Fields Institute, Toronto 19 August 2008

203 views • 17 slides
Lecture 5 The Big Picture/Language Modeling Michael Picheny, Bhuvana Ramabhadran, Stanley F .

Lecture 5 The Big Picture/Language Modeling Michael Picheny, Bhuvana Ramabhadran, Stanley F .

Lecture 5 The Big Picture/Language Modeling Michael Picheny, Bhuvana Ramabhadran, Stanley F . Chen, Markus Nussbaum-Thom Watson Group IBM T.J. Watson Research Center Yorktown Heights, New York, USA

1.04k views • 99 slides

More recommend