how fast can higher order masking be in software
play

How Fast Can Higher-Order Masking Be in Software? Dahmun Goudarzi - PowerPoint PPT Presentation

Nov 13, 2023 •356 likes •873 views

How Fast Can Higher-Order Masking Be in Software? Dahmun Goudarzi and Matthieu Rivain EUROCRYPT 2017, Paris 1 Introduction 2 Field Multiplications 3 Non-Linear Operations 4 Generic Polynomial Methods 5 Polynomial Methods for

  1. How Fast Can Higher-Order Masking Be in Software? Dahmun Goudarzi and Matthieu Rivain EUROCRYPT 2017, Paris

  2. 1 � Introduction 2 � Field Multiplications 3 � Non-Linear Operations 4 � Generic Polynomial Methods 5 � Polynomial Methods for AES 6 � The Bitslice Strategy 2/32

  3. Higher-Order Masking x = x 1 + x 2 + · · · + x d 3/32

  4. Higher-Order Masking x = x 1 + x 2 + · · · + x d � Linear operations: O ( d ) 3/32

  5. Higher-Order Masking x = x 1 + x 2 + · · · + x d � Linear operations: O ( d ) � Non-linear operations: O ( d 2 ) 3/32

  6. Higher-Order Masking x = x 1 + x 2 + · · · + x d � Linear operations: O ( d ) � Non-linear operations: O ( d 2 ) � Challenge for blockciphers: S-boxes 3/32

  7. Ishai-Sahai-Wagner Multiplication � c i = � � × � � � � � a i b i = a i × b j i i i i,j       a 1 b 1 a 1 b 2 . . . a 1 b d 0 0 . . . 0 0 r 1 , 2 . . . r 1 ,d . . . . . . 0 a 2 b 2 . . . . a 2 b 1 0 . . . . r 1 , 2 0 . . . .        +  +       . . . . . . ... . . . . . .       . . . . . . r d,d − 1     0 0 . . . a d b d a d b 1 a d b 2 . . . 0 r 1 ,d r d,d − 1 0 4/32

  8. The Polynomial Methods � Sbox seen as a polynomial over GF (2 n ) n � a i x i S ( x ) = i =0 5/32

  9. The Polynomial Methods � Sbox seen as a polynomial over GF (2 n ) n � a i x i S ( x ) = � i =0 Generic Methods � S ( x ) = ( p i ⋆ q i )( x ) i � CRV decomposition, ⋆ = × (CHES 2014) � Algebraic decomposition, ⋆ = ◦ (CRYPTO 2015) 5/32

  10. The Polynomial Methods � Sbox seen as a polynomial over GF (2 n ) n � a i x i S ( x ) = � i =0 � Generic Methods AES Specific Methods � S AES ( x ) = Aff ( x 254 ) S ( x ) = ( p i ⋆ q i )( x ) i � CRV decomposition, ⋆ = × (CHES 2014) � RP multiplication chain (CHES 2010) � Algebraic decomposition, ⋆ = ◦ (CRYPTO 2015) � KHL multiplication chain (CHES 2011) 5/32

  11. Our results � Optimized implementations of state of the art higher-order masking techniques � Bottom-up approach: ◮ base field multiplication ◮ ISW/CPRR ◮ polynomial methods � Finely tuned ARM assembly (parallelization) � Alternative strategy: bitslice method (new AES and PRESENT speed records) 6/32

  12. ARM � 32-bit architecture with 16 registers (13 user accessible register) � Barrelshifter: shifts and rotates virtually free � Example: x -times and add on GF(2)[ x ] in 1 cycle EOR $acc , $var , $acc , LSL #1 7/32

  13. 1 � Introduction 2 � Field Multiplications 3 � Non-Linear Operations 4 � Generic Polynomial Methods 5 � Polynomial Methods for AES 6 � The Bitslice Strategy 8/32

  14. Field Multiplication � Goal: efficient implementation of multiplication over GF(2 n ) � Fastest method: precomputed look-up table � Limitation: constrained memory on embedded system n 4 5 6 7 8 9 10 Table size 0.25 kiB 1 kiB 4 kiB 16 kiB 64 kiB 512 kiB 2048 kiB 9/32

  15. Field Multiplication bin mult v1 bin mult v2 exp-log v1 exp-log v2 kara. half-tab full-tab clock cycles 10 n + 3 7 n + 3 18 16 19 10 4 registers 5 5 5 5 6 5 5 2 n − 1 + 48 2 n +1 + 48 3 · 2 n + 40 3 · 2 n + 42 2 +1 + 24 2 2 n + 12 3 n code size 52 2 10/32

  16. Field Multiplication bin mult v1 bin mult v2 exp-log v1 exp-log v2 kara. half-tab full-tab clock cycles 10 n + 3 7 n + 3 18 16 19 10 4 registers 5 5 5 5 6 5 5 2 n − 1 + 48 2 n +1 + 48 3 · 2 n + 40 3 · 2 n + 42 2 +1 + 24 2 2 n + 12 3 n code size 52 2 n 2 + a ℓ ) × ( b h x n 2 + b ℓ ) a × b = ( a h x Karatsuba = T1[ a h | b h ] + T2[ a ℓ | b ℓ ] + T3[ a h + a ℓ | b h + b ℓ ] 10/32

  17. Field Multiplication bin mult v1 bin mult v2 exp-log v1 exp-log v2 kara. half-tab full-tab clock cycles 10 n + 3 7 n + 3 18 16 19 10 4 registers 5 5 5 5 6 5 5 2 n − 1 + 48 2 n +1 + 48 3 · 2 n + 40 3 · 2 n + 42 2 +1 + 24 2 2 n + 12 3 n code size 52 2 n 2 + a ℓ ) × ( b h x n 2 + b ℓ ) a × b = ( a h x Half table = T1[ a h | a ℓ | b h ] + T2[ a h | a ℓ | b ℓ ] 10/32

  18. Field Multiplication bin mult v1 bin mult v2 exp-log v1 exp-log v2 kara. half-tab full-tab clock cycles 10 n + 3 7 n + 3 18 16 19 10 4 registers 5 5 5 5 6 5 5 code size 52 56 B 80 B 88 B 90 B 152 B 268 B � For n = 4 : full table ◮ Fastest multiplication: 4 clock cycles ◮ Low code size: 268 B 10/32

  19. Field Multiplication bin mult v1 bin mult v2 exp-log v1 exp-log v2 kara. half-tab full-tab clock cycles 10 n + 3 7 n + 3 18 16 19 10 4 registers 5 5 5 5 6 5 5 code size 52 176 B 560 B 808 B 810 B 8216 B 64 kiB � For n = 8 : exp-log or half-tab ◮ tradeoff between clock cycles and code size 10/32

  20. 1 � Introduction 2 � Field Multiplications 3 � Non-Linear Operations 4 � Generic Polynomial Methods 5 � Polynomial Methods for AES 6 � The Bitslice Strategy 11/32

  21. Quadratic Operations � ISW ◮ Secure GF-mult of 2 operands ◮ Might need refreshing (see paper for details) � CPRR ◮ Evaluation of quadratic functions in 1 operand ◮ Similar to ISW: GF-mult � lookup tables ◮ Twice more random 12/32

  22. Performances Comparisons 3 , 500 ISW-FT ISW-HT 3 , 000 ISW-EL 2 , 500 CPRR Clock Cycles 2 , 000 1 , 500 1 , 000 500 0 d = 3 d = 5 d = 10 � ISW < CPRR when table too huge � Asymptotical comp: 1 CPRR � 1.16 ISW-FT, 0.88 ISW-HT, 0.75 ISW-EL 13/32

  23. Parallelization � 32-bit register filled with only n -bit elements � Perform several ISW/CPRR in parallel: ◮ n = 4 � 8 elements/register ◮ n = 8 � 4 elements/register � Consequence: ◮ Parallel: load, store, xor, loops ◮ Sequential: GF mult, CPRR lookups 14/32

  24. Performances Gain of Parallelization � n = 8 (4 elements) � n = 4 (8 elements) ISW-HT ISW-FT ISW-EL CPRR 15 , 000 15 , 000 CPRR sequential Clock Cycles Clock Cycles sequential parallel parallel 10 , 000 10 , 000 5 , 000 5 , 000 0 0 d = 3 d = 5 d = 10 d = 3 d = 5 d = 10 � Asympt. ratio: CPRR 54% . � Asympt. ratio: ISW 42% . 15/32

  25. 1 � Introduction 2 � Field Multiplications 3 � Non-Linear Operations 4 � Generic Polynomial Methods 5 � Polynomial Methods for AES 6 � The Bitslice Strategy 16/32

  26. Polynomial Decomposition S ( x ) = � i q i ( x ) ⋆ p i ( x ) 17/32

  27. Polynomial Decomposition S ( x ) = � i q i ( x ) ⋆ p i ( x ) � q i : random linear combinations from a basis B 17/32

  28. Polynomial Decomposition S ( x ) = � i q i ( x ) ⋆ p i ( x ) � q i : random linear combinations from a basis B � find p i by solving a linear system 17/32

  29. Polynomial Decomposition S ( x ) = � i q i ( x ) ⋆ p i ( x ) � q i : random linear combinations from a basis B � find p i by solving a linear system � CRV vs AD: ◮ CRV [CRV14]: ⋆ = GF-multiplication � ISW multiplication ◮ AD [CPRR15]: ⋆ = composition � CPRR evaluation 17/32

  30. CRV Improvement � Use CPRR for the basis computation � Example for n = 8 : This paper CRV x 3 = x 3 x 3 = x · x 2 x 9 = ( x 3 ) 3 x 7 = x · ( x 3 ) 2 x 5 = x 5 x 29 = x · ( x 7 ) 4 x 25 = ( x 5 ) 5 x 87 = x 3 · x 29 x 125 = ( x 25 ) 5 x 251 = ( x 6 ) 16 · ( x 87 ) 128 x 115 = ( x 125 ) 5 5 ISW 6 CPRR 18/32

  31. Implementation Results � n = 4 (8 s-boxes in / � n = 8 (4 s-boxes in / / ) / ) 3 , 000 Alge. dec. Alge. dec. 800 CRV-FT CRV-HT 2 , 500 CRV-EL Clock Cycles × 10 2 Clock Cycles × 10 600 2 , 000 1 , 500 400 1 , 000 200 500 0 0 d = 3 d = 5 d = 10 d = 3 d = 5 d = 10 19/32

  32. 1 � Introduction 2 � Field Multiplications 3 � Non-Linear Operations 4 � Generic Polynomial Methods 5 � Polynomial Methods for AES 6 � The Bitslice Strategy 20/32

  33. Polynomial Methods for AES � Based on the specific algebraic structure of the AES: S ( x ) = Aff( x 254 ) � RP10 method : 4 ISW mult � Security flaw due to refreshing � Patch [CPRR13]: 1 CPRR + 3 ISW � Improvement [GPS14]: 3 CPRR + 1 ISW � KHL11 method: 5 ISW mult on GF(16) � Patch [this paper]: 1 CPRR + 4 ISW 21/32

  34. Implementation Results � 16 s-boxes in / / KHL 100 RP-HT RP-EL Clock Cycles × 10 3 80 60 40 20 0 d = 3 d = 5 d = 10 � KHL < RP- ∗ : smaller elements � higher parallelization degree 22/32

  35. 1 � Introduction 2 � Field Multiplications 3 � Non-Linear Operations 4 � Generic Polynomial Methods 5 � Polynomial Methods for AES 6 � The Bitslice Strategy 23/32

  36. Bitslice for the AES � Sbox seen as boolean circuit X 1 X 2 X n x 1 x 2 . . . x n . . . . . . . . . � + + CPU CPU XOR XOR . . . . . . + CPU AND � 16 S-boxes in / / 24/32

  37. Application for AES S-boxes � Circuit for the AES S-box [BMP13] ◮ 83 XOR gates ◮ 32 AND gates � Bitslice (16 s-boxes) ◮ 83 XOR instructions ◮ 32 AND instructions � Masking at the order d : ◮ 83 × d XOR instructions ◮ 32 ISW-AND 25/32

  38. Improvement 2 16-bit ISW-AND � 1 32-bit ISW-AND � Goal: grouping AND gates per pairs � Validation on BMP circuit � 16 s-boxes = 16 ISW-AND � 1 ISW-AND per s-box 26/32

  39. Performance Comparison of ISW 8 , 000 ISW-AND (32 / / AND) ISW-FT (8 / / GF(16)-mult) ISW-HT (4 / / GF(256)-mult) 6 , 000 Clock Cycles 4 , 000 2 , 000 0 d = 3 d = 5 d = 10 27/32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun Goudarzi and Matthieu Rivain CHES 2016, Santa-Barbara Higher-Order Masking x = x 1 + x 2 + + x d 2/28 Higher-Order Masking x = x 1 + x 2 +

855 views • 42 slides
Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

8 + Introduction Higher Order Masking Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved Scheme Experimental Results J.-S. Coron 1 E. Prouff 2 M. Rivain 1 , 2 Conclusion 1 University of

555 views • 43 slides
Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts

Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts

Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts Oberthur CHES 2010, Santa Barbara, Aug. 20 th CHES 2010 Provably Secure Higher-Order Masking of AES Outline 1 Introduction Higher-Order

1.1k views • 77 slides
Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint work with C. Carlet, L. Goubin,

Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint work with C. Carlet, L. Goubin,

Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint work with C. Carlet, L. Goubin, E. Prouff and M. Quisquater FSE 2012 Washington DC, 21st March 2012 Higher-Order Masking Schemes for S-boxes Outline 1 Introduction 2

1.33k views • 98 slides
High Order Masking of Look-up Tables with Common Shares J-S.Coron, F.Rondepierre, R.Zeitoun 12th

High Order Masking of Look-up Tables with Common Shares J-S.Coron, F.Rondepierre, R.Zeitoun 12th

High Order Masking of Look-up Tables with Common Shares J-S.Coron, F.Rondepierre, R.Zeitoun 12th September 2018 Outline Outline 1 Introduction 1st Order Solution Higher Order Masking of Look-Up Tables 2 Higher Order: Optimizations 12th

388 views • 35 slides
Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software

Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software

The signature The countermeasure and its proof Performances Future work Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software Institute) Sonia Belad (CryptoExperts) Thomas Espitau (UPMC) Pierre-Alain

1.04k views • 51 slides
Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and Franois-Xavier Standaert UCL (Louvain-la-Neuve, Belgium) CHES 2017, Taipei, Taiwan Outline Background Masking Barthe et al. masking

614 views • 48 slides
York University www.cs.york.ac.uk/~ndm First order vs Higher order Higher order:

York University www.cs.york.ac.uk/~ndm First order vs Higher order Higher order:

First Order Haskell Neil Mitchell York University www.cs.york.ac.uk/~ndm First order vs Higher order Higher order: functions are values Can be passed around Stored in data structure Harder for reasoning and analysis More

483 views • 15 slides
Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Introduction RSM: Rotating Sboxes Masking Information Theoretic Evaluation of RSM Security Evaluation of RSM against CPA and 2O-CPA Conclusions and Perspectives Formal Analysis of the Entropy / Security Trade-off in First-Order Masking

539 views • 38 slides
Why higher-order logic? Higher-Order logic Expressive Mathematics Verification

Why higher-order logic? Higher-Order logic Expressive Mathematics Verification

Extending SMT solvers to higher-order logic Haniel Barbosa Andrew Reynolds Daniel El Ouraoui Clark Barrett Cesare Tinelli SMT 2019 20190707, Lisbon, PT To be published in the proceedings of CADE 2019 Why higher-order logic?

569 views • 25 slides
Higher order complexity Hugo Fre Mathieu Hoyrup CCA 2013 Hugo Fre Higher order

Higher order complexity Hugo Fre Mathieu Hoyrup CCA 2013 Hugo Fre Higher order

Background &amp; motivation Higher order strategies Higher order Turing machines Computable analysis Conclusion Higher order complexity Hugo Fre Mathieu Hoyrup CCA 2013 Hugo Fre Higher order complexity 1/12 Background &amp;

383 views • 15 slides
Higher-order Interpretations for Higher-order Complexity Emmanuel Hainry &amp; Romain Pchoux

Higher-order Interpretations for Higher-order Complexity Emmanuel Hainry &amp; Romain Pchoux

Higher-order Interpretations for Higher-order Complexity Emmanuel Hainry &amp; Romain Pchoux DICE-FOPARA, 22-23 april 2017 CNRS, INRIA, Universit de Lorraine &amp; LORIA, Nancy, France 1 Introduction First-order computability and

801 views • 46 slides
Higher-order Interpretations for Higher-order Complexity Emmanuel Hainry &amp; Romain Pchoux

Higher-order Interpretations for Higher-order Complexity Emmanuel Hainry &amp; Romain Pchoux

Higher-order Interpretations for Higher-order Complexity Emmanuel Hainry &amp; Romain Pchoux LPAR, 11 may 2017 CNRS, INRIA, Universit de Lorraine &amp; LORIA, Nancy, France 1 Introduction First-order computability and complexity

665 views • 39 slides
Fast Interactive Verification through Strong Higher-Order Automation Jasmin Blanchette Pascal

Fast Interactive Verification through Strong Higher-Order Automation Jasmin Blanchette Pascal

Towards Fast Interactive Verification through Strong Higher-Order Automation Jasmin Blanchette Pascal Fontaine Stephan Schulz Uwe Waldmann Vision: Take the Hard Labor out of Vision: Interactive Verification Push button automation for

263 views • 14 slides
Outline Higher Order Statistics First, second and higher-order statistics Matthias Hennig

Outline Higher Order Statistics First, second and higher-order statistics Matthias Hennig

Outline Higher Order Statistics First, second and higher-order statistics Matthias Hennig Generative models, recognition models Neural Information Processing Sparse Coding School of Informatics, University of Edinburgh Independent Components

358 views • 9 slides
Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1 ebastien Coron 2

Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1 ebastien Coron 2

Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1 ebastien Coron 2 Rina Zeitoun 1 Jean-S 1 IDEMIA, France 2 University of Luxembourg CHES 2018 Side-channel Attacks Differential Power Analysis [KJJ99] Group by

620 views • 47 slides
De-biasing arbitrary convex regularizers and asymptotic normality Pierre C Bellec, Rutgers

De-biasing arbitrary convex regularizers and asymptotic normality Pierre C Bellec, Rutgers

De-biasing arbitrary convex regularizers and asymptotic normality Pierre C Bellec, Rutgers University Mathematical Methods of Modern Statistics 2, June 2020 Joint work with Cun-Hui Zhang (Rutgers). Second order Poincar inequalities and

1.05k views • 35 slides
IEEE IAS Technical Books Coordinating Committee (IAS/TBCC) 2013 I&amp;CPS Lisa Perry IEEE-SA

IEEE IAS Technical Books Coordinating Committee (IAS/TBCC) 2013 I&amp;CPS Lisa Perry IEEE-SA

IEEE IAS Technical Books Coordinating Committee (IAS/TBCC) 2013 I&amp;CPS Lisa Perry IEEE-SA Staff Liaison 30 April 2013 Overview Approved 3000 Standards PARs to Expire in 2013 Looking Ahead - PARs to Expire in 2014 PAR

208 views • 19 slides
New matrix norms for structured matrix estimation Jean-Philippe Vert Optimization and Statistical

New matrix norms for structured matrix estimation Jean-Philippe Vert Optimization and Statistical

New matrix norms for structured matrix estimation Jean-Philippe Vert Optimization and Statistical Learning workshop Les Houches, France, Jan 11-16, 2015 Outline Atomic norms 1 Sparse matrices with disjoint column supports 2 Low-rank

638 views • 46 slides
Lattice Points in Polytopes Richard P. Stanley U. Miami &amp; M.I.T. A lattice polygon Georg

Lattice Points in Polytopes Richard P. Stanley U. Miami &amp; M.I.T. A lattice polygon Georg

Lattice Points in Polytopes Richard P. Stanley U. Miami &amp; M.I.T. A lattice polygon Georg Alexander Pick (18591942) P : lattice polygon in R 2 (vertices Z 2 , no self-intersections) Boundary and interior lattice points Picks

1.4k views • 120 slides
Theoretical Analysis of Adversarial Learning: A Minimax Approach Zhuozhuo Tu 1 , Jingwei Zhang 2,1

Theoretical Analysis of Adversarial Learning: A Minimax Approach Zhuozhuo Tu 1 , Jingwei Zhang 2,1

Theoretical Analysis of Adversarial Learning: A Minimax Approach Zhuozhuo Tu 1 , Jingwei Zhang 2,1 , Dacheng Tao 1 1 The University of Sydney 2 The Hong Kong University of Science and Technology NeurIPS 2019

469 views • 17 slides
IPv6 Multicast Over TEIN Pujan Srivastava | pujan@ait.asia Asian Institute of Technology

IPv6 Multicast Over TEIN Pujan Srivastava | pujan@ait.asia Asian Institute of Technology

Report: IPv6 Multicast Over TEIN Pujan Srivastava | pujan@ait.asia Asian Institute of Technology 02/10/10 IPv6 Multicast over TEIN 1 Event: The 20 th Asian School on Computer Science 2009 (TEIN) IPv6 Multicast Video Transmission 02/10/10

569 views • 35 slides
Cool gas inside early-type galaxies galaxies Timothy A.

Cool gas inside early-type galaxies galaxies Timothy A.

Cool gas inside early-type Cool gas inside early-type galaxies galaxies Timothy A. Davis ESO Fellow M. Bureau, K. Alatalo, L. Young,

516 views • 24 slides
Asteroid color photometry with Gaia and synergies with other space missions Marco Delbo

Asteroid color photometry with Gaia and synergies with other space missions Marco Delbo

Asteroid color photometry with Gaia and synergies with other space missions Marco Delbo UNS-CNRS-Observatoire de la C ote dAzur &amp; Gaia DPAC Coordination Unit 4 (Solar System Objects) May 23, 2011 Pisa, Italy Collaborators Philippe

439 views • 21 slides

More recommend