how to mask s boxes of a block cipher against side
play

How to mask S-Boxes of a block cipher against side channel attacks. - PowerPoint PPT Presentation

Oct 17, 2023 •270 likes •824 views

Introduction Masking based on Look-up tables How to mask (additively) basic operations? Method based on multiplicative masking Method based on Square and Multiply and addition chains Method based on the tower field representation

  1. Introduction Masking based on Look-up tables How to mask (additively) basic operations? Method based on multiplicative masking Method based on ”Square and Multiply” and addition chains Method based on the tower field representation Conclusion How to mask S-Boxes of a block cipher against side channel attacks. Focus on the AES. Micha¨ el Quisquater University of Versailles (UVSQ), France July 4th, 2013 Micha¨ el Quisquater How to mask S-Boxes of a block cipher against side channel attac

  2. Introduction Masking based on Look-up tables How to mask (additively) basic operations? Method based on multiplicative masking Method based on ”Square and Multiply” and addition chains Method based on the tower field representation Conclusion Introduction 1 Block Cipher Logical Attacks Side Channel Attacks SPA DPA Masking Masking based on Look-up tables 2 How to mask (additively) basic operations? 3 Masking linear transformation Masking translation Masking multiplication Method based on multiplicative masking 4 Multiplicative masking Micha¨ el Quisquater How to mask S-Boxes of a block cipher against side channel attac

  3. Introduction Masking based on Look-up tables How to mask (additively) basic operations? Method based on multiplicative masking Method based on ”Square and Multiply” and addition chains Method based on the tower field representation Conclusion Akkar and Giraud Zero-attack Trichina, De Seta and Germani Attacks by Akkar, B´ evan and Goubin Genelle, Prouff and Q. Extension at order d: Genelle, Prouff and Q. Method based on ”Square and Multiply” and addition chains 5 ”Square & Multiply”: BMK and addition chains 6 Method based on the tower field representation Finite Fields Oswald, Mangard, Pramstaller and Rijmen Kim, Hong and Lim Conclusion 7 Micha¨ el Quisquater How to mask S-Boxes of a block cipher against side channel attac

  4. Introduction Block Cipher Masking based on Look-up tables Logical Attacks How to mask (additively) basic operations? Side Channel Attacks Method based on multiplicative masking SPA Method based on ”Square and Multiply” and addition chains DPA Method based on the tower field representation Masking Conclusion Block Cipher Key scheduling Rounds Micha¨ el Quisquater How to mask S-Boxes of a block cipher against side channel attac

  5. Introduction Block Cipher Masking based on Look-up tables Logical Attacks How to mask (additively) basic operations? Side Channel Attacks Method based on multiplicative masking SPA Method based on ”Square and Multiply” and addition chains DPA Method based on the tower field representation Masking Conclusion Block cipher: SP network Addition of the key S-Boxes LT: Linear transformation Micha¨ el Quisquater How to mask S-Boxes of a block cipher against side channel attac

  6. Introduction Block Cipher Masking based on Look-up tables Logical Attacks How to mask (additively) basic operations? Side Channel Attacks Method based on multiplicative masking SPA Method based on ”Square and Multiply” and addition chains DPA Method based on the tower field representation Masking Conclusion Logical Attacks Available data : plaintexts and/or ciphertexts Goal : estimation of the key used to generate the data. Exemples: Exhaustive search Linear and differential cryptanalysis Slide attack Algebraic attack ... Counter-measure : use components with good cryptographic properties in the design of the algorithm Micha¨ el Quisquater How to mask S-Boxes of a block cipher against side channel attac

  7. Introduction Block Cipher Masking based on Look-up tables Logical Attacks How to mask (additively) basic operations? Side Channel Attacks Method based on multiplicative masking SPA Method based on ”Square and Multiply” and addition chains DPA Method based on the tower field representation Masking Conclusion Side Channel Attacks Available data : plaintexts and/or ciphertexts + physical measures corresponding to the execution of the algorithm on those data. Goal : estimation of the key used to generate the data. Examples: Timing attacks Acoustical attacks Electromagnetic attacks (Differential) Power attacks ... Micha¨ el Quisquater How to mask S-Boxes of a block cipher against side channel attac

  8. Introduction Block Cipher Masking based on Look-up tables Logical Attacks How to mask (additively) basic operations? Side Channel Attacks Method based on multiplicative masking SPA Method based on ”Square and Multiply” and addition chains DPA Method based on the tower field representation Masking Conclusion Power attacks Computation = modification of the state of a logical gate. Logical gate = transistor circuit. Consumption of a transistor depends on its state (or the transition between states). CCL: consumption of the execution of an algorithm depends on the values of the data, instructions (logical gates) and noise. Micha¨ el Quisquater How to mask S-Boxes of a block cipher against side channel attac

  9. Introduction Block Cipher Masking based on Look-up tables Logical Attacks How to mask (additively) basic operations? Side Channel Attacks Method based on multiplicative masking SPA Method based on ”Square and Multiply” and addition chains DPA Method based on the tower field representation Masking Conclusion SPA (Simple Power Analysis) Example: execution of the RSA Instructions that are executed depend on the value of the key (exponent): 1 ⇒ ”square and multiply” 0 ⇒ ”square” Correlation between the shape of the electrical consumption signal and the value of the key bits of the exponent Example above : (0, 1, 0, 1 ,1 ,0). Micha¨ el Quisquater How to mask S-Boxes of a block cipher against side channel attac

  10. Introduction Block Cipher Masking based on Look-up tables Logical Attacks How to mask (additively) basic operations? Side Channel Attacks Method based on multiplicative masking SPA Method based on ”Square and Multiply” and addition chains DPA Method based on the tower field representation Masking Conclusion DPA (Differential power analysis) Let us apply the SPA to the DES: Clear distinction of the computation of IP , the 16 rounds and IPinv. Dependency between the signal and the used key seems less obvious comparing to the case of RSA ⇒ other method = Differential Power Analysis. Micha¨ el Quisquater How to mask S-Boxes of a block cipher against side channel attac

  11. Introduction Block Cipher Masking based on Look-up tables Logical Attacks How to mask (additively) basic operations? Side Channel Attacks Method based on multiplicative masking SPA Method based on ”Square and Multiply” and addition chains DPA Method based on the tower field representation Masking Conclusion Principle of the DPA The evaluation of a block cipher A K ( x ) (encryption or decryption) may be considered as a sequence of intermediate results: I 1 ( x , k ) , I 2 ( x , k ) , . . . , I t ( x , k ) The DPA focus on the power consumption related to some of these intermediated (target) values. Micha¨ el Quisquater How to mask S-Boxes of a block cipher against side channel attac

  12. Introduction Block Cipher Masking based on Look-up tables Logical Attacks How to mask (additively) basic operations? Side Channel Attacks Method based on multiplicative masking SPA Method based on ”Square and Multiply” and addition chains DPA Method based on the tower field representation Masking Conclusion Principle of the DPA (cont.) Idea of the DPA (order 1) : For each guess ˆ K on a part K of the key, build two subsets, i.e. S 0 ( ˆ K ) et S 1 ( ˆ K ) , from the available data (plaintext, ciphertext or parts of them) such that: If ˆ K = K , the average of the power consumption related to 1 the target value taken on the data S 0 ( ˆ K ) is greater than the one taken on the data S 1 ( ˆ K ) ⇒ Right Guess If ˆ K � = K the averages are indistinguable ⇒ Wrong Guess 2 Micha¨ el Quisquater How to mask S-Boxes of a block cipher against side channel attac

  13. Introduction Block Cipher Masking based on Look-up tables Logical Attacks How to mask (additively) basic operations? Side Channel Attacks Method based on multiplicative masking SPA Method based on ”Square and Multiply” and addition chains DPA Method based on the tower field representation Masking Conclusion Counter-measure against DPA: Masking (cont.) Counter-measures: to thwart the ability to build the sets ( S 1 ( ˆ K ) , S 2 ( ˆ K )) with the required properties. ⇒ Masking = introduce randomness in the targets. Examples based on the one time pad : Additive masking: replace I ( x , s ) by I ( x , s ) ⊕ r ( r is random) if I ( x , s ) belongs to an additive group. Multiplicative masking: replace I ( x , s ) by I ( x , s ) ⊗ r ( r is random) if I ( x , s ) belongs to a multiplicative group. Micha¨ el Quisquater How to mask S-Boxes of a block cipher against side channel attac

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Cipher Cipher Cipher Cipher

464 views • 20 slides
Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata

Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata

Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Iterated Block Cipher Outline Iterated Block Cipher 1 S-Boxes 2 A Basic Substitution Permutation Network 3 Linear

1.58k views • 113 slides
Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee , Byeonghak Lee KAIST Tweakable Block Cipher A tweakable block cipher accepts an additional input "tweak - Tweaks are publicly used

519 views • 30 slides
Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Cryptography Block Cipher Modes of Operation Block Ciphers with Multiple Blocks Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography Cipher Feedback Mode School of Engineering and Technology

428 views • 32 slides
PRF , Block Ciphers MAC Lecture 6 One-time CPA-secure RECALL SKE with a Stream-Cipher m

PRF , Block Ciphers MAC Lecture 6 One-time CPA-secure RECALL SKE with a Stream-Cipher m

PRF , Block Ciphers MAC Lecture 6 One-time CPA-secure RECALL SKE with a Stream-Cipher m (stream) Enc One-time Encryption with a stream-cipher: SC K Generate a one-time pad from a short seed Can share just the seed as the key Mask

1.33k views • 102 slides
Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next?

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next?

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next? Pascal Junod University of Applied Sciences Western Switzerland Pascal Junod -- Advanced Block Cipher Design 1 ECRYPT II Summer School - May

914 views • 56 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx

COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx

COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx COSIC KU Leuven and iMinds March 3, 2014 1 Joint work with E. Andreeva, B. Mennink, and K. Yasuda. 1 / 23 Overview COBRA 1 Misuse resistance 2

711 views • 58 slides
Block Cipher Operation CBC CFB OFB CSS441: Security and Cryptography CTR Feedback Sirindhorn

Block Cipher Operation CBC CFB OFB CSS441: Security and Cryptography CTR Feedback Sirindhorn

CSS441 Block Cipher Operation Modes ECB Block Cipher Operation CBC CFB OFB CSS441: Security and Cryptography CTR Feedback Sirindhorn International Institute of Technology XTS-AES Thammasat University Prepared by Steven Gordon on 20

871 views • 32 slides
PSEUDO-RANDOM FUNCTIONS We want to answer the question: What is a good block cipher? where

PSEUDO-RANDOM FUNCTIONS We want to answer the question: What is a good block cipher? where

Recall We studied security of function families (in particular, block ciphers) against key recovery. But we saw that security against key recovery is not su ffi cient to ensure that natural usages of a block cipher are secure. PSEUDO-RANDOM

268 views • 13 slides
Overview of the DES A block cipher: encrypts blocks of 64 bits using a 64 bit key

Overview of the DES A block cipher: encrypts blocks of 64 bits using a 64 bit key

Overview of the DES A block cipher: encrypts blocks of 64 bits using a 64 bit key outputs 64 bits of ciphertext A product cipher basic unit is the bit performs both substitution and transposition (permutation) on the

512 views • 35 slides
Attacks on the KeeLoq Block Cipher and Authentication Systems Andrey Bogdanov Chair for

Attacks on the KeeLoq Block Cipher and Authentication Systems Andrey Bogdanov Chair for

Attacks on the KeeLoq Block Cipher and Authentication Systems Andrey Bogdanov Chair for Communication Security Ruhr University Bochum, Germany abogdanov@crypto.rub.de www.crypto.rub.de Abstract. KeeLoq is a block cipher used in numerous

143 views • 13 slides
Block Cipher Cryptanalysis: Basic and Advanced Techniques I

Block Cipher Cryptanalysis: Basic and Advanced Techniques I

Block Cipher Cryptanalysis: Basic and Advanced Techniques I & II Andrey Bogdanov KU Leuven, ESAT/COSIC Outline I. Block Ciphers II.

1.03k views • 79 slides
PSEUDO-RANDOM FUNCTIONS 1 / 65 Recall We studied security of a block cipher against key

PSEUDO-RANDOM FUNCTIONS 1 / 65 Recall We studied security of a block cipher against key

PSEUDO-RANDOM FUNCTIONS 1 / 65 Recall We studied security of a block cipher against key recovery. But we saw that security against key recovery is not sufficient to ensure that natural usages of a block cipher are secure. We want to answer the

920 views • 88 slides
Objectives Electronic Code Book Cipher Block Chaining Output Boolean functions

Objectives Electronic Code Book Cipher Block Chaining Output Boolean functions

Modes of Operation of Block Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Electronic Code Book Cipher Block Chaining

183 views • 16 slides
Block Ciphers Chester Rebeiro IIT Madras CR CR STINSON : chapters 3 Block Cipher K D K E

Block Ciphers Chester Rebeiro IIT Madras CR CR STINSON : chapters 3 Block Cipher K D K E

Block Ciphers Chester Rebeiro IIT Madras CR CR STINSON : chapters 3 Block Cipher K D K E untrusted communicaGon link Alice Bob E D #%AR3Xf34^$ A?ack at Dawn!! decrypGon encrypGon (ciphertext) message A?ack at Dawn!!

1.71k views • 143 slides
Analytical Inductive Programming as a Cognitive Rule Acquisition Devise Ute Schmid, Martin

Analytical Inductive Programming as a Cognitive Rule Acquisition Devise Ute Schmid, Martin

Analytical Inductive Programming as a Cognitive Rule Acquisition Devise Ute Schmid, Martin Hofmann, Emanuel Kitzelmann Cognitive Systems Group University of Bamberg AGI 2009 CogSys Group (Univ. of Bamberg) IP as Rule Acquisition Device AGI

384 views • 11 slides
Union-Find Part I Lecture 21 November 6, 2014 Union Find 1/45 2/45 Requirements from the

Union-Find Part I Lecture 21 November 6, 2014 Union Find 1/45 2/45 Requirements from the

CS 573: Algorithms, Fall 2014 Union-Find Part I Lecture 21 November 6, 2014 Union Find 1/45 2/45 Requirements from the data-structure Amortized Analysis 1. Maintain a collection of sets. 1. Use data-structure as a black-box inside

493 views • 10 slides
DAQ architecture - networking J.MARTEAU IPNL, Universit de Lyon, CNRS-IN2P3, UMR 5822 DUNE DAQ

DAQ architecture - networking J.MARTEAU IPNL, Universit de Lyon, CNRS-IN2P3, UMR 5822 DUNE DAQ

DAQ architecture - networking J.MARTEAU IPNL, Universit de Lyon, CNRS-IN2P3, UMR 5822 DUNE DAQ WG October 19, 2015 WA105 data network processing) Storage : Processing : (storage/ 15 disks servers R730 16 lames M630 B/E 2 metadata

374 views • 11 slides
Software Design & Architecture Mei Nagappan (material adapted from Reid Holmes) Lecture

Software Design & Architecture Mei Nagappan (material adapted from Reid Holmes) Lecture

Software Design & Architecture Mei Nagappan (material adapted from Reid Holmes) Lecture Summary Administrative details Expectations Project Assessment MEI NAGAPPAN - SE2: SOFTWARE DESIGN & ARCHITECTURE Dates and Times

241 views • 22 slides
pump tower function tests Shuoxing Wu WA105-3x1x1 bi-weekly meeting 27.07.2016 LAr pump tower

pump tower function tests Shuoxing Wu WA105-3x1x1 bi-weekly meeting 27.07.2016 LAr pump tower

pump tower function tests Shuoxing Wu WA105-3x1x1 bi-weekly meeting 27.07.2016 LAr pump tower Shuoxing Wu ETHZ 2 LAr pump tower function test self-recirculation to simulate outer LAr bath real operation condition h valves open pump

57 views • 5 slides
Chapter 23 Union-Find CS 573: Algorithms, Fall 2013 November 14, 2013 23.1 Union Find 23.2

Chapter 23 Union-Find CS 573: Algorithms, Fall 2013 November 14, 2013 23.1 Union Find 23.2

Chapter 23 Union-Find CS 573: Algorithms, Fall 2013 November 14, 2013 23.1 Union Find 23.2 Union-Find 23.2.1 Requirements from the data-structure 23.2.1.1 Requirements from the data-structure (A) Maintain a collection of sets. (B)

288 views • 9 slides
1 Regret Video of Demo Q-learning Explora*on Func*on

1 Regret Video of Demo Q-learning Explora*on Func*on

Explora*on vs. Exploita*on CS 473: Ar*ficial Intelligence Reinforcement Learning II Dieter Fox / University of Washington [Most slides were taken from

74 views • 6 slides
CREATING, ACQUIRING AND INTEGRATING REUSABLE IP Prof. Don Bouldin, Ph.D. Electrical &

CREATING, ACQUIRING AND INTEGRATING REUSABLE IP Prof. Don Bouldin, Ph.D. Electrical &

CREATING, ACQUIRING AND INTEGRATING REUSABLE IP Prof. Don Bouldin, Ph.D. Electrical & Computer Engineering University of Tennessee Knoxville, TN 37996-2100 dbouldin@tennessee.edu IEEE Boston 14 November 2007

564 views • 32 slides

More recommend