improved high order conversion from boolean to arithmetic
play

Improved High-Order Conversion From Boolean to Arithmetic Masking - PowerPoint PPT Presentation

Mar 10, 2023 •132 likes •620 views

Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1 ebastien Coron 2 Rina Zeitoun 1 Jean-S 1 IDEMIA, France 2 University of Luxembourg CHES 2018 Side-channel Attacks Differential Power Analysis [KJJ99] Group by

  1. Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1 ebastien Coron 2 Rina Zeitoun 1 Jean-S´ 1 IDEMIA, France 2 University of Luxembourg CHES 2018

  2. Side-channel Attacks

  3. Differential Power Analysis [KJJ99] Group by predicted SBox output bit Average trace 111 Differential trace 000

  4. Masking Countermeasure • Let x be some variable in a block-cipher. • Masking countermeasure: generate a random r , and manipulate the masked value x ′ x ′ = x ⊕ r instead of x . • r is random ⇒ x ′ is random ⇒ power consumption of x ′ is random ⇒ no information about x is leaked

  5. Arithmetic Masking • Some algorithms use arithmetic operations, for example IDEA, RC6, XTEA, SPECK, SHA-1. • For these algorithms, we can use arithmetic masking: x = A + r mod 2 k where we manipulate A and r separately. • Problem: how do we convert between Boolean and arithmetic masking ? • Goubin’s algorithm (CHES 01): first-order secure conversion between Boolean and arithmetic masking.

  6. Arithmetic Masking • Some algorithms use arithmetic operations, for example IDEA, RC6, XTEA, SPECK, SHA-1. • For these algorithms, we can use arithmetic masking: x = A + r mod 2 k where we manipulate A and r separately. • Problem: how do we convert between Boolean and arithmetic masking ? • Goubin’s algorithm (CHES 01): first-order secure conversion between Boolean and arithmetic masking.

  7. Second-order Attack • Second-order attack: E ( x ′ ) E ( r ) f ( E ( x ′ ) , E ( r )) correlated with x = x ′ ⊕ r • Requires more curves but can be practical

  8. Higher-order masking • Solution: n shares instead of 2 : x = x 1 ⊕ x 2 ⊕ · · · ⊕ x n • Any subset of n − 1 shares is uniformly and independently distributed • If we probe at most n − 1 shares x i , we learn nothing about x • ⇒ secure against a DPA attack of order n − 1 .

  9. Higher-order masking • Solution: n shares instead of 2 : x = x 1 ⊕ x 2 ⊕ · · · ⊕ x n • Any subset of n − 1 shares is uniformly and independently distributed • If we probe at most n − 1 shares x i , we learn nothing about x • ⇒ secure against a DPA attack of order n − 1 .

  10. Higher-order masking • High-order Boolean masking: x = x 1 ⊕ x 2 ⊕ · · · ⊕ x n • High-order arithmetic masking: x = A 1 + A 2 + . . . + A n mod 2 k • Problem: how do we convert between Boolean and arithmetic masking ? • This talk: high-order Boolean to arithmetic conversion algorithm, simpler and more efficient than [Cor17]. • complexity independent of the register size k • still with a proof of security in the ISW probing model

  11. Higher-order masking • High-order Boolean masking: x = x 1 ⊕ x 2 ⊕ · · · ⊕ x n • High-order arithmetic masking: x = A 1 + A 2 + . . . + A n mod 2 k • Problem: how do we convert between Boolean and arithmetic masking ? • This talk: high-order Boolean to arithmetic conversion algorithm, simpler and more efficient than [Cor17]. • complexity independent of the register size k • still with a proof of security in the ISW probing model

  12. Prior work and this talk n : number of shares k : arithmetic modulo 2 k ( k = 32 for HMAC-SHA-1). First-order High-order Direction complexity complexity Goubin’s algorithm B → A O (1) - [Gou01] A → B O ( k ) - B → A O ( n 2 · k ) [CGV14] - A → B B → A - O ( n 2 · log k ) [CGTV15] A → B O (log k ) 14 · 2 n + O ( n ) [Cor17] B → A - 10 · 2 n + O ( n ) - This talk B → A • Complexity independent of the register size k , as in [Cor17] • Exponential complexity, but one order of magnitude faster than [CGV14] and [CGTV15] for small values of n .

  13. Prior work and this talk n : number of shares k : arithmetic modulo 2 k ( k = 32 for HMAC-SHA-1). First-order High-order Direction complexity complexity Goubin’s algorithm B → A O (1) - [Gou01] A → B O ( k ) - B → A O ( n 2 · k ) [CGV14] - A → B B → A - O ( n 2 · log k ) [CGTV15] A → B O (log k ) 14 · 2 n + O ( n ) [Cor17] B → A - 10 · 2 n + O ( n ) - This talk B → A • Complexity independent of the register size k , as in [Cor17] • Exponential complexity, but one order of magnitude faster than [CGV14] and [CGTV15] for small values of n .

  14. Boolean to arithmetic conversion: comparison with prior work ( k = 32 bits)

  15. Comparison with CHES 2017 algorithm 14 · 2 n + O ( n ) [Cor17] B → A - 10 · 2 n + O ( n ) B → A - This talk • Our new algorithm is roughly 25% faster, and simpler. x ψ + R R F C D [Cor17] R F C x ψ + R C D This talk C

  16. Comparison with CHES 2017 algorithm 14 · 2 n + O ( n ) [Cor17] B → A - 10 · 2 n + O ( n ) B → A - This talk • Our new algorithm is roughly 25% faster, and simpler. x ψ + R R F C D [Cor17] R F C x ψ + R C D This talk C

  17. Our contribution • Our contribution: high-order conversion algorithm from Boolean to arithmetic masking • simplified variant of CHES 2017 algorithm • still with a proof of security in the ISW probing model. • Approach initiated by Hutter and Tunstall [HT16] (eprint) • but no proof of security against high-order attacks was provided by the authors. • 3rd order attack for any number of shares n described in [Cor17] • 3rd order attack against updated Hutter-Tunstall algorithm (see the proceedings)

  18. Our contribution • Our contribution: high-order conversion algorithm from Boolean to arithmetic masking • simplified variant of CHES 2017 algorithm • still with a proof of security in the ISW probing model. • Approach initiated by Hutter and Tunstall [HT16] (eprint) • but no proof of security against high-order attacks was provided by the authors. • 3rd order attack for any number of shares n described in [Cor17] • 3rd order attack against updated Hutter-Tunstall algorithm (see the proceedings)

  19. ISW security model • Simulation framework of [ISW03]: ( sk 1 , sk 2 , . . . , sk n ) m t probes Sim Block cipher c • Show that any t probes can be perfectly simulated from at most n − 1 of the sk i ’s. • Those n − 1 shares sk i are initially uniformly and independently distributed. • ⇒ the adversary learns nothing from the t probes, since he could perfectly simulate those t probes by himself.

  20. ISW security model • Simulation framework of [ISW03]: ( sk 1 , sk 2 , . . . , sk n ) m t probes Sim Block cipher c • Show that any t probes can be perfectly simulated from at most n − 1 of the sk i ’s. • Those n − 1 shares sk i are initially uniformly and independently distributed. • ⇒ the adversary learns nothing from the t probes, since he could perfectly simulate those t probes by himself.

  21. ISW security model • Simulation framework of [ISW03]: ( sk 1 , sk 2 , . . . , sk n ) m t probes Sim Block cipher c • Show that any t probes can be perfectly simulated from at most n − 1 of the sk i ’s. • Those n − 1 shares sk i are initially uniformly and independently distributed. • ⇒ the adversary learns nothing from the t probes, since he could perfectly simulate those t probes by himself.

  22. ISW security model • Simulation framework of [ISW03]: ( sk 1 , sk 2 , . . . , sk n ) m t probes Sim Block cipher c • Show that any t probes can be perfectly simulated from at most n − 1 of the sk i ’s. • Those n − 1 shares sk i are initially uniformly and independently distributed. • ⇒ the adversary learns nothing from the t probes, since he could perfectly simulate those t probes by himself.

  23. ISW security model • Simulation framework of [ISW03]: ( sk 1 , sk 2 , . . . , sk n ) m t probes Sim Block cipher c • Show that any t probes can be perfectly simulated from at most n − 1 of the sk i ’s. • Those n − 1 shares sk i are initially uniformly and independently distributed. • ⇒ the adversary learns nothing from the t probes, since he could perfectly simulate those t probes by himself.

  24. ISW security model • Simulation framework of [ISW03]: ( sk 1 , sk 2 , . . . , sk n ) m t probes Sim Block cipher c • Show that any t probes can be perfectly simulated from at most n − 1 of the sk i ’s. • Those n − 1 shares sk i are initially uniformly and independently distributed. • ⇒ the adversary learns nothing from the t probes, since he could perfectly simulate those t probes by himself.

  25. Security proofs for side-channel countermeasures • Never publish a high-order masking scheme without a proof of security ! • So many things can go wrong. • Many countermeasures without proofs have been broken in the past. • We have a poor intuition of high-order security.

  26. Goubin’s original conversion algorithm • Goubin’s theorem: the function (mod 2 k ) Ψ( x, r ) = ( x ⊕ r ) − r is affine with respect to r over F 2 . • This is surprising but true ! • Goubin’s Boolean to arithmetic conversion algorithm: x = x 1 ⊕ x 2 = ( x 1 ⊕ x 2 − x 2 ) + x 2 = Ψ( x 1 , x 2 ) + x 2 �� � � = x 1 ⊕ Ψ( x 1 , r ⊕ x 2 ) ⊕ Ψ( x 1 , r ) + x 2 (mod 2 k ) = A + x 2 • One can compute A without leaking information about x , thanks to the random r .

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ARITHMETIC OPERATIONS WE HAVE THE DATA, WHAT NOW? Operations in C Bit-wise boolean operations

ARITHMETIC OPERATIONS WE HAVE THE DATA, WHAT NOW? Operations in C Bit-wise boolean operations

ARITHMETIC OPERATIONS WE HAVE THE DATA, WHAT NOW? Operations in C Bit-wise boolean operations Logical operation Arithmetic operations 2 BOOLEAN ALGEBRA Algebraic representation of logic Encode True as 1 and False

594 views • 31 slides
CSCI-2500: Computer Organization Boolean Logic & Arithmetic for Computers (Chapter 3 and

CSCI-2500: Computer Organization Boolean Logic & Arithmetic for Computers (Chapter 3 and

CSCI-2500: Computer Organization Boolean Logic & Arithmetic for Computers (Chapter 3 and App. B) Boolean Algebra Developed by George Boole in the 1850s Mathematical theory of logic. Shannon was the first to use Boolean Algebra

1.94k views • 183 slides
Second Order Properties of Models of First Order Arithmetic Roman Kossak City University of New

Second Order Properties of Models of First Order Arithmetic Roman Kossak City University of New

Second Order Properties of Models of First Order Arithmetic Roman Kossak City University of New York RK, James H. Schmerl The Structure of Models of Peano Arithmetic , Oxford Logic Guides, 2006 1 M < Friedmans 14th Problem: Let

203 views • 18 slides
Closure conversion Expressing higher-order functions in first-order function languages Theory of

Closure conversion Expressing higher-order functions in first-order function languages Theory of

Closure Conversion in FOFL Closure Conversion in FOFL+ Closure Conversion in Java Closure conversion Expressing higher-order functions in first-order function languages Theory of Programming Languages Computer Science Department Wellesley

368 views • 7 slides
Operations in C Have the data, what now? Bit-wise boolean operations Logical operations

Operations in C Have the data, what now? Bit-wise boolean operations Logical operations

10/11/2018 Operations in C Have the data, what now? Bit-wise boolean operations Logical operations Operations and Arithmetic Arithmetic operations 2 In C Boolean Algebra Algebraic representation of logic Operators the

360 views • 7 slides
Preliminary Study on Growth, Feed Conversion and Preliminary Study on Growth, Feed Conversion and

Preliminary Study on Growth, Feed Conversion and Preliminary Study on Growth, Feed Conversion and

Preliminary Study on Growth, Feed Conversion and Preliminary Study on Growth, Feed Conversion and Production in Non- -Improved and Improved Strains of the Improved and Improved Strains of the Production in Non Nile tilapia Oreochromis niloticus

343 views • 16 slides
Boolean Arithmetic Foundations of Global Networked Computing: Building a Modern Computer From

Boolean Arithmetic Foundations of Global Networked Computing: Building a Modern Computer From

IWKS 3300: NAND to Tetris Spring 2019 John K. Bennett Boolean Arithmetic Foundations of Global Networked Computing: Building a Modern Computer From First Principles This course is based upon the work of Noam Nisan and Shimon Schocken. More

508 views • 36 slides
CO 2 Fixation by Anaerobic Non- Photosynthetic Mixotrophy for Improved Carbon Conversion Emily

CO 2 Fixation by Anaerobic Non- Photosynthetic Mixotrophy for Improved Carbon Conversion Emily

CO 2 Fixation by Anaerobic Non- Photosynthetic Mixotrophy for Improved Carbon Conversion Emily E. Crawford, John R. Phillips, Pradeep C. Munasinghe, Carrissa A. Wiedel, Biniam Maru, Ilana Aldor, & Shawn W. Jones, Terry Papoutsakis &

812 views • 42 slides
Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking Blandine

Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking Blandine

Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking Blandine Debraize Leuven, September 10th, 2012 I NTRODUCTION 1 K NOWN TABLE - BASED METHODS 2 C ORON -T CHULKINE METHOD N EISSE -P ULKUS METHOD 3 C

413 views • 28 slides
Nanopowder thermoelectrics: improved energy conversion by nanostructuring Sabine Schlecht

Nanopowder thermoelectrics: improved energy conversion by nanostructuring Sabine Schlecht

Nanopowder thermoelectrics: improved energy conversion by nanostructuring Sabine Schlecht DFG-JST Workshop Kyoto, 20.- 23. January 2009 Thermoelectric effects interconversion of thermal and electrical energy Seebeck 1821: difference in

355 views • 21 slides
Functional lower bounds for arithmetic circuits and connections to boolean circuit complexity

Functional lower bounds for arithmetic circuits and connections to boolean circuit complexity

Functional lower bounds for arithmetic circuits and connections to boolean circuit complexity Michael Forbes Mrinal Kumar Ramprasad Saptharishi Princeton University Rutgers University T el Aviv University Computational Complexity

1.35k views • 107 slides
and utilizing reduction promoters leads to improved conversion and selectivity with Co/silica

and utilizing reduction promoters leads to improved conversion and selectivity with Co/silica

Fischer-Tropsch synthesis: foregoing calcination and utilizing reduction promoters leads to improved conversion and selectivity with Co/silica Mohammad Mehrbod Mechanical Engineering Program, Mechanical Engineering Dept., UTSA Michela

485 views • 25 slides
Logic for Computer Science 04 Boolean algebra Wouter Swierstra University of Utrecht 1

Logic for Computer Science 04 Boolean algebra Wouter Swierstra University of Utrecht 1

Logic for Computer Science 04 Boolean algebra Wouter Swierstra University of Utrecht 1 Last time Naive set theory 2 This lecture Boolean algebra Computer circuits Binary arithmetic 3 Boolean algebra 4 Similarities We have seen the

993 views • 70 slides
On the Impact of Number Representation for High-Order LES F.D. Witherden Department of Ocean

On the Impact of Number Representation for High-Order LES F.D. Witherden Department of Ocean

On the Impact of Number Representation for High-Order LES F.D. Witherden Department of Ocean Engineering Texas A&M University Motivation LES is expensive really expensive. Computer Arithmetic Binary floating point

674 views • 23 slides
Definitions Boolean set: B 0 , 1 Boolean constants: 0, 1 Boolean variable: x 0

Definitions Boolean set: B 0 , 1 Boolean constants: 0, 1 Boolean variable: x 0

Computer Architecture applied computer science 03.01 Boolean algebra urbino worldwide campus 03 Logic networks 03.01 Boolean algebra Definitions Boolean

489 views • 6 slides
On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun Goudarzi and Matthieu Rivain CHES 2016, Santa-Barbara Higher-Order Masking x = x 1 + x 2 + + x d 2/28 Higher-Order Masking x = x 1 + x 2 +

855 views • 42 slides
Notes 10 Spring 2005 Clancy/Wagner The next sequence of lectures in on the topic of Arithmetic

Notes 10 Spring 2005 Clancy/Wagner The next sequence of lectures in on the topic of Arithmetic

CS 70 Discrete Mathematics for CS Notes 10 Spring 2005 Clancy/Wagner The next sequence of lectures in on the topic of Arithmetic Algorithms . We shall build up to an understanding of the RSA public-key cryptosystem. Primality and Factoring You

459 views • 7 slides
An Alternative to SAT-based Approaches for Bit-Vectors S ebastien Bardin, Philippe Herrmann,

An Alternative to SAT-based Approaches for Bit-Vectors S ebastien Bardin, Philippe Herrmann,

An Alternative to SAT-based Approaches for Bit-Vectors S ebastien Bardin, Philippe Herrmann, Florian Perroud CEA-LIST, Software Safety Labs (Paris, France) Bardin, S., Herrmann, P., Perroud, F. 1/ 21 Motivation Theory of bit-vectors (BV)

708 views • 21 slides
Implementing real numbers with RZ Andrej Bauer Iztok Kavkler Faculty of mathematics and physics

Implementing real numbers with RZ Andrej Bauer Iztok Kavkler Faculty of mathematics and physics

Implementing real numbers with RZ Andrej Bauer Iztok Kavkler Faculty of mathematics and physics University of Ljubljana Slovenia 18 June 2007 1 / 14 Introduction Currently, there are two kinds of computable real number implementations.

436 views • 14 slides
Efficient and secure modular operations using the Polynomial Modular Number System (Part 1)

Efficient and secure modular operations using the Polynomial Modular Number System (Part 1)

The Polynomial modular number system (PMNS) Randomisation with the PMNS Internal randomisation using the Montgomery-like method Efficient and secure modular operations using the Polynomial Modular Number System (Part 1) ephane Didier 1 , Fangan

757 views • 26 slides
Operators C emphasizes expressions rather than statements. Expressions are built from

Operators C emphasizes expressions rather than statements. Expressions are built from

1/28/14 Operators C emphasizes expressions rather than statements. Expressions are built from variables, constants, and Expressions operators. C has a rich collection of operators, including o arithmetic operators o relational

946 views • 6 slides
Lecture 04 Expressions Prof. Katherine Gibson Prof. Jeremy Dixon Based on slides by Shawn

Lecture 04 Expressions Prof. Katherine Gibson Prof. Jeremy Dixon Based on slides by Shawn

CMSC201 Computer Science I for Majors Lecture 04 Expressions Prof. Katherine Gibson Prof. Jeremy Dixon Based on slides by Shawn Lupoli and Max Morawski at UMBC www.umbc.edu Last Class We Covered Variables Rules for naming

649 views • 40 slides
ECE 2574: Data Structures and Algorithms - Operator Overloading C. L. Wyatt Today we will look

ECE 2574: Data Structures and Algorithms - Operator Overloading C. L. Wyatt Today we will look

ECE 2574: Data Structures and Algorithms - Operator Overloading C. L. Wyatt Today we will look at how to overload operators. The primary use of this is to define comparisons for types in ordered containers, to define the stream extraction

535 views • 14 slides
Expressions and Arithmetic Chapters 4 1 2 CPTR 124 Checklist Type Conversions Read the

Expressions and Arithmetic Chapters 4 1 2 CPTR 124 Checklist Type Conversions Read the

1/28/2011 For Next Time Read Chapter 4 Expressions and Arithmetic Chapters 4 1 2 CPTR 124 Checklist Type Conversions Read the appropriate chapter(s) Re-read the appropriate chapter(s) int double, is this OK Download

58 views • 4 slides

More recommend