ls designs
play

LS-Designs Bitslice Encryption for Efficient Masked Software - PowerPoint PPT Presentation

Apr 20, 2023 •354 likes •638 views

1 / 20 Conclusion FSE 2014 LS-Designs G. Leurent (UCL,Inria) Motivation LS-Designs Bitslice Encryption for Efficient Masked Software Implementations Instances Security Analysis LS-Designs . . . . . . . . . . . . . . . . . . Vincent

  1. 1 / 20 Conclusion FSE 2014 LS-Designs G. Leurent (UCL,Inria) Motivation LS-Designs Bitslice Encryption for Efficient Masked Software Implementations Instances Security Analysis LS-Designs . . . . . . . . . . . . . . . . . . Vincent Grosso 1 Gaëtan Leurent 1 , 2 FrançoisXavier Standert 1 Kerem Varici 1 1 UCL, Belgium  2 Inria, France FSE 2014

  2. 2 / 20 Motivation FSE 2014 LS-Designs LS-Designs Security Analysis G. Leurent (UCL,Inria) Instances Conclusion Secure communications . . . . . . . . . . . . . . . . . . ▶ Cryptography aims to provide secure communications in the presence of an adversary. ▶ Classical model: adversary controls the communication channel: . . . . . . . . . . . E D P C P Alice Bob ▶ Recovering the plaintext without the key should be hard. ▶ Mathematical properties of the cipher E .

  3. 3 / 20 Motivation FSE 2014 LS-Designs LS-Designs Security Analysis G. Leurent (UCL,Inria) Instances Conclusion Side-channel analysis . . . . . . . . . . . . . . . . . . ▶ In practice, the cryptography is implemented by a physical system ▶ Smart card (credit card, SIM), computer, mechanical machine ... ▶ The adversary can measure physical properties of the system ▶ Time to encrypt data ▶ Power consumption ▶ Electromagnetic radiations ▶ Sound ▶ ... ▶ Information about values during the computation can break the system even if the algorithm is good. .

  4. 4 / 20 Motivation FSE 2014 LS-Designs LS-Designs Security Analysis G. Leurent (UCL,Inria) Instances Conclusion Side-channel protection . . . . . . . . . . . . . . . . . . ▶ Implement crypto carefully: ▶ Constant time operations (avoid SPA attacks) ▶ No secret branches ▶ No secret table access (avoid cache timing) ▶ Power consumption depend on the value of the operands ▶ Correlated with Hamming weight/distance of values in bus/registers/... ▶ Exploited in DPA attacks ▶ Masking ▶ Best understood countermeasure

  5. 4 / 20 Motivation FSE 2014 LS-Designs LS-Designs Security Analysis G. Leurent (UCL,Inria) Instances Conclusion Side-channel protection . . . . . . . . . . . . . . . . . . ▶ Implement crypto carefully: ▶ Constant time operations (avoid SPA attacks) ▶ No secret branches ▶ No secret table access (avoid cache timing) ▶ Power consumption depend on the value of the operands ▶ Correlated with Hamming weight/distance of values in bus/registers/... ▶ Exploited in DPA attacks ▶ Masking ▶ Best understood countermeasure

  6. 4 / 20 Motivation FSE 2014 LS-Designs LS-Designs Security Analysis G. Leurent (UCL,Inria) Instances Conclusion Side-channel protection . . . . . . . . . . . . . . . . . . ▶ Implement crypto carefully: ▶ Constant time operations (avoid SPA attacks) ▶ No secret branches ▶ No secret table access (avoid cache timing) ▶ Power consumption depend on the value of the operands ▶ Correlated with Hamming weight/distance of values in bus/registers/... ▶ Exploited in DPA attacks ▶ Masking ▶ Best understood countermeasure

  7. 5 / 20 Motivation FSE 2014 LS-Designs LS-Designs Security Analysis G. Leurent (UCL,Inria) Instances Conclusion Masking . . . . . . . . . . . . . . . . . . ▶ Split the sensitive data in r shares (secret sharing) ▶ k 1 ← $ , ... ▶ k r − 1 ← $ ▶ k r ← k − ∑ k i ▶ Use MPClike techniques to avoid manipulating the secret itself ▶ Linear operations are easy ▶ Perform operation on each share ▶ Nonlinear operations are expansive ▶ Need interaction, and randomness ▶ Cost increase with r 2 ▶ Sidechannel adversary must combine r measures (for an ideal implementation...) ▶ Data complexity is exponential in r : (𝜏 2 n ) r

  8. 6 / 20 Motivation FSE 2014 LS-Designs LS-Designs Security Analysis G. Leurent (UCL,Inria) Instances Conclusion Motivation Main question . . . . . . . . . . . . . . . . . . How to have secure crypto on 8bit microcontrollers? ▶ Sidechannel resistance necessary in many lightweight settings ▶ Avoid your car keys / credit card being cloned ▶ Usual approach: 1 Design a secure cipher (AES, PRESENT, Noekeon, ...) 2 Implement with sidechannel countermeasures ▶ Can we reverse the problem? 1 Use operations that are easy to mask 2 In order to design a secure cipher ▶ Previous work: Zorro, PICARO

  9. 7 / 20 Motivation FSE 2014 LS-Designs LS-Designs Security Analysis G. Leurent (UCL,Inria) Instances Conclusion Choice of operations Important remark . . . . . . . . . . . . . . . . . . Logic gates are easier to mask than tablebased Sboxes (If we target Boolean masking) ▶ Use bitsliced Sboxes (SERPENT, Noekeon, ...) ▶ One word contains the msb (resp. 2 nd bit, ...) of every Sbox ▶ Bitwise operations: 8 Sboxes in parallel using 8bit words ▶ Use a small number of nonlinear gates ▶ We can use tables for the diffusion layer! ▶ Efficient, good diffusion ▶ Easy to mask (linear)

  10. 7 / 20 Motivation FSE 2014 LS-Designs LS-Designs Security Analysis G. Leurent (UCL,Inria) Instances Conclusion Choice of operations Important remark . . . . . . . . . . . . . . . . . . Logic gates are easier to mask than tablebased Sboxes (If we target Boolean masking) ▶ Use bitsliced Sboxes (SERPENT, Noekeon, ...) ▶ One word contains the msb (resp. 2 nd bit, ...) of every Sbox ▶ Bitwise operations: 8 Sboxes in parallel using 8bit words ▶ Use a small number of nonlinear gates ▶ We can use tables for the diffusion layer! ▶ Efficient, good diffusion ▶ Easy to mask (linear)

  11. 8 / 20 Motivation FSE 2014 LS-Designs LS-Designs Security Analysis G. Leurent (UCL,Inria) Instances Conclusion LS-designs . . . . . . . . . . . . . . . . . . ▶ Mathematical description: SPN network ▶ Sboxes (with simple gate representation) ▶ Linear diffusion layer (binary matrix) ▶ Good design criterion: widetrail S S S S S S S S S L . . . . . . . . . . . . . . . . . . . . . S S S S S S S S S L ▶ Bitslice implementation: ▶ Sbox as a series of bitwise operations ▶ Lbox tables for diffusion layer ▶ Easy to mask (simple nonlinear ops., complex linear ops.)

  12. 8 / 20 Motivation FSE 2014 LS-Designs LS-Designs Security Analysis G. Leurent (UCL,Inria) Instances Conclusion LS-designs . . . . . . . . . . . . . . . . . . . . . . x ← P ⊕ K State as a bitmatrix for 0 ≤ r < N r do ▷ Sbox layer: for 0 ≤ i < l do x [ i , ⋆] = 𝘛[ x [ i , ⋆]] Sbox layer ▷ Lbox layer: for 0 ≤ j < s do x [⋆, j ] = 𝘔[ x [⋆, j ]] Lbox layer ▷ Key addition: x ← x ⊕ k r return x

  13. 9 / 20 Class13 from [UCIKMP11] FSE 2014 LS-Designs LS-Designs Security Analysis G. Leurent (UCL,Inria) Instances Conclusion S-box: 4-bit Involution with same prob. Motivation . . . . . . . . . . . . . . . . . . ▶ Exhaustive search possible for 4bit Sbox [UCIKMP11] ▶ Optimal Sbox with 4 nonlinear gates: Pr lin = 2 − 1 , Pr diff = 2 − 2 . . . .

  14. 10 / 20 Motivation FSE 2014 LS-Designs LS-Designs Security Analysis G. Leurent (UCL,Inria) Instances Conclusion S-box: 8-bit MISTY-like Feistel Whirlpool-like . . . . . . . . . . . . . . . . . . ▶ Exhaustive search not possible ▶ Use constructions from a 4bit Sbox: S 1 S 1 S 2 S 1 L S 2 S 2 S 3 S 4 S 3 S 3 . . . . . . . . . . . . . . . . ▶ Test properties

  15. 11 / 20 Motivation FSE 2014 LS-Designs LS-Designs Security Analysis G. Leurent (UCL,Inria) Instances Conclusion Best S-Boxes . . . . . . . . . . . . . . . . . . size # AND # XOR Invol. deg (𝘛) Pr diff Pr lin 2 − 2 2 − 1 NOEKEON 4 4 7 Yes 3 2 − 2 2 − 1 Class 13 4 4 No 3 2 − 2 2 − 1 Figure (b) 4 4 Yes 3 2 − 6 2 − 3 AES 8 32 83 No 7 2 − 4 . 68 2 − 2 Whirlpool + Class 13 16 41 No 6 2 − 4 . 68 2 − 2 Whirlpool + Figure (b) 16 42 No 6 2 − 4 2 − 2 Feistel + Class13 12 24 Yes 6 2 − 4 2 − 2 Feistel + Figure (b) 12 24 Yes 5 2 − 4 2 − 2 MISTY + 3/5bit 11 25 No 5 Feistel 2 + Class13 2 − 8 2 − 4 16 36 96 Yes 13

  16. 11 / 20 Motivation FSE 2014 LS-Designs LS-Designs Security Analysis G. Leurent (UCL,Inria) Instances Conclusion Best S-Boxes . . . . . . . . . . . . . . . . . . size # AND # XOR Invol. deg (𝘛) Pr diff Pr lin 2 − 2 2 − 1 NOEKEON 4 4 7 Yes 3 2 − 2 2 − 1 Class 13 4 4 No 3 2 − 2 2 − 1 Figure (b) 4 4 Yes 3 2 − 6 2 − 3 AES 8 32 83 No 7 2 − 4 . 68 2 − 2 Whirlpool + Class 13 16 41 No 6 2 − 4 . 68 2 − 2 Whirlpool + Figure (b) 16 42 No 6 2 − 4 2 − 2 Feistel + Class13 12 24 Yes 6 2 − 4 2 − 2 Feistel + Figure (b) 12 24 Yes 5 2 − 4 2 − 2 MISTY + 3/5bit 11 25 No 5 Feistel 2 + Class13 2 − 8 2 − 4 16 36 96 Yes 13

  17. 12 / 20 Motivation FSE 2014 LS-Designs LS-Designs Security Analysis G. Leurent (UCL,Inria) Instances Conclusion L-box choice . . . . . . . . . . . . . . . . . . ▶ Wide trail strategy: maximum branch number ▶ At least B active Sboxes every two rounds ▶ Use coding theory results 8-bit Exhaustive search possible ▶ Maximum branch number is 5 ▶ Reachable with involutions 16-bit Optimal codes known ▶ Optimal distance is 8 ▶ ReedMuller(2,5) gives an involution 32-bit Optimal codes not known ▶ Best known code have a distance 12 ▶ Upper bound is 16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CSE 140 Lecture 14 System Designs CK Cheng CSE Dept. UC San Diego 1 System Designs

CSE 140 Lecture 14 System Designs CK Cheng CSE Dept. UC San Diego 1 System Designs

CSE 140 Lecture 14 System Designs CK Cheng CSE Dept. UC San Diego 1 System Designs Introduction Components Spec Implementation 2 Digital Designs vs Computer Architectures Instruction Set (H.Chapter 6, CSE141)

503 views • 18 slides
Go 2 Draft Designs Hello everyone, Im here to talk about the draft designs that the Go team

Go 2 Draft Designs Hello everyone, Im here to talk about the draft designs that the Go team

Go 2 Draft Designs Hello everyone, Im here to talk about the draft designs that the Go team recently released for possible future additions to Go, specifically about two areas: improved error handling and parametric polymorphism (AKA generics),

411 views • 29 slides
Group Sequential and Adaptive Designs Part II: Adaptive Designs May 2, 2015 Cyrus Mehta, Ph.D.

Group Sequential and Adaptive Designs Part II: Adaptive Designs May 2, 2015 Cyrus Mehta, Ph.D.

Group Sequential and Adaptive Designs Part II: Adaptive Designs May 2, 2015 Cyrus Mehta, Ph.D. Cytel Inc. Adaptive Designs Adaptive designs are defined as: changes in design or analyses guided by examination of the accumulated

1.11k views • 64 slides
Designs Learning designs Learning objectives Learners will be able to Provide a

Designs Learning designs Learning objectives Learners will be able to Provide a

Learning Designs Learning designs Learning objectives Learners will be able to Provide a rationale for using multiple learning designs. Identify at least five to seven learning designs appropriate for one of their professional

274 views • 14 slides
D-optimal Designs and Equidistant Designs for Stationary Processes Milan Stehl k

D-optimal Designs and Equidistant Designs for Stationary Processes Milan Stehl k

D-optimal Designs and Equidistant Designs for Stationary Processes Milan Stehl k Department of Applied Statistics Johannes Kepler University in Linz Austria 1 This work was supported by WTZ project Nr. 04/2006. Outlook 1. Correlated

435 views • 29 slides
Single-Case Designs (SCD) I. Use of SCD in SW II. Requirements for SCD 1. Target problem (DV) 2.

Single-Case Designs (SCD) I. Use of SCD in SW II. Requirements for SCD 1. Target problem (DV) 2.

1 Single-Case Designs (SCD) I. Use of SCD in SW II. Requirements for SCD 1. Target problem (DV) 2. Quantification of data 3. Obtaining baseline 4. Graphic display of data III. Designs(AB, ABAB. ABC/ABCD) and Examples IV. Time Series Designs

667 views • 19 slides
Single Subject Designs ScWk 240 Week 8 Slides 1 Group vs. Single Subject Designs There are two

Single Subject Designs ScWk 240 Week 8 Slides 1 Group vs. Single Subject Designs There are two

Single Subject Designs ScWk 240 Week 8 Slides 1 Group vs. Single Subject Designs There are two broadly defined approaches to experimental research: group designs &amp; single-subject designs Both approaches apply components of the scientific

348 views • 24 slides
A number of steps are required in solving design problems. The steps should be carried out

A number of steps are required in solving design problems. The steps should be carried out

D AY 147 S QUARE AND RECTANGULAR DESIGNS I NTRODUCTION Geometry can be used in modeling of wonderful designs like designs of rectangular house roofs, a rectangular table top, a rectangular field, a rectangular window frame, among other

759 views • 17 slides
15. Scientific Foundations A MERICAN P SYCHOLOGICAL A SSOCIATION Research Designs for Recovery

15. Scientific Foundations A MERICAN P SYCHOLOGICAL A SSOCIATION Research Designs for Recovery

15. Scientific Foundations A MERICAN P SYCHOLOGICAL A SSOCIATION Research Designs for Recovery Oriented Mental Health Services Quantitative Studies: Experimental designs Quasi-experimental designs Non-experimental quantitative designs

74 views • 5 slides
Evaluating Interface Designs Evaluating Interface Designs SE3830 SE3830 - Jay Urbain J U b i

Evaluating Interface Designs Evaluating Interface Designs SE3830 SE3830 - Jay Urbain J U b i

Evaluating Interface Designs Evaluating Interface Designs SE3830 SE3830 - Jay Urbain J U b i Credits: Ben Shneiderman, Catherine Plaisant, Roger J. Chapman This graph depicts the relationships between 2367 people How to evaluate Interface

1.2k views • 47 slides
Leveraging Open Source Designs Creating a component search engine for reference designs used in

Leveraging Open Source Designs Creating a component search engine for reference designs used in

Leveraging Open Source Designs Creating a component search engine for reference designs used in practice WHOAMI Lasse Mnch M.Sc. Student at RWTH Aachen University Electronics Hobbyist Creating PCBs Choose Components Create Schematics

342 views • 11 slides
Session 6 - Innovative designs, pharmacometrics and optimal designs Joe Standing

Session 6 - Innovative designs, pharmacometrics and optimal designs Joe Standing

Session 6 - Innovative designs, pharmacometrics and optimal designs Joe Standing j.standing@ucl.ac.uk MRC Fellow: UCL Great Ormond Street Institute of Child Health Antimicrobial Pharmacist: Great Ormond Street Hospital for Children Honorary

689 views • 12 slides
Symmetric Designs Lucia Moura School of Electrical Engineering and Computer Science University

Symmetric Designs Lucia Moura School of Electrical Engineering and Computer Science University

Symmetric designs Projective Planes and Geometries Symmetric Designs Lucia Moura School of Electrical Engineering and Computer Science University of Ottawa lucia@eecs.uottawa.ca Winter 2017 Symmetric Designs Lucia Moura Symmetric designs

574 views • 20 slides
Search for systems of linked symmetric 2 (36 , 15 , 6) designs Matan Ziv-Av Ben-Gurion

Search for systems of linked symmetric 2 (36 , 15 , 6) designs Matan Ziv-Av Ben-Gurion

Search for systems of linked symmetric 2 (36 , 15 , 6) designs Matan Ziv-Av Ben-Gurion University of the Negev AGT16, Plze n, October 2016. Outline Symmetric 2-designs 1 Systems of linked symmetric designs 2 Parameters (36 , 15 , 6)

564 views • 30 slides
Wayfinding Sign Designs Northfield Historic District Preliminary designs prepared for the City of

Wayfinding Sign Designs Northfield Historic District Preliminary designs prepared for the City of

Wayfinding Sign Designs Northfield Historic District Preliminary designs prepared for the City of Northfield Presented to the Northfield Downtown Development Corporation Forum February 6, 2007 Scope of the Project: Design a wayfinding graphic

566 views • 21 slides
Tonights 8 Greenway Designs Tonight s 8 Greenway Designs Commonwealth Ave. Summer St / L St Ch

Tonights 8 Greenway Designs Tonight s 8 Greenway Designs Commonwealth Ave. Summer St / L St Ch

Tonights 8 Greenway Designs Tonight s 8 Greenway Designs Commonwealth Ave. Summer St / L St Ch Charlesgate l Dartmouth St. Route 9 Crossing Route 9 Crossing World Series Path Arborway 2008 Charlesgate Connection Northeastern

920 views • 44 slides
Triple/Quadruple Patterning Layout Decomposition via Novel Linear Programming and Iterative

Triple/Quadruple Patterning Layout Decomposition via Novel Linear Programming and Iterative

The picture can't be displayed. Triple/Quadruple Patterning Layout Decomposition via Novel Linear Programming and Iterative Rounding Yibo Lin 1 , Xiaoqing Xu 1 , Bei Yu 2 , Ross Baldick 1 , David Z. Pan 1 1 ECE Department, University of Texas at

621 views • 25 slides
Mastering the DMA and IOMMU APIs Embedded Linux Conference Europe 2014 Dsseldorf Laurent

Mastering the DMA and IOMMU APIs Embedded Linux Conference Europe 2014 Dsseldorf Laurent

Mastering the DMA and IOMMU APIs Embedded Linux Conference Europe 2014 Dsseldorf Laurent Pinchart laurent.pinchart@ideasonboard.com DMA != DMA DMA != DMA (mapping) (engine) The topic we will focus on is how to manage system

1.45k views • 102 slides
Exploring image processing pipelines with scikit-image, joblib, ipywidgets and dash A bag of

Exploring image processing pipelines with scikit-image, joblib, ipywidgets and dash A bag of

Exploring image processing pipelines with scikit-image, joblib, ipywidgets and dash A bag of tricks for processing images faster Emmanuelle Gouillart joint Unit CNRS/Saint-Gobain SVI and the scikit-image team @EGouillart From images to science

446 views • 22 slides
ProtoDUNE Trigger Proposal Jonathon Sensenig Josh Klein, Nuno Barros, David Rivera 0 Trigger

ProtoDUNE Trigger Proposal Jonathon Sensenig Josh Klein, Nuno Barros, David Rivera 0 Trigger

ProtoDUNE Trigger Proposal Jonathon Sensenig Josh Klein, Nuno Barros, David Rivera 0 Trigger Generation and Distribution Triggers come primarily from 3 sub-systems SubSystem Triggers Trigger Beam Instrumentation (BI) Monitor CRT

314 views • 8 slides
Accurate Object Localization with Shape Masks Marcin Marszaek Cordelia Schmid LEAR, INRIA /

Accurate Object Localization with Shape Masks Marcin Marszaek Cordelia Schmid LEAR, INRIA /

Introduction Method description Experiments Summary Accurate Object Localization with Shape Masks Marcin Marszaek Cordelia Schmid LEAR, INRIA / LJK, Grenoble, France CVPR 2007 Marcin Marszaek, Cordelia Schmid Accurate Object

561 views • 34 slides
Building Chips Chips are made of silicon Aka sand The most adundant element in

Building Chips Chips are made of silicon Aka sand The most adundant element in

Building Chips Chips are made of silicon Aka sand The most adundant element in the earths crust. Extremely pure (&lt;1 part per billion) This is the purest stuff people make Building Chips Silicon wafers

345 views • 16 slides
HowFOSScanhelphuman tokeeptheirsanityduringa pandemiccrisis? Building better open source

HowFOSScanhelphuman tokeeptheirsanityduringa pandemiccrisis? Building better open source

HowFOSScanhelphuman tokeeptheirsanityduringa pandemiccrisis? Building better open source projects by Pauline Bourmeau (@Ko97551819) - Alexandre Dulaunoy (@adulau) June 29, 2020 Background During the lockdown, should we work on an obscure

617 views • 14 slides
Bit Manipulations Comp 1402/1002 Octal and Hex Constants Octal constant Nos. : Preceeded by 0

Bit Manipulations Comp 1402/1002 Octal and Hex Constants Octal constant Nos. : Preceeded by 0

Bit Manipulations Comp 1402/1002 Octal and Hex Constants Octal constant Nos. : Preceeded by 0 (zero) Hexadecimal constants : Preceeded by 0x int octalNum = 077; int decNum = 77; int hexNum = 0x77; 1 Bitwise Operators Name Operator

398 views • 18 slides

More recommend