mixing additive and multiplicative masking for probing
play

Mixing Additive and Multiplicative Masking for Probing Secure - PowerPoint PPT Presentation

Jul 18, 2023 •180 likes •534 views

Introduction GPQ t-NI GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion Mixing Additive and Multiplicative Masking for Probing Secure Polynomial Evaluation Methods Axel Mathieu-Mahias and Michal Quisquater

  1. Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion Mixing Additive and Multiplicative Masking for Probing Secure Polynomial Evaluation Methods Axel Mathieu-Mahias and Michaël Quisquater University of Versailles (UVSQ) CHES’18 September . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 / 36

  2. Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion The Concept of Masking Side-channel analysis Information leak through physical leakages Data and physical leakages are dependent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2/16 2 / 36

  3. Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion The Concept of Masking Side-channel analysis Information leak through physical leakages Data and physical leakages are dependent The masking countermeasure Randomly split every variable into several shares 1 Secure the processing through internal operations 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2/16 3 / 36

  4. Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion The Concept of Masking Side-channel analysis Information leak through physical leakages Data and physical leakages are dependent The masking countermeasure Randomly split every variable into several shares 1 Secure the processing through internal operations 2 Higher-order masking More than 2 shares Sound countermeasure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2/16 4 / 36

  5. Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion About security The Probing Model [ISW03] ( x 1 , . . . , x d ) ( y 1 , . . . , y d ) Adversary observations Inputs Sec- Op 1 Ω = ( I 1 , I 2 , . . . I t ) Sec-Op 2 Internals Sec-Op 3 Probe Outputs ( z 1 , . . . , z d ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3/16 5 / 36

  6. Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion About security The Probing Model [ISW03] ( x 1 , . . . , x d ) ( y 1 , . . . , y d ) Adversary observations Inputs Sec- Op 1 Ω = ( I 1 , I 2 , . . . I t ) Sec-Op 2 Internals t -probing security Sec-Op 3 Probe Is any set of t observations Outputs independent of sensitive variables ? ( z 1 , . . . , z d ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3/16 6 / 36

  7. Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion About security The Probing Model [ISW03] ( x 1 , . . . , x d ) ( y 1 , . . . , y d ) Adversary observations Inputs Sec- Op 1 Ω = ( I 1 , I 2 , . . . I t ) Sec-Op 2 Internals t -probing security Sec-Op 3 Probe Is any set of t observations Outputs independent of sensitive variables ? ( z 1 , . . . , z d ) Two security notions : t-NI and t-SNI [BBDFG15] → t-SNI transformations can be composed safely ֒ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3/16 7 / 36

  8. Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion State of the Art of Masking S-boxes (Additive Masking) Split every variable x into d = t + 1 shares such that x 1 ⊕ x 2 ⊕ . . . ⊕ x d = x Processing of linear transformations : very efficient Processing of multiplications : much more expensive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4/16 8 / 36

  9. Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion State of the Art of Masking S-boxes (Additive Masking) Split every variable x into d = t + 1 shares such that x 1 ⊕ x 2 ⊕ . . . ⊕ x d = x Processing of linear transformations : very efficient Processing of multiplications : much more expensive AES : [RP10] S AES ( x ) : x �→ x 254 over F 2 8 Generic case : [CGPQR12] 2 n − 1 a i x i over F 2 n ∑ S ( x ) : x �→ i = 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4/16 9 / 36

  10. Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion State of the Art of Masking S-boxes Masking schemes in additive encoding FSE’12 : Carlet et al. CHES’13 : Roy and Vivek CHES’14 : Coron et al. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5/16 10 / 36

  11. Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion State of the Art of Masking S-boxes Masking schemes in additive encoding FSE’12 : Carlet et al. CHES’13 : Roy and Vivek CHES’14 : Coron et al. Masking schemes in other encodings CHES’11 : Prouff and Roche CRYPTO’15 : Carlet et al. EUROCRYPT’14 : Coron EUROCRYPT’15 : Balasch et al. CHES’16 : Goudarzi and Rivain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5/16 11 / 36

  12. Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion The use of several encodings simultaneously GPQ : masking scheme for power functions [GPQ11] Mixes additive and multiplicative masking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6/16 12 / 36

  13. Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion The use of several encodings simultaneously GPQ : masking scheme for power functions [GPQ11] Mixes additive and multiplicative masking The idea Linear transformations : efficient in additive masking Multiplications : efficient in multiplicative masking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6/16 13 / 36

  14. Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion The use of several encodings simultaneously GPQ : masking scheme for power functions [GPQ11] Mixes additive and multiplicative masking The idea Linear transformations : efficient in additive masking Multiplications : efficient in multiplicative masking The scheme Secure processing of a Dirac function ( Secure-dirac ) Transformations to switch from additive into multiplicative masking ( AMtoMM ) and conversely ( MMtoAM ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6/16 14 / 36

  15. b Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion GPQ : Masking Scheme for Power Functions x Sec-dirac ⊕ AMtoMM ( x + δ ( x )) α x α ⊕ MMtoAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7/16 15 / 36

  16. b Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion GPQ : Masking Scheme for Power Functions x Sec-dirac ⊕ AMtoMM ( x + δ ( x )) α x α ⊕ MMtoAM Our first contribution GPQ t-NI → GPQ t-SNI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7/16 16 / 36

  17. Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion Our approach and results Our Issue and Our Proposals How to extend GPQ to evaluate polynomials ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8/16 17 / 36

  18. Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion Our approach and results Our Issue and Our Proposals How to extend GPQ to evaluate polynomials ? Our issues Adding monomials : not efficient in multiplicative masking Converting every monomials back in additive masking before adding them : not efficient . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8/16 18 / 36

  19. Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion Our approach and results Our Issue and Our Proposals How to extend GPQ to evaluate polynomials ? Our issues Adding monomials : not efficient in multiplicative masking Converting every monomials back in additive masking before adding them : not efficient Our t-SNI proposals One method based on the cyclotomic method [CGPQR12] 1 One method based on our first proposal and the CRV 2 method [CRV14] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8/16 19 / 36

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun Goudarzi and Matthieu Rivain CHES 2016, Santa-Barbara Higher-Order Masking x = x 1 + x 2 + + x d 2/28 Higher-Order Masking x = x 1 + x 2 +

855 views • 42 slides
USING ARRAYS TO HELP CHILDREN MOVE FROM ADDITIVE TO MULTIPLICATIVE THINKING Sen Delaney

USING ARRAYS TO HELP CHILDREN MOVE FROM ADDITIVE TO MULTIPLICATIVE THINKING Sen Delaney

USING ARRAYS TO HELP CHILDREN MOVE FROM ADDITIVE TO MULTIPLICATIVE THINKING Sen Delaney American Educational Research Association New York City, 14 April 2018 2-D ARRAYS & MULTIPLICATION MATHEMATICS PROBLEM Our local cinema has 26 rows

369 views • 18 slides
Multiplicative Masking for AES in Hardware CHES 2018 Lauren De Meyer, Oscar Reparaz, Begl

Multiplicative Masking for AES in Hardware CHES 2018 Lauren De Meyer, Oscar Reparaz, Begl

Multiplicative Masking for AES in Hardware CHES 2018 Lauren De Meyer, Oscar Reparaz, Begl Bilgin P ROBLEM : SIDE - CHANNEL ANALYSIS 2 S OLUTION : M ASKING 3 E XTRA P ROBLEM : G LITCHES ! 4 B OOLEAN M ASKING ! = # $ , # & , , # (

473 views • 43 slides
Glitch-Resistant Masking Revisited or Why Proofs in the Robust Probing Model are Needed Thorben

Glitch-Resistant Masking Revisited or Why Proofs in the Robust Probing Model are Needed Thorben

Glitch-Resistant Masking Revisited or Why Proofs in the Robust Probing Model are Needed Thorben Moos 1 , Amir Moradi 1 , Tobias Schneider 2 and Franois-Xavier Standaert 2 Horst Grtz Institute for IT Security, Ruhr-Universitt Bochum,

694 views • 46 slides
Set covering with ordered replacement: Additive and Multiplicative gaps Laura Sanit` a

Set covering with ordered replacement: Additive and Multiplicative gaps Laura Sanit` a

Set covering with ordered replacement: Additive and Multiplicative gaps Laura Sanit` a Institute of Mathematics, EPFL, Lausanne, Switzerland Joint work with: F. Eisenbrand, N. Kakimura, T. Rothvo Aussois, 2011 General Set covering problem

1.07k views • 77 slides
Topic Bandwidth allocation models Additive Increase Multiplicative Decrease (AIMD) control

Topic Bandwidth allocation models Additive Increase Multiplicative Decrease (AIMD) control

Topic Bandwidth allocation models Additive Increase Multiplicative Decrease (AIMD) control law AIMD! Sawtooth CSE 461 University of Washington 1 Recall Want to allocate capacity to senders Network layer provides feedback

578 views • 56 slides
How to mask S-Boxes of a block cipher against side channel attacks. Focus on the AES. Micha el

How to mask S-Boxes of a block cipher against side channel attacks. Focus on the AES. Micha el

Introduction Masking based on Look-up tables How to mask (additively) basic operations? Method based on multiplicative masking Method based on Square and Multiply and addition chains Method based on the tower field representation

824 views • 54 slides
Privacy preserving data mining multiplicative perturbation techniques Li Xiong CS573 Data

Privacy preserving data mining multiplicative perturbation techniques Li Xiong CS573 Data

Privacy preserving data mining multiplicative perturbation techniques Li Xiong CS573 Data Privacy and Anonymity Outline Review and critique of randomization approaches (additive noise) Multiplicative data perturbations Rotation

526 views • 39 slides
Subgroups of the multiplicative group Greg Martin University of British Columbia joint work with

Subgroups of the multiplicative group Greg Martin University of British Columbia joint work with

Background, ( -)additive functions Results on I ( n ) and G ( n ) Outline of the proofs Subgroups of the multiplicative group Greg Martin University of British Columbia joint work with Lee Troupe Analytic Number Theory 2017 CMS Winter

841 views • 61 slides
Physical Defaults & the Robust Probing Model Sebastian Faust, Vincent Grosso, Santos Merino

Physical Defaults & the Robust Probing Model Sebastian Faust, Vincent Grosso, Santos Merino

Composable Masking Schemes in the Presence of Physical Defaults & the Robust Probing Model Sebastian Faust, Vincent Grosso, Santos Merino Del Pozo, Clara Paglialonga, Franois-Xavier Standaert TU Darmstadt (Germany), Radbout University

774 views • 39 slides
Local Fourier Uniformity July 9, 2019 The main question Question: Is the multiplicative and

Local Fourier Uniformity July 9, 2019 The main question Question: Is the multiplicative and

Local Fourier Uniformity July 9, 2019 The main question Question: Is the multiplicative and additive structure of the integers independent? Conjectural answer: Yes, up to minor local obstructions. The precise form of this answer is due to Chowla

869 views • 28 slides
Tight Private Circuits: Achieving Probing Security with the Least Refreshing Sonia Belaid,

Tight Private Circuits: Achieving Probing Security with the Least Refreshing Sonia Belaid,

Tight Private Circuits: Achieving Probing Security with the Least Refreshing Sonia Belaid, Dahmun Goudarzi, and Matthieu Rivain dahmun.goudarzi@pqshield.com 1 Side-Channel Attacks and Higher-Order Masking in 1 in 2 in 3

655 views • 52 slides
Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and Franois-Xavier Standaert UCL (Louvain-la-Neuve, Belgium) CHES 2017, Taipei, Taiwan Outline Background Masking Barthe et al. masking

614 views • 48 slides
Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on

Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on

Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on the spatial attribute type. Proposal part 2 Details of the masking attribute addition. Table 3-13 - S100_GF_SpatialAttributeType Role Name

558 views • 8 slides
Privacy Preserving Data Mining: Additive Data Perturbation Outline Input perturbation

Privacy Preserving Data Mining: Additive Data Perturbation Outline Input perturbation

Privacy Preserving Data Mining: Additive Data Perturbation Outline Input perturbation techniques Additive perturbation Multiplicative perturbation Privacy metrics Privacy metrics Summary Definition of dataset Column

280 views • 23 slides
Occultations for Probing for Probing Occultations Atmosphere and Climate: Atmosphere and

Occultations for Probing for Probing Occultations Atmosphere and Climate: Atmosphere and

I nstitute for G eophysics, A strophysics, and M eteorology / U niversity of G raz A tmospheric R emote S ensing and Cli mate Sys tem Research Group ARSCliSys on the art of understanding the climate system Occultations for Probing for Probing

570 views • 12 slides
Weighted boundedness of multilinear maximal function using Dirac deltas Abhishek Ghosh (Joint

Weighted boundedness of multilinear maximal function using Dirac deltas Abhishek Ghosh (Joint

Weighted boundedness of multilinear maximal function using Dirac deltas Abhishek Ghosh (Joint work with Prof. Saurabh Shrivastava and Kalachand Shuin) Indian Institute of Technology Kanpur, India May 20-24, 2019 Abhishek Ghosh (Joint work with

387 views • 36 slides
Outline Scheidegger Networks Networks Scheidegger NetworksA Bonus First return First

Outline Scheidegger Networks Networks Scheidegger NetworksA Bonus First return First

Scheidegger Outline Scheidegger Networks Networks Scheidegger NetworksA Bonus First return First return random walk random walk Calculation References References Complex Networks, Course 295A, Spring, 2008 First return random walk

468 views • 3 slides
CS480/680 Machine Learning Lecture 6: January 23 st , 2020 Maximum A posteriori & Maximum

CS480/680 Machine Learning Lecture 6: January 23 st , 2020 Maximum A posteriori & Maximum

CS480/680 Machine Learning Lecture 6: January 23 st , 2020 Maximum A posteriori & Maximum Likelihood Zahra Sheikhbahaee Sources: A Tutorial on Energy Based Learning University of Waterloo CS480/680 Winter 2020 Zahra Sheikhbahaee Outline

702 views • 17 slides
DIFFRACTION at the LHC Lszl Jenkovszky, Kiev, jenk@bitp.kiev.ua Some open questions: 0)

DIFFRACTION at the LHC Lszl Jenkovszky, Kiev, jenk@bitp.kiev.ua Some open questions: 0)

LISHEP, March 2013, Rio de Janeiro DIFFRACTION at the LHC Lszl Jenkovszky, Kiev, jenk@bitp.kiev.ua Some open questions: 0) Definition of diffraction: rapidity gap vs. P exchange; 1) The ratio between SD, DD and CD? 2) Integrated cross

606 views • 41 slides
Chapter 17 Network Flow VI - Min-Cost Flow Applications CS 573: Algorithms, Fall 2013 October

Chapter 17 Network Flow VI - Min-Cost Flow Applications CS 573: Algorithms, Fall 2013 October

Chapter 17 Network Flow VI - Min-Cost Flow Applications CS 573: Algorithms, Fall 2013 October 24, 2013 17.0.0.1 Lemma decomposing flow into cycles Lemma 17.0.1. f :a circulation in G . Then, f can be decomposed into m cycles, C 1 , . . . ,

315 views • 9 slides
Dark Matter Experimental Direct Detection Summary Javier Tiffenberg Fermi National Laboratory

Dark Matter Experimental Direct Detection Summary Javier Tiffenberg Fermi National Laboratory

Dark Matter Experimental Direct Detection Summary Javier Tiffenberg Fermi National Laboratory June 20, 2018 1 51st Annual Users Meeting June 20, 2018 Fermilab DM - Direct Detection landscape for 2018+ Standard WIMP Nuclear recoil CDMS, LZ

183 views • 15 slides
ADVANCED TOPICS ON VIDEO PROCESSING Image Spatial Processing Image Spatial Processing FILTERING

ADVANCED TOPICS ON VIDEO PROCESSING Image Spatial Processing Image Spatial Processing FILTERING

ADVANCED TOPICS ON VIDEO PROCESSING Image Spatial Processing Image Spatial Processing FILTERING EXAMPLES FILTERING EXAMPLES FOURIER INTERPRETATION FOURIER INTERPRETATION FILTERING EXAMPLES FILTERING EXAMPLES FOURIER INTERPRETATION FOURIER

925 views • 67 slides
Convolutional Neural Networs for Image Classification Marcello Pelillo University of Venice,

Convolutional Neural Networs for Image Classification Marcello Pelillo University of Venice,

Convolutional Neural Networs for Image Classification Marcello Pelillo University of Venice, Italy Image and Video Understanding a.y. 2018/19 The Age of Deep Learning The Deep Learning Philosophy Learn a feature hierarchy all

1.14k views • 54 slides

More recommend