Multiplicative Masking for AES in Hardware CHES 2018 Lauren De - - PowerPoint PPT Presentation

▶

Apr 09, 2023 43 likes •479 views

Multiplicative Masking for AES in Hardware CHES 2018 Lauren De Meyer, Oscar Reparaz, Begl Bilgin P ROBLEM : SIDE - CHANNEL ANALYSIS 2 S OLUTION : M ASKING 3 E XTRA P ROBLEM : G LITCHES ! 4 B OOLEAN M ASKING ! = # $ , # & , , # (

SLIDE 1

Multiplicative Masking for AES in Hardware

CHES 2018 Lauren De Meyer, Oscar Reparaz, Begül Bilgin

SLIDE 2

PROBLEM: SIDE-CHANNEL ANALYSIS

2

SLIDE 3

SOLUTION: MASKING

3

SLIDE 4

EXTRA PROBLEM: GLITCHES!

4

SLIDE 5

BOOLEAN MASKING

5

! = #$, #&, … , #( ⇔ # = *

+

#+

Tricky: Nonlinear functions

SLIDE 6

MUSEUM OF CRYPTO ART

6

Bilgin et al. De Cnudde et al. Gross et al. Moradi et al.

SLIDE 7

OUR RESULT:

7

1st order S-box:
2nd order S-box:

2348 GE 2432 GE 1685 GE De Cnudde et al. 2016 Gross et al. 2017 This Work 2018 4744 GE 4759 GE 3891 GE

0.71x 0.82x

SLIDE 8

HOW?

SLIDE 9

BACK TO THE BEGINNING

9

SubBytes ShiftRows MixColumns AddRoundKey

SLIDE 10

BACK TO THE BEGINNING

10

SubBytes ShiftRows MixColumns AddRoundKey Boolean → Multiplicative Multiplicative → Boolean Akkar-Giraud 2001 Genelle et al. 2010

SLIDE 11

PROBLEM

11

Akkar-Giraud 2001 Golić-Tymen 2002

The Zero Problem

! = #$, #&, … , #( ⇔ 0 = +

,

#, #, = 0

SLIDE 12

SOLUTION

12

Damgård-Keller 2010 Genelle et al. 2010

! " = $1 if " = 0 if " ≠ 0 1 1

GF Inversion !(") Akkar-Giraud 2001 Golić-Tymen 2002

SLIDE 13

MASKED GF INVERSION

13

! "

Boolean to Multiplicative Multiplicative to Boolean

Local Inversion

SLIDE 14

MASKED GF INVERSION

14

! "

Boolean to Multiplicative Multiplicative to Boolean

Local Inversion

SLIDE 15

FIRST-ORDER MASKED CONVERSIONS

15

!" #" #$ %$ %" !

'$ '$

( ( ( (

! = # ⊕ %

% #

SLIDE 16

FIRST-ORDER MASKED CONVERSIONS

16

!" #" #$ %$ %" !

'$ '$

( ( ( (

! = #$% ⋅ (( ⊕ *)

* ( #

1. Expansion

SLIDE 17

FIRST-ORDER MASKED CONVERSIONS

17

! " #

$ = #&' ⋅ (" ⊕ !)

2. Synchronization

SLIDE 18

FIRST-ORDER MASKED CONVERSIONS

18

! "

# = "%& ⋅ !

3. Compression

SLIDE 19

FIRST-ORDER MASKED CONVERSIONS

19

! "

# = "%& ⋅ ! #%& = " ⋅ !%&

⇔

3. Compression

SLIDE 20

FIRST-ORDER MASKED CONVERSIONS

20

!"# $

% = $"# ⋅ ! %"# = $ ⋅ !"#

⇔

SLIDE 21

FIRST-ORDER MASKED CONVERSIONS

21

! "

#$% = " ⋅ (! ⊕ *)

*

1. Expansion

SLIDE 22

FIRST-ORDER MASKED CONVERSIONS

22

! "

#$% = " ⋅ (! ⊕ *)

*

2. Synchronization

SLIDE 23

FIRST-ORDER MASKED CONVERSIONS

23

!

"#$ = ! ⊕ '

'

3. Compression

SLIDE 24

SECOND-ORDER MASKED CONVERSIONS

24

1 2 3 1 2 3 1 2 3 1 2 3

SLIDE 25

SECOND-ORDER MASKED CONVERSIONS

25

Extra Remasking Required 1 2 3 1 2 3 1 2 3 1 2 3

SLIDE 26

SECOND-ORDER MASKED CONVERSIONS

26

Extra Remasking Required Still only 1 inversion! 1 2 3 1 2 3 1 2 3 1 2 3

SLIDE 27

MASKED GF INVERSION

27

! "

Boolean to Multiplicative Multiplicative to Boolean

Local Inversion

SLIDE 28

MASKED KRONECKER DELTA

28 ! "# ! "$ ! "% ! "& ! "' ! "( ! ") ! "* +(") .

.0 .1 .

.3 .4 .5

6 7 = 79 7/ 70 71 72 73 74 75

SLIDE 29

AN INTERESTING OBSERVATION

29

Gross et al. 2016

!" = $"%" ⊕ $"%' ⊕ ( = $"% ⊕ ( !' = $'% ⊕ ( $" %" ( %' $'

× × × ×

!" !'

SLIDE 30

MASKED KRONECKER DELTA

30 ! "# ! "$ ! "% ! "& ! "' ! "( ! ") ! "* +(") .

.0 .1 .

.3 .4 .5

Independent of . Independent of .

SLIDE 31

MASKED KRONECKER DELTA

31 ! "# ! "$ ! "% ! "& ! "' ! "( ! ") ! "* +(") .

.0 .

.0 .1 .1 ⊕ .0 .

SLIDE 32

MASKED KRONECKER DELTA

32 ! "# ! "$ ! "% ! "& ! "' ! "( ! ") ! "* +(") .

/, .1, .2

.

3, .4, .5

.6, .7, .8 .

/9, . //, . /1

.6, .

//, .8 ⊕ . /1

.

/, .4, .2 ⊕ .5

.1 ⊕ .7, .

3 ⊕ . /9, . /2

SLIDE 33

MASKED GF INVERSION

33

! "

Boolean to Multiplicative Multiplicative to Boolean

Local Inversion No registers Precompute

SLIDE 34

RESULTS

SLIDE 35

S-BOX AREA

1st order:
2nd order:

2348 GE 2432 GE 1685 GE De Cnudde et al. 2016 Gross et al. 2017 This Work 2018 4744 GE 4759 GE 3891 GE

0.71x 0.82x

SLIDE 36

AES AREA

1st order:
2nd order:

7682 GE 7337 GE 6557 GE De Cnudde et al. 2016 Gross et al. 2017 This Work 2018 12640 GE 12024 GE 10931 GE

0.89x 0.91x

SLIDE 37

RANDOMNESS PER S-BOX

1st order:
2nd order:

De Cnudde et al. 2016 Gross et al. 2017 This Work 2018 ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ ⋅⋅⋅⋅⋅⋅ 54 ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ 18 ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ 19 ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ 54 ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ 53 ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ 162

SLIDE 38

LATENCY PER ENCRYPTION

De Cnudde et al. 2016 Gross et al. 2017 This Work 2018 # clock cycles 276 246 256

SLIDE 39

TVLA: 1ST ORDER AES

39 First Order Second Order

SLIDE 40

TVLA: 2ND ORDER AES

40 First Order Third Order

SLIDE 41

TVLA: BIVARIATE

41

200 400 600 800 1000 200 400 600 800 1000 5 10 15 20 25 30 35 40 45 200 400 600 800 1000 200 400 600 800 1000 5 10 15 20 25 30 35 40 45

SLIDE 42

ü Keep it Simple J ü Find inspiration in early works ü Push the limits:

ü Reuse Randomness ü Customize!

TAKE-AWAY

SLIDE 43