Multiplicative Masking for AES in Hardware CHES 2018 Lauren De - PowerPoint PPT Presentation

Multiplicative Masking for AES in Hardware CHES 2018 Lauren De Meyer, Oscar Reparaz, Begül Bilgin

P ROBLEM : SIDE - CHANNEL ANALYSIS 2

S OLUTION : M ASKING 3

E XTRA P ROBLEM : G LITCHES ! 4

B OOLEAN M ASKING ! = # $ , # & , … , # ( ⇔ # = * # + + Tricky: Nonlinear functions 5

M USEUM OF C RYPTO A RT Moradi et al. Bilgin et al. De Cnudde et al. 6 Gross et al.

O UR R ESULT : De Cnudde et al. Gross et al. This Work 2016 2017 2018 • 1 st order S-box: 2348 GE 2432 GE 1685 GE 0.71x • 2 nd order S-box: 0.82x 4744 GE 3891 GE 4759 GE 7

H OW ?

B ACK TO THE B EGINNING SubBytes ShiftRows MixColumns AddRoundKey 9

B ACK TO THE B EGINNING Akkar-Giraud 2001 SubBytes Multiplicative Boolean → Multiplicative → Boolean ShiftRows MixColumns AddRoundKey Genelle et al. 2010 10

P ROBLEM Akkar-Giraud 2001 Golić-Tymen 2002 The Zero Problem ! = # $ , # & , … , # ( ⇔ 0 = + # , , # , = 0 11

S OLUTION Damgård-Keller 2010 Akkar-Giraud 2001 Golić-Tymen 2002 Genelle et al. 2010 ! " = $1 if " = 0 0 if " ≠ 0 !(") 1 1 0 0 GF Inversion 12

M ASKED GF I NVERSION Boolean to Multiplicative Local Inversion Multiplicative to Boolean ! " 13

M ASKED GF I NVERSION Boolean to Multiplicative Local Inversion Multiplicative to Boolean ! " 14

F IRST -O RDER M ASKED C ONVERSIONS ! = # ⊕ % % " ! " '$ % $ % $ % '$ & # " # $ # & # $ ! # " $ ( ( ( ( 15

F IRST -O RDER M ASKED C ONVERSIONS ! = # $% ⋅ (( ⊕ *) % " # ! " '$ % $ % $ * '$ & # " # $ ( & # $ ! # " $ ( ( ( ( 1. Expansion 16

F IRST -O RDER M ASKED C ONVERSIONS $ = # &' ⋅ (" ⊕ !) # ! " 2. Synchronization 17

F IRST -O RDER M ASKED C ONVERSIONS # = " %& ⋅ ! " ! 3. Compression 18

F IRST -O RDER M ASKED C ONVERSIONS # = " %& ⋅ ! # %& = " ⋅ ! %& ⇔ " ! 3. Compression 19

F IRST -O RDER M ASKED C ONVERSIONS % = $ "# ⋅ ! % "# = $ ⋅ ! "# ⇔ $ ! "# 20

F IRST -O RDER M ASKED C ONVERSIONS # $% = " ⋅ (! ⊕ *) " ! * 1. Expansion 21

F IRST -O RDER M ASKED C ONVERSIONS # $% = " ⋅ (! ⊕ *) " ! * 2. Synchronization 22

F IRST -O RDER M ASKED C ONVERSIONS " #$ = ! ⊕ ' ! ' 3. Compression 23

S ECOND -O RDER M ASKED C ONVERSIONS 3 1 2 1 2 3 1 2 1 2 3 3 24

S ECOND -O RDER M ASKED C ONVERSIONS 3 1 2 1 2 3 1 2 1 2 3 3 Extra Remasking Required 25

S ECOND -O RDER M ASKED C ONVERSIONS 3 1 2 1 2 3 1 2 1 2 3 3 Still only 1 inversion! Extra Remasking Required 26

M ASKED GF I NVERSION Boolean to Multiplicative Local Inversion Multiplicative to Boolean ! " 27

M ASKED K RONECKER D ELTA . / ! " # . 3 ! " $ . 0 ! " % . 5 ! " & . 1 +(") ! " ' . 4 " ( ! . 2 ! " ) " * ! 6 7 = 7 9 7 / 7 0 7 1 7 2 7 3 7 4 7 5 28

A N I NTERESTING O BSERVATION $ " % " ( % ' $ ' ! " = $ " % " ⊕ $ " % ' ⊕ ( = $ " % ⊕ ( × × × × ! ' = $ ' % ⊕ ( ! " ! ' Gross et al. 2016 29

M ASKED K RONECKER D ELTA . / ! " # Independent of . . 3 0 ! " $ . 0 ! " % . 5 " & ! . 1 +(") " ' ! . 4 " ( ! . 2 ! " ) Independent of . ! " * 2 30

M ASKED K RONECKER D ELTA . / ! " # . 1 ! " $ . 0 ! " % . / ! " & . +(") / " ' ! . 1 ⊕ . 0 " ( ! . 0 ! " ) ! " * 31

M ASKED K RONECKER D ELTA . / , . 1 , . 2 " # ! . 6 , . // , . 8 ⊕ . /1 ! " $ . 3 , . 4 , . 5 ! " % . 1 ⊕ . 7 , . 3 ⊕ . /9 , . /2 ! " & . 6 , . 7 , . 8 +(") ! " ' . / , . 4 , . 2 ⊕ . 5 " ( ! . /9 , . // , . /1 ! " ) " * ! 32

M ASKED GF I NVERSION No registers Boolean to Multiplicative Local Inversion Multiplicative to Boolean ! " Precompute 33

R ESULTS

S- BOX A REA De Cnudde et al. Gross et al. This Work 2016 2017 2018 • 1 st order: 2348 GE 2432 GE 1685 GE 0.71x • 2 nd order: 0.82x 4744 GE 3891 GE 4759 GE 35

AES A REA De Cnudde et al. Gross et al. This Work 2016 2017 2018 • 1 st order: 7682 GE 7337 GE 6557 GE 0.89x • 2 nd order: 0.91x 10931 GE 12640 GE 12024 GE 36

R ANDOMNESS P ER S- BOX De Cnudde et al. Gross et al. This Work 2016 2017 2018 ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ • 1 st order: ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ ⋅⋅⋅⋅⋅⋅ 54 18 19 ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ • 2 nd order: ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ 162 54 53 37

L ATENCY P ER E NCRYPTION De Cnudde et al. Gross et al. This Work 2016 2017 2018 246 256 276 # clock cycles 38

TVLA: 1 ST ORDER AES First Order Second Order 39

TVLA: 2 ND ORDER AES First Order Third Order 40

TVLA: B IVARIATE 1000 45 1000 45 40 40 800 800 35 35 30 30 600 600 25 25 20 20 400 400 15 15 10 10 200 200 5 5 0 0 200 400 600 800 1000 200 400 600 800 1000 41

T AKE -A WAY ü Keep it Simple J ü Find inspiration in early works ü Push the limits: ü Reuse Randomness ü Customize! 42

Thank You