protecting aes with shamir s secret sharing scheme
play

Protecting AES with Shamirs Secret Sharing Scheme Louis Goubin and - PowerPoint PPT Presentation

Mar 02, 2023 •289 likes •647 views

Introduction Description of the scheme Complexity analysis Security analysis Conclusion Protecting AES with Shamirs Secret Sharing Scheme Louis Goubin and Ange Martinelli CHES 2011, September 29, Nara Japan 1/26 grid Introduction

  1. Introduction Description of the scheme Complexity analysis Security analysis Conclusion Protecting AES with Shamir’s Secret Sharing Scheme Louis Goubin and Ange Martinelli CHES 2011, September 29, Nara Japan 1/26

  2. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Outline 1 Introduction Context Shamir’s secret sharing scheme 2 Description of the scheme Core Idea Masking AES: SSS masking scheme 3 Complexity analysis Complexity of operations Overall complexity 4 Security analysis Information Theoretic Analysis Higher-Order DPA Evaluation Attack simulations 5 Conclusion 2/26

  3. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Outline 1 Introduction Context Shamir’s secret sharing scheme 2 Description of the scheme Core Idea Masking AES: SSS masking scheme 3 Complexity analysis Complexity of operations Overall complexity 4 Security analysis Information Theoretic Analysis Higher-Order DPA Evaluation Attack simulations 5 Conclusion 3/26

  4. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Context Block ciphers are vulnerable to SCA. � d -th order boolean masking is the most implemented. � Improve security of masking schemes against SCA: � 4/26

  5. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Context Block ciphers are vulnerable to SCA. � d -th order boolean masking is the most implemented. � Improve security of masking schemes against SCA: � Increase the order d of the masking. ∗ + : Security of d O-masking grows exponentially with d due to intrinsic leakage noise [ChariJutlaRaoRohatgi99] ∗ – : Efficiency of d O-masking quickly decreases with d 4/26

  6. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Context Block ciphers are vulnerable to SCA. � d -th order boolean masking is the most implemented. � Improve security of masking schemes against SCA: � Increase the order d of the masking. ∗ + : Security of d O-masking grows exponentially with d due to intrinsic leakage noise [ChariJutlaRaoRohatgi99] ∗ – : Efficiency of d O-masking quickly decreases with d Complicate the relation between the masks and the masked variable. ⇒ this work 4/26

  7. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Shamir’s secret sharing scheme a 0 secret. � P is a polynomial s.t. � P ( x ) = a d · x d + a d − 1 · x d − 1 + · · · + a 1 · x + a 0 Each user i has ( x i , y i = P ( x i )) x i � =0 � Reconstruction: � d � a 0 = y i · β i 0 d − x j � where β i = . x i − x j j =0 , j � = i 5/26

  8. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Outline 1 Introduction Context Shamir’s secret sharing scheme 2 Description of the scheme Core Idea Masking AES: SSS masking scheme 3 Complexity analysis Complexity of operations Overall complexity 4 Security analysis Information Theoretic Analysis Higher-Order DPA Evaluation Attack simulations 5 Conclusion 6/26

  9. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion d -th order masking scheme Each sensitive variable b is shared as � ( x i , y i ) i =0 .. d We only manipulate pairs ( x i , y i ) � The cipher text c verifies: � d � y final c = · β i i 0 where ( x i , y final ) is the output of the last round. i 7/26

  10. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Masking linear layers AddRoundKey, ShiftRows, MixColumns computed using linear � operations. Let u ∈ GF(256) shared as ( x i , u i ) i =0 .. d , v ∈ GF(256) � 8/26

  11. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Masking linear layers AddRoundKey, ShiftRows, MixColumns computed using linear � operations. Let u ∈ GF(256) shared as ( x i , u i ) i =0 .. d , v ∈ GF(256) � → ( x ′ i , y ′ b ⊕ v i ) = ( x i , y i ⊕ v ) 8/26

  12. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Masking linear layers AddRoundKey, ShiftRows, MixColumns computed using linear � operations. Let u ∈ GF(256) shared as ( x i , u i ) i =0 .. d , v ∈ GF(256) � → ( x ′ i , y ′ b ⊕ v i ) = ( x i , y i ⊕ v ) → ( x ′ i , y ′ b ⊕ u i ) = ( x i , y i ⊕ u i ) 8/26

  13. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Masking linear layers AddRoundKey, ShiftRows, MixColumns computed using linear � operations. Let u ∈ GF(256) shared as ( x i , u i ) i =0 .. d , v ∈ GF(256) � → ( x ′ i , y ′ b ⊕ v i ) = ( x i , y i ⊕ v ) → ( x ′ i , y ′ b ⊕ u i ) = ( x i , y i ⊕ u i ) → ( x ′ i , y ′ b · v i ) = ( x i , y i · v ) 8/26

  14. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Masking AES Sbox SubByte can be derived from [RivainProuff10] using � x − 1 = x 254 . Secure square: linear over GF(256): � b 2 → ( x ′ i , y ′ i ) = ( x 2 i , y i 2 ) x ′ i � = x i ⇒ need a RefreshMasks operation. � � Secure multiplication: product of 2 degree d polynomials ⇒ polynomial of degree 2 d 9/26

  15. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion RefreshMasks operation Derived from [Ben-OrGoldwasserWigderson88] � Sharing each share Reconstructing original value Algorithm 1 RefreshMasks Input: Shared representation of b , ( α i , y i ) i =0 .. d , chosen ( x i ) i =0 .. d , t such that α i = x 2 t i Output: Shared representation of b , ( x i , y ′ i ) i =0 .. d 1. for i = 0 to d do i ← β 2 t β ′ 2. i 3. Share y i in ( x j , z i j ) j =0 .. d 4. for i = 0 to d do   d � ( x i , y ′ β ′ 5. i ) ←  x i , j · z j i  j =0 6. return ( x i , y ′ i ) i =0 .. d 10/26

  16. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Masking the field multiplication Two possibilities: � Adapt SMC algorithm of [Ben-OrGoldwasserWigderson88] 1 ⇒ huge complexity Provide a new algorithm exploiting the SCA context ⇒ loss of known security proof 1 see full version at http://eprint.iacr.org/2011/516.pdf 11/26

  17. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Masking the field multiplication Two possibilities: � Adapt SMC algorithm of [Ben-OrGoldwasserWigderson88] 1 ⇒ huge complexity Provide a new algorithm exploiting the SCA context ⇒ loss of known security proof ⇒ our choice. Idea : truncate the degree 2 d polynomial to degree d � 1 see full version at http://eprint.iacr.org/2011/516.pdf 11/26

  18. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Masking the field multiplication Let β j , k ( x ) be defined as: � d x − x l � β j ( x ) = . x j − x l l =0 , l � = j β j ( x ) · β k ( x ) = α 2 d x 2 d + · · · + α d x d + · · · + α 1 x + α 0 Then β j , k ( x ) = β k , j ( x ) = α d x d + · · · + α 1 x + α 0 . d d � � P ( x ) = y j · u k · β j , k ( x ) verifies: � j =0 k =0 degree ( P ) = d P (0) = b · u ∀ x ∈ { x i } i =0 .. d , P ( x i ) = y ′ i 12/26

  19. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Masking the field multiplication Algorithm 2 Share multiplication SecMult Input: Shared representation of b , ( x i , y i ) i =0 .. d and u , ( x i , u i ) i =0 .. d Output: Shares ( x i , y ′ i ) i =0 .. d representing the product of b and u 1. for j = 0 to d do 2. for k = 0 to d do 3. z j , k ← y j · u k 4. for i = 0 to d do     d d � � � ( x i , y ′  + 5. i ) ←  x i , ( z j , k ⊕ z k , j ) · β j , k ( x i ) z j , j · β j , j ( x i )   j =1 0 ≤ k < j j =0 6. return ( x i , y ′ i ) i =0 .. d 13/26

  20. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Intuition of security Intuitively we have � One needs at least d + 1 shares to define a polynomial of degree d , β j , k ( x i ) is independent of any secret, y j · u k does not leak more information on b (resp. u ) than the knowledge of y j (resp. u k ), No easy security proof for SecMult a order d : open work. � 14/26

  21. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Outline 1 Introduction Context Shamir’s secret sharing scheme 2 Description of the scheme Core Idea Masking AES: SSS masking scheme 3 Complexity analysis Complexity of operations Overall complexity 4 Security analysis Information Theoretic Analysis Higher-Order DPA Evaluation Attack simulations 5 Conclusion 15/26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Advanced Tools from Modern Cryptography Lecture 3 Secret-Sharing (ctd.) Secret-Sharing Last

Advanced Tools from Modern Cryptography Lecture 3 Secret-Sharing (ctd.) Secret-Sharing Last

Advanced Tools from Modern Cryptography Lecture 3 Secret-Sharing (ctd.) Secret-Sharing Last time (n,t) secret-sharing (n,n) via additive secret-sharing Shamir secret-sharing for general (n,t) Shamir secret-sharing is a linear

611 views • 14 slides
Secret Sharing See: Shamir, How to Share a Secret , CACM, Vol. 22, No. 11, November 1979, pp.

Secret Sharing See: Shamir, How to Share a Secret , CACM, Vol. 22, No. 11, November 1979, pp.

Secret Sharing See: Shamir, How to Share a Secret , CACM, Vol. 22, No. 11, November 1979, pp. 612613 Eli Biham - May 3, 2005 c 497 Secret Sharing (17) How to Keep a Secret Key Securely Information can be secured by encryption under a

597 views • 23 slides
Secret Sharing and Visual Cryptography Outline Secret Sharing Visual Secret Sharing

Secret Sharing and Visual Cryptography Outline Secret Sharing Visual Secret Sharing

Secret Sharing and Visual Cryptography Outline Secret Sharing Visual Secret Sharing Constructions Moir Cryptography Issues Secret Sharing Secret Sharing Threshold Secret Sharing (Shamir, Blakely 1979) Motivation

1.32k views • 62 slides
Secret Sharing Using Non-Commutative Groups Bren Cavallo The Graduate Center, CUNY 5/30/2013

Secret Sharing Using Non-Commutative Groups Bren Cavallo The Graduate Center, CUNY 5/30/2013

Secret Sharing Using Non-Commutative Groups Bren Cavallo The Graduate Center, CUNY 5/30/2013 Outline 1. Introduction 2. Shamir Secret Sharing and Habeeb-Kahrobaei-Shpilrain secret sharing 3. Adjustments to HKS secret sharing and analysis

444 views • 27 slides
A Latin square autotopism secret sharing scheme Talk by Rebecca J. Stones Co-authors: Ming Su,

A Latin square autotopism secret sharing scheme Talk by Rebecca J. Stones Co-authors: Ming Su,

A Latin square autotopism secret sharing scheme Talk by Rebecca J. Stones Co-authors: Ming Su, Xiaoguang Liu, Gang Wang, (Nankai University) and Sheng Lin (Tianjin University of Technology). September 12, 2014 Secret sharing schemes Secret

1.43k views • 86 slides
Vector Space Secret Sharing Scheme Mustafa Atici Western Kentucky University Department of

Vector Space Secret Sharing Scheme Mustafa Atici Western Kentucky University Department of

Vector Space Secret Sharing Scheme Mustafa Atici Western Kentucky University Department of Mathematics and Computer Science 52 MIGHTY Conference, Indiana State University, Terre Haute IN. April 27-28, 2012 Mustafa Atici Secret Sharing Scheme

461 views • 21 slides
Homomorphic Secret Sharing for Low Degree Polynomials Russell W. F. Lai, Giulio Malavolta , and

Homomorphic Secret Sharing for Low Degree Polynomials Russell W. F. Lai, Giulio Malavolta , and

Homomorphic Secret Sharing for Low Degree Polynomials Russell W. F. Lai, Giulio Malavolta , and Dominique Schrder Friedrich-Alexander University Erlangen-Nrnberg Homomorphic Secret Sharing A secret-sharing scheme allows a client to share his

247 views • 14 slides
Efficient Leakage-Resilient Secret Sharing Peihan Miao Akshayaram Srinivasan Prashant Nalini

Efficient Leakage-Resilient Secret Sharing Peihan Miao Akshayaram Srinivasan Prashant Nalini

Efficient Leakage-Resilient Secret Sharing Peihan Miao Akshayaram Srinivasan Prashant Nalini Vasudevan UC Berkeley Secret Sharing [Shamir 79, Blakley 79] Share 1 , , Reconstruction: Given at least

1.45k views • 20 slides
Adi Shamir, How to Share a Secret, CACM November 1979 CACM , November 1979. 2/23/2017

Adi Shamir, How to Share a Secret, CACM November 1979 CACM , November 1979. 2/23/2017

2/23/2017 Adi Shamir, How to Share a Secret, CACM November 1979 CACM , November 1979. 2/23/2017 Secret shares (S. S. Lam) 1 1 2/23/2017 How to share a secret [Shamir 1979] ( K N ) th ( K , N ) threshold scheme h ld h Secret D is

570 views • 8 slides
Homomorphic Secret Sharing II Homomorphic Secret Sharing for Branching Programs Under DDH Ele:e

Homomorphic Secret Sharing II Homomorphic Secret Sharing for Branching Programs Under DDH Ele:e

Homomorphic Secret Sharing II Homomorphic Secret Sharing for Branching Programs Under DDH Ele:e Boyle Niv Gilboa Yuval Ishai IDC BGU Technion &amp; UCLA Secure ComputaGon Approaches Classical

342 views • 33 slides
Breaking the Circuit-Size Barrier in Secret Sharing Tianren Liu Vinod Vaikuntanathan MIT MIT

Breaking the Circuit-Size Barrier in Secret Sharing Tianren Liu Vinod Vaikuntanathan MIT MIT

Breaking the Circuit-Size Barrier in Secret Sharing Tianren Liu Vinod Vaikuntanathan MIT MIT 50th ACM Symposium on Theory of Computing June 27, 2018 Secret Sharing [Blakley79,Shamir79,Ito-Saito-Nishizeki87] Secret Secret Sharing

790 views • 75 slides
Today. Polynomials. Secret Sharing. A secret! I have a secret! A number from 0 to 10. What is

Today. Polynomials. Secret Sharing. A secret! I have a secret! A number from 0 to 10. What is

Today. Polynomials. Secret Sharing. A secret! I have a secret! A number from 0 to 10. What is it? Any one of you knows nothing! Any two of you can figure it out! Example Applications: Nuclear launch: need at least 3 out of 5 people to

513 views • 23 slides
Towards Breaking the Exponential Barrier for General Secret Sharing Tianren Liu Vinod

Towards Breaking the Exponential Barrier for General Secret Sharing Tianren Liu Vinod

Towards Breaking the Exponential Barrier for General Secret Sharing Tianren Liu Vinod Vaikuntanathan Hoeteck Wee MIT MIT CNRS and ENS May 6, 2018 Secret Sharing [Blakley79,Shamir79,Ito-Saito-Nishizeki87] Secret s { 0 , 1 }

1.02k views • 85 slides
CS 166: Information Security Secret Sharing, Random Numbers, and Information Hiding Prof. Tom

CS 166: Information Security Secret Sharing, Random Numbers, and Information Hiding Prof. Tom

CS 166: Information Security Secret Sharing, Random Numbers, and Information Hiding Prof. Tom Austin San Jos State University Secret Sharing: Motivation Goal: make secret available, but make it hard to peek. Divide secret among

731 views • 48 slides
On the Local Leakage Resilience of Linear Secret Sharing Schemes Linear Secret Sharing Schemes

On the Local Leakage Resilience of Linear Secret Sharing Schemes Linear Secret Sharing Schemes

On the Local Leakage Resilience of Linear Secret Sharing Schemes Linear Secret Sharing Schemes Akshay Degwekar (MIT) Joint with Fabrice Benhamouda (IBM Research), Yuval Ishai (Technion) and Tal Rabin (IBM Research) Leakage attacks can be

547 views • 30 slides
Securing Secret Sharing Against Leakage and Tampering Ashutosh Kumar Based on joint works with

Securing Secret Sharing Against Leakage and Tampering Ashutosh Kumar Based on joint works with

Securing Secret Sharing Against Leakage and Tampering Ashutosh Kumar Based on joint works with Vipul Goyal, Raghu Meka, and Amit Sahai Secret Sharing secret s n s 1 s i Correctness: Any out of parties can

1.72k views • 144 slides
Smart Technologies for Urban Resilience Samantha StrattonShort International Development Arup

Smart Technologies for Urban Resilience Samantha StrattonShort International Development Arup

Means of Implementation for accelerating local governance progress towards resilience Smart Technologies for Urban Resilience Samantha StrattonShort International Development Arup Smart | Cities | Resilience Digital Technology (data and

331 views • 14 slides
Presentation April 9, 2019 2 Cautionary statement Forward-Looking Information This presentation

Presentation April 9, 2019 2 Cautionary statement Forward-Looking Information This presentation

Investor Presentation April 9, 2019 2 Cautionary statement Forward-Looking Information This presentation contains forward-looking information about Dollaramas results, levels of activity, performance, goals or achievements which is based on

486 views • 30 slides
EARNINGS PRESENTATION SECOND QUARTER 2013 July 30, 2013 This material was prepared solely for

EARNINGS PRESENTATION SECOND QUARTER 2013 July 30, 2013 This material was prepared solely for

EARNINGS PRESENTATION SECOND QUARTER 2013 July 30, 2013 This material was prepared solely for informational purposes and is not to be construed as a solicitation or an offer to buy or sell any securities. This presentation may include

308 views • 9 slides
Utilizing TRIO to Enhance the First-Year Experience Ashyya Robinson &amp; Jazmine Thompson

Utilizing TRIO to Enhance the First-Year Experience Ashyya Robinson &amp; Jazmine Thompson

Utilizing TRIO to Enhance the First-Year Experience Ashyya Robinson &amp; Jazmine Thompson |Berea College National Conference on Students in Transition October 23, 2017 | Costa Mesa, CA Learning Objectives Introduce Berea College's

264 views • 24 slides
Academic Makeover XTREME STRUCTURED SUPPORT FOR GREATER STUDENT ENGAGEMENT North Central Texas

Academic Makeover XTREME STRUCTURED SUPPORT FOR GREATER STUDENT ENGAGEMENT North Central Texas

qep: Project Xtreme Academic Makeover XTREME STRUCTURED SUPPORT FOR GREATER STUDENT ENGAGEMENT North Central Texas College www.nctc.edu North Central Texas College Project Xtreme: Foundation To transform students academic behaviors and

443 views • 23 slides
How to give good seminar presentations some hints Friedemann Mattern , ETH Zurich February

How to give good seminar presentations some hints Friedemann Mattern , ETH Zurich February

How to give good seminar presentations some hints Friedemann Mattern , ETH Zurich February 2018 Good seminar presentations why should we care? Presentation skills are required in professional life Present yourself, your research,

449 views • 30 slides
Excellence in Stakeholder Relations Who is a stakeholder? ...is any person, group or

Excellence in Stakeholder Relations Who is a stakeholder? ...is any person, group or

Excellence in Stakeholder Relations Who is a stakeholder? ...is any person, group or organization who can place a claim on an organizations attention, resources or output, or is affected by that output. He has a stake in the organization.

415 views • 30 slides
WWW.NARCRMS.ORG May 23, 2019 The Economic Impact of Multiple Sclerosis: A Preliminary Look at

WWW.NARCRMS.ORG May 23, 2019 The Economic Impact of Multiple Sclerosis: A Preliminary Look at

WWW.NARCRMS.ORG May 23, 2019 The Economic Impact of Multiple Sclerosis: A Preliminary Look at the North American Registry for Care and Research in Multiple Sclerosis (NARCRMS) May 23, 2019 Terrie Livingston, PharmD, EMD Serono; Yang

111 views • 9 slides

More recommend