provably secure higher order masking of aes
play

Provably Secure Higher-Order Masking of AES Matthieu Rivain - PowerPoint PPT Presentation

Dec 28, 2022 •319 likes •1.1k views

Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts Oberthur CHES 2010, Santa Barbara, Aug. 20 th CHES 2010 Provably Secure Higher-Order Masking of AES Outline 1 Introduction Higher-Order

  1. Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts Oberthur CHES 2010, Santa Barbara, Aug. 20 th CHES 2010 – Provably Secure Higher-Order Masking of AES

  2. Outline 1 � Introduction � Higher-Order Masking � ISW Scheme (CRYPTO’03) 2 � Our Scheme � Masking the S-box � Masking the Whole AES � Security � Implementation Results 3 � Conclusion CHES 2010 – Provably Secure Higher-Order Masking of AES

  3. Outline 1 � Introduction � Higher-Order Masking � ISW Scheme (CRYPTO’03) 2 � Our Scheme � Masking the S-box � Masking the Whole AES � Security � Implementation Results 3 � Conclusion CHES 2010 – Provably Secure Higher-Order Masking of AES

  4. Higher-Order Masking Basic principle � Every key-dependent variable x is shared into d + 1 variables ⊥ x 0 ⊥ x 1 ⊥ · · · ⊥ x d = x ⊥ CHES 2010 – Provably Secure Higher-Order Masking of AES

  5. Higher-Order Masking Basic principle � Every key-dependent variable x is shared into d + 1 variables ⊥ x 0 ⊕ x 1 ⊕ · · · ⊕ x d = x ⊥ CHES 2010 – Provably Secure Higher-Order Masking of AES

  6. Higher-Order Masking Basic principle � Every key-dependent variable x is shared into d + 1 variables ⊥ x 0 ⊕ x 1 ⊕ · · · ⊕ x d = x ⊥ � The masks ( i ≥ 1 ): x i ← $ CHES 2010 – Provably Secure Higher-Order Masking of AES

  7. Higher-Order Masking Basic principle � Every key-dependent variable x is shared into d + 1 variables ⊥ x 0 ⊕ x 1 ⊕ · · · ⊕ x d = x ⊥ � The masks ( i ≥ 1 ): x i ← $ � The masked variable : x 0 ← x ⊕ x 1 ⊕ · · · ⊕ x d CHES 2010 – Provably Secure Higher-Order Masking of AES

  8. Higher-Order Masking Basic principle � Every key-dependent variable x is shared into d + 1 variables ⊥ x 0 ⊕ x 1 ⊕ · · · ⊕ x d = x ⊥ � The masks ( i ≥ 1 ): x i ← $ � The masked variable : x 0 ← x ⊕ x 1 ⊕ · · · ⊕ x d � Note: equiv. d + 1 out of d + 1 secret sharing of x CHES 2010 – Provably Secure Higher-Order Masking of AES

  9. Higher-Order Masking Basic principle � Every key-dependent variable x is shared into d + 1 variables ⊥ x 0 ⊕ x 1 ⊕ · · · ⊕ x d = x ⊥ � The masks ( i ≥ 1 ): x i ← $ � The masked variable : x 0 ← x ⊕ x 1 ⊕ · · · ⊕ x d � Note: equiv. d + 1 out of d + 1 secret sharing of x � Computation carried out by processing the shares separately CHES 2010 – Provably Secure Higher-Order Masking of AES

  10. Higher-Order Masking Soundness [Chari-Jutla-Rao-Rohatgi CRYPTO’99] � Bit x masked �→ x 0 , x 1 , . . . , x d � Leakage : L i ∼ x i + N ( µ, σ 2 ) CHES 2010 – Provably Secure Higher-Order Masking of AES

  11. Higher-Order Masking Soundness [Chari-Jutla-Rao-Rohatgi CRYPTO’99] � Bit x masked �→ x 0 , x 1 , . . . , x d � Leakage : L i ∼ x i + N ( µ, σ 2 ) � � � Number of leakage samples to distinguish ( L i ) i | x = 0 from � � ( L i ) i | x = 1 : q ≥ O (1) σ d CHES 2010 – Provably Secure Higher-Order Masking of AES

  12. Higher-Order Masking Soundness [Chari-Jutla-Rao-Rohatgi CRYPTO’99] � Bit x masked �→ x 0 , x 1 , . . . , x d � Leakage : L i ∼ x i + N ( µ, σ 2 ) � � � Number of leakage samples to distinguish ( L i ) i | x = 0 from � � ( L i ) i | x = 1 : q ≥ O (1) σ d Higher-order masking is sound in the presence of noisy leakage! CHES 2010 – Provably Secure Higher-Order Masking of AES

  13. Higher-Order Masking Schemes Definition A d th-order masking scheme for an encryption algorithm c ← E ( m, k ) is an algorithm ( c 0 , c 1 , . . . , c d ) ← E ′ � � ( m 0 , m 1 , . . . , m d ) , ( k 0 , k 1 , . . . , k d ) CHES 2010 – Provably Secure Higher-Order Masking of AES

  14. Higher-Order Masking Schemes Definition A d th-order masking scheme for an encryption algorithm c ← E ( m, k ) is an algorithm ( c 0 , c 1 , . . . , c d ) ← E ′ � � ( m 0 , m 1 , . . . , m d ) , ( k 0 , k 1 , . . . , k d ) � completeness : � i m i = m and � i k i = k � ⇒ i c i = E ( m, k ) CHES 2010 – Provably Secure Higher-Order Masking of AES

  15. Higher-Order Masking Schemes Definition A d th-order masking scheme for an encryption algorithm c ← E ( m, k ) is an algorithm ( c 0 , c 1 , . . . , c d ) ← E ′ � � ( m 0 , m 1 , . . . , m d ) , ( k 0 , k 1 , . . . , k d ) � completeness : � i m i = m and � i k i = k � ⇒ i c i = E ( m, k ) � security : ∀ ( iv 1 , iv 2 , . . . , iv d ) ∈ { intermediate var. of E ′ } d : � � MI ( iv 1 , iv 2 , . . . , iv d ) , ( m, k ) = 0 CHES 2010 – Provably Secure Higher-Order Masking of AES

  16. Higher-Order Masking Schemes Definition A d th-order masking scheme for an encryption algorithm c ← E ( m, k ) is an algorithm ( c 0 , c 1 , . . . , c d ) ← E ′ � � ( m 0 , m 1 , . . . , m d ) , ( k 0 , k 1 , . . . , k d ) � completeness : � i m i = m and � i k i = k � ⇒ i c i = E ( m, k ) � security : ∀ ( iv 1 , iv 2 , . . . , iv d ) ∈ { intermediate var. of E ′ } d : � � MI ( iv 1 , iv 2 , . . . , iv d ) , ( m, k ) = 0 For SPN ( eg. DES, AES) the main issue is masking the S-box. CHES 2010 – Provably Secure Higher-Order Masking of AES

  17. Higher-Order Masking Schemes Literature Software implementations: � [Schramm-Paar CT-RSA’06] ◮ secure only for d ≤ 2 [Coron-Prouff-Rivain CHES’07] CHES 2010 – Provably Secure Higher-Order Masking of AES

  18. Higher-Order Masking Schemes Literature Software implementations: � [Schramm-Paar CT-RSA’06] ◮ secure only for d ≤ 2 [Coron-Prouff-Rivain CHES’07] � [Rivain-Dottax-Prouff FSE’08] ◮ alternative solutions dedicated to d = 2 CHES 2010 – Provably Secure Higher-Order Masking of AES

  19. Higher-Order Masking Schemes Literature Software implementations: � [Schramm-Paar CT-RSA’06] ◮ secure only for d ≤ 2 [Coron-Prouff-Rivain CHES’07] � [Rivain-Dottax-Prouff FSE’08] ◮ alternative solutions dedicated to d = 2 Hardware implementations: � [Ishai-Sahai-Wagner CRYPTO’03] ◮ every wire/logic gate is masked at an arbitrary order d ◮ wires values ≡ intermediate variables ⇒ d th-order masking scheme CHES 2010 – Provably Secure Higher-Order Masking of AES

  20. Ishai-Sahai-Wagner (ISW) Scheme Principle � AND gates encoding: ◮ Input: ( a i ) i , ( b i ) i s.t. � i a i = a , � i b i = b ◮ Output: ( c i ) i s.t. � i c i = ab CHES 2010 – Provably Secure Higher-Order Masking of AES

  21. Ishai-Sahai-Wagner (ISW) Scheme Principle � AND gates encoding: ◮ Input: ( a i ) i , ( b i ) i s.t. � i a i = a , � i b i = b ◮ Output: ( c i ) i s.t. � i c i = ab � �� ��� � � i c i = i a i i b i = i,j a i b j CHES 2010 – Provably Secure Higher-Order Masking of AES

  22. Ishai-Sahai-Wagner (ISW) Scheme Principle � AND gates encoding: ◮ Input: ( a i ) i , ( b i ) i s.t. � i a i = a , � i b i = b ◮ Output: ( c i ) i s.t. � i c i = ab � �� ��� � � i c i = i a i i b i = i,j a i b j � Example ( d = 2 ):   a 0 b 0 a 0 b 1 a 0 b 2   a 1 b 0 a 1 b 1 a 1 b 2 a 2 b 0 a 2 b 1 a 2 b 2 CHES 2010 – Provably Secure Higher-Order Masking of AES

  23. Ishai-Sahai-Wagner (ISW) Scheme Principle � AND gates encoding: ◮ Input: ( a i ) i , ( b i ) i s.t. � i a i = a , � i b i = b ◮ Output: ( c i ) i s.t. � i c i = ab � �� ��� � � i c i = i a i i b i = i,j a i b j � Example ( d = 2 ):     a 0 b 0 a 0 b 1 a 0 b 2 0 0 0   ⊕   0 a 1 b 1 a 1 b 2 a 1 b 0 0 0 0 0 a 2 b 2 a 2 b 0 a 2 b 1 0 CHES 2010 – Provably Secure Higher-Order Masking of AES

  24. Ishai-Sahai-Wagner (ISW) Scheme Principle � AND gates encoding: ◮ Input: ( a i ) i , ( b i ) i s.t. � i a i = a , � i b i = b ◮ Output: ( c i ) i s.t. � i c i = ab � �� ��� � � i c i = i a i i b i = i,j a i b j � Example ( d = 2 ):     a 0 b 0 a 0 b 1 a 0 b 2 0 a 1 b 0 a 2 b 0   ⊕   0 a 1 b 1 a 1 b 2 0 0 a 2 b 1 0 0 a 2 b 2 0 0 0 CHES 2010 – Provably Secure Higher-Order Masking of AES

  25. Ishai-Sahai-Wagner (ISW) Scheme Principle � AND gates encoding: ◮ Input: ( a i ) i , ( b i ) i s.t. � i a i = a , � i b i = b ◮ Output: ( c i ) i s.t. � i c i = ab � �� ��� � � i c i = i a i i b i = i,j a i b j � Example ( d = 2 ):   a 0 b 1 ⊕ a 1 b 0 a 0 b 2 ⊕ a 2 b 0 a 0 b 0   0 a 1 b 1 a 1 b 2 ⊕ a 2 b 1 0 0 a 2 b 2 CHES 2010 – Provably Secure Higher-Order Masking of AES

  26. Ishai-Sahai-Wagner (ISW) Scheme Principle � AND gates encoding: ◮ Input: ( a i ) i , ( b i ) i s.t. � i a i = a , � i b i = b ◮ Output: ( c i ) i s.t. � i c i = ab � �� ��� � � i c i = i a i i b i = i,j a i b j � Example ( d = 2 ):   a 0 b 1 ⊕ a 1 b 0 a 0 b 2 ⊕ a 2 b 0 a 0 b 0   0 a 1 b 1 a 1 b 2 ⊕ a 2 b 1 0 0 a 2 b 2 CHES 2010 – Provably Secure Higher-Order Masking of AES

  27. Ishai-Sahai-Wagner (ISW) Scheme Principle � AND gates encoding: ◮ Input: ( a i ) i , ( b i ) i s.t. � i a i = a , � i b i = b ◮ Output: ( c i ) i s.t. � i c i = ab � �� ��� � � i c i = i a i i b i = i,j a i b j � Example ( d = 2 ):     a 0 b 1 ⊕ a 1 b 0 a 0 b 2 ⊕ a 2 b 0 a 0 b 0 0 r 1 , 2 r 1 , 3   ⊕   0 a 1 b 1 a 1 b 2 ⊕ a 2 b 1 0 0 r 2 , 3 0 0 a 2 b 2 0 0 0 CHES 2010 – Provably Secure Higher-Order Masking of AES

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun Goudarzi and Matthieu Rivain CHES 2016, Santa-Barbara Higher-Order Masking x = x 1 + x 2 + + x d 2/28 Higher-Order Masking x = x 1 + x 2 +

855 views • 42 slides
Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking Blandine

Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking Blandine

Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking Blandine Debraize Leuven, September 10th, 2012 I NTRODUCTION 1 K NOWN TABLE - BASED METHODS 2 C ORON -T CHULKINE METHOD N EISSE -P ULKUS METHOD 3 C

413 views • 28 slides
Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

8 + Introduction Higher Order Masking Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved Scheme Experimental Results J.-S. Coron 1 E. Prouff 2 M. Rivain 1 , 2 Conclusion 1 University of

555 views • 43 slides
Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint work with C. Carlet, L. Goubin,

Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint work with C. Carlet, L. Goubin,

Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint work with C. Carlet, L. Goubin, E. Prouff and M. Quisquater FSE 2012 Washington DC, 21st March 2012 Higher-Order Masking Schemes for S-boxes Outline 1 Introduction 2

1.33k views • 98 slides
High Order Masking of Look-up Tables with Common Shares J-S.Coron, F.Rondepierre, R.Zeitoun 12th

High Order Masking of Look-up Tables with Common Shares J-S.Coron, F.Rondepierre, R.Zeitoun 12th

High Order Masking of Look-up Tables with Common Shares J-S.Coron, F.Rondepierre, R.Zeitoun 12th September 2018 Outline Outline 1 Introduction 1st Order Solution Higher Order Masking of Look-Up Tables 2 Higher Order: Optimizations 12th

388 views • 35 slides
Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu

Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu

8 + Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu Rivain 1 , 2 , Emmanuelle Dottax 1 & Emmanuel Prouff 1 Oberthur Card Systems University of Luxembourg February 11, 2008 M. Rivain, E.

812 views • 64 slides
Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark

Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark

Computational Complexity Provably-secure constructions Problems with provably-secure constructions Attempts at practical constructions Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark Quo Vadis

874 views • 20 slides
How Fast Can Higher-Order Masking Be in Software? Dahmun Goudarzi and Matthieu Rivain EUROCRYPT

How Fast Can Higher-Order Masking Be in Software? Dahmun Goudarzi and Matthieu Rivain EUROCRYPT

How Fast Can Higher-Order Masking Be in Software? Dahmun Goudarzi and Matthieu Rivain EUROCRYPT 2017, Paris 1 Introduction 2 Field Multiplications 3 Non-Linear Operations 4 Generic Polynomial Methods 5 Polynomial Methods for

873 views • 51 slides
Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure countermeasure Against (first) order power analysis based on multi party computation and secret sharing 2 Outline Threshold Implementations

990 views • 58 slides
Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and Franois-Xavier Standaert UCL (Louvain-la-Neuve, Belgium) CHES 2017, Taipei, Taiwan Outline Background Masking Barthe et al. masking

614 views • 48 slides
Provably secure compilation of side-channel countermeasures: the case of cryptographic

Provably secure compilation of side-channel countermeasures: the case of cryptographic

Provably secure compilation of side-channel countermeasures: the case of cryptographic constant-time Gilles Barthe Benjamin Grgoire Vincent Laporte CSF18, 2018-07-12 Vincent Laporte et alii Provably secure compilation of

501 views • 25 slides
Towards a Provably Secure DoS-Resilient Key Exchange Protocol with PFS 1 L. Kuppusamy * J.

Towards a Provably Secure DoS-Resilient Key Exchange Protocol with PFS 1 L. Kuppusamy * J.

Introduction Contributions Conclusion Towards a Provably Secure DoS-Resilient Key Exchange Protocol with PFS 1 L. Kuppusamy * J. Rangasamy * D. Stebila * C. Boyd * J.M. Gonzlez Nieto * * Information Security Institute Queensland

943 views • 22 slides
York University www.cs.york.ac.uk/~ndm First order vs Higher order Higher order:

York University www.cs.york.ac.uk/~ndm First order vs Higher order Higher order:

First Order Haskell Neil Mitchell York University www.cs.york.ac.uk/~ndm First order vs Higher order Higher order: functions are values Can be passed around Stored in data structure Harder for reasoning and analysis More

483 views • 15 slides
Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Introduction RSM: Rotating Sboxes Masking Information Theoretic Evaluation of RSM Security Evaluation of RSM against CPA and 2O-CPA Conclusions and Perspectives Formal Analysis of the Entropy / Security Trade-off in First-Order Masking

539 views • 38 slides
Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its

Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its

Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its Verification Mads Dam KTH Royal Institute of Technology BISS spring school, Bertinoro 2018 The Goal Hypervisor Context switch: Fixed round-robin

1.16k views • 67 slides
Provably Secure Execution Platforms - Lecture One: Introduction Mads Dam KTH Royal Institute

Provably Secure Execution Platforms - Lecture One: Introduction Mads Dam KTH Royal Institute

Provably Secure Execution Platforms - Lecture One: Introduction Mads Dam KTH Royal Institute of Technology Thanks to Roberto Guanciale, Musard Balliu, Christoph Baumann, Hamed Nemati, Oliver Schwarz, Victor Do, Christian Gehrmann, Jonas

1.41k views • 114 slides
Greatest Common Divisor The Euclidean Algorithm Let a and b be two integers such that a > 0 and

Greatest Common Divisor The Euclidean Algorithm Let a and b be two integers such that a > 0 and

Greatest Common Divisor The Euclidean Algorithm Let a and b be two integers such that a > 0 and b > 0. Then the following algorithm computes integers x and y such that Definition gcd( a , b ) = x a + b y Let a , b Z with a =

185 views • 3 slides
Covering on a Circle Shiva P Kasiviswanathan Pennsylvania State University University Park

Covering on a Circle Shiva P Kasiviswanathan Pennsylvania State University University Park

Covering on a Circle Shiva P Kasiviswanathan Pennsylvania State University University Park Covering on a Circle p. 1/9 Layout of the Presentation Problem Revisited Covering on a Circle p. 2/9 Layout of the Presentation Problem

550 views • 40 slides
MKT 455 Marketing Strategy Knowledge of customers is essential for most marketing strategy

MKT 455 Marketing Strategy Knowledge of customers is essential for most marketing strategy

Market Analysis and Understanding Customers MKT 455 Marketing Strategy Introductory Comments Markets are groups of customers and potential customers. MKT 455 MKT 455 Marketing Strategy Knowledge of customers is essential for most marketing

596 views • 6 slides
Graphical Tools for the Analysis of Bi-objective Optimization Algorithms nez 1 s Paquete 2 utzle

Graphical Tools for the Analysis of Bi-objective Optimization Algorithms nez 1 s Paquete 2 utzle

Graphical Tools for the Analysis of Bi-objective Optimization Algorithms nez 1 s Paquete 2 utzle 1 Manuel L opez-Ib a Lu Thomas St 1 manuel.lopez-ibanez @ ulb.ac.be 2 paquete @ dei.uc.pt stuetzle @ ulb.ac.be CISUC, Department of

479 views • 18 slides
Understanding Geometry of Encoder-Decoder CNNs (E-D CNNs) Jong Chul Ye & Woon Kyoung Sung

Understanding Geometry of Encoder-Decoder CNNs (E-D CNNs) Jong Chul Ye & Woon Kyoung Sung

Understanding Geometry of Encoder-Decoder CNNs (E-D CNNs) Jong Chul Ye & Woon Kyoung Sung BISPL - BioImaging, Signal Processing and Learning Lab. Dept. Bio & Brain Engineering Dept. of Mathematical Sciences KAIST, Korea E-D CNN

911 views • 26 slides
BI Join the Conversation #OPTECH2016 @apartmentwire Introductions James Davis Scott Pechersky

BI Join the Conversation #OPTECH2016 @apartmentwire Introductions James Davis Scott Pechersky

SCALABLE BI Join the Conversation #OPTECH2016 @apartmentwire Introductions James Davis Scott Pechersky Scott Moore Scott Machado CEO VP, Technology EVP, Strategy Director of IT InfoTycoon Alliance Residential Cortland Partners

99 views • 7 slides
Sum nota)on NEU 466M Instructor: Professor Ila R. Fiete

Sum nota)on NEU 466M Instructor: Professor Ila R. Fiete

Sum nota)on NEU 466M Instructor: Professor Ila R. Fiete Spring 2016 What is sum nota)on? upper limit of index N X a i = ( a 1 + a 2 + a 3 + + a N ) i

225 views • 7 slides
Lily: A Geo-Enhanced Library for Location Intelligence 15th International Conference on Data

Lily: A Geo-Enhanced Library for Location Intelligence 15th International Conference on Data

Lily: A Geo-Enhanced Library for Location Intelligence 15th International Conference on Data Warehousing and Knowledge Discovery (DaWaK'13) August 26, 2013 Matteo Golfarelli Stefano Rizzi Marco Mantovani Federico Ravaldi Agenda Location

345 views • 21 slides

More recommend