second order masked lookup table compression scheme
play

Second-Order Masked Lookup Table Compression Scheme Annapurna - PowerPoint PPT Presentation

Mar 17, 2024 •284 likes •806 views

Second-Order Masked Lookup Table Compression Scheme Annapurna Valiveti , Srinivas Vivek IIIT Bangalore annapurna@iiitb.org, srinivas.vivek@iiitb.ac.in 14-17 September, CHES 2020 Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup

  1. Second-Order Masked Lookup Table Compression Scheme Annapurna Valiveti , Srinivas Vivek IIIT Bangalore annapurna@iiitb.org, srinivas.vivek@iiitb.ac.in 14-17 September, CHES 2020 Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  2. Introduction Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  3. Side-Channel Attacks Traditionally, cryptosystems were viewed as black boxes Change of view in the crypto research community since mid-90s due to Kocher et al. Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  4. Side-Channel Attacks Figure: Side-channel experiment Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  5. Side-Channel Attacks Figure: Power attack setup Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  6. Masking Countermeasure In this presentation, we only focus on software countermeasures to power analysis attacks Goal is to minimise the effect of side-channel leakage Masking countermeasure against SCA x = x 1 ⊕ . . . ⊕ x d ⊕ x d +1 d ← masking order Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  7. Security Models Loosely speaking, SCA complexity is exponential w.r.t. masking order d Security offered has been relatively well analysed Probing [ ISW’03 ] & noisy leakage model [ CJJR’99, RP’13, DDF’14 ] Figure: Adversary observing using at most d probes Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  8. Masking of Block Ciphers Categories of block cipher operations: Linear functions are straightforward to compute in presence of shares f ( x ) = f ( x 1 ) ⊕ f ( x 2 ) ⊕ . . . ⊕ f ( x d +1 ) Main challenge is to securely compute non-linear functions For block ciphers, this reduces to securing their S-boxes Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  9. Classification of Countermeasures SCA Countermeasures Lookup table- Circuit-based based schemes schemes Figure: Classification of countermeasures Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  10. First-Order Table-Based Masking First-order (1-O) lookup table masking. Originally proposed in [ CJJR’99 ] Input : ( n , m )-S-box Two input shares x 1 , x 2 , s.t. x = x 1 ⊕ x 2 Method : Create a temporary table T in RAM s.t. ∀ a ∈ { 0 , 1 } n T ( a ) = S ( x 1 ⊕ a ) ⊕ y 1 Output shares : y 1 , y 2 = T ( x 2 ), s.t. S( x ) = y 1 ⊕ y 2 Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  11. Table-Based vs. Circuit-Based S-Box Masking AES : time overhead factor: 2 to 4 , RAM memory = 256 bytes per S-box function RAM Memory can be expensive for highly resource-constrained environments Alternate approaches exist ( [ PR’07 ] ): O (1) RAM but time overhead factor ≥ 30 Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  12. Time vs. Memory Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  13. Time vs. Memory Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  14. Lookup Table Compression Schemes Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  15. Lookup Table Compression A first-order lookup table compression scheme was proposed in [ RRST’02 ] Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  16. Lookup Table Compression A first-order lookup table compression scheme was proposed in [ RRST’02 ] An improved lookup table compression scheme was by Vadnala [ Vad’17 ] Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  17. Lookup Table Compression A first-order lookup table compression scheme was proposed in [ RRST’02 ] An improved lookup table compression scheme was by Vadnala [ Vad’17 ] Figure: Pack entries based on higher-order bits Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  18. [Vad17] 1-O Table Compression Scheme Partition the original table T into T 1 and T 2 using compression parameter, ℓ a = a (1) || a (2) ���� ���� n − ℓ ℓ Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  19. [Vad17] 1-O Table Compression Scheme Partition the original table T into T 1 and T 2 using compression parameter, ℓ a = a (1) || a (2) ���� ���� n − ℓ ℓ Pack 2 ℓ distinct entries of T into each row of T 1 Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  20. [Vad17] 1-O Table Compression Scheme Partition the original table T into T 1 and T 2 using compression parameter, ℓ a = a (1) || a (2) ���� ���� n − ℓ ℓ Pack 2 ℓ distinct entries of T into each row of T 1 Unpack one of the entries of T 1 into 2 ℓ rows of T 2 Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  21. [Vad17] 1-O Table Compression Scheme Partition the original table T into T 1 and T 2 using compression parameter, ℓ a = a (1) || a (2) ���� ���� n − ℓ ℓ Pack 2 ℓ distinct entries of T into each row of T 1 Unpack one of the entries of T 1 into 2 ℓ rows of T 2 There is a set of shared random values across T 1 and T 2 Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  22. 2-O Table Compression Scheme [Vad17] Base scheme used in [ Vad’17 ] is [ RDP’08 ] Three steps of the second-order scheme 1: Create Table T 1 : { 0 , 1 } n − ℓ → { 0 , 1 } m Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  23. 2-O Table Compression Scheme [Vad17] Base scheme used in [ Vad’17 ] is [ RDP’08 ] Three steps of the second-order scheme 1: Create Table T 1 : { 0 , 1 } n − ℓ → { 0 , 1 } m �� � � T 1 ( b (1) :) = i ∈{ 0 , 1 } ℓ S (( x 3(1) ⊕ a (1) ⊕ r i ) || i ) ⊕ ⊕ y 1 ⊕ y 2 Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  24. 2-O Table Compression Scheme [Vad17] Base scheme used in [ Vad’17 ] is [ RDP’08 ] Three steps of the second-order scheme 1: Create Table T 1 : { 0 , 1 } n − ℓ → { 0 , 1 } m 2: Create Table T 2 : { 0 , 1 } ℓ → { 0 , 1 } m Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  25. 2-O Table Compression Scheme [Vad17] Base scheme used in [ Vad’17 ] is [ RDP’08 ] Three steps of the second-order scheme 1: Create Table T 1 : { 0 , 1 } n − ℓ → { 0 , 1 } m 2: Create Table T 2 : { 0 , 1 } ℓ → { 0 , 1 } m T 2 ( b (2) ) := T 1 ( v (1) ⊕ r ( x 3(2) ⊕ a (2) ) ) ⊕ j ∈{ 0 , 1 } ℓ , j � = a (2) S ( x 3(2) ⊕ j ) ( x (1) ⊕ r ( x 3(2) ⊕ a (2) ) ⊕ r ( x 3(2) ⊕ j ) ) ⊕ Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  26. 2-O Table Compression Scheme [Vad17] Base scheme used in [ Vad’17 ] is [ RDP’08 ] Three steps of the second-order scheme 1: Create Table T 1 : { 0 , 1 } n − ℓ → { 0 , 1 } m 2: Create Table T 2 : { 0 , 1 } ℓ → { 0 , 1 } m 3: Access Table T 2 to compute the third output share y 3 = T 2 ( v (2) ) Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  27. Attack on 2-O Scheme of [Vad’17] by [Viv’17] First-order scheme is proven to be secure [ Viv’17 ] pointed a second-order attack which show that any pair of entries in Table T 2 jointly leak up to n − ℓ bits of input Lemma Let β 1 , β 2 ∈ { 0 , 1 } l . Then T 2 ( β 1 ) ⊕ T 2 ( β 2 ) = S (x (1) || ( β 1 ⊕ x (2) ⊕ v (2) )) ⊕ S (x (1) || ( β 2 ⊕ x (2) ⊕ v (2) )) Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  28. Our Contribution Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  29. Second-Order Lookup Table Compression Following are the highlights of our scheme Randomise rows of tables T 1 and T 2 Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  30. Second-Order Lookup Table Compression Following are the highlights of our scheme Randomise rows of tables T 1 and T 2 Randomness complexity : � (2 ℓ · ( n − ℓ )) + m · (2 ( n − ℓ ) + 2 ℓ ) � -bits Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  31. Second-Order Lookup Table Compression Following are the highlights of our scheme Randomise rows of tables T 1 and T 2 Randomness complexity : � (2 ℓ · ( n − ℓ )) + m · (2 ( n − ℓ ) + 2 ℓ ) � -bits Use three-wise independent PRG [ TS09, IKL + 13 ] to reduce number of true random values Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  32. Second-Order Lookup Table Compression Following are the highlights of our scheme Randomise rows of tables T 1 and T 2 Randomness complexity : � (2 ℓ · ( n − ℓ )) + m · (2 ( n − ℓ ) + 2 ℓ ) � -bits Use three-wise independent PRG [ TS09, IKL + 13 ] to reduce number of true random values Compute masks on-the-fly Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Complexity Attack Resistant Flow Lookup Schemes for IPv6: A Measurement Based Comparison David

Complexity Attack Resistant Flow Lookup Schemes for IPv6: A Measurement Based Comparison David

Complexity Attack Resistant Flow Lookup Schemes for IPv6: A Measurement Based Comparison David Malone and Josh Tobin. 2008-12-11 1 Hash Table Lookup scheme to avoid cost of searching full list. carrot zuchinni . . . . . . apricot apple

406 views • 16 slides
CS1100: Computer Science and Its Applications Table Lookup and Error Processing Created By

CS1100: Computer Science and Its Applications Table Lookup and Error Processing Created By

CS1100: Computer Science and Its Applications Table Lookup and Error Processing Created By Martin Schedlbauer m.schedlbauer@neu.edu Excel Basics LOOKUP AND MAPPING CS1100 Lookup and Error Processing 2 LOOKUP Tables LOOKUP Tables help

798 views • 32 slides
Reducing a Masked Implementations Effective Security Order with Setup Manipulations And an

Reducing a Masked Implementations Effective Security Order with Setup Manipulations And an

Crypto. group SWORD Reducing a Masked Implementations Effective Security Order with Setup Manipulations And an Explanation Based on Externally-Amplified Couplings Itamar Levi, Davide Bellizia and Franois-Xavier Standaert Aug. 2018 Moti

298 views • 27 slides
Word embeddings Rappel Embeddings ( pas Word Embeddings ) Est une lookup table Formalisme:

Word embeddings Rappel Embeddings ( pas Word Embeddings ) Est une lookup table Formalisme:

Word embeddings Rappel Embeddings ( pas Word Embeddings ) Est une lookup table Formalisme: Index dun mot: w i Table dembeddings (lookup matrix): V Embedding: e i e i = V( w i ) Reprsentation dun mot

780 views • 47 slides
Cache misses for lookup, existing of random ints Cache misses for lookup, non-existing of random

Cache misses for lookup, existing of random ints Cache misses for lookup, non-existing of random

The hash tables Googles dense and sparse hash tables Use open addressing Quadratic probing SGI Is a chained hash table Referred to as gnu in graphs One-table and Two-table Doubly linked: Rather large compartments

645 views • 29 slides
A Novel Scalable IPv6 Lookup Scheme Using Compressed Pipelined Tries Michel Hanna, Sangyeun Cho,

A Novel Scalable IPv6 Lookup Scheme Using Compressed Pipelined Tries Michel Hanna, Sangyeun Cho,

A Novel Scalable IPv6 Lookup Scheme Using Compressed Pipelined Tries Michel Hanna, Sangyeun Cho, and Rami Melhem Computer Science Department, University of Pittsburgh, Pittsburgh, PA, 15260, USA { mhanna,cho,melhem } @cs.pitt.edu Abstract. An

482 views • 14 slides
Development of lookup tables of climate change impact on national water resources Naota Hanasaki

Development of lookup tables of climate change impact on national water resources Naota Hanasaki

Development of lookup tables of climate change impact on national water resources Naota Hanasaki (NIES) hanasaki@nies.go.jp What is lookup table of climate change impact? Typical impact studies Lookup table approach 1. Develop a detailed

479 views • 6 slides
with Dictionaries an alternative to InnoDB table compression Yura Sorokin, Senior Software

with Dictionaries an alternative to InnoDB table compression Yura Sorokin, Senior Software

Percona XtraDB: Compressed Columns with Dictionaries an alternative to InnoDB table compression Yura Sorokin, Senior Software Engineer at Percona Existing compression methods Overview Existing compression methods for MySQL InnoDB Table

1.24k views • 95 slides
hashes Hashes in lisp are basically a lookup table of key-value pairs can create/destroy

hashes Hashes in lisp are basically a lookup table of key-value pairs can create/destroy

hashes Hashes in lisp are basically a lookup table of key-value pairs can create/destroy tables can add/remove key/value pairs can check if key current present in table can update value associated with a key can look up value

416 views • 6 slides
Binary Access Memory: An Optimized Lookup Table for Successive Approximation Applications

Binary Access Memory: An Optimized Lookup Table for Successive Approximation Applications

Binary Access Memory: An Optimized Lookup Table for Successive Approximation Applications Benjamin Hershberg*, Skyler Weaver*, Seiji Takeuchi, Koichi Hamashita , Un -Ku Moon* *School of Electrical Engineering and Computer Science, Oregon

997 views • 41 slides
Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

8 + Introduction Higher Order Masking Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved Scheme Experimental Results J.-S. Coron 1 E. Prouff 2 M. Rivain 1 , 2 Conclusion 1 University of

555 views • 43 slides
CLUE: achieving fast update over compressed table for parallel lookup with reduced dynamic

CLUE: achieving fast update over compressed table for parallel lookup with reduced dynamic

CLUE: achieving fast update over compressed table for parallel lookup with reduced dynamic redundancy Tong Yang, Ruian Duan, Jianyuan Lu, Shenjiang Zhang, Huichen Dai and Bin Liu Dept. of Computer Science and Technology, Tsinghua University,

437 views • 10 slides
Frugal IP Lookup Based on a Parallel Search Zoran Ci ca and Aleksandra Smiljani c School

Frugal IP Lookup Based on a Parallel Search Zoran Ci ca and Aleksandra Smiljani c School

Frugal IP Lookup Based on a Parallel Search Zoran Ci ca and Aleksandra Smiljani c School of Electrical Engineering, Belgrade University, Serbia Email: cicasyl@etf.rs, aleksandra@etf.rs speed such as the trie compression [5], [6], leaf

222 views • 6 slides
A fourth order accurate finite difference scheme for the elastic wave equation in second order

A fourth order accurate finite difference scheme for the elastic wave equation in second order

A fourth order accurate finite difference scheme for the elastic wave equation in second order formulation 1 B. Sj ogreen and N.A.Petersson Lawrence Livermore National Laboratory October 18, 2011 1Work performed under the auspices of the

343 views • 20 slides
Organizing My I.B. Portfolio Table of Contents The table of contents displays the order of

Organizing My I.B. Portfolio Table of Contents The table of contents displays the order of

Organizing My I.B. Portfolio Table of Contents The table of contents displays the order of the portfolio dividers & work samples . In what place order should the Identities & relationships divider be placed? (select a choice

1.29k views • 50 slides
Lookup Tables 1 Example of Arbitrary Waveform Generator Clock Generator Output Increments a

Lookup Tables 1 Example of Arbitrary Waveform Generator Clock Generator Output Increments a

Lookup Tables 1 Example of Arbitrary Waveform Generator Clock Generator Output Increments a Counter Counter Output used as Memory (lookup table) Address Memory Stores One Period (or portion of period if symmetry is present) of a

233 views • 19 slides
Segmentation of Broadcast News Brecht Desplanques, Kris Demuynck & Jean-Pierre Martens ELIS

Segmentation of Broadcast News Brecht Desplanques, Kris Demuynck & Jean-Pierre Martens ELIS

Soft VAD in Factor Analysis Based Speaker Segmentation of Broadcast News Brecht Desplanques, Kris Demuynck & Jean-Pierre Martens ELIS Data Science Lab Ghent University/iMinds 21 June 2016 Speaker Diarization for Automatic Subtitle

628 views • 17 slides
Ch 5: Marks and Channels Tamara Munzner Department of Computer Science University of British

Ch 5: Marks and Channels Tamara Munzner Department of Computer Science University of British

Ch 5: Marks and Channels Tamara Munzner Department of Computer Science University of British Columbia CPSC 547, Information Visualization Day 5: 17 January 2017 http://www.cs.ubc.ca/~tmm/courses/547-17 News comments marks out for 3/Tasks

300 views • 17 slides
Speech Processing 15-492/18-492 Speech Recognition Acoustic modeling Pronunciation dictionary

Speech Processing 15-492/18-492 Speech Recognition Acoustic modeling Pronunciation dictionary

Speech Processing 15-492/18-492 Speech Recognition Acoustic modeling Pronunciation dictionary Acoustic Modeling Speech and Signal Variability Speech and Signal Variability Measuring Error Measuring Error Pronunciation

574 views • 28 slides
Performance Datacenters HotNets15 Xpander: Unveiling the Secrets of High-Performance

Performance Datacenters HotNets15 Xpander: Unveiling the Secrets of High-Performance

Towards Optimal- Performance Datacenters HotNets15 Xpander: Unveiling the Secrets of High-Performance Datacenters Asaf Valadarsky 3 , Michael Dinitz 1 , Michael Schapira 3 CoNext16 Xpander: Towards Optimal-Performance Datacenters

541 views • 26 slides
Foundations of Chemical Kinetics Lecture 32: Heterogeneous kinetics: Gases and surfaces Marc R.

Foundations of Chemical Kinetics Lecture 32: Heterogeneous kinetics: Gases and surfaces Marc R.

Foundations of Chemical Kinetics Lecture 32: Heterogeneous kinetics: Gases and surfaces Marc R. Roussel Department of Chemistry and Biochemistry Gas-surface reactions Adsorption Adsorption: sticking of molecules to a surface

677 views • 21 slides
Joint Dereverberation and Noise Reduction Using Beamforming and a Single-Channel Speech

Joint Dereverberation and Noise Reduction Using Beamforming and a Single-Channel Speech

Joint Dereverberation and Noise Reduction Using Beamforming and a Single-Channel Speech Enhancement Scheme B. Cauchi, I. Kodrasi, R. Rehr, S. Gerlach, T. Gerkmann, S. Doclo, S. Goetze Fraunhofer IDMT, Project Group Hearing, Speech and Audio

319 views • 16 slides
Sequence to Sequence Video to Text Venugopalan et al. Given a variable-length sequence of

Sequence to Sequence Video to Text Venugopalan et al. Given a variable-length sequence of

Garrett Bingham Sequence to Sequence Video to Text Venugopalan et al. Given a variable-length sequence of video frames, Prev: Title Slide generate a variable-length natural language Problem description of the video. Next: Motivation

850 views • 15 slides
google define: design google define: design the act of working out the form of something

google define: design google define: design the act of working out the form of something

Den Rda Trden KRAV Vi kan vlja utvecklingsmodell DESIGN Vi kan hantera risk och vet varfr behvs IMPLEMENT VISION Vi kan skriva och estimera krav TEST User stories, -ilities, regler DRIFTSTTN

135 views • 9 slides

More recommend