side channel cryptanalysis of a higher order
play

Side Channel Cryptanalysis of a Higher Order Schemes Generic - PowerPoint PPT Presentation

Oct 01, 2023 •116 likes •555 views

8 + Introduction Higher Order Masking Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved Scheme Experimental Results J.-S. Coron 1 E. Prouff 2 M. Rivain 1 , 2 Conclusion 1 University of

  1. 8 + Introduction Higher Order Masking Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved Scheme Experimental Results J.-S. Coron 1 E. Prouff 2 M. Rivain 1 , 2 Conclusion 1 University of Luxembourg 2 Oberthur Card Systems CHES 2007 Coron - Prouff - Rivain (UoL, OCS) S.C. Cryptanalysis of a H.O. Masking CHES 2007 1 / 23

  2. Contents 8 + Introduction Introduction Higher Order 1 Masking Schemes Generic Higher Order Masking Schemes 2 Scheme Improved Scheme Generic Scheme 3 Experimental Results Conclusion Improved Scheme 4 Experimental Results 5 Conclusion 6 Coron - Prouff - Rivain (UoL, OCS) S.C. Cryptanalysis of a H.O. Masking CHES 2007 2 / 23

  3. Differential Power Analysis (DPA) 8 + Introduction Higher Order Masking Schemes The physical leakage of the execution of any algorithm Generic Scheme depends on the intermediate variables Improved Scheme DPA exploits leakage on sensitive variables that depends Experimental Results on the secret key Conclusion Common countermeasure: masking ◮ A random value is added to every sensitive variable ◮ ⇒ Instantaneous leakage independent of sensitive variables Coron - Prouff - Rivain (UoL, OCS) S.C. Cryptanalysis of a H.O. Masking CHES 2007 3 / 23

  4. Higher Order DPA (HO-DPA) Against First Order Masking 8 + Y : sensitive variable, M : mask Introduction ◮ Y ⊕ M processed at t 0 Higher Order Masking ◮ M processed at t 1 Schemes Generic Scheme First order DPA attack not feasible Improved Second order DPA attack feasible Scheme Experimental Results Conclusion Coron - Prouff - Rivain (UoL, OCS) S.C. Cryptanalysis of a H.O. Masking CHES 2007 4 / 23

  5. Higher Order DPA (HO-DPA) Against d -th Order Masking 8 + Y : sensitive variable, M i ’s: masks Introduction ◮ Y ⊕ M 1 ⊕ · · · ⊕ M d processed at t 0 Higher Order Masking ◮ M i ’s processed at t i Schemes Generic d -th order DPA attack not feasible Scheme Improved ( d + 1) -th order DPA attack feasible Scheme Experimental Results Conclusion Coron - Prouff - Rivain (UoL, OCS) S.C. Cryptanalysis of a H.O. Masking CHES 2007 5 / 23

  6. Higher Order DPA (HO-DPA) 8 + Introduction Higher Order Masking Schemes Generic The complexity of an HO-DPA is exponential with its Scheme order (Chari et al. in CRYPTO’99) Improved Scheme The order d is a good security parameter Experimental Results Conclusion A generic masking scheme must ◮ involve d random masks per sensitive variable ◮ thwart d -th order DPA Coron - Prouff - Rivain (UoL, OCS) S.C. Cryptanalysis of a H.O. Masking CHES 2007 6 / 23

  7. Higher Order Masking Schemes 8 + Introduction Higher Order Masking Schemes Formalizing the security: Generic Scheme sensitive variable : depends on both the plaintext and the Improved Scheme secret key Experimental Results Conclusion Coron - Prouff - Rivain (UoL, OCS) S.C. Cryptanalysis of a H.O. Masking CHES 2007 7 / 23

  8. Higher Order Masking Schemes 8 + Introduction Higher Order Masking Schemes Formalizing the security: Generic Scheme sensitive variable : depends on both the plaintext and the Improved Scheme secret key Experimental Results d -th order flaw : a d -tuple of intermediate variables Conclusion statistically dependent on a sensitive variable Coron - Prouff - Rivain (UoL, OCS) S.C. Cryptanalysis of a H.O. Masking CHES 2007 7 / 23

  9. Higher Order Masking Schemes 8 + Introduction Higher Order Masking Schemes Formalizing the security: Generic Scheme sensitive variable : depends on both the plaintext and the Improved Scheme secret key Experimental Results d -th order flaw : a d -tuple of intermediate variables Conclusion statistically dependent on a sensitive variable security against d -th order DPA : no d -th order flaw Coron - Prouff - Rivain (UoL, OCS) S.C. Cryptanalysis of a H.O. Masking CHES 2007 7 / 23

  10. Higher Order Masking Schemes 8 + Introduction Higher Order Masking Each sensitive variable Y is masked with d masks M i ’s Schemes Generic Scheme completeness : the masked variable M V and the masks Improved M i ’s must always satisfy: Scheme Experimental Results M V ⊕ M 1 ⊕ · · · ⊕ M d = Y Conclusion security : M V and all the M i ’s must be processed separately Coron - Prouff - Rivain (UoL, OCS) S.C. Cryptanalysis of a H.O. Masking CHES 2007 8 / 23

  11. Higher Order Masking Schemes 8 + In network of linear layers and non-linear SBoxes Introduction Higher Order ◮ Propagation through a linear layer Masking Schemes Generic Scheme M V M 1 · · · M d Improved Scheme Experimental Results L L L Conclusion L ( M V ) L ( M 1 ) L ( M d ) · · · Coron - Prouff - Rivain (UoL, OCS) S.C. Cryptanalysis of a H.O. Masking CHES 2007 9 / 23

  12. Higher Order Masking Schemes 8 + In network of linear layers and non-linear SBoxes Introduction Higher Order ◮ Propagation through a linear layer Masking Schemes Generic Scheme = Y M V M 1 · · · M d Improved Scheme Experimental Results L L L Conclusion L ( M V ) L ( M 1 ) L ( M d ) · · · Coron - Prouff - Rivain (UoL, OCS) S.C. Cryptanalysis of a H.O. Masking CHES 2007 9 / 23

  13. Higher Order Masking Schemes 8 + In network of linear layers and non-linear SBoxes Introduction Higher Order ◮ Propagation through a linear layer Masking Schemes Generic Scheme = Y M V M 1 · · · M d Improved Scheme Experimental Results L L L Conclusion L ( M V ) L ( M 1 ) L ( M d ) = L ( Y ) · · · Coron - Prouff - Rivain (UoL, OCS) S.C. Cryptanalysis of a H.O. Masking CHES 2007 9 / 23

  14. Higher Order Masking Schemes 8 + In network of linear layers and non-linear SBoxes Introduction Higher Order ◮ Propagation through a non-linear SBox Masking Schemes Generic Scheme = Y M V M 1 · · · M d Improved Scheme Experimental Results S S S Conclusion S ( M V ) S ( M 1 ) S ( M d ) � = S ( Y ) · · · Coron - Prouff - Rivain (UoL, OCS) S.C. Cryptanalysis of a H.O. Masking CHES 2007 9 / 23

  15. Higher Order Masking Schemes 8 + In network of linear layers and non-linear SBoxes Introduction Higher Order ◮ Propagation through a non-linear SBox Masking Schemes Generic Scheme = Y M V M 1 · · · M d Improved Scheme Experimental Results ?? ?? ?? Conclusion = S ( Y ) N V N 1 · · · N d Problem How to securely compute ( N V , N ′ i s ) from ( M V , M ′ i s ) ? Coron - Prouff - Rivain (UoL, OCS) S.C. Cryptanalysis of a H.O. Masking CHES 2007 9 / 23

  16. Higher Order Masking Schemes 8 + Introduction Higher Order Problem widely investigated for 1 -st order masking Masking Schemes ◮ Efficient and widely used method: the table Generic re-computation Scheme Improved Scheme For d -th order masking: one single proposal in the Experimental Literature Results ◮ [SP06] - K. Schramm and C. Paar, “Higher Order Masking Conclusion of the AES” in CT-RSA 2006. ◮ Principle: adapt the table re-computation method to d -th order masking Our paper: [SP06] is broken by 3-rd order DPA for any value of the masking order d Coron - Prouff - Rivain (UoL, OCS) S.C. Cryptanalysis of a H.O. Masking CHES 2007 10 / 23

  17. Table re-computation method For 1 -st order masking 8 + Introduction = Y M V M 1 Higher Order Masking Schemes Generic Scheme S ∗ S re-computation Improved Scheme Experimental Results N 1 ← rand () Conclusion For all x : S ∗ ( x ) ← S ( x ⊕ M 1 ) ⊕ N 1 Coron - Prouff - Rivain (UoL, OCS) S.C. Cryptanalysis of a H.O. Masking CHES 2007 11 / 23

  18. Table re-computation method For 1 -st order masking 8 + Introduction = Y M V M 1 Higher Order Masking Schemes Generic Scheme S ∗ Improved Scheme Experimental Results Conclusion N V N 1 For all x : S ∗ ( x ) ← S ( x ⊕ M 1 ) ⊕ N 1 N V ← S ∗ ( M V ) Coron - Prouff - Rivain (UoL, OCS) S.C. Cryptanalysis of a H.O. Masking CHES 2007 11 / 23

  19. Table re-computation method For 1 -st order masking 8 + Introduction = Y M V M 1 Higher Order Masking Schemes Generic Scheme S ∗ Improved Scheme Experimental Results = S ( Y ) Conclusion N V N 1 For all x : S ∗ ( x ) ← S ( x ⊕ M 1 ) ⊕ N 1 N V ← S ∗ ( M V ) = S ( M V ⊕ M 1 ) ⊕ N 1 = S ( Y ) ⊕ N 1 Coron - Prouff - Rivain (UoL, OCS) S.C. Cryptanalysis of a H.O. Masking CHES 2007 11 / 23

  20. Table re-computation method For d -th order masking [SP06] 8 + Introduction M V M 1 · · · M d = Y Higher Order Masking Schemes Generic Scheme S ∗ S d-th order re-computation Improved Scheme Experimental Results N 1 · · · N d Conclusion � � x ⊕ � d ⊕ � d For every x : S ∗ ( x ) = S i =1 M i i =1 N i Coron - Prouff - Rivain (UoL, OCS) S.C. Cryptanalysis of a H.O. Masking CHES 2007 12 / 23

  21. Table re-computation method For d -th order masking [SP06] 8 + Introduction M V M 1 · · · M d = Y Higher Order Masking Schemes Generic Scheme S ∗ Improved Scheme Experimental Results N V N 1 · · · N d = S ( Y ) Conclusion � � x ⊕ � d ⊕ � d For every x : S ∗ ( x ) = S i =1 M i i =1 N i Coron - Prouff - Rivain (UoL, OCS) S.C. Cryptanalysis of a H.O. Masking CHES 2007 12 / 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers

Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers

Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers will always cheat xkcd #538 What is side channel cryptanalysis? Side Channels: whatever the designers ignored Key Plaintext Encryption Cipher

1.14k views • 112 slides
Higher-Order Side Channel Security and Mask Refreshing J.-S. Coron,E. Prouff, M. Rivain and T.

Higher-Order Side Channel Security and Mask Refreshing J.-S. Coron,E. Prouff, M. Rivain and T.

Higher-Order Side Channel Security and Mask Refreshing J.-S. Coron,E. Prouff, M. Rivain and T. Roche thomas.roche@ssi.gouv.fr FSE 2013 March 2013 T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing Side Channel Analysis

1.14k views • 75 slides
Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents Santanu Sarkar and Subhamoy Maitra Leuven, Belgium 12 September, 2012 Outline of the Talk RSA Cryptosystem CRT-RSA CRT-RSA having Low Hamming

403 views • 25 slides
Generic Side-Channel Distinguishers: Improvements and Limitations N. Veyrat-Charvillon and F-X.

Generic Side-Channel Distinguishers: Improvements and Limitations N. Veyrat-Charvillon and F-X.

Side-Channel Cryptanalysis Models and Dependencies New Generic Test Experiments Conclusions Generic Side-Channel Distinguishers: Improvements and Limitations N. Veyrat-Charvillon and F-X. Standaert UCL Crypto Group, Universit e catholique

355 views • 24 slides
Generalized Polynomial Decomposition for S-boxes with Application to Side-Channel Countermeasures

Generalized Polynomial Decomposition for S-boxes with Application to Side-Channel Countermeasures

Generalized Polynomial Decomposition for S-boxes with Application to Side-Channel Countermeasures Dahmun Goudarzi, Matthieu Rivain, Srinivas Vivek, and Damien Vergnaud Background 2 Secure Software S-box Implementations Higher-Order

636 views • 25 slides
HO in Coq Guillaume Ambal, Sergue Lenglet and Alan Schmitt Higher-Order -calculus

HO in Coq Guillaume Ambal, Sergue Lenglet and Alan Schmitt Higher-Order -calculus

HO in Coq Guillaume Ambal, Sergue Lenglet and Alan Schmitt Higher-Order -calculus Model of concurrent and communicating systems First-order: inert data (channel names, . . . ) Higher-order: executable processes

866 views • 57 slides
York University www.cs.york.ac.uk/~ndm First order vs Higher order Higher order:

York University www.cs.york.ac.uk/~ndm First order vs Higher order Higher order:

First Order Haskell Neil Mitchell York University www.cs.york.ac.uk/~ndm First order vs Higher order Higher order: functions are values Can be passed around Stored in data structure Harder for reasoning and analysis More

483 views • 15 slides
Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu

Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu

8 + Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu Rivain 1 , 2 , Emmanuelle Dottax 1 & Emmanuel Prouff 1 Oberthur Card Systems University of Luxembourg February 11, 2008 M. Rivain, E.

812 views • 64 slides
Introduction to Side-Channel Analysis Franois-Xavier Standaert UCL Crypto Group, Belgium

Introduction to Side-Channel Analysis Franois-Xavier Standaert UCL Crypto Group, Belgium

Introduction to Side-Channel Analysis Franois-Xavier Standaert UCL Crypto Group, Belgium Summer school on real-world crypto, 2016 Outline Link with linear cryptanalysis Standard Differential Power Analysis Noise-based security (is

1.17k views • 92 slides
+ Side Channel and Covert Channel A1acks on Microkernel

+ Side Channel and Covert Channel A1acks on Microkernel

+ Side Channel and Covert Channel A1acks on Microkernel Architectures WAMOS 2015 Advanced Opera3ng Systems Hochschule RheinMain Alexander Baumgrtner and

539 views • 25 slides
Why higher-order logic? Higher-Order logic Expressive Mathematics Verification

Why higher-order logic? Higher-Order logic Expressive Mathematics Verification

Extending SMT solvers to higher-order logic Haniel Barbosa Andrew Reynolds Daniel El Ouraoui Clark Barrett Cesare Tinelli SMT 2019 20190707, Lisbon, PT To be published in the proceedings of CADE 2019 Why higher-order logic?

569 views • 25 slides
FIDES: Lightweight Authentication Cipher with Side-Channel Resistance for Constrained Hardware

FIDES: Lightweight Authentication Cipher with Side-Channel Resistance for Constrained Hardware

FIDES: Lightweight Authentication Cipher with Side-Channel Resistance for Constrained Hardware Begl Bilgin, Andrey Bogdanov, Miroslav Kne evi , Florian Mendel, and Qingju Wang 1 DIAC 2013, Chicago Side Channel Resistance 2 Side

1.29k views • 76 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer ESC 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

476 views • 33 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer FSE 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

635 views • 30 slides
Yet another side-channel attack: Multi-linear Power Analysis attack (MLPA) Thomas Roche , C

Yet another side-channel attack: Multi-linear Power Analysis attack (MLPA) Thomas Roche , C

List decoding of RM(1,m) and Multi-linear cryptanalysis Application to Power Analysis attacks : MLPA Conclusion and Open persp Yet another side-channel attack: Multi-linear Power Analysis attack (MLPA) Thomas Roche , C edric Tavernier

625 views • 29 slides
Higher order complexity Hugo Fre Mathieu Hoyrup CCA 2013 Hugo Fre Higher order

Higher order complexity Hugo Fre Mathieu Hoyrup CCA 2013 Hugo Fre Higher order

Background & motivation Higher order strategies Higher order Turing machines Computable analysis Conclusion Higher order complexity Hugo Fre Mathieu Hoyrup CCA 2013 Hugo Fre Higher order complexity 1/12 Background &

383 views • 15 slides
Energy storage in Electric Power Systems Yahia Baghzouz, Ph.D., P.E. Electrical & Computer

Energy storage in Electric Power Systems Yahia Baghzouz, Ph.D., P.E. Electrical & Computer

Energy storage in Electric Power Systems Yahia Baghzouz, Ph.D., P.E. Electrical & Computer Engineering Dept. Overview Impact of variable generation on load curve Energy storage technologies Battery Energy Storage Systems

1.36k views • 38 slides
OKLAHOMA AND THE FUTURE OF THE NATIONS ENERGY INDEPENDENCE The Wind Coalition The Wind

OKLAHOMA AND THE FUTURE OF THE NATIONS ENERGY INDEPENDENCE The Wind Coalition The Wind

OKLAHOMA AND THE FUTURE OF THE NATIONS ENERGY INDEPENDENCE The Wind Coalition The Wind Coalition 1 2 3 4 5 Energy independence National security Price of fuel American way American way Environmental concerns

591 views • 45 slides
Signal Circuit and Transistor Small-Signal Model Lecture notes: Sec. 5 Sedra & Smith (6 th

Signal Circuit and Transistor Small-Signal Model Lecture notes: Sec. 5 Sedra & Smith (6 th

Signal Circuit and Transistor Small-Signal Model Lecture notes: Sec. 5 Sedra & Smith (6 th Ed): Sec. 5.5 & 6.7 Sedra & Smith (5 th Ed): Sec. 4.6 & 5.6 F. Najmabadi, ECE65, Winter 2012 Transistor Amplifier Development Bias &

476 views • 20 slides
Studies on pion/muon capture at MOMENT Nikos Vassilopoulos IHEP, CAS particle production for Hg

Studies on pion/muon capture at MOMENT Nikos Vassilopoulos IHEP, CAS particle production for Hg

Studies on pion/muon capture at MOMENT Nikos Vassilopoulos IHEP, CAS particle production for Hg MOMENT Hg, L =30 cm, R = 0.5 cm: current parameters (mm) + - + - n p + b 1 0.124 0.075 1.8x10 -4 5.3x10 -5 12.4

346 views • 32 slides
s t' ! -,1 oa\ \tF-' U + { ? e.) -t p o -/ s \ \ \) \,^ J Ur/ x' {s ( u1

s t' ! -,1 oa\ \tF-' U + { ? e.) -t p o -/ s \ \ \) \,^ J Ur/ x' {s ( u1

+- + 't- e J a o 'J d -\J --)-- --l (n H ( ! + a nt ] v' ,1 5 5 .)u -- >\C-L- .-t -;-t t s t' ! -,1 oa\ \tF-' U + { ? e.) -t p o -/ s \ \ \) \,^ J Ur/ x' {s ( u1 b*- -J( \ '- t t\ t(- ).

254 views • 23 slides
VT VTQ Re Research: arch: Ge Getti tting ng Te Technical hnical Paul ul E. Newto ton AO

VT VTQ Re Research: arch: Ge Getti tting ng Te Technical hnical Paul ul E. Newto ton AO

VT VTQ Re Research: arch: Ge Getti tting ng Te Technical hnical Paul ul E. Newto ton AO O Foru rum, m, London, don, 14 May 2019 Technical hnical research earch into to GQ- like tests and exams be like Using Hierarchical

550 views • 34 slides
Humber Local Enterprise Partnership Skills Network 19 th January 2016 Iain Elliott Skills

Humber Local Enterprise Partnership Skills Network 19 th January 2016 Iain Elliott Skills

Humber Local Enterprise Partnership Skills Network 19 th January 2016 Iain Elliott Skills Network Chair Dr Cathy Taylor Executive Principal, Sirius Multi Academy Trust Welcome Iain Elliott Skills Network Chair Introduction and Review

523 views • 36 slides
PVMD Delft University of Technology Learning objectives 1. PV module design 2. Electrical

PVMD Delft University of Technology Learning objectives 1. PV module design 2. Electrical

IV Curve from Cell to Module Part 1 Olindo Isabella PVMD Delft University of Technology Learning objectives 1. PV module design 2. Electrical properties 1. IV curve from cell to module Ideal module Non-ideal module

238 views • 5 slides

More recommend