threshold implementations comprehend and apply
play

Threshold Implementations: Comprehend and Apply Svetla Nikova, KU - PowerPoint PPT Presentation

Jan 08, 2024 •307 likes •1.29k views

Outline Preliminaries Comprehend the TI Applying TI Conclusion Threshold Implementations: Comprehend and Apply Svetla Nikova, KU Leuven, Belgium July 4rd, 2013 1 / 97 Outline Preliminaries Comprehend the TI Applying TI Conclusion

  1. Outline Preliminaries Comprehend the TI Applying TI Conclusion Threshold Implementations: Comprehend and Apply Svetla Nikova, KU Leuven, Belgium July 4rd, 2013 1 / 97

  2. Outline Preliminaries Comprehend the TI Applying TI Conclusion Preliminaries Side-channel attacks Countermeasures Masking Glitches Comprehend the TI What is TI? Notations, Definitions and Proofs Uniformity Affine Equivalence Classes Applying TI Sharing Techniques Decomposing small S-boxes HW implementations small S-boxes HW implementations AES Conclusion 2 / 97

  3. Outline Preliminaries Comprehend the TI Applying TI Conclusion Preliminaries Side-channel attacks Countermeasures Masking Glitches Comprehend the TI What is TI? Notations, Definitions and Proofs Uniformity Affine Equivalence Classes Applying TI Sharing Techniques Decomposing small S-boxes HW implementations small S-boxes HW implementations AES Conclusion 3 / 97

  4. Outline Preliminaries Comprehend the TI Applying TI Conclusion Side-channel attacks • Normal attacks: c = E ( k , p ) • Known plaintext: equations in the key • High nonlinearity, difficult to solve • Device executing the cryptographic algorithm leaks information on internal state • Instantaneous leakage depends on intermediate variables, which results in equations • That have lower nonlinearity • That may contain noise 4 / 97

  5. Outline Preliminaries Comprehend the TI Applying TI Conclusion Countering power attacks • Ensure constant power consumption • Constant instruction sequence • Use special hardware logic styles • Avoid statistical correlation between secret key and data processed • Masking • Counters attacks that use repeated measurements and statistics to remove the noise 5 / 97

  6. Outline Preliminaries Comprehend the TI Applying TI Conclusion Countermeasures at different levels • Hardware logic style → Relieves cryptographers BUT places burden on hardware designers • Algorithms and implementations → Probably lowest feasible level • Ciphers and Protocols → New standards, takes time 6 / 97

  7. Outline Preliminaries Comprehend the TI Applying TI Conclusion Countermeasures We NEED secure implementations against DPA 7 / 97

  8. Outline Preliminaries Comprehend the TI Applying TI Conclusion Countermeasures We NEED secure implementations against DPA • Hardware countermeasures • Balancing power consumption [Tiri et al., CHES’03] • · · · • Masking • Masking intermediate values [Chari et al., CRYPTO’99; Goubin et al., CHES’99] • Threshold Implementations [Nikova et al., ICISC’08] • Shamir’s Secret Sharing [Goubin et al., CHES’11; Prouff et al., CHES’11] • · · · • Leakage-Resilient Crypto Problem: Unfeasible circuit size, glitches 8 / 97

  9. Outline Preliminaries Comprehend the TI Applying TI Conclusion Countermeasures We NEED secure implementations against DPA • Hardware countermeasures • Balancing power consumption [Tiri et al., CHES’03] • · · · • Masking • Masking intermediate values [Chari et al., CRYPTO’99; Goubin et al., CHES’99] • Threshold Implementations [Nikova et al., ICISC’08] • Shamir’s Secret Sharing [Goubin et al., CHES’11; Prouff et al., CHES’11] • · · · • Leakage-Resilient Crypto Problem: Unfeasible circuit size, glitches 9 / 97

  10. Outline Preliminaries Comprehend the TI Applying TI Conclusion Masking Randomized redundant representation: v → ( v 1 , . . . , v n ) such that v = v 1 ∗ . . . ∗ v n n -th order masking: all n − 1 intermediate variables are independent of v The adversary needs to identify n leakage samples and combine their information Boolean masking: v 1 = v ⊕ m , v 2 = m Multiplicative masking (zero-value problem): v 1 = v ∗ m , v 2 = m Affine Masking: v 1 = v ∗ m ⊕ m 2 , v 2 = m 1 , v 3 = m 2 10 / 97

  11. Outline Preliminaries Comprehend the TI Applying TI Conclusion Masking in Software Masking Table Look-Ups Two tables have to be computed T and T m , where T m ( v ⊕ m ) = T ( v ) ⊕ m Consequences: the computational effort and amount of memory increases. 11 / 97

  12. Outline Preliminaries Comprehend the TI Applying TI Conclusion Problems with masking • Unintentional unmasking, • Glitches HD ( v m , w m ) = HW ( v m ⊕ w m ) = HW ( v ⊕ w ) 12 / 97

  13. Outline Preliminaries Comprehend the TI Applying TI Conclusion Glitches Temporary states of the output 13 / 97

  14. Outline Preliminaries Comprehend the TI Applying TI Conclusion Glitches Temporary states of the output z = x AND y , where x m = x ⊕ m x , y m = y ⊕ m y z m = x m y m ⊕ ( m y x m ⊕ ( m x y m ⊕ ( m x m y ⊕ m z ))) 14 / 97

  15. Outline Preliminaries Comprehend the TI Applying TI Conclusion Glitches Temporary states of the output z = x AND y , where x m = x ⊕ m x , y m = y ⊕ m y z m = x m y m ⊕ ( m y x m ⊕ ( m x y m ⊕ ( m x m y ⊕ m z ))) 15 / 97

  16. Outline Preliminaries Comprehend the TI Applying TI Conclusion Glitches Temporary states of the output z = x AND y , where x m = x ⊕ m x , y m = y ⊕ m y z m = x m y m ⊕ ( m y x m ⊕ ( m x y m ⊕ ( m x m y ⊕ m z ))) 16 / 97

  17. Outline Preliminaries Comprehend the TI Applying TI Conclusion Glitches Temporary states of the output z = x AND y , where x m = x ⊕ m x , y m = y ⊕ m y z m = x m y m ⊕ ( m y x m ⊕ ( m x y m ⊕ ( m x m y ⊕ m z ))) y m y y m AND XOR 0 0 0 0 0 0 1 1 2 2 1 0 1 1 1 1 1 0 1 2 17 / 97

  18. Outline Preliminaries Comprehend the TI Applying TI Conclusion Why TI? Threshold Implementations • Any hardware technology • Realistic size • Provably secure against 1 st order DPA 18 / 97

  19. Outline Preliminaries Comprehend the TI Applying TI Conclusion Why TI? Threshold Implementations • Any hardware technology • Realistic size • Provably secure against 1 st order DPA So far, • Noekeon [Nikova et al., ICISC’08] • Multiplication in GF (4) [Nikova et al., ICISC’08] • Keccak [Bertoni et al., SHA-3 candidates’10] • Present [Poschmann et al., J.Cryptology’11] • AES [Moradi et al., Eurocrypt’11] • All 3 × 3 and 4 × 4 S-boxes [Bilgin et al., CHES’12] • etc. 19 / 97

  20. Outline Preliminaries Comprehend the TI Applying TI Conclusion Preliminaries Side-channel attacks Countermeasures Masking Glitches Comprehend the TI What is TI? Notations, Definitions and Proofs Uniformity Affine Equivalence Classes Applying TI Sharing Techniques Decomposing small S-boxes HW implementations small S-boxes HW implementations AES Conclusion 20 / 97

  21. Outline Preliminaries Comprehend the TI Applying TI Conclusion What is TI? S() ( x, y, z, . . . ) ( a, b, c, . . . ) 21 / 97

  22. Outline Preliminaries Comprehend the TI Applying TI Conclusion What is TI? S 1 ( x 1 , y 1 , z 1 , . . . ) ( a 1 , b 1 , c 1 , . . . ) ( x 2 , y 2 , z 2 , . . . ) ( a 2 , b 2 , c 2 , . . . ) S 2 . . . . . . . . . S s ( x s , y s , z s , . . . ) ( a s , b s , c s , . . . ) 22 / 97

  23. Outline Preliminaries Comprehend the TI Applying TI Conclusion What is TI? S 1 ( x 1 , y 1 , z 1 , . . . ) ( a 1 , b 1 , c 1 , . . . ) ( x 2 , y 2 , z 2 , . . . ) S 2 ( a 2 , b 2 , c 2 , . . . ) . . . . . . . . . S s ( x s , y s , z s , . . . ) ( a s , b s , c s , . . . ) • Non-complete 23 / 97

  24. Outline Preliminaries Comprehend the TI Applying TI Conclusion What is TI? S 1 ( x 1 , y 1 , z 1 , . . . ) ( a 1 , b 1 , c 1 , . . . ) ⊕ ⊕ ( x 2 , y 2 , z 2 , . . . ) S 2 ( a 2 , b 2 , c 2 , . . . ) ⊕ ⊕ . . . . . . . . . ⊕ ⊕ S s ( x s , y s , z s , . . . ) ( a s , b s , c s , . . . ) = = ( a, b, c, . . . ) ( x, y, z, . . . ) • Correct • Non-complete 24 / 97

  25. Outline Preliminaries Comprehend the TI Applying TI Conclusion What is TI? S 1 ( x 1 , y 1 , z 1 , . . . ) ( a 1 , b 1 , c 1 , . . . ) ⊕ ⊕ ( x 2 , y 2 , z 2 , . . . ) S 2 ( a 2 , b 2 , c 2 , . . . ) ⊕ ⊕ . . . . . . . . . ⊕ ⊕ S s ( x s , y s , z s , . . . ) ( a s , b s , c s , . . . ) = = ( a, b, c, . . . ) ( x, y, z, . . . ) • Correct • Non-complete • Uniform 25 / 97

  26. Outline Preliminaries Comprehend the TI Applying TI Conclusion Uniformity • S-boxes: If S ( x ) = a is a bijection, then S ( x 1 , x 2 , x 3 ) = ( a 1 , a 2 , a 3 ) is also a bijection. 26 / 97

  27. Outline Preliminaries Comprehend the TI Applying TI Conclusion Uniformity • S-boxes: If S ( x ) = a is a bijection, then S ( x 1 , x 2 , x 3 ) = ( a 1 , a 2 , a 3 ) is also a bijection. • Multiplication: x y a=x AND y a (0,0,0) (0,0,1) (0,1,0) (0,1,1) (1,0,0) (1,0,1) (1,1,0) (1,1,1) 0 0 0 0 4 0 0 4 0 4 4 0 0 1 0 0 4 0 0 4 0 4 4 0 1 0 0 0 4 0 0 4 0 4 4 0 1 1 1 1 0 4 4 0 4 0 0 4 0 12 0 0 12 0 12 12 0 1 0 4 4 0 4 0 0 4 27 / 97

  28. Outline Preliminaries Comprehend the TI Applying TI Conclusion Uniform Masking and Non-completeness Let x ∈ F m denote the input of the (unshared) function f . Let X be correct and uniform masking of x i.e. X ∈ Sh ( x ), and F be a sharing of f . 28 / 97

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Threshold Implementations: Comprehend and Apply Svetla Nikova, KU Leuven, Belgium June 8, 2013

Threshold Implementations: Comprehend and Apply Svetla Nikova, KU Leuven, Belgium June 8, 2013

Outline Preliminaries Comprehend the TI Applying TI Conclusion Threshold Implementations: Comprehend and Apply Svetla Nikova, KU Leuven, Belgium June 8, 2013 1 / 112 Outline Preliminaries Comprehend the TI Applying TI Conclusion

1.14k views • 112 slides
Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure countermeasure Against (first) order power analysis based on multi party computation and secret sharing 2 Outline Threshold Implementations

990 views • 58 slides
Threshold Implementations (Efficient TI on AES) Begl Bilgin, Benedikt Gierlichs, Svetla Nikova,

Threshold Implementations (Efficient TI on AES) Begl Bilgin, Benedikt Gierlichs, Svetla Nikova,

Threshold Implementations (Efficient TI on AES) Begl Bilgin, Benedikt Gierlichs, Svetla Nikova, Ventzislav Nikov, and Vincent Rijmen Introduction Physical Attacks Active Passive (Fault Attacks) (Observing Attacks) Side Channel Attacks

644 views • 45 slides
A Threshold Cryptographic Backend for DNSSEC Francisco Cifuentes francisco@niclabs.cl 1 Key

A Threshold Cryptographic Backend for DNSSEC Francisco Cifuentes francisco@niclabs.cl 1 Key

A Threshold Cryptographic Backend for DNSSEC Francisco Cifuentes francisco@niclabs.cl 1 Key Management Implementations Back to ICANN 40 2 Key Management Implementations Needs Zones need to be re-signed PKCS#11 periodically. Keys

507 views • 14 slides
Watershed Below TMDL Threshold At TMDL Threshold Above TMDL Threshold Water Quality Overview

Watershed Below TMDL Threshold At TMDL Threshold Above TMDL Threshold Water Quality Overview

Nantucket Harbor Watershed Below TMDL Threshold At TMDL Threshold Above TMDL Threshold Water Quality Overview Routine monitoring: June-September. Water quality, dissolved oxygen, algae, eelgrass. Work with State agencies to

631 views • 19 slides
Calstate.edu/apply The new way to apply to CSU What Applicants Need to Apply Unofficial

Calstate.edu/apply The new way to apply to CSU What Applicants Need to Apply Unofficial

Calstate.edu/apply The new way to apply to CSU What Applicants Need to Apply Unofficial Transcripts T est Scores Annual Income (parent s if dependent) Social Security Number Citizenship Status (Including paren ts if

472 views • 23 slides
Briefing Slides From Application to Assessment Why should you apply? Who can apply?

Briefing Slides From Application to Assessment Why should you apply? Who can apply?

Briefing Slides From Application to Assessment Why should you apply? Who can apply? When to apply? What is the process? Why should you apply? SPARK Certification Benefits 1. Endorsement of centre quality 2. Information to guide

322 views • 21 slides
Threshold resummation far from threshold GGI, Firenze, September 7 th , 2011 Giovanni Ridolfi

Threshold resummation far from threshold GGI, Firenze, September 7 th , 2011 Giovanni Ridolfi

Threshold resummation far from threshold GGI, Firenze, September 7 th , 2011 Giovanni Ridolfi Universit` a di Genova and INFN Genova, Italy Plan of the talk: 1. When is threshold resummation relevant? 2. Ambiguities in resummed results

939 views • 69 slides
Polynomial threshold functions and Boolean threshold circuits Kristoffer Arnsfelt Hansen 1

Polynomial threshold functions and Boolean threshold circuits Kristoffer Arnsfelt Hansen 1

Polynomial threshold functions and Boolean threshold circuits Kristoffer Arnsfelt Hansen 1 Vladimir V. Podolskii 2 1 Aarhus University 2 Steklov Mathematical Institute MFCS 2013 1 / 27 Boolean Threshold Functions Boolean function f : { a , b } n

927 views • 44 slides
OPT Basics How to Apply When to Apply What to Expect 1 What Is OPT? O ptional P ractical T

OPT Basics How to Apply When to Apply What to Expect 1 What Is OPT? O ptional P ractical T

OPT Basics How to Apply When to Apply What to Expect 1 What Is OPT? O ptional P ractical T raining Experiential learning benefit granted to F-1 students to work in their major field of study You can apply for twelve months of OPT for

1.09k views • 65 slides
Infrequent words are more difficult to comprehend. Shashank Sonkar Computer Sc. &

Infrequent words are more difficult to comprehend. Shashank Sonkar Computer Sc. &

Infrequent words are more difficult to comprehend. Shashank Sonkar Computer Sc. & Engineering, Senior Undergraduate, IIT Kanpur. Saccade Rapid, jerky movement of the eyes Silent Reading Terminology Eye movements & Visual

661 views • 11 slides
Enter the Threshold The NIST Threshold Cryptography Project National Institute of Standards and

Enter the Threshold The NIST Threshold Cryptography Project National Institute of Standards and

Enter the Threshold The NIST Threshold Cryptography Project National Institute of Standards and Technology NIST Threshold Cryptography Workshop 2019 (#NTCW2019) March 11, 2019 @ NIST campus, Gaithersburg MD, USA Contact email:

1.21k views • 80 slides
Contracts vs. Implementations: Where? Common Eiffel Errors: Instructions for Implementations :

Contracts vs. Implementations: Where? Common Eiffel Errors: Instructions for Implementations :

Contracts vs. Implementations: Where? Common Eiffel Errors: Instructions for Implementations : inst 1 , inst 2 Contracts vs. Implementations Boolean expressions for Contracts: exp 1 , exp 2 , exp 3 , exp 4 , exp 5 feature -- Commands

231 views • 6 slides
Why use apply? Lore Dirick Instructor, DataCamp Intermediate R for Finance Meet the apply

Why use apply? Lore Dirick Instructor, DataCamp Intermediate R for Finance Meet the apply

INTERMEDIATE R FOR FINANCE Why use apply? Lore Dirick Instructor, DataCamp Intermediate R for Finance Meet the apply family Function Description apply Apply functions over array margins lapply Apply a function over a list or vector

572 views • 14 slides
Near-Threshold Computing: How Close Should We Get? Alaa R. Alameldeen Intel Labs Workshop on

Near-Threshold Computing: How Close Should We Get? Alaa R. Alameldeen Intel Labs Workshop on

Near-Threshold Computing: How Close Should We Get? Alaa R. Alameldeen Intel Labs Workshop on Near-Threshold Computing June 14, 2014 Overview High-level talk summarizing my architectural perspective on near-threshold computing

850 views • 41 slides
Calstate.edu/apply The new way to apply to CSU Please be Patient We are still in the process of

Calstate.edu/apply The new way to apply to CSU Please be Patient We are still in the process of

Calstate.edu/apply The new way to apply to CSU Please be Patient We are still in the process of designing our application with our partner. What we show you today may change between now and our June Go-live. We will continue to update this

592 views • 33 slides
z-Transform Chapter 6 Chapter 6 D I Dr. Iyad Jafar d J f Outline Outline Definition

z-Transform Chapter 6 Chapter 6 D I Dr. Iyad Jafar d J f Outline Outline Definition

z-Transform Chapter 6 Chapter 6 D I Dr. Iyad Jafar d J f Outline Outline Definition Relation Between z Transform and DTFT Relation Between z-Transform and DTFT Region of Convergence g g Common z-Transform Pairs The

1.06k views • 51 slides
Digital System Design for Circuit and Electronics Additional material Intro. VLSI: CMOS inverter

Digital System Design for Circuit and Electronics Additional material Intro. VLSI: CMOS inverter

Digital System Design for Circuit and Electronics Additional material Intro. VLSI: CMOS inverter CMOS inverter: black and white representation A counter layout Rules for design rule checking: basic rules Rules for composition Concept of

605 views • 17 slides
the GLIBv3 + Expansion Board February 2016 M. Fras, Electronics Division, MPI for Physics,

the GLIBv3 + Expansion Board February 2016 M. Fras, Electronics Division, MPI for Physics,

MDT Trigger & Readout Demonstrator using the Kintex-7 or MDT_FPGA_3 Mezzanine Card with the GLIBv3 + Expansion Board February 2016 M. Fras, Electronics Division, MPI for Physics, Munich 08 February 2016 M. Fras MPI for Physics, Munich

277 views • 14 slides
The K Project Descriptor Table Interrupt and Exception Handling Interrupt Request Keyboard

The K Project Descriptor Table Interrupt and Exception Handling Interrupt Request Keyboard

The K Project LSE Team Introduction Interrupt The K Project Descriptor Table Interrupt and Exception Handling Interrupt Request Keyboard Timer LSE Team Conclusion EPITA May 06, 2019 LSE Team (EPITA) The K Project May 06, 2019 1 /

551 views • 37 slides
Multi-Threaded Composition of Finite-State Automata Bryan Jurish Kay-Michael Wrzner

Multi-Threaded Composition of Finite-State Automata Bryan Jurish Kay-Michael Wrzner

Multi-Threaded Composition of Finite-State Automata Bryan Jurish Kay-Michael Wrzner Berlin-Brandenburg Academy of Sciences University of Potsdam jurish@bbaw.de wuerzner@uni-potsdam.de FSMNLP 2013 St. Andrews, 17 th July, 2013 FSMNLP 2013 /

379 views • 25 slides
Data Structures and Models of Computation Gerth Stlting Brodal Inauguration talk, Department

Data Structures and Models of Computation Gerth Stlting Brodal Inauguration talk, Department

Data Structures and Models of Computation Gerth Stlting Brodal Inauguration talk, Department of Computer Science, Aarhus University, February 12, 2016 Looking back... publications since 1994 STACS12 APBC13 ISAAC02 ESA10 NJC96 SWAT96

408 views • 21 slides
Previously Instance recognition Local features: detection and description Window-based

Previously Instance recognition Local features: detection and description Window-based

4/11/2011 Previously Instance recognition Local features: detection and description Window-based models for Local feature matching, scalable indexing Spatial verification generic object detection Intro to generic object

429 views • 11 slides
Efficient implementation of a spectrum scanner on a software-defined radio platform Franois

Efficient implementation of a spectrum scanner on a software-defined radio platform Franois

Efficient implementation of a spectrum scanner on a software-defined radio platform Franois Quitin, Riccardo Pace Universit libre de Bruxelles (ULB), Belgium 1 Context and objectives Regulators need to detect abusive usage of RF spectrum

379 views • 21 slides

More recommend