Threshold Implementations, Svetla Nikova (PowerPoint presentation)

  1. Threshold Implementations Svetla Nikova

  2. Threshold Implementations
     • A provably secure countermeasure
     • Against (first-)order power analysis, based on multi-party computation and secret sharing

  3. Outline
     • Threshold Implementations (update)
     • Applications of TI
     • Higher-order TI

  4. Countermeasures
     • Hardware countermeasures: balancing power consumption [Tiri et al., CHES’03]
     • Masking: randomizing intermediate values [Chari et al., Crypto’99; Goubin et al., CHES’99]
       – Threshold Implementations [Nikova et al., ICICS’06]
       – Shamir’s Secret Sharing [Goubin et al., Prouff et al., CHES’11]
     • Leakage-Resilient Crypto

  5. Threshold Implementations
     (diagram: the unshared input (x, y, z, ...) goes through S() to the output (a, b, c, ...))
     “Threshold Implementations …”, S. Nikova, V. Rijmen et al., 2006, 2008, 2010 (JoC).

  6. Threshold Implementations
     (diagram: the input is split into shares (x_1, y_1, z_1, ...), (x_2, y_2, z_2, ...), …, (x_s, y_s, z_s, ...); each share tuple is processed by its own component function S_1(), S_2(), …, S_s(), which produces the output shares (a_1, b_1, c_1, ...), …, (a_s, b_s, c_s, ...))

  7. Threshold Implementations
     (diagram as on slide 6, now with the sums shown: the input shares add up to (x, y, z, ...) and the output shares add up to (a, b, c, ...) = S(x, y, z, ...))
     Correct, Non-complete, Uniform

  8. Threshold Implementations (diagram of slide 7 repeated) Correct, Non-complete, Uniform

  9. Threshold Implementations (diagram of slide 7 repeated) Correct, Non-complete, Uniform

  10. Threshold Implementations: Non-completeness
      To protect a function of degree d, at least d+1 shares are required

  11. Threshold Implementations (diagram of slide 7 repeated) Correct, Non-complete, Uniform

  12. Threshold Implementations: Uniformity
      (diagram: inputs a, b and output f of the example f = a AND b)

  13. Threshold Implementations: Uniformity
      If the unshared function is a permutation, the shared function should also be a permutation

  14. Threshold Implementations
      (diagram: a single component S_i beside the complete S)
      No leak even in the presence of glitches!

  15. Threshold Implementations: Uniformity
      (diagram of f)

  16. Threshold Implementations: Uniformity and a remedy
      • Firstly, we can apply re-masking, i.e. by adding new masks to the shares we make the distribution uniform.
      • Secondly, we can impose an extra condition on F, such that the distribution of the output is always uniform.
      • If X, the masking of x, is uniform and the circuit F is uniform, then the masking Y = F(X) of y = f(x) is uniform.

  17. Threshold Implementations: Observations
      ✓ Linear functions are easy to protect
      • As the nonlinearity increases
        x DPA becomes easier
        x Sharing becomes costly
        ✓ S-boxes become mathematically stronger
      Decomposing nonlinear functions
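A worked check of the three TI properties on the 2-input AND gate, as an added example that is not part of the slides. The 3-share realization `and3` is the classic one from Nikova et al.; the helper names (`is_correct`, `is_noncomplete`, `is_uniform`, `and3_remasked`, `xor3`, `two_share_and_exists`) are this example's own. Because the inputs are single bits, every sharing can be enumerated: the code confirms that the 3-share AND is correct and non-complete but not uniform (slide 12), that adding two fresh mask bits restores uniformity (the first remedy of slide 16), that the share-wise XOR is uniform as it stands (linear functions are easy, slide 17), and that no non-complete 2-share AND exists at all (the d+1 bound of slide 10).

```python
from itertools import product
from collections import Counter


def xor_all(bits):
    """XOR of a tuple of bits: the unshared value behind a sharing."""
    v = 0
    for b in bits:
        v ^= b
    return v


def sharings(x, s):
    """All s-tuples of bits whose XOR is x (every valid sharing of x)."""
    return [t for t in product((0, 1), repeat=s) if xor_all(t) == x]


def flip(shares, i):
    """Return the share tuple with share i inverted."""
    return shares[:i] + (shares[i] ^ 1,) + shares[i + 1:]


def and3(a, b):
    """Classic 3-share realization of f(a, b) = a AND b (after Nikova et al.):
    component i never reads share i of either input."""
    a1, a2, a3 = a
    b1, b2, b3 = b
    f1 = (a2 & b2) ^ (a2 & b3) ^ (a3 & b2)   # independent of a1, b1
    f2 = (a3 & b3) ^ (a1 & b3) ^ (a3 & b1)   # independent of a2, b2
    f3 = (a1 & b1) ^ (a1 & b2) ^ (a2 & b1)   # independent of a3, b3
    return (f1, f2, f3)


def and3_remasked(a, b, r):
    """Remedy 1 of slide 16: add fresh masks r = (r1, r2) to the output shares.
    The XOR of the three shares, and hence the unshared value, is unchanged."""
    r1, r2 = r
    f1, f2, f3 = and3(a, b)
    return (f1 ^ r1, f2 ^ r2, f3 ^ r1 ^ r2)


def xor3(a, b):
    """A linear function is shared by applying it share-wise."""
    return tuple(ai ^ bi for ai, bi in zip(a, b))


def is_correct(components, s, f):
    """XOR of the output shares must equal f applied to the unshared inputs."""
    return all(xor_all(components(A, B)) == f(a, b)
               for a, b in product((0, 1), repeat=2)
               for A in sharings(a, s) for B in sharings(b, s))


def is_noncomplete(components, s):
    """Every component must be independent of at least one share of each input."""
    inputs = list(product(product((0, 1), repeat=s), repeat=2))
    for j in range(s):                       # component j
        for var in (0, 1):                   # input variable a or b
            independent_of_some_share = False
            for i in range(s):               # candidate share index
                changed = False
                for A, B in inputs:
                    Af, Bf = (flip(A, i), B) if var == 0 else (A, flip(B, i))
                    if components(Af, Bf)[j] != components(A, B)[j]:
                        changed = True
                        break
                if not changed:
                    independent_of_some_share = True
                    break
            if not independent_of_some_share:
                return False
    return True


def is_uniform(components, s, rand_bits=0):
    """For every unshared input, each valid output sharing must occur equally
    often over all input sharings (and all values of the fresh randomness)."""
    for a, b in product((0, 1), repeat=2):
        hist = Counter()
        for A in sharings(a, s):
            for B in sharings(b, s):
                for r in product((0, 1), repeat=rand_bits):
                    hist[components(A, B, r) if rand_bits else components(A, B)] += 1
        if len(hist) != 2 ** (s - 1) or len(set(hist.values())) != 1:
            return False
    return True


def two_share_and_exists():
    """Exhaustive search for a non-complete 2-share AND: f1 may only read (a2, b2)
    and f2 only (a1, b1). The cross term a1*b2 can never appear, so none exists."""
    for t1, t2 in product(range(16), repeat=2):      # all 2-input Boolean functions
        f1 = lambda x, y, t=t1: (t >> (2 * x + y)) & 1
        f2 = lambda x, y, t=t2: (t >> (2 * x + y)) & 1
        if all(f1(a2, b2) ^ f2(a1, b1) == (a1 ^ a2) & (b1 ^ b2)
               for a1, a2, b1, b2 in product((0, 1), repeat=4)):
            return True
    return False


if __name__ == "__main__":
    print("AND, 3 shares: correct", is_correct(and3, 3, lambda a, b: a & b),
          "non-complete", is_noncomplete(and3, 3), "uniform", is_uniform(and3, 3))
    print("AND, 3 shares + re-masking: uniform", is_uniform(and3_remasked, 3, rand_bits=2))
    print("XOR, 3 shares: uniform", is_uniform(xor3, 3))
    print("non-complete 2-share AND exists:", two_share_and_exists())
```

The uniformity failure of `and3` is easy to see by hand: whenever all three shares of a (or of b) are zero, every component outputs zero, so the output sharing (0, 0, 0) is hit far more often than the other three sharings of 0. Re-masking fixes this at the price of two fresh random bits per AND, which is exactly the "random bits per S-box" cost reported on the AES slides later in the deck.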

  18. Threshold Implementations: Decomposing nonlinear functions
      S = G o F
      • Most of the block ciphers use 4x4 permutations
      • 4x4 permutations have at most degree 3

  19. Threshold Implementations: Decomposing nonlinear functions
      S = G o F
      • All n x n affine bijections are in the alternating group A_{2^n}
      • All 4x4 quadratic S-boxes belong to A_16
      • A 4x4 bijection can be decomposed using quadratic bijections IFF it belongs to A_16

  20. Threshold Implementations: Decomposing nonlinear functions
      S = G o F
      • 302 affine equivalence classes of 4x4 S-boxes (S’ = A o S o B)
      • Half of the 4x4 S-boxes belong to A_16 (3 shares)
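An added example, not taken from the slides or from the TI tools page, that evaluates the slide-19 criterion on concrete lookup tables: the algebraic degree of a 4x4 S-box is read off its ANF (Möbius transform), and membership in A_16 is decided by the parity of the permutation. `PRESENT_SBOX` is the S-box of the PRESENT specification; `toffoli_pair`, `AFFINE` and `SWAP01` are constructed here, and `classify` is this example's own name for labelling a table with the row names used on the classification slides. The parity test only decides whether a quadratic decomposition exists; it does not search for the factors G and F.

```python
# S-box of the PRESENT block cipher, from the cipher specification.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def anf(truth_table):
    """Möbius transform: truth table of a Boolean function (indexed by the input
    value) -> ANF coefficients, indexed by the bit mask of the monomial."""
    coeffs = list(truth_table)
    n = len(coeffs).bit_length() - 1
    for i in range(n):
        for x in range(len(coeffs)):
            if x & (1 << i):
                coeffs[x] ^= coeffs[x ^ (1 << i)]
    return coeffs


def algebraic_degree(sbox, n=4):
    """Largest monomial weight over all n coordinate functions of the S-box."""
    deg = 0
    for bit in range(n):
        coeffs = anf([(sbox[x] >> bit) & 1 for x in range(1 << n)])
        for mono, c in enumerate(coeffs):
            if c:
                deg = max(deg, bin(mono).count("1"))
    return deg


def is_bijection(sbox):
    return sorted(sbox) == list(range(len(sbox)))


def is_even_permutation(sbox):
    """Parity from the cycle decomposition: a cycle of length L is L-1 transpositions."""
    seen = [False] * len(sbox)
    transpositions = 0
    for start in range(len(sbox)):
        if seen[start]:
            continue
        x, length = start, 0
        while not seen[x]:
            seen[x] = True
            x = sbox[x]
            length += 1
        transpositions += length - 1
    return transpositions % 2 == 0


def in_alternating_group(sbox):
    """Slide-19 criterion: a 4x4 bijection decomposes into quadratic bijections
    exactly when it lies in A_16, i.e. when it is an even permutation."""
    return is_bijection(sbox) and is_even_permutation(sbox)


def compose(g, f):
    """S = G o F on lookup tables: S[x] = G[F[x]]."""
    return [g[f[x]] for x in range(len(f))]


def toffoli_pair(x):
    """Constructed quadratic bijection: two Toffoli gates applied in sequence."""
    x0, x1, x2, x3 = (x >> 0) & 1, (x >> 1) & 1, (x >> 2) & 1, (x >> 3) & 1
    x2 ^= x0 & x1
    x3 ^= x1 & x2
    return x0 | (x1 << 1) | (x2 << 2) | (x3 << 3)


QUADRATIC = [toffoli_pair(x) for x in range(16)]   # constructed, degree 2
AFFINE = [x ^ 0x5 for x in range(16)]              # constructed, degree 1
SWAP01 = list(range(16))                           # constructed: one transposition
SWAP01[0], SWAP01[1] = 1, 0


def classify(sbox):
    """Label a 4x4 S-box with the row names of the classification table."""
    d = algebraic_degree(sbox)
    if d <= 1:
        return "affine"
    if d == 2:
        return "quadratic"
    return "cubic in A_16" if is_even_permutation(sbox) else "cubic in S_16 \\ A_16"


if __name__ == "__main__":
    for name, table in [("PRESENT", PRESENT_SBOX), ("QUADRATIC", QUADRATIC),
                        ("AFFINE", AFFINE), ("SWAP01", SWAP01)]:
        print(name, "degree", algebraic_degree(table), "->", classify(table),
              "| quadratic decomposition possible:", in_alternating_group(table))
```

`SWAP01` shows why degree alone is not the criterion: exchanging two table entries costs nothing in gate count but makes the permutation odd, so it leaves A_16 and can no longer be written as a composition of quadratic bijections, which is the case that forces 4 or 5 shares in the table that follows. Composing with an even permutation (a quadratic or affine bijection) never changes the parity, which is the slide's statement that affine equivalence preserves the classification.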

  21. Threshold Implementations: Decomposing nonlinear functions
      Number of affine equivalence classes of 4x4 S-boxes that can be shared with 3, 4 or 5 shares. The slide splits the 3-share and 4-share columns into sub-columns 1–4 and 1–3 (the number of stages in the decomposition); where the slide lists several counts in one group they are given here as a sum, in the slide's order.
      | remark                | unshared | 3 shares (stages 1–4) | 4 shares (stages 1–3) | 5 shares |
      | affine                | 1        | 1                     | 1                     | 1        |
      | quadratic             | 6        | 5 + 1                 | 6                     | 6        |
      | cubic in A_16         | 30       | 28 + 2                | 30                    | 30       |
      | cubic in A_16         | 114      | 113 + 1               | 114                   | 114      |
      | cubic in S_16 \ A_16  | 151      | -                     | 4 + 22 + 125          | 151      |
      “Threshold Implementations of All 3×3 and 4×4 S-Boxes”, B. Bilgin et al., CHES 2012.

  22. Threshold Implementations: Decomposing nonlinear functions (table of slide 21 repeated) Uniformity problem

  23. Threshold Implementations: Decomposing nonlinear functions (table of slide 21 repeated) Many S-boxes with good cryptographic properties

  24. Threshold Implementations: Decomposing nonlinear functions (table of slide 21 repeated) http://homes.esat.kuleuven.be/~snikova/ti_tools.html

  25. Outline
      • Threshold Implementations (update)
      • Applications of TI
      • Higher-order TI

  26. Applications - PRESENT
      • “Side-Channel Resistant Crypto for less than 2300 GE”, A. Poschmann et al., JOC 2010.
      • uses 4x4 S-box with degree 3
      • Implemented with 3 shares
      • 3.3 kGE (1.1 kGE unprotected)
      • 31×(16+1)+20 = 547 cycles

  27. Applications - PRESENT
      • “On 3-share Threshold Implementations for 4-bit S-boxes”, S. Kutzner et al., COSADE 2013.
      • Implemented with 3 shares: S’ = G(G(.))
      • G_1 = G_2 = G_3
      • 3.0 kGE (-200 GE S-box)
      • 31×(16×6)+20 = 2996 cycles

  28. Applications
      • “Enabling 3-share Threshold Implementations for any 4-bit S-box”, S. Kutzner et al., ePrint Archive 2012.
      • Factorization S(.) = U(.) + V(.)
      • U(.) contains all the cubic terms, V(.) is quadratic
      • U(.) = F(G(.)) with quadratic F(.) and G(.)

  29. Applications - AES
      • “Pushing the Limits: A Very Compact and a Threshold Implementation of AES”, A. Moradi et al., Eurocrypt 2011.
      • uses 8x8 S-box with degree 7; 3 shares
      • Tower field approach down to GF(4); re-sharing (48 random bits per S-box)
      • 11.1 kGE (2.4 kGE unprotected)
      • 266 cycles (226 unprotected)

  30. Applications - AES
      (diagram: the tower-field AES S-box, with a linear input map, a GF(2^4) square-scaler, GF(2^4) multipliers and XORs, a GF(2^4) inverter and a linear output map)
      • “A More Efficient AES Threshold Implementation”, B. Bilgin et al., Africacrypt 2014.
      • Implemented with n shares
      • Tower field approach down to GF(16); re-sharing (44 random bits per S-box)
      • 8.2 kGE (-2.9 kGE)
      • 246 cycles (-20 cycles)

  31. TI on AES S-box
      (diagram: the tower-field S-box of slide 30, annotated stage by stage with the number of shares used)
      5 shares

  32. TI on AES S-box: 5 shares; 4 input / 3 output shares

  33. TI on AES S-box: 5 shares; 4 input / 3 output shares; 2 shares

  34. TI on AES S-box: 5 shares; 4 input / 3 output shares; 2 shares; 4 shares

  35. TI on AES S-box: 5 shares; 4 input / 3 output shares; 2 shares; 4 shares; 3 shares

  36. TI on AES S-box: as slide 35, with registers after every nonlinear function

  37. TI on AES S-box: as slide 36, with re-masking to change the number of shares

  38. TI on AES: Implementation Results (area in GE)
      | Design        | State Array | Key Array | S-box | Mix Col. | Cont. | MUXes | Other | Total       | cycles | rand bits** |
      | Moradi et al. | 2529        | 2526      | 4244  | 1120     | 166   | 376   | 153   | 11114/11031 | 266    | 48          |
      | This paper    | 1698        | 1890      | 3708  | 770      | 221   | 746   | 69    | 9102        | 246    | 44          |
      | This paper*   | 1698        | 1890      | 3003  | 544      | 221   | 746   | 69    | 8171        | 246    | 44          |
      * compile_ultra   ** per S-box
      • Based on plain Canright S-box (233 GE)
      • Based on plain Moradi et al.’s AES (2.4 GE)
      • Keeping hierarchy

  39. TI on AES: Practical Security Evaluation
      • PRNG on, first-order DPA / correlation collision attack
      • 10 million traces

  40. TI on AES: Practical Security Evaluation
      • PRNG on, second-order DPA
      • HD model at S-box output

  41. TI on AES: Practical Security Evaluation
      • PRNG on, second-order correlation collision attack
