Tight Private Circuits: Achieving Probing Security with the Least - - PowerPoint PPT Presentation

tight private circuits achieving probing security with
SMART_READER_LITE
LIVE PREVIEW

Tight Private Circuits: Achieving Probing Security with the Least - - PowerPoint PPT Presentation

Jan 23, 2024 134 likes •657 views

Tight Private Circuits: Achieving Probing Security with the Least Refreshing Sonia Belaid, Dahmun Goudarzi, and Matthieu Rivain dahmun.goudarzi@pqshield.com 1 Side-Channel Attacks and Higher-Order Masking in 1 in 2 in 3

slide-1
SLIDE 1

1

Tight Private Circuits:
 Achieving Probing Security with the Least Refreshing

Sonia Belaid, Dahmun Goudarzi, and Matthieu Rivain dahmun.goudarzi@pqshield.com

slide-2
SLIDE 2

Side-Channel Attacks and Higher-Order Masking

2

in1 in2 in3 ⊕ ⊗ ⊗ ⊕

For each in, in = m1 + m2 + … + md

2

  • Higher-Order Masking:
slide-3
SLIDE 3

Implementation Transformation

3

x y z

⊕ ⊗ ⊗ ⊕

[x] [y] [z] ⊗ [ ] ⊕ [ ] ⊗ [ ] ⊗ [ ] ⊗ [ ] R

⊕ [ ]

[x] d-sharing addition gadget : :

⊗ [ ] R

multiplication gadget refresh gadget : :

3

slide-4
SLIDE 4

Secure Gadgets

4 4

[x] [y] [z] = [x + y] ⊕ [ ] R ⊗ [ ] [x] [y] [z] = [x ⋅ y] [x] [z] = [x]

Addition gadget Multiplication gadget Refresh gadget

  • Addition gadget:
  • Refresh gadget:

[x] + [y] = (x1 + y1, x2 + y2, …, xd + yd) Ref([x]) = [x] [1]

⊗ [ ]

slide-5
SLIDE 5

5 5

ISW Multiplication

  • Ishai, Sahai, Wager. Private Circuits: Securing Hardware against Probing Attacks (Crypto 2003)

  • Compute the cross products
  • Pack the cross products to get output shares
  • Interleave of fresh randomness in the packing


to avoir security flaws d2 d

      c1 c2 . . . cd       =       a1b1 a1b2 . . . a1bd a2b1 a2b2 . . . . . . . . . . . . ... . . . adb1 adb2 . . . adbd       +       r1,2 . . . r1,d r1,2 . . . . . . ... rd,d−1 r1,d rd,d−1      

<latexit sha1_base64="JiY7sU4veOIJlTH5NLjyieyRkY=">AGj3ictVRdb9MwFM1WKN8beORF4uJCokxYrdZkgfQgBd4GxLbkJoqchynteZ8yHamli/iJ/CL+Df4KTt1qR94QFLkU6Oz73Bs7QcaZVKb5Z2e3c+9+98Hew96jx0+ePts/OLyUaS4IvSApT8WPAEvKWUIvFOc/sgExXHA6Vw/bnav7qhQrI0+a7mGR3HeJKwiBGsNOUf7P7yAjphSZHFWAk2K3vEh57X87IpTlQaF95NmCpZEh9VbP0CNCJ+2PNoEt7Fve+1M4Hlwj4MfAj6C4A08Oo0SyKs8t1p0UqLmtq72ivtkumvgbAC27TYD1d5w7YHTbSbebOlGVOLC68e+UhMgnFhnrhoYA7dY/PEGgxcG2qATMuETin8Ah6jsgRrhdrBEDomQjrGrJcGrusgaC2Cw7Ks7f9zxX5tdNvU+uB2RFvsIMt0aheWbdl2BYust1BlTk8Dt/C7Ygsk6hudGFc9vFomy72NC2Xasqdupq+xoMHGS61lqxqpHWV/H3j1Z1wCaAS3BkLNe5Pt6/9SBIHtNEY6lHEzU+MC8UIp2XPyXNMLnGEzrSMExleOitlqCV5oJQZQK/SQK1Ox6RIFjKedxoJXa4VS29ypy294oV5EzLliS5YomZFEoyjlQKajuKAiZoETxuQaYCKa9AjLFAhOlb3KjSpVbyEiW2s3yCkVdENW2/PGXPBm4Sa0lTQuBUqBJ6XoMFNBM6mjMxatGLXP1tUNokyXv2narYScBYILOZFhpWeWiI3u1RpyqUePoh4mop3hDKuv3Ec4yRsaKWKdSIRtprAQc6xmDXZYK5oxCjX4gYvUqV/uMmkRQdxq4/Z4ug1uJpSAS/18Yftw74JLtEJ1Nfy2/DozF1ehD3jhfHSeG1AwzbOjC/GuXFhkM5hx+l87HzqHnTt7ofu2UK6u7OMeW40VvfrX18FG4M=</latexit><latexit sha1_base64="JiY7sU4veOIJlTH5NLjyieyRkY=">AGj3ictVRdb9MwFM1WKN8beORF4uJCokxYrdZkgfQgBd4GxLbkJoqchynteZ8yHamli/iJ/CL+Df4KTt1qR94QFLkU6Oz73Bs7QcaZVKb5Z2e3c+9+98Hew96jx0+ePts/OLyUaS4IvSApT8WPAEvKWUIvFOc/sgExXHA6Vw/bnav7qhQrI0+a7mGR3HeJKwiBGsNOUf7P7yAjphSZHFWAk2K3vEh57X87IpTlQaF95NmCpZEh9VbP0CNCJ+2PNoEt7Fve+1M4Hlwj4MfAj6C4A08Oo0SyKs8t1p0UqLmtq72ivtkumvgbAC27TYD1d5w7YHTbSbebOlGVOLC68e+UhMgnFhnrhoYA7dY/PEGgxcG2qATMuETin8Ah6jsgRrhdrBEDomQjrGrJcGrusgaC2Cw7Ks7f9zxX5tdNvU+uB2RFvsIMt0aheWbdl2BYust1BlTk8Dt/C7Ygsk6hudGFc9vFomy72NC2Xasqdupq+xoMHGS61lqxqpHWV/H3j1Z1wCaAS3BkLNe5Pt6/9SBIHtNEY6lHEzU+MC8UIp2XPyXNMLnGEzrSMExleOitlqCV5oJQZQK/SQK1Ox6RIFjKedxoJXa4VS29ypy294oV5EzLliS5YomZFEoyjlQKajuKAiZoETxuQaYCKa9AjLFAhOlb3KjSpVbyEiW2s3yCkVdENW2/PGXPBm4Sa0lTQuBUqBJ6XoMFNBM6mjMxatGLXP1tUNokyXv2narYScBYILOZFhpWeWiI3u1RpyqUePoh4mop3hDKuv3Ec4yRsaKWKdSIRtprAQc6xmDXZYK5oxCjX4gYvUqV/uMmkRQdxq4/Z4ug1uJpSAS/18Yftw74JLtEJ1Nfy2/DozF1ehD3jhfHSeG1AwzbOjC/GuXFhkM5hx+l87HzqHnTt7ofu2UK6u7OMeW40VvfrX18FG4M=</latexit><latexit sha1_base64="JiY7sU4veOIJlTH5NLjyieyRkY=">AGj3ictVRdb9MwFM1WKN8beORF4uJCokxYrdZkgfQgBd4GxLbkJoqchynteZ8yHamli/iJ/CL+Df4KTt1qR94QFLkU6Oz73Bs7QcaZVKb5Z2e3c+9+98Hew96jx0+ePts/OLyUaS4IvSApT8WPAEvKWUIvFOc/sgExXHA6Vw/bnav7qhQrI0+a7mGR3HeJKwiBGsNOUf7P7yAjphSZHFWAk2K3vEh57X87IpTlQaF95NmCpZEh9VbP0CNCJ+2PNoEt7Fve+1M4Hlwj4MfAj6C4A08Oo0SyKs8t1p0UqLmtq72ivtkumvgbAC27TYD1d5w7YHTbSbebOlGVOLC68e+UhMgnFhnrhoYA7dY/PEGgxcG2qATMuETin8Ah6jsgRrhdrBEDomQjrGrJcGrusgaC2Cw7Ks7f9zxX5tdNvU+uB2RFvsIMt0aheWbdl2BYust1BlTk8Dt/C7Ygsk6hudGFc9vFomy72NC2Xasqdupq+xoMHGS61lqxqpHWV/H3j1Z1wCaAS3BkLNe5Pt6/9SBIHtNEY6lHEzU+MC8UIp2XPyXNMLnGEzrSMExleOitlqCV5oJQZQK/SQK1Ox6RIFjKedxoJXa4VS29ypy294oV5EzLliS5YomZFEoyjlQKajuKAiZoETxuQaYCKa9AjLFAhOlb3KjSpVbyEiW2s3yCkVdENW2/PGXPBm4Sa0lTQuBUqBJ6XoMFNBM6mjMxatGLXP1tUNokyXv2narYScBYILOZFhpWeWiI3u1RpyqUePoh4mop3hDKuv3Ec4yRsaKWKdSIRtprAQc6xmDXZYK5oxCjX4gYvUqV/uMmkRQdxq4/Z4ug1uJpSAS/18Yftw74JLtEJ1Nfy2/DozF1ehD3jhfHSeG1AwzbOjC/GuXFhkM5hx+l87HzqHnTt7ofu2UK6u7OMeW40VvfrX18FG4M=</latexit><latexit sha1_base64="KWKBug961RQMDzCtU06Rjo89n0Y=">AD03ictZNLb9NAEIC3CY8SCrRnLhYVEqdgc4EjEheORSJtpTSqZtfjZJV9WLNjFGP5jrgxM/iF/Bv2Dg5YKdXRlp9M3svHZWlkYHTtM/R6PxvfsPHh4/mjw+mTx5+uz05DL4ihTOlDeriUENrhjDUbvC4JwUqDV3L9YWu/+oIUtHefuS5xYWHpdKEVcEQXt6fn6TtJDlUsr1yLvZyezb6fZN7Vl0rAyEM/SkhcNEGtlsJ3cVAFLUGtY4jyqDiyGRdPV2SYvI8mTwlM8jpO/nujARtCbWX0tMCrMLRt4V2ecXFu0WjXVkxOrVLVFQmYZ9sm05yTajY1FEBRTrWmqgVECiOo+l2camUIT2ztw9uELCA7eu/P8csSLTB7xCT2gHV4mgbpMeWxKUK602A8x6/XWAymVRGs/7qrcORksCqpsSOE7NhcMu2XsT4vCTwnhPrxVqE9/YWnB5zewjYEoHzQBsjJAmz6VNWOh0UTnHifPcYPdcoClHfSx2a1ej3WIpWnj9mfDXT9ULt9Ms3SafUrFsXguXohXIhNvxXvxUVyImVAiF9/Fr7Ecfxv/2P2S0dH+u5yJnox/gWn1K</latexit><latexit sha1_base64="WQkmL3e4vs7hIfA4vQ1lzS30Ckg=">AGhHictVRdb9MwFM1WKM2PbKi8VEhcQYsbsyQNowAuPQ2IfUlNFjuO0Vp0P2c7UEuUX8VP4BfwbnLTdmrQvPGAp0snxvfece2MnyDiTyjT/7Ox2Hj3uPtl72nu2/zFy4PD/WuZ5oLQK5LyVNwGWFLOEnqlmOL0NhMUxwGnN8H0a7V/c0eFZGnyQ80zOorxOGERI1hpyj/c/eUFdMySIouxEmxW9ogPa/nZROcqDQuvLswVbIkPqrY+gVoRPyw59EkfMj72GtXAsuFfRj4EPQXAGng1WRFjVe4hFq1jUjH3QXsUumf4aCuwLRb74apu2PagiXYz7Y0Y+rgwqtHPhTjYFSYpy4amGfuiXlqDQauDTVApmVCpxR+AU9QWYI1oXYyhI6JkM4x6WB6zoIWovksCxr+/+s2K+NbptaH9yPaIsdZJlO7cKyLduwJmLbHdQVQ5PwvdwuyGIrHNobnTh3HexkG2Lndm2a1Vi562r8HAQaZrYlVjbS+in9wvNIBmwAuwbGxXJf6eP/WgyB5TBNFOJZyCM1MjQosFCOclj0vlzTDZIrHdKhgmMqR0VtQRvNBOCKBX6SRSo2fWMAsdSzuNAR2qHE9neq8hte8NcRc6oYEmWK5qQhVCUc6BSUN1REDJBieJzDTARTHsFZIFJkrf5IZKVvISJZbtRvkhAq6EVb/8Vc8GbhJrQVNC4lSoEnpegwY0FziaMzFq0YtOfLSobRxmv/lM1WwVwFgs5kWGlZ5aIje7VGnKpR4+iHiaig+EMq6/cRzjJGzEShXrQiJsNYGDnGMxa7LBXNGIUa6DG7xIlf7hJuMWHcStPmaLo9fgakoFvNTH7YP+ya4RqdQX8vprFnvDJeG28NaNjGhfHNuDSuDNI56jidz50v3cOu3f20uCi7O8sbc2Q0VvfiLwDAGo0=</latexit><latexit sha1_base64="WQkmL3e4vs7hIfA4vQ1lzS30Ckg=">AGhHictVRdb9MwFM1WKM2PbKi8VEhcQYsbsyQNowAuPQ2IfUlNFjuO0Vp0P2c7UEuUX8VP4BfwbnLTdmrQvPGAp0snxvfece2MnyDiTyjT/7Ox2Hj3uPtl72nu2/zFy4PD/WuZ5oLQK5LyVNwGWFLOEnqlmOL0NhMUxwGnN8H0a7V/c0eFZGnyQ80zOorxOGERI1hpyj/c/eUFdMySIouxEmxW9ogPa/nZROcqDQuvLswVbIkPqrY+gVoRPyw59EkfMj72GtXAsuFfRj4EPQXAGng1WRFjVe4hFq1jUjH3QXsUumf4aCuwLRb74apu2PagiXYz7Y0Y+rgwqtHPhTjYFSYpy4amGfuiXlqDQauDTVApmVCpxR+AU9QWYI1oXYyhI6JkM4x6WB6zoIWovksCxr+/+s2K+NbptaH9yPaIsdZJlO7cKyLduwJmLbHdQVQ5PwvdwuyGIrHNobnTh3HexkG2Lndm2a1Vi562r8HAQaZrYlVjbS+in9wvNIBmwAuwbGxXJf6eP/WgyB5TBNFOJZyCM1MjQosFCOclj0vlzTDZIrHdKhgmMqR0VtQRvNBOCKBX6SRSo2fWMAsdSzuNAR2qHE9neq8hte8NcRc6oYEmWK5qQhVCUc6BSUN1REDJBieJzDTARTHsFZIFJkrf5IZKVvISJZbtRvkhAq6EVb/8Vc8GbhJrQVNC4lSoEnpegwY0FziaMzFq0YtOfLSobRxmv/lM1WwVwFgs5kWGlZ5aIje7VGnKpR4+iHiaig+EMq6/cRzjJGzEShXrQiJsNYGDnGMxa7LBXNGIUa6DG7xIlf7hJuMWHcStPmaLo9fgakoFvNTH7YP+ya4RqdQX8vprFnvDJeG28NaNjGhfHNuDSuDNI56jidz50v3cOu3f20uCi7O8sbc2Q0VvfiLwDAGo0=</latexit><latexit sha1_base64="JBRVOVgew73hCqK2GdLyHNC7z60=">AGj3ictVRdb9MwFM1WKN8beORF4uJComx2emyJA+gAS/wNiT2ITV5DhOa835kO1MLVF+ET+FX8C/wUnbrUn7wgOWIp0cn3vuTd2gowzqSD8s7XdefCw+2jnce/J02fPX+zu7V/KNBeEXpCUp+I6wJyltALxRSn15mgOA4vQpuvlT7V7dUSJYmP9Qso6MYjxMWMYKVpvy97V9eQMcsKbIYK8GmZY/4yPN6XjbBiUrjwrsNUyVL4psVW78AjYgf9jyahPdxH3rtTGCxsI8CH4H+HJgaeHWaBRFW+e615lJrNrX3tZfaBdNfAWEFNmxHy7zhm0Pmg3825DM1CLC68e+VCMg1EBj1xzAE/cQ3hkDQaujTQwoQWRUwq/QIdmWYKVQu1ghBxomjoG1ksD13VMZM2Dw7Ks7f9zxX5tdNPU+uBuRBvsmBZ0aheWbdl2BU5c03YHVebwMHyPNhtCpnWK4FoXzl0X87LtYie27VpVsVNX29dg4JjQtVaKVY20voq/e7CsA9YBWoADY7HO9fH+rQdB8pgminAs5RDBTI0KLBQjnJY9L5c0w+QGj+lQwTHVI6K2moJ3mgmBFEq9JMoULOrEQWOpZzFgVZqhxPZ3qvITXvDXEXOqGBJliuakHmhKOdApaC6oyBkghLFZxpgIpj2CsgEC0yUvsmNKlVuISNZbqzdICdU0DVZbf8/Z8wFbxJqQlNB41aoEHhWgY3FjibMDJt0Yrd/GxR2TjKePWfqtlKwFkgsJgVGVZ6aolc71KlKZd6+CDiaSqOCWVcf+M4xknY0EoV60QibDWBg5xjMW2ywUzRiFGuxQ1epEr/cJNxiw7iVh/T+dFrcDWlAl7q4/ah30dXJpHSF/L7/DgzF1chB3jlfHaeGsgwzbOjK/GuXFhkM5+x+l86nzu7nXt7sfu2Vy6vbWIeWk0VvfbX13FG38=</latexit><latexit sha1_base64="JiY7sU4veOIJlTH5NLjyieyRkY=">AGj3ictVRdb9MwFM1WKN8beORF4uJCokxYrdZkgfQgBd4GxLbkJoqchynteZ8yHamli/iJ/CL+Df4KTt1qR94QFLkU6Oz73Bs7QcaZVKb5Z2e3c+9+98Hew96jx0+ePts/OLyUaS4IvSApT8WPAEvKWUIvFOc/sgExXHA6Vw/bnav7qhQrI0+a7mGR3HeJKwiBGsNOUf7P7yAjphSZHFWAk2K3vEh57X87IpTlQaF95NmCpZEh9VbP0CNCJ+2PNoEt7Fve+1M4Hlwj4MfAj6C4A08Oo0SyKs8t1p0UqLmtq72ivtkumvgbAC27TYD1d5w7YHTbSbebOlGVOLC68e+UhMgnFhnrhoYA7dY/PEGgxcG2qATMuETin8Ah6jsgRrhdrBEDomQjrGrJcGrusgaC2Cw7Ks7f9zxX5tdNvU+uB2RFvsIMt0aheWbdl2BYust1BlTk8Dt/C7Ygsk6hudGFc9vFomy72NC2Xasqdupq+xoMHGS61lqxqpHWV/H3j1Z1wCaAS3BkLNe5Pt6/9SBIHtNEY6lHEzU+MC8UIp2XPyXNMLnGEzrSMExleOitlqCV5oJQZQK/SQK1Ox6RIFjKedxoJXa4VS29ypy294oV5EzLliS5YomZFEoyjlQKajuKAiZoETxuQaYCKa9AjLFAhOlb3KjSpVbyEiW2s3yCkVdENW2/PGXPBm4Sa0lTQuBUqBJ6XoMFNBM6mjMxatGLXP1tUNokyXv2narYScBYILOZFhpWeWiI3u1RpyqUePoh4mop3hDKuv3Ec4yRsaKWKdSIRtprAQc6xmDXZYK5oxCjX4gYvUqV/uMmkRQdxq4/Z4ug1uJpSAS/18Yftw74JLtEJ1Nfy2/DozF1ehD3jhfHSeG1AwzbOjC/GuXFhkM5hx+l87HzqHnTt7ofu2UK6u7OMeW40VvfrX18FG4M=</latexit><latexit sha1_base64="JiY7sU4veOIJlTH5NLjyieyRkY=">AGj3ictVRdb9MwFM1WKN8beORF4uJCokxYrdZkgfQgBd4GxLbkJoqchynteZ8yHamli/iJ/CL+Df4KTt1qR94QFLkU6Oz73Bs7QcaZVKb5Z2e3c+9+98Hew96jx0+ePts/OLyUaS4IvSApT8WPAEvKWUIvFOc/sgExXHA6Vw/bnav7qhQrI0+a7mGR3HeJKwiBGsNOUf7P7yAjphSZHFWAk2K3vEh57X87IpTlQaF95NmCpZEh9VbP0CNCJ+2PNoEt7Fve+1M4Hlwj4MfAj6C4A08Oo0SyKs8t1p0UqLmtq72ivtkumvgbAC27TYD1d5w7YHTbSbebOlGVOLC68e+UhMgnFhnrhoYA7dY/PEGgxcG2qATMuETin8Ah6jsgRrhdrBEDomQjrGrJcGrusgaC2Cw7Ks7f9zxX5tdNvU+uB2RFvsIMt0aheWbdl2BYust1BlTk8Dt/C7Ygsk6hudGFc9vFomy72NC2Xasqdupq+xoMHGS61lqxqpHWV/H3j1Z1wCaAS3BkLNe5Pt6/9SBIHtNEY6lHEzU+MC8UIp2XPyXNMLnGEzrSMExleOitlqCV5oJQZQK/SQK1Ox6RIFjKedxoJXa4VS29ypy294oV5EzLliS5YomZFEoyjlQKajuKAiZoETxuQaYCKa9AjLFAhOlb3KjSpVbyEiW2s3yCkVdENW2/PGXPBm4Sa0lTQuBUqBJ6XoMFNBM6mjMxatGLXP1tUNokyXv2narYScBYILOZFhpWeWiI3u1RpyqUePoh4mop3hDKuv3Ec4yRsaKWKdSIRtprAQc6xmDXZYK5oxCjX4gYvUqV/uMmkRQdxq4/Z4ug1uJpSAS/18Yftw74JLtEJ1Nfy2/DozF1ehD3jhfHSeG1AwzbOjC/GuXFhkM5hx+l87HzqHnTt7ofu2UK6u7OMeW40VvfrX18FG4M=</latexit><latexit sha1_base64="JiY7sU4veOIJlTH5NLjyieyRkY=">AGj3ictVRdb9MwFM1WKN8beORF4uJCokxYrdZkgfQgBd4GxLbkJoqchynteZ8yHamli/iJ/CL+Df4KTt1qR94QFLkU6Oz73Bs7QcaZVKb5Z2e3c+9+98Hew96jx0+ePts/OLyUaS4IvSApT8WPAEvKWUIvFOc/sgExXHA6Vw/bnav7qhQrI0+a7mGR3HeJKwiBGsNOUf7P7yAjphSZHFWAk2K3vEh57X87IpTlQaF95NmCpZEh9VbP0CNCJ+2PNoEt7Fve+1M4Hlwj4MfAj6C4A08Oo0SyKs8t1p0UqLmtq72ivtkumvgbAC27TYD1d5w7YHTbSbebOlGVOLC68e+UhMgnFhnrhoYA7dY/PEGgxcG2qATMuETin8Ah6jsgRrhdrBEDomQjrGrJcGrusgaC2Cw7Ks7f9zxX5tdNvU+uB2RFvsIMt0aheWbdl2BYust1BlTk8Dt/C7Ygsk6hudGFc9vFomy72NC2Xasqdupq+xoMHGS61lqxqpHWV/H3j1Z1wCaAS3BkLNe5Pt6/9SBIHtNEY6lHEzU+MC8UIp2XPyXNMLnGEzrSMExleOitlqCV5oJQZQK/SQK1Ox6RIFjKedxoJXa4VS29ypy294oV5EzLliS5YomZFEoyjlQKajuKAiZoETxuQaYCKa9AjLFAhOlb3KjSpVbyEiW2s3yCkVdENW2/PGXPBm4Sa0lTQuBUqBJ6XoMFNBM6mjMxatGLXP1tUNokyXv2narYScBYILOZFhpWeWiI3u1RpyqUePoh4mop3hDKuv3Ec4yRsaKWKdSIRtprAQc6xmDXZYK5oxCjX4gYvUqV/uMmkRQdxq4/Z4ug1uJpSAS/18Yftw74JLtEJ1Nfy2/DozF1ehD3jhfHSeG1AwzbOjC/GuXFhkM5hx+l87HzqHnTt7ofu2UK6u7OMeW40VvfrX18FG4M=</latexit><latexit sha1_base64="JiY7sU4veOIJlTH5NLjyieyRkY=">AGj3ictVRdb9MwFM1WKN8beORF4uJCokxYrdZkgfQgBd4GxLbkJoqchynteZ8yHamli/iJ/CL+Df4KTt1qR94QFLkU6Oz73Bs7QcaZVKb5Z2e3c+9+98Hew96jx0+ePts/OLyUaS4IvSApT8WPAEvKWUIvFOc/sgExXHA6Vw/bnav7qhQrI0+a7mGR3HeJKwiBGsNOUf7P7yAjphSZHFWAk2K3vEh57X87IpTlQaF95NmCpZEh9VbP0CNCJ+2PNoEt7Fve+1M4Hlwj4MfAj6C4A08Oo0SyKs8t1p0UqLmtq72ivtkumvgbAC27TYD1d5w7YHTbSbebOlGVOLC68e+UhMgnFhnrhoYA7dY/PEGgxcG2qATMuETin8Ah6jsgRrhdrBEDomQjrGrJcGrusgaC2Cw7Ks7f9zxX5tdNvU+uB2RFvsIMt0aheWbdl2BYust1BlTk8Dt/C7Ygsk6hudGFc9vFomy72NC2Xasqdupq+xoMHGS61lqxqpHWV/H3j1Z1wCaAS3BkLNe5Pt6/9SBIHtNEY6lHEzU+MC8UIp2XPyXNMLnGEzrSMExleOitlqCV5oJQZQK/SQK1Ox6RIFjKedxoJXa4VS29ypy294oV5EzLliS5YomZFEoyjlQKajuKAiZoETxuQaYCKa9AjLFAhOlb3KjSpVbyEiW2s3yCkVdENW2/PGXPBm4Sa0lTQuBUqBJ6XoMFNBM6mjMxatGLXP1tUNokyXv2narYScBYILOZFhpWeWiI3u1RpyqUePoh4mop3hDKuv3Ec4yRsaKWKdSIRtprAQc6xmDXZYK5oxCjX4gYvUqV/uMmkRQdxq4/Z4ug1uJpSAS/18Yftw74JLtEJ1Nfy2/DozF1ehD3jhfHSeG1AwzbOjC/GuXFhkM5hx+l87HzqHnTt7ofu2UK6u7OMeW40VvfrX18FG4M=</latexit><latexit sha1_base64="JiY7sU4veOIJlTH5NLjyieyRkY=">AGj3ictVRdb9MwFM1WKN8beORF4uJCokxYrdZkgfQgBd4GxLbkJoqchynteZ8yHamli/iJ/CL+Df4KTt1qR94QFLkU6Oz73Bs7QcaZVKb5Z2e3c+9+98Hew96jx0+ePts/OLyUaS4IvSApT8WPAEvKWUIvFOc/sgExXHA6Vw/bnav7qhQrI0+a7mGR3HeJKwiBGsNOUf7P7yAjphSZHFWAk2K3vEh57X87IpTlQaF95NmCpZEh9VbP0CNCJ+2PNoEt7Fve+1M4Hlwj4MfAj6C4A08Oo0SyKs8t1p0UqLmtq72ivtkumvgbAC27TYD1d5w7YHTbSbebOlGVOLC68e+UhMgnFhnrhoYA7dY/PEGgxcG2qATMuETin8Ah6jsgRrhdrBEDomQjrGrJcGrusgaC2Cw7Ks7f9zxX5tdNvU+uB2RFvsIMt0aheWbdl2BYust1BlTk8Dt/C7Ygsk6hudGFc9vFomy72NC2Xasqdupq+xoMHGS61lqxqpHWV/H3j1Z1wCaAS3BkLNe5Pt6/9SBIHtNEY6lHEzU+MC8UIp2XPyXNMLnGEzrSMExleOitlqCV5oJQZQK/SQK1Ox6RIFjKedxoJXa4VS29ypy294oV5EzLliS5YomZFEoyjlQKajuKAiZoETxuQaYCKa9AjLFAhOlb3KjSpVbyEiW2s3yCkVdENW2/PGXPBm4Sa0lTQuBUqBJ6XoMFNBM6mjMxatGLXP1tUNokyXv2narYScBYILOZFhpWeWiI3u1RpyqUePoh4mop3hDKuv3Ec4yRsaKWKdSIRtprAQc6xmDXZYK5oxCjX4gYvUqV/uMmkRQdxq4/Z4ug1uJpSAS/18Yftw74JLtEJ1Nfy2/DozF1ehD3jhfHSeG1AwzbOjC/GuXFhkM5hx+l87HzqHnTt7ofu2UK6u7OMeW40VvfrX18FG4M=</latexit><latexit sha1_base64="JiY7sU4veOIJlTH5NLjyieyRkY=">AGj3ictVRdb9MwFM1WKN8beORF4uJCokxYrdZkgfQgBd4GxLbkJoqchynteZ8yHamli/iJ/CL+Df4KTt1qR94QFLkU6Oz73Bs7QcaZVKb5Z2e3c+9+98Hew96jx0+ePts/OLyUaS4IvSApT8WPAEvKWUIvFOc/sgExXHA6Vw/bnav7qhQrI0+a7mGR3HeJKwiBGsNOUf7P7yAjphSZHFWAk2K3vEh57X87IpTlQaF95NmCpZEh9VbP0CNCJ+2PNoEt7Fve+1M4Hlwj4MfAj6C4A08Oo0SyKs8t1p0UqLmtq72ivtkumvgbAC27TYD1d5w7YHTbSbebOlGVOLC68e+UhMgnFhnrhoYA7dY/PEGgxcG2qATMuETin8Ah6jsgRrhdrBEDomQjrGrJcGrusgaC2Cw7Ks7f9zxX5tdNvU+uB2RFvsIMt0aheWbdl2BYust1BlTk8Dt/C7Ygsk6hudGFc9vFomy72NC2Xasqdupq+xoMHGS61lqxqpHWV/H3j1Z1wCaAS3BkLNe5Pt6/9SBIHtNEY6lHEzU+MC8UIp2XPyXNMLnGEzrSMExleOitlqCV5oJQZQK/SQK1Ox6RIFjKedxoJXa4VS29ypy294oV5EzLliS5YomZFEoyjlQKajuKAiZoETxuQaYCKa9AjLFAhOlb3KjSpVbyEiW2s3yCkVdENW2/PGXPBm4Sa0lTQuBUqBJ6XoMFNBM6mjMxatGLXP1tUNokyXv2narYScBYILOZFhpWeWiI3u1RpyqUePoh4mop3hDKuv3Ec4yRsaKWKdSIRtprAQc6xmDXZYK5oxCjX4gYvUqV/uMmkRQdxq4/Z4ug1uJpSAS/18Yftw74JLtEJ1Nfy2/DozF1ehD3jhfHSeG1AwzbOjC/GuXFhkM5hx+l87HzqHnTt7ofu2UK6u7OMeW40VvfrX18FG4M=</latexit>
slide-6
SLIDE 6

Probing Security

6 6 memory computation leakage

I1

x1 y1 z1 f1(x1, y1)

I2

x2 y2 z2 f2(x2, y2)

Is

xs ys zs fs(xs, ys)

  • The adversary can probe instructions
  • t

Ii f(xi, yi) = (xi, yi) for t instrucRons f(xi, yi) = ⊥ for other instrucRons ISW scheme is t-probing secure for t < d

slide-7
SLIDE 7

Composition Flaws

7

⊕ [ ] ⊗ [ ] [x] [y] ⊗ [ ]

  • placed on
  • placed on
  • d = 3

P1 x1 ⋅ (x3 + y3) P2 x2 ⋅ y3

f (x1, x3 + y3) = (x1, x3 + y3) f (x2, y3) = (x2, y3)

slide-8
SLIDE 8

Composition Flaws

7

⊕ [ ] ⊗ [ ] [x] [y] ⊗ [ ]

  • placed on
  • placed on
  • d = 3

P1 x1 ⋅ (x3 + y3) P2 x2 ⋅ y3

f (x1, x3 + y3) = (x1, x3 + y3) f (x2, y3) = (x2, y3)

x1 x2 (x3 + y3) + y3 = x3

slide-9
SLIDE 9

Refresh Gadget

8

⊕ [ ] ⊗ [ ] [x] [y] ⊗ [ ]

R

  • Add refresh gadget at carefully chosen position
  • Drawback: randomness overhead
  • Challenge: where and how many needed?
  • Solution: formal verification tools !
slide-10
SLIDE 10

Limitation of Existing Tools

  • Adds a refresh but circuit was already probing secure
  • Complexity highly impacted by the masking order

9

⊕ [ ] ⊗ [ ] [x] [y] R ⊕ [ ] ⊗ [ ] [x] [y]

existing tools

slide-11
SLIDE 11

New Proposal

10 t-probing security game-based definition simplified problem formal method

  • Determine exactly whether a circuit is probing secure for any order
slide-12
SLIDE 12

Game Based Probing Security

11

𝒝

(𝒬, x1, …, xn) (𝒬, x1, …, xn)


 
 


[x1] ← Enc(x1) [x2] ← Enc(x2) [xn] ← Enc(xn) ⋮

C([x1], [x2], …, [xn])𝒬

𝒯(𝒬)

𝒝

(v1, v2, …, vt) (v1, v2, …, vt)

Real Ideal 1. 1. 2.

slide-13
SLIDE 13

Game 0 to Game 1

12

𝒝

(𝒬, x1, …, xn) (𝒬, x1, …, xn) [x1] ← Enc(x1) [x2] ← Enc(x2) [xn] ← Enc(xn) ⋮

C([x1], [x2], …, [xn])𝒬

𝒯(𝒬)

𝒝

(v1, v2, …, vt) (v1, v2, …, vt) (𝒬′, x1, …, xn) (𝒬′, x1, …, xn)

C([x1], [x2], …, [xn])𝒬′

(v1, v2, …, vq) (v1, v2, …, vq) 𝒯(𝒬′)

Real Ideal 1. 2. 1.

slide-14
SLIDE 14

Game 0 to Game 1

13

⊕ [ ] ⊗ [ ] [x] [y] ⊕ [ ] ⊗ [ ] [x] [y]

slide-15
SLIDE 15

Game 1 to Game 2

14

𝒝

[x1] ← Enc(x1) [x2] ← Enc(x2) [xn] ← Enc(xn) ⋮

𝒝

(𝒬′, x1, …, xn) (𝒬′, x1, …, xn)

C′([x1], [x2], …, [xn])𝒬′

(v1, v2, …, vq) (v1, v2, …, vq) 𝒯(𝒬′) C′ ← Flatten(C) C′ ← Flatten(C) C C 𝒯′(𝒬′)

Real Ideal 1. 1. 2. 2. 3.

slide-16
SLIDE 16

Flatten Transformation

15

[x] [y] [z] ⊗ [ ] ⊕ [ ] ⊗ [ ] ⊗ [ ] ⊗ [ ] R [x] [y] [z] ⊗ [ ] ⊕ [ ] ⊗ [ ] ⊗ [ ] ⊗ [ ] R [ f ] [h] [e] [g] [i]

slide-17
SLIDE 17

Flatten Transformation

15

[x] [y] [z] ⊗ [ ] ⊕ [ ] ⊗ [ ] ⊗ [ ] ⊗ [ ] R [x] [y] [z] ⊗ [ ] ⊕ [ ] ⊗ [ ] ⊗ [ ] ⊗ [ ] R [ f ] [h] [e] [g] [i]

slide-18
SLIDE 18

Flatten Transformation

15

[x] [y] [z] ⊗ [ ] ⊕ [ ] ⊗ [ ] ⊗ [ ] ⊗ [ ] R [x] [y] [z] ⊗ [ ] ⊕ [ ] ⊗ [ ] ⊗ [ ] ⊗ [ ] R [ f ] [h] [e] [g] [i]

slide-19
SLIDE 19

Flatten Transformation

15

[x] [y] [z] ⊗ [ ] ⊕ [ ] ⊗ [ ] ⊗ [ ] ⊗ [ ] R [x] [y] [z] ⊗ [ ] ⊕ [ ] ⊗ [ ] ⊗ [ ] ⊗ [ ] R [ f ] [h] [e] [g] [i]

slide-20
SLIDE 20

Flatten Transformation

15

[x] [y] [z] ⊗ [ ] ⊕ [ ] ⊗ [ ] ⊗ [ ] ⊗ [ ] R [x] [y] [z] ⊗ [ ] ⊕ [ ] ⊗ [ ] ⊗ [ ] ⊗ [ ] R [ f ] [h] [e] [g] [i]

slide-21
SLIDE 21

Flatten Transformation

15

[x] [y] [z] ⊗ [ ] ⊕ [ ] ⊗ [ ] ⊗ [ ] ⊗ [ ] R [x] [y] [z] ⊗ [ ] ⊕ [ ] ⊗ [ ] ⊗ [ ] ⊗ [ ] R [ f ] [h] [e] [g] [i]

slide-22
SLIDE 22

Game 2 to Game 3

16

𝒝

[x1] ← Enc(x1) [x2] ← Enc(x2) [xn] ← Enc(xn) ⋮

𝒝

(𝒬′, x1, …, xn) (𝒬′, x1, …, xn)

C′([x1], [x2], …, [xn])𝒬′

(v1, v2, …, vq) (v1, v2, …, vq) 𝒯′(𝒬′) C′ ← Flatten(C) C′ ← Flatten(C) (𝒬′′, x1, …, xn) (𝒬′′, x1, …, xn)

C′([x1], [x2], …, [xn])𝒬′′

𝒯′(𝒬′′)

Real Ideal 1. 1. 2. 2. 3.

slide-23
SLIDE 23

Game 2 to Game 3

17

[x] [y] [z] ⊗ [ ] ⊕ [ ] ⊗ [ ] ⊗ [ ] ⊗ [ ] R [ f ] [h] [e] [g] [i] [x] [y] [z] ⊗ [ ] ⊕ [ ] ⊗ [ ] ⊗ [ ] ⊗ [ ] R [ f ] [h] [e] [g] [i]

slide-24
SLIDE 24

Matrix Representation

18

[x] [y] [z] ⊗ [ ] ⊕ [ ] ⊗ [ ] ⊗ [ ] ⊗ [ ] R [ f ] [h] [e] [g] [i] [x] [y] [z] [ f ] [h] [e] [g] [i] 1 1 1

ℳj

for the j-th shares

P1 P2

slide-25
SLIDE 25

Matrix Representation

18

[x] [y] [z] ⊗ [ ] ⊕ [ ] ⊗ [ ] ⊗ [ ] ⊗ [ ] R [ f ] [h] [e] [g] [i] [x] [y] [z] [ f ] [h] [e] [g] [i] 1 1 1

ℳj

for the j-th shares

P1 P2

slide-26
SLIDE 26

Matrix Representation

18

[x] [y] [z] ⊗ [ ] ⊕ [ ] ⊗ [ ] ⊗ [ ] ⊗ [ ] R [ f ] [h] [e] [g] [i] [x] [y] [z] [ f ] [h] [e] [g] [i] 1 1 1

ℳj

for the j-th shares

P1 P2

slide-27
SLIDE 27

Game 2 to Game 3

19

Im(ℳT

1) ∩ Im(ℳT 2) ∩ … ∩ Im(ℳT d) = ∅

(v1, …, vq)

uniformly distributed

slide-28
SLIDE 28

Resolution Method

20

⊕ [ ] ⊗ [ ] [x] [y] ⊗ [ ]

d = 3

[x] [y]

Im Im Im

∩ ∩

=

[x]

ℳ1 ℳ2 ℳ3

1 1 1 1 1

slide-29
SLIDE 29

⊕ [ ] ⊗ [ ] [c1] [c2] [c3] ⊕ [ ] ⊗ [ ] ⊗ [ ] [c4] [c5]

21

slide-30
SLIDE 30

⊕ [ ] ⊗ [ ] [c1] [c2] [c3] ⊕ [ ] ⊗ [ ] ⊗ [ ] [c4] [c5]

21

slide-31
SLIDE 31

⊕ [ ] ⊗ [ ] [c1] [c2] [c3] ⊕ [ ] ⊗ [ ] ⊗ [ ] [c4] [c5]

21

slide-32
SLIDE 32

⊕ [ ] ⊗ [ ] [c1] [c2] [c3] ⊕ [ ] ⊗ [ ] ⊗ [ ] [c4] [c5] [c1] ⋅ [c2] [c2]

21

slide-33
SLIDE 33

⊕ [ ] ⊗ [ ] [c1] [c2] [c3] ⊕ [ ] ⊗ [ ] ⊗ [ ] [c4] [c5] [c1] ⋅ [c2] [c2] [c4] ⋅ [c5], [c4] ⋅ [c3] [c5], [c3]

21

slide-34
SLIDE 34

⊕ [ ] ⊗ [ ] [c1] [c2] [c3] ⊕ [ ] ⊗ [ ] ⊗ [ ] [c4] [c5]

21

slide-35
SLIDE 35

⊕ [ ] ⊗ [ ] [c1] [c2] [c3] ⊕ [ ] ⊗ [ ] ⊗ [ ] [c4] [c5] [c2] ⋅ [c1] [c1]

21

slide-36
SLIDE 36

⊕ [ ] ⊗ [ ] [c1] [c2] [c3] ⊕ [ ] ⊗ [ ] ⊗ [ ] [c4] [c5] [c2] ⋅ [c1] [c1] [c4] ⋅ [c5], [c4] ⋅ [c3] [c5], [c3]

21

slide-37
SLIDE 37

⊕ [ ] ⊗ [ ] [c1] [c2] [c3] ⊕ [ ] ⊗ [ ] ⊗ [ ] [c4] [c5] [c2] ⋅ [c1] [c1] [c4] ⋅ [c5], [c4] ⋅ [c3] [c5], [c3]

[c2] = [c3] + [c5] !

21

slide-38
SLIDE 38

⊕ [ ] ⊗ [ ] [c1] [c2] [c3] ⊕ [ ] ⊗ [ ] ⊗ [ ] [c4] [c5] [c2] ⋅ [c1] [c1] [c4] ⋅ [c5], [c4] ⋅ [c3] [c5], [c3]

[c2] = [c3] + [c5] !

𝒣 𝒱

21

slide-39
SLIDE 39

⊕ [ ] ⊗ [ ] [c1] [c2] [c3] ⊕ [ ] ⊗ [ ] ⊗ [ ] [c4] [c5] [c2] ⋅ [c1] [c1] [c4] ⋅ [c5], [c4] ⋅ [c3] [c5], [c3]

[c2] = [c3] + [c5] !

𝒣 𝒱

𝒣1 𝒱1

21

slide-40
SLIDE 40

⊕ [ ] ⊗ [ ] [c1] [c2] [c3] ⊕ [ ] ⊗ [ ] ⊗ [ ] [c4] [c5] [c2] ⋅ [c1] [c1] [c4] ⋅ [c5], [c4] ⋅ [c3] [c5], [c3]

[c2] = [c3] + [c5] !

𝒣 𝒱

𝒣1 𝒱1 𝒣2 𝒱2

21

slide-41
SLIDE 41

tightProve

22

slide-42
SLIDE 42

Bitslice for the AES S-box

23 83 XOR gates 32 AND gates Circuit of Boyer et al.

slide-43
SLIDE 43

Bitslice for the AES S-box

23 83 XOR gates 32 AND gates 83 XOR inst. 32 AND inst. Bitslice transformation

slide-44
SLIDE 44

Bitslice for the AES S-box

23 83 XOR gates 32 AND gates 83 XOR inst. 32 AND inst. Bitslice transformation 83 XORs 32 ISW-and Masking transformation

d

slide-45
SLIDE 45

Bitslice for the AES S-box

23 83 XOR gates 32 AND gates 83 XOR inst. 32 AND inst. Bitslice transformation 83 XORs 32 ISW-and Masking transformation

d

d-shared Boolean circuit

slide-46
SLIDE 46

Application of tightProve

24

d-shared Boolean circuits

slide-47
SLIDE 47

Application of tightProve

24

d-shared Boolean circuits

How many refresh gadgets ?
 Where to insert them ?

Tight d-private Boolean circuits

?

slide-48
SLIDE 48

Application of tightProve

24

d-shared Boolean circuits

Existing tools

+ 32 Refresh gadgets

1 before each mult.

Tight d-private Boolean circuits

slide-49
SLIDE 49

Application of tightProve

24

d-shared Boolean circuits Tight d-private Boolean circuits

tightPROVE

No refresh required !

slide-50
SLIDE 50

Application of tightProve

24

d-shared Boolean circuits Tight d-private Boolean circuits

tightPROVE

No refresh required ! Randomness requirement 2 /

slide-51
SLIDE 51

Performance

25

Randomness consumption 1500 3000 4500 6000 Masking order 2 3 4 5 6 7 8 9 10

Bitslice with tightPROVE Standard (KHL) Standard (RP) Bitslice with refresh

slide-52
SLIDE 52

Thank you!

Questions?

26