Slide 1: 3-Share Threshold Implementation of AES S-box without Fresh Randomness (CHES 2019)
Takeshi Sugawara, The University of Electro-Communications, Japan / University of Michigan, US
This work is funded by JSPS KAKENHI Grant Numbers 17H06681 and JP18H05289
Slide 2: Overview
• Implementation methodology: threshold implementation (TI)
• Difficulty in realizing a 3-share + uniform TI for the AES and Keccak S-boxes for 10+ years (Nikova et al., ICICS 2006)
• Changing of the Guards → 3-share + uniform Keccak S-box (Daemen, CHES 2017)
• 4-share + uniform AES S-box (Wegener & Moradi, COSADE 2018)
• Generalized Changing of the Guards → 3-share + uniform AES S-box (this work)
Slide 3: TI: Threshold Implementation
• Implement crypto while keeping a shared representation of intermediate variables
• Input share (x_a, x_b, x_c): x_a ⊕ x_b ⊕ x_c = x
• A sharing (ψ_a, ψ_b, ψ_c) maps a share to another share: ψ_a, ψ_b, ψ_c produce the output shares X_a, X_b, X_c
• Correctness: (ψ_a, ψ_b, ψ_c) gives the correct result, i.e. the output shares recombine to ψ(x)
• Non-completeness: each map ψ_a, ψ_b, ψ_c uses only a proper subset of the input shares
• Output share (X_a, X_b, X_c): X_a ⊕ X_b ⊕ X_c = X
Slide 4: Uniformity
• Uniformity about shares
  • For each (raw) value, all the possible shares should appear equally
  • Necessary for security against statistical attack
• Uniformity about sharing
  • The sharing preserves the uniformity about shares: input share is uniform ⟹ output share is uniform

Example: 3-share of a 1-bit variable

  Raw value   Share     Prob.
  0           (0,0,0)   1/16
  0           (0,1,1)   1/16
  0           (1,0,1)   1/16
  0           (1,1,0)   1/16
  1           (0,0,1)   3/16
  1           (0,1,0)   3/16
  1           (1,0,0)   3/16
  1           (1,1,1)   3/16
Slide 5: Uniformity is difficult to satisfy
• There had been no 3-share + uniform sharing for the Keccak and AES S-boxes until 2017
• If there is no uniformity, we should add fresh randomness (remasking) to make the output share uniform again
  • 1 to 10 Kbits per AES
  • 10 to 50 bits per cycle
[Figure: shares (x_a, x_b, x_c) → (ψ_a, ψ_b, ψ_c) → (X_a, X_b, X_c); in the second diagram a fresh-randomness remasking step is applied to the output shares]
Slide 6: CotG: Changing of the Guards (Daemen, CHES 2017)
• Using a neighboring input share for (pseudo) remasking
• Applicable to bijective mappings
• Succeeded in making a 3-share + uniform Keccak S-box
[Figure: parallel S-box sharings (S_a, S_b, S_c) on inputs x^1, x^2, ... with shares a, b, c; guard shares x^0_b, x^0_c enter the chain and X^0_b, X^0_c leave it; outputs X^1, X^2, X^3]
Slide 7: Why we can't use CotG for the 3-share AES S-box
• We need to decompose the S-box to reduce the number of shares, and we get multiplications that are not bijective
[Figure: Canright's S-box implementation in four stages. 1st stage: linear map (8 bits → 4 + 4 bits), GF(2^4) squaring and scaling, GF(2^4) multiplication; 2nd stage: GF(2^2) squaring and scaling, GF(2^2) multiplication; 3rd stage: GF(2^2) inversion and GF(2^2) multiplications; 4th stage: GF(2^4) multiplications and inverse linear map (8 bits out)]
Slide 8: Basic idea toward generalization
• Transform the target mapping ψ into an equivalent mapping ψ′ that has a uniform sharing (ψ′_a, ψ′_b, ψ′_c)
[Figure: ψ with the non-uniform sharing (ψ_a, ψ_b, ψ_c) → Transform → ψ′ with the uniform sharing (ψ′_a, ψ′_b, ψ′_c)]
Slide 9: Expansion
• Transforming the target ψ into a bijective mapping ψ^E using the (unbalanced) Feistel network
[Figure: ψ takes x (n bits) to ψ(x) (m bits); ψ^E takes (y, x) (m + n bits) to (ψ(x) ⊕ y, x) (m + n bits)]
Slide 10: Expansion cont.
• ψ^E always has a uniform sharing (ψ^E_a, ψ^E_b, ψ^E_c)
  • ∵ The sharing is bijective because the Feistel structure is preserved
  • ∵ A sharing is bijective ⟹ the sharing is uniform
[Figure: {ψ_a, ψ_b, ψ_c} is a non-uniform sharing of ψ; the shared Feistel network (ψ^E_a, ψ^E_b, ψ^E_c) on shares (y_a, y_b, y_c) and (x_a, x_b, x_c) outputs shares of ψ(x) ⊕ y and passes the shares of x through]
Slide 11: Expansion is not enough
• Feeding ψ^E to CotG does not make a lot of sense since it outputs ψ(x) ⊕ y instead of ψ(x)
• y should be 0, and we need to get it from somewhere
[Figure: ψ^E with inputs y, x and outputs ψ(x) ⊕ y, x]
Slide 12: Restriction
• Converting the unnecessary output to zero
• Feeding it to a neighboring mapping as a zero input
• Null mapping ⊥: maps anything to 0
[Figure: ψ^E followed by the restriction ψ^R, which applies ⊥ to the passed-through x, giving outputs Y = ψ(x) ⊕ y and X = 0; the zero output of one mapping becomes the y input of its neighbor]
Slide 13: Restriction cont.
• The null mapping ⊥ has a uniform sharing: (x_a, x_b, x_c) ↦ (x_b ⊕ x_c, x_b, x_c)
• Converting the unnecessary share into another one representing 0
[Figure: shared version of the expanded and restricted mapping: (ψ^E_a, ψ^E_b, ψ^E_c) followed by (ψ^R_a, ψ^R_b, ψ^R_c), with ⊥_a, ⊥_b, ⊥_c on the passed-through shares; outputs (Y_a, Y_b, Y_c) and (X_a, X_b, X_c)]
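The three TI properties of slides 3 and 4 (correctness, non-completeness, uniformity) and the expansion and restriction steps of slides 9 to 13, as an added example that is not part of the talk: a small Python checker that decides each property by exhaustive enumeration over all share triples. It assumes a 2-bit AND gate as the toy target in place of the slides' finite-field multiplications, and the share routing inside the expanded and restricted maps (which y share and which pass-through share each output share receives) is a choice made here so that each stage stays non-complete; the null map's sharing is the one on slide 13 up to a relabelling of shares. The expected outcome is the one the slides argue: the plain AND sharing is not uniform, its Feistel expansion is a bijection on the share space and therefore uniform, and the restriction keeps uniformity while turning the pass-through into a sharing of 0.

```python
from itertools import product
from collections import Counter

# Values are bit tuples; a 3-share representation of v is (va, vb, vc) with
# va ^ vb ^ vc == v.  Each property is checked over all 8**width share triples.

def xor(*vs):
    return tuple(sum(bits) & 1 for bits in zip(*vs))

def all_sharings(width):
    return product(list(product((0, 1), repeat=width)), repeat=3)

def is_correct(f, f_sh, width):
    """Output shares recombine to f of the recombined input."""
    return all(xor(*f_sh(*s)) == f(xor(*s)) for s in all_sharings(width))

def is_non_complete(f_sh, width):
    """Each output share i is independent of at least one input share j."""
    vals = list(product((0, 1), repeat=width))
    def independent(i, j):
        for s in all_sharings(width):
            for v in vals:
                t = list(s)
                t[j] = v
                if f_sh(*t)[i] != f_sh(*s)[i]:
                    return False
        return True
    return all(any(independent(i, j) for j in range(3)) for i in range(3))

def is_uniform(f_sh, width):
    """For each raw input, every sharing of the raw output is hit by exactly
    4**width / 4**out_width of the 4**width input sharings."""
    counts = Counter()
    for s in all_sharings(width):
        counts[(xor(*s), f_sh(*s))] += 1
    out_width = len(next(iter(counts))[1][0])
    return all(n == 4 ** width // 4 ** out_width for n in counts.values())

def is_bijective(f_sh, width):
    return len({f_sh(*s) for s in all_sharings(width)}) == 8 ** width

# Toy target (assumed here): 2-bit AND with the textbook 3-share sharing (output
# share i reads only the other two shares): correct and non-complete, NOT uniform.
def psi(x):
    return (x[0] & x[1],)

def psi_sh(a, b, c):
    za = (b[0] & b[1]) ^ (b[0] & c[1]) ^ (c[0] & b[1])   # reads b, c
    zb = (c[0] & c[1]) ^ (c[0] & a[1]) ^ (a[0] & c[1])   # reads c, a
    zc = (a[0] & a[1]) ^ (a[0] & b[1]) ^ (b[0] & a[1])   # reads a, b
    return (za,), (zb,), (zc,)

def expand(f, f_sh, m):
    """Feistel expansion psi^E(y || x) = (y ^ f(x)) || x with y of m bits.  The
    y shares and the pass-through of x are rotated (routing assumed here) so that
    output share i reads only the two other shares; the sharing is a bijection."""
    def fE(v):
        return xor(v[:m], f(v[m:])) + v[m:]
    def fE_sh(a, b, c):
        y, x = [s[:m] for s in (a, b, c)], [s[m:] for s in (a, b, c)]
        z = f_sh(*x)
        return (xor(y[1], z[0]) + x[1],    # reads b, c
                xor(y[2], z[1]) + x[2],    # reads c, a
                xor(y[0], z[2]) + x[0])    # reads a, b
    return fE, fE_sh

def restrict(fE, fE_sh, m):
    """Restriction: keep the first m bits and send the pass-through to 0 with the
    null map's sharing (x_b ^ x_c, x_b, x_c) of the slides, shares relabelled so
    that the combined stage R o E stays non-complete."""
    def fR(v):
        return fE(v)[:m] + (0,) * (len(v) - m)
    def fR_sh(a, b, c):
        A, B, C = fE_sh(a, b, c)
        return (A[:m] + xor(A[m:], B[m:]), B[:m] + B[m:], C[:m] + A[m:])
    return fR, fR_sh

def demo():
    """All checks for the AND gate, its expansion and its restriction."""
    fE, fE_sh = expand(psi, psi_sh, 1)
    fR, fR_sh = restrict(fE, fE_sh, 1)
    return {
        "and_correct": is_correct(psi, psi_sh, 2),
        "and_non_complete": is_non_complete(psi_sh, 2),
        "and_uniform": is_uniform(psi_sh, 2),           # False: needs remasking
        "exp_correct": is_correct(fE, fE_sh, 3),
        "exp_bijective": is_bijective(fE_sh, 3),
        "exp_uniform": is_uniform(fE_sh, 3),            # True: bijective sharing
        "exp_non_complete": is_non_complete(fE_sh, 3),
        "res_correct": is_correct(fR, fR_sh, 3),        # pass-through becomes 0
        "res_uniform": is_uniform(fR_sh, 3),
        "res_non_complete": is_non_complete(fR_sh, 3),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:17s} {ok}")
```

The uniformity test counts, for every raw input x, how often each sharing of the raw output is produced by the 4^width sharings of x; the AND sharing fails because, for instance, any input in which all shares of one operand are zero yields the all-zero output sharing, so (0,0,0) is over-represented. For the expanded and restricted maps the input and output share spaces of one raw value have the same size, so the checker demands that each output sharing is hit exactly once, which is exactly the "bijective ⟹ uniform" argument of slide 10.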
Slide 14: Chaining
• For a target map having the same input and output sizes (n = m), we can easily chain zero outputs and inputs
• The right figure shows the 3-parallel mapping given by (0, x_1, x_2, x_3) ↦ (ψ(x_1), ψ(x_2), ψ(x_3), 0)
[Figure: three copies of ψ with ⊥ chained; the extra zero input enters the first copy, the zero output of each copy feeds the next one, and the last copy emits the zero output; outputs X_1, X_2, X_3 and 0]
Slide 15: Chaining cont.
• By substituting each ψ′ with its sharing, we get a uniform sharing of a layer of parallel ψ′s
[Figure: shared chain: extra input (shares of 0) → (ψ_a, ψ_b, ψ_c, ⊥) on x^1 → (ψ_a, ψ_b, ψ_c, ⊥) on x^2 → (ψ_a, ψ_b, ψ_c, ⊥) on x^3 → extra output (shares of 0); outputs X^1, X^2, X^3 with shares a, b, c]
Slide 16: Why it is a generalization of CotG
• This sharing is the same as Daemen's CotG
• Now we can also support non-bijective mappings
[Figure: the shared chain of slide 15 (extra input, (ψ_a, ψ_b, ψ_c) per map, extra output) drawn side by side with Daemen's CotG sharing of slide 6 (S_a, S_b, S_c with guard shares x^0_b, x^0_c and X^0_b, X^0_c); the two are equal]
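The chained layer of slides 14 to 16, as an added example that is not the talk's code: a shared layer of parallel non-bijective maps in which the zero output Z of each map is the y input of its neighbour and the result is checked exhaustively for correctness and uniformity. It assumes a toy 2-bit target ψ(x1, x2) = (x1 AND x2, x1 XOR x2), which is not a bijection, and chains two maps instead of the slide's three (the construction is identical; three maps would need 2^24 share assignments to enumerate). The share routing inside the stage is an assumption of this example; it is the form in which Y_a = y_b ⊕ ψ_a(x_b, x_c) with y the neighbour's sharing of 0, i.e. the CotG shape of slide 6.

```python
from itertools import product

# Toy target (assumed here) with n = m = 2 bits, psi(x1 x2) = (x1 & x2) || (x1 ^ x2).
# It is not a bijection (1 is hit twice, 3 never), so Daemen's CotG does not apply
# to it directly; the chained expansion + restriction below does.
def psi(x):
    x1, x2 = x >> 1 & 1, x & 1
    return (x1 & x2) << 1 | (x1 ^ x2)

def psi_sh(a, b, c):
    """3-share sharing of psi: AND part as the textbook sharing, XOR part rotated
    so that output share i reads only the two input shares other than i."""
    (a1, a2), (b1, b2), (c1, c2) = [(v >> 1 & 1, v & 1) for v in (a, b, c)]
    za = ((b1 & b2) ^ (b1 & c2) ^ (c1 & b2)) << 1 | (b1 ^ b2)   # reads b, c
    zb = ((c1 & c2) ^ (c1 & a2) ^ (a1 & c2)) << 1 | (c1 ^ c2)   # reads c, a
    zc = ((a1 & a2) ^ (a1 & b2) ^ (b1 & a2)) << 1 | (a1 ^ a2)   # reads a, b
    return za, zb, zc

def stage_sh(y, x):
    """One shared psi' = R o E: y is the (shared) zero arriving from the
    neighbour, x the real input.  Returns (Y, Z) with Y = y ^ psi(x) and Z a
    sharing of 0 built from two shares of x, the slides' null map
    (x_b ^ x_c, x_b, x_c) up to relabelling.  Every output share reads at most
    two input shares; the routing is an assumption of this example."""
    (ya, yb, yc), (xa, xb, xc) = y, x
    za, zb, zc = psi_sh(xa, xb, xc)
    Y = (yb ^ za, yc ^ zb, ya ^ zc)
    Z = (xb ^ xc, xc, xb)
    return Y, Z

def layer_sh(g, xs):
    """Generalised CotG layer: (g, x_1, ..., x_k) -> (psi(x_1) ^ g, psi(x_2), ...,
    psi(x_k), 0).  Z of each map is chained into the y input of the next one;
    with g a sharing of 0 the first output is just psi(x_1)."""
    outs, y = [], g
    for x in xs:
        Y, y = stage_sh(y, x)
        outs.append(Y)
    return tuple(outs), y

def unshare(s):
    return s[0] ^ s[1] ^ s[2]

def sharings(v):
    """All 16 triples of 2-bit values whose XOR is v."""
    return [(a, b, a ^ b ^ v) for a in range(4) for b in range(4)]

def check_layer(k=2):
    """Exhaustive check of the k-map layer over every share assignment of g and
    x_1..x_k (16**(k+1) assignments per raw input).  Returns (correct, uniform)."""
    correct = uniform = True
    for raw in product(range(4), repeat=k + 1):          # raw g, x_1, ..., x_k
        want = [psi(raw[1]) ^ raw[0]] + [psi(v) for v in raw[2:]]
        outs = set()
        for shares in product(*(sharings(v) for v in raw)):
            Ys, Z = layer_sh(shares[0], shares[1:])
            if [unshare(Y) for Y in Ys] != want or unshare(Z) != 0:
                correct = False
            outs.add((Ys, Z))
        # Input and output sharing spaces of one raw value have the same size,
        # so the layer is uniform iff it is injective on each raw input class.
        if len(outs) != 16 ** (k + 1):
            uniform = False
    return correct, uniform

if __name__ == "__main__":
    print("correct, uniform =", check_layer(2))
```

Because n = m, each map's zero output Z has exactly the width its neighbour's y input needs, which is the chaining condition of slide 14; the last Z is the layer's extra output and the guard g is its extra input. The injectivity test in `check_layer` is the slide 10 argument applied to the whole layer: from the final Z two shares of x_k are visible, the third follows from the raw value, then the previous stage's Z is recovered from Y_k, and so on back to g.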
Slide 17: A map with different input/output sizes
• Input is larger: we get additional zero outputs that we can use later
• Output is larger: we need additional zero inputs
[Figure: a map g with inputs x, y and an additional input z, shared as g_a, g_b, g_c with ⊥, shown in two configurations; "Additional inputs for the Changing of the Guards" (zero inputs z_1, z_2, z_3) and "Additional outputs" (zero outputs Z_1, Z_2, Z_3)]
Slide 18: Application
• The 4-stage Canright's S-box is expanded to make all the stages uniform
  • S-box input: 8 bits
  • + 6-bit additional input (4 bits for GF(2^4), 2 bits for GF(2^2))
  • + 6-bit additional output (4 bits for GF(2^4), 2 bits for GF(2^2))
• Register overhead: 16 bits
• Initial randomness ≒ 6 bits × 3 shares × 16 S-boxes = 288 bits + some more
[Figure: the shared 4-stage S-box. Inputs: S-box input (x_a, x_b, x_c, 8 bits each), additional input for GF(2^4) (y_a, y_b, y_c, 4 bits each), additional input for GF(2^2) (z_a, z_b, z_c, 2 bits each). 1st stage: linear map to AES S-box, GF(2^4) mult, sq. & sc. (t^1_a, t^1_b, t^1_c); 2nd stage: GF(2^2) mult, sq. & sc. (t^2); 3rd stage: split, GF(2^2) inv. and GF(2^2) mults (v_a, v_b, v_c), concatenate (t^3); 4th stage: split, GF(2^4) mults (w_a, w_b, w_c), concatenate, inverse linear map (t^4). Registers X^i, Y^i, Z^i (shares a, b, c) between stages. Outputs: S-box output, additional output for GF(2^4), additional output for GF(2^2)]
Slide 19: Conclusion
• A generalization of the Changing of the Guards that supports non-bijective targets
• The first 3-share and uniform threshold implementation of the AES S-box