attack and improvement of a secure s box calculation
play

Attack and Improvement of a Secure S-box Calculation Based on the - PowerPoint PPT Presentation

Dec 27, 2023 •157 likes •718 views

8 + Attack and Improvement of a Secure S-box Calculation Based on the Fourier Transform ebastien Coron 1 , Christophe Giraud 2 , Emmanuel Prouff 2 , and Jean-S Matthieu Rivain 1 , 2 1 University of Luxembourg 2 Oberthur Technologies August 11,

  1. 8 + Attack and Improvement of a Secure S-box Calculation Based on the Fourier Transform ebastien Coron 1 , Christophe Giraud 2 , Emmanuel Prouff 2 , and Jean-S´ Matthieu Rivain 1 , 2 1 University of Luxembourg 2 Oberthur Technologies August 11, 2008 J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  2. Outline 8 + Preliminaries 1 S-box Masking Based on the Fourier Transform 2 Differential Power Analysis vs. Biased Masking 3 DPA against the FT-Based S-box Masking 4 Improved FT-Based S-box Masking 5 Conclusion 6 J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  3. Outline 8 + Preliminaries 1 S-box Masking Based on the Fourier Transform 2 Differential Power Analysis vs. Biased Masking 3 DPA against the FT-Based S-box Masking 4 Improved FT-Based S-box Masking 5 Conclusion 6 J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  4. Differential Power Analysis (DPA) 8 + DPA Basics Physical leakage dependent on intermediate variables Sensitive variable depends on both the input plaintext and on a guessable part of the secret key DPA exploits the physical leakage on a sensitive variable for key recovery J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  5. Differential Power Analysis (DPA) 8 + DPA Basics Physical leakage dependent on intermediate variables Sensitive variable depends on both the input plaintext and on a guessable part of the secret key DPA exploits the physical leakage on a sensitive variable for key recovery DPA Security Every intermediate variable is independent of any sensitive variable. J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  6. Masking & S-box protection issue 8 + Masking Countermeasure Every sensitive variable Z is masked with a random value R masked variable � Z = Z ⊕ R and mask R both independent of Z Masked variables and masks processed separately Completeness: Z = � Z ⊕ R J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  7. Masking & S-box protection issue 8 + Masking Countermeasure Every sensitive variable Z is masked with a random value R masked variable � Z = Z ⊕ R and mask R both independent of Z Masked variables and masks processed separately Completeness: Z = � Z ⊕ R Masking a block cipher requires the masking of: ◮ the key additions ◮ the linear transformations ◮ the substitution boxes (S-boxes) J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  8. Masking & S-box protection issue 8 + Masking Countermeasure Every sensitive variable Z is masked with a random value R masked variable � Z = Z ⊕ R and mask R both independent of Z Masked variables and masks processed separately Completeness: Z = � Z ⊕ R Masking a block cipher requires the masking of: ◮ the key additions ◮ the linear transformations ◮ the substitution boxes (S-boxes) Key addition Masked Var. Mask Z ⊕ R ⊕ R = Z J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  9. Masking & S-box protection issue 8 + Masking Countermeasure Every sensitive variable Z is masked with a random value R masked variable � Z = Z ⊕ R and mask R both independent of Z Masked variables and masks processed separately Completeness: Z = � Z ⊕ R Masking a block cipher requires the masking of: ◮ the key additions ◮ the linear transformations ◮ the substitution boxes (S-boxes) Key addition Masked Var. Mask Z ⊕ R ⊕ K ⊕ R = Z ⊕ K J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  10. Masking & S-box protection issue 8 + Masking Countermeasure Every sensitive variable Z is masked with a random value R masked variable � Z = Z ⊕ R and mask R both independent of Z Masked variables and masks processed separately Completeness: Z = � Z ⊕ R Masking a block cipher requires the masking of: ◮ the key additions ◮ the linear transformations ◮ the substitution boxes (S-boxes) Linear transformation Masked Var. Mask Z ⊕ R ⊕ R = Z J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  11. Masking & S-box protection issue 8 + Masking Countermeasure Every sensitive variable Z is masked with a random value R masked variable � Z = Z ⊕ R and mask R both independent of Z Masked variables and masks processed separately Completeness: Z = � Z ⊕ R Masking a block cipher requires the masking of: ◮ the key additions ◮ the linear transformations ◮ the substitution boxes (S-boxes) Linear transformation Masked Var. Mask L ( Z ⊕ R ) ⊕ L ( R ) = L ( Z ) J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  12. Masking & S-box protection issue 8 + Masking Countermeasure Every sensitive variable Z is masked with a random value R masked variable � Z = Z ⊕ R and mask R both independent of Z Masked variables and masks processed separately Completeness: Z = � Z ⊕ R Masking a block cipher requires the masking of: ◮ the key additions ◮ the linear transformations ◮ the substitution boxes (S-boxes) Substitution box Issue: From Z ⊕ R and R , compute F ( Z ) ⊕ R ′ . All intermediate var. must be independent of Z . J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  13. Outline 8 + Preliminaries 1 S-box Masking Based on the Fourier Transform 2 Differential Power Analysis vs. Biased Masking 3 DPA against the FT-Based S-box Masking 4 Improved FT-Based S-box Masking 5 Conclusion 6 J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  14. S-box Masking Based on the Fourier Transform 8 + Prouff, Giraud, and Aumonier in CHES 2006 : Provably Secure S-Box Implementation Based on Fourier Transform J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  15. S-box Masking Based on the Fourier Transform 8 + Prouff, Giraud, and Aumonier in CHES 2006 : Provably Secure S-Box Implementation Based on Fourier Transform The Fourier Transform of a ( n × n ) S-box F is defined by: � F ( a )( − 1) a · Z . � F ( Z ) = a ∈ F n 2 J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  16. S-box Masking Based on the Fourier Transform 8 + Prouff, Giraud, and Aumonier in CHES 2006 : Provably Secure S-Box Implementation Based on Fourier Transform The Fourier Transform of a ( n × n ) S-box F is defined by: � F ( a )( − 1) a · Z . � F ( Z ) = a ∈ F n 2 It satisfies � � F = 2 n F , that is: � F ( Z ) = 1 F ( Z ) = 1 � � F ( a )( − 1) a · Z � 2 n 2 n a ∈ F n 2 J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  17. S-box Masking Based on the Fourier Transform 8 + S-box Masking Based on the Fourier Transform Inputs: a masked var. � Z = Z ⊕ R 1 , a mask R 1 , a look-up table � F Outputs: a masked output F ( Z ) ⊕ R 3 , a mask R 3 � F ( Z ) = 1 � F ( a )( − 1) a · Z 2 n a ∈ F n 2 J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  18. S-box Masking Based on the Fourier Transform 8 + S-box Masking Based on the Fourier Transform Inputs: a masked var. � Z = Z ⊕ R 1 , a mask R 1 , a look-up table � F Outputs: a masked output F ( Z ) ⊕ R 3 , a mask R 3 � Z · R 1 F ( Z ) = 1 � F ( a )( − 1) a · � Z ⊕ R 1 · ( a ⊕ � � Z ) ( − 1) 2 n a ∈ F n 2 J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  19. S-box Masking Based on the Fourier Transform 8 + S-box Masking Based on the Fourier Transform Inputs: a masked var. � Z = Z ⊕ R 1 , a mask R 1 , a look-up table � F Outputs: a masked output F ( Z ) ⊕ R 3 , a mask R 3 � Z ⊕ R 2 ) · R 1 F ( Z ) = 1 ( − 1) ( � F ( a )( − 1) a · � Z ⊕ R 1 · ( a ⊕ � � Z ⊕ R 2 ) 2 n a ∈ F n 2 J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

  20. S-box Masking Based on the Fourier Transform 8 + S-box Masking Based on the Fourier Transform Inputs: a masked var. � Z = Z ⊕ R 1 , a mask R 1 , a look-up table � F Outputs: a masked output F ( Z ) ⊕ R 3 , a mask R 3 ( − 1) ( � Z ⊕ R 2 ) · R 1 F ( Z )+ R 3 mod 2 n = � Z ⊕ R 2 ) mod2 2 n � � 1 F ( a )( − 1) a · � Z ⊕ R 1 · ( a ⊕ � � 2 n R 3 + R 4 + 2 n a ∈ F n 2 J.-S. Coron, C. Giraud, E. Prouff, and M. Rivain Attack and Improvement of the FT-Based S-box Calculation

Recommend

Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day >> exploitation of the device >> the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
Secure and Efficient Metering Discussion Outline Clarifications Attack on Secure

Secure and Efficient Metering Discussion Outline Clarifications Attack on Secure

Secure and Efficient Metering Discussion Outline Clarifications Attack on Secure Metering Issues and Extensions Real World Other Directions Metering for General Access Structures Understanding the model Audit Agency

480 views • 35 slides
Presentation of the ITN Rating Calculation for the largest percentage climbers on the improvement

Presentation of the ITN Rating Calculation for the largest percentage climbers on the improvement

Presentation of the ITN Rating Calculation for the largest percentage climbers on the improvement ladder between 23 and 30 January 2016. No explanations are given. However, the ITN Rating Calculation for each player is presented. The ITN

427 views • 4 slides
Diffie-Hellman not secure against Man-in-the-Middle-attack: Want to guarantee authenticity. Alice

Diffie-Hellman not secure against Man-in-the-Middle-attack: Want to guarantee authenticity. Alice

Diffie-Hellman not secure against Man-in-the-Middle-attack: Want to guarantee authenticity. Alice Mallory Bob Can achieve this with publc-key cryptography as well. g a a First example: Schnorr Signature g m m a 1024 bit

283 views • 3 slides
Diffie-Hellman not secure against Man-in-the-Middle-attack: Alice Mallory Bob g a a g

Diffie-Hellman not secure against Man-in-the-Middle-attack: Alice Mallory Bob g a a g

Diffie-Hellman not secure against Man-in-the-Middle-attack: Alice Mallory Bob g a a g m m g ma g ma g n n g b b g nb g nb g ma g ma , g nb g nb Eike Ritter Cryptography 2014/15 106

417 views • 9 slides
Secure Programming Laboratory 4: Web Attack SP Demonstrators: Arthur Chan / David Aspinall 15th

Secure Programming Laboratory 4: Web Attack SP Demonstrators: Arthur Chan / David Aspinall 15th

Secure Programming Laboratory 4: Web Attack SP Demonstrators: Arthur Chan / David Aspinall 15th November 2019 Orientation This is the fourth Laboratory Session for Secure Programming It is convened by Arthur, Henry and David. The handout and

556 views • 8 slides
Secure Programming Laboratory 4: Web Attack SP Demonstrators: Arthur Chan / David Aspinall 20th

Secure Programming Laboratory 4: Web Attack SP Demonstrators: Arthur Chan / David Aspinall 20th

Secure Programming Laboratory 4: Web Attack SP Demonstrators: Arthur Chan / David Aspinall 20th March 2019 Orientation This is the fourth Laboratory Session for Secure Programming It is convened by Arthur and David. The handout and other

441 views • 8 slides
Evolving Secure Information Systems through Attack Simulation Elmar Kiesling, Andreas Ekelhart,

Evolving Secure Information Systems through Attack Simulation Elmar Kiesling, Andreas Ekelhart,

Evolving Secure Information Systems through Attack Simulation Elmar Kiesling, Andreas Ekelhart, Bernhard Grill, Christine Strau, Christian Stummer January 7, 2014; Waikoloa, Big Island, Hawaii Funded by the Austrian Science Fund under project

1.13k views • 87 slides
Secure Sockets Layer Transport Layer Security BEAST Attack Dan Luedtke <mail@danrl.de>

Secure Sockets Layer Transport Layer Security BEAST Attack Dan Luedtke <mail@danrl.de>

Secure Sockets Layer Transport Layer Security BEAST Attack Dan Luedtke <mail@danrl.de> Wed Apr 18, 2012 University of the German Federal Armed Forces, Munich Slide 1 Outline History Design Goals SSL/TLS Stack

439 views • 15 slides
6/4/2020 State of Michigan Lean Process Improvement (LPI) Fast, Accurate, and Secure Using Lean

6/4/2020 State of Michigan Lean Process Improvement (LPI) Fast, Accurate, and Secure Using Lean

6/4/2020 State of Michigan Lean Process Improvement (LPI) Fast, Accurate, and Secure Using Lean Principles to Improve your Election Process Anne Cram and Matt Casby , Office of Continuous Improvement MAMC Annual Convention 6/11/20 1 WELCOME!

352 views • 11 slides
CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of

CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of

CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of f the Common Principles Minimize attack Secure by surface area Default Principle of Fail-Safe Least Stance Privilege Secure the

975 views • 56 slides
Calculation of Periodic Travelling Wave Stability: A Users Guide Jonathan A. Sherratt

Calculation of Periodic Travelling Wave Stability: A Users Guide Jonathan A. Sherratt

Case Study: Mussel Bed Patterns in the Wadden Sea Calculation of Wavetrain Existence Applications of Wavetrains Calculation of Wavetrain Stability Objective of Talk Calculation of Stability Boundaries in Parameter Space Conclusions

959 views • 50 slides
A Design Of Secure Preferential E-Voting Kun Peng and Feng Bao { dr.kun.peng } @gmail.com

A Design Of Secure Preferential E-Voting Kun Peng and Feng Bao { dr.kun.peng } @gmail.com

A Design Of Secure Preferential E-Voting Kun Peng and Feng Bao { dr.kun.peng } @gmail.com Institute for Inforcomm Research (I 2 R), Singapore 1 Agenda 1. Preferential E-Voting 2. Coercion attack and coercion resistent 3. Italian attack

229 views • 21 slides
On On Secure Pos osition oning (P (Proj oject CSP: SP: Cros oss-La Layer D Desig ign o

On On Secure Pos osition oning (P (Proj oject CSP: SP: Cros oss-La Layer D Desig ign o

On On Secure Pos osition oning (P (Proj oject CSP: SP: Cros oss-La Layer D Desig ign o of Se f Secure Po Positioning) Sr Srdjan a apkun Relay attack only takes a couple of seconds si signal stre rength d we need se

402 views • 39 slides
Leakage Resilient Masking Schemes Sebastian Faust Ruhr University Bochum 1 Modern cryptography

Leakage Resilient Masking Schemes Sebastian Faust Ruhr University Bochum 1 Modern cryptography

Leakage Resilient Masking Schemes Sebastian Faust Ruhr University Bochum 1 Modern cryptography Until 1970s: Design crypto algorithm secure against one attack Find attack C Find attack B Crypto Crypto algorithm A algorithm B secure against

631 views • 51 slides
Physical Attack Protection with Human-Secure Virtualization in Data Centers Jakub Szefer ,

Physical Attack Protection with Human-Secure Virtualization in Data Centers Jakub Szefer ,

Physical Attack Protection with Human-Secure Virtualization in Data Centers Jakub Szefer , Pramod Jamkhedkar, Yu-Yuan Chen and Ruby B. Lee Princeton University WORCS 2012 July 25, 2012 contact: szefer@princeton.edu Data Centers as

686 views • 36 slides
Elementary #30 October 23, 2018 District Improvement Study Safe and Secure Learning Environment

Elementary #30 October 23, 2018 District Improvement Study Safe and Secure Learning Environment

James P. Butler & Elementary #30 October 23, 2018 District Improvement Study Safe and Secure Learning Environment Good Stewards of All Resources Maximize the Use of Existing Facilities Offer Students the Best Education in Comfortable

622 views • 25 slides
October 18, 2018 & November 2, 2018 District Improvement Study Safe and Secure Learning

October 18, 2018 & November 2, 2018 District Improvement Study Safe and Secure Learning

Paso Del Norte October 18, 2018 & November 2, 2018 District Improvement Study Safe and Secure Learning Environment Good Stewards of All Resources Maximize the Use of Existing Facilities Offer Students the Best Education in Comfortable

378 views • 15 slides
Sufficiently Secure Peer-to-Peer Networks Rupert Gatti 1 Stephen Lewis 2 Andy Ozment 2 Thierry

Sufficiently Secure Peer-to-Peer Networks Rupert Gatti 1 Stephen Lewis 2 Andy Ozment 2 Thierry

Outline Introduction The Model Linear Cost of Attack Non-linear Cost of Attack Analysis and Conclusions Sufficiently Secure Peer-to-Peer Networks Rupert Gatti 1 Stephen Lewis 2 Andy Ozment 2 Thierry Rayna 1 Andrei Serjantov 2 1 Faculty of

771 views • 29 slides
Algorand: Scaling Byzantine Agreements for Cryptocurrencies Hyunjin Kim KAIST Introduction

Algorand: Scaling Byzantine Agreements for Cryptocurrencies Hyunjin Kim KAIST Introduction

Algorand: Scaling Byzantine Agreements for Cryptocurrencies Hyunjin Kim KAIST Introduction Previous Presentations: How secure PoW is? -Attack on Bitcoin Mining pool -Attack on Bitcoin Communication -Attack on Bitcoin Consensus

601 views • 46 slides
Regular Board Meeting November 13, 2018 District Improvement Study Safe and Secure Learning

Regular Board Meeting November 13, 2018 District Improvement Study Safe and Secure Learning

Regular Board Meeting November 13, 2018 District Improvement Study Safe and Secure Learning Environment Good Stewards of All Resources Maximize the Use of Existing Facilities Offer Students the Best Education in Comfortable and Top-Notch

696 views • 37 slides
How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

DIMACS Workshop On Secure Routing March 10, 2010 How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing Protocols? $ $ Sharon Goldberg Microsoft Research & Boston University y Michael Schapira

701 views • 54 slides
October 17, 2018 District Improvement Study Safe and Secure Learning Environment Good Stewards

October 17, 2018 District Improvement Study Safe and Secure Learning Environment Good Stewards

SSG. Manuel R. Puentes October 17, 2018 District Improvement Study Safe and Secure Learning Environment Good Stewards of All Resources Maximize the Use of Existing Facilities Offer Students the Best Education in Comfortable and Top-Notch

548 views • 18 slides
Functions (subprograms) - 1 of 4 Often you would like to do the same calculation in several

Functions (subprograms) - 1 of 4 Often you would like to do the same calculation in several

Functions (subprograms) - 1 of 4 Often you would like to do the same calculation in several different places inside a program, without involving the user. One way is to copy the code. When you update the calculation later you must do it in

334 views • 4 slides

More recommend