block ciphers implementations provably secure against
play

Block Ciphers Implementations Provably Secure Against Second Order - PowerPoint PPT Presentation

Sep 15, 2022 •161 likes •812 views

8 + Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu Rivain 1 , 2 , Emmanuelle Dottax 1 & Emmanuel Prouff 1 Oberthur Card Systems University of Luxembourg February 11, 2008 M. Rivain, E.

  1. 8 + Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu Rivain 1 , 2 , Emmanuelle Dottax 1 & Emmanuel Prouff 1 Oberthur Card Systems University of Luxembourg February 11, 2008 M. Rivain, E. Dottax & E. Prouff Block Ciphers Implementations Provably Secure ag. 2O-SCA

  2. Outline 8 + Introduction to (Second Order) Side Channel Analysis 1 Block Ciphers Implementations Secure Against 2O-SCA 2 S-box Implementations Secure Against 2O-SCA 3 Improvement 4 Comparison & Implementation Results 5 M. Rivain, E. Dottax & E. Prouff Block Ciphers Implementations Provably Secure ag. 2O-SCA

  3. Side Channel Analysis 8 + Side Channel Analysis (SCA) is a strong cryptanalytic technique targeting physical implementations The physical leakage of the execution of any algorithm depends on the intermediate variables SCA exploits leakage on sensitive variables that depend on the secret key M. Rivain, E. Dottax & E. Prouff Block Ciphers Implementations Provably Secure ag. 2O-SCA

  4. Side Channel Analysis 8 + V depends on a few key bits ⇒ possible key recovery attack exploiting L ( V ) M. Rivain, E. Dottax & E. Prouff Block Ciphers Implementations Provably Secure ag. 2O-SCA

  5. Side Channel Analysis 8 + V depends on a few key bits ⇒ possible key recovery attack exploiting L ( V ) Classical statistical distinguishers: ◮ correlation techniques – generic ◮ maximum likelihood – strong adversary model M. Rivain, E. Dottax & E. Prouff Block Ciphers Implementations Provably Secure ag. 2O-SCA

  6. Masking & Higher Order SCA 8 + One or several random values – the masks – are added to every sensitive variable M. Rivain, E. Dottax & E. Prouff Block Ciphers Implementations Provably Secure ag. 2O-SCA

  7. Masking & Higher Order SCA 8 + One or several random values – the masks – are added to every sensitive variable First order masking: one single mask M. Rivain, E. Dottax & E. Prouff Block Ciphers Implementations Provably Secure ag. 2O-SCA

  8. Masking & Higher Order SCA 8 + One or several random values – the masks – are added to every sensitive variable First order masking: one single mask Second Order Side Channel Analysis ◮ M : random mask ◮ V ⊕ M : masked variable M. Rivain, E. Dottax & E. Prouff Block Ciphers Implementations Provably Secure ag. 2O-SCA

  9. Masking & Higher Order SCA 8 + One or several random values – the masks – are added to every sensitive variable First order masking: one single mask Second Order Side Channel Analysis ◮ M : random mask ◮ V ⊕ M : masked variable To thwart 2O-SCA: use second order masking M. Rivain, E. Dottax & E. Prouff Block Ciphers Implementations Provably Secure ag. 2O-SCA

  10. Masking & Higher Order SCA 8 + One or several random values – the masks – are added to every sensitive variable First order masking: one single mask Second Order Side Channel Analysis ◮ M : random mask ◮ V ⊕ M : masked variable To thwart 2O-SCA: use second order masking d th order masking is broken by ( d + 1) th order SCA M. Rivain, E. Dottax & E. Prouff Block Ciphers Implementations Provably Secure ag. 2O-SCA

  11. Why Using Masking ? 8 + [Chari+ CRYPTO’99] SCA complexity increases ◮ exponentially with the masking order ◮ polynomially with hiding-like countermeasures (noise addition, operation order randomization, ...) Incrementing the masking order is of great interest for SCA resistance M. Rivain, E. Dottax & E. Prouff Block Ciphers Implementations Provably Secure ag. 2O-SCA

  12. Why Using Masking ? 8 + [Chari+ CRYPTO’99] SCA complexity increases ◮ exponentially with the masking order ◮ polynomially with hiding-like countermeasures (noise addition, operation order randomization, ...) Incrementing the masking order is of great interest for SCA resistance Many papers focus on improving 2O-SCA A few papers deal with resistant implementations M. Rivain, E. Dottax & E. Prouff Block Ciphers Implementations Provably Secure ag. 2O-SCA

  13. Why Using Masking ? 8 + [Chari+ CRYPTO’99] SCA complexity increases ◮ exponentially with the masking order ◮ polynomially with hiding-like countermeasures (noise addition, operation order randomization, ...) Incrementing the masking order is of great interest for SCA resistance Many papers focus on improving 2O-SCA A few papers deal with resistant implementations First step: provable security against 2O-SCA M. Rivain, E. Dottax & E. Prouff Block Ciphers Implementations Provably Secure ag. 2O-SCA

  14. Security Against 2O-SCA 8 + Definition (2O-SCA Security) A cryptographic algorithm is said to be secure against 2O-SCA if every pair of its intermediate variables is independent of any sensitive variable. An algorithm security can be formally proved ◮ listing all intermediate variables ◮ checking every pair independency M. Rivain, E. Dottax & E. Prouff Block Ciphers Implementations Provably Secure ag. 2O-SCA

  15. Block Cipher Description 8 + Iterated block cipher M. Rivain, E. Dottax & E. Prouff Block Ciphers Implementations Provably Secure ag. 2O-SCA

  16. Block Cipher Description 8 + Iterated block cipher Round transformation: ρ [ k ]( · ) = λ ◦ γ ◦ σ [ k ]( · ) M. Rivain, E. Dottax & E. Prouff Block Ciphers Implementations Provably Secure ag. 2O-SCA

  17. Securing Block Ciphers Implementations 8 + Second order masking: ◮ p = p 0 ⊕ p 1 ⊕ p 2 ◮ k = k 0 ⊕ k 1 ⊕ k 2 ( p 1 , p 2 ) and ( k 1 , k 2 ) randomly generated M. Rivain, E. Dottax & E. Prouff Block Ciphers Implementations Provably Secure ag. 2O-SCA

  18. Securing Block Ciphers Implementations 8 + Second order masking: ◮ p = p 0 ⊕ p 1 ⊕ p 2 ◮ k = k 0 ⊕ k 1 ⊕ k 2 ( p 1 , p 2 ) and ( k 1 , k 2 ) randomly generated Goal: perform a round transformation from the 3 shares ◮ The shares must be process separately ◮ The completeness relation must be preserved M. Rivain, E. Dottax & E. Prouff Block Ciphers Implementations Provably Secure ag. 2O-SCA

  19. Securing the Round Transformation 8 + Linear layer: simple M. Rivain, E. Dottax & E. Prouff Block Ciphers Implementations Provably Secure ag. 2O-SCA

  20. Securing the Round Transformation 8 + Linear layer: λ ( p ) = λ ( p 0 ) ⊕ λ ( p 1 ) ⊕ λ ( p 2 ) M. Rivain, E. Dottax & E. Prouff Block Ciphers Implementations Provably Secure ag. 2O-SCA

  21. Securing the Round Transformation 8 + Linear layer: λ ( p ) = λ ( p 0 ) ⊕ λ ( p 1 ) ⊕ λ ( p 2 ) Key addition layer: simple M. Rivain, E. Dottax & E. Prouff Block Ciphers Implementations Provably Secure ag. 2O-SCA

  22. Securing the Round Transformation 8 + Linear layer: λ ( p ) = λ ( p 0 ) ⊕ λ ( p 1 ) ⊕ λ ( p 2 ) Key addition layer: σ [ k ]( p ) = σ [ k 0 ]( p 0 ) ⊕ σ [ k 1 ]( p 1 ) ⊕ σ [ k 2 ]( p 2 ) M. Rivain, E. Dottax & E. Prouff Block Ciphers Implementations Provably Secure ag. 2O-SCA

  23. Securing the Round Transformation 8 + Linear layer: λ ( p ) = λ ( p 0 ) ⊕ λ ( p 1 ) ⊕ λ ( p 2 ) Key addition layer: σ [ k ]( p ) = σ [ k 0 ]( p 0 ) ⊕ σ [ k 1 ]( p 1 ) ⊕ σ [ k 2 ]( p 2 ) Non-linear layer: issue M. Rivain, E. Dottax & E. Prouff Block Ciphers Implementations Provably Secure ag. 2O-SCA

  24. Securing the Round Transformation 8 + Linear layer: λ ( p ) = λ ( p 0 ) ⊕ λ ( p 1 ) ⊕ λ ( p 2 ) Key addition layer: σ [ k ]( p ) = σ [ k 0 ]( p 0 ) ⊕ σ [ k 1 ]( p 1 ) ⊕ σ [ k 2 ]( p 2 ) Non-linear layer: issue ◮ Problem: secure an S-box implementation M. Rivain, E. Dottax & E. Prouff Block Ciphers Implementations Provably Secure ag. 2O-SCA

  25. Secure S-box Implementation – Problem 8 + S : n × m S-box M. Rivain, E. Dottax & E. Prouff Block Ciphers Implementations Provably Secure ag. 2O-SCA

  26. Secure S-box Implementation – Problem 8 + S : n × m S-box x = x ⊕ r 1 ⊕ r 2 : n -bit masked input, ( r 1 , r 2 ) : n -bit input masks ˜ M. Rivain, E. Dottax & E. Prouff Block Ciphers Implementations Provably Secure ag. 2O-SCA

  27. Secure S-box Implementation – Problem 8 + S : n × m S-box x = x ⊕ r 1 ⊕ r 2 : n -bit masked input, ( r 1 , r 2 ) : n -bit input masks ˜ ( s 1 , s 2 ) : m -bit output masks M. Rivain, E. Dottax & E. Prouff Block Ciphers Implementations Provably Secure ag. 2O-SCA

  28. Secure S-box Implementation – Problem 8 + S : n × m S-box x = x ⊕ r 1 ⊕ r 2 : n -bit masked input, ( r 1 , r 2 ) : n -bit input masks ˜ ( s 1 , s 2 ) : m -bit output masks Goal : process S ( x ) ⊕ s 1 ⊕ s 2 Requirement : every pair of inter. var. must be indep. of x M. Rivain, E. Dottax & E. Prouff Block Ciphers Implementations Provably Secure ag. 2O-SCA

  29. Our Proposition 8 + Input: ˜ x = x ⊕ r 1 ⊕ r 2 , ( r 1 , r 2 ) , ( s 1 , s 2 ) Output: S ( x ) ⊕ s 1 ⊕ s 2 1. r 3 ← rand ( n ) 2. r ′ ← ( r 1 ⊕ r 3 ) ⊕ r 2 3. for a from 0 to 2 n − 1 do a ′ ← a ⊕ r ′ 4. � � 5. T [ a ′ ] ← S (˜ x ⊕ a ) ⊕ s 1 ⊕ s 2 6. return T [ r 3 ] M. Rivain, E. Dottax & E. Prouff Block Ciphers Implementations Provably Secure ag. 2O-SCA

Recommend

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure countermeasure Against (first) order power analysis based on multi party computation and secret sharing 2 Outline Threshold Implementations

990 views • 58 slides
Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the

1.11k views • 63 slides
Contents Introduction Classification of Symmetric Ciphers Types of Attacks

Contents Introduction Classification of Symmetric Ciphers Types of Attacks

Contents Introduction Classification of Symmetric Ciphers Types of Attacks Properties of Secure Ciphers Components of Block Ciphers Classes of Block Ciphers DES AES Secure Communication using

606 views • 27 slides
Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Organisation Organisation Overview Block Ciphers Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers Assume encryption and decryption use the

425 views • 5 slides
One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers Encryption Modes Encryption Modes Shift Cipher Brute%force attack can easily break Ahmet Burak Can Substitution Cipher Hacettepe University

191 views • 6 slides
Fully Automated Differential Fault Analysis on Software Implementations of Block Ciphers Xiaolu

Fully Automated Differential Fault Analysis on Software Implementations of Block Ciphers Xiaolu

Fully Automated Differential Fault Analysis on Software Implementations of Block Ciphers Xiaolu Hou 1 , Jakub Breier 2 , Fuyuan Zhang 3 , and Yang Liu 2 1 National University of Singapore, Singapore 2 HP-NTU Digital Manufacturing Corporate Lab,

513 views • 26 slides
Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

CSS441 Block Ciphers Principles DES Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20

788 views • 50 slides
Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu Iwata Nagoya University, Japan FSE 2020 November 913, 2020, Virtual 1 / 19 Block Ciphers block cipher (BC) E : K { 0 , 1 } n { 0

530 views • 24 slides
Outline Crypto basics, contd Stream ciphers CSci 5271 Block ciphers and modes of operation

Outline Crypto basics, contd Stream ciphers CSci 5271 Block ciphers and modes of operation

Outline Crypto basics, contd Stream ciphers CSci 5271 Block ciphers and modes of operation Introduction to Computer Security Announcements Cryptography, symmetric and public-key Hash functions and MACs Stephen McCamant Building a secure

440 views • 11 slides
Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the ciphertext block C i = E K ( M i ), and the results are concatenated to the

334 views • 8 slides
Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark

Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark

Computational Complexity Provably-secure constructions Problems with provably-secure constructions Attempts at practical constructions Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark Quo Vadis

874 views • 20 slides
Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

06-20008 Cryptography The University of Birmingham Autumn Semester 2012 School of Computer Science Eike Ritter 2 October, 2012 Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers DES II.

588 views • 10 slides
B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

1 B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a) Fundamentals 3 B.1 Definition A mapping Enc: P K C for which k := Enc( ,k): P C is bijective for each k K is called an

1.1k views • 32 slides
Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin

Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin

Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin University of Versailles and Orange Labs SAC 2008 August 14-15, 2008 intro the Russian Dolls construction generic attacks application to

539 views • 17 slides
B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n

B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n

1 B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n is called a block cipher . The positive integer n denotes the block size ( block length ). 3 B.25 Remark and Convention The encryption

709 views • 67 slides
Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof. Raluca Ada Popa Jan 31, 2018 Announcements Project 1 is out, due Feb 14 midnight Recall: Block cipher A function E : {0, 1} k {0, 1} n

553 views • 32 slides
T-79.159 Cryptography and Data Security Lecture 3: 3.1 Introduction to block ciphers 3.2 DES

T-79.159 Cryptography and Data Security Lecture 3: 3.1 Introduction to block ciphers 3.2 DES

T-79.159 Cryptography and Data Security Lecture 3: 3.1 Introduction to block ciphers 3.2 DES 3.3 IDEA 3.4 AES Kaufman et al: Chapter 3 Stallings: Chapters 3, 5 1 Block ciphers Confidentiality primitive Threat: recover the plaintext

774 views • 15 slides
Provably secure compilation of side-channel countermeasures: the case of cryptographic

Provably secure compilation of side-channel countermeasures: the case of cryptographic

Provably secure compilation of side-channel countermeasures: the case of cryptographic constant-time Gilles Barthe Benjamin Grgoire Vincent Laporte CSF18, 2018-07-12 Vincent Laporte et alii Provably secure compilation of

501 views • 25 slides
PRF , Block Ciphers MAC Lecture 6 One-time CPA-secure RECALL SKE with a Stream-Cipher m

PRF , Block Ciphers MAC Lecture 6 One-time CPA-secure RECALL SKE with a Stream-Cipher m

PRF , Block Ciphers MAC Lecture 6 One-time CPA-secure RECALL SKE with a Stream-Cipher m (stream) Enc One-time Encryption with a stream-cipher: SC K Generate a one-time pad from a short seed Can share just the seed as the key Mask

1.33k views • 102 slides
Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof. Raluca Ada Popa Sept 15, 2016 Announcements Project due Sept 20 Recall: Block cipher A function E : {0, 1} k {0, 1} n {0, 1} n . Once

417 views • 30 slides
T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher confidentiality modes of operation Kaufman et al: Ch 4 Stallings: Ch 6, Ch 3 1 Stream ciphers Stream ciphers are generally faster than block

535 views • 12 slides
Perfect Block Ciphers With Small Blocks Louis Granboulan 1 , 2 Thomas Pornin 3 1 cole Normale

Perfect Block Ciphers With Small Blocks Louis Granboulan 1 , 2 Thomas Pornin 3 1 cole Normale

Block ciphers with non-standard sizes Choosing uniformly a random permutation P ERMUTATOR Sampling following the Hypergeometric Distribution Security Analysis Perfect Block Ciphers With Small Blocks Louis Granboulan 1 , 2 Thomas Pornin 3 1

550 views • 23 slides
Design Issues of Block Ciphers The objectives of this part is to show certain design issues of

Design Issues of Block Ciphers The objectives of this part is to show certain design issues of

Design Issues of Block Ciphers The objectives of this part is to show certain design issues of block ciphers. 1 Block Ciphers and Stream Ciphers A one-key cipher is a 5-tuple ( M , C , K , E k , D k ) , where M , C , K are respectively the

461 views • 12 slides
How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and

How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and

Introduction Cryptology Basics Detection Cryptanalysis The Word Case The Excel Case Conclusion How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and Break them Eric Filiol, filiol@esiea.fr ESIEA -

808 views • 64 slides

More recommend