changing of the guards
play

Changing of the Guards . Joan Daemen CHES 2017 Taipei, September - PowerPoint PPT Presentation

Sep 03, 2023 •442 likes •1.17k views

Changing of the Guards . Joan Daemen CHES 2017 Taipei, September 26, 2017 Radboud University STMicroelectronics 1 / 18 Disclaimer . This is not a talk about higher-order countermeasures 2 / 18 Iterative cryptographic permutation . 3 /

  1. Changing of the Guards . Joan Daemen CHES 2017 Taipei, September 26, 2017 Radboud University STMicroelectronics 1 / 18

  2. Disclaimer . This is not a talk about higher-order countermeasures 2 / 18

  3. Iterative cryptographic permutation . 3 / 18

  4. Three-stage round function: wide trail . 4 / 18

  5. 5 / 18 5) [Daemen, Govaerts, Vandewalle, WIC Benelux 1991] 257) 3), Subterranean , Cellhash ( n 3-Way ( n 17), BaseKing , 19), Panama ( n RadioGatun ( n Used in Ketje , Keyak , Keccak ( n . Invertible for odd length n 2 1 x i 1 x i x i x i X[i] ^= (~X[i+1]) & X[i+2] Nonlinear layer χ

  6. 5 / 18 5) [Daemen, Govaerts, Vandewalle, WIC Benelux 1991] 257) 3), Subterranean , Cellhash ( n 3-Way ( n 17), BaseKing , 19), Panama ( n RadioGatun ( n Used in Ketje , Keyak , Keccak ( n . Invertible for odd length n 2 1 x i 1 x i x i x i X[i] ^= (~X[i+1]) & X[i+2] Nonlinear layer χ

  7. 5 / 18 5) [Daemen, Govaerts, Vandewalle, WIC Benelux 1991] 257) 3), Subterranean , Cellhash ( n 3-Way ( n 17), BaseKing , 19), Panama ( n RadioGatun ( n Used in Ketje , Keyak , Keccak ( n . Invertible for odd length n 2 1 x i 1 x i x i x i X[i] ^= (~X[i+1]) & X[i+2] Nonlinear layer χ

  8. 5 / 18 5) [Daemen, Govaerts, Vandewalle, WIC Benelux 1991] 257) 3), Subterranean , Cellhash ( n 3-Way ( n 17), BaseKing , 19), Panama ( n RadioGatun ( n Used in Ketje , Keyak , Keccak ( n . Invertible for odd length n 2 1 x i 1 x i x i x i X[i] ^= (~X[i+1]) & X[i+2] Nonlinear layer χ

  9. 5 / 18 5) [Daemen, Govaerts, Vandewalle, WIC Benelux 1991] 257) 3), Subterranean , Cellhash ( n 3-Way ( n 17), BaseKing , 19), Panama ( n RadioGatun ( n Used in Ketje , Keyak , Keccak ( n . Invertible for odd length n 2 1 x i 1 x i x i x i X[i] ^= (~X[i+1]) & X[i+2] Nonlinear layer χ

  10. . X[i] ^= (~X[i+1]) & X[i+2] Invertible for odd length n Used in Ketje , Keyak , Keccak ( n 5) RadioGatun ( n 19), Panama ( n 17), BaseKing , 3-Way ( n 3), Subterranean , Cellhash ( n 257) [Daemen, Govaerts, Vandewalle, WIC Benelux 1991] 5 / 18 Nonlinear layer χ x i ← x i + ( x i + 1 + 1 ) x i + 2

  11. . X[i] ^= (~X[i+1]) & X[i+2] Invertible for odd length n Used in Ketje , Keyak , Keccak ( n 5) RadioGatun ( n 19), Panama ( n 17), BaseKing , 3-Way ( n 3), Subterranean , Cellhash ( n 257) [Daemen, Govaerts, Vandewalle, WIC Benelux 1991] 5 / 18 Nonlinear layer χ x i ← x i + ( x i + 1 + 1 ) x i + 2

  12. . X[i] ^= (~X[i+1]) & X[i+2] Invertible for odd length n RadioGatun ( n 19), Panama ( n 17), BaseKing , 3-Way ( n 3), Subterranean , Cellhash ( n 257) [Daemen, Govaerts, Vandewalle, WIC Benelux 1991] 5 / 18 Nonlinear layer χ x i ← x i + ( x i + 1 + 1 ) x i + 2 Used in Ketje , Keyak , Keccak ( n = 5)

  13. . X[i] ^= (~X[i+1]) & X[i+2] Invertible for odd length n [Daemen, Govaerts, Vandewalle, WIC Benelux 1991] 5 / 18 Nonlinear layer χ x i ← x i + ( x i + 1 + 1 ) x i + 2 Used in Ketje , Keyak , Keccak ( n = 5) RadioGatun ( n = 19), Panama ( n = 17), BaseKing , 3-Way ( n = 3), Subterranean , Cellhash ( n = 257)

  14. x i with a i random 6 / 18 a 1 b 2 [Daemen, Peeters, Van Assche, FSE 2000] b 1 a 2 1 b 2 b 1 b 0 b 0 1 a 2 . a 1 a 0 a 0 b i a i Masking of χ as DPA/DEMA countermeasure x 0 ← x 0 + ( x 1 + 1 ) x 2

  15. . a 0 a 0 a 1 1 a 2 a 1 b 2 b 0 b 0 b 1 1 b 2 b 1 a 2 [Daemen, Peeters, Van Assche, FSE 2000] 6 / 18 Masking of χ as DPA/DEMA countermeasure x 0 ← x 0 + ( x 1 + 1 ) x 2 a i + b i = x i with a i random

  16. [Daemen, Peeters, Van Assche, FSE 2000] . 6 / 18 Masking of χ as DPA/DEMA countermeasure x 0 ← x 0 + ( x 1 + 1 ) x 2 a i + b i = x i with a i random a 0 ← a 0 + ( a 1 + 1 ) a 2 + a 1 b 2 b 0 ← b 0 + ( b 1 + 1 ) b 2 + b 1 a 2

  17. 7 / 18 1 c 2 [Bertoni, Daemen, Peeters, Van Assche, 2nd SHA-3, 2010] a 2 b 1 a 1 b 2 1 a 2 a 1 a 0 c 0 c 2 a 1 c 1 a 2 c 1 . c 0 b 0 b 2 c 1 b 1 c 2 1 b 2 b 1 b 0 a 0 χ ′ : a three-share masking of χ x 0 ← x 0 + ( x 1 + 1 ) x 2 a i + b i + c i = x i with a i and b i random

  18. . [Bertoni, Daemen, Peeters, Van Assche, 2nd SHA-3, 2010] 7 / 18 χ ′ : a three-share masking of χ x 0 ← x 0 + ( x 1 + 1 ) x 2 a i + b i + c i = x i with a i and b i random a 0 ← b 0 + ( b 1 + 1 ) b 2 + b 1 c 2 + b 2 c 1 b 0 ← c 0 + ( c 1 + 1 ) c 2 + c 1 a 2 + c 2 a 1 c 0 ← a 0 + ( a 1 + 1 ) a 2 + a 1 b 2 + a 2 b 1

  19. f a f b f c is a correct sharing of f f a f b f c is incomplete: requires x a x b x c is a uniform sharing of x : all values x a x b x c with x a x a x b x c x a x b x c x b x c x equiprobable x 0 Threshold masking schemes [Nikova, Rijmen, Rechberger, Schläffer, ’06 - ’08] 0 0 0 1 1 0 1 0 1 1 x 1 1 1 1 0 0 1 0 1 0 1 0 0 1 1 0 shares d . 8 / 18 Scheme at the right computes f securely against 1st order DPA if: x = x a + x b + x c f f a f b f c y = y a + y b + y c

  20. f a f b f c is incomplete: requires x a x b x c is a uniform sharing of x : all values x a x b x c with x a x a x b x c x a x b x c 1 x b x c x equiprobable x 0 Threshold masking schemes [Nikova, Rijmen, Rechberger, Schläffer, ’06 - ’08] 0 0 0 d 1 0 1 0 1 1 x 1 1 1 1 0 0 1 0 1 0 1 0 0 1 1 0 shares . 8 / 18 Scheme at the right computes f securely against 1st order DPA if: x = x a + x b + x c f f a f b f c y = y a + y b + y c ◮ ( f a , f b , f c ) is a correct sharing of f

  21. x a x b x c is a uniform sharing of x : all values x a x b x c with x a x a x b x c x a x b x c x b x c x equiprobable x 0 0 0 0 Threshold masking schemes [Nikova, Rijmen, Rechberger, Schläffer, ’06 - ’08] 1 1 0 0 1 1 x 1 1 1 1 0 0 1 0 1 0 1 0 0 1 0 1 8 / 18 . Scheme at the right computes f securely against 1st order DPA if: x = x a + x b + x c f f a f b f c y = y a + y b + y c ◮ ( f a , f b , f c ) is a correct sharing of f ◮ ( f a , f b , f c ) is incomplete: requires # shares ≥ d + 1

  22. x a x b x c x a x b x c Threshold masking schemes [Nikova, Rijmen, Rechberger, Schläffer, ’06 - ’08] . 1 0 0 0 1 0 0 0 1 1 1 1 1 x 0 1 1 1 0 1 1 1 0 0 0 0 0 x Scheme at the right computes f securely against 1st order DPA if: 8 / 18 x = x a + x b + x c f f a f b f c y = y a + y b + y c ◮ ( f a , f b , f c ) is a correct sharing of f ◮ ( f a , f b , f c ) is incomplete: requires # shares ≥ d + 1 ◮ ( x a , x b , x c ) is a uniform sharing of x : • all values ( x a , x b , x c ) with x a + x b + x c = x equiprobable

  23. Threshold masking schemes [Nikova, Rijmen, Rechberger, Schläffer, ’06 - ’08] . Scheme at the right computes f securely against 1st order DPA if: 8 / 18 x = x a + x b + x c f f a f b f c y = y a + y b + y c ◮ ( f a , f b , f c ) is a correct sharing of f ◮ ( f a , f b , f c ) is incomplete: requires # shares ≥ d + 1 ◮ ( x a , x b , x c ) is a uniform sharing of x : • all values ( x a , x b , x c ) with x a + x b + x c = x equiprobable • x = 0 : ( x a , x b , x c ) ∈ { ( 0 , 0 , 0 )( 1 , 1 , 0 )( 1 , 0 , 1 )( 0 , 1 , 1 ) } • x = 1 : ( x a , x b , x c ) ∈ { ( 1 , 1 , 1 )( 0 , 0 , 1 )( 0 , 1 , 0 )( 1 , 0 , 0 ) }

  24. If f is invertible, for f a f b f c uniformity Uniformity of a threshold masking scheme . invertibility 9 / 18 x x a x b x c f f a f b f c y y a y b y c f f a f b f c z z a z b z c ◮ Sharing ( f a , f b , f c ) of f is called uniform if it preserves uniformity

  25. Uniformity of a threshold masking scheme . 9 / 18 x x a x b x c f f a f b f c y y a y b y c f f a f b f c z z a z b z c ◮ Sharing ( f a , f b , f c ) of f is called uniform if it preserves uniformity ◮ If f is invertible, for ( f a , f b , f c ) uniformity = invertibility

  26. Correct? Yes! . Incomplete? Yes! Uniform? Yes! …but wait …we may have a problem here it isn’t In general, for many S-boxes: no uniform d 1-share threshold schemes are known it is an active research area to find the best compromise 10 / 18 Back to χ ′ a 0 ← b 0 + ( b 1 + 1 ) b 2 + b 1 c 2 + b 2 c 1 b 0 ← c 0 + ( c 1 + 1 ) c 2 + c 1 a 2 + c 2 a 1 c 0 ← a 0 + ( a 1 + 1 ) a 2 + a 1 b 2 + a 2 b 1 Is this a secure threshold masking scheme of χ ?

  27. . Yes! Incomplete? Yes! Uniform? Yes! …but wait …we may have a problem here it isn’t In general, for many S-boxes: no uniform d 1-share threshold schemes are known it is an active research area to find the best compromise 10 / 18 Back to χ ′ a 0 ← b 0 + ( b 1 + 1 ) b 2 + b 1 c 2 + b 2 c 1 b 0 ← c 0 + ( c 1 + 1 ) c 2 + c 1 a 2 + c 2 a 1 c 0 ← a 0 + ( a 1 + 1 ) a 2 + a 1 b 2 + a 2 b 1 Is this a secure threshold masking scheme of χ ? ◮ Correct?

  28. . Incomplete? Yes! Uniform? Yes! …but wait …we may have a problem here it isn’t In general, for many S-boxes: no uniform d 1-share threshold schemes are known it is an active research area to find the best compromise 10 / 18 Back to χ ′ a 0 ← b 0 + ( b 1 + 1 ) b 2 + b 1 c 2 + b 2 c 1 b 0 ← c 0 + ( c 1 + 1 ) c 2 + c 1 a 2 + c 2 a 1 c 0 ← a 0 + ( a 1 + 1 ) a 2 + a 1 b 2 + a 2 b 1 Is this a secure threshold masking scheme of χ ? ◮ Correct? Yes!

  29. Yes! . Uniform? Yes! …but wait …we may have a problem here it isn’t In general, for many S-boxes: no uniform d 1-share threshold schemes are known it is an active research area to find the best compromise 10 / 18 Back to χ ′ a 0 ← b 0 + ( b 1 + 1 ) b 2 + b 1 c 2 + b 2 c 1 b 0 ← c 0 + ( c 1 + 1 ) c 2 + c 1 a 2 + c 2 a 1 c 0 ← a 0 + ( a 1 + 1 ) a 2 + a 1 b 2 + a 2 b 1 Is this a secure threshold masking scheme of χ ? ◮ Correct? Yes! ◮ Incomplete?

Recommend

Old Guards to No Guards The Veterans (1922-1943) 52 million Baby Boomers (1943-1960) 73.2

Old Guards to No Guards The Veterans (1922-1943) 52 million Baby Boomers (1943-1960) 73.2

Management and Supervision Fall 2014 Generational Diversity in the Workplace Presented by: Billy Bevill, MSN, RN Old Guards to No Guards The Veterans (1922-1943) 52 million Baby Boomers (1943-1960) 73.2 million Gen X (1960-1984) 51

500 views • 20 slides
Out of Control? How companies work in practice Why is executive pay so high and who guards the

Out of Control? How companies work in practice Why is executive pay so high and who guards the

Out of Control? How companies work in practice Why is executive pay so high and who guards the guards? Behind every shopfront theres a story Why the stockmarket matters: When things go wrong, companies: Raise funds from shareholders Sell

661 views • 32 slides
Changing Places/Changing Faces 1 Running Head: CHANGING PLACES/CHANGES FACES Changing

Changing Places/Changing Faces 1 Running Head: CHANGING PLACES/CHANGES FACES Changing

Changing Places/Changing Faces 1 Running Head: CHANGING PLACES/CHANGES FACES Changing Places/Changing Faces: Immigrant Youth and Identity Development Elham Bagheri & Jay M. Greenfeld, M.A. University of Iowa Changing Places/Changing

401 views • 11 slides
Installing BACKRACK Cab Guards on 2004-2012 Ford F-150 5.5 ft Bed In the past, the 5.5 ft bed

Installing BACKRACK Cab Guards on 2004-2012 Ford F-150 5.5 ft Bed In the past, the 5.5 ft bed

Installing BACKRACK Cab Guards on 2004-2012 Ford F-150 5.5 ft Bed In the past, the 5.5 ft bed F-150 was installed by drilling holes through the top plastic of the truck bed rail ( 10512 SC ) The installation method illustrated in this

545 views • 17 slides
THOUGHT FOR THE SESSION The wise listen and add to learning, because understanding guards them.

THOUGHT FOR THE SESSION The wise listen and add to learning, because understanding guards them.

CIS & Market applications Wealth Management Skills Program THE ACADEMY OF FINANCIAL MARKETS WELCOME TO THE SESSION! THOUGHT FOR THE SESSION The wise listen and add to learning, because understanding guards them. Module 12: Market

344 views • 6 slides
String Oriented Programming Circumventing ASLR, DEP, and other Guards Mathias Payer, ETH Zrich

String Oriented Programming Circumventing ASLR, DEP, and other Guards Mathias Payer, ETH Zrich

String Oriented Programming Circumventing ASLR, DEP, and other Guards Mathias Payer, ETH Zrich Motivation Additional protection mechanisms prevent many existing attack vectors Format string exploits are often overlooked Drawback: hard to

640 views • 26 slides
Linear time 8 / 3 -approx. of r -star guards in simple orthogonal art galleries obert Mezei 1

Linear time 8 / 3 -approx. of r -star guards in simple orthogonal art galleries obert Mezei 1

Linear time 8 / 3 -approx. of r -star guards in simple orthogonal art galleries obert Mezei 1 Ervin Gy ori & Tam as R ICGT 2018, July 9, Lyon 1 Alfr ed R enyi Institute of Mathematics, Hungarian Academy of Sciences 1/17 The

800 views • 68 slides
Transparency: Publishing the Cost of Elections Friday 30 September, 1 Horse Guards Road

Transparency: Publishing the Cost of Elections Friday 30 September, 1 Horse Guards Road

Transparency: Publishing the Cost of Elections Friday 30 September, 1 Horse Guards Road Introduction Ministers have approved publication of the cost of national elections resourced from the Consolidated Fund Will begin with report and

348 views • 10 slides
Mobile vs. point guards in orthogonal art gallery theorems Tams Rbert Mezei (joint work with

Mobile vs. point guards in orthogonal art gallery theorems Tams Rbert Mezei (joint work with

Mobile vs. point guards in orthogonal art gallery theorems Tams Rbert Mezei (joint work with Ervin Gyri) Discrete Geometry Fest, May 1519 2017, Budapest 1 Alfrd Rnyi Institute of Mathematics, Hungarian Academy of Sciences 2 Central

924 views • 35 slides
Matimba ACC Fan Guards Project Clarification Meeting Presented By: Francois Nel Date:2020/07/23

Matimba ACC Fan Guards Project Clarification Meeting Presented By: Francois Nel Date:2020/07/23

Matimba ACC Fan Guards Project Clarification Meeting Presented By: Francois Nel Date:2020/07/23 Overview 6 x Units 48 x Fans per unit 30ft fans 288 fans in total 45m elevation 2 Single fan 250 kW motor and gearbox 8 x bladed fan 1 x

485 views • 34 slides
Re Reali alizing Ch Choice: O Onli line Sa Safe fegu guards for for Cou ouples Adaptin

Re Reali alizing Ch Choice: O Onli line Sa Safe fegu guards for for Cou ouples Adaptin

Re Reali alizing Ch Choice: O Onli line Sa Safe fegu guards for for Cou ouples Adaptin ing g to to Cogn ognitiv itive Challenge ges NORA MCDONALD, UNIVERSITY OF MARYLAND, BALTIMORE COUNTY (UMBC) ALISON LARSEN, UMBC ALLISON

58 views • 5 slides
Well-Rounded SRTS Program Crossing Guards Champions Education Engagement Infrastructure

Well-Rounded SRTS Program Crossing Guards Champions Education Engagement Infrastructure

How Creative Partnerships Lead to Well-Rounded SRTS Program Crossing Guards Champions Education Engagement Infrastructure Kansas City, Kansas & City of Austin Wyandotte County, Kansas Safe Route to School Are reiona ona King, g,

865 views • 51 slides
Existing Civ-civ Cooperation: Japan Coast Guards Multi -lateral Relationships North Pacific

Existing Civ-civ Cooperation: Japan Coast Guards Multi -lateral Relationships North Pacific

Existing Civ-civ Cooperation: Japan Coast Guards Multi -lateral Relationships North Pacific Coast Guard Forum (NPCGF) 6 states: US, Canada, Russia, China, Korea and Japan, Since 2000 NPCGF Summit, Experts Meeting, MMEX (each, annually) 2011:

336 views • 8 slides
Womens Cyber Forum: Launching Careers in Cyber Space Guns, Guards, Gates, Geeks and

Womens Cyber Forum: Launching Careers in Cyber Space Guns, Guards, Gates, Geeks and

Womens Cyber Forum: Launching Careers in Cyber Space Guns, Guards, Gates, Geeks and Girls Building a Cyber Skill Set A nuclear security perspective Rhonda Evans, Head WINS Academy Outline WINS introduced Unpacking Demonstrable

552 views • 15 slides
The (all guards move) Eternal Domination number for 3 n Grids Margaret-Ellen Messinger Mount

The (all guards move) Eternal Domination number for 3 n Grids Margaret-Ellen Messinger Mount

The (all guards move) Eternal Domination number for 3 n Grids Margaret-Ellen Messinger Mount Allison University New Brunswick, CANADA with A.Z. Delaney (Mt.A.), S. Finbow (St.F.X.), M. van Bommel (St.F.X.) Margaret-Ellen Messinger (MtA)

2.95k views • 24 slides
EPAs Vessel General Permit (VGP) and The Coast Guards Ballast Water Management Regulatory

EPAs Vessel General Permit (VGP) and The Coast Guards Ballast Water Management Regulatory

EPAs Vessel General Permit (VGP) and The Coast Guards Ballast Water Management Regulatory Program June 12, 2013 EPAs Vessel General Permit (VGP) CLEAN WATER ACT (CWA) PERMIT BASICS For more info visit http://cfpub.epa.gov/npdes/

517 views • 30 slides
Study conducted at Oregon National Guards Lane Readiness Center Lane Readiness Center Located

Study conducted at Oregon National Guards Lane Readiness Center Lane Readiness Center Located

Springfield Utility Board and Oregon Military Department Behavior Based Energy Efficiency Study Study conducted at Oregon National Guards Lane Readiness Center Lane Readiness Center Located in Springfield, OR Approx 160,000SF 260 FTE 800

342 views • 19 slides
Timed automata with diagonal constraints B. Srivathsan Chennai Mathematical Institute, India In

Timed automata with diagonal constraints B. Srivathsan Chennai Mathematical Institute, India In

Timed automata with diagonal constraints B. Srivathsan Chennai Mathematical Institute, India In this lecture, we will consider timed automata that can additionally take guards of the form x y 5, z x > 20, etc. Such guards are

346 views • 5 slides
Primary Care Networks Things are changing The changing health needs of the population And our

Primary Care Networks Things are changing The changing health needs of the population And our

Primary Care Networks Things are changing The changing health needs of the population And our expectations are changing too. are putting pressure on the health and social care system in England. Ageing Between 2017 and 2027, there will be

709 views • 35 slides
Our uniform is NOT changing We are NOT changing the shirts

Our uniform is NOT changing We are NOT changing the shirts

Our uniform is NOT changing We are NOT changing the shirts We expect everyone to wear the correct school tie Old style school ties will no

449 views • 16 slides
Recurrence: State of Union Whats changing, why is it changing, and where are we going? What

Recurrence: State of Union Whats changing, why is it changing, and where are we going? What

Recurrence: State of Union Whats changing, why is it changing, and where are we going? What Youll Learn Today 1. Insights into our Future of Firm Management research 2. How that impacted our direction (and the ROI for your firm)

199 views • 15 slides
Changing needs in a changing world Research supported by TLRI Why change? FROM STATISTICAL

Changing needs in a changing world Research supported by TLRI Why change? FROM STATISTICAL

Statistics Road Tour 2012 Changing Needs in a Changing World: Part II: Maxine Pfannkuch Department of Statistics University of Auckland, New Zealand THE UNIVERSITY OF AUCKLAND DEPARTMENT OF STATISTICS Hans Rosling s TED talks, Documentary

225 views • 11 slides
Truck Side Guards and Other Safety Measures for Cyclists Presentation to General Committee June

Truck Side Guards and Other Safety Measures for Cyclists Presentation to General Committee June

Building Markhams Future Together Journey to Excellence Truck Side Guards and Other Safety Measures for Cyclists Presentation to General Committee June 16, 2014 1 Building Markhams Future Together Journey to Excellence AGENDA 1.

217 views • 17 slides
Scenario Week 4 (comp203p) Ilya Sergey scenario@cs.ucl.ac.uk 22-26 February 2016 How many

Scenario Week 4 (comp203p) Ilya Sergey scenario@cs.ucl.ac.uk 22-26 February 2016 How many

Scenario Week 4 (comp203p) Ilya Sergey scenario@cs.ucl.ac.uk 22-26 February 2016 How many guards do we really need? The answer depends on the shape of the gallery. How many guards do we really need? The answer depends on the shape of the

390 views • 26 slides

More recommend