Changing of the Guards. Joan Daemen, CHES 2017, Taipei, September 26, 2017. Radboud University, STMicroelectronics. 1 / 18
Disclaimer. This is not a talk about higher-order countermeasures.

Iterative cryptographic permutation.

Three-stage round function: wide trail.
Nonlinear layer χ
x_i ← x_i + (x_{i+1} + 1) x_{i+2}
X[i] ^= (~X[i+1]) & X[i+2]
◮ Invertible for odd length n
◮ Used in Ketje, Keyak, Keccak (n = 5), RadioGatun (n = 19), Panama (n = 17), BaseKing, 3-Way (n = 3), Subterranean, Cellhash (n = 257)
[Daemen, Govaerts, Vandewalle, WIC Benelux 1991]
Masking of χ as DPA/DEMA countermeasure
x_0 ← x_0 + (x_1 + 1) x_2
a_i + b_i = x_i with a_i random
a_0 ← a_0 + (a_1 + 1) a_2 + a_1 b_2
b_0 ← b_0 + (b_1 + 1) b_2 + b_1 a_2
[Daemen, Peeters, Van Assche, FSE 2000]
χ′: a three-share masking of χ
x_0 ← x_0 + (x_1 + 1) x_2
a_i + b_i + c_i = x_i with a_i and b_i random
a_0 ← b_0 + (b_1 + 1) b_2 + b_1 c_2 + b_2 c_1
b_0 ← c_0 + (c_1 + 1) c_2 + c_1 a_2 + c_2 a_1
c_0 ← a_0 + (a_1 + 1) a_2 + a_1 b_2 + a_2 b_1
[Bertoni, Daemen, Peeters, Van Assche, 2nd SHA-3, 2010]
Threshold masking schemes [Nikova, Rijmen, Rechberger, Schläffer, ’06 - ’08]
(figure: x = x_a + x_b + x_c → (f_a, f_b, f_c) → y = y_a + y_b + y_c)
Scheme at the right computes f securely against 1st order DPA if:
◮ (f_a, f_b, f_c) is a correct sharing of f
◮ (f_a, f_b, f_c) is incomplete: requires # shares ≥ d + 1
◮ (x_a, x_b, x_c) is a uniform sharing of x:
  • all values (x_a, x_b, x_c) with x_a + x_b + x_c = x equiprobable
  • x = 0: (x_a, x_b, x_c) ∈ {(0,0,0), (1,1,0), (1,0,1), (0,1,1)}
  • x = 1: (x_a, x_b, x_c) ∈ {(1,1,1), (0,0,1), (0,1,0), (1,0,0)}
Uniformity of a threshold masking scheme
(figure: x = (x_a, x_b, x_c) → (f_a, f_b, f_c) → y = (y_a, y_b, y_c) → (f_a, f_b, f_c) → z = (z_a, z_b, z_c))
◮ Sharing (f_a, f_b, f_c) of f is called uniform if it preserves uniformity
◮ If f is invertible, for (f_a, f_b, f_c) uniformity = invertibility
Back to χ′
a_0 ← b_0 + (b_1 + 1) b_2 + b_1 c_2 + b_2 c_1
b_0 ← c_0 + (c_1 + 1) c_2 + c_1 a_2 + c_2 a_1
c_0 ← a_0 + (a_1 + 1) a_2 + a_1 b_2 + a_2 b_1
Is this a secure threshold masking scheme of χ?
◮ Correct? Yes!
◮ Incomplete? Yes!
◮ Uniform? Yes! …but wait …it isn’t. We may have a problem here.
In general, for many S-boxes:
◮ no uniform d + 1-share threshold schemes are known
◮ it is an active research area to find the best compromise
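As an added example (not code from the talk or from the Keccak team), the following Python implements χ on an n-bit row, the two-share masking of slide 6 and the three-share χ′ of slide 7, and then tests χ′ exhaustively for Keccak's row width n = 5 against the conditions of slides 8 to 10: correctness, and uniformity via the bijectivity criterion of slide 9 (incompleteness holds by construction, since each output share reads only two input shares). Function names and the int-per-row representation are my own choices.

```python
from itertools import product

def bit(v, i, n):
    """Bit i of the n-bit row v, indices taken cyclically (mod n) as in chi."""
    return (v >> (i % n)) & 1

def chi(x, n):
    """Unmasked chi on one n-bit row: x_i <- x_i + (x_{i+1} + 1) x_{i+2} over GF(2)."""
    return sum((bit(x, i, n) ^ ((bit(x, i + 1, n) ^ 1) & bit(x, i + 2, n))) << i
               for i in range(n))

def chi_2share(a, b, n):
    """Two-share masking of chi (slide 6): a_i + b_i = x_i; returns the new (a, b)."""
    def half(u, v):  # u_i + (u_{i+1} + 1) u_{i+2} + u_{i+1} v_{i+2}
        return sum((bit(u, i, n) ^ ((bit(u, i + 1, n) ^ 1) & bit(u, i + 2, n))
                    ^ (bit(u, i + 1, n) & bit(v, i + 2, n))) << i for i in range(n))
    return half(a, b), half(b, a)

def share_term(u, v, n):
    """One output share of chi': u_i + (u_{i+1} + 1) u_{i+2} + u_{i+1} v_{i+2} + u_{i+2} v_{i+1}.
    It reads only two of the three input shares, which is what makes chi' incomplete."""
    return sum((bit(u, i, n) ^ ((bit(u, i + 1, n) ^ 1) & bit(u, i + 2, n))
                ^ (bit(u, i + 1, n) & bit(v, i + 2, n))
                ^ (bit(u, i + 2, n) & bit(v, i + 1, n))) << i for i in range(n))

def chi_3share(a, b, c, n):
    """chi' (slide 7): new a from (b, c), new b from (c, a), new c from (a, b)."""
    return share_term(b, c, n), share_term(c, a, n), share_term(a, b, n)

def analyse_chi_prime(n):
    """Exhaustive check of chi' on n-bit rows against the conditions of slide 8.
    Returns (correct, uniform, collision); collision is a pair of distinct input
    sharings that chi' maps to the same output sharing, or None when uniform."""
    rows = range(1 << n)
    table = [[share_term(u, v, n) for v in rows] for u in rows]  # table[u][v]
    correct = all(chi(a ^ b ^ c, n) == table[b][c] ^ table[c][a] ^ table[a][b]
                  for a, b, c in product(rows, repeat=3))
    seen, collision = {}, None
    for a, b, c in product(rows, repeat=3):
        out = (table[b][c], table[c][a], table[a][b])
        if out in seen and collision is None:
            collision = (seen[out], (a, b, c))
        seen.setdefault(out, (a, b, c))
    # chi is invertible, so (slide 9) chi' is uniform iff it permutes the sharings
    return correct, len(seen) == (1 << n) ** 3, collision
```

Because χ is a permutation, a collision returned by analyse_chi_prime is necessarily two different sharings of the same row, so the output sharings of χ′ cannot be equiprobable for uniformly shared inputs.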