constant time this code uses 256 squarings square and
play

Constant-time This code uses 256 squarings, square-and-multiply - PowerPoint PPT Presentation

Dec 14, 2023 •21 likes •381 views

1 2 Constant-time This code uses 256 squarings, square-and-multiply plus 1 extra multiplication for each bit set in e . D. J. Bernstein Problem when e is secret: time University of Illinois at Chicago; leaks number of bits set in e . Ruhr

  1. 1 2 Constant-time This code uses 256 squarings, square-and-multiply plus 1 extra multiplication for each bit set in e . D. J. Bernstein Problem when e is secret: time University of Illinois at Chicago; leaks number of bits set in e . Ruhr University Bochum def pow256bit(x,e): y = 1 for i in reversed(range(256)): y = y*y if 1&(e>>i): y = y*x return y

  2. 1 2 Constant-time This code uses 256 squarings, square-and-multiply plus 1 extra multiplication for each bit set in e . D. J. Bernstein Problem when e is secret: time University of Illinois at Chicago; leaks number of bits set in e . Ruhr University Bochum “I’ll choose secret 256-bit e with exactly 128 bits set. There are def pow256bit(x,e): enough of these e , and then y = 1 there are no more leaks.” for i in reversed(range(256)): y = y*y if 1&(e>>i): y = y*x return y

  3. 1 2 Constant-time This code uses 256 squarings, square-and-multiply plus 1 extra multiplication for each bit set in e . D. J. Bernstein Problem when e is secret: time University of Illinois at Chicago; leaks number of bits set in e . Ruhr University Bochum “I’ll choose secret 256-bit e with exactly 128 bits set. There are def pow256bit(x,e): enough of these e , and then y = 1 there are no more leaks.” for i in reversed(range(256)): y = y*y — Time still depends on e , if 1&(e>>i): even if each multiplication y = y*x takes time independent of inputs. return y

  4. 1 2 Constant-time This code uses 256 squarings, Hardware re-and-multiply plus 1 extra multiplication is inherently for each bit set in e . Bernstein CPU designers Problem when e is secret: time University of Illinois at Chicago; leaks number of bits set in e . University Bochum “I’ll choose secret 256-bit e with exactly 128 bits set. There are pow256bit(x,e): enough of these e , and then there are no more leaks.” in reversed(range(256)): y*y — Time still depends on e , 1&(e>>i): even if each multiplication = y*x takes time independent of inputs. return y

  5. 1 2 This code uses 256 squarings, Hardware reality: Accessing re-and-multiply plus 1 extra multiplication is inherently expensive for each bit set in e . CPU designers try Problem when e is secret: time Illinois at Chicago; leaks number of bits set in e . Bochum “I’ll choose secret 256-bit e with exactly 128 bits set. There are pow256bit(x,e): enough of these e , and then there are no more leaks.” reversed(range(256)): — Time still depends on e , even if each multiplication takes time independent of inputs.

  6. 1 2 This code uses 256 squarings, Hardware reality: Accessing plus 1 extra multiplication is inherently expensive. for each bit set in e . CPU designers try to reduce Problem when e is secret: time Chicago; leaks number of bits set in e . “I’ll choose secret 256-bit e with exactly 128 bits set. There are enough of these e , and then there are no more leaks.” reversed(range(256)): — Time still depends on e , even if each multiplication takes time independent of inputs.

  7. 2 3 This code uses 256 squarings, Hardware reality: Accessing RAM plus 1 extra multiplication is inherently expensive. for each bit set in e . CPU designers try to reduce cost. Problem when e is secret: time leaks number of bits set in e . “I’ll choose secret 256-bit e with exactly 128 bits set. There are enough of these e , and then there are no more leaks.” — Time still depends on e , even if each multiplication takes time independent of inputs.

  8. 2 3 This code uses 256 squarings, Hardware reality: Accessing RAM plus 1 extra multiplication is inherently expensive. for each bit set in e . CPU designers try to reduce cost. Problem when e is secret: time Example: “L1 cache” typically leaks number of bits set in e . has 32KB of recently used data. “I’ll choose secret 256-bit e with This cache inspects RAM exactly 128 bits set. There are addresses, performs various enough of these e , and then computations on addresses there are no more leaks.” to try to save time. — Time still depends on e , even if each multiplication takes time independent of inputs.

  9. 2 3 This code uses 256 squarings, Hardware reality: Accessing RAM plus 1 extra multiplication is inherently expensive. for each bit set in e . CPU designers try to reduce cost. Problem when e is secret: time Example: “L1 cache” typically leaks number of bits set in e . has 32KB of recently used data. “I’ll choose secret 256-bit e with This cache inspects RAM exactly 128 bits set. There are addresses, performs various enough of these e , and then computations on addresses there are no more leaks.” to try to save time. — Time still depends on e , : : : so time is a function of RAM even if each multiplication addresses. Avoid all data flow takes time independent of inputs. from secrets to RAM addresses.

  10. 2 3 code uses 256 squarings, Hardware reality: Accessing RAM Example: extra multiplication is inherently expensive. from secrets h bit set in e . CPU designers try to reduce cost. Often describ Problem when e is secret: time for softw Example: “L1 cache” typically number of bits set in e . the same has 32KB of recently used data. choose secret 256-bit e with This cache inspects RAM exactly 128 bits set. There are addresses, performs various enough of these e , and then computations on addresses are no more leaks.” to try to save time. Time still depends on e , : : : so time is a function of RAM if each multiplication addresses. Avoid all data flow time independent of inputs. from secrets to RAM addresses.

  11. 2 3 256 squarings, Hardware reality: Accessing RAM Example: Avoid all multiplication is inherently expensive. from secrets to branch in e . CPU designers try to reduce cost. Often described as is secret: time for software, but comes Example: “L1 cache” typically bits set in e . the same hardware has 32KB of recently used data. cret 256-bit e with This cache inspects RAM set. There are addresses, performs various e , and then computations on addresses re leaks.” to try to save time. depends on e , : : : so time is a function of RAM multiplication addresses. Avoid all data flow endent of inputs. from secrets to RAM addresses.

  12. 2 3 rings, Hardware reality: Accessing RAM Example: Avoid all data flow is inherently expensive. from secrets to branch condi CPU designers try to reduce cost. Often described as a separate time for software, but comes from Example: “L1 cache” typically e . the same hardware reality. has 32KB of recently used data. e with This cache inspects RAM There are addresses, performs various then computations on addresses to try to save time. , : : : so time is a function of RAM addresses. Avoid all data flow inputs. from secrets to RAM addresses.

  13. 3 4 Hardware reality: Accessing RAM Example: Avoid all data flow is inherently expensive. from secrets to branch conditions. CPU designers try to reduce cost. Often described as a separate rule for software, but comes from Example: “L1 cache” typically the same hardware reality. has 32KB of recently used data. This cache inspects RAM addresses, performs various computations on addresses to try to save time. : : : so time is a function of RAM addresses. Avoid all data flow from secrets to RAM addresses.

  14. 3 4 Hardware reality: Accessing RAM Example: Avoid all data flow is inherently expensive. from secrets to branch conditions. CPU designers try to reduce cost. Often described as a separate rule for software, but comes from Example: “L1 cache” typically the same hardware reality. has 32KB of recently used data. How CPU runs a program This cache inspects RAM (example of “code = data”): addresses, performs various computations on addresses while True: to try to save time. insn = RAM[state.ip] state = execute(state,insn) : : : so time is a function of RAM addresses. Avoid all data flow ip (“instruction pointer” or from secrets to RAM addresses. “program counter”): address in RAM of next instruction.

  15. 3 4 are reality: Accessing RAM Example: Avoid all data flow Standard inherently expensive. from secrets to branch conditions. to follow Square and designers try to reduce cost. Often described as a separate rule for software, but comes from def pow256bit(x,e): Example: “L1 cache” typically the same hardware reality. y = 1 32KB of recently used data. for i How CPU runs a program cache inspects RAM y = (example of “code = data”): addresses, performs various yx = computations on addresses while True: bit to save time. insn = RAM[state.ip] y = state = execute(state,insn) return time is a function of RAM addresses. Avoid all data flow ip (“instruction pointer” or If bit is secrets to RAM addresses. “program counter”): address an unused in RAM of next instruction.

Recommend

McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for public-key cryptography. D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou

746 views • 73 slides
McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for public-key cryptography. (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work

969 views • 94 slides
CSE 127: I ntroduction to Security Lecture 16: Side Channels and Constant-Time Code Nadia

CSE 127: I ntroduction to Security Lecture 16: Side Channels and Constant-Time Code Nadia

CSE 127: I ntroduction to Security Lecture 16: Side Channels and Constant-Time Code Nadia Heninger and Deian Stefan UCSD Fall 2019 Some material from Dan Boneh, Stefan Savage Reminder: Side-channel attacks You saw before how timing

1.37k views • 81 slides
Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic Execution Supervisors: Author: Lesly-Ann Daniel Sbastien Bardin CEA LIST CEA LIST Tamara Rezk Oct 2018 - Oct 2021 INRIA Sophia Antipolis

777 views • 38 slides
McBits: fast constant-time code-based cryptography Tung Chou Technische Universiteit Eindhoven,

McBits: fast constant-time code-based cryptography Tung Chou Technische Universiteit Eindhoven,

McBits: fast constant-time code-based cryptography Tung Chou Technische Universiteit Eindhoven, The Netherlands October 13, 2015 Joint work with Daniel J. Bernstein and Peter Schwabe Outline Summary of Our Work Background Main

439 views • 32 slides
Constant-time programming in FaCT What is FaCT? Domain specific language for writing

Constant-time programming in FaCT What is FaCT? Domain specific language for writing

Constant-time programming in FaCT What is FaCT? Domain specific language for writing constant-time code Whats the difference between a DSL and a general- purpose language? How do you use FaCT? Write your program in C Write your

420 views • 38 slides
Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic Execution Lesly-Ann Daniel Sbastien Bardin Tamara Rezk CEA LIST, France CEA LIST, France INRIA, France IEEE Symposium on Security and Privacy May

464 views • 25 slides
McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven Peter

823 views • 46 slides
McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven Peter

625 views • 41 slides
McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven Peter

643 views • 52 slides
McBits: fast constant-time code-based cryptography D. J. Bernstein University of Illinois at

McBits: fast constant-time code-based cryptography D. J. Bernstein University of Illinois at

McBits: fast constant-time code-based cryptography D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven Peter Schwabe Radboud University

902 views • 43 slides
+ - Can be constant or time varying +/- indicates polarity Current Source Can be

+ - Can be constant or time varying +/- indicates polarity Current Source Can be

Review of Circuit Analysis Common Symbols Independent Sources Battery Constant voltage DC voltage source Voltage Source + - Can be constant or time varying +/- indicates polarity Current Source Can be constant or time

388 views • 14 slides
1 of 30 Once Upon a Time... Constant diffusion: J = - D u u

1 of 30 Once Upon a Time... Constant diffusion: J = - D u u

1 of 30 Once Upon a Time... Constant diffusion: J = - D u u t = - J = D D u But is this truly realistic??? 2 of 30 Problems With Constant Diffusion Any initial

458 views • 32 slides
QcBits: constant-time small-key code-based cryptography Tung Chou Technische Universiteit

QcBits: constant-time small-key code-based cryptography Tung Chou Technische Universiteit

QcBits: constant-time small-key code-based cryptography Tung Chou Technische Universiteit Eindhoven, The Netherlands Coding theory 2 Coding theory Linear codes 2 Coding theory Linear codes a linear subspace in F N 2 2 Coding theory

1k views • 77 slides
Generating k -independent variables in constant time Tobias Christiani, Rasmus Pagh IT

Generating k -independent variables in constant time Tobias Christiani, Rasmus Pagh IT

Generating k -independent variables in constant time Tobias Christiani, Rasmus Pagh IT University of Copenhagen Generating k -independent variables in constant time 1 Introduction Random seed 11010100 01101101 Generator Pseudorandom output

1k views • 85 slides
1 Dead Code Elimination for SSA Constant Propagation Dead code elimination Goal while a

1 Dead Code Elimination for SSA Constant Propagation Dead code elimination Goal while a

Using Static Single Assignment Form Variable Renaming (cont) Last Time Data Structures Constructing SSA form Stacks[v] v Holds the subscript of most recent definition of variable v, initially empty Counters[v] v Today

224 views • 5 slides
Constant-time programming in FaCT Sunjay Cauligi , UC San Diego Fraser Brown, Ranjit Jhala, Brian

Constant-time programming in FaCT Sunjay Cauligi , UC San Diego Fraser Brown, Ranjit Jhala, Brian

Constant-time programming in FaCT Sunjay Cauligi , UC San Diego Fraser Brown, Ranjit Jhala, Brian Johannesmeyer, John Renner, Gary Soeller, Deian Stefan, Riad Wahby Timing side channels Crypto Constant-time programming with FaCT Strange Loop

1.63k views • 114 slides
Dead Code Elimination & Dead code elimination Constant Propagation Conceptually similar

Dead Code Elimination & Dead code elimination Constant Propagation Conceptually similar

Dead Code Elimination on SSA Form Dead Code Elimination & Dead code elimination Constant Propagation Conceptually similar to mark-sweep garbage collection C t ll i il t k b ll ti > Mark useful operations on SSA Form SSA F

1.29k views • 4 slides
Multiplication by an Integer Constant: Lower Bounds on the Code Length Vincent L EFVRE Loria,

Multiplication by an Integer Constant: Lower Bounds on the Code Length Vincent L EFVRE Loria,

Multiplication by an Integer Constant: Lower Bounds on the Code Length Vincent L EFVRE Loria, INRIA Lorraine RNC5 September 3 5, 2003 Vincent L EFVRE Multiplication by an Integer Constant: Lower Bounds on the Code Length 1.0

339 views • 17 slides
Graph Transformation in Constant Time Mike Dodds miked@cs.york.ac.uk University of York Graph

Graph Transformation in Constant Time Mike Dodds miked@cs.york.ac.uk University of York Graph

Graph Transformation in Constant Time Mike Dodds miked@cs.york.ac.uk University of York Graph Transformation in Constant Time p.1/16 Sales Pitch Graph transformation is hard : polynomial or NP-complete depending on your point of view.

296 views • 28 slides
Computation structures Tutorial 4: : -code for ULg03 ULg02 - constant ROM and XP register

Computation structures Tutorial 4: : -code for ULg03 ULg02 - constant ROM and XP register

Computation structures Tutorial 4: : -code for ULg03 ULg02 - constant ROM and XP register For handling exceptions, ULg02 introduces the XP (R30) register in which is stored the user program address at which the execution must return after

183 views • 15 slides
Optimal Constant-Time Approximation Algorithms and (Unconditional) Inapproximability Results for

Optimal Constant-Time Approximation Algorithms and (Unconditional) Inapproximability Results for

Optimal Constant-Time Approximation Algorithms and (Unconditional) Inapproximability Results for Every Bounded-Degree CSP Yuichi Yoshida Kyoto Univ. & Preferred Infrastructure 2011 5 26 Polynomial-Time Approximation

633 views • 37 slides
DELIVERY l i m u a S h a h S 0 1 0 2 U L k . c a H net-square # who am i

DELIVERY l i m u a S h a h S 0 1 0 2 U L k . c a H net-square # who am i

Hi! Your exploits have arrived. EXPLOIT DELIVERY l i m u a S h a h S 0 1 0 2 U L k . c a H net-square # who am i Saumil Shah, CEO Net-square LinkedIn: saumilshah net-square The Web Has Evolved "The amount of

1.01k views • 37 slides
Constant Propagation on SSA form Advanced Compiler Techniques 2005 Erik Stenman Virtutech

Constant Propagation on SSA form Advanced Compiler Techniques 2005 Erik Stenman Virtutech

Constant Propagation on SSA form Advanced Compiler Techniques 2005 Erik Stenman Virtutech Constant Propagation Safety Proves that name always has known value Constant Propagation Specializes code around that value Moves some

437 views • 19 slides

More recommend