FIDES: Lightweight Authentication Cipher with Side-Channel Resistance for Constrained Hardware

  1. FIDES: Lightweight Authentication Cipher with Side-Channel Resistance for Constrained Hardware. Begül Bilgin, Andrey Bogdanov, Miroslav Knežević, Florian Mendel, and Qingju Wang. DIAC 2013, Chicago

  8. Side Channel Resistance: The Game...
     - Mathematically secure crypto algorithms
       - ✓ AES, RSA, Keccak, OCB, …
     - Weak implementation
       - Dependency between power consumption and intermediate value (depends on the key)

  14. Side Channel Resistance
      - ✗ Change the key frequently
      - ✗ Equalize power consumption
      - ✓ Randomize power consumption
        - Boolean masking
      - [Diagram, two blocks labelled L: inp ⊕ m0 → L → out ⊕ m1; m0 → L → m1]

  16. Side Channel Resistance
      - ✗ Change the key frequently
      - ✗ Equalize power consumption
      - ✓ Randomize power consumption
        - Boolean masking
      - [Diagram, two blocks labelled S: inp ⊕ m0 → S → out ⊕ m1; m0 → S → m1]

  20. Side Channel Resistance
      - ✗ Change the key frequently
      - ✗ Equalize power consumption
      - ✓ Randomize power consumption
        - Boolean masking
        - Multiplicative masking
        - Secret sharing, e.g. Threshold Implementations [Nikova’11]
      - [Diagram, three blocks labelled S: inp ⊕ m0 ⊕ m1 → S → out ⊕ m2 ⊕ m3; m0 → S → m2; m1 → S → m3]

  25. Side Channel Resistance
      - Have the design
      - Need efficient impl.
      - Need secure impl.
      - [Diagram labels: 1st Order, 2nd Order; Multipl. Mask, Boolean Mask, TI; SW, HW]
      - ?? Still efficient ??

  26. Side Channel Resistance
      - Have the design
      - Need efficient impl.
      - Need secure impl.
      - [Diagram labels: 1st Order, 2nd Order; Multipl. Mask, Boolean Mask, TI; SW, HW]
      - Still efficient

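  32. Design - Structure
      - [Figure: mode-of-operation diagram. Labels: K || N, K || 0, a, A1, A2, …, Av, M1, …, Mu, C1, …, Cu, T; two blocks labelled 16R and six labelled 1R]
      - Similar to duplex sponge
      - Rounds are not keyed
      - Online ✓
      - Single pass ✓

      |          | b   | k/n/t | r  |
      |----------|-----|-------|----|
      | FIDES-80 | 160 | 80    | 10 |
      | FIDES-96 | 192 | 96    | 12 |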

  36. Design - Structure, 1R: State → SubBytes → ShiftRows → MixColumns → ConstantAddition

  38. Design - Structure, 1R: State → SubBytes → ShiftRows (row labels 0, 1, 2, 7) → MixColumns → ConstantAddition

  39. Design - Structure, 1R: State → SubBytes → ShiftRows → MixColumns → ConstantAddition
      - Almost MDS, branch number is 4

  42. Design - S-boxes
      - FIDES-80: 5-bit Almost Bent (AB)
        - optimal resistance against differential & linear cryptanalysis
        - degree 2 (two), 3 (one), 4 (one)
      - FIDES-96: 6-bit Almost Perfect Nonlinear (APN)
        - optimal resistance against differential cryptanalysis
        - degree 4
      - ++Low latency++

  49. Design - S-boxes
      - Affine Equivalent to AB permutation with degree 2
      - [Figure: two histograms, "Shared S-box" and "Unshared S-box"; x-axis: # of GE (UMC 180nm); y-axis: # of S-boxes]
      - Similar for APN

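  54. Security Analysis
      - Differential & Linear Cryptanalysis
        - 16 rounds: $2^{-4 \times 48 \times 2} = 2^{-384}$
      - Collision Trails
        - 16 rounds: $2^{-4 \times (48+48)} = 2^{-384}$

      | # rnd. | # Active S-box (any diff.) | # Active S-box (zero diff.) |
      |--------|----------------------------|-----------------------------|
      | 1      | 0                          | -                           |
      | 2      | 4                          | -                           |
      | 3      | 7                          | -                           |
      | 4      | 16                         | -                           |
      | 5      | 22                         | -                           |
      | 6      | 32                         | 52                          |
      | 7      | 42                         | 49                          |
      | 8      | 48                         | 48                          |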
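
Added example (not from the slides or the FIDES authors): the masking diagrams on the Side Channel Resistance slides, worked in Python. It checks that Boolean shares pass independently through a linear map but not through a non-linear one, then verifies a three-share threshold implementation of one AND gate for correctness and non-completeness. `rotl5` and `chi_like` are stand-ins assumed here for L and S; they are not FIDES components.

```python
from collections import Counter
from itertools import product

def rotl5(x, r):
    """GF(2)-linear map on 5-bit words; assumed stand-in for the layer L."""
    return ((x << r) | (x >> (5 - r))) & 0x1F

def chi_like(x):
    """Degree-2 map; assumed stand-in for S (not the FIDES S-box)."""
    return x ^ (rotl5(x, 1) & rotl5(x, 2))

def sharewise_ok(f):
    """True if f applied to each Boolean share recombines to f(x)."""
    return all(f(x ^ m) ^ f(m) == f(x) for x, m in product(range(32), repeat=2))

def share3(v, m0, m1):
    """Three shares as on the TI slide: (v ^ m0 ^ m1, m0, m1)."""
    return (v ^ m0 ^ m1, m0, m1)

def ti_and(xs, ys):
    """3-share TI of z = x & y; output share i never reads input share i."""
    (x1, x2, x3), (y1, y2, y3) = xs, ys
    z1 = (x2 & y2) ^ (x2 & y3) ^ (x3 & y2)
    z2 = (x3 & y3) ^ (x1 & y3) ^ (x3 & y1)
    z3 = (x1 & y1) ^ (x1 & y2) ^ (x2 & y1)
    return z1, z2, z3

def component_views(x, y):
    """Distribution of what each TI component sees and outputs for secret (x, y)."""
    seen = [Counter(), Counter(), Counter()]
    for m0, m1, n0, n1 in product((0, 1), repeat=4):
        xs, ys = share3(x, m0, m1), share3(y, n0, n1)
        zs = ti_and(xs, ys)
        assert zs[0] ^ zs[1] ^ zs[2] == x & y   # shares recombine to x & y
        for i in range(3):                       # component i sees all but share i
            ins = tuple(s for j, s in enumerate(xs + ys) if j % 3 != i)
            seen[i][ins + (zs[i],)] += 1
    return seen

def ti_views_independent_of_secret():
    """True if every component's view is distributed identically for all secrets."""
    ref = component_views(0, 0)
    return all(component_views(x, y) == ref for x, y in product((0, 1), repeat=2))

if __name__ == "__main__":
    print(sharewise_ok(lambda x: rotl5(x, 2)), sharewise_ok(chi_like))
    print(ti_views_independent_of_secret())
```

Uniformity of the output sharing, the third TI property alongside correctness and non-completeness, is not checked here.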
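
Added example (not from the slides or the FIDES authors): what "Almost Bent" on the S-box slides means in numbers, and how a per-S-box probability of `2^-4` multiplies out to the 16-round figure on the Security Analysis slide. The FIDES-80 S-box table is not on this page, so the code assumes the cube map x → x^3 over GF(2^5), a known degree-2 AB permutation, as a stand-in; the count of 48 active S-boxes per 8 rounds is taken from the table above.

```python
import math

def gf32_mul(a, b, poly=0b100101):
    """Multiply in GF(2^5) modulo x^5 + x^2 + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0b100000:
            a ^= poly
    return r

# Assumed stand-in S-box: x -> x^3, a Gold function (degree 2, AB for odd n).
CUBE = [gf32_mul(x, gf32_mul(x, x)) for x in range(32)]

def differential_uniformity(s):
    """Largest DDT entry over non-zero input differences."""
    best = 0
    for a in range(1, len(s)):
        row = [0] * len(s)
        for x in range(len(s)):
            row[s[x] ^ s[x ^ a]] += 1
        best = max(best, max(row))
    return best

def walsh_magnitudes(s):
    """Set of |W(a, b)| over all input masks a and non-zero output masks b."""
    def parity(v):
        return bin(v).count("1") & 1
    return {abs(sum(1 - 2 * parity((a & x) ^ (b & s[x])) for x in range(len(s))))
            for a in range(len(s)) for b in range(1, len(s))}

def is_almost_bent(s):
    """AB: every Walsh coefficient is 0 or +-2^((n+1)/2), n odd."""
    n = len(s).bit_length() - 1
    return n % 2 == 1 and walsh_magnitudes(s) <= {0, 2 ** ((n + 1) // 2)}

def trail_bound_log2(s, active_sboxes):
    """log2 of (max differential probability) ** active_sboxes."""
    return active_sboxes * math.log2(differential_uniformity(s) / len(s))

if __name__ == "__main__":
    print("permutation:", sorted(CUBE) == list(range(32)))
    print("differential uniformity:", differential_uniformity(CUBE))
    print("almost bent:", is_almost_bent(CUBE))
    # 48 active S-boxes per 8 rounds (table above), so 2 * 48 over 16 rounds.
    print("16-round bound: 2^%d" % trail_bound_log2(CUBE, 2 * 48))
```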
