high order masking of look up tables with common shares
play

High Order Masking of Look-up Tables with Common Shares J-S.Coron, - PowerPoint PPT Presentation

Feb 08, 2024 •38 likes •388 views

High Order Masking of Look-up Tables with Common Shares J-S.Coron, F.Rondepierre, R.Zeitoun 12th September 2018 Outline Outline 1 Introduction 1st Order Solution Higher Order Masking of Look-Up Tables 2 Higher Order: Optimizations 12th

  1. High Order Masking of Look-up Tables with Common Shares J-S.Coron, F.Rondepierre, R.Zeitoun 12th September 2018

  2. Outline Outline 1 Introduction 1st Order Solution Higher Order Masking of Look-Up Tables 2 Higher Order: Optimizations 12th September 2018 3 Conclusion 2

  3. Table of Contents Introduction 1 Introduction 1st Order Solution Higher Order Masking of Look-Up Tables 2 Higher Order: Optimizations 12th September 2018 3 Conclusion 3

  4. SCA Countermeasure Introduction Sharing Principle • Given a sensitive data x • Given t random values x 1 , . . . , x t • Let x 0 be such that: t � x = x i i =0 12th September 2018 • ( x 0 , . . . , x t ) is a sharing of x secure at order t 4

  5. SBox Evaluation Introduction The problematic • Given sensitive data x • Given a known table S • How to compute securely : x �→ S ( x ) 12th September 2018 5

  6. SBox Evaluation Introduction The problematic • Given sensitive data x • Given a known table S • How to compute securely for ℓ evaluations: x ( ℓ ) �→ S ( x ( ℓ ) ) 12th September 2018 5

  7. 1st Order Introduction Secure at 1st Order The ℓ -th evaluation of S is: x ( ℓ ) = ( x ( ℓ ) 0 , m ) �→ S ( x ( ℓ ) ) = ( y ( ℓ ) 0 , m ) 12th September 2018 6

  8. 1st Order Introduction Masked SBox Construction   S (0 ⊕ m ) ⊕ m   .   . T = . S ((2 k − 1) ⊕ m ) ⊕ m     Masked SBox Evaluation 12th September 2018 S ( x ) = ( T ( x 0 ) , m ) 7

  9. Higher Order Introduction Secure at Higher Order (Coron EUROCRYPT’14) The ℓ -th evaluation of S is: x ( ℓ ) = ( x ( ℓ ) 0 , x ( ℓ ) 1 , . . . , x ( ℓ ) 2 t ) �→ S ( x ( ℓ ) ) = ( y ( ℓ ) 0 , y ( ℓ ) 1 , . . . , y ( ℓ ) 2 t ) 12th September 2018 8

  10. Higher Order Introduction Example at 3rd Order x = 2 = (0 , 1 , 1 , 2)   S (0) 0 0 0     S (1) 0 0 0   S (2) 0 0 0     S (3) 0 0 0   12th September 2018 9

  11. Higher Order Introduction Example at 3rd Order x = 2 = (0 , 1 , 1 , 2 )   S (2) 0 0 0     S (3) 0 0 0   S (0) 0 0 0     S (1) 0 0 0   12th September 2018 9

  12. Higher Order Introduction Example at 3rd Order x = 2 = (0 , 1 , 1 , 2)   S (2) ⊕ 3 1 2 0     S (3) ⊕ 1 0 0 1   S (0) ⊕ 0 2 3 1     S (1) ⊕ 0 0 0 0   12th September 2018 9

  13. Higher Order Introduction Example at 3rd Order x = 2 = (0 , 1 , 1 , 2)     S (2) ⊕ 3 1 2 0 S (3) ⊕ 1 0 0 1         S (3) ⊕ 1 0 0 1 S (2) ⊕ 3 1 2 0     = ⇒ S (0) ⊕ 0 2 3 1 S (1) ⊕ 0 0 0 0         S (1) ⊕ 0 0 0 0 S (0) ⊕ 0 2 3 1     12th September 2018 9

  14. Higher Order Introduction Example at 3rd Order x = 2 = (0 , 1 , 1 , 2)   S (3) ⊕ 1 1 2 2     S (2) ⊕ 1 0 2 3   S (1) ⊕ 3 2 1 0     S (0) ⊕ 0 1 0 1   12th September 2018 9

  15. Higher Order Introduction Example at 3rd Order x = 2 = (0 , 1 , 1 , 2)   S (2) ⊕ 1 0 2 3     S (3) ⊕ 1 1 2 2   S (0) ⊕ 0 1 0 1     S (1) ⊕ 3 2 1 0   12th September 2018 9

  16. Higher Order Introduction Example at 3rd Order x = 2 = (0 , 1 , 1 , 2)   S (2) ⊕ 2 2 2 2     S (3) ⊕ 1 1 2 2   S (0) ⊕ 1 1 1 1     S (1) ⊕ 3 3 3 3   12th September 2018 9

  17. Higher Order Introduction Example at 3rd Order x = 2 = ( 0 , 1 , 1 , 2) S (2) ⊕ 2 2 2 2 12th September 2018 9

  18. Higher Order Introduction Example at 3rd Order x = 2 = (0 , 1 , 1 , 2) S (2) ⊕ 0 1 2 3 12th September 2018 9

  19. Higher Order Introduction Masked SBox Construction (Coron EUROCRYPT’14)  sharing of S (0)    . T (0) =   . . sharing of S (2 k − 1)     12th September 2018 10

  20. Higher Order Introduction Masked SBox Construction (Coron EUROCRYPT’14) new sharing of T (0) (0 ⊕ x 2t )     T (1) = .   . .  new sharing of T (0) ((2 k − 1) ⊕ x 2t )    12th September 2018 10

  21. Higher Order Introduction Masked SBox Construction (Coron EUROCRYPT’14) new sharing of T (1) (0 ⊕ x 2t − 1 )     T (2) = .   . .  new sharing of T (1) ((2 k − 1) ⊕ x 2t − 1 )    12th September 2018 10

  22. Higher Order Introduction Masked SBox Construction (Coron EUROCRYPT’14) new sharing of T (2 t − 1) (0 ⊕ x 1 )     T (2 t ) = .   . .  new sharing of T (2 t − 1) ((2 k − 1) ⊕ x 1 )    12th September 2018 10

  23. Higher Order Introduction Masked SBox Construction (Coron EUROCRYPT’14) new sharing of T (2 t − 1) (0 ⊕ x 1 )     T (2 t ) = .   . .  new sharing of T (2 t − 1) ((2 k − 1) ⊕ x 1 )    Masked SBox Evaluation 12th September 2018 S ( x ) = new sharing of T ( t ) ( x 0 ) 10

  24. Table of Contents Higher Order: Optimizations 1 Introduction 1st Order Solution Higher Order Masking of Look-Up Tables 2 Higher Order: Optimizations 12th September 2018 3 Conclusion 11

  25. Contributions Higher Order: Optimizations Our Contributions • Security proof at order t with n = t + 1 shares instead of n = 2 t + 1 shares (t-sni formalism) • Saves a factor 4 (running time) • A variant with increasing number of output shares • Saves a factor 2 (running time) • Adapt the common shares technique for multiple SBox evaluations • Saves a factor 2 (running time) 12th September 2018 12

  26. Common Shares Higher Order: Optimizations Common Shares (CGPZ CHES16) Two values a and b may be securely shared such that at most half of the shares are common: ( a 0 , . . . , a t 2 , m 0 , . . . m t − 1 2 ) ( b 0 , . . . , b t 2 , m 0 , . . . m t − 1 2 ) 12th September 2018 13

  27. Look-Up Tables with Common Shares Higher Order: Optimizations Secure at Higher Order The ℓ -th evaluation of S is: ( x ( ℓ ) 0 , x ( ℓ ) 1 , . . . , x ( ℓ ) 2 ) �→ S ( x ( ℓ ) ) = ( y ( ℓ ) 0 , y ( ℓ ) 1 , . . . , y ( ℓ ) ) 2 , m 0 , . . . , m t − 1 t t 12th September 2018 14

  28. Look-Up Tables with Common Shares Masked SBox Construction (Common Table) Higher Order: Optimizations  sharing of S (0)    . T (0) =   . . sharing of S (2 k − 1)     12th September 2018 15

  29. Look-Up Tables with Common Shares Masked SBox Construction (Common Table) Higher Order: Optimizations new sharing of T (0) (0 ⊕ m 0 )     T (1) = .   . .  new sharing of T (0) ((2 k − 1) ⊕ m 0 )    12th September 2018 15

  30. Look-Up Tables with Common Shares Masked SBox Construction (Common Table) Higher Order: Optimizations new sharing of T (1) (0 ⊕ m 1 )     T (2) = .   . .  new sharing of T (1) ((2 k − 1) ⊕ m 1 )    12th September 2018 15

  31. Look-Up Tables with Common Shares Masked SBox Construction (Common Table) Higher Order: Optimizations new sharing of T ( t − 1  2 ) (0 ⊕ m t − 1  2 )     2 ) =  .  T ( t +1 . .  new sharing of T ( t − 1  2 ) ((2 k − 1) ⊕ m t − 1   2 )   12th September 2018 15

  32. Look-Up Tables with Common Shares Masked SBox Construction (Common Table) Higher Order: Optimizations new sharing of T ( t − 1  2 ) (0 ⊕ m t − 1  2 )     2 ) =  .  T ( t +1 . .  new sharing of T ( t − 1  2 ) ((2 k − 1) ⊕ m t − 1   2 )   Masked SBox Evaluation 2 ) , . . . T ( t ) using shares x 1 , . . . , x t 1 Compute tables T ( t +3 12th September 2018 2 2 Evaluate using table T ( t ) : S ( x ) = new sharing of T ( t ) ( x 0 ) 15

  33. Performances AES Higher Order: Optimizations SBox Implementation 2 3 6 [RP10] 119 185 485 [Cor14] 2104 4413 17136 All optimizations 463 771 2767 Table: Software AES implementation, in thousand of clock cycles DES 12th September 2018 SBox Implementation 2 3 6 [CGP+12]+[CRV14] 219 290 602 [Cor14] 491 907 3075 All optimizations 203 308 764 Table: Software DES implementation, in thousand of clock cycles 16

  34. Table of Contents Conclusion 1 Introduction 1st Order Solution Higher Order Masking of Look-Up Tables 2 Higher Order: Optimizations 12th September 2018 3 Conclusion 17

  35. Conclusion Conclusion Conclusion • Generalization of SBox recomputation, proven secure at any order • Reduce the running time of common table by a factor of 2 • Reduce the running time by a factor of 8 (from Coron’14) • Remaining task: build a proof to generalize common shares in outputs ( x ( ℓ ) 0 , x ( ℓ ) 1 , . . . , x ( ℓ ) 2 ) �→ S ( x ( ℓ ) ) = ( y ( ℓ ) 0 , y ( ℓ ) 1 , . . . , y ( ℓ ) 2 ) 2 , m 0 , . . . , m t − 1 2 , m 0 , . . . , m t − 1 t t 12th September 2018 • Correct solution for generic small SBox (e.g. DES) 18

Recommend

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and Franois-Xavier Standaert UCL (Louvain-la-Neuve, Belgium) CHES 2017, Taipei, Taiwan Outline Background Masking Barthe et al. masking

614 views • 48 slides
On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun Goudarzi and Matthieu Rivain CHES 2016, Santa-Barbara Higher-Order Masking x = x 1 + x 2 + + x d 2/28 Higher-Order Masking x = x 1 + x 2 +

855 views • 42 slides
Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1 ebastien Coron 2

Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1 ebastien Coron 2

Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1 ebastien Coron 2 Rina Zeitoun 1 Jean-S 1 IDEMIA, France 2 University of Luxembourg CHES 2018 Side-channel Attacks Differential Power Analysis [KJJ99] Group by

620 views • 47 slides
Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan)

Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan)

Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan) 2017-09-29 1 quick intro to masking masking = countermeasure against DPA idea: secret sharing b = b 1 + b 2 individual shares tell you nothing

752 views • 45 slides
Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Introduction RSM: Rotating Sboxes Masking Information Theoretic Evaluation of RSM Security Evaluation of RSM against CPA and 2O-CPA Conclusions and Perspectives Formal Analysis of the Entropy / Security Trade-off in First-Order Masking

539 views • 38 slides
Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

8 + Introduction Higher Order Masking Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved Scheme Experimental Results J.-S. Coron 1 E. Prouff 2 M. Rivain 1 , 2 Conclusion 1 University of

555 views • 43 slides
Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts

Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts

Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts Oberthur CHES 2010, Santa Barbara, Aug. 20 th CHES 2010 Provably Secure Higher-Order Masking of AES Outline 1 Introduction Higher-Order

1.1k views • 77 slides
Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint work with C. Carlet, L. Goubin,

Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint work with C. Carlet, L. Goubin,

Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint work with C. Carlet, L. Goubin, E. Prouff and M. Quisquater FSE 2012 Washington DC, 21st March 2012 Higher-Order Masking Schemes for S-boxes Outline 1 Introduction 2

1.33k views • 98 slides
February 2017 Corporate Summary Capital Structure TSX Venture HME Common Shares Outstanding

February 2017 Corporate Summary Capital Structure TSX Venture HME Common Shares Outstanding

February 2017 Corporate Summary Capital Structure TSX Venture HME Common Shares Outstanding 85.7 MM Share Price (Feb 10, 2017) $0.30 Fully Diluted Shares Outstanding 90.1 MM 52 Week High / Low $0.305 / $0.07 Insider Ownership (fully

209 views • 20 slides
How to mask S-Boxes of a block cipher against side channel attacks. Focus on the AES. Micha el

How to mask S-Boxes of a block cipher against side channel attacks. Focus on the AES. Micha el

Introduction Masking based on Look-up tables How to mask (additively) basic operations? Method based on multiplicative masking Method based on Square and Multiply and addition chains Method based on the tower field representation

824 views • 54 slides
May 2016 Corporate Summary Capital Structure TSX Venture HME Common Shares Outstanding 75.9

May 2016 Corporate Summary Capital Structure TSX Venture HME Common Shares Outstanding 75.9

May 2016 Corporate Summary Capital Structure TSX Venture HME Common Shares Outstanding 75.9 MM Fully Diluted Shares Outstanding 80.9 MM Share Price (May 13, 2016) $0.18 Insider Ownership (fully diluted) 12% 52 Week High / Low $0.33 /

632 views • 23 slides
Masking TablesAn Underestimated Security Risk Michael Tunstall Carolyn Whitnall Elisabeth

Masking TablesAn Underestimated Security Risk Michael Tunstall Carolyn Whitnall Elisabeth

Masking TablesAn Underestimated Security Risk Michael Tunstall Carolyn Whitnall Elisabeth Oswald March, 2013 Michael Tunstall (University of Bristol) Masking Tables March, 2013 1 / 21 Introduction Differential Power Analysis exploits

249 views • 21 slides
Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software

Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software

The signature The countermeasure and its proof Performances Future work Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software Institute) Sonia Belad (CryptoExperts) Thomas Espitau (UPMC) Pierre-Alain

1.04k views • 51 slides
How Fast Can Higher-Order Masking Be in Software? Dahmun Goudarzi and Matthieu Rivain EUROCRYPT

How Fast Can Higher-Order Masking Be in Software? Dahmun Goudarzi and Matthieu Rivain EUROCRYPT

How Fast Can Higher-Order Masking Be in Software? Dahmun Goudarzi and Matthieu Rivain EUROCRYPT 2017, Paris 1 Introduction 2 Field Multiplications 3 Non-Linear Operations 4 Generic Polynomial Methods 5 Polynomial Methods for

873 views • 51 slides
by any person(s) Prima facie evidence A certificate issued of the title of the under common

by any person(s) Prima facie evidence A certificate issued of the title of the under common

Specifies shares held by any person(s) Prima facie evidence A certificate issued of the title of the under common seal person(s) to such of the Company shares Where the shares are held in depository form, the record of What is share

526 views • 8 slides
Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on

Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on

Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on the spatial attribute type. Proposal part 2 Details of the masking attribute addition. Table 3-13 - S100_GF_SpatialAttributeType Role Name

558 views • 8 slides
Ch 7+8: Tables, Spatial Data Arrange not much about the ones in the middle Express

Ch 7+8: Tables, Spatial Data Arrange not much about the ones in the middle Express

News VAD Ch 7: Arrange Tables Arrange tables clarification on artery vis Encode Axis Orientation Express Values Rectilinear Parallel Radial diverging colormap since doctors care about high and low values Ch 7+8: Tables, Spatial

77 views • 3 slides
Investor Presentation Private placement of up to 190,454,000 new common shares 22 May 2019

Investor Presentation Private placement of up to 190,454,000 new common shares 22 May 2019

Investor Presentation Private placement of up to 190,454,000 new common shares 22 May 2019 Important information This Presentation has been prepared by Hunter Group ASA (the Company or HUNT ) and is made on 22 May 2019, solely for

649 views • 12 slides
Low Randomness Masking and Shulfifgn: An Evaluation Using Mutual Information Kostas

Low Randomness Masking and Shulfifgn: An Evaluation Using Mutual Information Kostas

Low Randomness Masking and Shulfifgn: An Evaluation Using Mutual Information Kostas Papagiannopoulos kostaspap88@gmail.com kpcrypto.net Radboud University Nijmegen Digital Security Department The Netherlands 1 Overview Masking,

785 views • 46 slides
TIMES TABLES HOW WE TEACH TIMES TABLES AND HOW YOU CAN HELP WHY ARE TIMES TABLES IMPORTANT?

TIMES TABLES HOW WE TEACH TIMES TABLES AND HOW YOU CAN HELP WHY ARE TIMES TABLES IMPORTANT?

TIMES TABLES HOW WE TEACH TIMES TABLES AND HOW YOU CAN HELP WHY ARE TIMES TABLES IMPORTANT? New from 2019: all children in year 4 will sit an online times table test. Times Tables knowledge and recall underpin so many different areas of

526 views • 25 slides
Disclosures Masking and Breast Density Volpare Health Solutions (Wellington, New Zealand) Can we

Disclosures Masking and Breast Density Volpare Health Solutions (Wellington, New Zealand) Can we

6/8/2017 Disclosures Masking and Breast Density Volpare Health Solutions (Wellington, New Zealand) Can we Quantify Masking Risk? co-founder and shareholder Qview Medical (Los Altos, CA) Nico Karssemeijer consultant, co-founder and

883 views • 18 slides
Spectral and High-Order Methods Spectral and High-Order Methods for Shock-Induced Mixing for

Spectral and High-Order Methods Spectral and High-Order Methods for Shock-Induced Mixing for

Spectral and High-Order Methods Spectral and High-Order Methods for Shock-Induced Mixing for Shock-Induced Mixing Andrew W. Cook William Cabot Jeffrey A. Greenough Stephen V. Weber This work was performed under the auspices of the U.S.

338 views • 23 slides
Towards Industrial Adoption of High-Order Methods Towards Industrial Adoption of High-Order

Towards Industrial Adoption of High-Order Methods Towards Industrial Adoption of High-Order

Towards Industrial Adoption of High-Order Methods Towards Industrial Adoption of High-Order Methods PyFR Symposium 19 th June 2020 Mark Allan 19 th June 2020 Presenter Mark Allan [ Product Lead ] Towards Industrial Adoption of High-Order

553 views • 32 slides
Understanding the Masking-Shadowing Function INRIA ; CNRS ; Univ. Grenoble Alpes in

Understanding the Masking-Shadowing Function INRIA ; CNRS ; Univ. Grenoble Alpes in

Understanding the Masking-Shadowing Function in Understanding the Masking-Shadowing Function in Microfacet-Based BRDFs 2014-09-01 Microfacet-Based BRDFs Eric Heitz Understanding the Masking-Shadowing Function INRIA ; CNRS ; Univ. Grenoble

808 views • 77 slides

More recommend