higher order masking schemes for s boxes
play

Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint - PowerPoint PPT Presentation

Nov 16, 2023 •346 likes •1.33k views

Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint work with C. Carlet, L. Goubin, E. Prouff and M. Quisquater FSE 2012 Washington DC, 21st March 2012 Higher-Order Masking Schemes for S-boxes Outline 1 Introduction 2

  1. Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint work with C. Carlet, L. Goubin, E. Prouff and M. Quisquater FSE 2012 Washington DC, 21st March 2012 Higher-Order Masking Schemes for S-boxes

  2. Outline 1 � Introduction 2 � Higher-Order Masking of any S-box � General Method � Optimal Masking of Power Functions � Efficient Heuristics for Random S-Boxes 3 � Implementation Results 4 � Open Issues Higher-Order Masking Schemes for S-boxes

  3. Higher-Order Masking � Countermeasure to side-channel attacks Higher-Order Masking Schemes for S-boxes

  4. Higher-Order Masking � Countermeasure to side-channel attacks � Every key-dependent variable x is shared into d + 1 variables: x = x 0 + x 1 + · · · + x d Higher-Order Masking Schemes for S-boxes

  5. Higher-Order Masking � Countermeasure to side-channel attacks � Every key-dependent variable x is shared into d + 1 variables: x = x 0 + x 1 + · · · + x d � In this work, + is the bitwise addition Higher-Order Masking Schemes for S-boxes

  6. Higher-Order Masking � Countermeasure to side-channel attacks � Every key-dependent variable x is shared into d + 1 variables: x = x 0 + x 1 + · · · + x d � In this work, + is the bitwise addition � Attack complexity increases exponentially with d Higher-Order Masking Schemes for S-boxes

  7. Higher-Order Masking Schemes � Consider a block cipher: c ← E( m, k ) Higher-Order Masking Schemes for S-boxes

  8. Higher-Order Masking Schemes � Consider a block cipher: c ← E( m, k ) � A d th-order masking scheme for E is an algorithm: ( c 0 , c 1 , . . . , c d ) ← E ′ � � ( m 0 , m 1 , . . . , m d ) , ( k 0 , k 1 , . . . , k d ) Higher-Order Masking Schemes for S-boxes

  9. Higher-Order Masking Schemes � Consider a block cipher: c ← E( m, k ) � A d th-order masking scheme for E is an algorithm: ( c 0 , c 1 , . . . , c d ) ← E ′ � � ( m 0 , m 1 , . . . , m d ) , ( k 0 , k 1 , . . . , k d ) � d th-order security : ∀ ( iv 1 , iv 2 , . . . , iv d ) ∈ { intermediate var. of E ′ } d : � � MI ( iv 1 , iv 2 , . . . , iv d ) , ( m, k ) = 0 Higher-Order Masking Schemes for S-boxes

  10. Higher-Order Masking Schemes � Consider a block cipher: c ← E( m, k ) � A d th-order masking scheme for E is an algorithm: ( c 0 , c 1 , . . . , c d ) ← E ′ � � ( m 0 , m 1 , . . . , m d ) , ( k 0 , k 1 , . . . , k d ) � d th-order security : ∀ ( iv 1 , iv 2 , . . . , iv d ) ∈ { intermediate var. of E ′ } d : � � MI ( iv 1 , iv 2 , . . . , iv d ) , ( m, k ) = 0 � The main issue is masking the S-box Higher-Order Masking Schemes for S-boxes

  11. Literature � Software masking schemes: d = 1 d = 2 any d AES Many works x [RP10,KHL11,GPQ11] any s-box Many works [SP06,RDP08] This work [SP06] = [Schramm-Paar CT-RSA’06] [RPD08] = [Rivain-Dottax-Prouff FSE’08] [RP10] = [Rivain-Prouff CHES’10] [KHL11] = [Kim-Hong-Lim CHES’11] [GPQ11] = [Genelle-Prouff-Quisquater CHES’11] Higher-Order Masking Schemes for S-boxes

  12. Literature � Software masking schemes: d = 1 d = 2 any d AES Many works x [RP10,KHL11,GPQ11] any s-box Many works [SP06,RDP08] This work [SP06] = [Schramm-Paar CT-RSA’06] [RPD08] = [Rivain-Dottax-Prouff FSE’08] [RP10] = [Rivain-Prouff CHES’10] [KHL11] = [Kim-Hong-Lim CHES’11] [GPQ11] = [Genelle-Prouff-Quisquater CHES’11] � Hardware masking schemes: ◮ d = 1 ⇒ many works Higher-Order Masking Schemes for S-boxes

  13. Literature � Software masking schemes: d = 1 d = 2 any d AES Many works x [RP10,KHL11,GPQ11] any s-box Many works [SP06,RDP08] This work [SP06] = [Schramm-Paar CT-RSA’06] [RPD08] = [Rivain-Dottax-Prouff FSE’08] [RP10] = [Rivain-Prouff CHES’10] [KHL11] = [Kim-Hong-Lim CHES’11] [GPQ11] = [Genelle-Prouff-Quisquater CHES’11] � Hardware masking schemes: ◮ d = 1 ⇒ many works ◮ [Ishai-Sahai-Wagner CRYPTO’03] � any circuit, any order d Higher-Order Masking Schemes for S-boxes

  14. Literature � Software masking schemes: d = 1 d = 2 any d AES Many works x [RP10,KHL11,GPQ11] any s-box Many works [SP06,RDP08] This work [SP06] = [Schramm-Paar CT-RSA’06] [RPD08] = [Rivain-Dottax-Prouff FSE’08] [RP10] = [Rivain-Prouff CHES’10] [KHL11] = [Kim-Hong-Lim CHES’11] [GPQ11] = [Genelle-Prouff-Quisquater CHES’11] � Hardware masking schemes: ◮ d = 1 ⇒ many works ◮ [Ishai-Sahai-Wagner CRYPTO’03] � any circuit, any order d ◮ [Faust et al. EUROCRYPT’10] � generalization to further security models Higher-Order Masking Schemes for S-boxes

  15. Ishai-Sahai-Wagner (ISW) Scheme � Probing model: intermediate variable = wire � Any circuits composed of NOT and AND gates Higher-Order Masking Schemes for S-boxes

  16. Ishai-Sahai-Wagner (ISW) Scheme � Probing model: intermediate variable = wire � Any circuits composed of NOT and AND gates � NOT gate encoding: NOT( x ) = NOT( x 0 ) ⊕ x 1 · · · ⊕ x d Higher-Order Masking Schemes for S-boxes

  17. Ishai-Sahai-Wagner (ISW) Scheme � Probing model: intermediate variable = wire � Any circuits composed of NOT and AND gates � NOT gate encoding: NOT( x ) = NOT( x 0 ) ⊕ x 1 · · · ⊕ x d � AND gate encoding: �� ��� � AND( x, y ) = xy = i x i j y j � � = i,j x i y j = i z i Higher-Order Masking Schemes for S-boxes

  18. Ishai-Sahai-Wagner (ISW) Scheme � Probing model: intermediate variable = wire � Any circuits composed of NOT and AND gates � NOT gate encoding: NOT( x ) = NOT( x 0 ) ⊕ x 1 · · · ⊕ x d � AND gate encoding: �� ��� � AND( x, y ) = xy = i x i j y j � � = i,j x i y j = i z i ◮ ( d + 1) 2 ANDs + 2 d ( d + 1) XORs + d ( d + 1) / 2 random bits Higher-Order Masking Schemes for S-boxes

  19. Application to AES in Software � [Rivain-Prouff CHES 2010] Higher-Order Masking Schemes for S-boxes

  20. Application to AES in Software � [Rivain-Prouff CHES 2010] � AES S-box: S = Exp ◦ Af ◮ Af: affine transformation over GF(2) 8 ◮ Exp : x �→ x 254 over GF(2 8 ) Higher-Order Masking Schemes for S-boxes

  21. Application to AES in Software � [Rivain-Prouff CHES 2010] � AES S-box: S = Exp ◦ Af ◮ Af: affine transformation over GF(2) 8 ◮ Exp : x �→ x 254 over GF(2 8 ) � Masking Af is efficient: Af ( x ) = Af ( x 0 ) + Af ( x 1 ) + · · · + Af ( x d ) (+ 0x63 iff d is odd ) Higher-Order Masking Schemes for S-boxes

  22. Application to AES in Software � [Rivain-Prouff CHES 2010] � AES S-box: S = Exp ◦ Af ◮ Af: affine transformation over GF(2) 8 ◮ Exp : x �→ x 254 over GF(2 8 ) � Masking Af is efficient: Af ( x ) = Af ( x 0 ) + Af ( x 1 ) + · · · + Af ( x d ) (+ 0x63 iff d is odd ) � Masking Exp ◮ masked square: x 2 0 + x 2 1 + · · · + x 2 d = x 2 Higher-Order Masking Schemes for S-boxes

  23. Application to AES in Software � [Rivain-Prouff CHES 2010] � AES S-box: S = Exp ◦ Af ◮ Af: affine transformation over GF(2) 8 ◮ Exp : x �→ x 254 over GF(2 8 ) � Masking Af is efficient: Af ( x ) = Af ( x 0 ) + Af ( x 1 ) + · · · + Af ( x d ) (+ 0x63 iff d is odd ) � Masking Exp ◮ masked square: x 2 0 + x 2 1 + · · · + x 2 d = x 2 ◮ masked multiplications : ISW on GF(2 8 ) Higher-Order Masking Schemes for S-boxes

  24. Application to AES in Software � [Rivain-Prouff CHES 2010] � AES S-box: S = Exp ◦ Af ◮ Af: affine transformation over GF(2) 8 ◮ Exp : x �→ x 254 over GF(2 8 ) � Masking Af is efficient: Af ( x ) = Af ( x 0 ) + Af ( x 1 ) + · · · + Af ( x d ) (+ 0x63 iff d is odd ) � Masking Exp ◮ masked square: x 2 0 + x 2 1 + · · · + x 2 d = x 2 ◮ masked multiplications : ISW on GF(2 8 ) ◮ addition chain for 254 with only 4 multiplications (and 7 squares) Higher-Order Masking Schemes for S-boxes

  25. Outline 1 � Introduction 2 � Higher-Order Masking of any S-box � General Method � Optimal Masking of Power Functions � Efficient Heuristics for Random S-Boxes 3 � Implementation Results 4 � Open Issues Higher-Order Masking Schemes for S-boxes

  26. General Method � Generalization of Rivain-Prouff scheme Higher-Order Masking Schemes for S-boxes

  27. General Method � Generalization of Rivain-Prouff scheme � We consider an s-box S : { 0 , 1 } n → { 0 , 1 } m as a polynomial function over GF(2 n ) : S( x ) = a 0 + a 1 x + a 2 x 2 + · · · + a 2 n − 1 x 2 n − 1 Higher-Order Masking Schemes for S-boxes

  28. General Method � Generalization of Rivain-Prouff scheme � We consider an s-box S : { 0 , 1 } n → { 0 , 1 } m as a polynomial function over GF(2 n ) : S( x ) = a 0 + a 1 x + a 2 x 2 + · · · + a 2 n − 1 x 2 n − 1 � We evaluate this polynomial on the shared input ( x i ) i Higher-Order Masking Schemes for S-boxes

  29. General Method � Four kinds of operations over GF(2 n ) : 1 . additions 2 . scalar multiplications ( i.e. by constants) 3 . squares 4 . regular multiplications Higher-Order Masking Schemes for S-boxes

  30. General Method � Four kinds of operations over GF(2 n ) : 1 . additions 2 . scalar multiplications ( i.e. by constants) 3 . squares 4 . regular multiplications � Masking is efficient for the 3 first kinds Higher-Order Masking Schemes for S-boxes

  31. General Method � Four kinds of operations over GF(2 n ) : 1 . additions 2 . scalar multiplications ( i.e. by constants) 3 . squares 4 . regular multiplications � Masking is efficient for the 3 first kinds ◮ ( x + y ) = ( x 0 + y 0 ) + ( x 1 + y 1 ) + · · · + ( x d + y d ) Higher-Order Masking Schemes for S-boxes

Recommend

Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

8 + Introduction Higher Order Masking Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved Scheme Experimental Results J.-S. Coron 1 E. Prouff 2 M. Rivain 1 , 2 Conclusion 1 University of

555 views • 43 slides
On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun Goudarzi and Matthieu Rivain CHES 2016, Santa-Barbara Higher-Order Masking x = x 1 + x 2 + + x d 2/28 Higher-Order Masking x = x 1 + x 2 +

855 views • 42 slides
Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts

Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts

Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts Oberthur CHES 2010, Santa Barbara, Aug. 20 th CHES 2010 Provably Secure Higher-Order Masking of AES Outline 1 Introduction Higher-Order

1.1k views • 77 slides
High Order Masking of Look-up Tables with Common Shares J-S.Coron, F.Rondepierre, R.Zeitoun 12th

High Order Masking of Look-up Tables with Common Shares J-S.Coron, F.Rondepierre, R.Zeitoun 12th

High Order Masking of Look-up Tables with Common Shares J-S.Coron, F.Rondepierre, R.Zeitoun 12th September 2018 Outline Outline 1 Introduction 1st Order Solution Higher Order Masking of Look-Up Tables 2 Higher Order: Optimizations 12th

388 views • 35 slides
Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan)

Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan)

Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan) 2017-09-29 1 quick intro to masking masking = countermeasure against DPA idea: secret sharing b = b 1 + b 2 individual shares tell you nothing

752 views • 45 slides
How Fast Can Higher-Order Masking Be in Software? Dahmun Goudarzi and Matthieu Rivain EUROCRYPT

How Fast Can Higher-Order Masking Be in Software? Dahmun Goudarzi and Matthieu Rivain EUROCRYPT

How Fast Can Higher-Order Masking Be in Software? Dahmun Goudarzi and Matthieu Rivain EUROCRYPT 2017, Paris 1 Introduction 2 Field Multiplications 3 Non-Linear Operations 4 Generic Polynomial Methods 5 Polynomial Methods for

873 views • 51 slides
Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and Franois-Xavier Standaert UCL (Louvain-la-Neuve, Belgium) CHES 2017, Taipei, Taiwan Outline Background Masking Barthe et al. masking

614 views • 48 slides
York University www.cs.york.ac.uk/~ndm First order vs Higher order Higher order:

York University www.cs.york.ac.uk/~ndm First order vs Higher order Higher order:

First Order Haskell Neil Mitchell York University www.cs.york.ac.uk/~ndm First order vs Higher order Higher order: functions are values Can be passed around Stored in data structure Harder for reasoning and analysis More

483 views • 15 slides
Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Introduction RSM: Rotating Sboxes Masking Information Theoretic Evaluation of RSM Security Evaluation of RSM against CPA and 2O-CPA Conclusions and Perspectives Formal Analysis of the Entropy / Security Trade-off in First-Order Masking

539 views • 38 slides
Static Power SCA of Sub-100 nm CMOS ASICs and the Insecurity of Masking Schemes in Low-Noise

Static Power SCA of Sub-100 nm CMOS ASICs and the Insecurity of Masking Schemes in Low-Noise

RUHR-UNIVERSITT BOCHUM Static Power SCA of Sub-100 nm CMOS ASICs and the Insecurity of Masking Schemes in Low-Noise Environments Thorben Moos Ruhr University Bochum, Horst Grtz Institute for IT Security, Germany August 28th, 2019 Section 1

735 views • 56 slides
Higher-Order Model Checking and Program Verification Naoki Kobayashi University of Tokyo

Higher-Order Model Checking and Program Verification Naoki Kobayashi University of Tokyo

Higher-Order Model Checking and Program Verification Naoki Kobayashi University of Tokyo Whats This Talk About? Introduction to higher-order model checking (model checking of higher- order recursion schemes) and its applications to

641 views • 40 slides
How to mask S-Boxes of a block cipher against side channel attacks. Focus on the AES. Micha el

How to mask S-Boxes of a block cipher against side channel attacks. Focus on the AES. Micha el

Introduction Masking based on Look-up tables How to mask (additively) basic operations? Method based on multiplicative masking Method based on Square and Multiply and addition chains Method based on the tower field representation

824 views • 54 slides
Why higher-order logic? Higher-Order logic Expressive Mathematics Verification

Why higher-order logic? Higher-Order logic Expressive Mathematics Verification

Extending SMT solvers to higher-order logic Haniel Barbosa Andrew Reynolds Daniel El Ouraoui Clark Barrett Cesare Tinelli SMT 2019 20190707, Lisbon, PT To be published in the proceedings of CADE 2019 Why higher-order logic?

569 views • 25 slides
Higher-Order Model Checking: Principles and Applications to Program Verification and Security

Higher-Order Model Checking: Principles and Applications to Program Verification and Security

Higher-Order Model Checking: Principles and Applications to Program Verification and Security Part I: Types and Recursion Schemes for Higher-Order Program Verification Part II: Higher-Order Program Verification and Language-Based Security

836 views • 54 slides
Image Masking Schemes for Local Manifold Learning Methods Marco F. Duarte Joint work with

Image Masking Schemes for Local Manifold Learning Methods Marco F. Duarte Joint work with

Image Masking Schemes for Local Manifold Learning Methods Marco F. Duarte Joint work with Hamid Dadkhahi IEEE ICASSP - April 23 2015 Manifold Learning Given training points in , learn the mapping to the underlying K -dimensional

404 views • 22 slides
Higher order complexity Hugo Fre Mathieu Hoyrup CCA 2013 Hugo Fre Higher order

Higher order complexity Hugo Fre Mathieu Hoyrup CCA 2013 Hugo Fre Higher order

Background & motivation Higher order strategies Higher order Turing machines Computable analysis Conclusion Higher order complexity Hugo Fre Mathieu Hoyrup CCA 2013 Hugo Fre Higher order complexity 1/12 Background &

383 views • 15 slides
Higher-order Interpretations for Higher-order Complexity Emmanuel Hainry & Romain Pchoux

Higher-order Interpretations for Higher-order Complexity Emmanuel Hainry & Romain Pchoux

Higher-order Interpretations for Higher-order Complexity Emmanuel Hainry & Romain Pchoux DICE-FOPARA, 22-23 april 2017 CNRS, INRIA, Universit de Lorraine & LORIA, Nancy, France 1 Introduction First-order computability and

801 views • 46 slides
Generalized Polynomial Decomposition for S-boxes with Application to Side-Channel Countermeasures

Generalized Polynomial Decomposition for S-boxes with Application to Side-Channel Countermeasures

Generalized Polynomial Decomposition for S-boxes with Application to Side-Channel Countermeasures Dahmun Goudarzi, Matthieu Rivain, Srinivas Vivek, and Damien Vergnaud Background 2 Secure Software S-box Implementations Higher-Order

636 views • 25 slides
Higher-order Interpretations for Higher-order Complexity Emmanuel Hainry & Romain Pchoux

Higher-order Interpretations for Higher-order Complexity Emmanuel Hainry & Romain Pchoux

Higher-order Interpretations for Higher-order Complexity Emmanuel Hainry & Romain Pchoux LPAR, 11 may 2017 CNRS, INRIA, Universit de Lorraine & LORIA, Nancy, France 1 Introduction First-order computability and complexity

665 views • 39 slides
BOXES BOXES PRESENTATION POP-UP GIFT CARD BOXES Boxes are made from recycled board. IMPRINT ME!

BOXES BOXES PRESENTATION POP-UP GIFT CARD BOXES Boxes are made from recycled board. IMPRINT ME!

BOXES BOXES PRESENTATION POP-UP GIFT CARD BOXES Boxes are made from recycled board. IMPRINT ME! Custom minimum 500. U.S. Patent #8.47 Standard hot stamping costs do not apply. Call for quote. *Lime Ice and Pearl Pillows cannot be hot

440 views • 4 slides
Outline Higher Order Statistics First, second and higher-order statistics Matthias Hennig

Outline Higher Order Statistics First, second and higher-order statistics Matthias Hennig

Outline Higher Order Statistics First, second and higher-order statistics Matthias Hennig Generative models, recognition models Neural Information Processing Sparse Coding School of Informatics, University of Edinburgh Independent Components

358 views • 9 slides
Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1 ebastien Coron 2

Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1 ebastien Coron 2

Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1 ebastien Coron 2 Rina Zeitoun 1 Jean-S 1 IDEMIA, France 2 University of Luxembourg CHES 2018 Side-channel Attacks Differential Power Analysis [KJJ99] Group by

620 views • 47 slides
Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software

Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software

The signature The countermeasure and its proof Performances Future work Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software Institute) Sonia Belad (CryptoExperts) Thomas Espitau (UPMC) Pierre-Alain

1.04k views • 51 slides
Outline Higher order is commonly used on convergence and on derivatives in opti- Trust Region with

Outline Higher order is commonly used on convergence and on derivatives in opti- Trust Region with

Workshop AD Higher Order Workshop AD Higher Order Outline Higher order is commonly used on convergence and on derivatives in opti- Trust Region with a Cubic Model mization. First order methods are gradient based and have

468 views • 7 slides

More recommend