how fast can higher order masking be in software
play

How Fast Can Higher-Order Masking Be in Software? Dahmun Goudarzi - PowerPoint PPT Presentation

Nov 13, 2023 •356 likes •873 views

How Fast Can Higher-Order Masking Be in Software? Dahmun Goudarzi and Matthieu Rivain EUROCRYPT 2017, Paris 1 Introduction 2 Field Multiplications 3 Non-Linear Operations 4 Generic Polynomial Methods 5 Polynomial Methods for

  1. How Fast Can Higher-Order Masking Be in Software? Dahmun Goudarzi and Matthieu Rivain EUROCRYPT 2017, Paris

  2. 1 � Introduction 2 � Field Multiplications 3 � Non-Linear Operations 4 � Generic Polynomial Methods 5 � Polynomial Methods for AES 6 � The Bitslice Strategy 2/32

  3. Higher-Order Masking x = x 1 + x 2 + · · · + x d 3/32

  4. Higher-Order Masking x = x 1 + x 2 + · · · + x d � Linear operations: O ( d ) 3/32

  5. Higher-Order Masking x = x 1 + x 2 + · · · + x d � Linear operations: O ( d ) � Non-linear operations: O ( d 2 ) 3/32

  6. Higher-Order Masking x = x 1 + x 2 + · · · + x d � Linear operations: O ( d ) � Non-linear operations: O ( d 2 ) � Challenge for blockciphers: S-boxes 3/32

  7. Ishai-Sahai-Wagner Multiplication � c i = � � × � � � � � a i b i = a i × b j i i i i,j       a 1 b 1 a 1 b 2 . . . a 1 b d 0 0 . . . 0 0 r 1 , 2 . . . r 1 ,d . . . . . . 0 a 2 b 2 . . . . a 2 b 1 0 . . . . r 1 , 2 0 . . . .        +  +       . . . . . . ... . . . . . .       . . . . . . r d,d − 1     0 0 . . . a d b d a d b 1 a d b 2 . . . 0 r 1 ,d r d,d − 1 0 4/32

  8. The Polynomial Methods � Sbox seen as a polynomial over GF (2 n ) n � a i x i S ( x ) = i =0 5/32

  9. The Polynomial Methods � Sbox seen as a polynomial over GF (2 n ) n � a i x i S ( x ) = � i =0 Generic Methods � S ( x ) = ( p i ⋆ q i )( x ) i � CRV decomposition, ⋆ = × (CHES 2014) � Algebraic decomposition, ⋆ = ◦ (CRYPTO 2015) 5/32

  10. The Polynomial Methods � Sbox seen as a polynomial over GF (2 n ) n � a i x i S ( x ) = � i =0 � Generic Methods AES Specific Methods � S AES ( x ) = Aff ( x 254 ) S ( x ) = ( p i ⋆ q i )( x ) i � CRV decomposition, ⋆ = × (CHES 2014) � RP multiplication chain (CHES 2010) � Algebraic decomposition, ⋆ = ◦ (CRYPTO 2015) � KHL multiplication chain (CHES 2011) 5/32

  11. Our results � Optimized implementations of state of the art higher-order masking techniques � Bottom-up approach: ◮ base field multiplication ◮ ISW/CPRR ◮ polynomial methods � Finely tuned ARM assembly (parallelization) � Alternative strategy: bitslice method (new AES and PRESENT speed records) 6/32

  12. ARM � 32-bit architecture with 16 registers (13 user accessible register) � Barrelshifter: shifts and rotates virtually free � Example: x -times and add on GF(2)[ x ] in 1 cycle EOR $acc , $var , $acc , LSL #1 7/32

  13. 1 � Introduction 2 � Field Multiplications 3 � Non-Linear Operations 4 � Generic Polynomial Methods 5 � Polynomial Methods for AES 6 � The Bitslice Strategy 8/32

  14. Field Multiplication � Goal: efficient implementation of multiplication over GF(2 n ) � Fastest method: precomputed look-up table � Limitation: constrained memory on embedded system n 4 5 6 7 8 9 10 Table size 0.25 kiB 1 kiB 4 kiB 16 kiB 64 kiB 512 kiB 2048 kiB 9/32

  15. Field Multiplication bin mult v1 bin mult v2 exp-log v1 exp-log v2 kara. half-tab full-tab clock cycles 10 n + 3 7 n + 3 18 16 19 10 4 registers 5 5 5 5 6 5 5 2 n − 1 + 48 2 n +1 + 48 3 · 2 n + 40 3 · 2 n + 42 2 +1 + 24 2 2 n + 12 3 n code size 52 2 10/32

  16. Field Multiplication bin mult v1 bin mult v2 exp-log v1 exp-log v2 kara. half-tab full-tab clock cycles 10 n + 3 7 n + 3 18 16 19 10 4 registers 5 5 5 5 6 5 5 2 n − 1 + 48 2 n +1 + 48 3 · 2 n + 40 3 · 2 n + 42 2 +1 + 24 2 2 n + 12 3 n code size 52 2 n 2 + a ℓ ) × ( b h x n 2 + b ℓ ) a × b = ( a h x Karatsuba = T1[ a h | b h ] + T2[ a ℓ | b ℓ ] + T3[ a h + a ℓ | b h + b ℓ ] 10/32

  17. Field Multiplication bin mult v1 bin mult v2 exp-log v1 exp-log v2 kara. half-tab full-tab clock cycles 10 n + 3 7 n + 3 18 16 19 10 4 registers 5 5 5 5 6 5 5 2 n − 1 + 48 2 n +1 + 48 3 · 2 n + 40 3 · 2 n + 42 2 +1 + 24 2 2 n + 12 3 n code size 52 2 n 2 + a ℓ ) × ( b h x n 2 + b ℓ ) a × b = ( a h x Half table = T1[ a h | a ℓ | b h ] + T2[ a h | a ℓ | b ℓ ] 10/32

  18. Field Multiplication bin mult v1 bin mult v2 exp-log v1 exp-log v2 kara. half-tab full-tab clock cycles 10 n + 3 7 n + 3 18 16 19 10 4 registers 5 5 5 5 6 5 5 code size 52 56 B 80 B 88 B 90 B 152 B 268 B � For n = 4 : full table ◮ Fastest multiplication: 4 clock cycles ◮ Low code size: 268 B 10/32

  19. Field Multiplication bin mult v1 bin mult v2 exp-log v1 exp-log v2 kara. half-tab full-tab clock cycles 10 n + 3 7 n + 3 18 16 19 10 4 registers 5 5 5 5 6 5 5 code size 52 176 B 560 B 808 B 810 B 8216 B 64 kiB � For n = 8 : exp-log or half-tab ◮ tradeoff between clock cycles and code size 10/32

  20. 1 � Introduction 2 � Field Multiplications 3 � Non-Linear Operations 4 � Generic Polynomial Methods 5 � Polynomial Methods for AES 6 � The Bitslice Strategy 11/32

  21. Quadratic Operations � ISW ◮ Secure GF-mult of 2 operands ◮ Might need refreshing (see paper for details) � CPRR ◮ Evaluation of quadratic functions in 1 operand ◮ Similar to ISW: GF-mult � lookup tables ◮ Twice more random 12/32

  22. Performances Comparisons 3 , 500 ISW-FT ISW-HT 3 , 000 ISW-EL 2 , 500 CPRR Clock Cycles 2 , 000 1 , 500 1 , 000 500 0 d = 3 d = 5 d = 10 � ISW < CPRR when table too huge � Asymptotical comp: 1 CPRR � 1.16 ISW-FT, 0.88 ISW-HT, 0.75 ISW-EL 13/32

  23. Parallelization � 32-bit register filled with only n -bit elements � Perform several ISW/CPRR in parallel: ◮ n = 4 � 8 elements/register ◮ n = 8 � 4 elements/register � Consequence: ◮ Parallel: load, store, xor, loops ◮ Sequential: GF mult, CPRR lookups 14/32

  24. Performances Gain of Parallelization � n = 8 (4 elements) � n = 4 (8 elements) ISW-HT ISW-FT ISW-EL CPRR 15 , 000 15 , 000 CPRR sequential Clock Cycles Clock Cycles sequential parallel parallel 10 , 000 10 , 000 5 , 000 5 , 000 0 0 d = 3 d = 5 d = 10 d = 3 d = 5 d = 10 � Asympt. ratio: CPRR 54% . � Asympt. ratio: ISW 42% . 15/32

  25. 1 � Introduction 2 � Field Multiplications 3 � Non-Linear Operations 4 � Generic Polynomial Methods 5 � Polynomial Methods for AES 6 � The Bitslice Strategy 16/32

  26. Polynomial Decomposition S ( x ) = � i q i ( x ) ⋆ p i ( x ) 17/32

  27. Polynomial Decomposition S ( x ) = � i q i ( x ) ⋆ p i ( x ) � q i : random linear combinations from a basis B 17/32

  28. Polynomial Decomposition S ( x ) = � i q i ( x ) ⋆ p i ( x ) � q i : random linear combinations from a basis B � find p i by solving a linear system 17/32

  29. Polynomial Decomposition S ( x ) = � i q i ( x ) ⋆ p i ( x ) � q i : random linear combinations from a basis B � find p i by solving a linear system � CRV vs AD: ◮ CRV [CRV14]: ⋆ = GF-multiplication � ISW multiplication ◮ AD [CPRR15]: ⋆ = composition � CPRR evaluation 17/32

  30. CRV Improvement � Use CPRR for the basis computation � Example for n = 8 : This paper CRV x 3 = x 3 x 3 = x · x 2 x 9 = ( x 3 ) 3 x 7 = x · ( x 3 ) 2 x 5 = x 5 x 29 = x · ( x 7 ) 4 x 25 = ( x 5 ) 5 x 87 = x 3 · x 29 x 125 = ( x 25 ) 5 x 251 = ( x 6 ) 16 · ( x 87 ) 128 x 115 = ( x 125 ) 5 5 ISW 6 CPRR 18/32

  31. Implementation Results � n = 4 (8 s-boxes in / � n = 8 (4 s-boxes in / / ) / ) 3 , 000 Alge. dec. Alge. dec. 800 CRV-FT CRV-HT 2 , 500 CRV-EL Clock Cycles × 10 2 Clock Cycles × 10 600 2 , 000 1 , 500 400 1 , 000 200 500 0 0 d = 3 d = 5 d = 10 d = 3 d = 5 d = 10 19/32

  32. 1 � Introduction 2 � Field Multiplications 3 � Non-Linear Operations 4 � Generic Polynomial Methods 5 � Polynomial Methods for AES 6 � The Bitslice Strategy 20/32

  33. Polynomial Methods for AES � Based on the specific algebraic structure of the AES: S ( x ) = Aff( x 254 ) � RP10 method : 4 ISW mult � Security flaw due to refreshing � Patch [CPRR13]: 1 CPRR + 3 ISW � Improvement [GPS14]: 3 CPRR + 1 ISW � KHL11 method: 5 ISW mult on GF(16) � Patch [this paper]: 1 CPRR + 4 ISW 21/32

  34. Implementation Results � 16 s-boxes in / / KHL 100 RP-HT RP-EL Clock Cycles × 10 3 80 60 40 20 0 d = 3 d = 5 d = 10 � KHL < RP- ∗ : smaller elements � higher parallelization degree 22/32

  35. 1 � Introduction 2 � Field Multiplications 3 � Non-Linear Operations 4 � Generic Polynomial Methods 5 � Polynomial Methods for AES 6 � The Bitslice Strategy 23/32

  36. Bitslice for the AES � Sbox seen as boolean circuit X 1 X 2 X n x 1 x 2 . . . x n . . . . . . . . . � + + CPU CPU XOR XOR . . . . . . + CPU AND � 16 S-boxes in / / 24/32

  37. Application for AES S-boxes � Circuit for the AES S-box [BMP13] ◮ 83 XOR gates ◮ 32 AND gates � Bitslice (16 s-boxes) ◮ 83 XOR instructions ◮ 32 AND instructions � Masking at the order d : ◮ 83 × d XOR instructions ◮ 32 ISW-AND 25/32

  38. Improvement 2 16-bit ISW-AND � 1 32-bit ISW-AND � Goal: grouping AND gates per pairs � Validation on BMP circuit � 16 s-boxes = 16 ISW-AND � 1 ISW-AND per s-box 26/32

  39. Performance Comparison of ISW 8 , 000 ISW-AND (32 / / AND) ISW-FT (8 / / GF(16)-mult) ISW-HT (4 / / GF(256)-mult) 6 , 000 Clock Cycles 4 , 000 2 , 000 0 d = 3 d = 5 d = 10 27/32

Recommend

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun Goudarzi and Matthieu Rivain CHES 2016, Santa-Barbara Higher-Order Masking x = x 1 + x 2 + + x d 2/28 Higher-Order Masking x = x 1 + x 2 +

855 views • 42 slides
Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

8 + Introduction Higher Order Masking Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved Scheme Experimental Results J.-S. Coron 1 E. Prouff 2 M. Rivain 1 , 2 Conclusion 1 University of

555 views • 43 slides
Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts

Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts

Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts Oberthur CHES 2010, Santa Barbara, Aug. 20 th CHES 2010 Provably Secure Higher-Order Masking of AES Outline 1 Introduction Higher-Order

1.1k views • 77 slides
Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint work with C. Carlet, L. Goubin,

Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint work with C. Carlet, L. Goubin,

Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint work with C. Carlet, L. Goubin, E. Prouff and M. Quisquater FSE 2012 Washington DC, 21st March 2012 Higher-Order Masking Schemes for S-boxes Outline 1 Introduction 2

1.33k views • 98 slides
High Order Masking of Look-up Tables with Common Shares J-S.Coron, F.Rondepierre, R.Zeitoun 12th

High Order Masking of Look-up Tables with Common Shares J-S.Coron, F.Rondepierre, R.Zeitoun 12th

High Order Masking of Look-up Tables with Common Shares J-S.Coron, F.Rondepierre, R.Zeitoun 12th September 2018 Outline Outline 1 Introduction 1st Order Solution Higher Order Masking of Look-Up Tables 2 Higher Order: Optimizations 12th

388 views • 35 slides
Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software

Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software

The signature The countermeasure and its proof Performances Future work Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software Institute) Sonia Belad (CryptoExperts) Thomas Espitau (UPMC) Pierre-Alain

1.04k views • 51 slides
Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and Franois-Xavier Standaert UCL (Louvain-la-Neuve, Belgium) CHES 2017, Taipei, Taiwan Outline Background Masking Barthe et al. masking

614 views • 48 slides
York University www.cs.york.ac.uk/~ndm First order vs Higher order Higher order:

York University www.cs.york.ac.uk/~ndm First order vs Higher order Higher order:

First Order Haskell Neil Mitchell York University www.cs.york.ac.uk/~ndm First order vs Higher order Higher order: functions are values Can be passed around Stored in data structure Harder for reasoning and analysis More

483 views • 15 slides
Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Introduction RSM: Rotating Sboxes Masking Information Theoretic Evaluation of RSM Security Evaluation of RSM against CPA and 2O-CPA Conclusions and Perspectives Formal Analysis of the Entropy / Security Trade-off in First-Order Masking

539 views • 38 slides
Why higher-order logic? Higher-Order logic Expressive Mathematics Verification

Why higher-order logic? Higher-Order logic Expressive Mathematics Verification

Extending SMT solvers to higher-order logic Haniel Barbosa Andrew Reynolds Daniel El Ouraoui Clark Barrett Cesare Tinelli SMT 2019 20190707, Lisbon, PT To be published in the proceedings of CADE 2019 Why higher-order logic?

569 views • 25 slides
Higher order complexity Hugo Fre Mathieu Hoyrup CCA 2013 Hugo Fre Higher order

Higher order complexity Hugo Fre Mathieu Hoyrup CCA 2013 Hugo Fre Higher order

Background &amp; motivation Higher order strategies Higher order Turing machines Computable analysis Conclusion Higher order complexity Hugo Fre Mathieu Hoyrup CCA 2013 Hugo Fre Higher order complexity 1/12 Background &amp;

383 views • 15 slides
Higher-order Interpretations for Higher-order Complexity Emmanuel Hainry &amp; Romain Pchoux

Higher-order Interpretations for Higher-order Complexity Emmanuel Hainry &amp; Romain Pchoux

Higher-order Interpretations for Higher-order Complexity Emmanuel Hainry &amp; Romain Pchoux DICE-FOPARA, 22-23 april 2017 CNRS, INRIA, Universit de Lorraine &amp; LORIA, Nancy, France 1 Introduction First-order computability and

801 views • 46 slides
Higher-order Interpretations for Higher-order Complexity Emmanuel Hainry &amp; Romain Pchoux

Higher-order Interpretations for Higher-order Complexity Emmanuel Hainry &amp; Romain Pchoux

Higher-order Interpretations for Higher-order Complexity Emmanuel Hainry &amp; Romain Pchoux LPAR, 11 may 2017 CNRS, INRIA, Universit de Lorraine &amp; LORIA, Nancy, France 1 Introduction First-order computability and complexity

665 views • 39 slides
Fast Interactive Verification through Strong Higher-Order Automation Jasmin Blanchette Pascal

Fast Interactive Verification through Strong Higher-Order Automation Jasmin Blanchette Pascal

Towards Fast Interactive Verification through Strong Higher-Order Automation Jasmin Blanchette Pascal Fontaine Stephan Schulz Uwe Waldmann Vision: Take the Hard Labor out of Vision: Interactive Verification Push button automation for

263 views • 14 slides
Outline Higher Order Statistics First, second and higher-order statistics Matthias Hennig

Outline Higher Order Statistics First, second and higher-order statistics Matthias Hennig

Outline Higher Order Statistics First, second and higher-order statistics Matthias Hennig Generative models, recognition models Neural Information Processing Sparse Coding School of Informatics, University of Edinburgh Independent Components

358 views • 9 slides
Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1 ebastien Coron 2

Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1 ebastien Coron 2

Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1 ebastien Coron 2 Rina Zeitoun 1 Jean-S 1 IDEMIA, France 2 University of Luxembourg CHES 2018 Side-channel Attacks Differential Power Analysis [KJJ99] Group by

620 views • 47 slides
Outline Higher order is commonly used on convergence and on derivatives in opti- Trust Region with

Outline Higher order is commonly used on convergence and on derivatives in opti- Trust Region with

Workshop AD Higher Order Workshop AD Higher Order Outline Higher order is commonly used on convergence and on derivatives in opti- Trust Region with a Cubic Model mization. First order methods are gradient based and have

468 views • 7 slides
On Higher-Order Program Verification and Two Notions of Higher-Order Model Checking Naoki

On Higher-Order Program Verification and Two Notions of Higher-Order Model Checking Naoki

On Higher-Order Program Verification and Two Notions of Higher-Order Model Checking Naoki Kobayashi University of Tokyo Summaries of papers from POPL09, POPL17 (joint work with Etienne Lozes, Florian Bruse), and more recent work (joint work

963 views • 65 slides
v1 v2 vn my-map : (define (my-map f xs) F F F (F v2) (F vn) (F v1) (if (null? xs) null

v1 v2 vn my-map : (define (my-map f xs) F F F (F v2) (F vn) (F v1) (if (null? xs) null

Higher-order List Func2ons Higher-Order List Functions A function is higher-order if it takes another in Racket function as an input and/or returns another function as a result. E.g. app-3-5 , make-linear-function , flip2 from the previous

519 views • 6 slides
v1 v2 vn (if (null? xs) null F F F (cons ( f (first xs)) (F vn) (F v2) (F v1) (my-map f

v1 v2 vn (if (null? xs) null F F F (cons ( f (first xs)) (F vn) (F v2) (F v1) (my-map f

Higher-order List Func2ons Higher-Order List Functions A function is higher-order if it takes another in Racket function as an input and/or returns another function as a result. E.g. app-3-5 , make-linear-function , flip2 . We will now study

300 views • 6 slides
More JavaScript! Higher-Order Functions, Callbacks, and Array Methods Higher-Order Functions

More JavaScript! Higher-Order Functions, Callbacks, and Array Methods Higher-Order Functions

More JavaScript! Higher-Order Functions, Callbacks, and Array Methods Higher-Order Functions A Higher-Order Function is any function that operates on any other function, either by taking them in as arguments or returning them. In

308 views • 9 slides
Higher Order Proof Engineering Robert White ILLC/INRIA Cool Logic, ILLC 1/23 Higher Order

Higher Order Proof Engineering Robert White ILLC/INRIA Cool Logic, ILLC 1/23 Higher Order

Higher Order Proof Engineering Higher Order Proof Engineering Robert White ILLC/INRIA Cool Logic, ILLC 1/23 Higher Order Proof Engineering Outline Introduction HOL Light and HOL Proof Checking OpenTheory Holide and Dedukti ProofCloud

767 views • 23 slides
HO in Coq Guillaume Ambal, Sergue Lenglet and Alan Schmitt Higher-Order -calculus

HO in Coq Guillaume Ambal, Sergue Lenglet and Alan Schmitt Higher-Order -calculus

HO in Coq Guillaume Ambal, Sergue Lenglet and Alan Schmitt Higher-Order -calculus Model of concurrent and communicating systems First-order: inert data (channel names, . . . ) Higher-order: executable processes

866 views • 57 slides
Recursion and Induction: Higher Order Functions Greg Plaxton Theory in Programming Practice,

Recursion and Induction: Higher Order Functions Greg Plaxton Theory in Programming Practice,

Recursion and Induction: Higher Order Functions Greg Plaxton Theory in Programming Practice, Spring 2005 Department of Computer Science University of Texas at Austin Higher Order Functions A higher order function is a function that takes a

290 views • 13 slides

More recommend