improved high order conversion from boolean to arithmetic
play

Improved High-Order Conversion From Boolean to Arithmetic Masking - PowerPoint PPT Presentation

Mar 10, 2023 •132 likes •620 views

Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1 ebastien Coron 2 Rina Zeitoun 1 Jean-S 1 IDEMIA, France 2 University of Luxembourg CHES 2018 Side-channel Attacks Differential Power Analysis [KJJ99] Group by

  1. Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1 ebastien Coron 2 Rina Zeitoun 1 Jean-S´ 1 IDEMIA, France 2 University of Luxembourg CHES 2018

  2. Side-channel Attacks

  3. Differential Power Analysis [KJJ99] Group by predicted SBox output bit Average trace 111 Differential trace 000

  4. Masking Countermeasure • Let x be some variable in a block-cipher. • Masking countermeasure: generate a random r , and manipulate the masked value x ′ x ′ = x ⊕ r instead of x . • r is random ⇒ x ′ is random ⇒ power consumption of x ′ is random ⇒ no information about x is leaked

  5. Arithmetic Masking • Some algorithms use arithmetic operations, for example IDEA, RC6, XTEA, SPECK, SHA-1. • For these algorithms, we can use arithmetic masking: x = A + r mod 2 k where we manipulate A and r separately. • Problem: how do we convert between Boolean and arithmetic masking ? • Goubin’s algorithm (CHES 01): first-order secure conversion between Boolean and arithmetic masking.

  6. Arithmetic Masking • Some algorithms use arithmetic operations, for example IDEA, RC6, XTEA, SPECK, SHA-1. • For these algorithms, we can use arithmetic masking: x = A + r mod 2 k where we manipulate A and r separately. • Problem: how do we convert between Boolean and arithmetic masking ? • Goubin’s algorithm (CHES 01): first-order secure conversion between Boolean and arithmetic masking.

  7. Second-order Attack • Second-order attack: E ( x ′ ) E ( r ) f ( E ( x ′ ) , E ( r )) correlated with x = x ′ ⊕ r • Requires more curves but can be practical

  8. Higher-order masking • Solution: n shares instead of 2 : x = x 1 ⊕ x 2 ⊕ · · · ⊕ x n • Any subset of n − 1 shares is uniformly and independently distributed • If we probe at most n − 1 shares x i , we learn nothing about x • ⇒ secure against a DPA attack of order n − 1 .

  9. Higher-order masking • Solution: n shares instead of 2 : x = x 1 ⊕ x 2 ⊕ · · · ⊕ x n • Any subset of n − 1 shares is uniformly and independently distributed • If we probe at most n − 1 shares x i , we learn nothing about x • ⇒ secure against a DPA attack of order n − 1 .

  10. Higher-order masking • High-order Boolean masking: x = x 1 ⊕ x 2 ⊕ · · · ⊕ x n • High-order arithmetic masking: x = A 1 + A 2 + . . . + A n mod 2 k • Problem: how do we convert between Boolean and arithmetic masking ? • This talk: high-order Boolean to arithmetic conversion algorithm, simpler and more efficient than [Cor17]. • complexity independent of the register size k • still with a proof of security in the ISW probing model

  11. Higher-order masking • High-order Boolean masking: x = x 1 ⊕ x 2 ⊕ · · · ⊕ x n • High-order arithmetic masking: x = A 1 + A 2 + . . . + A n mod 2 k • Problem: how do we convert between Boolean and arithmetic masking ? • This talk: high-order Boolean to arithmetic conversion algorithm, simpler and more efficient than [Cor17]. • complexity independent of the register size k • still with a proof of security in the ISW probing model

  12. Prior work and this talk n : number of shares k : arithmetic modulo 2 k ( k = 32 for HMAC-SHA-1). First-order High-order Direction complexity complexity Goubin’s algorithm B → A O (1) - [Gou01] A → B O ( k ) - B → A O ( n 2 · k ) [CGV14] - A → B B → A - O ( n 2 · log k ) [CGTV15] A → B O (log k ) 14 · 2 n + O ( n ) [Cor17] B → A - 10 · 2 n + O ( n ) - This talk B → A • Complexity independent of the register size k , as in [Cor17] • Exponential complexity, but one order of magnitude faster than [CGV14] and [CGTV15] for small values of n .

  13. Prior work and this talk n : number of shares k : arithmetic modulo 2 k ( k = 32 for HMAC-SHA-1). First-order High-order Direction complexity complexity Goubin’s algorithm B → A O (1) - [Gou01] A → B O ( k ) - B → A O ( n 2 · k ) [CGV14] - A → B B → A - O ( n 2 · log k ) [CGTV15] A → B O (log k ) 14 · 2 n + O ( n ) [Cor17] B → A - 10 · 2 n + O ( n ) - This talk B → A • Complexity independent of the register size k , as in [Cor17] • Exponential complexity, but one order of magnitude faster than [CGV14] and [CGTV15] for small values of n .

  14. Boolean to arithmetic conversion: comparison with prior work ( k = 32 bits)

  15. Comparison with CHES 2017 algorithm 14 · 2 n + O ( n ) [Cor17] B → A - 10 · 2 n + O ( n ) B → A - This talk • Our new algorithm is roughly 25% faster, and simpler. x ψ + R R F C D [Cor17] R F C x ψ + R C D This talk C

  16. Comparison with CHES 2017 algorithm 14 · 2 n + O ( n ) [Cor17] B → A - 10 · 2 n + O ( n ) B → A - This talk • Our new algorithm is roughly 25% faster, and simpler. x ψ + R R F C D [Cor17] R F C x ψ + R C D This talk C

  17. Our contribution • Our contribution: high-order conversion algorithm from Boolean to arithmetic masking • simplified variant of CHES 2017 algorithm • still with a proof of security in the ISW probing model. • Approach initiated by Hutter and Tunstall [HT16] (eprint) • but no proof of security against high-order attacks was provided by the authors. • 3rd order attack for any number of shares n described in [Cor17] • 3rd order attack against updated Hutter-Tunstall algorithm (see the proceedings)

  18. Our contribution • Our contribution: high-order conversion algorithm from Boolean to arithmetic masking • simplified variant of CHES 2017 algorithm • still with a proof of security in the ISW probing model. • Approach initiated by Hutter and Tunstall [HT16] (eprint) • but no proof of security against high-order attacks was provided by the authors. • 3rd order attack for any number of shares n described in [Cor17] • 3rd order attack against updated Hutter-Tunstall algorithm (see the proceedings)

  19. ISW security model • Simulation framework of [ISW03]: ( sk 1 , sk 2 , . . . , sk n ) m t probes Sim Block cipher c • Show that any t probes can be perfectly simulated from at most n − 1 of the sk i ’s. • Those n − 1 shares sk i are initially uniformly and independently distributed. • ⇒ the adversary learns nothing from the t probes, since he could perfectly simulate those t probes by himself.

  20. ISW security model • Simulation framework of [ISW03]: ( sk 1 , sk 2 , . . . , sk n ) m t probes Sim Block cipher c • Show that any t probes can be perfectly simulated from at most n − 1 of the sk i ’s. • Those n − 1 shares sk i are initially uniformly and independently distributed. • ⇒ the adversary learns nothing from the t probes, since he could perfectly simulate those t probes by himself.

  21. ISW security model • Simulation framework of [ISW03]: ( sk 1 , sk 2 , . . . , sk n ) m t probes Sim Block cipher c • Show that any t probes can be perfectly simulated from at most n − 1 of the sk i ’s. • Those n − 1 shares sk i are initially uniformly and independently distributed. • ⇒ the adversary learns nothing from the t probes, since he could perfectly simulate those t probes by himself.

  22. ISW security model • Simulation framework of [ISW03]: ( sk 1 , sk 2 , . . . , sk n ) m t probes Sim Block cipher c • Show that any t probes can be perfectly simulated from at most n − 1 of the sk i ’s. • Those n − 1 shares sk i are initially uniformly and independently distributed. • ⇒ the adversary learns nothing from the t probes, since he could perfectly simulate those t probes by himself.

  23. ISW security model • Simulation framework of [ISW03]: ( sk 1 , sk 2 , . . . , sk n ) m t probes Sim Block cipher c • Show that any t probes can be perfectly simulated from at most n − 1 of the sk i ’s. • Those n − 1 shares sk i are initially uniformly and independently distributed. • ⇒ the adversary learns nothing from the t probes, since he could perfectly simulate those t probes by himself.

  24. ISW security model • Simulation framework of [ISW03]: ( sk 1 , sk 2 , . . . , sk n ) m t probes Sim Block cipher c • Show that any t probes can be perfectly simulated from at most n − 1 of the sk i ’s. • Those n − 1 shares sk i are initially uniformly and independently distributed. • ⇒ the adversary learns nothing from the t probes, since he could perfectly simulate those t probes by himself.

  25. Security proofs for side-channel countermeasures • Never publish a high-order masking scheme without a proof of security ! • So many things can go wrong. • Many countermeasures without proofs have been broken in the past. • We have a poor intuition of high-order security.

  26. Goubin’s original conversion algorithm • Goubin’s theorem: the function (mod 2 k ) Ψ( x, r ) = ( x ⊕ r ) − r is affine with respect to r over F 2 . • This is surprising but true ! • Goubin’s Boolean to arithmetic conversion algorithm: x = x 1 ⊕ x 2 = ( x 1 ⊕ x 2 − x 2 ) + x 2 = Ψ( x 1 , x 2 ) + x 2 �� � � = x 1 ⊕ Ψ( x 1 , r ⊕ x 2 ) ⊕ Ψ( x 1 , r ) + x 2 (mod 2 k ) = A + x 2 • One can compute A without leaking information about x , thanks to the random r .

Recommend

ARITHMETIC OPERATIONS WE HAVE THE DATA, WHAT NOW? Operations in C Bit-wise boolean operations

ARITHMETIC OPERATIONS WE HAVE THE DATA, WHAT NOW? Operations in C Bit-wise boolean operations

ARITHMETIC OPERATIONS WE HAVE THE DATA, WHAT NOW? Operations in C Bit-wise boolean operations Logical operation Arithmetic operations 2 BOOLEAN ALGEBRA Algebraic representation of logic Encode True as 1 and False

594 views • 31 slides
CSCI-2500: Computer Organization Boolean Logic & Arithmetic for Computers (Chapter 3 and

CSCI-2500: Computer Organization Boolean Logic & Arithmetic for Computers (Chapter 3 and

CSCI-2500: Computer Organization Boolean Logic & Arithmetic for Computers (Chapter 3 and App. B) Boolean Algebra Developed by George Boole in the 1850s Mathematical theory of logic. Shannon was the first to use Boolean Algebra

1.94k views • 183 slides
Second Order Properties of Models of First Order Arithmetic Roman Kossak City University of New

Second Order Properties of Models of First Order Arithmetic Roman Kossak City University of New

Second Order Properties of Models of First Order Arithmetic Roman Kossak City University of New York RK, James H. Schmerl The Structure of Models of Peano Arithmetic , Oxford Logic Guides, 2006 1 M < Friedmans 14th Problem: Let

203 views • 18 slides
Closure conversion Expressing higher-order functions in first-order function languages Theory of

Closure conversion Expressing higher-order functions in first-order function languages Theory of

Closure Conversion in FOFL Closure Conversion in FOFL+ Closure Conversion in Java Closure conversion Expressing higher-order functions in first-order function languages Theory of Programming Languages Computer Science Department Wellesley

368 views • 7 slides
Operations in C Have the data, what now? Bit-wise boolean operations Logical operations

Operations in C Have the data, what now? Bit-wise boolean operations Logical operations

10/11/2018 Operations in C Have the data, what now? Bit-wise boolean operations Logical operations Operations and Arithmetic Arithmetic operations 2 In C Boolean Algebra Algebraic representation of logic Operators the

360 views • 7 slides
Preliminary Study on Growth, Feed Conversion and Preliminary Study on Growth, Feed Conversion and

Preliminary Study on Growth, Feed Conversion and Preliminary Study on Growth, Feed Conversion and

Preliminary Study on Growth, Feed Conversion and Preliminary Study on Growth, Feed Conversion and Production in Non- -Improved and Improved Strains of the Improved and Improved Strains of the Production in Non Nile tilapia Oreochromis niloticus

343 views • 16 slides
Boolean Arithmetic Foundations of Global Networked Computing: Building a Modern Computer From

Boolean Arithmetic Foundations of Global Networked Computing: Building a Modern Computer From

IWKS 3300: NAND to Tetris Spring 2019 John K. Bennett Boolean Arithmetic Foundations of Global Networked Computing: Building a Modern Computer From First Principles This course is based upon the work of Noam Nisan and Shimon Schocken. More

508 views • 36 slides
CO 2 Fixation by Anaerobic Non- Photosynthetic Mixotrophy for Improved Carbon Conversion Emily

CO 2 Fixation by Anaerobic Non- Photosynthetic Mixotrophy for Improved Carbon Conversion Emily

CO 2 Fixation by Anaerobic Non- Photosynthetic Mixotrophy for Improved Carbon Conversion Emily E. Crawford, John R. Phillips, Pradeep C. Munasinghe, Carrissa A. Wiedel, Biniam Maru, Ilana Aldor, & Shawn W. Jones, Terry Papoutsakis &

812 views • 42 slides
Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking Blandine

Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking Blandine

Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking Blandine Debraize Leuven, September 10th, 2012 I NTRODUCTION 1 K NOWN TABLE - BASED METHODS 2 C ORON -T CHULKINE METHOD N EISSE -P ULKUS METHOD 3 C

413 views • 28 slides
Nanopowder thermoelectrics: improved energy conversion by nanostructuring Sabine Schlecht

Nanopowder thermoelectrics: improved energy conversion by nanostructuring Sabine Schlecht

Nanopowder thermoelectrics: improved energy conversion by nanostructuring Sabine Schlecht DFG-JST Workshop Kyoto, 20.- 23. January 2009 Thermoelectric effects interconversion of thermal and electrical energy Seebeck 1821: difference in

355 views • 21 slides
Functional lower bounds for arithmetic circuits and connections to boolean circuit complexity

Functional lower bounds for arithmetic circuits and connections to boolean circuit complexity

Functional lower bounds for arithmetic circuits and connections to boolean circuit complexity Michael Forbes Mrinal Kumar Ramprasad Saptharishi Princeton University Rutgers University T el Aviv University Computational Complexity

1.35k views • 107 slides
and utilizing reduction promoters leads to improved conversion and selectivity with Co/silica

and utilizing reduction promoters leads to improved conversion and selectivity with Co/silica

Fischer-Tropsch synthesis: foregoing calcination and utilizing reduction promoters leads to improved conversion and selectivity with Co/silica Mohammad Mehrbod Mechanical Engineering Program, Mechanical Engineering Dept., UTSA Michela

485 views • 25 slides
Logic for Computer Science 04 Boolean algebra Wouter Swierstra University of Utrecht 1

Logic for Computer Science 04 Boolean algebra Wouter Swierstra University of Utrecht 1

Logic for Computer Science 04 Boolean algebra Wouter Swierstra University of Utrecht 1 Last time Naive set theory 2 This lecture Boolean algebra Computer circuits Binary arithmetic 3 Boolean algebra 4 Similarities We have seen the

993 views • 70 slides
On the Impact of Number Representation for High-Order LES F.D. Witherden Department of Ocean

On the Impact of Number Representation for High-Order LES F.D. Witherden Department of Ocean

On the Impact of Number Representation for High-Order LES F.D. Witherden Department of Ocean Engineering Texas A&M University Motivation LES is expensive really expensive. Computer Arithmetic Binary floating point

674 views • 23 slides
Definitions Boolean set: B 0 , 1 Boolean constants: 0, 1 Boolean variable: x 0

Definitions Boolean set: B 0 , 1 Boolean constants: 0, 1 Boolean variable: x 0

Computer Architecture applied computer science 03.01 Boolean algebra urbino worldwide campus 03 Logic networks 03.01 Boolean algebra Definitions Boolean

489 views • 6 slides
On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun Goudarzi and Matthieu Rivain CHES 2016, Santa-Barbara Higher-Order Masking x = x 1 + x 2 + + x d 2/28 Higher-Order Masking x = x 1 + x 2 +

855 views • 42 slides
Boolean Functions Boolean Expressions Let B = { 0 , 1 } . 1 ... true, 0 ... false Let x 1 , x 2 ,

Boolean Functions Boolean Expressions Let B = { 0 , 1 } . 1 ... true, 0 ... false Let x 1 , x 2 ,

Boolean Functions Boolean Expressions Let B = { 0 , 1 } . 1 ... true, 0 ... false Let x 1 , x 2 , . . . , x n be boolean variables. Boolean Function of Arity n Semantics and Verification 2005 Abstract Syntax for Boolean Expressions ( x ranges

382 views • 4 slides
Lecture 6 Arithmetic Operators 3. Hardware and Softw are 4. High Level Languages C has a

Lecture 6 Arithmetic Operators 3. Hardware and Softw are 4. High Level Languages C has a

1. Introduction 2. Binary Representation Lecture 6 Arithmetic Operators 3. Hardware and Softw are 4. High Level Languages C has a number of arithmetic operators which are used to 5. Standard input and output combine variables and

403 views • 3 slides
Boolean complexes and boolean numbers Bridget Eileen Tenner DePaul University

Boolean complexes and boolean numbers Bridget Eileen Tenner DePaul University

Boolean complexes and boolean numbers Bridget Eileen Tenner DePaul University bridget@math.depaul.edu math.depaul.edu/~bridget The Bruhat order gives a poset structure to any Coxeter group. The ideal of elements in this poset having boolean

1.25k views • 13 slides
Digital Design Discussion: Arithmetic Binary Arithmetic Floating-Point Arithmetic Binary

Digital Design Discussion: Arithmetic Binary Arithmetic Floating-Point Arithmetic Binary

Principles Of Digital Design Discussion: Arithmetic Binary Arithmetic Floating-Point Arithmetic Binary Arithmetic Same basic methodology as decimal arithmetic Important to know number representation Unsigned Signed

704 views • 11 slides
Decidable Theories 1. Linear order. p.1/9 Decidable Theories 1. Linear order. 2.

Decidable Theories 1. Linear order. p.1/9 Decidable Theories 1. Linear order. 2.

Decidable Theories 1. Linear order. p.1/9 Decidable Theories 1. Linear order. 2. Presburger arithmetic: (Natural with +) p.1/9 Decidable Theories 1. Linear order. 2. Presburger arithmetic: (Natural with +) 3. Real Arithmetic (Reals

1.03k views • 46 slides
Processor Architecture Stream Arithmetic Logic Unit Programming ALU for high-performance

Processor Architecture Stream Arithmetic Logic Unit Programming ALU for high-performance

Processor Architecture Stream Arithmetic Logic Unit Programming ALU for high-performance computing 7 8 2 Memory CS334 F09 Prof. McGuire Williams College 1 2 Multi-Processor Stream Programming Arithmetic Logic Unit Arithmetic Logic

706 views • 3 slides
Closure Conversion Higher-order functions Michel Schinz Advanced Compiler Construction

Closure Conversion Higher-order functions Michel Schinz Advanced Compiler Construction

Closure Conversion Higher-order functions Michel Schinz Advanced Compiler Construction 2009-03-20 Higher-order functions HOFs in C In C, it is possible to pass a function as an argument, and to A higher-order function ( HOF ) is a

382 views • 7 slides
Closure conversion Higher-order functions Michel Schinz parts based on slides by X. Leroy

Closure conversion Higher-order functions Michel Schinz parts based on slides by X. Leroy

Closure conversion Higher-order functions Michel Schinz parts based on slides by X. Leroy Advanced compiler construction, 2008-04-04 Higher-order function HOFs in C In C, it is possible to pass a function as an argument, and to A

298 views • 6 slides

More recommend