leakage squeezing revisited
play

Leakage Squeezing Revisited Vincent Grosso 1 , Fran cois-Xavier - PowerPoint PPT Presentation

Sep 14, 2022 •209 likes •895 views

Leakage Squeezing Revisited Vincent Grosso 1 , Fran cois-Xavier Standaert 1 , Emmanuel Prouff 2 . 1 ICTEAM/ELEN/Crypto Group, Universit e catholique de Louvain, Belgium. 2 ANSSI, 51 Bd de la Tour-Maubourg, 75700 Paris 07 SP, France. CARDIS

  1. Leakage Squeezing Revisited Vincent Grosso 1 , Fran¸ cois-Xavier Standaert 1 , Emmanuel Prouff 2 . 1 ICTEAM/ELEN/Crypto Group, Universit´ e catholique de Louvain, Belgium. 2 ANSSI, 51 Bd de la Tour-Maubourg, 75700 Paris 07 SP, France. CARDIS 2013, Berlin.

  2. Secret Sharing UCL Crypto Group Leakage Squeezing 1 / 26 UCL/ICTEAM/ELEN

  3. Secret Sharing UCL Crypto Group Leakage Squeezing 1 / 26 UCL/ICTEAM/ELEN

  4. Secret Sharing P( | )=P( ) UCL Crypto Group Leakage Squeezing 1 / 26 UCL/ICTEAM/ELEN

  5. Boolean Secret Sharing Let X be a variable and M a random value uniformly chosen among the possible values of X . UCL Crypto Group Leakage Squeezing 2 / 26 UCL/ICTEAM/ELEN

  6. Boolean Secret Sharing Let X be a variable and M a random value uniformly chosen among the possible values of X . Then X can be shared with the vector ( X ⊕ M , M ). UCL Crypto Group Leakage Squeezing 2 / 26 UCL/ICTEAM/ELEN

  7. Boolean Secret Sharing Let X be a variable and M a random value uniformly chosen among the possible values of X . Then X can be shared with the vector ( X ⊕ M , M ). M is random ⇒ no information on X is available from the observation of M . UCL Crypto Group Leakage Squeezing 2 / 26 UCL/ICTEAM/ELEN

  8. Boolean Secret Sharing Let X be a variable and M a random value uniformly chosen among the possible values of X . Then X can be shared with the vector ( X ⊕ M , M ). M is random ⇒ no information on X is available from the observation of M . X ⊕ M one-time-pad of X ⇒ no information on X is available from the observation of X ⊕ M . UCL Crypto Group Leakage Squeezing 2 / 26 UCL/ICTEAM/ELEN

  9. Masking ≃ Computing on Shared Values Traces contain information plus some noise. UCL Crypto Group Leakage Squeezing 3 / 26 UCL/ICTEAM/ELEN

  10. Masking ≃ Computing on Shared Values Unprotected device: unidimensional leakage is sufficient to mount an attack. UCL Crypto Group Leakage Squeezing 3 / 26 UCL/ICTEAM/ELEN

  11. Masking ≃ Computing on Shared Values Protected software device with 2 shares: ideally bi- dimensional leakages are sufficient to mount an attack. UCL Crypto Group Leakage Squeezing 3 / 26 UCL/ICTEAM/ELEN

  12. Masking ≃ Computing on Shared Values Protected software device with 3 shares: ideally tri- dimensional leakages are sufficient to mount an attack. UCL Crypto Group Leakage Squeezing 3 / 26 UCL/ICTEAM/ELEN

  13. Masking ≃ Computing on Shared Values Dimension of an attack : number of leakage points used. UCL Crypto Group Leakage Squeezing 3 / 26 UCL/ICTEAM/ELEN

  14. Order (statistical) Let X i be r random variables, then the central mixed moment of orders d 1 , . . . , d r is defined by: E(( X 1 − E( X 1 )) d 1 × · · · × ( X r − E( X r )) d r ) . UCL Crypto Group Leakage Squeezing 4 / 26 UCL/ICTEAM/ELEN

  15. Order (statistical) Let X i be r random variables, then the central mixed moment of orders d 1 , . . . , d r is defined by: E(( X 1 − E( X 1 )) d 1 × · · · × ( X r − E( X r )) d r ) . The order of an attack is the smallest statical moment order ( d = � i d i ) used in the attack. UCL Crypto Group Leakage Squeezing 4 / 26 UCL/ICTEAM/ELEN

  16. Order (statistical) Let X i be r random variables, then the central mixed moment of orders d 1 , . . . , d r is defined by: E(( X 1 − E( X 1 )) d 1 × · · · × ( X r − E( X r )) d r ) . The order of an attack is the smallest statical moment order ( d = � i d i ) used in the attack. If we have noisy random variables, the moment becomes harder to estimate as the order increases. UCL Crypto Group Leakage Squeezing 4 / 26 UCL/ICTEAM/ELEN

  17. Application to attack ⊲ Order � ↔ data complexity. ⊲ Dimension � ↔ computational complexity. UCL Crypto Group Leakage Squeezing 5 / 26 UCL/ICTEAM/ELEN

  18. Application to attack ⊲ Order � ↔ data complexity. ⊲ Dimension � ↔ computational complexity. The data complexity of a successful attack increases exponentially with the order of the attack (with noise as a basis). UCL Crypto Group Leakage Squeezing 5 / 26 UCL/ICTEAM/ELEN

  19. Outline 1. Leakage squeezing 2. Assumption fulfilled 3. On the adversary condition 4. On the physical condition UCL Crypto Group Leakage Squeezing 6 / 26 UCL/ICTEAM/ELEN

  20. Outline 1. Leakage squeezing 2. Assumption fulfilled 3. On the adversary condition 4. On the physical condition UCL Crypto Group Leakage Squeezing 7 / 26 UCL/ICTEAM/ELEN

  21. Motivation ⊲ Masking security holds if all masks are uniformly distributed ⇒ strong randomness requirements in masked implementation. Leakage squeezing proposes to reduce the amount of entropy (i.e. the number of masks). ⊲ Less masks can lead to more efficient implementation ⊲ Preserved security order under two conditions: ◦ Unidimensional leakage. ◦ Linear leakage. UCL Crypto Group Leakage Squeezing 8 / 26 UCL/ICTEAM/ELEN

  22. On the security conditions ⊲ Unidimensional leakage only 1 share, adversarial condition: ◦ points of interest are difficult to find ◦ implementation always leak on all shares What happen if adversary obtain leakage on both shares? UCL Crypto Group Leakage Squeezing 9 / 26 UCL/ICTEAM/ELEN

  23. On the security conditions ⊲ Unidimensional leakage only 1 share, adversarial condition: ◦ points of interest are difficult to find ◦ implementation always leak on all shares What happen if adversary obtain leakage on both shares? Similar security as uniform masking :) UCL Crypto Group Leakage Squeezing 9 / 26 UCL/ICTEAM/ELEN

  24. On the security conditions ⊲ Unidimensional leakage only 1 share, adversarial condition: ◦ points of interest are difficult to find ◦ implementation always leak on all shares What happen if adversary obtain leakage on both shares? Similar security as uniform masking :) ⊲ Linear leakage, physical condition: ◦ classical hypothesis (Hamming weight leakage) for adversary but not for evaluation ◦ cryptographic designers can hardly control the leakage function What happen if the leakage function is not linear? UCL Crypto Group Leakage Squeezing 9 / 26 UCL/ICTEAM/ELEN

  25. On the security conditions ⊲ Unidimensional leakage only 1 share, adversarial condition: ◦ points of interest are difficult to find ◦ implementation always leak on all shares What happen if adversary obtain leakage on both shares? Similar security as uniform masking :) ⊲ Linear leakage, physical condition: ◦ classical hypothesis (Hamming weight leakage) for adversary but not for evaluation ◦ cryptographic designers can hardly control the leakage function What happen if the leakage function is not linear? The security order decrease, depending on the degree of the leakage function :( UCL Crypto Group Leakage Squeezing 9 / 26 UCL/ICTEAM/ELEN

  26. Target C 12 = { 0x03 , 0x18 , 0x3f , 0x55 , 0x60 , 0x6e , 0x8c , 0xa5 , 0xb2 , 0xcb , 0xd6 , 0xf9 } [NGD11]. Univariate security of order 2, if linear leakage. C 16 = { 0x10 , 0x1f , 0x26 , 0x29 , 0x43 , 0x4c , 0x75 , 0x7a , 0x85 , 0x8a , 0xb3 , 0xbc , 0xd6 , 0xd9 , 0xe0 , 0xef } [BCG13]. Univariate security of order 3, if linear leakage. UCL Crypto Group Leakage Squeezing 10 / 26 UCL/ICTEAM/ELEN

  27. Modification of hypothesis ⊲ Multivariate (higher dimension) attacks. ⇒ Adversarial condition. l 1 = l ( X ⊕ m ) + N 1 , UCL Crypto Group Leakage Squeezing 11 / 26 UCL/ICTEAM/ELEN

  28. Modification of hypothesis ⊲ Multivariate (higher dimension) attacks. ⇒ Adversarial condition. l 1 = l ( X ⊕ m ) + N 1 , l 2 = l ( m ) + N 2 UCL Crypto Group Leakage Squeezing 11 / 26 UCL/ICTEAM/ELEN

  29. Modification of hypothesis ⊲ Multivariate (higher dimension) attacks. ⇒ Adversarial condition. l 1 = l ( X ⊕ m ) + N 1 , l 2 = l ( m ) + N 2 ⊲ Polynomial leakage. ⇒ Physical condition. Let X be an internal value, X i denotes the value of the i th bit of X . For a linear leakage ∃{ a i } i s.t. l ( X ) = � i a i X i UCL Crypto Group Leakage Squeezing 11 / 26 UCL/ICTEAM/ELEN

  30. Modification of hypothesis ⊲ Multivariate (higher dimension) attacks. ⇒ Adversarial condition. l 1 = l ( X ⊕ m ) + N 1 , l 2 = l ( m ) + N 2 ⊲ Polynomial leakage. ⇒ Physical condition. Let X be an internal value, X i denotes the value of the i th bit of X . For a polynomial leakage ∃{ a i } i , { b i , j } i , j , . . . s.t. l ( X ) = � i a i X i + � � j b i , j X i × X j + � � � k c i , j , k X i × X j × X k i i j For uniform masking, polynomial leakage does not mix different shares. It has thus no incidence on security order. UCL Crypto Group Leakage Squeezing 11 / 26 UCL/ICTEAM/ELEN

  31. Framework ⊲ Mutual information. UCL Crypto Group Leakage Squeezing 12 / 26 UCL/ICTEAM/ELEN

  32. Framework ⊲ Mutual information. K UCL Crypto Group Leakage Squeezing 12 / 26 UCL/ICTEAM/ELEN

  33. Framework ⊲ Mutual information. L UCL Crypto Group Leakage Squeezing 12 / 26 UCL/ICTEAM/ELEN

  34. Framework ⊲ Mutual information. K L UCL Crypto Group Leakage Squeezing 12 / 26 UCL/ICTEAM/ELEN

  35. Framework ⊲ Mutual information. K L The maximum information available. UCL Crypto Group Leakage Squeezing 12 / 26 UCL/ICTEAM/ELEN

  36. Framework ⊲ Perceived information. K L The maximum information available. UCL Crypto Group Leakage Squeezing 12 / 26 UCL/ICTEAM/ELEN

Recommend

Squeezing Information from Data at Exascale Joel Saltz Emory University Georgia Tech Squeezing

Squeezing Information from Data at Exascale Joel Saltz Emory University Georgia Tech Squeezing

Squeezing Information from Data at Exascale Joel Saltz Emory University Georgia Tech Squeezing Information from Temporal Spatial Datasets Leverage exascale data and 2 computer resources to squeeze the most out of image, sensor or

642 views • 36 slides
Study and experiment on the alternative technique of frequencydependent squeezing generation

Study and experiment on the alternative technique of frequencydependent squeezing generation

Study and experiment on the alternative technique of frequencydependent squeezing generation with EPR entanglement for next generation of gravitational wave detectors. Mateusz Bawaj on behalf of Virgo squeezing team Noise sources in Adv

248 views • 11 slides
Digital Leakage Today Analog and Digital Leakage LTE interference Kendall Robinson Regional

Digital Leakage Today Analog and Digital Leakage LTE interference Kendall Robinson Regional

Digital Leakage Today Analog and Digital Leakage LTE interference Kendall Robinson Regional Account Director Arcom Digital < HOME Digital Leakage Outline Digital Leakage Traditional Leakage LTE Ingress and Egress issues

877 views • 68 slides
Encrypted Search: Leakage Attacks Seny Kamara How do we Deal with Leakage? Our definitions

Encrypted Search: Leakage Attacks Seny Kamara How do we Deal with Leakage? Our definitions

SAC Summer School 2019 Encrypted Search: Leakage Attacks Seny Kamara How do we Deal with Leakage? Our definitions allow us to prove that our schemes achieve a certain leakage profile but doesnt tell us if a leakage profile is

477 views • 22 slides
Encrypted Search: Leakage Suppression Seny Kamara How Should we Handle Leakage? Approach #1:

Encrypted Search: Leakage Suppression Seny Kamara How Should we Handle Leakage? Approach #1:

SAC Summer School 2019 Encrypted Search: Leakage Suppression Seny Kamara How Should we Handle Leakage? Approach #1: ORAM simulation Store and simulate data structure with ORAM General-purpose Zero-leakage (if data is transformed

1.29k views • 60 slides
The Water Detective Q-Leak is a sensitive leakage detector which can be placed anywhere water

The Water Detective Q-Leak is a sensitive leakage detector which can be placed anywhere water

The Water Detective Q-Leak is a sensitive leakage detector which can be placed anywhere water leakage can occur . To prevent leakage-related damages it sends an alert whenever water is detected. The device also visualizes its status on the online

234 views • 10 slides
Carbon leakage: theory, evidence and policy PMR Webinar on Carbon Leakage John Ward November 24

Carbon leakage: theory, evidence and policy PMR Webinar on Carbon Leakage John Ward November 24

Carbon leakage: theory, evidence and policy PMR Webinar on Carbon Leakage John Ward November 24 and December 3, 2015 Vivid Economics Overview Definition Theory Evidence Addressing leakage Why? Which sectors? How? 2

408 views • 29 slides
LEAKAGE - RESILIENT PUBLIC - KEY ENCRYPTION FROM OBFUSCATION Dana Dachman-Soled, S. Dov

LEAKAGE - RESILIENT PUBLIC - KEY ENCRYPTION FROM OBFUSCATION Dana Dachman-Soled, S. Dov

LEAKAGE - RESILIENT PUBLIC - KEY ENCRYPTION FROM OBFUSCATION Dana Dachman-Soled, S. Dov Gordon, Feng-Hao Lui, Adam, ONeill, and Hong-Sheng Zhou O UTLINE OF T ALK Leakage Models for PKE Bounded, Continual, and Continual w/ Leakage on

1.05k views • 102 slides
Design of Mixed Gates for Design of Mixed Gates for Leakage Reduction Leakage Reduction Frank

Design of Mixed Gates for Design of Mixed Gates for Leakage Reduction Leakage Reduction Frank

GLSVLSI 2007 17th edition of ACM Great Lakes Symposium on VLSI Design of Mixed Gates for Design of Mixed Gates for Leakage Reduction Leakage Reduction Frank Sill, Jiaxi You, Dirk Timmermann Institute of Applied Microelectronics and Computer

738 views • 32 slides
Hom and Ext, Revisited Justin Lyle Lawrence, KS justin.lyle@ku.edu April 28, 2018 JL Hom and

Hom and Ext, Revisited Justin Lyle Lawrence, KS justin.lyle@ku.edu April 28, 2018 JL Hom and

Hom and Ext, Revisited Hom and Ext, Revisited Justin Lyle Lawrence, KS justin.lyle@ku.edu April 28, 2018 JL Hom and Ext, Revisited Hom and Ext, Revisited Joint work with Hailong Dao and Mohammad Eghbali JL Hom and Ext, Revisited Hom

871 views • 45 slides
Limit to Spin Squeezing in BEC : from two-mode to multimode A. Sinatra, Y. Castin, E. Witkowska

Limit to Spin Squeezing in BEC : from two-mode to multimode A. Sinatra, Y. Castin, E. Witkowska

Plan INTRODUCTION DEPHASING MODEL LOSSES TEMPERATURE Limit to Spin Squeezing in BEC : from two-mode to multimode A. Sinatra, Y. Castin, E. Witkowska , Li Yun, J.-C. Dornsetter Laboratoire Kastler Brossel, Ecole Normale Sup erieure,

645 views • 28 slides
Squeezing the limit: Quantum benchmarks for the teleportation and storage of squeezed states NJP,

Squeezing the limit: Quantum benchmarks for the teleportation and storage of squeezed states NJP,

Squeezing the limit: Quantum benchmarks for the teleportation and storage of squeezed states NJP, vol.10, 113014 (2008) M. Owari 1,2 , M.B. Plenio 1,2 , E.S. Polzik 3 , A. Serafini 4 , and M. M. Wolf 3 Institute of Mathematical Science, Imperial

686 views • 32 slides
Ti Time me Squeezing for Tiny Device ces DAC 2018, ISCA 2019

Ti Time me Squeezing for Tiny Device ces DAC 2018, ISCA 2019

Ti Time me Squeezing for Tiny Device ces DAC 2018, ISCA 2019 www.cs.northwestern.edu/~simonec/Research.html#Research_Variability Difficult to achieve energy wins in tiny devices Tiny devices include: Nano drones Implantable

490 views • 17 slides
Symplectic non-squeezing for the discrete nonlinear Schr odinger equation Alexander Tumanov

Symplectic non-squeezing for the discrete nonlinear Schr odinger equation Alexander Tumanov

Symplectic non-squeezing for the discrete nonlinear Schr odinger equation Alexander Tumanov University of Illinois at Urbana-Champaign Quasilinear equations, inverse problems and their applications dedicated to the memory of Gennadi

1.11k views • 85 slides
HVAC System Air Leakage 2019 Presented By: Mark Terzigni Director of Engineering Technical

HVAC System Air Leakage 2019 Presented By: Mark Terzigni Director of Engineering Technical

HVAC System Air Leakage 2019 Presented By: Mark Terzigni Director of Engineering Technical Services SMACNA Learning Objectives Understand the difference between System leakage and Duct leakage Understand what information

841 views • 59 slides
The UK position on ETS reform Dan Doherty 1 Key policy issues for Phase IV 1. Carbon leakage

The UK position on ETS reform Dan Doherty 1 Key policy issues for Phase IV 1. Carbon leakage

The UK position on ETS reform Dan Doherty 1 Key policy issues for Phase IV 1. Carbon leakage 2. Innovation Fund 3. Modernisation Fund 4. Article 10 c 5. Simplification Principles of Carbon Leakage Reform In order for carbon leakage policy

339 views • 13 slides
Squeezing State Spaces of (Attack-Defence) Trees l Knapik 1 Wojciech Penczek 1 Micha Laure

Squeezing State Spaces of (Attack-Defence) Trees l Knapik 1 Wojciech Penczek 1 Micha Laure

Squeezing State Spaces of (Attack-Defence) Trees l Knapik 1 Wojciech Penczek 1 Micha Laure Petrucci 2 Teofil Sidoruk 1 1 Institute of Computer Science, Polish Academy of Sciences 2 LIPN, CNRS UMR 7030, Universit e Sorbonne Paris Nord LAMAS

388 views • 23 slides
GPU peak performance vs. CPU Squeezing GPU performance Peak Double Precision FLOPS Peak Memory

GPU peak performance vs. CPU Squeezing GPU performance Peak Double Precision FLOPS Peak Memory

GPU peak performance vs. CPU Squeezing GPU performance Peak Double Precision FLOPS Peak Memory Bandwidth GPGPU 2015: High Performance Computing with CUDA University of Cape Town (South Africa), April, 20 th -24 th , 2015 GPU 6x faster on

178 views • 4 slides
Leakage-Resilient Public-Key Cryptography in the Bounded-Retrieval Model Jol Alwen, Yevgeniy

Leakage-Resilient Public-Key Cryptography in the Bounded-Retrieval Model Jol Alwen, Yevgeniy

Leakage-Resilient Public-Key Cryptography in the Bounded-Retrieval Model Jol Alwen, Yevgeniy Dodis, Daniel Wichs New York University Speaker: Daniel Wichs CRYPTO 09 Goal of Leakage-Resilient Crypto Model of Leakage Resilience

303 views • 29 slides
I Heard It through the Firewall: Exploiting Cloud Management Services as an Information Leakage

I Heard It through the Firewall: Exploiting Cloud Management Services as an Information Leakage

I Heard It through the Firewall: Exploiting Cloud Management Services as an Information Leakage Channel Hyunwook Baek , Eric Eide, Robert Ricci, Jacobus Van der Merwe University of Utah 1 Motivation Information leakage in cloud has

874 views • 49 slides
How to Compute under AC 0 Leakage without Secure Hardware Guy Rothblum Microsoft Research

How to Compute under AC 0 Leakage without Secure Hardware Guy Rothblum Microsoft Research

How to Compute under AC 0 Leakage without Secure Hardware Guy Rothblum Microsoft Research Silicon Valley Protecting Sensitive Computations from Leakage/Side-Channel Attacks Sensitive computations: Cryptographic Algorithms Secret Key

232 views • 20 slides
Multi-Tuple Leakage Detection and the Dependent Signal Issue Olivier Bronchain Tobias Schneider

Multi-Tuple Leakage Detection and the Dependent Signal Issue Olivier Bronchain Tobias Schneider

Introduction Leakage Detection Multi-Tuple Leakage Detection Conclusion Multi-Tuple Leakage Detection and the Dependent Signal Issue Olivier Bronchain Tobias Schneider Fran cois-Xavier Standaert CHES 2019, Atlanta, USA Olivier Bronchain

1.3k views • 91 slides
Mixed Gates: Leakage Reduction Mixed Gates: Leakage Reduction Techniques applied to Techniques

Mixed Gates: Leakage Reduction Mixed Gates: Leakage Reduction Techniques applied to Techniques

Mixed Gates: Leakage Reduction Mixed Gates: Leakage Reduction Techniques applied to Techniques applied to Switches for on- -chip Networks chip Networks Switches for on Frank Sill, Claas Cornelius, Stephan Kubisch, Dirk Timmermann Institute

413 views • 24 slides
Squeezing down the computing Edit Master text styles Second level requirements of deep neural

Squeezing down the computing Edit Master text styles Second level requirements of deep neural

Squeezing down the computing Edit Master text styles Second level requirements of deep neural networks Third level Fourth level Fifth level Albert Shaw, Daniel Hunter, Sammy Sidhu, and Forrest Iandola Levels of automated driving Edit

1.19k views • 45 slides

More recommend