low randomness masking and shulfifgn
play

Low Randomness Masking and Shulfifgn: An Evaluation Using Mutual - PowerPoint PPT Presentation

Feb 17, 2023 •307 likes •785 views

Low Randomness Masking and Shulfifgn: An Evaluation Using Mutual Information Kostas Papagiannopoulos kostaspap88@gmail.com kpcrypto.net Radboud University Nijmegen Digital Security Department The Netherlands 1 Overview Masking,

  1. Low Randomness Masking and Shulfifgn: An Evaluation Using Mutual Information Kostas Papagiannopoulos kostaspap88@gmail.com kpcrypto.net Radboud University Nijmegen Digital Security Department The Netherlands 1

  2. Overview • Masking, shuffling and the cost of RNG • New countermeasure variants that recycle randomness • Pitfalls in formal security and noise amplification 2

  3. Introduction Masking and Shuffling Schemes Against Side-Channel Analysis 3

  4. Introduction: Masking Schemes • One of the most popular S0 countermeasures against SCA S7 S1 • Forces the adversary to recombine shares • Performs noise amplification [1] Secret S2 S6 S S5 S3 S4 [1] Suresh Chari, Charanjit S. Jutla, Josyula R. Rao, and Pankaj Rohatgi. Towards sound approaches to counteract power-analysis attacks. 3 [2] Yuval Ishai, Amit Sahai, and David Wagner. Private circuits: Securing hardware against probing attacks

  5. Introduction: Masking Schemes • One of the most popular S0 countermeasures against SCA S7 S1 • Forces the adversary to recombine shares • Performs noise amplification [1] Secret S2 S6 S • Computationally demanding in operations and RNG, S5 S3 𝑃(𝑜 2 ) random elements for ISW S4 multiplication with 𝑜 shares [2] [1] Suresh Chari, Charanjit S. Jutla, Josyula R. Rao, and Pankaj Rohatgi. Towards sound approaches to counteract power-analysis attacks. 3 [2] Yuval Ishai, Amit Sahai, and David Wagner. Private circuits: Securing hardware against probing attacks

  6. Introduction: Shuffling Schemes • Widely deployed countermeasure Sbox1 Sbox2 Sbox3 Sbox4 • Permutes blocks • Performs noise amplification [3] Sbox3 Sbox1 Sbox4 Sbox2 [3] Nicolas Veyrat-Charvillon, Marcel Medwed, Stéphanie Kerckhof, and François-Xavier Standaert. Shuffling against side-channel attacks: A comprehensive study with cautionary note 6 [4] Donald E. Knuth. The Art of Computer Programming, Volume 2 (3rd Ed.): Seminumerical Algorithms

  7. Introduction: Shuffling Schemes • Widely deployed countermeasure • Permutes blocks Sbox1 Sbox2 Sbox3 Sbox4 • Performs noise amplification [3] • Computationally demanding in RNG, approx. k ∗ ceil 𝑚𝑝𝑕 2 k random bits, for 𝑙 operations shuffled [4] Sbox3 Sbox1 Sbox4 Sbox2 [3] Nicolas Veyrat-Charvillon, Marcel Medwed, Stéphanie Kerckhof, and François-Xavier Standaert. Shuffling against side-channel attacks: A comprehensive study with cautionary note 6 [4] Donald E. Knuth. The Art of Computer Programming, Volume 2 (3rd Ed.): Seminumerical Algorithms

  8. Introduction: RNG Overhead • The RNG constitutes a considerable performance overhead [5] Josep Balasch, Sebastian Faust, Benedikt Gierlichs, Clara Paglialonga, and François-Xavier Standaert. Consolidating inner product masking [6] Wouter de Groot, Kostas Papagiannopoulos, Antonio de La Piedra, Erik Schneider and Lejla Batina. Bitsliced masking and arm: Friends or foes? 10 [7] Benjamin Gregoire and Kostas Papagiannopoulos and Peter Schwabe and Ko Stoffelen . Vectorizing Higher-Order Masking

  9. Introduction: RNG Overhead • The RNG constitutes a considerable performance overhead • 2 nd -order AES on AVR pseudoRNG [5] [5] Josep Balasch, Sebastian Faust, Benedikt Gierlichs, Clara Paglialonga, and François-Xavier Standaert. Consolidating inner product masking [6] Wouter de Groot, Kostas Papagiannopoulos, Antonio de La Piedra, Erik Schneider and Lejla Batina. Bitsliced masking and arm: Friends or foes? 10 [7] Benjamin Gregoire and Kostas Papagiannopoulos and Peter Schwabe and Ko Stoffelen . Vectorizing Higher-Order Masking

  10. Introduction: RNG Overhead • The RNG constitutes a considerable performance overhead RNG • 2 nd -order AES on AVR 38% Cipher pseudoRNG [5] 62% [5] Josep Balasch, Sebastian Faust, Benedikt Gierlichs, Clara Paglialonga, and François-Xavier Standaert. Consolidating inner product masking [6] Wouter de Groot, Kostas Papagiannopoulos, Antonio de La Piedra, Erik Schneider and Lejla Batina. Bitsliced masking and arm: Friends or foes? 10 [7] Benjamin Gregoire and Kostas Papagiannopoulos and Peter Schwabe and Ko Stoffelen . Vectorizing Higher-Order Masking

  11. Introduction: RNG Overhead • The RNG constitutes a considerable performance overhead RNG • 2 nd -order AES on AVR 38% Cipher pseudoRNG [5] 62% • 2 nd -order PRESENT on ARM Cortex-M4 trueRNG [6] [5] Josep Balasch, Sebastian Faust, Benedikt Gierlichs, Clara Paglialonga, and François-Xavier Standaert. Consolidating inner product masking [6] Wouter de Groot, Kostas Papagiannopoulos, Antonio de La Piedra, Erik Schneider and Lejla Batina. Bitsliced masking and arm: Friends or foes? 10 [7] Benjamin Gregoire and Kostas Papagiannopoulos and Peter Schwabe and Ko Stoffelen . Vectorizing Higher-Order Masking

  12. Introduction: RNG Overhead • The RNG constitutes a considerable performance overhead RNG • 2 nd -order AES on AVR 38% Cipher pseudoRNG [5] 62% RNG 25% • 2 nd -order PRESENT on ARM Cortex-M4 Cipher 75% trueRNG [6] [5] Josep Balasch, Sebastian Faust, Benedikt Gierlichs, Clara Paglialonga, and François-Xavier Standaert. Consolidating inner product masking [6] Wouter de Groot, Kostas Papagiannopoulos, Antonio de La Piedra, Erik Schneider and Lejla Batina. Bitsliced masking and arm: Friends or foes? 10 [7] Benjamin Gregoire and Kostas Papagiannopoulos and Peter Schwabe and Ko Stoffelen . Vectorizing Higher-Order Masking

  13. Introduction: RNG Overhead • The RNG constitutes a considerable performance overhead RNG • 2 nd -order AES on AVR 38% Cipher pseudoRNG [5] 62% RNG 25% • 2 nd -order PRESENT on ARM Cortex-M4 Cipher 75% trueRNG [6] • 4 th -order AES on ARM Cortex-A with NEON assembly /dev/urandom [7] [5] Josep Balasch, Sebastian Faust, Benedikt Gierlichs, Clara Paglialonga, and François-Xavier Standaert. Consolidating inner product masking [6] Wouter de Groot, Kostas Papagiannopoulos, Antonio de La Piedra, Erik Schneider and Lejla Batina. Bitsliced masking and arm: Friends or foes? 10 [7] Benjamin Gregoire and Kostas Papagiannopoulos and Peter Schwabe and Ko Stoffelen . Vectorizing Higher-Order Masking

  14. Introduction: RNG Overhead • The RNG constitutes a considerable performance overhead RNG • 2 nd -order AES on AVR 38% Cipher pseudoRNG [5] 62% RNG 25% • 2 nd -order PRESENT on ARM Cortex-M4 Cipher 75% trueRNG [6] Cipher 1% • 4 th -order AES on ARM Cortex-A with NEON assembly /dev/urandom [7] RNG 99% [5] Josep Balasch, Sebastian Faust, Benedikt Gierlichs, Clara Paglialonga, and François-Xavier Standaert. Consolidating inner product masking [6] Wouter de Groot, Kostas Papagiannopoulos, Antonio de La Piedra, Erik Schneider and Lejla Batina. Bitsliced masking and arm: Friends or foes? 10 [7] Benjamin Gregoire and Kostas Papagiannopoulos and Peter Schwabe and Ko Stoffelen . Vectorizing Higher-Order Masking

  15. Recycled Randomness Masking Reducing the RNG overhead in masking with RRM 15

  16. RRM: Example • Assume two 2 nd -order secure, independent ISW mult. gadgets 𝑨 = 𝑦𝑧 , 𝑑 = 𝑏𝑐 𝑨 0 = 𝑦 0 𝑧 0 ⊕ 𝑥 0 ⊕ 𝑥 1 𝑨 1 = 𝑦 1 𝑧 1 ⊕ ((𝑥 0 ⊕ 𝑦 0 𝑧 1 ) ⊕ 𝑦 1 𝑧 0 ) ⊕ 𝑥 2 𝑨 2 = 𝑦 2 𝑧 2 ⊕ ((𝑥 1 ⊕ 𝑦 0 𝑧 2 ) ⊕ 𝑦 2 𝑧 0 ) ⊕ ((𝑥 2 ⊕ 𝑦 1 𝑧 2 ) ⊕ 𝑦 2 𝑧 1 ) 𝑑 0 = 𝑏 0 𝑐 0 ⊕ 𝑢 0 ⊕ 𝑢 1 𝑑 1 = 𝑏 1 𝑐 1 ⊕ ((𝑢 0 ⊕ 𝑏 0 𝑐 1 ) ⊕ 𝑏 1 𝑐 0 ) ⊕ 𝑢 2 𝑑 2 = 𝑏 2 𝑐 2 ⊕ ((𝑢 1 ⊕ 𝑏 0 𝑐 2 ) ⊕ 𝑏 2 𝑐 0 ) ⊕ ((𝑢 2 ⊕ 𝑏 1 𝑐 2 ) ⊕ 𝑏 2 𝑐 1 ) 16

  17. RRM: Example • Recycle some random numbers from the first to the second gadget 𝑨 0 = 𝑦 0 𝑧 0 ⊕ 𝑥 0 ⊕ 𝑥 1 𝑨 1 = 𝑦 1 𝑧 1 ⊕ ((𝑥 0 ⊕ 𝑦 0 𝑧 1 ) ⊕ 𝑦 1 𝑧 0 ) ⊕ 𝑥 2 𝑨 2 = 𝑦 2 𝑧 2 ⊕ ((𝑥 1 ⊕ 𝑦 0 𝑧 2 ) ⊕ 𝑦 2 𝑧 0 ) ⊕ ((𝑥 2 ⊕ 𝑦 1 𝑧 2 ) ⊕ 𝑦 2 𝑧 1 ) 𝑑 0 = 𝑏 0 𝑐 0 ⊕ 𝑥 0 ⊕ 𝑥 1 𝑑 1 = 𝑏 1 𝑐 1 ⊕ ((𝑥 0 ⊕ 𝑏 0 𝑐 1 ) ⊕ 𝑏 1 𝑐 0 ) ⊕ 𝑢 2 𝑑 2 = 𝑏 2 𝑐 2 ⊕ ((𝑥 1 ⊕ 𝑏 0 𝑐 2 ) ⊕ 𝑏 2 𝑐 0 ) ⊕ ((𝑢 2 ⊕ 𝑏 1 𝑐 2 ) ⊕ 𝑏 2 𝑐 1 ) Reduced Randomness cost by 2 random numbers 17

  18. RRM: Example • Formal security verification [8] : the 2-multiplication gadget is 2-NI 𝑨 0 = 𝑦 0 𝑧 0 ⊕ 𝑥 0 ⊕ 𝑥 1 𝑨 1 = 𝑦 1 𝑧 1 ⊕ ((𝑥 0 ⊕ 𝑦 0 𝑧 1 ) ⊕ 𝑦 1 𝑧 0 ) ⊕ 𝑥 2 𝑨 2 = 𝑦 2 𝑧 2 ⊕ ((𝑥 1 ⊕ 𝑦 0 𝑧 2 ) ⊕ 𝑦 2 𝑧 0 ) ⊕ ((𝑥 2 ⊕ 𝑦 1 𝑧 2 ) ⊕ 𝑦 2 𝑧 1 ) 𝑑 0 = 𝑏 0 𝑐 0 ⊕ 𝑥 0 ⊕ 𝑥 1 𝑑 1 = 𝑏 1 𝑐 1 ⊕ ((𝑥 0 ⊕ 𝑏 0 𝑐 1 ) ⊕ 𝑏 1 𝑐 0 ) ⊕ 𝑢 2 𝑑 2 = 𝑏 2 𝑐 2 ⊕ ((𝑥 1 ⊕ 𝑏 0 𝑐 2 ) ⊕ 𝑏 2 𝑐 0 ) ⊕ ((𝑢 2 ⊕ 𝑏 1 𝑐 2 ) ⊕ 𝑏 2 𝑐 1 ) [8] Jean-Sebastien Coron. Formal Verification of Side-channel Countermeasures via Elementary Circuit Transformations. 18

  19. RRM: Example • Recycle more! 𝑨 0 = 𝑦 0 𝑧 0 ⊕ 𝑥 0 ⊕ 𝑥 1 𝑨 1 = 𝑦 1 𝑧 1 ⊕ ((𝑥 0 ⊕ 𝑦 0 𝑧 1 ) ⊕ 𝑦 1 𝑧 0 ) ⊕ 𝑥 2 𝑨 2 = 𝑦 2 𝑧 2 ⊕ ((𝑥 1 ⊕ 𝑦 0 𝑧 2 ) ⊕ 𝑦 2 𝑧 0 ) ⊕ ((𝑥 2 ⊕ 𝑦 1 𝑧 2 ) ⊕ 𝑦 2 𝑧 1 ) 𝑑 0 = 𝑏 0 𝑐 0 ⊕ 𝑥 0 ⊕ 𝑥 1 𝑑 1 = 𝑏 1 𝑐 1 ⊕ ((𝑥 0 ⊕ 𝑏 0 𝑐 1 ) ⊕ 𝑏 1 𝑐 0 ) ⊕ 𝑥 2 𝑑 2 = 𝑏 2 𝑐 2 ⊕ ((𝑥 1 ⊕ 𝑏 0 𝑐 2 ) ⊕ 𝑏 2 𝑐 0 ) ⊕ ((𝑥 2 ⊕ 𝑏 1 𝑐 2 ) ⊕ 𝑏 2 𝑐 1 ) Reduced Randomness cost by 3 random numbers 19

Recommend

Randomness Complexity of Private Circuits for Multiplication Sonia Belad, Fabrice Benhamouda,

Randomness Complexity of Private Circuits for Multiplication Sonia Belad, Fabrice Benhamouda,

Randomness Complexity of Private Circuits for Multiplication Sonia Belad, Fabrice Benhamouda, Alain Passelgue , Emmanuel Prouff, Adrian Thillard, Damien Vergnaud brief introduction - side-channel attacks - masking - -probing model

955 views • 54 slides
Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and Franois-Xavier Standaert UCL (Louvain-la-Neuve, Belgium) CHES 2017, Taipei, Taiwan Outline Background Masking Barthe et al. masking

614 views • 48 slides
Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on

Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on

Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on the spatial attribute type. Proposal part 2 Details of the masking attribute addition. Table 3-13 - S100_GF_SpatialAttributeType Role Name

558 views • 8 slides
Firmware Insider Bluetooth Randomness is Mostly Random RANDOMNESS IS MY PASSION Jrn

Firmware Insider Bluetooth Randomness is Mostly Random RANDOMNESS IS MY PASSION Jrn

Firmware Insider Bluetooth Randomness is Mostly Random RANDOMNESS IS MY PASSION Jrn Tillmanns, Jiska Classen, Felix Rohrbach, Matthias Hollick Technische Universitt Darmstadt, Germany ??? 2 How to acquire randomness? A: 42 B: Random

562 views • 32 slides
Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan)

Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan)

Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan) 2017-09-29 1 quick intro to masking masking = countermeasure against DPA idea: secret sharing b = b 1 + b 2 individual shares tell you nothing

752 views • 45 slides
Lecture 19 Randomness, Pseudo Randomness, and Confidentiality Stephen Checkoway University

Lecture 19 Randomness, Pseudo Randomness, and Confidentiality Stephen Checkoway University

Lecture 19 Randomness, Pseudo Randomness, and Confidentiality Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller and Baileys ECE 422 Randomness and Pseudorandomness Review Problem:

1.69k views • 33 slides
Randomness Some content taken from Silence on the Wire by Michal Zalewski Todays Agenda

Randomness Some content taken from Silence on the Wire by Michal Zalewski Todays Agenda

Randomness Some content taken from Silence on the Wire by Michal Zalewski Todays Agenda Randomness in Private Key Generation Randomness in Election (fraud) Randomness in Coin Flipping What is random? Chosen without method

693 views • 35 slides
On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun Goudarzi and Matthieu Rivain CHES 2016, Santa-Barbara Higher-Order Masking x = x 1 + x 2 + + x d 2/28 Higher-Order Masking x = x 1 + x 2 +

855 views • 42 slides
Randomness and analysis: a tutorial Part I: Randomness notions and almost everywhere theorems

Randomness and analysis: a tutorial Part I: Randomness notions and almost everywhere theorems

Randomness and analysis: a tutorial Part I: Randomness notions and almost everywhere theorems Andr e Nies CCC 2015, Kochel am See 1/1 Di ff erentiability Di ff erentiability of a function f at a real z means that the rate of change

1.19k views • 108 slides
Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Introduction RSM: Rotating Sboxes Masking Information Theoretic Evaluation of RSM Security Evaluation of RSM against CPA and 2O-CPA Conclusions and Perspectives Formal Analysis of the Entropy / Security Trade-off in First-Order Masking

539 views • 38 slides
15-251 Great Theoretical Ideas in Computer Science Lecture 21: Introduction to Randomness and

15-251 Great Theoretical Ideas in Computer Science Lecture 21: Introduction to Randomness and

15-251 Great Theoretical Ideas in Computer Science Lecture 21: Introduction to Randomness and Probability Theory Review April 4th, 2017 Randomness and the Universe Randomness and the Universe Does the universe have true randomness?

693 views • 52 slides
Disclosures Masking and Breast Density Volpare Health Solutions (Wellington, New Zealand) Can we

Disclosures Masking and Breast Density Volpare Health Solutions (Wellington, New Zealand) Can we

6/8/2017 Disclosures Masking and Breast Density Volpare Health Solutions (Wellington, New Zealand) Can we Quantify Masking Risk? co-founder and shareholder Qview Medical (Los Altos, CA) Nico Karssemeijer consultant, co-founder and

883 views • 18 slides
Randomness in Computing L ECTURE 1 Randomness in Computing Course information Verifying

Randomness in Computing L ECTURE 1 Randomness in Computing Course information Verifying

Randomness in Computing L ECTURE 1 Randomness in Computing Course information Verifying polynomial identities Probability Amplification Probability Review Sofya Raskhodnikova 1/21/2020 Sofya Raskhodnikova;Randomness in Computing

348 views • 21 slides
Counting Words: Non- Randomness Pre-Processing and Non-Randomness The End Marco Baroni &

Counting Words: Non- Randomness Pre-Processing and Non-Randomness The End Marco Baroni &

Pre-processing and non-randomness Baroni & Evert Pre-Processing Counting Words: Non- Randomness Pre-Processing and Non-Randomness The End Marco Baroni & Stefan Evert M alaga, 11 August 2006 Outline Pre-processing and

879 views • 55 slides
Physical Randomness Extractors Kai-Min Chung Academia Sinica, Taiwan Xiaodi Wu Yaoyun Shi

Physical Randomness Extractors Kai-Min Chung Academia Sinica, Taiwan Xiaodi Wu Yaoyun Shi

Physical Randomness Extractors Kai-Min Chung Academia Sinica, Taiwan Xiaodi Wu Yaoyun Shi MIT/UC Berkeley University of Michigan Presented in QIP14 as plenary talk (joint with [MS14]) 1 Randomness Randomness is a vital resource

391 views • 17 slides
Algorithmic randomness Cuny logic worshop Benoit Monin - LACL - Universit e Paris-Est Cr

Algorithmic randomness Cuny logic worshop Benoit Monin - LACL - Universit e Paris-Est Cr

Algorithmic randomness Beyond arithmetic Higher randomness ITTM and randomness Algorithmic randomness Cuny logic worshop Benoit Monin - LACL - Universit e Paris-Est Cr eteil 5 May 2017 Algorithmic randomness Beyond arithmetic Higher

771 views • 64 slides
Understanding the Masking-Shadowing Function INRIA ; CNRS ; Univ. Grenoble Alpes in

Understanding the Masking-Shadowing Function INRIA ; CNRS ; Univ. Grenoble Alpes in

Understanding the Masking-Shadowing Function in Understanding the Masking-Shadowing Function in Microfacet-Based BRDFs 2014-09-01 Microfacet-Based BRDFs Eric Heitz Understanding the Masking-Shadowing Function INRIA ; CNRS ; Univ. Grenoble

808 views • 77 slides
Randomness in C 2 and Pluripotential Theory Randomness in C 2 and Pluripotential Theory Outline 1

Randomness in C 2 and Pluripotential Theory Randomness in C 2 and Pluripotential Theory Outline 1

Randomness in C 2 and Pluripotential Theory Randomness in C 2 and Pluripotential Theory Outline 1 Zeros of univariate random polynomials p : C C and potential theory; recent results of Bloom-Dauvergne 2 Random polynomials p : C 2 C and

585 views • 42 slides
Randomness Dependent Randomness Dependent Message Security g y Eleanor Birrell Kai

Randomness Dependent Randomness Dependent Message Security g y Eleanor Birrell Kai

Randomness Dependent Randomness Dependent Message Security g y Eleanor Birrell Kai Min Chung Rafael Pass Sidharth Telang Public key Encryption Public key Encryption Goal: l (pk,sk) Gen c = Enc(pk,m) E ( k ) Dec(sk,c) = m

638 views • 40 slides
Masking TablesAn Underestimated Security Risk Michael Tunstall Carolyn Whitnall Elisabeth

Masking TablesAn Underestimated Security Risk Michael Tunstall Carolyn Whitnall Elisabeth

Masking TablesAn Underestimated Security Risk Michael Tunstall Carolyn Whitnall Elisabeth Oswald March, 2013 Michael Tunstall (University of Bristol) Masking Tables March, 2013 1 / 21 Introduction Differential Power Analysis exploits

249 views • 21 slides
Weight two Masking in the McEliece system Violetta Weger University of Zurich The 13th

Weight two Masking in the McEliece system Violetta Weger University of Zurich The 13th

Weight two Masking in the McEliece system Violetta Weger University of Zurich The 13th International Conference on Finite Fields and their Applications June 5, 2017 Violetta Weger Weight two Masking in the McEliece system Outline 1

1.31k views • 34 slides
CS 574: Randomized Algorithms Lecture 1. Introduction to Randomness August 25, 2015 Lecture 1.

CS 574: Randomized Algorithms Lecture 1. Introduction to Randomness August 25, 2015 Lecture 1.

Administrativia and Syllabus Why Randomness? Randomness in Computer Science CS 574: Randomized Algorithms Lecture 1. Introduction to Randomness August 25, 2015 Lecture 1. Introduction to Randomness CS 574: Randomized Algorithms

1.23k views • 61 slides
Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

8 + Introduction Higher Order Masking Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved Scheme Experimental Results J.-S. Coron 1 E. Prouff 2 M. Rivain 1 , 2 Conclusion 1 University of

555 views • 43 slides
How to mask S-Boxes of a block cipher against side channel attacks. Focus on the AES. Micha el

How to mask S-Boxes of a block cipher against side channel attacks. Focus on the AES. Micha el

Introduction Masking based on Look-up tables How to mask (additively) basic operations? Method based on multiplicative masking Method based on Square and Multiply and addition chains Method based on the tower field representation

824 views • 54 slides

More recommend