ls designs
play

LS-Designs Bitslice Encryption for Efficient Masked Software - PowerPoint PPT Presentation

Apr 20, 2023 •354 likes •638 views

1 / 20 Conclusion FSE 2014 LS-Designs G. Leurent (UCL,Inria) Motivation LS-Designs Bitslice Encryption for Efficient Masked Software Implementations Instances Security Analysis LS-Designs . . . . . . . . . . . . . . . . . . Vincent

  1. 1 / 20 Conclusion FSE 2014 LS-Designs G. Leurent (UCL,Inria) Motivation LS-Designs Bitslice Encryption for Efficient Masked Software Implementations Instances Security Analysis LS-Designs . . . . . . . . . . . . . . . . . . Vincent Grosso 1 Gaëtan Leurent 1 , 2 FrançoisXavier Standert 1 Kerem Varici 1 1 UCL, Belgium  2 Inria, France FSE 2014

  2. 2 / 20 Motivation FSE 2014 LS-Designs LS-Designs Security Analysis G. Leurent (UCL,Inria) Instances Conclusion Secure communications . . . . . . . . . . . . . . . . . . ▶ Cryptography aims to provide secure communications in the presence of an adversary. ▶ Classical model: adversary controls the communication channel: . . . . . . . . . . . E D P C P Alice Bob ▶ Recovering the plaintext without the key should be hard. ▶ Mathematical properties of the cipher E .

  3. 3 / 20 Motivation FSE 2014 LS-Designs LS-Designs Security Analysis G. Leurent (UCL,Inria) Instances Conclusion Side-channel analysis . . . . . . . . . . . . . . . . . . ▶ In practice, the cryptography is implemented by a physical system ▶ Smart card (credit card, SIM), computer, mechanical machine ... ▶ The adversary can measure physical properties of the system ▶ Time to encrypt data ▶ Power consumption ▶ Electromagnetic radiations ▶ Sound ▶ ... ▶ Information about values during the computation can break the system even if the algorithm is good. .

  4. 4 / 20 Motivation FSE 2014 LS-Designs LS-Designs Security Analysis G. Leurent (UCL,Inria) Instances Conclusion Side-channel protection . . . . . . . . . . . . . . . . . . ▶ Implement crypto carefully: ▶ Constant time operations (avoid SPA attacks) ▶ No secret branches ▶ No secret table access (avoid cache timing) ▶ Power consumption depend on the value of the operands ▶ Correlated with Hamming weight/distance of values in bus/registers/... ▶ Exploited in DPA attacks ▶ Masking ▶ Best understood countermeasure

  5. 4 / 20 Motivation FSE 2014 LS-Designs LS-Designs Security Analysis G. Leurent (UCL,Inria) Instances Conclusion Side-channel protection . . . . . . . . . . . . . . . . . . ▶ Implement crypto carefully: ▶ Constant time operations (avoid SPA attacks) ▶ No secret branches ▶ No secret table access (avoid cache timing) ▶ Power consumption depend on the value of the operands ▶ Correlated with Hamming weight/distance of values in bus/registers/... ▶ Exploited in DPA attacks ▶ Masking ▶ Best understood countermeasure

  6. 4 / 20 Motivation FSE 2014 LS-Designs LS-Designs Security Analysis G. Leurent (UCL,Inria) Instances Conclusion Side-channel protection . . . . . . . . . . . . . . . . . . ▶ Implement crypto carefully: ▶ Constant time operations (avoid SPA attacks) ▶ No secret branches ▶ No secret table access (avoid cache timing) ▶ Power consumption depend on the value of the operands ▶ Correlated with Hamming weight/distance of values in bus/registers/... ▶ Exploited in DPA attacks ▶ Masking ▶ Best understood countermeasure

  7. 5 / 20 Motivation FSE 2014 LS-Designs LS-Designs Security Analysis G. Leurent (UCL,Inria) Instances Conclusion Masking . . . . . . . . . . . . . . . . . . ▶ Split the sensitive data in r shares (secret sharing) ▶ k 1 ← $ , ... ▶ k r − 1 ← $ ▶ k r ← k − ∑ k i ▶ Use MPClike techniques to avoid manipulating the secret itself ▶ Linear operations are easy ▶ Perform operation on each share ▶ Nonlinear operations are expansive ▶ Need interaction, and randomness ▶ Cost increase with r 2 ▶ Sidechannel adversary must combine r measures (for an ideal implementation...) ▶ Data complexity is exponential in r : (𝜏 2 n ) r

  8. 6 / 20 Motivation FSE 2014 LS-Designs LS-Designs Security Analysis G. Leurent (UCL,Inria) Instances Conclusion Motivation Main question . . . . . . . . . . . . . . . . . . How to have secure crypto on 8bit microcontrollers? ▶ Sidechannel resistance necessary in many lightweight settings ▶ Avoid your car keys / credit card being cloned ▶ Usual approach: 1 Design a secure cipher (AES, PRESENT, Noekeon, ...) 2 Implement with sidechannel countermeasures ▶ Can we reverse the problem? 1 Use operations that are easy to mask 2 In order to design a secure cipher ▶ Previous work: Zorro, PICARO

  9. 7 / 20 Motivation FSE 2014 LS-Designs LS-Designs Security Analysis G. Leurent (UCL,Inria) Instances Conclusion Choice of operations Important remark . . . . . . . . . . . . . . . . . . Logic gates are easier to mask than tablebased Sboxes (If we target Boolean masking) ▶ Use bitsliced Sboxes (SERPENT, Noekeon, ...) ▶ One word contains the msb (resp. 2 nd bit, ...) of every Sbox ▶ Bitwise operations: 8 Sboxes in parallel using 8bit words ▶ Use a small number of nonlinear gates ▶ We can use tables for the diffusion layer! ▶ Efficient, good diffusion ▶ Easy to mask (linear)

  10. 7 / 20 Motivation FSE 2014 LS-Designs LS-Designs Security Analysis G. Leurent (UCL,Inria) Instances Conclusion Choice of operations Important remark . . . . . . . . . . . . . . . . . . Logic gates are easier to mask than tablebased Sboxes (If we target Boolean masking) ▶ Use bitsliced Sboxes (SERPENT, Noekeon, ...) ▶ One word contains the msb (resp. 2 nd bit, ...) of every Sbox ▶ Bitwise operations: 8 Sboxes in parallel using 8bit words ▶ Use a small number of nonlinear gates ▶ We can use tables for the diffusion layer! ▶ Efficient, good diffusion ▶ Easy to mask (linear)

  11. 8 / 20 Motivation FSE 2014 LS-Designs LS-Designs Security Analysis G. Leurent (UCL,Inria) Instances Conclusion LS-designs . . . . . . . . . . . . . . . . . . ▶ Mathematical description: SPN network ▶ Sboxes (with simple gate representation) ▶ Linear diffusion layer (binary matrix) ▶ Good design criterion: widetrail S S S S S S S S S L . . . . . . . . . . . . . . . . . . . . . S S S S S S S S S L ▶ Bitslice implementation: ▶ Sbox as a series of bitwise operations ▶ Lbox tables for diffusion layer ▶ Easy to mask (simple nonlinear ops., complex linear ops.)

  12. 8 / 20 Motivation FSE 2014 LS-Designs LS-Designs Security Analysis G. Leurent (UCL,Inria) Instances Conclusion LS-designs . . . . . . . . . . . . . . . . . . . . . . x ← P ⊕ K State as a bitmatrix for 0 ≤ r < N r do ▷ Sbox layer: for 0 ≤ i < l do x [ i , ⋆] = 𝘛[ x [ i , ⋆]] Sbox layer ▷ Lbox layer: for 0 ≤ j < s do x [⋆, j ] = 𝘔[ x [⋆, j ]] Lbox layer ▷ Key addition: x ← x ⊕ k r return x

  13. 9 / 20 Class13 from [UCIKMP11] FSE 2014 LS-Designs LS-Designs Security Analysis G. Leurent (UCL,Inria) Instances Conclusion S-box: 4-bit Involution with same prob. Motivation . . . . . . . . . . . . . . . . . . ▶ Exhaustive search possible for 4bit Sbox [UCIKMP11] ▶ Optimal Sbox with 4 nonlinear gates: Pr lin = 2 − 1 , Pr diff = 2 − 2 . . . .

  14. 10 / 20 Motivation FSE 2014 LS-Designs LS-Designs Security Analysis G. Leurent (UCL,Inria) Instances Conclusion S-box: 8-bit MISTY-like Feistel Whirlpool-like . . . . . . . . . . . . . . . . . . ▶ Exhaustive search not possible ▶ Use constructions from a 4bit Sbox: S 1 S 1 S 2 S 1 L S 2 S 2 S 3 S 4 S 3 S 3 . . . . . . . . . . . . . . . . ▶ Test properties

  15. 11 / 20 Motivation FSE 2014 LS-Designs LS-Designs Security Analysis G. Leurent (UCL,Inria) Instances Conclusion Best S-Boxes . . . . . . . . . . . . . . . . . . size # AND # XOR Invol. deg (𝘛) Pr diff Pr lin 2 − 2 2 − 1 NOEKEON 4 4 7 Yes 3 2 − 2 2 − 1 Class 13 4 4 No 3 2 − 2 2 − 1 Figure (b) 4 4 Yes 3 2 − 6 2 − 3 AES 8 32 83 No 7 2 − 4 . 68 2 − 2 Whirlpool + Class 13 16 41 No 6 2 − 4 . 68 2 − 2 Whirlpool + Figure (b) 16 42 No 6 2 − 4 2 − 2 Feistel + Class13 12 24 Yes 6 2 − 4 2 − 2 Feistel + Figure (b) 12 24 Yes 5 2 − 4 2 − 2 MISTY + 3/5bit 11 25 No 5 Feistel 2 + Class13 2 − 8 2 − 4 16 36 96 Yes 13

  16. 11 / 20 Motivation FSE 2014 LS-Designs LS-Designs Security Analysis G. Leurent (UCL,Inria) Instances Conclusion Best S-Boxes . . . . . . . . . . . . . . . . . . size # AND # XOR Invol. deg (𝘛) Pr diff Pr lin 2 − 2 2 − 1 NOEKEON 4 4 7 Yes 3 2 − 2 2 − 1 Class 13 4 4 No 3 2 − 2 2 − 1 Figure (b) 4 4 Yes 3 2 − 6 2 − 3 AES 8 32 83 No 7 2 − 4 . 68 2 − 2 Whirlpool + Class 13 16 41 No 6 2 − 4 . 68 2 − 2 Whirlpool + Figure (b) 16 42 No 6 2 − 4 2 − 2 Feistel + Class13 12 24 Yes 6 2 − 4 2 − 2 Feistel + Figure (b) 12 24 Yes 5 2 − 4 2 − 2 MISTY + 3/5bit 11 25 No 5 Feistel 2 + Class13 2 − 8 2 − 4 16 36 96 Yes 13

  17. 12 / 20 Motivation FSE 2014 LS-Designs LS-Designs Security Analysis G. Leurent (UCL,Inria) Instances Conclusion L-box choice . . . . . . . . . . . . . . . . . . ▶ Wide trail strategy: maximum branch number ▶ At least B active Sboxes every two rounds ▶ Use coding theory results 8-bit Exhaustive search possible ▶ Maximum branch number is 5 ▶ Reachable with involutions 16-bit Optimal codes known ▶ Optimal distance is 8 ▶ ReedMuller(2,5) gives an involution 32-bit Optimal codes not known ▶ Best known code have a distance 12 ▶ Upper bound is 16

Recommend

CSE 140 Lecture 14 System Designs CK Cheng CSE Dept. UC San Diego 1 System Designs

CSE 140 Lecture 14 System Designs CK Cheng CSE Dept. UC San Diego 1 System Designs

CSE 140 Lecture 14 System Designs CK Cheng CSE Dept. UC San Diego 1 System Designs Introduction Components Spec Implementation 2 Digital Designs vs Computer Architectures Instruction Set (H.Chapter 6, CSE141)

503 views • 18 slides
Go 2 Draft Designs Hello everyone, Im here to talk about the draft designs that the Go team

Go 2 Draft Designs Hello everyone, Im here to talk about the draft designs that the Go team

Go 2 Draft Designs Hello everyone, Im here to talk about the draft designs that the Go team recently released for possible future additions to Go, specifically about two areas: improved error handling and parametric polymorphism (AKA generics),

411 views • 29 slides
Group Sequential and Adaptive Designs Part II: Adaptive Designs May 2, 2015 Cyrus Mehta, Ph.D.

Group Sequential and Adaptive Designs Part II: Adaptive Designs May 2, 2015 Cyrus Mehta, Ph.D.

Group Sequential and Adaptive Designs Part II: Adaptive Designs May 2, 2015 Cyrus Mehta, Ph.D. Cytel Inc. Adaptive Designs Adaptive designs are defined as: changes in design or analyses guided by examination of the accumulated

1.11k views • 64 slides
Designs Learning designs Learning objectives Learners will be able to Provide a

Designs Learning designs Learning objectives Learners will be able to Provide a

Learning Designs Learning designs Learning objectives Learners will be able to Provide a rationale for using multiple learning designs. Identify at least five to seven learning designs appropriate for one of their professional

274 views • 14 slides
D-optimal Designs and Equidistant Designs for Stationary Processes Milan Stehl k

D-optimal Designs and Equidistant Designs for Stationary Processes Milan Stehl k

D-optimal Designs and Equidistant Designs for Stationary Processes Milan Stehl k Department of Applied Statistics Johannes Kepler University in Linz Austria 1 This work was supported by WTZ project Nr. 04/2006. Outlook 1. Correlated

435 views • 29 slides
Single-Case Designs (SCD) I. Use of SCD in SW II. Requirements for SCD 1. Target problem (DV) 2.

Single-Case Designs (SCD) I. Use of SCD in SW II. Requirements for SCD 1. Target problem (DV) 2.

1 Single-Case Designs (SCD) I. Use of SCD in SW II. Requirements for SCD 1. Target problem (DV) 2. Quantification of data 3. Obtaining baseline 4. Graphic display of data III. Designs(AB, ABAB. ABC/ABCD) and Examples IV. Time Series Designs

667 views • 19 slides
Single Subject Designs ScWk 240 Week 8 Slides 1 Group vs. Single Subject Designs There are two

Single Subject Designs ScWk 240 Week 8 Slides 1 Group vs. Single Subject Designs There are two

Single Subject Designs ScWk 240 Week 8 Slides 1 Group vs. Single Subject Designs There are two broadly defined approaches to experimental research: group designs &amp; single-subject designs Both approaches apply components of the scientific

348 views • 24 slides
A number of steps are required in solving design problems. The steps should be carried out

A number of steps are required in solving design problems. The steps should be carried out

D AY 147 S QUARE AND RECTANGULAR DESIGNS I NTRODUCTION Geometry can be used in modeling of wonderful designs like designs of rectangular house roofs, a rectangular table top, a rectangular field, a rectangular window frame, among other

759 views • 17 slides
15. Scientific Foundations A MERICAN P SYCHOLOGICAL A SSOCIATION Research Designs for Recovery

15. Scientific Foundations A MERICAN P SYCHOLOGICAL A SSOCIATION Research Designs for Recovery

15. Scientific Foundations A MERICAN P SYCHOLOGICAL A SSOCIATION Research Designs for Recovery Oriented Mental Health Services Quantitative Studies: Experimental designs Quasi-experimental designs Non-experimental quantitative designs

74 views • 5 slides
Evaluating Interface Designs Evaluating Interface Designs SE3830 SE3830 - Jay Urbain J U b i

Evaluating Interface Designs Evaluating Interface Designs SE3830 SE3830 - Jay Urbain J U b i

Evaluating Interface Designs Evaluating Interface Designs SE3830 SE3830 - Jay Urbain J U b i Credits: Ben Shneiderman, Catherine Plaisant, Roger J. Chapman This graph depicts the relationships between 2367 people How to evaluate Interface

1.2k views • 47 slides
Leveraging Open Source Designs Creating a component search engine for reference designs used in

Leveraging Open Source Designs Creating a component search engine for reference designs used in

Leveraging Open Source Designs Creating a component search engine for reference designs used in practice WHOAMI Lasse Mnch M.Sc. Student at RWTH Aachen University Electronics Hobbyist Creating PCBs Choose Components Create Schematics

342 views • 11 slides
Session 6 - Innovative designs, pharmacometrics and optimal designs Joe Standing

Session 6 - Innovative designs, pharmacometrics and optimal designs Joe Standing

Session 6 - Innovative designs, pharmacometrics and optimal designs Joe Standing j.standing@ucl.ac.uk MRC Fellow: UCL Great Ormond Street Institute of Child Health Antimicrobial Pharmacist: Great Ormond Street Hospital for Children Honorary

689 views • 12 slides
Symmetric Designs Lucia Moura School of Electrical Engineering and Computer Science University

Symmetric Designs Lucia Moura School of Electrical Engineering and Computer Science University

Symmetric designs Projective Planes and Geometries Symmetric Designs Lucia Moura School of Electrical Engineering and Computer Science University of Ottawa lucia@eecs.uottawa.ca Winter 2017 Symmetric Designs Lucia Moura Symmetric designs

574 views • 20 slides
Search for systems of linked symmetric 2 (36 , 15 , 6) designs Matan Ziv-Av Ben-Gurion

Search for systems of linked symmetric 2 (36 , 15 , 6) designs Matan Ziv-Av Ben-Gurion

Search for systems of linked symmetric 2 (36 , 15 , 6) designs Matan Ziv-Av Ben-Gurion University of the Negev AGT16, Plze n, October 2016. Outline Symmetric 2-designs 1 Systems of linked symmetric designs 2 Parameters (36 , 15 , 6)

564 views • 30 slides
Wayfinding Sign Designs Northfield Historic District Preliminary designs prepared for the City of

Wayfinding Sign Designs Northfield Historic District Preliminary designs prepared for the City of

Wayfinding Sign Designs Northfield Historic District Preliminary designs prepared for the City of Northfield Presented to the Northfield Downtown Development Corporation Forum February 6, 2007 Scope of the Project: Design a wayfinding graphic

566 views • 21 slides
Tonights 8 Greenway Designs Tonight s 8 Greenway Designs Commonwealth Ave. Summer St / L St Ch

Tonights 8 Greenway Designs Tonight s 8 Greenway Designs Commonwealth Ave. Summer St / L St Ch

Tonights 8 Greenway Designs Tonight s 8 Greenway Designs Commonwealth Ave. Summer St / L St Ch Charlesgate l Dartmouth St. Route 9 Crossing Route 9 Crossing World Series Path Arborway 2008 Charlesgate Connection Northeastern

920 views • 44 slides
System Designs CK Cheng CSE Dept. UC San Diego 1 System Designs Introduction

System Designs CK Cheng CSE Dept. UC San Diego 1 System Designs Introduction

CSE 140 Lecture 16 System Designs CK Cheng CSE Dept. UC San Diego 1 System Designs Introduction Methodology and Framework Components Specification Implementation 2 Introduction Methodology Approach with

916 views • 28 slides
Under-Ramp Park Under-Ramp Park Schematic Designs Schematic Designs June 12, 2014 1 Transbay

Under-Ramp Park Under-Ramp Park Schematic Designs Schematic Designs June 12, 2014 1 Transbay

Under-Ramp Park Under-Ramp Park Schematic Designs Schematic Designs June 12, 2014 1 Transbay Neighborhood 2006 Concept Plan 2 2 1 Under-Ramp Park Summary Construction to start upon completion of Schedule: TJPA bus ramps $20M in Tax

179 views • 16 slides
DISPLAYS DESIGNS OF STAINLESS STEEL Reference: Four Seasons, Denver Sample Display DESIGNS OF

DISPLAYS DESIGNS OF STAINLESS STEEL Reference: Four Seasons, Denver Sample Display DESIGNS OF

DISPLAYS DESIGNS OF STAINLESS STEEL Reference: Four Seasons, Denver Sample Display DESIGNS OF STAINLESS STEEL 23 Inlaybox with magnetic lid dimensions: 12.6 x 12.09 height closed 2.48 height open 8.86 equipment: TORINO RD53 in

362 views • 8 slides
1 Low-power Techniques Power-aware Architecture Designs Physical (CMOS) level Utilize low-power

1 Low-power Techniques Power-aware Architecture Designs Physical (CMOS) level Utilize low-power

Importance of Low-power Designs Cost factor for high-end systems High-end systems Lecture 24: Power-efficient Cooling and package cost &gt; 40 W: 1 W $1 Designs Air-cooled techniques: reaching limits Electricity bill

311 views • 4 slides
Bayesian Bayesian Adaptive Adaptive Designs for Healthy Designs for Healthy Volunteer

Bayesian Bayesian Adaptive Adaptive Designs for Healthy Designs for Healthy Volunteer

Bayesian Bayesian Adaptive Adaptive Designs for Healthy Designs for Healthy Volunteer Volunteer First First in Man Studies in Man Studies AHPPI 30 th October 2014 Richard Peck, Roche Pharmaceutical Research &amp; Development, Roche

578 views • 14 slides
Survey Research Tyson S. Barrett, PhD PSY 3500 Survey Designs Often used in some way with

Survey Research Tyson S. Barrett, PhD PSY 3500 Survey Designs Often used in some way with

Survey Research Tyson S. Barrett, PhD PSY 3500 Survey Designs Often used in some way with almost all other designs Not as simple as it appears Answers can be influenced by unintended factors order of items the possible response

410 views • 7 slides
Tammy Beauvais Tammy Beauvais Designs TRADITIONAL Tammy Beauvais Designs FASHION Tammy

Tammy Beauvais Tammy Beauvais Designs TRADITIONAL Tammy Beauvais Designs FASHION Tammy

Tammy Beauvais Tammy Beauvais Designs TRADITIONAL Tammy Beauvais Designs FASHION Tammy Beauvais STARS Designs Tammy Beauvais Designs BRAND Tammy Beauvais Designs GRADUATION STOLES GRADUATION STOLES Tammy Beauvais Designs GRADUATION

542 views • 18 slides
Review:'Design'Pa.erns'are'NOT' ! Designs'that'can'be'encoded'in'classes'and' CS 619 Introduction

Review:'Design'Pa.erns'are'NOT' ! Designs'that'can'be'encoded'in'classes'and' CS 619 Introduction

Review:'Design'Pa.erns'are'NOT' ! Designs'that'can'be'encoded'in'classes'and' CS 619 Introduction to OO Design reused'as'is'(i.e.,'linked'lists,'hash'tables)' and Development ! 'Complex'domain;specific'designs'(for'an'en&gt;re' GoF Patterns

241 views • 9 slides

More recommend