masking the glp lattice based signature scheme at any
play

Masking the GLP Lattice-Based Signature Scheme at any Order Gilles - PowerPoint PPT Presentation

The signature The countermeasure and its proof Performances Future work Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software Institute) Sonia Belad (CryptoExperts) Thomas Espitau (UPMC) Pierre-Alain


  1. The signature The countermeasure and its proof Performances Future work Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software Institute) Sonia Belaïd (CryptoExperts) Thomas Espitau (UPMC) Pierre-Alain Fouque (Univ. Rennes I and IUF) Benjamin Grégoire (INRIA Sophia Antipolis) Mélissa Rossi (ENS Paris and Thales) Mehdi Tibouchi (NTT Secure Platform Laboratories) May 1st 2018 Eurocrypt

  2. The signature The countermeasure and its proof Performances Future work Masking a post-quantum signature ➳ Numerous side channel attacks against lattice-based schemes (Gaussian distributions, rejection sampling) ➳ Few countermeasures exist, especially on signatures ➳ Call for concrete implementations of post-quantum cryptography Strong countermeasures needed

  3. The signature The countermeasure and its proof Performances Future work Leakage models and masking Input Algorithm Returned value

  4. Proof-Friendly The signature The countermeasure and its proof Performances Future work Leakage models and masking Input Ishai, Sahai and Wagner model [ISW03] : The attacker can access the exact values of at most d intermediate values Algorithm Returned value

  5. Proof-Friendly Realistic The signature The countermeasure and its proof Performances Future work Leakage models and masking Ishai, Sahai and Wagner model [ISW03] : Input The attacker can access the exact values of at most d intermediate values Algorithm Noisy leakage model [CJRR99, PR13]: The attacker can access the noisy values of all the intermediate values Returned value

  6. The signature The countermeasure and its proof Performances Future work Leakage models and masking Input Security in the ISW model: d order masking Each sensitive value is replaced by d + 1 shares. Algorithm Returned value

  7. The signature The countermeasure and its proof Performances Future work Leakage models and masking Input Security in the ISW model: d order masking Each sensitive value is replaced by d + 1 shares. Algorithm Such that it is impossible to recover the value without having all d + 1 shares + + + + = Returned value

  8. The signature The countermeasure and its proof Performances Future work Leakage models and masking Input Security in the ISW model: d order masking Each sensitive value is replaced by d + 1 shares. Algorithm Such that it is impossible to recover the value without having all d + 1 shares + + + + = Any strict subset of at most d shares is independant from the sensitive value Returned value

  9. The signature The countermeasure and its proof Performances Future work Our contribution The fjrst provable masked implementation of a lattice-based signature scheme at any order ➳ New techniques for masking lattice-based Fiat–Shamir with abort signatures ➳ New proofs for masking probabilistic algorithms

  10. The signature The countermeasure and its proof Performances Future work 1 The signature 1 Why GLP signature scheme ? 2 GLP signature scheme 2 The countermeasure and its proof 1 Structure of the countermeasure and its proof 2 Masking GLP key generation 3 Masking GLP signature 4 Composition 5 Conversions Boolean to arithmetic 3 Performances

  11. But still some new diffjculties Probabilistic algorithm Reliance on rejection sampling The signature The countermeasure and its proof Performances Future work Why GLP signature scheme ? Introduced in [Lyu09, Lyu12] Implemented by Güneysu, Lyubashevsky and Pöppelmann in [GLP12] ➳ Ancestor of BLISS and Dilithium ➳ No Gaussians, only uniform distributions

  12. The signature The countermeasure and its proof Performances Future work Why GLP signature scheme ? Introduced in [Lyu09, Lyu12] Implemented by Güneysu, Lyubashevsky and Pöppelmann in [GLP12] ➳ Ancestor of BLISS and Dilithium ➳ No Gaussians, only uniform distributions But still some new diffjculties ➳ Probabilistic algorithm ➳ Reliance on rejection sampling

  13. The signature The countermeasure and its proof Performances Future work GLP Key derivation Z p [ x ] R = R k : coeffjcients in the range [ − k, k ] ( x n +1) Algorithm 1 GLP key derivation Ensure: Signing key sk , verifjcation key pk 1: s 1 , s 2 $ //s 1 and s 2 have coeffjcients in {− 1 , 0 , 1 } ← − R 1 $ 2: a ← − R 3: t ← as 1 + s 2 4: sk ← ( s 1 , s 2 ) 5: pk ← ( a , t ) ➳ Based on the Decisional Compact Knapsack problem

  14. The signature The countermeasure and its proof Performances Future work GLP signature ➳ Fiat–Shamir with abort signature Algorithm 2 GLP sign Require: m, pk = ( a , t ) , sk = ( s 1 , s 2 ) Ensure: Signature σ 1: y 1 , y 2 $ Random generation ← − R k 2: c ← H ( r = ay 1 + y 2 , m ) Commitment and challenge 3: z 1 ← s 1 c + y 1 4: z 2 ← s 2 c + y 2 5: if z 1 or z 2 / ∈ R k − α then restart Rejection Sampling 6: return σ = ( z 1 , z 2 , c ) k = 2 14 α = 16 n = 512 p = 8383489 Verifjcation : z 1 , z 2 ∈ R k − α and c = H ( az 1 + z 2 − tc , m )

  15. 2 Each block is proven securely masked with one of the following properties For non sensitive Every set of at most in- parts. termediate variables can Every set of at most in- be perfectly simulated termediate variables can with at most shares of be perfectly simulated each input. and at most shares of each input. We give some values (called out- puts)totheattackerandprovethat the countermeasure does not leak more than the outputs. 3 A composition proof combines all the securities to the whole scheme public outputs Non interferent with with the public outputs Non interferent Unmasked The signature The countermeasure and its proof Performances Future work Structure of the countermeasure and its proof 1 The signature and key derivation algorithms are divided in blocks

  16. For non sensitive Every set of at most in- parts. termediate variables can Every set of at most in- be perfectly simulated termediate variables can with at most shares of be perfectly simulated each input. and at most shares of each input. We give some values (called out- puts)totheattackerandprovethat the countermeasure does not leak more than the outputs. 3 A composition proof combines all the securities to the whole scheme public outputs Non interferent with with the public outputs Non interferent Unmasked The signature The countermeasure and its proof Performances Future work Structure of the countermeasure and its proof 1 The signature and key derivation algorithms are divided in blocks 2 Each block is proven securely masked with one of the following properties

  17. Every set of at most in- termediate variables can Every set of at most in- be perfectly simulated termediate variables can with at most shares of be perfectly simulated each input. and at most shares of each input. We give some values (called out- puts)totheattackerandprovethat the countermeasure does not leak more than the outputs. 3 A composition proof combines all the securities to the whole scheme public outputs Non interferent with Non interferent with the public outputs Unmasked The signature The countermeasure and its proof Performances Future work Structure of the countermeasure and its proof 1 The signature and key derivation algorithms are divided in blocks 2 Each block is proven securely masked with one of the following properties For non sensitive parts.

  18. Every set of at most in- termediate variables can be perfectly simulated and at most shares of each input. We give some values (called out- puts)totheattackerandprovethat the countermeasure does not leak more than the outputs. 3 A composition proof combines all the securities to the whole scheme Non interferent with the public outputs Non interferent with Unmasked public outputs The signature The countermeasure and its proof Performances Future work Structure of the countermeasure and its proof 1 The signature and key derivation algorithms are divided in blocks 2 Each block is proven securely masked with one of the following properties For non sensitive Every set of at most d in- parts. termediate variables can be perfectly simulated with at most d shares of each input.

  19. We give some values (called out- puts)totheattackerandprovethat the countermeasure does not leak more than the outputs. 3 A composition proof combines all the securities to the whole scheme Non interferent with the public outputs Unmasked public outputs Non interferent with The signature The countermeasure and its proof Performances Future work Structure of the countermeasure and its proof 1 The signature and key derivation algorithms are divided in blocks 2 Each block is proven securely masked with one of the following properties For non sensitive Every set of at most d in- parts. termediate variables can Every set of at most d in- be perfectly simulated termediate variables can with at most d shares of be perfectly simulated each input. and at most d shares of each input.

Recommend


More recommend