mixing additive and multiplicative masking for probing
play

Mixing Additive and Multiplicative Masking for Probing Secure - PowerPoint PPT Presentation

Jul 18, 2023 •180 likes •534 views

Introduction GPQ t-NI GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion Mixing Additive and Multiplicative Masking for Probing Secure Polynomial Evaluation Methods Axel Mathieu-Mahias and Michal Quisquater

  1. Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion Mixing Additive and Multiplicative Masking for Probing Secure Polynomial Evaluation Methods Axel Mathieu-Mahias and Michaël Quisquater University of Versailles (UVSQ) CHES’18 September . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 / 36

  2. Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion The Concept of Masking Side-channel analysis Information leak through physical leakages Data and physical leakages are dependent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2/16 2 / 36

  3. Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion The Concept of Masking Side-channel analysis Information leak through physical leakages Data and physical leakages are dependent The masking countermeasure Randomly split every variable into several shares 1 Secure the processing through internal operations 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2/16 3 / 36

  4. Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion The Concept of Masking Side-channel analysis Information leak through physical leakages Data and physical leakages are dependent The masking countermeasure Randomly split every variable into several shares 1 Secure the processing through internal operations 2 Higher-order masking More than 2 shares Sound countermeasure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2/16 4 / 36

  5. Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion About security The Probing Model [ISW03] ( x 1 , . . . , x d ) ( y 1 , . . . , y d ) Adversary observations Inputs Sec- Op 1 Ω = ( I 1 , I 2 , . . . I t ) Sec-Op 2 Internals Sec-Op 3 Probe Outputs ( z 1 , . . . , z d ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3/16 5 / 36

  6. Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion About security The Probing Model [ISW03] ( x 1 , . . . , x d ) ( y 1 , . . . , y d ) Adversary observations Inputs Sec- Op 1 Ω = ( I 1 , I 2 , . . . I t ) Sec-Op 2 Internals t -probing security Sec-Op 3 Probe Is any set of t observations Outputs independent of sensitive variables ? ( z 1 , . . . , z d ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3/16 6 / 36

  7. Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion About security The Probing Model [ISW03] ( x 1 , . . . , x d ) ( y 1 , . . . , y d ) Adversary observations Inputs Sec- Op 1 Ω = ( I 1 , I 2 , . . . I t ) Sec-Op 2 Internals t -probing security Sec-Op 3 Probe Is any set of t observations Outputs independent of sensitive variables ? ( z 1 , . . . , z d ) Two security notions : t-NI and t-SNI [BBDFG15] → t-SNI transformations can be composed safely ֒ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3/16 7 / 36

  8. Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion State of the Art of Masking S-boxes (Additive Masking) Split every variable x into d = t + 1 shares such that x 1 ⊕ x 2 ⊕ . . . ⊕ x d = x Processing of linear transformations : very efficient Processing of multiplications : much more expensive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4/16 8 / 36

  9. Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion State of the Art of Masking S-boxes (Additive Masking) Split every variable x into d = t + 1 shares such that x 1 ⊕ x 2 ⊕ . . . ⊕ x d = x Processing of linear transformations : very efficient Processing of multiplications : much more expensive AES : [RP10] S AES ( x ) : x �→ x 254 over F 2 8 Generic case : [CGPQR12] 2 n − 1 a i x i over F 2 n ∑ S ( x ) : x �→ i = 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4/16 9 / 36

  10. Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion State of the Art of Masking S-boxes Masking schemes in additive encoding FSE’12 : Carlet et al. CHES’13 : Roy and Vivek CHES’14 : Coron et al. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5/16 10 / 36

  11. Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion State of the Art of Masking S-boxes Masking schemes in additive encoding FSE’12 : Carlet et al. CHES’13 : Roy and Vivek CHES’14 : Coron et al. Masking schemes in other encodings CHES’11 : Prouff and Roche CRYPTO’15 : Carlet et al. EUROCRYPT’14 : Coron EUROCRYPT’15 : Balasch et al. CHES’16 : Goudarzi and Rivain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5/16 11 / 36

  12. Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion The use of several encodings simultaneously GPQ : masking scheme for power functions [GPQ11] Mixes additive and multiplicative masking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6/16 12 / 36

  13. Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion The use of several encodings simultaneously GPQ : masking scheme for power functions [GPQ11] Mixes additive and multiplicative masking The idea Linear transformations : efficient in additive masking Multiplications : efficient in multiplicative masking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6/16 13 / 36

  14. Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion The use of several encodings simultaneously GPQ : masking scheme for power functions [GPQ11] Mixes additive and multiplicative masking The idea Linear transformations : efficient in additive masking Multiplications : efficient in multiplicative masking The scheme Secure processing of a Dirac function ( Secure-dirac ) Transformations to switch from additive into multiplicative masking ( AMtoMM ) and conversely ( MMtoAM ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6/16 14 / 36

  15. b Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion GPQ : Masking Scheme for Power Functions x Sec-dirac ⊕ AMtoMM ( x + δ ( x )) α x α ⊕ MMtoAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7/16 15 / 36

  16. b Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion GPQ : Masking Scheme for Power Functions x Sec-dirac ⊕ AMtoMM ( x + δ ( x )) α x α ⊕ MMtoAM Our first contribution GPQ t-NI → GPQ t-SNI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7/16 16 / 36

  17. Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion Our approach and results Our Issue and Our Proposals How to extend GPQ to evaluate polynomials ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8/16 17 / 36

  18. Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion Our approach and results Our Issue and Our Proposals How to extend GPQ to evaluate polynomials ? Our issues Adding monomials : not efficient in multiplicative masking Converting every monomials back in additive masking before adding them : not efficient . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8/16 18 / 36

  19. Introduction GPQ t-NI → GPQ t-SNI Alternate Cyclotomic Method Alternate CRV Method Conclusion Our approach and results Our Issue and Our Proposals How to extend GPQ to evaluate polynomials ? Our issues Adding monomials : not efficient in multiplicative masking Converting every monomials back in additive masking before adding them : not efficient Our t-SNI proposals One method based on the cyclotomic method [CGPQR12] 1 One method based on our first proposal and the CRV 2 method [CRV14] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8/16 19 / 36

Recommend

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun Goudarzi and Matthieu Rivain CHES 2016, Santa-Barbara Higher-Order Masking x = x 1 + x 2 + + x d 2/28 Higher-Order Masking x = x 1 + x 2 +

855 views • 42 slides
USING ARRAYS TO HELP CHILDREN MOVE FROM ADDITIVE TO MULTIPLICATIVE THINKING Sen Delaney

USING ARRAYS TO HELP CHILDREN MOVE FROM ADDITIVE TO MULTIPLICATIVE THINKING Sen Delaney

USING ARRAYS TO HELP CHILDREN MOVE FROM ADDITIVE TO MULTIPLICATIVE THINKING Sen Delaney American Educational Research Association New York City, 14 April 2018 2-D ARRAYS & MULTIPLICATION MATHEMATICS PROBLEM Our local cinema has 26 rows

369 views • 18 slides
Multiplicative Masking for AES in Hardware CHES 2018 Lauren De Meyer, Oscar Reparaz, Begl

Multiplicative Masking for AES in Hardware CHES 2018 Lauren De Meyer, Oscar Reparaz, Begl

Multiplicative Masking for AES in Hardware CHES 2018 Lauren De Meyer, Oscar Reparaz, Begl Bilgin P ROBLEM : SIDE - CHANNEL ANALYSIS 2 S OLUTION : M ASKING 3 E XTRA P ROBLEM : G LITCHES ! 4 B OOLEAN M ASKING ! = # $ , # & , , # (

473 views • 43 slides
Glitch-Resistant Masking Revisited or Why Proofs in the Robust Probing Model are Needed Thorben

Glitch-Resistant Masking Revisited or Why Proofs in the Robust Probing Model are Needed Thorben

Glitch-Resistant Masking Revisited or Why Proofs in the Robust Probing Model are Needed Thorben Moos 1 , Amir Moradi 1 , Tobias Schneider 2 and Franois-Xavier Standaert 2 Horst Grtz Institute for IT Security, Ruhr-Universitt Bochum,

694 views • 46 slides
Set covering with ordered replacement: Additive and Multiplicative gaps Laura Sanit` a

Set covering with ordered replacement: Additive and Multiplicative gaps Laura Sanit` a

Set covering with ordered replacement: Additive and Multiplicative gaps Laura Sanit` a Institute of Mathematics, EPFL, Lausanne, Switzerland Joint work with: F. Eisenbrand, N. Kakimura, T. Rothvo Aussois, 2011 General Set covering problem

1.07k views • 77 slides
Topic Bandwidth allocation models Additive Increase Multiplicative Decrease (AIMD) control

Topic Bandwidth allocation models Additive Increase Multiplicative Decrease (AIMD) control

Topic Bandwidth allocation models Additive Increase Multiplicative Decrease (AIMD) control law AIMD! Sawtooth CSE 461 University of Washington 1 Recall Want to allocate capacity to senders Network layer provides feedback

578 views • 56 slides
How to mask S-Boxes of a block cipher against side channel attacks. Focus on the AES. Micha el

How to mask S-Boxes of a block cipher against side channel attacks. Focus on the AES. Micha el

Introduction Masking based on Look-up tables How to mask (additively) basic operations? Method based on multiplicative masking Method based on Square and Multiply and addition chains Method based on the tower field representation

824 views • 54 slides
Privacy preserving data mining multiplicative perturbation techniques Li Xiong CS573 Data

Privacy preserving data mining multiplicative perturbation techniques Li Xiong CS573 Data

Privacy preserving data mining multiplicative perturbation techniques Li Xiong CS573 Data Privacy and Anonymity Outline Review and critique of randomization approaches (additive noise) Multiplicative data perturbations Rotation

526 views • 39 slides
Subgroups of the multiplicative group Greg Martin University of British Columbia joint work with

Subgroups of the multiplicative group Greg Martin University of British Columbia joint work with

Background, ( -)additive functions Results on I ( n ) and G ( n ) Outline of the proofs Subgroups of the multiplicative group Greg Martin University of British Columbia joint work with Lee Troupe Analytic Number Theory 2017 CMS Winter

841 views • 61 slides
Physical Defaults & the Robust Probing Model Sebastian Faust, Vincent Grosso, Santos Merino

Physical Defaults & the Robust Probing Model Sebastian Faust, Vincent Grosso, Santos Merino

Composable Masking Schemes in the Presence of Physical Defaults & the Robust Probing Model Sebastian Faust, Vincent Grosso, Santos Merino Del Pozo, Clara Paglialonga, Franois-Xavier Standaert TU Darmstadt (Germany), Radbout University

774 views • 39 slides
Local Fourier Uniformity July 9, 2019 The main question Question: Is the multiplicative and

Local Fourier Uniformity July 9, 2019 The main question Question: Is the multiplicative and

Local Fourier Uniformity July 9, 2019 The main question Question: Is the multiplicative and additive structure of the integers independent? Conjectural answer: Yes, up to minor local obstructions. The precise form of this answer is due to Chowla

869 views • 28 slides
Tight Private Circuits: Achieving Probing Security with the Least Refreshing Sonia Belaid,

Tight Private Circuits: Achieving Probing Security with the Least Refreshing Sonia Belaid,

Tight Private Circuits: Achieving Probing Security with the Least Refreshing Sonia Belaid, Dahmun Goudarzi, and Matthieu Rivain dahmun.goudarzi@pqshield.com 1 Side-Channel Attacks and Higher-Order Masking in 1 in 2 in 3

655 views • 52 slides
Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and Franois-Xavier Standaert UCL (Louvain-la-Neuve, Belgium) CHES 2017, Taipei, Taiwan Outline Background Masking Barthe et al. masking

614 views • 48 slides
Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on

Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on

Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on the spatial attribute type. Proposal part 2 Details of the masking attribute addition. Table 3-13 - S100_GF_SpatialAttributeType Role Name

558 views • 8 slides
Privacy Preserving Data Mining: Additive Data Perturbation Outline Input perturbation

Privacy Preserving Data Mining: Additive Data Perturbation Outline Input perturbation

Privacy Preserving Data Mining: Additive Data Perturbation Outline Input perturbation techniques Additive perturbation Multiplicative perturbation Privacy metrics Privacy metrics Summary Definition of dataset Column

280 views • 23 slides
Occultations for Probing for Probing Occultations Atmosphere and Climate: Atmosphere and

Occultations for Probing for Probing Occultations Atmosphere and Climate: Atmosphere and

I nstitute for G eophysics, A strophysics, and M eteorology / U niversity of G raz A tmospheric R emote S ensing and Cli mate Sys tem Research Group ARSCliSys on the art of understanding the climate system Occultations for Probing for Probing

570 views • 12 slides
Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan)

Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan)

Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan) 2017-09-29 1 quick intro to masking masking = countermeasure against DPA idea: secret sharing b = b 1 + b 2 individual shares tell you nothing

752 views • 45 slides
Developing Multiplicative Thinking More Assessing and Monitoring Multiplicative Thinking Welcome

Developing Multiplicative Thinking More Assessing and Monitoring Multiplicative Thinking Welcome

Developing Multiplicative Thinking More Assessing and Monitoring Multiplicative Thinking Welcome I Your Host: Tonda Thompson KCM Regional Math Coach tonda.thompson@grrec.org KCM WEBSITE kentuckymathematics.org AGENDA Standards

337 views • 14 slides
Developing Multiplicative Thinking- Foundations of Multiplicative Thinking with Julie Adams

Developing Multiplicative Thinking- Foundations of Multiplicative Thinking with Julie Adams

Developing Multiplicative Thinking- Foundations of Multiplicative Thinking with Julie Adams Welcome! Your host Julie Adams Regional Consultant Kentucky Center for Mathematics jaadams2@moreheadstate.edu KCM Website

472 views • 28 slides
colors www.yourinspirationweb.com 1 RGB model additive used for: web 2 CMYK model

colors www.yourinspirationweb.com 1 RGB model additive used for: web 2 CMYK model

colors www.yourinspirationweb.com 1 RGB model additive used for: web 2 CMYK model subtractive used for: print 3 color wheel 4 color wheel Primary colors: red , yellow , blue Secondary colors: obtained by mixing two adjacent

473 views • 23 slides
Low Randomness Masking and Shulfifgn: An Evaluation Using Mutual Information Kostas

Low Randomness Masking and Shulfifgn: An Evaluation Using Mutual Information Kostas

Low Randomness Masking and Shulfifgn: An Evaluation Using Mutual Information Kostas Papagiannopoulos kostaspap88@gmail.com kpcrypto.net Radboud University Nijmegen Digital Security Department The Netherlands 1 Overview Masking,

785 views • 46 slides
Multiplicative Weights Algorithms CompSci 590.03 Instructor: Ashwin Machanavajjhala Lecture 13 :

Multiplicative Weights Algorithms CompSci 590.03 Instructor: Ashwin Machanavajjhala Lecture 13 :

Multiplicative Weights Algorithms CompSci 590.03 Instructor: Ashwin Machanavajjhala Lecture 13 : 590.03 Fall 12 1 This Class A Simple Multiplicative Weights Algorithm Multiplicative Weights for privately publishing synthetic data

464 views • 34 slides
AUTOMATIC MIXING Dissonance suppression during harmonic mixing A journey through the DJ world by

AUTOMATIC MIXING Dissonance suppression during harmonic mixing A journey through the DJ world by

AUTOMATIC MIXING Dissonance suppression during harmonic mixing A journey through the DJ world by Stefan Hamburger July 2017 Seminar Topics in Computer Music Prof. Paolo Bientinesi, RWTH Aachen 1 WHAT IS AUTOMATIC MIXING? Generating a

898 views • 35 slides
CS 170 Section 13 Multiplicative Updates Owen Jow April 25, 2018 University of California,

CS 170 Section 13 Multiplicative Updates Owen Jow April 25, 2018 University of California,

CS 170 Section 13 Multiplicative Updates Owen Jow April 25, 2018 University of California, Berkeley Table of Contents 1. Multiplicative Updates Intro 2. Follow the Regularized Leader 1 Multiplicative Updates Intro The Experts Problem

372 views • 19 slides

More recommend