Protecting AES with Shamir's Secret Sharing Scheme (PowerPoint presentation)


  1. Protecting AES with Shamir's Secret Sharing Scheme. Louis Goubin and Ange Martinelli. CHES 2011, September 29, Nara, Japan. 1/26

  2. (Section navigation: Introduction, Description of the scheme, Complexity analysis, Security analysis, Conclusion.) Outline: 1 Introduction (Context; Shamir's secret sharing scheme). 2 Description of the scheme (Core idea; Masking AES: SSS masking scheme). 3 Complexity analysis (Complexity of operations; Overall complexity). 4 Security analysis (Information-theoretic analysis; Higher-order DPA evaluation; Attack simulations). 5 Conclusion. 2/26


  4. Context. Block ciphers are vulnerable to SCA (side-channel attacks). d-th order Boolean masking is the most implemented countermeasure. To improve the security of masking schemes against SCA, either:
     (a) increase the order $d$ of the masking:
         + : the security of $d$O-masking grows exponentially with $d$, due to the intrinsic leakage noise [ChariJutlaRaoRohatgi99];
         – : the efficiency of $d$O-masking quickly decreases with $d$;
     (b) complicate the relation between the masks and the masked variable ⇒ this work. 4/26

  7. Shamir's secret sharing scheme. $a_0$ is the secret. $P$ is a polynomial of degree $d$ such that $P(x) = a_d \cdot x^d + a_{d-1} \cdot x^{d-1} + \cdots + a_1 \cdot x + a_0$. Each user $i$ has $(x_i, y_i = P(x_i))$ with $x_i \neq 0$. Reconstruction: $a_0 = \sum_{i=0}^{d} y_i \cdot \beta_i$, where $\beta_i = \prod_{j=0,\, j \neq i}^{d} \frac{-x_j}{x_i - x_j}$. 5/26


  9. $d$-th order masking scheme. Each sensitive variable $b$ is shared as $(x_i, y_i)_{i=0..d}$. We only manipulate the pairs $(x_i, y_i)$. The ciphertext $c$ verifies $c = \sum_{i=0}^{d} y_i^{\text{final}} \cdot \beta_i$, where $(x_i, y_i^{\text{final}})$ is the output of the last round. 7/26

  10. Masking linear layers. AddRoundKey, ShiftRows and MixColumns are computed using linear operations. Let $u \in GF(256)$ be shared as $(x_i, u_i)_{i=0..d}$ and let $v \in GF(256)$ be an unshared value. Then:
      $b \oplus v \to (x'_i, y'_i) = (x_i,\ y_i \oplus v)$;
      $b \oplus u \to (x'_i, y'_i) = (x_i,\ y_i \oplus u_i)$;
      $b \cdot v \to (x'_i, y'_i) = (x_i,\ y_i \cdot v)$. 8/26

  14. Masking the AES Sbox. SubBytes can be derived from [RivainProuff10] using $x^{-1} = x^{254}$. Secure square, linear over GF(256): $b^2 \to (x'_i, y'_i) = (x_i^2,\ y_i^2)$. Since $x'_i \neq x_i$, a RefreshMasks operation is needed. Secure multiplication: the product of two degree-$d$ polynomials is a polynomial of degree $2d$. 9/26

  15. RefreshMasks operation. Derived from [Ben-OrGoldwasserWigderson88]: share each share, then reconstruct the original value. Algorithm 1 RefreshMasks. Input: shared representation of $b$, $(\alpha_i, y_i)_{i=0..d}$; chosen $(x_i)_{i=0..d}$; $t$ such that $\alpha_i = x_i^{2^t}$. Output: shared representation of $b$, $(x_i, y'_i)_{i=0..d}$.
      1. for $i = 0$ to $d$ do
      2.   $\beta'_i \leftarrow \beta_i^{2^t}$
      3.   Share $y_i$ in $(x_j, z_{i,j})_{j=0..d}$
      4. for $i = 0$ to $d$ do
      5.   $(x_i, y'_i) \leftarrow \big(x_i,\ \sum_{j=0}^{d} \beta'_j \cdot z_{j,i}\big)$
      6. return $(x_i, y'_i)_{i=0..d}$. 10/26

  16. Masking the field multiplication. Two possibilities: adapt the SMC algorithm of [Ben-OrGoldwasserWigderson88]¹ ⇒ huge complexity; or provide a new algorithm exploiting the SCA context ⇒ loss of the known security proof ⇒ our choice. Idea: truncate the degree-$2d$ polynomial to degree $d$. ¹ See the full version at http://eprint.iacr.org/2011/516.pdf. 11/26

  18. Masking the field multiplication. Let $\beta_{j,k}(x)$ be defined as follows. With $\beta_j(x) = \prod_{l=0,\, l \neq j}^{d} \frac{x - x_l}{x_j - x_l}$, write $\beta_j(x) \cdot \beta_k(x) = \alpha_{2d} x^{2d} + \cdots + \alpha_d x^d + \cdots + \alpha_1 x + \alpha_0$. Then $\beta_{j,k}(x) = \beta_{k,j}(x) = \alpha_d x^d + \cdots + \alpha_1 x + \alpha_0$. The polynomial $P(x) = \sum_{j=0}^{d} \sum_{k=0}^{d} y_j \cdot u_k \cdot \beta_{j,k}(x)$ verifies: $\deg(P) = d$; $P(0) = b \cdot u$; and $\forall x_i \in \{x_i\}_{i=0..d}$, $P(x_i) = y'_i$. 12/26
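Added worked step (not on the slide) showing why the truncation keeps the product: dropping the terms of degree above $d$ leaves the constant term untouched, so $\beta_{j,k}(0) = \alpha_0 = \beta_j(0)\,\beta_k(0)$, and with the reconstruction coefficients $\beta_j = \beta_j(0)$ of slide 7:

\[
P(0) = \sum_{j=0}^{d}\sum_{k=0}^{d} y_j\,u_k\,\beta_j(0)\,\beta_k(0)
     = \Big(\sum_{j=0}^{d} y_j\,\beta_j\Big)\Big(\sum_{k=0}^{d} u_k\,\beta_k\Big)
     = b \cdot u .
\]

$\deg(P) \le d$ because every $\beta_{j,k}$ has degree at most $d$, and defining $y'_i = P(x_i)$ makes $(x_i, y'_i)_{i=0..d}$ a degree-$d$ sharing of $b \cdot u$ on the same points $x_i$, which is what keeps the output shares compatible with the next masked operation.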

  19. Masking the field multiplication. Algorithm 2 Share multiplication SecMult. Input: shared representation of $b$, $(x_i, y_i)_{i=0..d}$, and of $u$, $(x_i, u_i)_{i=0..d}$. Output: shares $(x_i, y'_i)_{i=0..d}$ representing the product of $b$ and $u$.
      1. for $j = 0$ to $d$ do
      2.   for $k = 0$ to $d$ do
      3.     $z_{j,k} \leftarrow y_j \cdot u_k$
      4. for $i = 0$ to $d$ do
      5.   $(x_i, y'_i) \leftarrow \Big(x_i,\ \sum_{j=1}^{d} \sum_{0 \le k < j} (z_{j,k} \oplus z_{k,j}) \cdot \beta_{j,k}(x_i) \;+\; \sum_{j=0}^{d} z_{j,j} \cdot \beta_{j,j}(x_i)\Big)$
      6. return $(x_i, y'_i)_{i=0..d}$. 13/26
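The following is an added example, not the authors' code: it implements Shamir sharing of bytes in GF(256) (slide 7), the ciphertext reconstruction of slide 9, the three linear-layer rules of slide 10, the secure square followed by RefreshMasks (slides 14 and 15, Algorithm 1), SecMult with the truncated basis polynomials $\beta_{j,k}$ (slides 18 and 19, Algorithm 2), and finally the masked inversion $b^{254}$ of slide 14 built from those two primitives. Assumptions not on the slides: the AES field polynomial $x^8 + x^4 + x^3 + x + 1$, public $x_i$ drawn at random (non-zero and pairwise distinct), the addition chain 2, 3, 12, 15, 240, 252, 254 for the exponent 254, and the constructed sample bytes in `demo`.

```python
# Added example, not the authors' code: Shamir sharing of bytes in GF(256) and the masked
# AES operations of the slides. Assumed: AES field polynomial 0x11B, random distinct non-zero x_i.
import random
from functools import reduce
from operator import xor

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (the AES polynomial)."""
    r = 0
    while b:
        if b & 1: r ^= a
        a <<= 1
        if a & 0x100: a ^= 0x11B
        b >>= 1
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1: r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def poly_mul(p, q):  # coefficient lists, index = degree
    r = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, c in enumerate(q):
            r[i + j] ^= gf_mul(a, c)
    return r

def poly_eval(p, x):  # Horner's rule
    return reduce(lambda acc, c: gf_mul(acc, x) ^ c, reversed(p), 0)

def lagrange_basis(xs, j):
    """beta_j(x) = prod_{l != j} (x - x_l) / (x_j - x_l); subtraction is XOR in GF(2^8)."""
    p = [1]
    for l, xl in enumerate(xs):
        if l != j:
            inv = gf_pow(xs[j] ^ xl, 254)            # 1 / (x_j - x_l)
            p = poly_mul(p, [gf_mul(xl, inv), inv])  # times (x - x_l) / (x_j - x_l)
    return p

def share(secret, xs, rng):
    """(x_i, P(x_i)) for a random degree-d polynomial P with P(0) = secret."""
    coeffs = [secret] + [rng.randrange(256) for _ in xs[1:]]
    return [poly_eval(coeffs, x) for x in xs]

def reconstruct(xs, ys):
    """a_0 = sum_i y_i * beta_i, where beta_i = beta_i(0) is the constant term of beta_i(x)."""
    return reduce(xor, (gf_mul(y, lagrange_basis(xs, i)[0]) for i, y in enumerate(ys)), 0)

# Linear layers (slide 10): only the y_i change, the x_i stay fixed.
def add_const(ys, v):   return [y ^ v for y in ys]
def add_shared(ys, us): return [y ^ u for y, u in zip(ys, us)]
def mul_const(ys, v):   return [gf_mul(y, v) for y in ys]

def refresh_masks(xs, ws, t, rng):
    """Algorithm 1: ws are shares on alpha_i = x_i^(2^t); return shares of the same value on the x_i."""
    d = len(xs) - 1
    betas = [gf_pow(lagrange_basis(xs, i)[0], 1 << t) for i in range(d + 1)]  # beta'_i = beta_i^(2^t)
    z = [share(w, xs, rng) for w in ws]                                       # z[i][j]: share of w_i at x_j
    return [reduce(xor, (gf_mul(betas[j], z[j][i]) for j in range(d + 1)), 0) for i in range(d + 1)]

def sec_frobenius(xs, ys, t, rng):
    """Secure b -> b^(2^t): raising each share is linear but moves the x_i, so refresh back onto them."""
    return refresh_masks(xs, [gf_pow(y, 1 << t) for y in ys], t, rng)

def sec_mult(xs, ys, us):
    """Algorithm 2 (SecMult): shares of b*u via beta_{j,k} = (beta_j * beta_k) truncated to degree d."""
    d = len(xs) - 1
    basis = [lagrange_basis(xs, j) for j in range(d + 1)]
    bjk = lambda j, k, x: poly_eval(poly_mul(basis[j], basis[k])[:d + 1], x)
    z = [[gf_mul(ys[j], us[k]) for k in range(d + 1)] for j in range(d + 1)]
    out = []
    for i in range(d + 1):
        acc = reduce(xor, (gf_mul(z[j][j], bjk(j, j, xs[i])) for j in range(d + 1)), 0)
        for j in range(1, d + 1):
            for k in range(j):  # beta_{j,k} = beta_{k,j}: the cross terms are paired
                acc ^= gf_mul(z[j][k] ^ z[k][j], bjk(j, k, xs[i]))
        out.append(acc)
    return out

def sec_inverse(xs, ys, rng):
    """b^-1 = b^254 on shares, through the chain b^2, b^3, b^12, b^15, b^240, b^252, b^254."""
    y2 = sec_frobenius(xs, ys, 1, rng)
    y3 = sec_mult(xs, y2, ys)
    y12 = sec_frobenius(xs, y3, 2, rng)
    y15 = sec_mult(xs, y12, y3)
    y240 = sec_frobenius(xs, y15, 4, rng)
    y252 = sec_mult(xs, y240, y12)
    return sec_mult(xs, y252, y2)

def demo(d=2, seed=1):
    """Share two constructed bytes at order d and check each masked operation by reconstruction."""
    rng = random.Random(seed)
    xs = rng.sample(range(1, 256), d + 1)  # public, non-zero, pairwise distinct x_i
    b, u, v = 0x53, 0xCA, 0x1B             # constructed sample values; 0x53 * 0xCA = 1 in GF(2^8)
    yb, yu = share(b, xs, rng), share(u, xs, rng)
    return {"b": reconstruct(xs, yb),
            "b+v": reconstruct(xs, add_const(yb, v)), "b+u": reconstruct(xs, add_shared(yb, yu)),
            "b*v": reconstruct(xs, mul_const(yb, v)), "b^2": reconstruct(xs, sec_frobenius(xs, yb, 1, rng)),
            "b*u": reconstruct(xs, sec_mult(xs, yb, yu)), "b^-1": reconstruct(xs, sec_inverse(xs, yb, rng))}
```

`demo(d)` runs every operation on shares and only unmasks at the end, the way the ciphertext is recovered on slide 9; every value must reconstruct to the plain GF(256) result (for the sample bytes, `b*u` is `1` and `b^-1` is `0xCA`). Two points the code makes concrete: `sec_frobenius` has to call `refresh_masks` because the squared shares live on the points $x_i^{2^t}$ and would otherwise not combine with shares on the $x_i$ (slide 14), and `sec_mult` only needs the constant terms of the $\beta_{j,k}$ to be right for correctness, which is exactly what truncating the product polynomial preserves (slide 18).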

  20. Intuition of security. Intuitively we have: one needs at least $d + 1$ shares to define a polynomial of degree $d$; $\beta_{j,k}(x_i)$ is independent of any secret; $y_j \cdot u_k$ does not leak more information on $b$ (resp. $u$) than the knowledge of $y_j$ (resp. $u_k$). No easy security proof for SecMult at order $d$: open work. 14/26
