Protecting AES with Shamir's Secret Sharing Scheme
Louis Goubin and Ange Martinelli
CHES 2011, September 29, Nara, Japan
Sections: Introduction; Description of the scheme; Complexity analysis; Security analysis; Conclusion
(slide 1/26)
Slide 2/26: Outline
1 Introduction: Context; Shamir's secret sharing scheme
2 Description of the scheme: Core idea; Masking AES: SSS masking scheme
3 Complexity analysis: Complexity of operations; Overall complexity
4 Security analysis: Information-theoretic analysis; Higher-order DPA evaluation; Attack simulations
5 Conclusion
Slide 4/26: Context
- Block ciphers are vulnerable to SCA (side-channel analysis).
- d-th order Boolean masking is the most implemented countermeasure.
- Improve security of masking schemes against SCA:
  * Increase the order d of the masking.
    + : security of d-th order (dO) masking grows exponentially with d thanks to the intrinsic leakage noise [ChariJutlaRaoRohatgi99]
    - : efficiency of dO masking quickly decreases with d
  * Complicate the relation between the masks and the masked variable. ⇒ this work
Slide 5/26: Shamir's secret sharing scheme
- $a_0$ is the secret.
- $P$ is a polynomial such that $P(x) = a_d \cdot x^d + a_{d-1} \cdot x^{d-1} + \cdots + a_1 \cdot x + a_0$.
- Each user $i$ has $(x_i, y_i = P(x_i))$ with $x_i \ne 0$.
- Reconstruction: $a_0 = \sum_{i=0}^{d} y_i \cdot \beta_i$, where $\beta_i = \prod_{j=0,\, j \ne i}^{d} \frac{-x_j}{x_i - x_j}$.
Slide 6/26: Outline (repeated before section 2, Description of the scheme)
Slide 7/26: d-th order masking scheme
- Each sensitive variable $b$ is shared as $(x_i, y_i)_{i=0..d}$.
- We only manipulate the pairs $(x_i, y_i)$.
- The ciphertext $c$ verifies $c = \sum_{i=0}^{d} y_i^{final} \cdot \beta_i$, where $(x_i, y_i^{final})$ is the output of the last round.
Slide 8/26: Masking linear layers
- AddRoundKey, ShiftRows and MixColumns are computed using linear operations.
- Let $u \in GF(256)$ be shared as $(x_i, u_i)_{i=0..d}$, and let $v \in GF(256)$ be unshared:
  * $b \oplus v \rightarrow (x'_i, y'_i) = (x_i, y_i \oplus v)$
  * $b \oplus u \rightarrow (x'_i, y'_i) = (x_i, y_i \oplus u_i)$
  * $b \cdot v \rightarrow (x'_i, y'_i) = (x_i, y_i \cdot v)$
Slide 9/26: Masking AES Sbox
- SubByte can be derived from [RivainProuff10] using $x^{-1} = x^{254}$.
- Secure square: squaring is linear over GF(256): $b^2 \rightarrow (x'_i, y'_i) = (x_i^2, y_i^2)$.
  * $x'_i \ne x_i$ ⇒ need a RefreshMasks operation.
- Secure multiplication: the product of two degree-$d$ polynomials is a polynomial of degree $2d$.
Slide 10/26: RefreshMasks operation
- Derived from [Ben-OrGoldwasserWigderson88]: share each share, then reconstruct the original value.

Algorithm 1 RefreshMasks
Input: shared representation of $b$, $(\alpha_i, y_i)_{i=0..d}$; chosen $(x_i)_{i=0..d}$; $t$ such that $\alpha_i = x_i^{2^t}$
Output: shared representation of $b$, $(x_i, y'_i)_{i=0..d}$
1. for $i = 0$ to $d$ do
2.   $\beta'_i \leftarrow \beta_i^{2^t}$
3.   Share $y_i$ in $(x_j, z_{i,j})_{j=0..d}$
4. for $i = 0$ to $d$ do
5.   $(x_i, y'_i) \leftarrow \left(x_i, \sum_{j=0}^{d} \beta'_j \cdot z_{j,i}\right)$
6. return $(x_i, y'_i)_{i=0..d}$
Slide 11/26: Masking the field multiplication
Two possibilities:
- Adapt the SMC algorithm of [Ben-OrGoldwasserWigderson88] (1) ⇒ huge complexity
- Provide a new algorithm exploiting the SCA context ⇒ loss of known security proof ⇒ our choice.
  Idea: truncate the degree-$2d$ polynomial to degree $d$.
(1) see the full version at http://eprint.iacr.org/2011/516.pdf
Slide 12/26: Masking the field multiplication
- Let $\beta_j(x) = \prod_{l=0,\, l \ne j}^{d} \frac{x - x_l}{x_j - x_l}$.
- $\beta_j(x) \cdot \beta_k(x) = \alpha_{2d} x^{2d} + \cdots + \alpha_d x^d + \cdots + \alpha_1 x + \alpha_0$.
- Then $\beta_{j,k}(x) = \beta_{k,j}(x) = \alpha_d x^d + \cdots + \alpha_1 x + \alpha_0$ (the product truncated to degree $d$).
- $P(x) = \sum_{j=0}^{d} \sum_{k=0}^{d} y_j \cdot u_k \cdot \beta_{j,k}(x)$ verifies:
  * $\mathrm{degree}(P) = d$
  * $P(0) = b \cdot u$
  * $\forall x_i \in \{x_i\}_{i=0..d},\ P(x_i) = y'_i$
Slide 13/26: Masking the field multiplication
Algorithm 2 Share multiplication SecMult
Input: shared representations of $b$, $(x_i, y_i)_{i=0..d}$, and $u$, $(x_i, u_i)_{i=0..d}$
Output: shares $(x_i, y'_i)_{i=0..d}$ representing the product of $b$ and $u$
1. for $j = 0$ to $d$ do
2.   for $k = 0$ to $d$ do
3.     $z_{j,k} \leftarrow y_j \cdot u_k$
4. for $i = 0$ to $d$ do
5.   $(x_i, y'_i) \leftarrow \left(x_i,\ \sum_{j=1}^{d} \sum_{0 \le k < j} (z_{j,k} \oplus z_{k,j}) \cdot \beta_{j,k}(x_i) + \sum_{j=0}^{d} z_{j,j} \cdot \beta_{j,j}(x_i)\right)$
6. return $(x_i, y'_i)_{i=0..d}$
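The sharing, RefreshMasks and SecMult steps of the preceding slides (5, 7, 9, 10, 12 and 13), as an added Python model that is not the authors' code: Shamir sharing over GF(2^8) with the AES polynomial, reconstruction from the $\beta_i$, the secure square followed by RefreshMasks, and Algorithm 2 with the truncated $\beta_{j,k}$, composed into the $x^{254}$ inversion the S-box slide mentions. The function names, the coefficient-list polynomial representation and the naive 7-square chain in sec_inv are this example's own choices (assumptions); the [RivainProuff10] addition chain is not reproduced.

```python
# Toy model of the scheme on these slides (Goubin and Martinelli, CHES 2011): Shamir
# sharing over GF(2^8), RefreshMasks (Algorithm 1) and the truncated-product SecMult
# (Algorithm 2). Added example, not the authors' code; names, the coefficient-list
# polynomial representation and the naive x^254 chain in sec_inv are assumptions.
import functools, operator, secrets

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES field polynomial
xor_sum = lambda vals: functools.reduce(operator.xor, vals, 0)  # a sum in characteristic 2

def gf_mul(a, b):
    """Multiply two GF(2^8) elements, reducing by AES_POLY."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (AES_POLY if a & 0x80 else 0)
        b >>= 1
    return r

def gf_pow(a, e):
    """Square-and-multiply in GF(2^8); gf_pow(a, 254) is a^-1 (the S-box identity)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def poly_mul(p, q):
    """Product of two polynomials over GF(2^8); lists hold coefficients low to high."""
    r = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            r[i + j] ^= gf_mul(a, b)
    return r

def poly_eval(p, x):
    """Horner evaluation of a coefficient list at x."""
    return functools.reduce(lambda acc, c: gf_mul(acc, x) ^ c, reversed(p), 0)

def lagrange_basis(xs, j):
    """beta_j(x) = prod_{l != j} (x - x_l)/(x_j - x_l); in char 2, x - x_l is [x_l, 1]."""
    num, denom = [1], 1
    for l, xl in enumerate(xs):
        if l != j:
            num, denom = poly_mul(num, [xl, 1]), gf_mul(denom, xs[j] ^ xl)
    inv = gf_pow(denom, 254)
    return [gf_mul(c, inv) for c in num]

def share(b, xs, d):
    """Shares (x_i, P(x_i)) of b for a random degree-d P with P(0) = b."""
    assert len(xs) == d + 1 == len(set(xs)) and 0 not in xs  # distinct, non-zero x_i
    coeffs = [b] + [secrets.randbelow(256) for _ in range(d)]
    return [(x, poly_eval(coeffs, x)) for x in xs]

def reconstruct(shares):
    """a_0 = sum_i y_i * beta_i with beta_i = beta_i(0)."""
    xs = [x for x, _ in shares]
    return xor_sum(gf_mul(y, poly_eval(lagrange_basis(xs, i), 0)) for i, (_, y) in enumerate(shares))

def sec_square(shares):
    """b^2 -> (x_i^2, y_i^2): linear, but the points move, so RefreshMasks must follow."""
    return [(gf_mul(x, x), gf_mul(y, y)) for x, y in shares]

def refresh_masks(shares, xs, t):
    """Algorithm 1: input shares sit at alpha_i = x_i^(2^t); output shares sit at x_i."""
    d = len(xs) - 1
    assert [a for a, _ in shares] == [gf_pow(x, 1 << t) for x in xs]
    # step 2: beta'_i = beta_i^(2^t) is the reconstruction coefficient for the alpha_i
    beta_t = [gf_pow(poly_eval(lagrange_basis(xs, i), 0), 1 << t) for i in range(d + 1)]
    z = [share(y, xs, d) for _, y in shares]  # step 3: re-share each y_i on the x_j
    # steps 4-5: y'_i = sum_j beta'_j * z_{j,i}
    return [(xi, xor_sum(gf_mul(beta_t[j], z[j][i][1]) for j in range(d + 1))) for i, xi in enumerate(xs)]

def sec_mult(shares_b, shares_u):
    """Algorithm 2: shares of b*u via beta_{j,k} = beta_j*beta_k truncated to degree d.
    Both inputs must use the same x_i; step 5 pairs z_{j,k} with z_{k,j} as on the slide."""
    xs = [x for x, _ in shares_b]
    d = len(xs) - 1
    basis = [lagrange_basis(xs, j) for j in range(d + 1)]
    beta_jk = [[poly_mul(basis[j], basis[k])[:d + 1] for k in range(d + 1)] for j in range(d + 1)]
    z = [[gf_mul(yj, uk) for _, uk in shares_u] for _, yj in shares_b]  # steps 1-3
    def y_prime(xi):  # step 5 for one evaluation point
        diag = xor_sum(gf_mul(z[j][j], poly_eval(beta_jk[j][j], xi)) for j in range(d + 1))
        pairs = xor_sum(gf_mul(z[j][k] ^ z[k][j], poly_eval(beta_jk[j][k], xi))
                        for j in range(1, d + 1) for k in range(j))
        return diag ^ pairs
    return [(xi, y_prime(xi)) for xi in xs]

def sec_inv(shares):
    """Masked x^254 = x^2 * x^4 * ... * x^128: 7 squares, each followed by RefreshMasks, and 6 SecMult."""
    xs = [x for x, _ in shares]
    cur, acc = shares, None
    for _ in range(7):
        cur = refresh_masks(sec_square(cur), xs, 1)
        acc = cur if acc is None else sec_mult(acc, cur)
    return acc
```

With d = 2 and the public points [1, 2, 3], reconstruct(sec_inv(share(0x53, [1, 2, 3], 2))) returns 0xCA, the S-box inverse of 0x53. Reconstruction of any sec_mult output equals the field product because truncating $\beta_j \cdot \beta_k$ keeps the constant term, so $P(0) = b \cdot u$, and $d+1$ output points determine a degree-$d$ polynomial. The model checks functional correctness only; it says nothing about the leakage of a real implementation.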
Slide 14/26: Intuition of security
Intuitively we have:
- one needs at least $d + 1$ shares to define a polynomial of degree $d$;
- $\beta_{j,k}(x_i)$ is independent of any secret;
- $y_j \cdot u_k$ does not leak more information on $b$ (resp. $u$) than the knowledge of $y_j$ (resp. $u_k$).
No easy security proof for SecMult at order $d$: open work.
Slide 15/26: Outline (repeated before section 3, Complexity analysis)