protecting aes with shamir s secret sharing scheme
play

Protecting AES with Shamirs Secret Sharing Scheme Louis Goubin and - PowerPoint PPT Presentation

Mar 02, 2023 •289 likes •647 views

Introduction Description of the scheme Complexity analysis Security analysis Conclusion Protecting AES with Shamirs Secret Sharing Scheme Louis Goubin and Ange Martinelli CHES 2011, September 29, Nara Japan 1/26 grid Introduction

  1. Introduction Description of the scheme Complexity analysis Security analysis Conclusion Protecting AES with Shamir’s Secret Sharing Scheme Louis Goubin and Ange Martinelli CHES 2011, September 29, Nara Japan 1/26

  2. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Outline 1 Introduction Context Shamir’s secret sharing scheme 2 Description of the scheme Core Idea Masking AES: SSS masking scheme 3 Complexity analysis Complexity of operations Overall complexity 4 Security analysis Information Theoretic Analysis Higher-Order DPA Evaluation Attack simulations 5 Conclusion 2/26

  3. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Outline 1 Introduction Context Shamir’s secret sharing scheme 2 Description of the scheme Core Idea Masking AES: SSS masking scheme 3 Complexity analysis Complexity of operations Overall complexity 4 Security analysis Information Theoretic Analysis Higher-Order DPA Evaluation Attack simulations 5 Conclusion 3/26

  4. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Context Block ciphers are vulnerable to SCA. � d -th order boolean masking is the most implemented. � Improve security of masking schemes against SCA: � 4/26

  5. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Context Block ciphers are vulnerable to SCA. � d -th order boolean masking is the most implemented. � Improve security of masking schemes against SCA: � Increase the order d of the masking. ∗ + : Security of d O-masking grows exponentially with d due to intrinsic leakage noise [ChariJutlaRaoRohatgi99] ∗ – : Efficiency of d O-masking quickly decreases with d 4/26

  6. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Context Block ciphers are vulnerable to SCA. � d -th order boolean masking is the most implemented. � Improve security of masking schemes against SCA: � Increase the order d of the masking. ∗ + : Security of d O-masking grows exponentially with d due to intrinsic leakage noise [ChariJutlaRaoRohatgi99] ∗ – : Efficiency of d O-masking quickly decreases with d Complicate the relation between the masks and the masked variable. ⇒ this work 4/26

  7. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Shamir’s secret sharing scheme a 0 secret. � P is a polynomial s.t. � P ( x ) = a d · x d + a d − 1 · x d − 1 + · · · + a 1 · x + a 0 Each user i has ( x i , y i = P ( x i )) x i � =0 � Reconstruction: � d � a 0 = y i · β i 0 d − x j � where β i = . x i − x j j =0 , j � = i 5/26

  8. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Outline 1 Introduction Context Shamir’s secret sharing scheme 2 Description of the scheme Core Idea Masking AES: SSS masking scheme 3 Complexity analysis Complexity of operations Overall complexity 4 Security analysis Information Theoretic Analysis Higher-Order DPA Evaluation Attack simulations 5 Conclusion 6/26

  9. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion d -th order masking scheme Each sensitive variable b is shared as � ( x i , y i ) i =0 .. d We only manipulate pairs ( x i , y i ) � The cipher text c verifies: � d � y final c = · β i i 0 where ( x i , y final ) is the output of the last round. i 7/26

  10. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Masking linear layers AddRoundKey, ShiftRows, MixColumns computed using linear � operations. Let u ∈ GF(256) shared as ( x i , u i ) i =0 .. d , v ∈ GF(256) � 8/26

  11. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Masking linear layers AddRoundKey, ShiftRows, MixColumns computed using linear � operations. Let u ∈ GF(256) shared as ( x i , u i ) i =0 .. d , v ∈ GF(256) � → ( x ′ i , y ′ b ⊕ v i ) = ( x i , y i ⊕ v ) 8/26

  12. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Masking linear layers AddRoundKey, ShiftRows, MixColumns computed using linear � operations. Let u ∈ GF(256) shared as ( x i , u i ) i =0 .. d , v ∈ GF(256) � → ( x ′ i , y ′ b ⊕ v i ) = ( x i , y i ⊕ v ) → ( x ′ i , y ′ b ⊕ u i ) = ( x i , y i ⊕ u i ) 8/26

  13. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Masking linear layers AddRoundKey, ShiftRows, MixColumns computed using linear � operations. Let u ∈ GF(256) shared as ( x i , u i ) i =0 .. d , v ∈ GF(256) � → ( x ′ i , y ′ b ⊕ v i ) = ( x i , y i ⊕ v ) → ( x ′ i , y ′ b ⊕ u i ) = ( x i , y i ⊕ u i ) → ( x ′ i , y ′ b · v i ) = ( x i , y i · v ) 8/26

  14. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Masking AES Sbox SubByte can be derived from [RivainProuff10] using � x − 1 = x 254 . Secure square: linear over GF(256): � b 2 → ( x ′ i , y ′ i ) = ( x 2 i , y i 2 ) x ′ i � = x i ⇒ need a RefreshMasks operation. � � Secure multiplication: product of 2 degree d polynomials ⇒ polynomial of degree 2 d 9/26

  15. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion RefreshMasks operation Derived from [Ben-OrGoldwasserWigderson88] � Sharing each share Reconstructing original value Algorithm 1 RefreshMasks Input: Shared representation of b , ( α i , y i ) i =0 .. d , chosen ( x i ) i =0 .. d , t such that α i = x 2 t i Output: Shared representation of b , ( x i , y ′ i ) i =0 .. d 1. for i = 0 to d do i ← β 2 t β ′ 2. i 3. Share y i in ( x j , z i j ) j =0 .. d 4. for i = 0 to d do   d � ( x i , y ′ β ′ 5. i ) ←  x i , j · z j i  j =0 6. return ( x i , y ′ i ) i =0 .. d 10/26

  16. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Masking the field multiplication Two possibilities: � Adapt SMC algorithm of [Ben-OrGoldwasserWigderson88] 1 ⇒ huge complexity Provide a new algorithm exploiting the SCA context ⇒ loss of known security proof 1 see full version at http://eprint.iacr.org/2011/516.pdf 11/26

  17. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Masking the field multiplication Two possibilities: � Adapt SMC algorithm of [Ben-OrGoldwasserWigderson88] 1 ⇒ huge complexity Provide a new algorithm exploiting the SCA context ⇒ loss of known security proof ⇒ our choice. Idea : truncate the degree 2 d polynomial to degree d � 1 see full version at http://eprint.iacr.org/2011/516.pdf 11/26

  18. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Masking the field multiplication Let β j , k ( x ) be defined as: � d x − x l � β j ( x ) = . x j − x l l =0 , l � = j β j ( x ) · β k ( x ) = α 2 d x 2 d + · · · + α d x d + · · · + α 1 x + α 0 Then β j , k ( x ) = β k , j ( x ) = α d x d + · · · + α 1 x + α 0 . d d � � P ( x ) = y j · u k · β j , k ( x ) verifies: � j =0 k =0 degree ( P ) = d P (0) = b · u ∀ x ∈ { x i } i =0 .. d , P ( x i ) = y ′ i 12/26

  19. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Masking the field multiplication Algorithm 2 Share multiplication SecMult Input: Shared representation of b , ( x i , y i ) i =0 .. d and u , ( x i , u i ) i =0 .. d Output: Shares ( x i , y ′ i ) i =0 .. d representing the product of b and u 1. for j = 0 to d do 2. for k = 0 to d do 3. z j , k ← y j · u k 4. for i = 0 to d do     d d � � � ( x i , y ′  + 5. i ) ←  x i , ( z j , k ⊕ z k , j ) · β j , k ( x i ) z j , j · β j , j ( x i )   j =1 0 ≤ k < j j =0 6. return ( x i , y ′ i ) i =0 .. d 13/26

  20. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Intuition of security Intuitively we have � One needs at least d + 1 shares to define a polynomial of degree d , β j , k ( x i ) is independent of any secret, y j · u k does not leak more information on b (resp. u ) than the knowledge of y j (resp. u k ), No easy security proof for SecMult a order d : open work. � 14/26

  21. grid Introduction Description of the scheme Complexity analysis Security analysis Conclusion Outline 1 Introduction Context Shamir’s secret sharing scheme 2 Description of the scheme Core Idea Masking AES: SSS masking scheme 3 Complexity analysis Complexity of operations Overall complexity 4 Security analysis Information Theoretic Analysis Higher-Order DPA Evaluation Attack simulations 5 Conclusion 15/26

Recommend

Advanced Tools from Modern Cryptography Lecture 3 Secret-Sharing (ctd.) Secret-Sharing Last

Advanced Tools from Modern Cryptography Lecture 3 Secret-Sharing (ctd.) Secret-Sharing Last

Advanced Tools from Modern Cryptography Lecture 3 Secret-Sharing (ctd.) Secret-Sharing Last time (n,t) secret-sharing (n,n) via additive secret-sharing Shamir secret-sharing for general (n,t) Shamir secret-sharing is a linear

611 views • 14 slides
Secret Sharing See: Shamir, How to Share a Secret , CACM, Vol. 22, No. 11, November 1979, pp.

Secret Sharing See: Shamir, How to Share a Secret , CACM, Vol. 22, No. 11, November 1979, pp.

Secret Sharing See: Shamir, How to Share a Secret , CACM, Vol. 22, No. 11, November 1979, pp. 612613 Eli Biham - May 3, 2005 c 497 Secret Sharing (17) How to Keep a Secret Key Securely Information can be secured by encryption under a

597 views • 23 slides
Secret Sharing and Visual Cryptography Outline Secret Sharing Visual Secret Sharing

Secret Sharing and Visual Cryptography Outline Secret Sharing Visual Secret Sharing

Secret Sharing and Visual Cryptography Outline Secret Sharing Visual Secret Sharing Constructions Moir Cryptography Issues Secret Sharing Secret Sharing Threshold Secret Sharing (Shamir, Blakely 1979) Motivation

1.32k views • 62 slides
Secret Sharing Using Non-Commutative Groups Bren Cavallo The Graduate Center, CUNY 5/30/2013

Secret Sharing Using Non-Commutative Groups Bren Cavallo The Graduate Center, CUNY 5/30/2013

Secret Sharing Using Non-Commutative Groups Bren Cavallo The Graduate Center, CUNY 5/30/2013 Outline 1. Introduction 2. Shamir Secret Sharing and Habeeb-Kahrobaei-Shpilrain secret sharing 3. Adjustments to HKS secret sharing and analysis

444 views • 27 slides
A Latin square autotopism secret sharing scheme Talk by Rebecca J. Stones Co-authors: Ming Su,

A Latin square autotopism secret sharing scheme Talk by Rebecca J. Stones Co-authors: Ming Su,

A Latin square autotopism secret sharing scheme Talk by Rebecca J. Stones Co-authors: Ming Su, Xiaoguang Liu, Gang Wang, (Nankai University) and Sheng Lin (Tianjin University of Technology). September 12, 2014 Secret sharing schemes Secret

1.43k views • 86 slides
Vector Space Secret Sharing Scheme Mustafa Atici Western Kentucky University Department of

Vector Space Secret Sharing Scheme Mustafa Atici Western Kentucky University Department of

Vector Space Secret Sharing Scheme Mustafa Atici Western Kentucky University Department of Mathematics and Computer Science 52 MIGHTY Conference, Indiana State University, Terre Haute IN. April 27-28, 2012 Mustafa Atici Secret Sharing Scheme

461 views • 21 slides
Homomorphic Secret Sharing for Low Degree Polynomials Russell W. F. Lai, Giulio Malavolta , and

Homomorphic Secret Sharing for Low Degree Polynomials Russell W. F. Lai, Giulio Malavolta , and

Homomorphic Secret Sharing for Low Degree Polynomials Russell W. F. Lai, Giulio Malavolta , and Dominique Schrder Friedrich-Alexander University Erlangen-Nrnberg Homomorphic Secret Sharing A secret-sharing scheme allows a client to share his

247 views • 14 slides
Efficient Leakage-Resilient Secret Sharing Peihan Miao Akshayaram Srinivasan Prashant Nalini

Efficient Leakage-Resilient Secret Sharing Peihan Miao Akshayaram Srinivasan Prashant Nalini

Efficient Leakage-Resilient Secret Sharing Peihan Miao Akshayaram Srinivasan Prashant Nalini Vasudevan UC Berkeley Secret Sharing [Shamir 79, Blakley 79] Share 1 , , Reconstruction: Given at least

1.45k views • 20 slides
Adi Shamir, How to Share a Secret, CACM November 1979 CACM , November 1979. 2/23/2017

Adi Shamir, How to Share a Secret, CACM November 1979 CACM , November 1979. 2/23/2017

2/23/2017 Adi Shamir, How to Share a Secret, CACM November 1979 CACM , November 1979. 2/23/2017 Secret shares (S. S. Lam) 1 1 2/23/2017 How to share a secret [Shamir 1979] ( K N ) th ( K , N ) threshold scheme h ld h Secret D is

570 views • 8 slides
Homomorphic Secret Sharing II Homomorphic Secret Sharing for Branching Programs Under DDH Ele:e

Homomorphic Secret Sharing II Homomorphic Secret Sharing for Branching Programs Under DDH Ele:e

Homomorphic Secret Sharing II Homomorphic Secret Sharing for Branching Programs Under DDH Ele:e Boyle Niv Gilboa Yuval Ishai IDC BGU Technion &amp; UCLA Secure ComputaGon Approaches Classical

342 views • 33 slides
Breaking the Circuit-Size Barrier in Secret Sharing Tianren Liu Vinod Vaikuntanathan MIT MIT

Breaking the Circuit-Size Barrier in Secret Sharing Tianren Liu Vinod Vaikuntanathan MIT MIT

Breaking the Circuit-Size Barrier in Secret Sharing Tianren Liu Vinod Vaikuntanathan MIT MIT 50th ACM Symposium on Theory of Computing June 27, 2018 Secret Sharing [Blakley79,Shamir79,Ito-Saito-Nishizeki87] Secret Secret Sharing

790 views • 75 slides
Today. Polynomials. Secret Sharing. A secret! I have a secret! A number from 0 to 10. What is

Today. Polynomials. Secret Sharing. A secret! I have a secret! A number from 0 to 10. What is

Today. Polynomials. Secret Sharing. A secret! I have a secret! A number from 0 to 10. What is it? Any one of you knows nothing! Any two of you can figure it out! Example Applications: Nuclear launch: need at least 3 out of 5 people to

513 views • 23 slides
Towards Breaking the Exponential Barrier for General Secret Sharing Tianren Liu Vinod

Towards Breaking the Exponential Barrier for General Secret Sharing Tianren Liu Vinod

Towards Breaking the Exponential Barrier for General Secret Sharing Tianren Liu Vinod Vaikuntanathan Hoeteck Wee MIT MIT CNRS and ENS May 6, 2018 Secret Sharing [Blakley79,Shamir79,Ito-Saito-Nishizeki87] Secret s { 0 , 1 }

1.02k views • 85 slides
CS 166: Information Security Secret Sharing, Random Numbers, and Information Hiding Prof. Tom

CS 166: Information Security Secret Sharing, Random Numbers, and Information Hiding Prof. Tom

CS 166: Information Security Secret Sharing, Random Numbers, and Information Hiding Prof. Tom Austin San Jos State University Secret Sharing: Motivation Goal: make secret available, but make it hard to peek. Divide secret among

731 views • 48 slides
On the Local Leakage Resilience of Linear Secret Sharing Schemes Linear Secret Sharing Schemes

On the Local Leakage Resilience of Linear Secret Sharing Schemes Linear Secret Sharing Schemes

On the Local Leakage Resilience of Linear Secret Sharing Schemes Linear Secret Sharing Schemes Akshay Degwekar (MIT) Joint with Fabrice Benhamouda (IBM Research), Yuval Ishai (Technion) and Tal Rabin (IBM Research) Leakage attacks can be

547 views • 30 slides
Securing Secret Sharing Against Leakage and Tampering Ashutosh Kumar Based on joint works with

Securing Secret Sharing Against Leakage and Tampering Ashutosh Kumar Based on joint works with

Securing Secret Sharing Against Leakage and Tampering Ashutosh Kumar Based on joint works with Vipul Goyal, Raghu Meka, and Amit Sahai Secret Sharing secret s n s 1 s i Correctness: Any out of parties can

1.72k views • 144 slides
Berkeley CS276 &amp; MIT 6.875 Secret sharing and applications Lecturer: Raluca Ada Popa

Berkeley CS276 &amp; MIT 6.875 Secret sharing and applications Lecturer: Raluca Ada Popa

Berkeley CS276 &amp; MIT 6.875 Secret sharing and applications Lecturer: Raluca Ada Popa Starting to record Nuclear launch codes A judge, president and general receive shares ! , &quot; , # of a secret from a

473 views • 35 slides
Today. Secret Sharing. Polynomials A polynomial P ( x ) = a d x d + a d 1 x d 1 +

Today. Secret Sharing. Polynomials A polynomial P ( x ) = a d x d + a d 1 x d 1 +

Today. Secret Sharing. Polynomials A polynomial P ( x ) = a d x d + a d 1 x d 1 + a 0 . is specified by coefficients a d ,... a 0 . Share secret among n people. Polynomials. P ( x ) contains point ( a , b ) if b = P ( a ) .

221 views • 8 slides
escrypt GmbH for Embedded Security A Generic Architecture and Extension of eCryptfs: Secret

escrypt GmbH for Embedded Security A Generic Architecture and Extension of eCryptfs: Secret

System Provider escrypt GmbH for Embedded Security A Generic Architecture and Extension of eCryptfs: Secret Sharing Scheme, Smartcard Integration and a new Linux Security Module Daniel Bumeyer 2 , Benedikt Driessen 1 , Andr Osterhues 1 ,

630 views • 18 slides
Sharing and Protecting Data to Improve Student Outcomes Community Schools Community of Practice

Sharing and Protecting Data to Improve Student Outcomes Community Schools Community of Practice

Sharing and Protecting Data to Improve Student Outcomes Community Schools Community of Practice Nov. 16, 2017 Agenda Why sharing and protecting student data matters Sharing data deep dive Protecting data deep dive Tips

313 views • 30 slides
Protecting communications against forgery D. J. Bernstein University of Illinois at Chicago

Protecting communications against forgery D. J. Bernstein University of Illinois at Chicago

Protecting communications against forgery D. J. Bernstein University of Illinois at Chicago Secret-key authenticators Message m 10 50 Z , at most 1000000 digits. Sender and receiver know secret prime p , 10 39 &lt; p &lt; 10 40 , and

479 views • 18 slides
How to Keep a Secret Key Securely Information can be secured by encryption under a secret key.

How to Keep a Secret Key Securely Information can be secured by encryption under a secret key.

How to Keep a Secret Key Securely Information can be secured by encryption under a secret key. The ciphertext can be replicated. Even if one replicated copy is lost, or stolen, Secret Sharing the information

181 views • 6 slides
A Concrete Treatment of Fiat-Shamir Signatures in the Quantum Random-Oracle Model EUROCRYPT 2018

A Concrete Treatment of Fiat-Shamir Signatures in the Quantum Random-Oracle Model EUROCRYPT 2018

A Concrete Treatment of Fiat-Shamir Signatures in the Quantum Random-Oracle Model EUROCRYPT 2018 Eike Kiltz , Vadim Lyubashevsky, Christian Schaffner Classical Signature Schemes Full Domain Hash Trapdoor function Signature Scheme Fiat-Shamir

268 views • 26 slides
Ideal Multipartite Secret Sharing Schemes Oriol Farrs, Jaume Mart-Farr, Carles Padr

Ideal Multipartite Secret Sharing Schemes Oriol Farrs, Jaume Mart-Farr, Carles Padr

Ideal Secret Sharing Schemes Ideal Multipartite Access Structures Ideal Multipartite Secret Sharing Schemes Oriol Farrs, Jaume Mart-Farr, Carles Padr Universitat Politcnica de Catalunya Eurocrypt 2007, Barcelona Farrs,

890 views • 33 slides

More recommend