Provably Secure Higher-Order Masking of AES
Matthieu Rivain (CryptoExperts), Emmanuel Prouff (Oberthur)
CHES 2010, Santa Barbara, Aug. 20th
CHES 2010 – Provably Secure Higher-Order Masking of AES

Outline
1 Introduction
  • Higher-Order Masking
  • ISW Scheme (CRYPTO’03)
2 Our Scheme
  • Masking the S-box
  • Masking the Whole AES
  • Security
  • Implementation Results
3 Conclusion

Higher-Order Masking
Basic principle
• Every key-dependent variable $x$ is shared into $d+1$ variables: $x_0 \oplus x_1 \oplus \cdots \oplus x_d = x$
• The masks ($i \geq 1$): $x_i \leftarrow \$$
• The masked variable: $x_0 \leftarrow x \oplus x_1 \oplus \cdots \oplus x_d$
• Note: equivalent to a $d+1$ out of $d+1$ secret sharing of $x$
• Computation carried out by processing the shares separately

Higher-Order Masking
Soundness [Chari-Jutla-Rao-Rohatgi CRYPTO’99]
• Bit $x$ masked $\mapsto x_0, x_1, \ldots, x_d$
• Leakage: $L_i \sim x_i + \mathcal{N}(\mu, \sigma^2)$
• Number of leakage samples to distinguish $\big((L_i)_i \mid x = 0\big)$ from $\big((L_i)_i \mid x = 1\big)$: $q \geq O(1)\,\sigma^d$
Higher-order masking is sound in the presence of noisy leakage!

Higher-Order Masking Schemes
Definition
A $d$th-order masking scheme for an encryption algorithm $c \leftarrow E(m, k)$ is an algorithm
$(c_0, c_1, \ldots, c_d) \leftarrow E'\big((m_0, m_1, \ldots, m_d), (k_0, k_1, \ldots, k_d)\big)$
• completeness: $\bigoplus_i m_i = m$ and $\bigoplus_i k_i = k$ $\Rightarrow$ $\bigoplus_i c_i = E(m, k)$
• security: $\forall (iv_1, iv_2, \ldots, iv_d) \in \{\text{intermediate var. of } E'\}^d$: $\mathrm{MI}\big((iv_1, iv_2, \ldots, iv_d), (m, k)\big) = 0$
For SPN (e.g. DES, AES) the main issue is masking the S-box.

Higher-Order Masking Schemes
Literature
Software implementations:
• [Schramm-Paar CT-RSA’06]
  ◮ secure only for $d \leq 2$ [Coron-Prouff-Rivain CHES’07]
• [Rivain-Dottax-Prouff FSE’08]
  ◮ alternative solutions dedicated to $d = 2$
Hardware implementations:
• [Ishai-Sahai-Wagner CRYPTO’03]
  ◮ every wire/logic gate is masked at an arbitrary order $d$
  ◮ wire values ≡ intermediate variables ⇒ $d$th-order masking scheme

Ishai-Sahai-Wagner (ISW) Scheme
Principle
• AND gates encoding:
  ◮ Input: $(a_i)_i$, $(b_i)_i$ s.t. $\bigoplus_i a_i = a$, $\bigoplus_i b_i = b$
  ◮ Output: $(c_i)_i$ s.t. $\bigoplus_i c_i = ab$
• $\bigoplus_i c_i = \big(\bigoplus_i a_i\big)\big(\bigoplus_i b_i\big) = \bigoplus_{i,j} a_i b_j$
• Example ($d = 2$):
$$\begin{pmatrix} a_0 b_0 & a_0 b_1 & a_0 b_2 \\ a_1 b_0 & a_1 b_1 & a_1 b_2 \\ a_2 b_0 & a_2 b_1 & a_2 b_2 \end{pmatrix}$$
$$\begin{pmatrix} a_0 b_0 & a_0 b_1 & a_0 b_2 \\ 0 & a_1 b_1 & a_1 b_2 \\ 0 & 0 & a_2 b_2 \end{pmatrix} \oplus \begin{pmatrix} 0 & 0 & 0 \\ a_1 b_0 & 0 & 0 \\ a_2 b_0 & a_2 b_1 & 0 \end{pmatrix}$$
$$\begin{pmatrix} a_0 b_0 & a_0 b_1 & a_0 b_2 \\ 0 & a_1 b_1 & a_1 b_2 \\ 0 & 0 & a_2 b_2 \end{pmatrix} \oplus \begin{pmatrix} 0 & a_1 b_0 & a_2 b_0 \\ 0 & 0 & a_2 b_1 \\ 0 & 0 & 0 \end{pmatrix}$$
$$\begin{pmatrix} a_0 b_0 & a_0 b_1 \oplus a_1 b_0 & a_0 b_2 \oplus a_2 b_0 \\ 0 & a_1 b_1 & a_1 b_2 \oplus a_2 b_1 \\ 0 & 0 & a_2 b_2 \end{pmatrix}$$
$$\begin{pmatrix} a_0 b_0 & a_0 b_1 \oplus a_1 b_0 & a_0 b_2 \oplus a_2 b_0 \\ 0 & a_1 b_1 & a_1 b_2 \oplus a_2 b_1 \\ 0 & 0 & a_2 b_2 \end{pmatrix} \oplus \begin{pmatrix} 0 & r_{1,2} & r_{1,3} \\ 0 & 0 & r_{2,3} \\ 0 & 0 & 0 \end{pmatrix}$$

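Added example (not from the slides or the authors' implementation): the Boolean sharing of the basic-principle slide and the ISW AND gate, generalized from the d = 2 example to any order d, in C. It applies the standard ISW rule r_{j,i} = (r_{i,j} ⊕ a_i b_j) ⊕ a_j b_i, which goes one step beyond where the example above stops. The names rnd8, share, unshare, isw_and and masked_and are chosen here, indices are 0-based, and rand() is an assumed stand-in for a hardware RNG.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_SHARES 8 /* supports orders d <= 7 */

/* Placeholder randomness (assumption): rand() is not fit for real masking; use a TRNG. */
static uint8_t rnd8(void) { return (uint8_t)(rand() & 0xff); }

/* Split x into n = d+1 shares: x_1..x_d random, x_0 = x ^ x_1 ^ ... ^ x_d. */
void share(uint8_t x, uint8_t *s, int n) {
    s[0] = x;
    for (int i = 1; i < n; i++) { s[i] = rnd8(); s[0] ^= s[i]; }
}

/* Recombine a sharing: XOR of all n shares. */
uint8_t unshare(const uint8_t *s, int n) {
    uint8_t x = 0;
    for (int i = 0; i < n; i++) x ^= s[i];
    return x;
}

/* ISW AND on n shares. Each byte carries 8 independent AND gates (bitwise &).
 * Output share c_i = a_i b_i ^ XOR_{j != i} r_{i,j}; a and b are never recombined. */
void isw_and(const uint8_t *a, const uint8_t *b, uint8_t *c, int n) {
    for (int i = 0; i < n; i++) c[i] = a[i] & b[i]; /* diagonal terms a_i b_i */
    for (int i = 0; i < n; i++)
        for (int j = i + 1; j < n; j++) {
            uint8_t r_ij = rnd8(); /* fresh random for each pair i < j */
            /* Bracket order matters: mask a_i b_j with r_ij before adding a_j b_i. */
            uint8_t r_ji = (uint8_t)((r_ij ^ (a[i] & b[j])) ^ (a[j] & b[i]));
            c[i] ^= r_ij;
            c[j] ^= r_ji;
        }
}

/* Check helper: share a and b at order d, run the masked AND, recombine. */
uint8_t masked_and(uint8_t a, uint8_t b, int d) {
    uint8_t sa[MAX_SHARES], sb[MAX_SHARES], sc[MAX_SHARES];
    int n = d + 1;
    share(a, sa, n);
    share(b, sb, n);
    isw_and(sa, sb, sc, n);
    return unshare(sc, n);
}

int main(void) {
    printf("0x%02x\n", masked_and(0xC3, 0x5A, 2)); /* 0xC3 & 0x5A = 0x42 */
    return 0;
}
```

The pairwise randoms cancel when the output shares are XORed, which is the completeness property; an optimizing compiler may reorder the XORs in r_ji, so production code must verify the generated instruction order.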