provably secure higher order masking of aes
play

Provably Secure Higher-Order Masking of AES Matthieu Rivain - PowerPoint PPT Presentation

Dec 28, 2022 •319 likes •1.1k views

Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts Oberthur CHES 2010, Santa Barbara, Aug. 20 th CHES 2010 Provably Secure Higher-Order Masking of AES Outline 1 Introduction Higher-Order

  1. Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts Oberthur CHES 2010, Santa Barbara, Aug. 20 th CHES 2010 – Provably Secure Higher-Order Masking of AES

  2. Outline 1 � Introduction � Higher-Order Masking � ISW Scheme (CRYPTO’03) 2 � Our Scheme � Masking the S-box � Masking the Whole AES � Security � Implementation Results 3 � Conclusion CHES 2010 – Provably Secure Higher-Order Masking of AES

  3. Outline 1 � Introduction � Higher-Order Masking � ISW Scheme (CRYPTO’03) 2 � Our Scheme � Masking the S-box � Masking the Whole AES � Security � Implementation Results 3 � Conclusion CHES 2010 – Provably Secure Higher-Order Masking of AES

  4. Higher-Order Masking Basic principle � Every key-dependent variable x is shared into d + 1 variables ⊥ x 0 ⊥ x 1 ⊥ · · · ⊥ x d = x ⊥ CHES 2010 – Provably Secure Higher-Order Masking of AES

  5. Higher-Order Masking Basic principle � Every key-dependent variable x is shared into d + 1 variables ⊥ x 0 ⊕ x 1 ⊕ · · · ⊕ x d = x ⊥ CHES 2010 – Provably Secure Higher-Order Masking of AES

  6. Higher-Order Masking Basic principle � Every key-dependent variable x is shared into d + 1 variables ⊥ x 0 ⊕ x 1 ⊕ · · · ⊕ x d = x ⊥ � The masks ( i ≥ 1 ): x i ← $ CHES 2010 – Provably Secure Higher-Order Masking of AES

  7. Higher-Order Masking Basic principle � Every key-dependent variable x is shared into d + 1 variables ⊥ x 0 ⊕ x 1 ⊕ · · · ⊕ x d = x ⊥ � The masks ( i ≥ 1 ): x i ← $ � The masked variable : x 0 ← x ⊕ x 1 ⊕ · · · ⊕ x d CHES 2010 – Provably Secure Higher-Order Masking of AES

  8. Higher-Order Masking Basic principle � Every key-dependent variable x is shared into d + 1 variables ⊥ x 0 ⊕ x 1 ⊕ · · · ⊕ x d = x ⊥ � The masks ( i ≥ 1 ): x i ← $ � The masked variable : x 0 ← x ⊕ x 1 ⊕ · · · ⊕ x d � Note: equiv. d + 1 out of d + 1 secret sharing of x CHES 2010 – Provably Secure Higher-Order Masking of AES

  9. Higher-Order Masking Basic principle � Every key-dependent variable x is shared into d + 1 variables ⊥ x 0 ⊕ x 1 ⊕ · · · ⊕ x d = x ⊥ � The masks ( i ≥ 1 ): x i ← $ � The masked variable : x 0 ← x ⊕ x 1 ⊕ · · · ⊕ x d � Note: equiv. d + 1 out of d + 1 secret sharing of x � Computation carried out by processing the shares separately CHES 2010 – Provably Secure Higher-Order Masking of AES

  10. Higher-Order Masking Soundness [Chari-Jutla-Rao-Rohatgi CRYPTO’99] � Bit x masked �→ x 0 , x 1 , . . . , x d � Leakage : L i ∼ x i + N ( µ, σ 2 ) CHES 2010 – Provably Secure Higher-Order Masking of AES

  11. Higher-Order Masking Soundness [Chari-Jutla-Rao-Rohatgi CRYPTO’99] � Bit x masked �→ x 0 , x 1 , . . . , x d � Leakage : L i ∼ x i + N ( µ, σ 2 ) � � � Number of leakage samples to distinguish ( L i ) i | x = 0 from � � ( L i ) i | x = 1 : q ≥ O (1) σ d CHES 2010 – Provably Secure Higher-Order Masking of AES

  12. Higher-Order Masking Soundness [Chari-Jutla-Rao-Rohatgi CRYPTO’99] � Bit x masked �→ x 0 , x 1 , . . . , x d � Leakage : L i ∼ x i + N ( µ, σ 2 ) � � � Number of leakage samples to distinguish ( L i ) i | x = 0 from � � ( L i ) i | x = 1 : q ≥ O (1) σ d Higher-order masking is sound in the presence of noisy leakage! CHES 2010 – Provably Secure Higher-Order Masking of AES

  13. Higher-Order Masking Schemes Definition A d th-order masking scheme for an encryption algorithm c ← E ( m, k ) is an algorithm ( c 0 , c 1 , . . . , c d ) ← E ′ � � ( m 0 , m 1 , . . . , m d ) , ( k 0 , k 1 , . . . , k d ) CHES 2010 – Provably Secure Higher-Order Masking of AES

  14. Higher-Order Masking Schemes Definition A d th-order masking scheme for an encryption algorithm c ← E ( m, k ) is an algorithm ( c 0 , c 1 , . . . , c d ) ← E ′ � � ( m 0 , m 1 , . . . , m d ) , ( k 0 , k 1 , . . . , k d ) � completeness : � i m i = m and � i k i = k � ⇒ i c i = E ( m, k ) CHES 2010 – Provably Secure Higher-Order Masking of AES

  15. Higher-Order Masking Schemes Definition A d th-order masking scheme for an encryption algorithm c ← E ( m, k ) is an algorithm ( c 0 , c 1 , . . . , c d ) ← E ′ � � ( m 0 , m 1 , . . . , m d ) , ( k 0 , k 1 , . . . , k d ) � completeness : � i m i = m and � i k i = k � ⇒ i c i = E ( m, k ) � security : ∀ ( iv 1 , iv 2 , . . . , iv d ) ∈ { intermediate var. of E ′ } d : � � MI ( iv 1 , iv 2 , . . . , iv d ) , ( m, k ) = 0 CHES 2010 – Provably Secure Higher-Order Masking of AES

  16. Higher-Order Masking Schemes Definition A d th-order masking scheme for an encryption algorithm c ← E ( m, k ) is an algorithm ( c 0 , c 1 , . . . , c d ) ← E ′ � � ( m 0 , m 1 , . . . , m d ) , ( k 0 , k 1 , . . . , k d ) � completeness : � i m i = m and � i k i = k � ⇒ i c i = E ( m, k ) � security : ∀ ( iv 1 , iv 2 , . . . , iv d ) ∈ { intermediate var. of E ′ } d : � � MI ( iv 1 , iv 2 , . . . , iv d ) , ( m, k ) = 0 For SPN ( eg. DES, AES) the main issue is masking the S-box. CHES 2010 – Provably Secure Higher-Order Masking of AES

  17. Higher-Order Masking Schemes Literature Software implementations: � [Schramm-Paar CT-RSA’06] ◮ secure only for d ≤ 2 [Coron-Prouff-Rivain CHES’07] CHES 2010 – Provably Secure Higher-Order Masking of AES

  18. Higher-Order Masking Schemes Literature Software implementations: � [Schramm-Paar CT-RSA’06] ◮ secure only for d ≤ 2 [Coron-Prouff-Rivain CHES’07] � [Rivain-Dottax-Prouff FSE’08] ◮ alternative solutions dedicated to d = 2 CHES 2010 – Provably Secure Higher-Order Masking of AES

  19. Higher-Order Masking Schemes Literature Software implementations: � [Schramm-Paar CT-RSA’06] ◮ secure only for d ≤ 2 [Coron-Prouff-Rivain CHES’07] � [Rivain-Dottax-Prouff FSE’08] ◮ alternative solutions dedicated to d = 2 Hardware implementations: � [Ishai-Sahai-Wagner CRYPTO’03] ◮ every wire/logic gate is masked at an arbitrary order d ◮ wires values ≡ intermediate variables ⇒ d th-order masking scheme CHES 2010 – Provably Secure Higher-Order Masking of AES

  20. Ishai-Sahai-Wagner (ISW) Scheme Principle � AND gates encoding: ◮ Input: ( a i ) i , ( b i ) i s.t. � i a i = a , � i b i = b ◮ Output: ( c i ) i s.t. � i c i = ab CHES 2010 – Provably Secure Higher-Order Masking of AES

  21. Ishai-Sahai-Wagner (ISW) Scheme Principle � AND gates encoding: ◮ Input: ( a i ) i , ( b i ) i s.t. � i a i = a , � i b i = b ◮ Output: ( c i ) i s.t. � i c i = ab � �� ��� � � i c i = i a i i b i = i,j a i b j CHES 2010 – Provably Secure Higher-Order Masking of AES

  22. Ishai-Sahai-Wagner (ISW) Scheme Principle � AND gates encoding: ◮ Input: ( a i ) i , ( b i ) i s.t. � i a i = a , � i b i = b ◮ Output: ( c i ) i s.t. � i c i = ab � �� ��� � � i c i = i a i i b i = i,j a i b j � Example ( d = 2 ):   a 0 b 0 a 0 b 1 a 0 b 2   a 1 b 0 a 1 b 1 a 1 b 2 a 2 b 0 a 2 b 1 a 2 b 2 CHES 2010 – Provably Secure Higher-Order Masking of AES

  23. Ishai-Sahai-Wagner (ISW) Scheme Principle � AND gates encoding: ◮ Input: ( a i ) i , ( b i ) i s.t. � i a i = a , � i b i = b ◮ Output: ( c i ) i s.t. � i c i = ab � �� ��� � � i c i = i a i i b i = i,j a i b j � Example ( d = 2 ):     a 0 b 0 a 0 b 1 a 0 b 2 0 0 0   ⊕   0 a 1 b 1 a 1 b 2 a 1 b 0 0 0 0 0 a 2 b 2 a 2 b 0 a 2 b 1 0 CHES 2010 – Provably Secure Higher-Order Masking of AES

  24. Ishai-Sahai-Wagner (ISW) Scheme Principle � AND gates encoding: ◮ Input: ( a i ) i , ( b i ) i s.t. � i a i = a , � i b i = b ◮ Output: ( c i ) i s.t. � i c i = ab � �� ��� � � i c i = i a i i b i = i,j a i b j � Example ( d = 2 ):     a 0 b 0 a 0 b 1 a 0 b 2 0 a 1 b 0 a 2 b 0   ⊕   0 a 1 b 1 a 1 b 2 0 0 a 2 b 1 0 0 a 2 b 2 0 0 0 CHES 2010 – Provably Secure Higher-Order Masking of AES

  25. Ishai-Sahai-Wagner (ISW) Scheme Principle � AND gates encoding: ◮ Input: ( a i ) i , ( b i ) i s.t. � i a i = a , � i b i = b ◮ Output: ( c i ) i s.t. � i c i = ab � �� ��� � � i c i = i a i i b i = i,j a i b j � Example ( d = 2 ):   a 0 b 1 ⊕ a 1 b 0 a 0 b 2 ⊕ a 2 b 0 a 0 b 0   0 a 1 b 1 a 1 b 2 ⊕ a 2 b 1 0 0 a 2 b 2 CHES 2010 – Provably Secure Higher-Order Masking of AES

  26. Ishai-Sahai-Wagner (ISW) Scheme Principle � AND gates encoding: ◮ Input: ( a i ) i , ( b i ) i s.t. � i a i = a , � i b i = b ◮ Output: ( c i ) i s.t. � i c i = ab � �� ��� � � i c i = i a i i b i = i,j a i b j � Example ( d = 2 ):   a 0 b 1 ⊕ a 1 b 0 a 0 b 2 ⊕ a 2 b 0 a 0 b 0   0 a 1 b 1 a 1 b 2 ⊕ a 2 b 1 0 0 a 2 b 2 CHES 2010 – Provably Secure Higher-Order Masking of AES

  27. Ishai-Sahai-Wagner (ISW) Scheme Principle � AND gates encoding: ◮ Input: ( a i ) i , ( b i ) i s.t. � i a i = a , � i b i = b ◮ Output: ( c i ) i s.t. � i c i = ab � �� ��� � � i c i = i a i i b i = i,j a i b j � Example ( d = 2 ):     a 0 b 1 ⊕ a 1 b 0 a 0 b 2 ⊕ a 2 b 0 a 0 b 0 0 r 1 , 2 r 1 , 3   ⊕   0 a 1 b 1 a 1 b 2 ⊕ a 2 b 1 0 0 r 2 , 3 0 0 a 2 b 2 0 0 0 CHES 2010 – Provably Secure Higher-Order Masking of AES

Recommend

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun Goudarzi and Matthieu Rivain CHES 2016, Santa-Barbara Higher-Order Masking x = x 1 + x 2 + + x d 2/28 Higher-Order Masking x = x 1 + x 2 +

855 views • 42 slides
Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking Blandine

Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking Blandine

Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking Blandine Debraize Leuven, September 10th, 2012 I NTRODUCTION 1 K NOWN TABLE - BASED METHODS 2 C ORON -T CHULKINE METHOD N EISSE -P ULKUS METHOD 3 C

413 views • 28 slides
Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

8 + Introduction Higher Order Masking Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved Scheme Experimental Results J.-S. Coron 1 E. Prouff 2 M. Rivain 1 , 2 Conclusion 1 University of

555 views • 43 slides
Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint work with C. Carlet, L. Goubin,

Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint work with C. Carlet, L. Goubin,

Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint work with C. Carlet, L. Goubin, E. Prouff and M. Quisquater FSE 2012 Washington DC, 21st March 2012 Higher-Order Masking Schemes for S-boxes Outline 1 Introduction 2

1.33k views • 98 slides
High Order Masking of Look-up Tables with Common Shares J-S.Coron, F.Rondepierre, R.Zeitoun 12th

High Order Masking of Look-up Tables with Common Shares J-S.Coron, F.Rondepierre, R.Zeitoun 12th

High Order Masking of Look-up Tables with Common Shares J-S.Coron, F.Rondepierre, R.Zeitoun 12th September 2018 Outline Outline 1 Introduction 1st Order Solution Higher Order Masking of Look-Up Tables 2 Higher Order: Optimizations 12th

388 views • 35 slides
Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu

Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu

8 + Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu Rivain 1 , 2 , Emmanuelle Dottax 1 & Emmanuel Prouff 1 Oberthur Card Systems University of Luxembourg February 11, 2008 M. Rivain, E.

812 views • 64 slides
Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark

Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark

Computational Complexity Provably-secure constructions Problems with provably-secure constructions Attempts at practical constructions Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark Quo Vadis

874 views • 20 slides
How Fast Can Higher-Order Masking Be in Software? Dahmun Goudarzi and Matthieu Rivain EUROCRYPT

How Fast Can Higher-Order Masking Be in Software? Dahmun Goudarzi and Matthieu Rivain EUROCRYPT

How Fast Can Higher-Order Masking Be in Software? Dahmun Goudarzi and Matthieu Rivain EUROCRYPT 2017, Paris 1 Introduction 2 Field Multiplications 3 Non-Linear Operations 4 Generic Polynomial Methods 5 Polynomial Methods for

873 views • 51 slides
Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure countermeasure Against (first) order power analysis based on multi party computation and secret sharing 2 Outline Threshold Implementations

990 views • 58 slides
Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and Franois-Xavier Standaert UCL (Louvain-la-Neuve, Belgium) CHES 2017, Taipei, Taiwan Outline Background Masking Barthe et al. masking

614 views • 48 slides
Provably secure compilation of side-channel countermeasures: the case of cryptographic

Provably secure compilation of side-channel countermeasures: the case of cryptographic

Provably secure compilation of side-channel countermeasures: the case of cryptographic constant-time Gilles Barthe Benjamin Grgoire Vincent Laporte CSF18, 2018-07-12 Vincent Laporte et alii Provably secure compilation of

501 views • 25 slides
Towards a Provably Secure DoS-Resilient Key Exchange Protocol with PFS 1 L. Kuppusamy * J.

Towards a Provably Secure DoS-Resilient Key Exchange Protocol with PFS 1 L. Kuppusamy * J.

Introduction Contributions Conclusion Towards a Provably Secure DoS-Resilient Key Exchange Protocol with PFS 1 L. Kuppusamy * J. Rangasamy * D. Stebila * C. Boyd * J.M. Gonzlez Nieto * * Information Security Institute Queensland

943 views • 22 slides
York University www.cs.york.ac.uk/~ndm First order vs Higher order Higher order:

York University www.cs.york.ac.uk/~ndm First order vs Higher order Higher order:

First Order Haskell Neil Mitchell York University www.cs.york.ac.uk/~ndm First order vs Higher order Higher order: functions are values Can be passed around Stored in data structure Harder for reasoning and analysis More

483 views • 15 slides
Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Introduction RSM: Rotating Sboxes Masking Information Theoretic Evaluation of RSM Security Evaluation of RSM against CPA and 2O-CPA Conclusions and Perspectives Formal Analysis of the Entropy / Security Trade-off in First-Order Masking

539 views • 38 slides
Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its

Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its

Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its Verification Mads Dam KTH Royal Institute of Technology BISS spring school, Bertinoro 2018 The Goal Hypervisor Context switch: Fixed round-robin

1.16k views • 67 slides
Provably Secure Execution Platforms - Lecture One: Introduction Mads Dam KTH Royal Institute

Provably Secure Execution Platforms - Lecture One: Introduction Mads Dam KTH Royal Institute

Provably Secure Execution Platforms - Lecture One: Introduction Mads Dam KTH Royal Institute of Technology Thanks to Roberto Guanciale, Musard Balliu, Christoph Baumann, Hamed Nemati, Oliver Schwarz, Victor Do, Christian Gehrmann, Jonas

1.41k views • 114 slides
Why higher-order logic? Higher-Order logic Expressive Mathematics Verification

Why higher-order logic? Higher-Order logic Expressive Mathematics Verification

Extending SMT solvers to higher-order logic Haniel Barbosa Andrew Reynolds Daniel El Ouraoui Clark Barrett Cesare Tinelli SMT 2019 20190707, Lisbon, PT To be published in the proceedings of CADE 2019 Why higher-order logic?

569 views • 25 slides
Provably Secure Key Assignment Schemes from Factoring Eduarda S. V. Freire and Kenneth G.

Provably Secure Key Assignment Schemes from Factoring Eduarda S. V. Freire and Kenneth G.

Provably Secure Key Assignment Schemes from Factoring Eduarda S. V. Freire and Kenneth G. Paterson Information Security Group Royal Holloway, University of London Outline of the Talk Hierarchical Key Assignment Schemes Definition of

802 views • 48 slides
ObliviAd : Provably Secure and Practical Online Behavioral Advertising [IEEE S&P 12]

ObliviAd : Provably Secure and Practical Online Behavioral Advertising [IEEE S&P 12]

ObliviAd : Provably Secure and Practical Online Behavioral Advertising [IEEE S&P 12] Michael Backes 1 , 2 Aniket Kate 1 Matteo Maffei 2 Kim Pecina 2 1 MPI-SWS, Germany 2 Saarland University, Germany Tracking in the Advertising World Today

744 views • 35 slides
Provably Secure Anonymous-yet-Accountable Crowdsensing with Scalable Sublinear Revocatjon Sazzadur

Provably Secure Anonymous-yet-Accountable Crowdsensing with Scalable Sublinear Revocatjon Sazzadur

PETS 2017 The 17th Privacy Enhancing T echnologies Symposium July 1821, 2017 Minneapolis, MN, USA Provably Secure Anonymous-yet-Accountable Crowdsensing with Scalable Sublinear Revocatjon Sazzadur Rahaman 1 , Long Cheng 1 , Danfeng (Daphne)

650 views • 18 slides
Provably Secure Machine Learning Jacob Steinhardt ARO Adversarial Machine Learning Workshop

Provably Secure Machine Learning Jacob Steinhardt ARO Adversarial Machine Learning Workshop

Provably Secure Machine Learning Jacob Steinhardt ARO Adversarial Machine Learning Workshop September 14, 2017 Why Prove Things? Attackers often have more motivation/resources than defenders Heuristic defenses: arms race between attack and

738 views • 52 slides
Higher order complexity Hugo Fre Mathieu Hoyrup CCA 2013 Hugo Fre Higher order

Higher order complexity Hugo Fre Mathieu Hoyrup CCA 2013 Hugo Fre Higher order

Background & motivation Higher order strategies Higher order Turing machines Computable analysis Conclusion Higher order complexity Hugo Fre Mathieu Hoyrup CCA 2013 Hugo Fre Higher order complexity 1/12 Background &

383 views • 15 slides
Higher-order Interpretations for Higher-order Complexity Emmanuel Hainry & Romain Pchoux

Higher-order Interpretations for Higher-order Complexity Emmanuel Hainry & Romain Pchoux

Higher-order Interpretations for Higher-order Complexity Emmanuel Hainry & Romain Pchoux DICE-FOPARA, 22-23 april 2017 CNRS, INRIA, Universit de Lorraine & LORIA, Nancy, France 1 Introduction First-order computability and

801 views • 46 slides
Obtaining Provably Secure Services from Formally Verified Remote Attestation Gene Tsudik 1 Joint

Obtaining Provably Secure Services from Formally Verified Remote Attestation Gene Tsudik 1 Joint

Obtaining Provably Secure Services from Formally Verified Remote Attestation Gene Tsudik 1 Joint work with: Ivan De Oliveira Nunes 1 , Karim Eldefrawy 2 , Norrathep Rattanavipanon 1 University of California Irvine 1 , SRI International 2 1 In

847 views • 48 slides

More recommend