second order masked lookup table compression scheme
play

Second-Order Masked Lookup Table Compression Scheme Annapurna - PowerPoint PPT Presentation

Mar 17, 2024 •284 likes •806 views

Second-Order Masked Lookup Table Compression Scheme Annapurna Valiveti , Srinivas Vivek IIIT Bangalore annapurna@iiitb.org, srinivas.vivek@iiitb.ac.in 14-17 September, CHES 2020 Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup

  1. Second-Order Masked Lookup Table Compression Scheme Annapurna Valiveti , Srinivas Vivek IIIT Bangalore annapurna@iiitb.org, srinivas.vivek@iiitb.ac.in 14-17 September, CHES 2020 Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  2. Introduction Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  3. Side-Channel Attacks Traditionally, cryptosystems were viewed as black boxes Change of view in the crypto research community since mid-90s due to Kocher et al. Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  4. Side-Channel Attacks Figure: Side-channel experiment Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  5. Side-Channel Attacks Figure: Power attack setup Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  6. Masking Countermeasure In this presentation, we only focus on software countermeasures to power analysis attacks Goal is to minimise the effect of side-channel leakage Masking countermeasure against SCA x = x 1 ⊕ . . . ⊕ x d ⊕ x d +1 d ← masking order Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  7. Security Models Loosely speaking, SCA complexity is exponential w.r.t. masking order d Security offered has been relatively well analysed Probing [ ISW’03 ] & noisy leakage model [ CJJR’99, RP’13, DDF’14 ] Figure: Adversary observing using at most d probes Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  8. Masking of Block Ciphers Categories of block cipher operations: Linear functions are straightforward to compute in presence of shares f ( x ) = f ( x 1 ) ⊕ f ( x 2 ) ⊕ . . . ⊕ f ( x d +1 ) Main challenge is to securely compute non-linear functions For block ciphers, this reduces to securing their S-boxes Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  9. Classification of Countermeasures SCA Countermeasures Lookup table- Circuit-based based schemes schemes Figure: Classification of countermeasures Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  10. First-Order Table-Based Masking First-order (1-O) lookup table masking. Originally proposed in [ CJJR’99 ] Input : ( n , m )-S-box Two input shares x 1 , x 2 , s.t. x = x 1 ⊕ x 2 Method : Create a temporary table T in RAM s.t. ∀ a ∈ { 0 , 1 } n T ( a ) = S ( x 1 ⊕ a ) ⊕ y 1 Output shares : y 1 , y 2 = T ( x 2 ), s.t. S( x ) = y 1 ⊕ y 2 Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  11. Table-Based vs. Circuit-Based S-Box Masking AES : time overhead factor: 2 to 4 , RAM memory = 256 bytes per S-box function RAM Memory can be expensive for highly resource-constrained environments Alternate approaches exist ( [ PR’07 ] ): O (1) RAM but time overhead factor ≥ 30 Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  12. Time vs. Memory Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  13. Time vs. Memory Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  14. Lookup Table Compression Schemes Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  15. Lookup Table Compression A first-order lookup table compression scheme was proposed in [ RRST’02 ] Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  16. Lookup Table Compression A first-order lookup table compression scheme was proposed in [ RRST’02 ] An improved lookup table compression scheme was by Vadnala [ Vad’17 ] Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  17. Lookup Table Compression A first-order lookup table compression scheme was proposed in [ RRST’02 ] An improved lookup table compression scheme was by Vadnala [ Vad’17 ] Figure: Pack entries based on higher-order bits Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  18. [Vad17] 1-O Table Compression Scheme Partition the original table T into T 1 and T 2 using compression parameter, ℓ a = a (1) || a (2) ���� ���� n − ℓ ℓ Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  19. [Vad17] 1-O Table Compression Scheme Partition the original table T into T 1 and T 2 using compression parameter, ℓ a = a (1) || a (2) ���� ���� n − ℓ ℓ Pack 2 ℓ distinct entries of T into each row of T 1 Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  20. [Vad17] 1-O Table Compression Scheme Partition the original table T into T 1 and T 2 using compression parameter, ℓ a = a (1) || a (2) ���� ���� n − ℓ ℓ Pack 2 ℓ distinct entries of T into each row of T 1 Unpack one of the entries of T 1 into 2 ℓ rows of T 2 Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  21. [Vad17] 1-O Table Compression Scheme Partition the original table T into T 1 and T 2 using compression parameter, ℓ a = a (1) || a (2) ���� ���� n − ℓ ℓ Pack 2 ℓ distinct entries of T into each row of T 1 Unpack one of the entries of T 1 into 2 ℓ rows of T 2 There is a set of shared random values across T 1 and T 2 Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  22. 2-O Table Compression Scheme [Vad17] Base scheme used in [ Vad’17 ] is [ RDP’08 ] Three steps of the second-order scheme 1: Create Table T 1 : { 0 , 1 } n − ℓ → { 0 , 1 } m Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  23. 2-O Table Compression Scheme [Vad17] Base scheme used in [ Vad’17 ] is [ RDP’08 ] Three steps of the second-order scheme 1: Create Table T 1 : { 0 , 1 } n − ℓ → { 0 , 1 } m �� � � T 1 ( b (1) :) = i ∈{ 0 , 1 } ℓ S (( x 3(1) ⊕ a (1) ⊕ r i ) || i ) ⊕ ⊕ y 1 ⊕ y 2 Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  24. 2-O Table Compression Scheme [Vad17] Base scheme used in [ Vad’17 ] is [ RDP’08 ] Three steps of the second-order scheme 1: Create Table T 1 : { 0 , 1 } n − ℓ → { 0 , 1 } m 2: Create Table T 2 : { 0 , 1 } ℓ → { 0 , 1 } m Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  25. 2-O Table Compression Scheme [Vad17] Base scheme used in [ Vad’17 ] is [ RDP’08 ] Three steps of the second-order scheme 1: Create Table T 1 : { 0 , 1 } n − ℓ → { 0 , 1 } m 2: Create Table T 2 : { 0 , 1 } ℓ → { 0 , 1 } m T 2 ( b (2) ) := T 1 ( v (1) ⊕ r ( x 3(2) ⊕ a (2) ) ) ⊕ j ∈{ 0 , 1 } ℓ , j � = a (2) S ( x 3(2) ⊕ j ) ( x (1) ⊕ r ( x 3(2) ⊕ a (2) ) ⊕ r ( x 3(2) ⊕ j ) ) ⊕ Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  26. 2-O Table Compression Scheme [Vad17] Base scheme used in [ Vad’17 ] is [ RDP’08 ] Three steps of the second-order scheme 1: Create Table T 1 : { 0 , 1 } n − ℓ → { 0 , 1 } m 2: Create Table T 2 : { 0 , 1 } ℓ → { 0 , 1 } m 3: Access Table T 2 to compute the third output share y 3 = T 2 ( v (2) ) Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  27. Attack on 2-O Scheme of [Vad’17] by [Viv’17] First-order scheme is proven to be secure [ Viv’17 ] pointed a second-order attack which show that any pair of entries in Table T 2 jointly leak up to n − ℓ bits of input Lemma Let β 1 , β 2 ∈ { 0 , 1 } l . Then T 2 ( β 1 ) ⊕ T 2 ( β 2 ) = S (x (1) || ( β 1 ⊕ x (2) ⊕ v (2) )) ⊕ S (x (1) || ( β 2 ⊕ x (2) ⊕ v (2) )) Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  28. Our Contribution Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  29. Second-Order Lookup Table Compression Following are the highlights of our scheme Randomise rows of tables T 1 and T 2 Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  30. Second-Order Lookup Table Compression Following are the highlights of our scheme Randomise rows of tables T 1 and T 2 Randomness complexity : � (2 ℓ · ( n − ℓ )) + m · (2 ( n − ℓ ) + 2 ℓ ) � -bits Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  31. Second-Order Lookup Table Compression Following are the highlights of our scheme Randomise rows of tables T 1 and T 2 Randomness complexity : � (2 ℓ · ( n − ℓ )) + m · (2 ( n − ℓ ) + 2 ℓ ) � -bits Use three-wise independent PRG [ TS09, IKL + 13 ] to reduce number of true random values Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

  32. Second-Order Lookup Table Compression Following are the highlights of our scheme Randomise rows of tables T 1 and T 2 Randomness complexity : � (2 ℓ · ( n − ℓ )) + m · (2 ( n − ℓ ) + 2 ℓ ) � -bits Use three-wise independent PRG [ TS09, IKL + 13 ] to reduce number of true random values Compute masks on-the-fly Annapurna Valiveti, Srinivas Vivek Second-Order Masked Lookup Table Compression Scheme

Recommend

Complexity Attack Resistant Flow Lookup Schemes for IPv6: A Measurement Based Comparison David

Complexity Attack Resistant Flow Lookup Schemes for IPv6: A Measurement Based Comparison David

Complexity Attack Resistant Flow Lookup Schemes for IPv6: A Measurement Based Comparison David Malone and Josh Tobin. 2008-12-11 1 Hash Table Lookup scheme to avoid cost of searching full list. carrot zuchinni . . . . . . apricot apple

406 views • 16 slides
CS1100: Computer Science and Its Applications Table Lookup and Error Processing Created By

CS1100: Computer Science and Its Applications Table Lookup and Error Processing Created By

CS1100: Computer Science and Its Applications Table Lookup and Error Processing Created By Martin Schedlbauer m.schedlbauer@neu.edu Excel Basics LOOKUP AND MAPPING CS1100 Lookup and Error Processing 2 LOOKUP Tables LOOKUP Tables help

798 views • 32 slides
Reducing a Masked Implementations Effective Security Order with Setup Manipulations And an

Reducing a Masked Implementations Effective Security Order with Setup Manipulations And an

Crypto. group SWORD Reducing a Masked Implementations Effective Security Order with Setup Manipulations And an Explanation Based on Externally-Amplified Couplings Itamar Levi, Davide Bellizia and Franois-Xavier Standaert Aug. 2018 Moti

298 views • 27 slides
Word embeddings Rappel Embeddings ( pas Word Embeddings ) Est une lookup table Formalisme:

Word embeddings Rappel Embeddings ( pas Word Embeddings ) Est une lookup table Formalisme:

Word embeddings Rappel Embeddings ( pas Word Embeddings ) Est une lookup table Formalisme: Index dun mot: w i Table dembeddings (lookup matrix): V Embedding: e i e i = V( w i ) Reprsentation dun mot

780 views • 47 slides
Cache misses for lookup, existing of random ints Cache misses for lookup, non-existing of random

Cache misses for lookup, existing of random ints Cache misses for lookup, non-existing of random

The hash tables Googles dense and sparse hash tables Use open addressing Quadratic probing SGI Is a chained hash table Referred to as gnu in graphs One-table and Two-table Doubly linked: Rather large compartments

645 views • 29 slides
A Novel Scalable IPv6 Lookup Scheme Using Compressed Pipelined Tries Michel Hanna, Sangyeun Cho,

A Novel Scalable IPv6 Lookup Scheme Using Compressed Pipelined Tries Michel Hanna, Sangyeun Cho,

A Novel Scalable IPv6 Lookup Scheme Using Compressed Pipelined Tries Michel Hanna, Sangyeun Cho, and Rami Melhem Computer Science Department, University of Pittsburgh, Pittsburgh, PA, 15260, USA { mhanna,cho,melhem } @cs.pitt.edu Abstract. An

482 views • 14 slides
Development of lookup tables of climate change impact on national water resources Naota Hanasaki

Development of lookup tables of climate change impact on national water resources Naota Hanasaki

Development of lookup tables of climate change impact on national water resources Naota Hanasaki (NIES) hanasaki@nies.go.jp What is lookup table of climate change impact? Typical impact studies Lookup table approach 1. Develop a detailed

479 views • 6 slides
with Dictionaries an alternative to InnoDB table compression Yura Sorokin, Senior Software

with Dictionaries an alternative to InnoDB table compression Yura Sorokin, Senior Software

Percona XtraDB: Compressed Columns with Dictionaries an alternative to InnoDB table compression Yura Sorokin, Senior Software Engineer at Percona Existing compression methods Overview Existing compression methods for MySQL InnoDB Table

1.24k views • 95 slides
hashes Hashes in lisp are basically a lookup table of key-value pairs can create/destroy

hashes Hashes in lisp are basically a lookup table of key-value pairs can create/destroy

hashes Hashes in lisp are basically a lookup table of key-value pairs can create/destroy tables can add/remove key/value pairs can check if key current present in table can update value associated with a key can look up value

416 views • 6 slides
Binary Access Memory: An Optimized Lookup Table for Successive Approximation Applications

Binary Access Memory: An Optimized Lookup Table for Successive Approximation Applications

Binary Access Memory: An Optimized Lookup Table for Successive Approximation Applications Benjamin Hershberg*, Skyler Weaver*, Seiji Takeuchi, Koichi Hamashita , Un -Ku Moon* *School of Electrical Engineering and Computer Science, Oregon

997 views • 41 slides
Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

8 + Introduction Higher Order Masking Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved Scheme Experimental Results J.-S. Coron 1 E. Prouff 2 M. Rivain 1 , 2 Conclusion 1 University of

555 views • 43 slides
CLUE: achieving fast update over compressed table for parallel lookup with reduced dynamic

CLUE: achieving fast update over compressed table for parallel lookup with reduced dynamic

CLUE: achieving fast update over compressed table for parallel lookup with reduced dynamic redundancy Tong Yang, Ruian Duan, Jianyuan Lu, Shenjiang Zhang, Huichen Dai and Bin Liu Dept. of Computer Science and Technology, Tsinghua University,

437 views • 10 slides
Frugal IP Lookup Based on a Parallel Search Zoran Ci ca and Aleksandra Smiljani c School

Frugal IP Lookup Based on a Parallel Search Zoran Ci ca and Aleksandra Smiljani c School

Frugal IP Lookup Based on a Parallel Search Zoran Ci ca and Aleksandra Smiljani c School of Electrical Engineering, Belgrade University, Serbia Email: cicasyl@etf.rs, aleksandra@etf.rs speed such as the trie compression [5], [6], leaf

222 views • 6 slides
A fourth order accurate finite difference scheme for the elastic wave equation in second order

A fourth order accurate finite difference scheme for the elastic wave equation in second order

A fourth order accurate finite difference scheme for the elastic wave equation in second order formulation 1 B. Sj ogreen and N.A.Petersson Lawrence Livermore National Laboratory October 18, 2011 1Work performed under the auspices of the

343 views • 20 slides
Organizing My I.B. Portfolio Table of Contents The table of contents displays the order of

Organizing My I.B. Portfolio Table of Contents The table of contents displays the order of

Organizing My I.B. Portfolio Table of Contents The table of contents displays the order of the portfolio dividers & work samples . In what place order should the Identities & relationships divider be placed? (select a choice

1.29k views • 50 slides
Lookup Tables 1 Example of Arbitrary Waveform Generator Clock Generator Output Increments a

Lookup Tables 1 Example of Arbitrary Waveform Generator Clock Generator Output Increments a

Lookup Tables 1 Example of Arbitrary Waveform Generator Clock Generator Output Increments a Counter Counter Output used as Memory (lookup table) Address Memory Stores One Period (or portion of period if symmetry is present) of a

233 views • 19 slides
Towards the Compression of First-Order Resolution Proofs by Lowering Unit Clauses J. Gorzny 1 B.

Towards the Compression of First-Order Resolution Proofs by Lowering Unit Clauses J. Gorzny 1 B.

Towards the Compression of First-Order Resolution Proofs by Lowering Unit Clauses J. Gorzny 1 B. Woltzenlogel Paleo 2 1 University of Victoria 2 Vienna University of Technology 6 August 2015 Gorzny, Woltzenlogel Paleo First-Order Lower Units

687 views • 45 slides
A machine learning approach against a masked AES L. LERMAN , S. FERNANDES MEDEIROS, G. BONTEMPI,

A machine learning approach against a masked AES L. LERMAN , S. FERNANDES MEDEIROS, G. BONTEMPI,

A machine learning approach against a masked AES A machine learning approach against a masked AES L. LERMAN , S. FERNANDES MEDEIROS, G. BONTEMPI, and O. MARKOWITCH Universit Libre de Bruxelles Faculty of Sciences Department of Computer

349 views • 20 slides
1-Bucket-Theta: Map Col T 1 6 Row Input: tuple x S T, 1 matrix-to-reducer mapping

1-Bucket-Theta: Map Col T 1 6 Row Input: tuple x S T, 1 matrix-to-reducer mapping

10/20/2011 1-Bucket-Theta: Map Col T 1 6 Row Input: tuple x S T, 1 matrix-to-reducer mapping lookup table 1 2 S 1. If x S then 3 1. matrixRow = random( 1, |S| ) 6 S.A=T.A 2. Forall regionID in lookup.getRegions(

281 views • 16 slides
Lecture 9: Compression 1 / 52 Compression Recap Bu ff er Management Recap 2 / 52 Compression

Lecture 9: Compression 1 / 52 Compression Recap Bu ff er Management Recap 2 / 52 Compression

Compression Lecture 9: Compression 1 / 52 Compression Recap Bu ff er Management Recap 2 / 52 Compression Recap Bu ff er Management Thread Safety A piece of code is thread-safe if it functions correctly during simultaneous execution

784 views • 52 slides
Treating geospatial complex data by compression and reduced order methods 1 Stefano De Marchi

Treating geospatial complex data by compression and reduced order methods 1 Stefano De Marchi

Treating geospatial complex data by compression and reduced order methods 1 Stefano De Marchi Department of Mathematics Tullio Levi-Civita University of Padova (UNIPD) Italy Wroclaw, September 19, 2018 1 GeoEssential ERA-PLANET team

508 views • 35 slides
Formal Verification of Masked Implementations Sonia Bela d Benjamin Gr egoire CHES 2018

Formal Verification of Masked Implementations Sonia Bela d Benjamin Gr egoire CHES 2018

Formal Verification of Masked Implementations Sonia Bela d Benjamin Gr egoire CHES 2018 - Tutorial September 9th 2018 1 / 47 1 Side-Channel Attacks and Masking 2 Formal Tools for Verification at Fixed Order 3 Formal Tools

1.24k views • 97 slides
From Sorting to Heaps to Compression Data Compression video on demand/set top box jpeg

From Sorting to Heaps to Compression Data Compression video on demand/set top box jpeg

From Sorting to Heaps to Compression Data Compression video on demand/set top box jpeg in browsers gzip, pkzip, compress, zip, ... for files (stacker?) Lossy compression, Lossless compression Huffman coding possible to

275 views • 6 slides
CMSC 206 Dictionaries and Hashing The Dictionary ADT n a dictionary (table) is an abstract

CMSC 206 Dictionaries and Hashing The Dictionary ADT n a dictionary (table) is an abstract

CMSC 206 Dictionaries and Hashing The Dictionary ADT n a dictionary (table) is an abstract model of a database or lookup table n like a priority queue, a dictionary stores key- element pairs n the main operation supported by a

496 views • 35 slides

More recommend