stronger and faster side channel protections for csidh
play

Stronger and Faster Side-Channel Protections for CSIDH azquez 1 - PowerPoint PPT Presentation

Sep 09, 2022 •304 likes •1.25k views

Stronger and Faster Side-Channel Protections for CSIDH azquez 1 Mathilde Chenu 2,3 Daniel Cervantes-V nguez 1 and Luca De Feo 4 and Jes us-Javier Chi-Dom quez 1 and Benjamin Smith 2,3 Francisco Rodr guez-Henr 1 Computer Science

  1. Stronger and Faster Side-Channel Protections for CSIDH azquez 1 Mathilde Chenu 2,3 Daniel Cervantes-V´ ınguez 1 and Luca De Feo 4 and Jes´ us-Javier Chi-Dom´ ıquez 1 and Benjamin Smith 2,3 Francisco Rodr´ ıguez-Henr´ 1 Computer Science Department, Cinvestav - IPN, Mexico City, Mexico 2 ´ Ecole polytechnique, Institut Polytechnique de Paris, Palaiseau, France 3 Inria, ´ equipe-projet GRACE, Universit´ e Paris–Saclay, France 4 Universit´ e Paris Saclay – UVSQ, Versailles, France October 2, 2019 1/25

  2. Overview 1 CSIDH overview 2 Constant-time CSIDH algorithm 3 Improvements to constant-time CSIDH algorithm Fixing random point selection Twisted Edwards or Montgomery curves? Addition chains for a faster scalar multiplication Removing dummy operations 4 Experimental results 5 Conclusions 1/25

  3. Outline 1 CSIDH overview 2 Constant-time CSIDH algorithm 3 Improvements to constant-time CSIDH algorithm Fixing random point selection Twisted Edwards or Montgomery curves? Addition chains for a faster scalar multiplication Removing dummy operations 4 Experimental results 5 Conclusions 1/25

  4. Timeline of CSIDH 6 0 8 9 0 1 1 1 0 0 0 0 2 2 2 2 Before CSIDH (ordinary curves): • Alexander Rostovtsev and Anton Stolbunov [10]; • Jean-Marc Couveignes [4]; 2/25

  5. Timeline of CSIDH 6 0 8 9 0 1 1 1 0 0 0 0 2 2 2 2 Before CSIDH (ordinary curves): • Alexander Rostovtsev and Anton Stolbunov [10]; • Jean-Marc Couveignes [4]; • Anton Stolbunov [11]; 2/25

  6. Timeline of CSIDH 6 0 8 9 0 1 1 1 0 0 0 0 2 2 2 2 Before CSIDH (ordinary curves): • Alexander Rostovtsev and Anton Stolbunov [10]; • Jean-Marc Couveignes [4]; • Anton Stolbunov [11]; • Luca De Feo, Jean Kieffer, and Benjamin Smith [5]; 2/25

  7. Timeline of CSIDH 6 0 8 9 0 1 1 1 0 0 0 0 2 2 2 2 CSIDH (supersingular curves): • April: Castryck, Lange, Martindale, Panny, and Renes proposed CSIDH [3]; 2/25

  8. Timeline of CSIDH 6 0 8 9 0 1 1 1 0 0 0 0 2 2 2 2 CSIDH (supersingular curves): • April: Castryck, Lange, Martindale, Panny, and Renes proposed CSIDH [3]; • August: Meyer and Reith [8]; 2/25

  9. Timeline of CSIDH 6 0 8 9 0 1 1 1 0 0 0 0 2 2 2 2 CSIDH (supersingular curves): • April: Castryck, Lange, Martindale, Panny, and Renes proposed CSIDH [3]; • August: Meyer and Reith [8]; • Constant-time implementations: • August: Jalali et al. [6]; 2/25

  10. Timeline of CSIDH 6 0 8 9 0 1 1 1 0 0 0 0 2 2 2 2 CSIDH (supersingular curves): • April: Castryck, Lange, Martindale, Panny, and Renes proposed CSIDH [3]; • August: Meyer and Reith [8]; • Constant-time implementations: • August: Jalali et al. [6]; • October: Bernstein, Lange, Martindale, and Panny [2]; 2/25

  11. Timeline of CSIDH 6 0 8 9 0 1 1 1 0 0 0 0 2 2 2 2 CSIDH (supersingular curves): • April: Castryck, Lange, Martindale, Panny, and Renes proposed CSIDH [3]; • August: Meyer and Reith [8]; • Constant-time implementations: • August: Jalali et al. [6]; • October: Bernstein, Lange, Martindale, and Panny [2]; • December: Meyer, Campos, and Reith [7]; 2/25

  12. Timeline of CSIDH 6 0 8 9 0 1 1 1 0 0 0 0 2 2 2 2 CSIDH (supersingular curves): • April: Castryck, Lange, Martindale, Panny, and Renes proposed CSIDH [3]; • August: Meyer and Reith [8]; • Constant-time implementations: • August: Jalali et al. [6]; • October: Bernstein, Lange, Martindale, and Panny [2]; • December: Meyer, Campos, and Reith [7]; • April: Onuki, Aikawa, Yamazaki, and Takagi [9]; 2/25

  13. Timeline of CSIDH 6 0 8 9 0 1 1 1 0 0 0 0 2 2 2 2 CSIDH (supersingular curves): • April: Castryck, Lange, Martindale, Panny, and Renes proposed CSIDH [3]; • August: Meyer and Reith [8]; • Constant-time implementations: • August: Jalali et al. [6]; • October: Bernstein, Lange, Martindale, and Panny [2]; • December: Meyer, Campos, and Reith [7]; • April: Onuki, Aikawa, Yamazaki, and Takagi [9]; • July: This work. 2/25

  14. CSIDH implementations • Castryck et al. [3]: The original CSIDH works on Montgomery curves; • Jalali et al. [6] keep using Montgomery curves; • Meyer and Reith [8]: Propose an hybrid CSIDH by using isogeny construction formulas but on Twisted Edwards curves, and then mapping into Montgomery form; • Meyer–Campos–Reith [7], and Onuki et al. [9]: They keep using the hybrid CSIDH as in [8]; 3/25

  15. Our contributions 1) A fully Twisted Edwards version of CSIDH; 2) An efficient projective elligator; 3) The use of Shortest Differential Addition Chains (SDACs) in the CSIDH algorithm, which are cheaper than Classical Mont- gomery Ladders. 4) A stronger constant-time CSIDH algorithm without dummy op- erations. 4/25

  16. CSIDH overview CSIDH framework [3]: • Small odd primes numbers ℓ i such that p = 4 � n i =1 ℓ i − 1 is prime number; • Supersingular elliptic curves in Montgomery form E A / F p : y 2 = x 3 + Ax 2 + x with # E ( F p ) = p + 1; and • Positive integer m . General description CSIDH: a E A a ∗ E A a ∗ E A The shared secret key is ( a · b ) ∗ E A . b b The security is given by the hardness E A of computing a (or b ) given the data ∗ b b ∗ E A ( a · b ) ∗ E A a colored in red ink. 5/25

  17. CSIDH overview CSIDH framework [3]: • Small odd primes numbers ℓ i such that p = 4 � n i =1 ℓ i − 1 is prime number; • Supersingular elliptic curves in Montgomery form E A / F p : y 2 = x 3 + Ax 2 + x with # E ( F p ) = p + 1; and • Positive integer m . General description CSIDH: a E A a ∗ E A a ∗ E A The shared secret key is ( a · b ) ∗ E A . b b The security is given by the hardness E A of computing a (or b ) given the data ∗ b b ∗ E A ( a · b ) ∗ E A a colored in red ink. Each ℓ i is required e i times for evaluating the action a ∗ E A (similarly for b ∗ E A ). Formally, this is written as a = l e 1 1 · · · l e n n . 5/25

  18. CSIDH overview The action a ∗ E A defines a path on the isogeny graph over F p , and is determined by an integer vector ( e 1 , . . . , e n ) ∈ � − m , m � n : 1) Nodes are supersingular el- liptic curves over F p in Montgomery form; 2) Edges are degree- ℓ i isoge- nies. Figure 1: Isogeny graph over F p with p = 4 · (5 · 13 · 61) − 1. Nodes are supersingular curves and edges marked with orange, green , and vi- olet inks denote isogenies of degree 5, 13 and 61, respectively. 6/25

  19. CSIDH overview The action a ∗ E A defines a path on the isogeny graph over F p , and is determined by an integer vector ( e 1 , . . . , e n ) ∈ � − m , m � n : 1) Nodes are supersingular el- liptic curves over F p in Montgomery form; 2) Edges are degree- ℓ i isoge- nies. Two types of edges: isogeny with kernel gener- ated by Figure 1: Isogeny graph over F p 2.a) ( x , y ) ∈ E A [ ℓ i , π − 1], or with p = 4 · (5 · 13 · 61) − 1. Nodes 2.b) ( x , iy ) ∈ E A [ ℓ i , π + 1]. are supersingular curves and edges marked with orange, green , and vi- Here, x , y ∈ F p , π : ( X , Y ) �→ olet inks denote isogenies of degree ( X p , Y p ) is the Frobenius map, i = √− 1 and thus i p = − i . 5, 13 and 61, respectively. 6/25

  20. CSIDH overview Figure 2: Action evaluation over F p with p = 4 · (5 · 13 · 61) − 1. Secret integer vector ( − 1 , 2 , 1) ∈ � − 2 , 2 � 3 : E 0 7/25

  21. CSIDH overview Figure 2: Action evaluation over F p with p = 4 · (5 · 13 · 61) − 1. Secret integer vector ( − 1 , 2 , 1) ∈ � − 2 , 2 � 3 : E 0 → E 0x3A7D 7/25

  22. CSIDH overview Figure 2: Action evaluation over F p with p = 4 · (5 · 13 · 61) − 1. Secret integer vector ( − 1 , 2 , 1) ∈ � − 2 , 2 � 3 : E 0 → E 0x3A7D → E 0x2BF7 7/25

  23. CSIDH overview Figure 2: Action evaluation over F p with p = 4 · (5 · 13 · 61) − 1. Secret integer vector ( − 1 , 2 , 1) ∈ � − 2 , 2 � 3 : E 0 → E 0x3A7D → E 0x2BF7 → E 0x1404 7/25

  24. CSIDH overview Figure 2: Action evaluation over F p with p = 4 · (5 · 13 · 61) − 1. Secret integer vector ( − 1 , 2 , 1) ∈ � − 2 , 2 � 3 : E 0 → E 0x3A7D → E 0x2BF7 → E 0x1404 → E 0x5EB 7/25

  25. CSIDH overview Figure 2: Action evaluation over F p with p = 4 · (5 · 13 · 61) − 1. In general, the atcion evaluation is commutative . Secret integer vector ( − 1 , 2 , 1) ∈ � − 2 , 2 � 3 : E 0 → E 0x7A0 → E 0x8EC → E 0x25B3 → E 0x5EB 7/25

  26. CSIDH overview Figure 2: Action evaluation over F p with p = 4 · (5 · 13 · 61) − 1. Secret integer vector (1 , − 2 , − 1) ∈ � − 2 , 2 � 3 has inverse ( − 1 , 2 , 1) ∈ � − 2 , 2 � 3 : E 0x5EB → E 0x1D50 → E 0x8EC → E 0x56D → E 0 7/25

  27. CSIDH overview Figure 2: Action evaluation over F p with p = 4 · (5 · 13 · 61) − 1. Secret integer vector (1 , − 2 , − 1) ∈ � − 2 , 2 � 3 has inverse ( − 1 , 2 , 1) ∈ � − 2 , 2 � 3 : E 0x5EB → E 0x1D50 → E 0x8EC → E 0x56D → E 0 7/25

  28. CSIDH overview Figure 2: Action evaluation over F p with p = 4 · (5 · 13 · 61) − 1. Secret integer vector (1 , − 2 , − 1) ∈ � − 2 , 2 � 3 has inverse ( − 1 , 2 , 1) ∈ � − 2 , 2 � 3 : E 0x5EB → E 0x1D50 → E 0x8EC → E 0x56D → E 0 7/25

Recommend

Side channel protections for CSIDH Luca De Feo IBM Research Zrich October 16, 2019, PHISIC,

Side channel protections for CSIDH Luca De Feo IBM Research Zrich October 16, 2019, PHISIC,

Side channel protections for CSIDH Luca De Feo IBM Research Zrich October 16, 2019, PHISIC, Gardanne based on joint work with D. Cervantes-Vzquez, M. Chenu, J.J. Chi-Domnguez, F. Rodrguez-Henrquez, B. Smith Slides online at

944 views • 90 slides
TLBleed Translation leak-aside buffer: Defeating cache side-channel protections with TLB

TLBleed Translation leak-aside buffer: Defeating cache side-channel protections with TLB

TLBleed Translation leak-aside buffer: Defeating cache side-channel protections with TLB attack B. Gras, K. Razavi, H. Bos, and C. Giuffrida Presented by Ayoosh Bansal Translation Lookaside Buffer (TLB) It is a cache, where every entry

1.04k views • 25 slides
Embedding Crypto in SoCs: Threats and Protections Arnaud Tisserand CNRS, Lab-STICC laboratory

Embedding Crypto in SoCs: Threats and Protections Arnaud Tisserand CNRS, Lab-STICC laboratory

Embedding Crypto in SoCs: Threats and Protections Arnaud Tisserand CNRS, Lab-STICC laboratory GDR SoC17, Bordeaux Summary Introduction & Cryptographic Background Side Channel Attacks Fault Injection Attacks Protections

1.87k views • 166 slides
Effjcient Side-Channel Protections of ARX Ciphers Bernhard Jungk 1 Richard Petri 2 Marc Stttinger

Effjcient Side-Channel Protections of ARX Ciphers Bernhard Jungk 1 Richard Petri 2 Marc Stttinger

Effjcient Side-Channel Protections of ARX Ciphers Bernhard Jungk 1 Richard Petri 2 Marc Stttinger 3 1 Fraunhofer Singapore, Singapore, bernhard.jungk@fraunhofer.sg 2 Fraunhofer SIT, Germany, richard.petri@sit.fraunhofer.de 3 Continental AG,

583 views • 40 slides
+ Side Channel and Covert Channel A1acks on Microkernel

+ Side Channel and Covert Channel A1acks on Microkernel

+ Side Channel and Covert Channel A1acks on Microkernel Architectures WAMOS 2015 Advanced Opera3ng Systems Hochschule RheinMain Alexander Baumgrtner and

539 views • 25 slides
["si:saId] Why CSIDH? Drop-in post-quantum replacement for (EC)DH.

["si:saId] Why CSIDH? Drop-in post-quantum replacement for (EC)DH.

CSIDH : An Efficient Post-Quantum Commutative Group Action Wouter Castryck 1 Tanja Lange 2 Chloe Martindale 2 Lorenz Panny 2 Joost Renes 3 1 KU Leuven 2 TU Eindhoven 3 Radboud Universiteit Brisbane, 6 December 2018 ["si:saId] Why CSIDH?

934 views • 57 slides
FIDES: Lightweight Authentication Cipher with Side-Channel Resistance for Constrained Hardware

FIDES: Lightweight Authentication Cipher with Side-Channel Resistance for Constrained Hardware

FIDES: Lightweight Authentication Cipher with Side-Channel Resistance for Constrained Hardware Begl Bilgin, Andrey Bogdanov, Miroslav Kne evi , Florian Mendel, and Qingju Wang 1 DIAC 2013, Chicago Side Channel Resistance 2 Side

1.29k views • 76 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer ESC 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

476 views • 33 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer FSE 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

635 views • 30 slides
The Curse of Class Imbalance and Conflicting Metrics with Machine Learning for Side-channel

The Curse of Class Imbalance and Conflicting Metrics with Machine Learning for Side-channel

The Curse of Class Imbalance and Conflicting Metrics with Machine Learning for Side-channel Evaluations Stjepan Picek, Annelie Heuser, Alan Jovic, Shivam Bhasin, and Francesco Regazzoni Big Picture side-channel measurements device classifier

822 views • 33 slides
Generic Side-Channel Distinguishers: Improvements and Limitations N. Veyrat-Charvillon and F-X.

Generic Side-Channel Distinguishers: Improvements and Limitations N. Veyrat-Charvillon and F-X.

Side-Channel Cryptanalysis Models and Dependencies New Generic Test Experiments Conclusions Generic Side-Channel Distinguishers: Improvements and Limitations N. Veyrat-Charvillon and F-X. Standaert UCL Crypto Group, Universit e catholique

355 views • 24 slides
In Search of A better, faster, stronger Web Marissa Mayer VP Search & User Experience

In Search of A better, faster, stronger Web Marissa Mayer VP Search & User Experience

In Search of A better, faster, stronger Web Marissa Mayer VP Search & User Experience Google The importance of first impressions We didnt have any webmasters And, I dont do HTML. Still simple, still fast 4 Key Elements

645 views • 28 slides
SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna Ors Yal cn Istanbul Technical University Department of Electronics and Communication Engineering Introduction A side-channel analysis attack

1.81k views • 99 slides
Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers

Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers

Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers will always cheat xkcd #538 What is side channel cryptanalysis? Side Channels: whatever the designers ignored Key Plaintext Encryption Cipher

1.14k views • 112 slides
Recent advances in side- channel analysis using machine learning techniques Annelie Heuser with

Recent advances in side- channel analysis using machine learning techniques Annelie Heuser with

Recent advances in side- channel analysis using machine learning techniques Annelie Heuser with Stjepan Picek, Sylvain Guilley, Alan Jovic, Shivam Bhasin, Tania Richmond, Karlo Knezevic In this talk Short recap on side-channel analysis

4.52k views • 56 slides
BISPHOSPHONATES: Benefits, Risks, and Patient Protections Suzanne Robotti SIDE EFFECTS Legal

BISPHOSPHONATES: Benefits, Risks, and Patient Protections Suzanne Robotti SIDE EFFECTS Legal

BISPHOSPHONATES: Benefits, Risks, and Patient Protections Suzanne Robotti SIDE EFFECTS Legal Fear Protection 25% of all new drugs have black box or significant warnings within 5 years. How to Update a Drug Label: Changes Being

306 views • 19 slides
Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of Technology, The Netherlands May 6, 2018 Outline 1 Side-channels 2 Implementation Attacks 3 Side-channel Attacks 4 Fault Injection 2 / 48

825 views • 48 slides
Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks

Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks

Elliptic Curves Side-Channel Countermeasures Conclusion Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks Vincent Verneuil 1 , 2 1 Inside Secure 2 Institut de Math ematiques de Bordeaux S

2.22k views • 188 slides
The Need for Speed: Applications of HPC in Side Channel

The Need for Speed: Applications of HPC in Side Channel

The Need for Speed: Applications of HPC in Side Channel Research Dr. M. Elisabeth Oswald Reader, EPSRC Leadership Fellow University of Bristol Roadmap

280 views • 25 slides
Enhancing the Power of Deep Learning in Side-Channel Analysis? Breaking multiple layers of

Enhancing the Power of Deep Learning in Side-Channel Analysis? Breaking multiple layers of

Plaintext: A Missing Feature for Enhancing the Power of Deep Learning in Side-Channel Analysis? Breaking multiple layers of side-channel countermeasures Anh-Tuan Hoang, Neil Hanley and Mire ONeill CHES 2020 14-18 September 2020 Outline

622 views • 21 slides
AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 |

AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 |

Nicolas Belleville Damien Courouss Karine Heydemann Henri-Pierre Charles AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 | Belleville Nicolas INTRODUCTION Focus on power/EM based side channel

535 views • 31 slides
Roger Dingledine March 2013 update 1 2 3 4 5 6 7 8 9 10 Tor 0.2.4.7-alpha ..

Roger Dingledine March 2013 update 1 2 3 4 5 6 7 8 9 10 Tor 0.2.4.7-alpha ..

Roger Dingledine March 2013 update 1 2 3 4 5 6 7 8 9 10 Tor 0.2.4.7-alpha .. 0.2.4.9-alpha New stronger/faster ECC-based link encryption New stronger/faster ECC-based circuit handshake (ntor, curve25519) Support for exiting

237 views • 23 slides
FAST (Harder Better) FAster STronger Cryptography 2020/02/19 Bordeaux Damien Robert

FAST (Harder Better) FAster STronger Cryptography 2020/02/19 Bordeaux Damien Robert

FAST (Harder Better) FAster STronger Cryptography 2020/02/19 Bordeaux Damien Robert quipe LFANT, Inria Bordeaux Sud-Ouest Goal Cryptology: Encryption; Authenticity; Integrity. asymmetric encryption, signatures, zero-knowledge

225 views • 20 slides
Faster, Smarter, Stronger The Past, Present, and Future of Donor Intelligence Jay Frost The New

Faster, Smarter, Stronger The Past, Present, and Future of Donor Intelligence Jay Frost The New

6/12/2019 Faster, Smarter, Stronger The Past, Present, and Future of Donor Intelligence Jay Frost The New Hampshire & Vermont Council of Charitable Gift Planners June 2019 Which superpower would you choose? The Good News 1 6/12/2019

429 views • 11 slides

More recommend