Outline Preliminaries Comprehend the TI Applying TI Conclusion Threshold Implementations: Comprehend and Apply Svetla Nikova, KU Leuven, Belgium July 4rd, 2013 1 / 97
Outline Preliminaries Comprehend the TI Applying TI Conclusion Preliminaries Side-channel attacks Countermeasures Masking Glitches Comprehend the TI What is TI? Notations, Definitions and Proofs Uniformity Affine Equivalence Classes Applying TI Sharing Techniques Decomposing small S-boxes HW implementations small S-boxes HW implementations AES Conclusion 2 / 97
Outline Preliminaries Comprehend the TI Applying TI Conclusion Preliminaries Side-channel attacks Countermeasures Masking Glitches Comprehend the TI What is TI? Notations, Definitions and Proofs Uniformity Affine Equivalence Classes Applying TI Sharing Techniques Decomposing small S-boxes HW implementations small S-boxes HW implementations AES Conclusion 3 / 97
Outline Preliminaries Comprehend the TI Applying TI Conclusion Side-channel attacks • Normal attacks: c = E ( k , p ) • Known plaintext: equations in the key • High nonlinearity, difficult to solve • Device executing the cryptographic algorithm leaks information on internal state • Instantaneous leakage depends on intermediate variables, which results in equations • That have lower nonlinearity • That may contain noise 4 / 97
Outline Preliminaries Comprehend the TI Applying TI Conclusion Countering power attacks • Ensure constant power consumption • Constant instruction sequence • Use special hardware logic styles • Avoid statistical correlation between secret key and data processed • Masking • Counters attacks that use repeated measurements and statistics to remove the noise 5 / 97
Outline Preliminaries Comprehend the TI Applying TI Conclusion Countermeasures at different levels • Hardware logic style → Relieves cryptographers BUT places burden on hardware designers • Algorithms and implementations → Probably lowest feasible level • Ciphers and Protocols → New standards, takes time 6 / 97
Outline Preliminaries Comprehend the TI Applying TI Conclusion Countermeasures We NEED secure implementations against DPA 7 / 97
Outline Preliminaries Comprehend the TI Applying TI Conclusion Countermeasures We NEED secure implementations against DPA • Hardware countermeasures • Balancing power consumption [Tiri et al., CHES’03] • · · · • Masking • Masking intermediate values [Chari et al., CRYPTO’99; Goubin et al., CHES’99] • Threshold Implementations [Nikova et al., ICISC’08] • Shamir’s Secret Sharing [Goubin et al., CHES’11; Prouff et al., CHES’11] • · · · • Leakage-Resilient Crypto Problem: Unfeasible circuit size, glitches 8 / 97
Outline Preliminaries Comprehend the TI Applying TI Conclusion Countermeasures We NEED secure implementations against DPA • Hardware countermeasures • Balancing power consumption [Tiri et al., CHES’03] • · · · • Masking • Masking intermediate values [Chari et al., CRYPTO’99; Goubin et al., CHES’99] • Threshold Implementations [Nikova et al., ICISC’08] • Shamir’s Secret Sharing [Goubin et al., CHES’11; Prouff et al., CHES’11] • · · · • Leakage-Resilient Crypto Problem: Unfeasible circuit size, glitches 9 / 97
Outline Preliminaries Comprehend the TI Applying TI Conclusion Masking Randomized redundant representation: v → ( v 1 , . . . , v n ) such that v = v 1 ∗ . . . ∗ v n n -th order masking: all n − 1 intermediate variables are independent of v The adversary needs to identify n leakage samples and combine their information Boolean masking: v 1 = v ⊕ m , v 2 = m Multiplicative masking (zero-value problem): v 1 = v ∗ m , v 2 = m Affine Masking: v 1 = v ∗ m ⊕ m 2 , v 2 = m 1 , v 3 = m 2 10 / 97
Outline Preliminaries Comprehend the TI Applying TI Conclusion Masking in Software Masking Table Look-Ups Two tables have to be computed T and T m , where T m ( v ⊕ m ) = T ( v ) ⊕ m Consequences: the computational effort and amount of memory increases. 11 / 97
Outline Preliminaries Comprehend the TI Applying TI Conclusion Problems with masking • Unintentional unmasking, • Glitches HD ( v m , w m ) = HW ( v m ⊕ w m ) = HW ( v ⊕ w ) 12 / 97
Outline Preliminaries Comprehend the TI Applying TI Conclusion Glitches Temporary states of the output 13 / 97
Outline Preliminaries Comprehend the TI Applying TI Conclusion Glitches Temporary states of the output z = x AND y , where x m = x ⊕ m x , y m = y ⊕ m y z m = x m y m ⊕ ( m y x m ⊕ ( m x y m ⊕ ( m x m y ⊕ m z ))) 14 / 97
Outline Preliminaries Comprehend the TI Applying TI Conclusion Glitches Temporary states of the output z = x AND y , where x m = x ⊕ m x , y m = y ⊕ m y z m = x m y m ⊕ ( m y x m ⊕ ( m x y m ⊕ ( m x m y ⊕ m z ))) 15 / 97
Outline Preliminaries Comprehend the TI Applying TI Conclusion Glitches Temporary states of the output z = x AND y , where x m = x ⊕ m x , y m = y ⊕ m y z m = x m y m ⊕ ( m y x m ⊕ ( m x y m ⊕ ( m x m y ⊕ m z ))) 16 / 97
Outline Preliminaries Comprehend the TI Applying TI Conclusion Glitches Temporary states of the output z = x AND y , where x m = x ⊕ m x , y m = y ⊕ m y z m = x m y m ⊕ ( m y x m ⊕ ( m x y m ⊕ ( m x m y ⊕ m z ))) y m y y m AND XOR 0 0 0 0 0 0 1 1 2 2 1 0 1 1 1 1 1 0 1 2 17 / 97
Outline Preliminaries Comprehend the TI Applying TI Conclusion Why TI? Threshold Implementations • Any hardware technology • Realistic size • Provably secure against 1 st order DPA 18 / 97
Outline Preliminaries Comprehend the TI Applying TI Conclusion Why TI? Threshold Implementations • Any hardware technology • Realistic size • Provably secure against 1 st order DPA So far, • Noekeon [Nikova et al., ICISC’08] • Multiplication in GF (4) [Nikova et al., ICISC’08] • Keccak [Bertoni et al., SHA-3 candidates’10] • Present [Poschmann et al., J.Cryptology’11] • AES [Moradi et al., Eurocrypt’11] • All 3 × 3 and 4 × 4 S-boxes [Bilgin et al., CHES’12] • etc. 19 / 97
Outline Preliminaries Comprehend the TI Applying TI Conclusion Preliminaries Side-channel attacks Countermeasures Masking Glitches Comprehend the TI What is TI? Notations, Definitions and Proofs Uniformity Affine Equivalence Classes Applying TI Sharing Techniques Decomposing small S-boxes HW implementations small S-boxes HW implementations AES Conclusion 20 / 97
Outline Preliminaries Comprehend the TI Applying TI Conclusion What is TI? S() ( x, y, z, . . . ) ( a, b, c, . . . ) 21 / 97
Outline Preliminaries Comprehend the TI Applying TI Conclusion What is TI? S 1 ( x 1 , y 1 , z 1 , . . . ) ( a 1 , b 1 , c 1 , . . . ) ( x 2 , y 2 , z 2 , . . . ) ( a 2 , b 2 , c 2 , . . . ) S 2 . . . . . . . . . S s ( x s , y s , z s , . . . ) ( a s , b s , c s , . . . ) 22 / 97
Outline Preliminaries Comprehend the TI Applying TI Conclusion What is TI? S 1 ( x 1 , y 1 , z 1 , . . . ) ( a 1 , b 1 , c 1 , . . . ) ( x 2 , y 2 , z 2 , . . . ) S 2 ( a 2 , b 2 , c 2 , . . . ) . . . . . . . . . S s ( x s , y s , z s , . . . ) ( a s , b s , c s , . . . ) • Non-complete 23 / 97
Outline Preliminaries Comprehend the TI Applying TI Conclusion What is TI? S 1 ( x 1 , y 1 , z 1 , . . . ) ( a 1 , b 1 , c 1 , . . . ) ⊕ ⊕ ( x 2 , y 2 , z 2 , . . . ) S 2 ( a 2 , b 2 , c 2 , . . . ) ⊕ ⊕ . . . . . . . . . ⊕ ⊕ S s ( x s , y s , z s , . . . ) ( a s , b s , c s , . . . ) = = ( a, b, c, . . . ) ( x, y, z, . . . ) • Correct • Non-complete 24 / 97
Outline Preliminaries Comprehend the TI Applying TI Conclusion What is TI? S 1 ( x 1 , y 1 , z 1 , . . . ) ( a 1 , b 1 , c 1 , . . . ) ⊕ ⊕ ( x 2 , y 2 , z 2 , . . . ) S 2 ( a 2 , b 2 , c 2 , . . . ) ⊕ ⊕ . . . . . . . . . ⊕ ⊕ S s ( x s , y s , z s , . . . ) ( a s , b s , c s , . . . ) = = ( a, b, c, . . . ) ( x, y, z, . . . ) • Correct • Non-complete • Uniform 25 / 97
Outline Preliminaries Comprehend the TI Applying TI Conclusion Uniformity • S-boxes: If S ( x ) = a is a bijection, then S ( x 1 , x 2 , x 3 ) = ( a 1 , a 2 , a 3 ) is also a bijection. 26 / 97
Outline Preliminaries Comprehend the TI Applying TI Conclusion Uniformity • S-boxes: If S ( x ) = a is a bijection, then S ( x 1 , x 2 , x 3 ) = ( a 1 , a 2 , a 3 ) is also a bijection. • Multiplication: x y a=x AND y a (0,0,0) (0,0,1) (0,1,0) (0,1,1) (1,0,0) (1,0,1) (1,1,0) (1,1,1) 0 0 0 0 4 0 0 4 0 4 4 0 0 1 0 0 4 0 0 4 0 4 4 0 1 0 0 0 4 0 0 4 0 4 4 0 1 1 1 1 0 4 4 0 4 0 0 4 0 12 0 0 12 0 12 12 0 1 0 4 4 0 4 0 0 4 27 / 97
Outline Preliminaries Comprehend the TI Applying TI Conclusion Uniform Masking and Non-completeness Let x ∈ F m denote the input of the (unshared) function f . Let X be correct and uniform masking of x i.e. X ∈ Sh ( x ), and F be a sharing of f . 28 / 97
Recommend
More recommend