threshold implementations comprehend and apply
play

Threshold Implementations: Comprehend and Apply Svetla Nikova, KU - PowerPoint PPT Presentation

Jan 08, 2024 •307 likes •1.29k views

Outline Preliminaries Comprehend the TI Applying TI Conclusion Threshold Implementations: Comprehend and Apply Svetla Nikova, KU Leuven, Belgium July 4rd, 2013 1 / 97 Outline Preliminaries Comprehend the TI Applying TI Conclusion

  1. Outline Preliminaries Comprehend the TI Applying TI Conclusion Threshold Implementations: Comprehend and Apply Svetla Nikova, KU Leuven, Belgium July 4rd, 2013 1 / 97

  2. Outline Preliminaries Comprehend the TI Applying TI Conclusion Preliminaries Side-channel attacks Countermeasures Masking Glitches Comprehend the TI What is TI? Notations, Definitions and Proofs Uniformity Affine Equivalence Classes Applying TI Sharing Techniques Decomposing small S-boxes HW implementations small S-boxes HW implementations AES Conclusion 2 / 97

  3. Outline Preliminaries Comprehend the TI Applying TI Conclusion Preliminaries Side-channel attacks Countermeasures Masking Glitches Comprehend the TI What is TI? Notations, Definitions and Proofs Uniformity Affine Equivalence Classes Applying TI Sharing Techniques Decomposing small S-boxes HW implementations small S-boxes HW implementations AES Conclusion 3 / 97

  4. Outline Preliminaries Comprehend the TI Applying TI Conclusion Side-channel attacks • Normal attacks: c = E ( k , p ) • Known plaintext: equations in the key • High nonlinearity, difficult to solve • Device executing the cryptographic algorithm leaks information on internal state • Instantaneous leakage depends on intermediate variables, which results in equations • That have lower nonlinearity • That may contain noise 4 / 97

  5. Outline Preliminaries Comprehend the TI Applying TI Conclusion Countering power attacks • Ensure constant power consumption • Constant instruction sequence • Use special hardware logic styles • Avoid statistical correlation between secret key and data processed • Masking • Counters attacks that use repeated measurements and statistics to remove the noise 5 / 97

  6. Outline Preliminaries Comprehend the TI Applying TI Conclusion Countermeasures at different levels • Hardware logic style → Relieves cryptographers BUT places burden on hardware designers • Algorithms and implementations → Probably lowest feasible level • Ciphers and Protocols → New standards, takes time 6 / 97

  7. Outline Preliminaries Comprehend the TI Applying TI Conclusion Countermeasures We NEED secure implementations against DPA 7 / 97

  8. Outline Preliminaries Comprehend the TI Applying TI Conclusion Countermeasures We NEED secure implementations against DPA • Hardware countermeasures • Balancing power consumption [Tiri et al., CHES’03] • · · · • Masking • Masking intermediate values [Chari et al., CRYPTO’99; Goubin et al., CHES’99] • Threshold Implementations [Nikova et al., ICISC’08] • Shamir’s Secret Sharing [Goubin et al., CHES’11; Prouff et al., CHES’11] • · · · • Leakage-Resilient Crypto Problem: Unfeasible circuit size, glitches 8 / 97

  9. Outline Preliminaries Comprehend the TI Applying TI Conclusion Countermeasures We NEED secure implementations against DPA • Hardware countermeasures • Balancing power consumption [Tiri et al., CHES’03] • · · · • Masking • Masking intermediate values [Chari et al., CRYPTO’99; Goubin et al., CHES’99] • Threshold Implementations [Nikova et al., ICISC’08] • Shamir’s Secret Sharing [Goubin et al., CHES’11; Prouff et al., CHES’11] • · · · • Leakage-Resilient Crypto Problem: Unfeasible circuit size, glitches 9 / 97

  10. Outline Preliminaries Comprehend the TI Applying TI Conclusion Masking Randomized redundant representation: v → ( v 1 , . . . , v n ) such that v = v 1 ∗ . . . ∗ v n n -th order masking: all n − 1 intermediate variables are independent of v The adversary needs to identify n leakage samples and combine their information Boolean masking: v 1 = v ⊕ m , v 2 = m Multiplicative masking (zero-value problem): v 1 = v ∗ m , v 2 = m Affine Masking: v 1 = v ∗ m ⊕ m 2 , v 2 = m 1 , v 3 = m 2 10 / 97

  11. Outline Preliminaries Comprehend the TI Applying TI Conclusion Masking in Software Masking Table Look-Ups Two tables have to be computed T and T m , where T m ( v ⊕ m ) = T ( v ) ⊕ m Consequences: the computational effort and amount of memory increases. 11 / 97

  12. Outline Preliminaries Comprehend the TI Applying TI Conclusion Problems with masking • Unintentional unmasking, • Glitches HD ( v m , w m ) = HW ( v m ⊕ w m ) = HW ( v ⊕ w ) 12 / 97

  13. Outline Preliminaries Comprehend the TI Applying TI Conclusion Glitches Temporary states of the output 13 / 97

  14. Outline Preliminaries Comprehend the TI Applying TI Conclusion Glitches Temporary states of the output z = x AND y , where x m = x ⊕ m x , y m = y ⊕ m y z m = x m y m ⊕ ( m y x m ⊕ ( m x y m ⊕ ( m x m y ⊕ m z ))) 14 / 97

  15. Outline Preliminaries Comprehend the TI Applying TI Conclusion Glitches Temporary states of the output z = x AND y , where x m = x ⊕ m x , y m = y ⊕ m y z m = x m y m ⊕ ( m y x m ⊕ ( m x y m ⊕ ( m x m y ⊕ m z ))) 15 / 97

  16. Outline Preliminaries Comprehend the TI Applying TI Conclusion Glitches Temporary states of the output z = x AND y , where x m = x ⊕ m x , y m = y ⊕ m y z m = x m y m ⊕ ( m y x m ⊕ ( m x y m ⊕ ( m x m y ⊕ m z ))) 16 / 97

  17. Outline Preliminaries Comprehend the TI Applying TI Conclusion Glitches Temporary states of the output z = x AND y , where x m = x ⊕ m x , y m = y ⊕ m y z m = x m y m ⊕ ( m y x m ⊕ ( m x y m ⊕ ( m x m y ⊕ m z ))) y m y y m AND XOR 0 0 0 0 0 0 1 1 2 2 1 0 1 1 1 1 1 0 1 2 17 / 97

  18. Outline Preliminaries Comprehend the TI Applying TI Conclusion Why TI? Threshold Implementations • Any hardware technology • Realistic size • Provably secure against 1 st order DPA 18 / 97

  19. Outline Preliminaries Comprehend the TI Applying TI Conclusion Why TI? Threshold Implementations • Any hardware technology • Realistic size • Provably secure against 1 st order DPA So far, • Noekeon [Nikova et al., ICISC’08] • Multiplication in GF (4) [Nikova et al., ICISC’08] • Keccak [Bertoni et al., SHA-3 candidates’10] • Present [Poschmann et al., J.Cryptology’11] • AES [Moradi et al., Eurocrypt’11] • All 3 × 3 and 4 × 4 S-boxes [Bilgin et al., CHES’12] • etc. 19 / 97

  20. Outline Preliminaries Comprehend the TI Applying TI Conclusion Preliminaries Side-channel attacks Countermeasures Masking Glitches Comprehend the TI What is TI? Notations, Definitions and Proofs Uniformity Affine Equivalence Classes Applying TI Sharing Techniques Decomposing small S-boxes HW implementations small S-boxes HW implementations AES Conclusion 20 / 97

  21. Outline Preliminaries Comprehend the TI Applying TI Conclusion What is TI? S() ( x, y, z, . . . ) ( a, b, c, . . . ) 21 / 97

  22. Outline Preliminaries Comprehend the TI Applying TI Conclusion What is TI? S 1 ( x 1 , y 1 , z 1 , . . . ) ( a 1 , b 1 , c 1 , . . . ) ( x 2 , y 2 , z 2 , . . . ) ( a 2 , b 2 , c 2 , . . . ) S 2 . . . . . . . . . S s ( x s , y s , z s , . . . ) ( a s , b s , c s , . . . ) 22 / 97

  23. Outline Preliminaries Comprehend the TI Applying TI Conclusion What is TI? S 1 ( x 1 , y 1 , z 1 , . . . ) ( a 1 , b 1 , c 1 , . . . ) ( x 2 , y 2 , z 2 , . . . ) S 2 ( a 2 , b 2 , c 2 , . . . ) . . . . . . . . . S s ( x s , y s , z s , . . . ) ( a s , b s , c s , . . . ) • Non-complete 23 / 97

  24. Outline Preliminaries Comprehend the TI Applying TI Conclusion What is TI? S 1 ( x 1 , y 1 , z 1 , . . . ) ( a 1 , b 1 , c 1 , . . . ) ⊕ ⊕ ( x 2 , y 2 , z 2 , . . . ) S 2 ( a 2 , b 2 , c 2 , . . . ) ⊕ ⊕ . . . . . . . . . ⊕ ⊕ S s ( x s , y s , z s , . . . ) ( a s , b s , c s , . . . ) = = ( a, b, c, . . . ) ( x, y, z, . . . ) • Correct • Non-complete 24 / 97

  25. Outline Preliminaries Comprehend the TI Applying TI Conclusion What is TI? S 1 ( x 1 , y 1 , z 1 , . . . ) ( a 1 , b 1 , c 1 , . . . ) ⊕ ⊕ ( x 2 , y 2 , z 2 , . . . ) S 2 ( a 2 , b 2 , c 2 , . . . ) ⊕ ⊕ . . . . . . . . . ⊕ ⊕ S s ( x s , y s , z s , . . . ) ( a s , b s , c s , . . . ) = = ( a, b, c, . . . ) ( x, y, z, . . . ) • Correct • Non-complete • Uniform 25 / 97

  26. Outline Preliminaries Comprehend the TI Applying TI Conclusion Uniformity • S-boxes: If S ( x ) = a is a bijection, then S ( x 1 , x 2 , x 3 ) = ( a 1 , a 2 , a 3 ) is also a bijection. 26 / 97

  27. Outline Preliminaries Comprehend the TI Applying TI Conclusion Uniformity • S-boxes: If S ( x ) = a is a bijection, then S ( x 1 , x 2 , x 3 ) = ( a 1 , a 2 , a 3 ) is also a bijection. • Multiplication: x y a=x AND y a (0,0,0) (0,0,1) (0,1,0) (0,1,1) (1,0,0) (1,0,1) (1,1,0) (1,1,1) 0 0 0 0 4 0 0 4 0 4 4 0 0 1 0 0 4 0 0 4 0 4 4 0 1 0 0 0 4 0 0 4 0 4 4 0 1 1 1 1 0 4 4 0 4 0 0 4 0 12 0 0 12 0 12 12 0 1 0 4 4 0 4 0 0 4 27 / 97

  28. Outline Preliminaries Comprehend the TI Applying TI Conclusion Uniform Masking and Non-completeness Let x ∈ F m denote the input of the (unshared) function f . Let X be correct and uniform masking of x i.e. X ∈ Sh ( x ), and F be a sharing of f . 28 / 97

Recommend

Threshold Implementations: Comprehend and Apply Svetla Nikova, KU Leuven, Belgium June 8, 2013

Threshold Implementations: Comprehend and Apply Svetla Nikova, KU Leuven, Belgium June 8, 2013

Outline Preliminaries Comprehend the TI Applying TI Conclusion Threshold Implementations: Comprehend and Apply Svetla Nikova, KU Leuven, Belgium June 8, 2013 1 / 112 Outline Preliminaries Comprehend the TI Applying TI Conclusion

1.14k views • 112 slides
Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure countermeasure Against (first) order power analysis based on multi party computation and secret sharing 2 Outline Threshold Implementations

990 views • 58 slides
Threshold Implementations (Efficient TI on AES) Begl Bilgin, Benedikt Gierlichs, Svetla Nikova,

Threshold Implementations (Efficient TI on AES) Begl Bilgin, Benedikt Gierlichs, Svetla Nikova,

Threshold Implementations (Efficient TI on AES) Begl Bilgin, Benedikt Gierlichs, Svetla Nikova, Ventzislav Nikov, and Vincent Rijmen Introduction Physical Attacks Active Passive (Fault Attacks) (Observing Attacks) Side Channel Attacks

644 views • 45 slides
A Threshold Cryptographic Backend for DNSSEC Francisco Cifuentes francisco@niclabs.cl 1 Key

A Threshold Cryptographic Backend for DNSSEC Francisco Cifuentes francisco@niclabs.cl 1 Key

A Threshold Cryptographic Backend for DNSSEC Francisco Cifuentes francisco@niclabs.cl 1 Key Management Implementations Back to ICANN 40 2 Key Management Implementations Needs Zones need to be re-signed PKCS#11 periodically. Keys

507 views • 14 slides
Watershed Below TMDL Threshold At TMDL Threshold Above TMDL Threshold Water Quality Overview

Watershed Below TMDL Threshold At TMDL Threshold Above TMDL Threshold Water Quality Overview

Nantucket Harbor Watershed Below TMDL Threshold At TMDL Threshold Above TMDL Threshold Water Quality Overview Routine monitoring: June-September. Water quality, dissolved oxygen, algae, eelgrass. Work with State agencies to

631 views • 19 slides
Calstate.edu/apply The new way to apply to CSU What Applicants Need to Apply Unofficial

Calstate.edu/apply The new way to apply to CSU What Applicants Need to Apply Unofficial

Calstate.edu/apply The new way to apply to CSU What Applicants Need to Apply Unofficial Transcripts T est Scores Annual Income (parent s if dependent) Social Security Number Citizenship Status (Including paren ts if

472 views • 23 slides
Briefing Slides From Application to Assessment Why should you apply? Who can apply?

Briefing Slides From Application to Assessment Why should you apply? Who can apply?

Briefing Slides From Application to Assessment Why should you apply? Who can apply? When to apply? What is the process? Why should you apply? SPARK Certification Benefits 1. Endorsement of centre quality 2. Information to guide

322 views • 21 slides
Threshold resummation far from threshold GGI, Firenze, September 7 th , 2011 Giovanni Ridolfi

Threshold resummation far from threshold GGI, Firenze, September 7 th , 2011 Giovanni Ridolfi

Threshold resummation far from threshold GGI, Firenze, September 7 th , 2011 Giovanni Ridolfi Universit` a di Genova and INFN Genova, Italy Plan of the talk: 1. When is threshold resummation relevant? 2. Ambiguities in resummed results

939 views • 69 slides
Polynomial threshold functions and Boolean threshold circuits Kristoffer Arnsfelt Hansen 1

Polynomial threshold functions and Boolean threshold circuits Kristoffer Arnsfelt Hansen 1

Polynomial threshold functions and Boolean threshold circuits Kristoffer Arnsfelt Hansen 1 Vladimir V. Podolskii 2 1 Aarhus University 2 Steklov Mathematical Institute MFCS 2013 1 / 27 Boolean Threshold Functions Boolean function f : { a , b } n

927 views • 44 slides
OPT Basics How to Apply When to Apply What to Expect 1 What Is OPT? O ptional P ractical T

OPT Basics How to Apply When to Apply What to Expect 1 What Is OPT? O ptional P ractical T

OPT Basics How to Apply When to Apply What to Expect 1 What Is OPT? O ptional P ractical T raining Experiential learning benefit granted to F-1 students to work in their major field of study You can apply for twelve months of OPT for

1.09k views • 65 slides
Infrequent words are more difficult to comprehend. Shashank Sonkar Computer Sc. &

Infrequent words are more difficult to comprehend. Shashank Sonkar Computer Sc. &

Infrequent words are more difficult to comprehend. Shashank Sonkar Computer Sc. & Engineering, Senior Undergraduate, IIT Kanpur. Saccade Rapid, jerky movement of the eyes Silent Reading Terminology Eye movements & Visual

661 views • 11 slides
Enter the Threshold The NIST Threshold Cryptography Project National Institute of Standards and

Enter the Threshold The NIST Threshold Cryptography Project National Institute of Standards and

Enter the Threshold The NIST Threshold Cryptography Project National Institute of Standards and Technology NIST Threshold Cryptography Workshop 2019 (#NTCW2019) March 11, 2019 @ NIST campus, Gaithersburg MD, USA Contact email:

1.21k views • 80 slides
Contracts vs. Implementations: Where? Common Eiffel Errors: Instructions for Implementations :

Contracts vs. Implementations: Where? Common Eiffel Errors: Instructions for Implementations :

Contracts vs. Implementations: Where? Common Eiffel Errors: Instructions for Implementations : inst 1 , inst 2 Contracts vs. Implementations Boolean expressions for Contracts: exp 1 , exp 2 , exp 3 , exp 4 , exp 5 feature -- Commands

231 views • 6 slides
Why use apply? Lore Dirick Instructor, DataCamp Intermediate R for Finance Meet the apply

Why use apply? Lore Dirick Instructor, DataCamp Intermediate R for Finance Meet the apply

INTERMEDIATE R FOR FINANCE Why use apply? Lore Dirick Instructor, DataCamp Intermediate R for Finance Meet the apply family Function Description apply Apply functions over array margins lapply Apply a function over a list or vector

572 views • 14 slides
Near-Threshold Computing: How Close Should We Get? Alaa R. Alameldeen Intel Labs Workshop on

Near-Threshold Computing: How Close Should We Get? Alaa R. Alameldeen Intel Labs Workshop on

Near-Threshold Computing: How Close Should We Get? Alaa R. Alameldeen Intel Labs Workshop on Near-Threshold Computing June 14, 2014 Overview High-level talk summarizing my architectural perspective on near-threshold computing

850 views • 41 slides
Calstate.edu/apply The new way to apply to CSU Please be Patient We are still in the process of

Calstate.edu/apply The new way to apply to CSU Please be Patient We are still in the process of

Calstate.edu/apply The new way to apply to CSU Please be Patient We are still in the process of designing our application with our partner. What we show you today may change between now and our June Go-live. We will continue to update this

592 views • 33 slides
Calstate.edu/apply The new way to apply to CSU Cal State Apply Project Scope Replacing

Calstate.edu/apply The new way to apply to CSU Cal State Apply Project Scope Replacing

Calstate.edu/apply The new way to apply to CSU Cal State Apply Project Scope Replacing CSUMentor Application Updating and Organizing Web Content Based on Audience All in One Place CSU Mentor Content Calstate.edu Content

530 views • 20 slides
Threshold Cryptosystems from Threshold Fully Homomorphic Encryption Aayush Jain, UCLA AUTHORS:

Threshold Cryptosystems from Threshold Fully Homomorphic Encryption Aayush Jain, UCLA AUTHORS:

Threshold Cryptosystems from Threshold Fully Homomorphic Encryption Aayush Jain, UCLA AUTHORS: DAN BONEH, ROSARIO GENNARO, STEVEN GOLDFEDER, AAYUSH JAIN, SAM KIM, PETER M. R. RASMUSSEN AND AMIT SAHAI Introduction to Characters Thanos: Bad Guy

567 views • 36 slides
Stack Implementations Tiziana Ligorio 1 Todays Plan Stack Implementations: Array

Stack Implementations Tiziana Ligorio 1 Todays Plan Stack Implementations: Array

Stack Implementations Tiziana Ligorio 1 Todays Plan Stack Implementations: Array Vector Linked Chain 2 Stack ADT #ifndef STACK_H_ #define STACK_H_ template<<typename ItemType> class

1.19k views • 71 slides
Software Engineering Janet Siegmund 1 Why Experiments? Programmers comprehend code most of

Software Engineering Janet Siegmund 1 Why Experiments? Programmers comprehend code most of

Controlled Experiments in Software Engineering Janet Siegmund 1 Why Experiments? Programmers comprehend code most of their time In general: Human factors 15% Read comments Search by tool 50% 14% Read documentation Notes 9%

1.01k views • 47 slides
Greenhouse Gas CEQA Greenhouse Gas CEQA Significance Threshold Significance Threshold

Greenhouse Gas CEQA Greenhouse Gas CEQA Significance Threshold Significance Threshold

Greenhouse Gas CEQA Greenhouse Gas CEQA Significance Threshold Significance Threshold Stakeholder Working Group # 3 Stakeholder Working Group # 3 June 19, 2008 SCAQMD Diamond Bar, California GHG Significance Threshold GHG Significance

691 views • 12 slides
A STRUCTURAL MODELING APPROACH TO COMPREHEND PURCHASE INTENTION INFLUENCED BY SOCIAL MEDIA : THE

A STRUCTURAL MODELING APPROACH TO COMPREHEND PURCHASE INTENTION INFLUENCED BY SOCIAL MEDIA : THE

A STRUCTURAL MODELING APPROACH TO COMPREHEND PURCHASE INTENTION INFLUENCED BY SOCIAL MEDIA : THE MEDIATING ROLE OF CONSUMER ATTITUDE AND THE MODERATING ROLE OF MARKET MAVENS BY TUHIN CHATTOPADHYAY, PH.D. Source:

830 views • 40 slides
NSF NSF CAREER CAREER Pr Program NSF 14 532 Why Apply Wh Apply fo for a CAREER? CAREER?

NSF NSF CAREER CAREER Pr Program NSF 14 532 Why Apply Wh Apply fo for a CAREER? CAREER?

5/14/2014 NSF NSF CAREER CAREER Pr Program NSF 14 532 Why Apply Wh Apply fo for a CAREER? CAREER? Prestigious research funding for early career investigators Provide support at a sufficient level/duration to allow for career

645 views • 21 slides
Greenhouse Gas CEQA Greenhouse Gas CEQA Significance Threshold Significance Threshold

Greenhouse Gas CEQA Greenhouse Gas CEQA Significance Threshold Significance Threshold

Greenhouse Gas CEQA Greenhouse Gas CEQA Significance Threshold Significance Threshold Stakeholder Working Group # 8 Stakeholder Working Group # 8 January 28, 2009 SCAQMD Diamond Bar, California Agenda Item #2 Staff s Interim Agenda

226 views • 19 slides

More recommend