
Threshold Implementations, Svetla Nikova - PowerPoint PPT Presentation



  1. Threshold Implementations Svetla Nikova

  2. Threshold Implementations
  • A provably secure countermeasure
  • Against (first-)order power analysis, based on multi-party computation and secret sharing

  3. Outline
  • Threshold Implementations (update)
  • Applications of TI
  • Higher-order TI

  4. Countermeasures
  • Hardware countermeasures: balancing power consumption [Tiri et al., CHES'03]
  • Masking: randomizing intermediate values [Chari et al., Crypto'99; Goubin et al., CHES'99]
    - Threshold Implementations [Nikova et al., ICICS'06]
    - Shamir's Secret Sharing [Goubin et al., Prouff et al., CHES'11]
  • Leakage-Resilient Crypto

  5. Threshold Implementations
  [diagram: the unshared function S() maps the input (x, y, z, ...) to the output (a, b, c, ...)]
  "Threshold Implementations ...", S. Nikova, V. Rijmen et al., 2006, 2008, 2010 (JoC).

  6. Threshold Implementations
  [diagram: the input (x, y, z, ...) is split into s shares (x_1, y_1, z_1, ...), ..., (x_s, y_s, z_s, ...); each component function S_i() computes one output share (a_i, b_i, c_i, ...)]

  7. Threshold Implementations
  [diagram: as on slide 6; the output shares (a_1, b_1, c_1, ...), ..., (a_s, b_s, c_s, ...) sum to (a, b, c, ...) = S(x, y, z, ...)]
  Properties: Correct, Non-complete, Uniform

  10. Threshold Implementations
  Non-completeness: to protect a function of degree d, at least d+1 shares are required.

  12. Threshold Implementations
  Uniformity
  [diagram: two-input gate with inputs a, b and output f = a AND b]

  13. Threshold Implementations
  Uniformity: if the unshared function is a permutation, the shared function should also be a permutation.

  14. Threshold Implementations
  [diagram: a single component function S_i next to the full shared function S]
  No leak even in the presence of glitches!

  15. Threshold Implementations
  Uniformity
  [diagram: distribution of the shared output of f]

  16. Threshold Implementations
  Uniformity and a remedy
  • Firstly, we can apply re-masking, i.e. by adding new masks to the shares we make the distribution uniform.
  • Secondly, we can impose an extra condition on F such that the distribution of the output is always uniform.
  • If X, the masking of x, is uniform and the circuit F is uniform, then the masking Y = F(X) of y = f(x) is uniform.
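The AND sharing of slide 12 and the three properties of slides 7 to 16, worked through as an added example (not code from the slides): the component functions are the standard 3-share sharing of AND, while the property checkers and the re-masking step are this example's own construction.

```python
from itertools import product

def share_and(x, y):
    """3-share TI of f = a AND b; x and y are 3-tuples of shares (XOR to a, b)."""
    x1, x2, x3 = x
    y1, y2, y3 = y
    f1 = (x2 & y2) ^ (x2 & y3) ^ (x3 & y2)   # never reads share 1
    f2 = (x3 & y3) ^ (x1 & y3) ^ (x3 & y1)   # never reads share 2
    f3 = (x1 & y1) ^ (x1 & y2) ^ (x2 & y1)   # never reads share 3
    return (f1, f2, f3)

def remask(f, r1, r2):
    """Re-masking remedy of slide 16: fresh masks r1, r2 that cancel in the XOR."""
    return (f[0] ^ r1, f[1] ^ r2, f[2] ^ r1 ^ r2)

def sharings(v):
    """The four 3-share sharings of bit v (two free shares, third one fixed)."""
    return [(s1, s2, v ^ s1 ^ s2) for s1, s2 in product((0, 1), repeat=2)]

unshare = lambda s: s[0] ^ s[1] ^ s[2]
ALL_INPUTS = [(x, y) for x in sharings(0) + sharings(1)
              for y in sharings(0) + sharings(1)]        # all 64 shared inputs

def is_correct(comp):
    """Correctness: output shares XOR to a AND b for every input sharing."""
    return all(unshare(comp(x, y)) == (unshare(x) & unshare(y))
               for x, y in ALL_INPUTS)

def is_non_complete(comp):
    """Non-completeness: flipping share i of x or y never changes component i."""
    flip = lambda s, i: tuple(b ^ (j == i) for j, b in enumerate(s))
    return all(comp(x, y)[i] == comp(flip(x, i), y)[i] == comp(x, flip(y, i))[i]
               for x, y in ALL_INPUTS for i in range(3))

def output_distribution(comp, remasked=False):
    """Map each unshared (a, b) to the list of output sharings it produces."""
    dist = {}
    masks = list(product((0, 1), repeat=2)) if remasked else [(0, 0)]
    for x, y in ALL_INPUTS:
        for r1, r2 in masks:
            dist.setdefault((unshare(x), unshare(y)), []).append(
                remask(comp(x, y), r1, r2))
    return dist

def is_uniform(dist):
    """Uniformity: every valid output sharing occurs equally often per (a, b)."""
    return all(len(set(outs)) == 4 and len({outs.count(o) for o in set(outs)}) == 1
               for outs in dist.values())
```

Without fresh masks the sharing is correct and non-complete but not uniform (for a = b = 0, every input with x or y equal to (0, 0, 0) lands on the output sharing (0, 0, 0)); after re-masking the output distribution is uniform.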

  17. Threshold Implementations
  Observations
  ✓ Linear functions are easy to protect
  • As the nonlinearity increases:
    ✗ DPA becomes easier
    ✗ Sharing becomes costly
    ✓ S-boxes become mathematically stronger
  → Decomposing nonlinear functions

  18. Threshold Implementations
  Decomposing nonlinear functions: S = G ∘ F
  • Most block ciphers use 4x4 permutations
  • 4x4 permutations have degree at most 3

  19. Threshold Implementations
  Decomposing nonlinear functions: S = G ∘ F
  • All n x n affine bijections are in the alternating group A_(2^n)
  • All 4x4 quadratic S-boxes belong to A_16
  • A 4x4 bijection can be decomposed using quadratic bijections if and only if it belongs to A_16

  20. Threshold Implementations
  Decomposing nonlinear functions: S = G ∘ F
  • 302 affine equivalence classes of 4x4 S-boxes (S' = A ∘ S ∘ B)
  • Half of the 4x4 S-boxes belong to A_16: 3 shares

  21. Threshold Implementations
  Decomposing nonlinear functions
  Number of affine equivalence classes of 4x4 S-boxes, by number of shares; the sub-columns list the classes by decomposition length (1, 2, 3, 4 for 3 shares; 1, 2, 3 for 4 shares; 1 for 5 shares):

  remark                 unshared   3 shares (length 1/2/3/4)   4 shares (length 1/2/3)   5 shares
  affine                      1     1                           1                           1
  quadratic                   6     5  1                        6                           6
  cubic in A_16              30     28  2                       30                         30
  cubic in A_16             114     113  1                      114                       114
  cubic in S_16 \ A_16      151     -                           4  22  125                151

  "Threshold Implementations of All 3x3 and 4x4 S-Boxes", B. Bilgin et al., CHES 2012.

  22. (same table) Uniformity problem

  23. (same table) Many S-boxes with good cryptographic properties

  24. (same table) http://homes.esat.kuleuven.be/~snikova/ti_tools.html
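An added example, not from the slides or the linked tools: it computes the two quantities that slides 10 and 19 use to decide how many shares a 4x4 S-box needs, the algebraic degree (direct TI needs d+1 shares) and membership in A_16 (permutation parity, which decides whether a decomposition into quadratic bijections, and so a 3-share TI, exists). The PRESENT S-box serves as sample input; its values are the published constant and are not taken from this page.

```python
# Sample input: the published PRESENT S-box (not from the slides).
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def algebraic_degree(sbox, n=4):
    """Degree of the S-box: highest monomial degree in the ANF of any output bit."""
    deg = 0
    for bit in range(n):
        anf = [(sbox[x] >> bit) & 1 for x in range(1 << n)]   # truth table of one bit
        for i in range(n):                                    # Moebius transform -> ANF
            for x in range(1 << n):
                if x & (1 << i):
                    anf[x] ^= anf[x ^ (1 << i)]
        deg = max(deg, max((bin(x).count("1") for x in range(1 << n) if anf[x]),
                           default=0))
    return deg

def is_even_permutation(perm):
    """True iff perm lies in the alternating group, i.e. is an even permutation."""
    seen, odd = [False] * len(perm), 0
    for start in range(len(perm)):
        if seen[start]:
            continue
        length, j = 0, start
        while not seen[j]:                # walk one cycle of the permutation
            seen[j] = True
            j = perm[j]
            length += 1
        odd ^= (length - 1) & 1           # a k-cycle is a product of k-1 transpositions
    return odd == 0

def ti_share_requirements(sbox):
    """Direct TI of a degree-d function needs d+1 shares (slide 10); a 3-share TI via
    decomposition into quadratic bijections exists iff the S-box is in A_16 (slide 19)."""
    d = algebraic_degree(sbox)
    return {"degree": d, "direct_shares": d + 1, "in_A16": is_even_permutation(sbox)}
```

For PRESENT the result is degree 3, so 4 shares for a direct sharing, and an even permutation, which is why the 3-share decomposed implementation on slide 26 is possible.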

  25. Outline
  • Threshold Implementations (update)
  • Applications of TI
  • Higher-order TI

  26. Applications - Present
  • "Side-Channel Resistant Crypto for less than 2300 GE", A. Poschmann et al., JoC 2010.
  • Uses a 4x4 S-box with degree 3
  • Implemented with 3 shares
  • 3.3 kGE (1.1 kGE unprotected)
  • 31×(16+1)+20 = 547 cycles

  27. Applications - Present
  • "On 3-share Threshold Implementations for 4-bit S-boxes", S. Kutzner et al., COSADE 2013.
  • Implemented with 3 shares: S' = G(G(·))
  • G_1 = G_2 = G_3
  • 3.0 kGE (-200 GE S-box)
  • 31×(16×6)+20 = 2996 cycles

  28. Applications
  • "Enabling 3-share Threshold Implementations for any 4-bit S-box", S. Kutzner et al., ePrint Archive 2012.
  • Factorization S(·) = U(·) + V(·)
  • U(·) contains all the cubic terms, V(·) is quadratic
  • U(·) = F(G(·)) with quadratic F(·) and G(·)

  29. Applications - AES
  • "Pushing the Limits: A Very Compact and a Threshold Implementation of AES", A. Moradi et al., Eurocrypt 2011.
  • Uses an 8x8 S-box with degree 7; 3 shares
  • Tower field approach down to GF(4); re-sharing (48 random bits per S-box)
  • 11.1 kGE (2.4 kGE unprotected)
  • 266 cycles (226 unprotected)

  30. Applications - AES
  [diagram: AES S-box tower-field datapath: linear map, GF(2^4) square-scaler, GF(2^4) multiplier, GF(2^4) inverter, two GF(2^4) multipliers, inverse linear map]
  • "A More Efficient AES Threshold Implementation", B. Bilgin et al., Africacrypt 2014.
  • Implemented with n shares
  • Tower field approach down to GF(16); re-sharing (44 random bits per S-box)
  • 8.2 kGE (-2.9 kGE)
  • 246 cycles (-20 cycles)

  31. TI on AES S-box
  [diagram: AES S-box tower-field datapath with the number of shares annotated per block: linear map, GF(2^4) square-scaler, GF(2^4) multiplier (⊕), GF(2^4) inverter, two GF(2^4) multipliers (⊕), inverse linear map]
  Built up over slides 31 to 37:
  • 5 shares
  • 4 input, 3 output shares
  • 2 shares
  • 4 shares
  • 3 shares
  • Registers after every nonlinear function
  • Re-masking to change the number of shares

  38. TI on AES
  Implementation Results (area in GE)

  Design          State Array  Key Array  S-box  Mix Col.  Cont.  MUXes  Other  Total        cycles  rand bits**
  Moradi et al.   2529         2526       4244   1120      166    376    153    11114/11031  266     48
  This paper      1698         1890       3708   770       221    746    69     9102         246     44
  This paper*     1698         1890       3003   544       221    746    69     8171         246     44

  * compile_ultra
  ** per S-box
  • Based on the plain Canright S-box (233 GE)
  • Based on plain Moradi et al.'s AES (2.4 kGE)
  • Keeping hierarchy

  39. TI on AES
  Practical Security Evaluation
  • PRNG on, first-order DPA / correlation collision attack
  • 10 million traces

  40. TI on AES
  Practical Security Evaluation
  • PRNG on, second-order DPA
  • HD model at the S-box output

  41. TI on AES
  Practical Security Evaluation
  • PRNG on, second-order correlation collision attack
