Threshold Implementations (Efficient TI on AES)
Begül Bilgin, Benedikt Gierlichs, Svetla Nikova, Ventzislav Nikov, and Vincent Rijmen
Introduction: Physical Attacks (slide 2)
Physical attacks are classified as active (fault attacks) or passive (observing attacks), and by how deeply the device is touched:

  Non-invasive  | Active: glitching, temperature change, low voltage, ...   | Passive: side channel attacks (timing analysis, power analysis, EM attacks)
  Semi-invasive | Active: light attacks, radiation attacks, ...             | Passive: optical inspection, ...
  Invasive      | Active: laser cutters, permanent circuit changes, ...     | Passive: probing, ...
Introduction: Power Analysis (slide 3)
Exploit information from the correlation between the instantaneous power consumption of the device and the intermediate results of the cryptographic algorithm.
• Simple Power Analysis (SPA)
• Differential Power Analysis (DPA)
  - Difference of Means (DoM)
  - Correlation Power Analysis (CPA)
  - Templates
Introduction: DPA Countermeasures (slide 4)
• Circuit level
  - WDDL cells
• Algorithmic level
  - Introducing noise (not provably secure): random delays, dummy operations
  - Masking (provably secure)
  - Leakage resilient crypto (limits encryptions per key)
Introduction: Masking (slide 5)
Figure: the input inp is split into two shares, mask and inp ⊕ mask. Applying a non-linear S-box S to each share separately and XORing the results (out = out1 ⊕ out2) does not give S(inp); a linear function L can be applied share by share.
S(inp) = S(mask ⊕ inp ⊕ mask) ≠ S(mask) ⊕ S(inp ⊕ mask)
L(inp) = L(mask ⊕ inp ⊕ mask) = L(mask) ⊕ L(inp ⊕ mask)
Introduction: Masking (slide 6)
Figure: the share mask goes through S (out1), the share inp ⊕ mask goes through a second function S' that sees both shares (out2), and out = out1 ⊕ out2.
S(inp) = S(mask ⊕ inp ⊕ mask) = S(mask) ⊕ S'(mask, inp ⊕ mask)
Example for S(x,y,z) = x ⊕ yz with x = x1 ⊕ x2, y = y1 ⊕ y2, z = z1 ⊕ z2:
S(x,y,z) = x ⊕ yz = (x1 ⊕ x2) ⊕ (y1 ⊕ y2)(z1 ⊕ z2)
S(x1,y1,z1) = x1 ⊕ y1z1
S'(x1,x2,y1,y2,z1,z2) = x2 ⊕ y1z2 ⊕ y2z1 ⊕ y2z2
Introduction: Masking (slide 7)
Figure: both shares now go through the same function S', with the argument order swapped for the second share, and out = out1 ⊕ out2.
S(x,y,z) = x ⊕ yz = (x1 ⊕ x2) ⊕ (y1 ⊕ y2)(z1 ⊕ z2)
S'(x1,x2,y1,y2,z1,z2) = x1 ⊕ y1z1 ⊕ y1z2
S'(x2,x1,y2,y1,z2,z1) = x2 ⊕ y2z2 ⊕ y2z1
Introduction: Masking (slide 8)
Figure: S on mask (out1), S' on inp ⊕ mask (out2), out = out1 ⊕ out2. This two-share construction is first-order masking.
Introduction: Masking (slide 9)
Figure: three shares mask1, mask2 and inp ⊕ mask1 ⊕ mask2 go through S, S' and S'' (out1, out2, out3), and out = out1 ⊕ out2 ⊕ out3. This is second-order masking.
Introduction: Masking (slide 10)
Conditions for masking to be secure:
✓ Proper randomness
✓ Functions leak independently
✓ Functions should not leak intermediate information depending on both inputs
✗ Not secure in CMOS because of glitches
Introduction: Glitches (slide 11)
Two-share masking of an AND gate:
S(y,z) = yz = (y1 ⊕ y2)(z1 ⊕ z2)
S(y1,z1) = y1z1
S'(y1,y2,z1,z2) = y1z2 ⊕ y2z1 ⊕ y2z2
The figure shows the circuit for S': three AND gates (y1z2, y2z1, y2z2) feeding an XOR. Assume y2 arrives late. Number of gate toggles caused by the y2 transition, for each value of (z1, z2):

  y2      z1  z2  #AND  #XOR  #TOTAL
  0 → 1   0   0   0     0     0
  1 → 0   0   0   0     0     0
  0 → 1   1   1   2     1     3
  1 → 0   1   1   2     1     3
  0 → 1   1   0   1     1     2
  1 → 0   1   0   1     1     2
  0 → 1   0   1   1     1     2
  1 → 0   0   1   1     1     2

The switching activity depends on z1 and z2 together, so the power consumption depends on the unmasked value z.
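The following Python script is an added example (mine, not from the slides): it checks that the two-share AND above is correct for every sharing, then reproduces the toggle table under a simple activity model that is my assumption, not the slide's: an AND gate counts 1 if its output changes when y2 flips, and the XOR that combines the three products counts 1 if any of its inputs changes (a glitch on the XOR). Finally it groups the totals by the unmasked z = z1 ⊕ z2, which is the quantity a first-order DPA would correlate with.

```python
# Added example (not from the slides): two-share Boolean masking of an AND gate
# and a toggle-count model of what a late-arriving share does to its activity.
from itertools import product


def and_unshared(y, z):
    return y & z


def s_first(y1, z1):
    """Component S(y1, z1) = y1 z1."""
    return y1 & z1


def s_second_products(y1, y2, z1, z2):
    """The three AND gates inside S'(y1, y2, z1, z2) = y1 z2 + y2 z1 + y2 z2."""
    return (y1 & z2, y2 & z1, y2 & z2)


def s_second(y1, y2, z1, z2):
    p = s_second_products(y1, y2, z1, z2)
    return p[0] ^ p[1] ^ p[2]


def masking_is_correct():
    """S(y1,z1) XOR S'(y1,y2,z1,z2) equals yz for every sharing of (y, z)."""
    return all(
        s_first(y1, z1) ^ s_second(y1, y2, z1, z2) == and_unshared(y1 ^ y2, z1 ^ z2)
        for y1, y2, z1, z2 in product((0, 1), repeat=4)
    )


def toggles_when_y2_late(y1, z1, z2):
    """Toggle counts inside S' when y1, z1, z2 have settled and y2 then flips.

    Assumed activity model: an AND gate counts 1 if its output changes; the XOR
    combining the products counts 1 if any of its inputs changes (it glitches).
    The gate y1 z2 never toggles, so y1 does not influence the result.
    """
    before = s_second_products(y1, 0, z1, z2)
    after = s_second_products(y1, 1, z1, z2)
    n_and = sum(b != a for b, a in zip(before, after))
    n_xor = 1 if n_and else 0
    return n_and, n_xor, n_and + n_xor


def toggle_table():
    """Rows (y2 transition, z1, z2, #AND, #XOR, #TOTAL) in the order of slide 11."""
    rows = []
    for z1, z2 in ((0, 0), (1, 1), (1, 0), (0, 1)):
        for direction in ("0->1", "1->0"):
            n_and, n_xor, total = toggles_when_y2_late(0, z1, z2)
            rows.append((direction, z1, z2, n_and, n_xor, total))
    return rows


def mean_total_toggles_by_z():
    """Average #TOTAL grouped by the UNMASKED value z = z1 XOR z2.

    A difference between the two groups means the activity (and so the power
    trace) depends on the secret bit, which is what first-order DPA exploits.
    """
    sums = {0: [], 1: []}
    for _, z1, z2, _, _, total in toggle_table():
        sums[z1 ^ z2].append(total)
    return {z: sum(v) / len(v) for z, v in sums.items()}


if __name__ == "__main__":
    print("masking correct:", masking_is_correct())
    for row in toggle_table():
        print(row)
    print("mean toggles by unmasked z:", mean_total_toggles_by_z())
```

Under this model the unmasked z = 0 rows average 1.5 toggles (0 or 3) while the z = 1 rows always give 2, so the glitch activity is a first-order leak even though each share on its own is uniformly random; that is the failure threshold implementations are designed to remove.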
Threshold Implementations (slide 12)
Masking scheme based on secret sharing and multiparty computation.
Pros:
✓ Security in a circuit with glitches
✓ Efficient in HW
✓ Any HW technology
Cons:
✗ High-order non-linear functions are challenging
Implementations: AES (8k), PRESENT (3k), Noekeon, Keccak (30k), roughly 3 times larger than unshared.
Threshold Implementations (slide 13)
Figure: the unshared function S maps (x, y, z, ...) to (a, b, c, ...). The shared version consists of component functions S1, S2, ..., Ss operating on input shares (x1, y1, z1, ...), (x2, y2, z2, ...), ..., (xs, ys, zs, ...) and producing output shares (a1, b1, c1, ...), (a2, b2, c2, ...), ..., (as, bs, cs, ...).
The sharing must satisfy 3 properties.
Threshold Implementations (slide 14)
Figure: as on slide 13, with the XOR of all input shares equal to (x, y, z, ...) and the XOR of all output shares (a1, b1, c1, ...) ⊕ ... ⊕ (as, bs, cs, ...) equal to (a, b, c, ...).
The 3 properties: Correctness, Non-completeness, Uniformity.
Threshold Implementations (slide 16)
Three-share sharing of S(x,y,z) = x ⊕ yz, with x = x1 ⊕ x2 ⊕ x3, y = y1 ⊕ y2 ⊕ y3, z = z1 ⊕ z2 ⊕ z3:
S(x,y,z) = x ⊕ yz = (x1 ⊕ x2 ⊕ x3) ⊕ (y1 ⊕ y2 ⊕ y3)(z1 ⊕ z2 ⊕ z3)
S1(x2,x3,y2,y3,z2,z3) = x2 ⊕ y2z2 ⊕ y2z3 ⊕ y3z2
S2(x1,x3,y1,y3,z1,z3) = x3 ⊕ y3z3 ⊕ y3z1 ⊕ y1z3
S3(x1,x2,y1,y2,z1,z2) = x1 ⊕ y1z1 ⊕ y1z2 ⊕ y2z1
Each component function leaves out one share of every input variable.
Threshold Implementations: Non-completeness (slide 17)
If the input masking is uniform and the circuit is non-complete, then the stochastic functions Si and x are independent for any i.
Equivalently: if the input masking is uniform and the circuit is non-complete, then any single component function Si does not leak information on x.
Need at least d+1 shares for a function of degree d.
Threshold Implementations (slide 18)
Figure: the sharing diagram of slide 14 again (XOR of input shares = (x, y, z, ...), XOR of output shares = (a, b, c, ...)), now to introduce the third property.
Correctness, Non-completeness, Uniformity.
Threshold Implementations: Uniformity (slide 19)
A masking X is uniform ⟺ there exists a constant p such that for all x: if X ∈ Sh(x) then Pr(X | x) = p, else Pr(X | x) = 0. (Sh(x) denotes the set of valid sharings of x.)
If the unshared function is a permutation, the shared function should also be a permutation.
If uniformity cannot be achieved during the Si calculation, apply re-masking.
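The following Python checker is an added example (my code, not the authors'): it verifies correctness, non-completeness and uniformity exhaustively for the 3-share sharing of S(x,y,z) = x ⊕ yz given on slide 16, and, for contrast, for the same quadratic terms without the linear x share, i.e. a 3-share sharing of the bare AND yz. Both sharings are correct and non-complete; only the first is uniform, which is the situation slide 19 addresses with re-masking. Share i in the slide notation is index i-1 here; the uniformity test counts, for each unshared input, how often every valid output sharing occurs and requires a constant count, which is the Pr(X | x) = p condition restricted to a finite domain.

```python
# Added example (not from the slides): exhaustive checker for the three TI
# properties on small Boolean functions shared over S shares.
from collections import Counter
from itertools import product

S = 3  # number of shares


def xor_all(bits):
    return sum(bits) % 2


def sharings(value, s=S):
    """Sh(value): all s-tuples of bits whose XOR is value."""
    return [t for t in product((0, 1), repeat=s) if xor_all(t) == value]


# Components of the 3-share sharing of x + yz (slide 16). `sh` is a tuple of
# share tuples, one per input variable: sh = (x_shares, y_shares, z_shares).
def c1(sh):  # reads shares 2 and 3 only
    x, y, z = sh
    return x[1] ^ (y[1] & z[1]) ^ (y[1] & z[2]) ^ (y[2] & z[1])


def c2(sh):  # reads shares 1 and 3 only
    x, y, z = sh
    return x[2] ^ (y[2] & z[2]) ^ (y[2] & z[0]) ^ (y[0] & z[2])


def c3(sh):  # reads shares 1 and 2 only
    x, y, z = sh
    return x[0] ^ (y[0] & z[0]) ^ (y[0] & z[1]) ^ (y[1] & z[0])


TI_XOR_AND = (c1, c2, c3)


def xor_and(x, y, z):
    return x ^ (y & z)


# Same quadratic terms without the x share: a 3-share sharing of yz alone.
def a1(sh):
    y, z = sh
    return (y[1] & z[1]) ^ (y[1] & z[2]) ^ (y[2] & z[1])


def a2(sh):
    y, z = sh
    return (y[2] & z[2]) ^ (y[2] & z[0]) ^ (y[0] & z[2])


def a3(sh):
    y, z = sh
    return (y[0] & z[0]) ^ (y[0] & z[1]) ^ (y[1] & z[0])


TI_AND = (a1, a2, a3)


def bare_and(y, z):
    return y & z


def evaluate(components, sh):
    return tuple(c(sh) for c in components)


def all_inputs(n_inputs, s=S):
    return product(product((0, 1), repeat=s), repeat=n_inputs)


def is_correct(components, unshared, n_inputs, s=S):
    """XOR of the component outputs equals the unshared function on every input."""
    for sh in all_inputs(n_inputs, s):
        if xor_all(evaluate(components, sh)) != unshared(*(xor_all(t) for t in sh)):
            return False
    return True


def share_dependencies(components, n_inputs, s=S):
    """For each component, the set of share indices that can influence its output."""
    deps = []
    for c in components:
        used = set()
        for sh in all_inputs(n_inputs, s):
            base = c(sh)
            for v in range(n_inputs):
                for j in range(s):
                    flipped = [list(t) for t in sh]
                    flipped[v][j] ^= 1
                    if c(tuple(tuple(t) for t in flipped)) != base:
                        used.add(j)
        deps.append(used)
    return deps


def is_non_complete(components, n_inputs, s=S):
    """Every component must be independent of at least one share index."""
    return all(len(d) < s for d in share_dependencies(components, n_inputs, s))


def is_uniform(components, unshared, n_inputs, s=S):
    """For each unshared input, every valid output sharing is hit equally often."""
    expected = (2 ** (s - 1)) ** n_inputs // 2 ** (s - 1)
    for inp in product((0, 1), repeat=n_inputs):
        counts = Counter(evaluate(components, sh)
                         for sh in product(*(sharings(v, s) for v in inp)))
        valid = sharings(unshared(*inp), s)
        if set(counts) - set(valid) or any(counts[a] != expected for a in valid):
            return False
    return True


def report(components, unshared, n_inputs, s=S):
    return {"correct": is_correct(components, unshared, n_inputs, s),
            "non_complete": is_non_complete(components, n_inputs, s),
            "uniform": is_uniform(components, unshared, n_inputs, s)}


if __name__ == "__main__":
    print("x + yz, 3 shares:", report(TI_XOR_AND, xor_and, 3))
    print("yz alone, 3 shares:", report(TI_AND, bare_and, 2))
```

The bare AND fails uniformity because, for example, every sharing of y with a zero z sharing maps to the all-zero output sharing, so (0,0,0) is over-represented; adding fresh randomness (re-masking) or the linear share term restores a uniform output distribution, which is what the next stage needs as its input.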
Threshold Implementations: Decomposition (slide 20)
Figure: S = G ∘ F. Each share path goes through a component of F, then a register R, then a component of G: F1, R1, G1 on (x1, y1, z1, ...); F2, R2, G2 on (x2, y2, z2, ...); ...; Fs, Rs, Gs on (xs, ys, zs, ...). The XOR of the input shares equals (x, y, z, ...) and the XOR of the output shares (a1, b1, c1, ...), ..., (as, bs, cs, ...) equals (a, b, c, ...).
Separate non-linear functions with registers.
Applications (slide 21)
• All 3x3 and 4x4 S-boxes
• PRESENT: uses a 4x4 S-box with degree 3
  • 3.3 kGE (1.1 kGE unprotected)
• KECCAK: uses a 5x5 S-box with degree 2
  • 32.6 kGE (10.6 kGE unprotected)
• AES: uses an 8x8 S-box with degree 7
  • by Moradi et al. and by us
• Authenticated encryption designs FIDES and PRIMATEs
Threshold Implementations: 4x4 S-boxes (slides 22 to 24)
Number of affine equivalence classes of 4x4 S-boxes and how many of them admit a TI with 3, 4 or 5 shares (the sub-columns 1 2 3 4 under "3 shares" and 1 2 3 under "4 shares" are kept as on the slide):

  unshared | 3 shares (1 2 3 4) | 4 shares (1 2 3) | 5 shares | remark
  1        | 1                  | 1                | 1        | affine
  6        | 5  1               | 6                | 6        | quadratic
  30       | 28  2              | 30               | 30       | cubic in A16
  114      | 113  1             | 114              | 114      | cubic in A16
  151      |                    | 4  22  125       | 151      | cubic in S16 \ A16

(A16 is the alternating group on 16 elements, i.e. the even permutations; S16 \ A16 are the odd ones.)
Many S-boxes with good cryptographic properties.
Slide 24 highlights one entry of the table: GF(2^4) inversion.
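As an added example (my code, not from the slides or the cited papers), the following Python computes the algebraic degree of the S-boxes named on slides 21 and 24 by converting each output bit to its algebraic normal form (Möbius transform) and applies the d+1 share bound from slide 17. The GF(2^4) inversion is built with the polynomial x^4 + x + 1, an assumption made here for concreteness; the degree does not depend on that choice, since any two field representations differ by a linear map. The AES S-box is GF(2^8) inversion (polynomial 0x11B) followed by the standard affine layer, and the Keccak row function chi is written out from its definition a_i ⊕ (¬a_{i+1} ∧ a_{i+2}).

```python
# Added example (not from the slides): algebraic degree of S-boxes and the
# minimum number of TI shares d + 1 that follows from it.


def anf(truth_table):
    """Möbius transform: truth table (length 2^n, entries 0/1) -> ANF coefficients."""
    coeffs = list(truth_table)
    n = len(coeffs).bit_length() - 1
    for i in range(n):
        bit = 1 << i
        for u in range(len(coeffs)):
            if u & bit:
                coeffs[u] ^= coeffs[u ^ bit]
    return coeffs


def algebraic_degree(sbox, n_out):
    """Maximum degree over all coordinate functions of a lookup-table S-box."""
    degree = 0
    for bit in range(n_out):
        coeffs = anf([(v >> bit) & 1 for v in sbox])
        for u, c in enumerate(coeffs):
            if c:
                degree = max(degree, bin(u).count("1"))
    return degree


def min_shares(sbox, n_out):
    """A non-complete TI of a degree-d function needs at least d + 1 shares."""
    return algebraic_degree(sbox, n_out) + 1


def gf_mul(a, b, poly, n):
    """Multiplication in GF(2^n) with reduction polynomial poly (bit n set)."""
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << n):
            a ^= poly
    return r


def gf_inv(a, poly, n):
    """Inverse in GF(2^n) as a^(2^n - 2); maps 0 to 0 (the AES convention)."""
    r, e = 1, (1 << n) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a, poly, n)
        a = gf_mul(a, a, poly, n)
        e >>= 1
    return r


def aes_sbox(a):
    inv = gf_inv(a, 0x11B, 8)
    out = inv
    for k in range(1, 5):  # affine layer: inv XOR its four left rotations XOR 0x63
        out ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
    return out ^ 0x63


def keccak_chi(a):
    """5-bit row function chi: a_i ^= (not a_{i+1}) and a_{i+2}."""
    out = 0
    for i in range(5):
        ai = (a >> i) & 1
        a1 = (a >> ((i + 1) % 5)) & 1
        a2 = (a >> ((i + 2) % 5)) & 1
        out |= (ai ^ ((a1 ^ 1) & a2)) << i
    return out


PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
KECCAK_CHI = [keccak_chi(a) for a in range(32)]
GF16_INV = [gf_inv(a, 0b10011, 4) for a in range(16)]  # assumed polynomial x^4 + x + 1
AES_SBOX = [aes_sbox(a) for a in range(256)]

SBOXES = {"PRESENT 4x4": (PRESENT_SBOX, 4), "Keccak chi 5x5": (KECCAK_CHI, 5),
          "GF(2^4) inversion": (GF16_INV, 4), "AES 8x8": (AES_SBOX, 8)}


def summary():
    """name -> (algebraic degree, minimum number of shares)."""
    return {name: (algebraic_degree(t, n), min_shares(t, n)) for name, (t, n) in SBOXES.items()}


if __name__ == "__main__":
    for name, (d, s) in summary().items():
        print(f"{name}: degree {d}, needs at least {s} shares")
```

The numbers match the slides: PRESENT is cubic (4 shares, or 3 shares after decomposing into quadratics), chi is quadratic (3 shares), GF(2^4) inversion is cubic, and the full AES S-box has degree 7, which is why a direct sharing is impractical and the tower-field decomposition into GF(2^4) operations is used instead.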
TI on AES (slide 26)
A. Moradi, A. Poschmann, S. Ling, C. Paar, and H. Wang: Pushing the Limits: A Very Compact and a Threshold Implementation of AES. EUROCRYPT 2011
• All operations on 3 shares
• 5 pipeline stages in S-box
• Tower field GF(2^2)
• Requires extra randomness (48 bits per S-box)
TI on AES (slide 27)
B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen: A More Efficient AES Threshold Implementation. AFRICACRYPT 2014
• IDEA: adjust the number of shares as needed
• RESULT: smaller area, fewer clock cycles, less extra randomness
• Data flow as in Moradi et al.
• Linear part: only 2 shares
• S-box: 2 to 5 shares
• Tower field GF(2^4)
TI on AES: S-box (slides 28 to 32)
Figure: the S-box in the tower-field representation. An input lin. map, then a GF(2^4) multiplier and a square scaler combined with ⊕, feeding the GF(2^4) inverter, then two GF(2^4) multipliers, then the inv. lin. map at the output.
The successive slides highlight the share counts used in the different parts of the S-box: 5 shares; 4 input and 3 output shares; 2 shares; 4 shares.