Masking vs. Multiparty Computation: How Large is the Gap for AES?
Title slide: Masking vs. Multiparty Computation: How Large is the Gap for AES?
Vincent Grosso (1), François-Xavier Standaert (1), Sebastian Faust (2).
(1) ICTEAM/ELEN/Crypto Group, Université catholique de Louvain, Belgium.
(2) Ecole Polytechnique Fédérale de Lausanne, 1015 Lausanne, Switzerland.
CHES 2013, Santa Barbara, California, USA.
Slide 1: Secret Sharing
[Figure: a secret split into shares, labelled P( ) = P( ).]
UCL Crypto Group, Masking vs. Multiparty Computation, 1 / 29
Slide 2: Masking: Computing on Shared Values
Traces contain information plus some noise.
Unprotected device: the leakage of 1 share is needed to mount an attack.
Protected device with 2 shares: ideally the leakage of 2 shares is needed to mount an attack.
Protected device with 3 shares: ideally the leakage of 3 shares is needed to mount an attack.
Masking order: the minimal number of shares whose leakage has to be exploited, minus 1.
Slide 3: Intuition
Combining the leakages of the shares multiplies the noise.
The data complexity of attacks against masking is ideally (with independent leakages) exponential in the masking order, with the noise level as the basis.
Slide 4: Masking Schemes
Re-computation: not higher-order
Boolean: Rivain Prouff 10 (secure multiplication), Kim Hong Lim 11 (subfield)
Switch (Boolean/multiplicative): Genelle Prouff Quisquater 11
Affine: not higher-order
Polynomial/MPC: Prouff Roche 11
Threshold: not higher-order
Slide 5: Pros and Cons
Masking (RP 10, KHL 11, GPQ 11)
  Pros: efficiency; well studied
  Cons: sensitive to glitches
MPC (PR 11)
  Pros: leaks less information; glitch-resistance (independent leakage); error detection?
  Cons: more expensive in time; more expensive in memory; not clear how much
Slide 6: Contribution
1. What is the cost of each scheme? Unified comparison of existing schemes.
2. Can we improve the MPC technique? Packed secret sharing.
3. How good must the randomness be? Requirements and impact on efficiency.
Slide 7: Methodology
Target device: ATMEGA644p
Generic description in C, compiled with avr-gcc
Supported by assembly subroutines
Maximum overhead: a factor < 2 compared to previous work
Sufficient to obtain an idea of the efficiency of each scheme
Slide 8: Outline
1. Unified comparison of existing schemes
2. Efficiency improvement with packed secret sharing
3. Randomness requirements and impact on efficiency of masking schemes
Slide 9: Existing Schemes
[Plot: number of cycles vs. masking order for GPQ 11, RP 10, KHL 11 and PR 11.]
GPQ 11: the most efficient masking scheme for AES, since the multiplicative and linear parts are well separated.
RP 10: secure multiplication with quadratic cost.
KHL 11: improvement of RP 10 by using a subfield; secure multiplication with quadratic cost.
PR 11: glitch-free solution; secure multiplication with cubic cost.
Slide 10: Outline
1. Unified comparison of existing schemes
2. Efficiency improvement with packed secret sharing
3. Randomness requirements and impact on efficiency of masking schemes
Slide 11: Polynomial Sharing
P(X) = S + r_1 X + ... + r_d X^d, with the r_i random values.
S = P(0). Shares: P(t_i).
Slide 12: Interpolation
[Figure: a degree-2 example polynomial with points on it.]
d + 1 points are sufficient to recover the polynomial.
Slide 13: Addition
[Figure: two degree-2 polynomials and their sum.]
The sum of each couple of shares (located at the same point) is sufficient to sum the secrets.
Slide 14: Multiplication
[Figure: the degree-4 product of two degree-2 polynomials.]
To recover the secret we need 2d + 1 points, since the degree of the product polynomial is 2d.
A secure way to reduce the degree of the polynomial is also needed.
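As an added example (not code from the paper or its authors), the polynomial sharing of slides 11 to 14 carried out over GF(2^8), the AES field: d+1 shares recover P(0), share-wise XOR gives shares of the sum, and share-wise products live on a degree-2d polynomial, so 2d+1 shares are needed. The evaluation points 1..n and the use of secrets.randbelow are my choices.

```python
"""Polynomial (Shamir) secret sharing over GF(2^8), the AES field.

Added example, not code from the paper. Coefficients and secrets are bytes;
shares are the evaluations P(1), ..., P(n) (my choice of points).
"""
import secrets

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES reduction polynomial


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r


def gf_inv(a):
    """a^254 = a^-1 in GF(2^8) (a^255 = 1); 0 has no inverse."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def poly_eval(coeffs, x):
    """Horner evaluation; coeffs[i] is the coefficient of X^i."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc


def share(secret, d, n, rng=secrets.randbelow):
    """Shares P(1), ..., P(n) of P(X) = S + r_1 X + ... + r_d X^d, P(0) = S."""
    if not d + 1 <= n < 256:
        raise ValueError("need d+1 <= n < 256 distinct non-zero points")
    coeffs = [secret] + [rng(256) for _ in range(d)]  # r_i must be uniform
    return [(x, poly_eval(coeffs, x)) for x in range(1, n + 1)]


def reconstruct(shares):
    """Lagrange interpolation at X = 0; correct only if len(shares) > deg P."""
    s = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = gf_mul(num, xj)       # (0 - x_j) = x_j in characteristic 2
                den = gf_mul(den, xi ^ xj)  # (x_i - x_j)
        s ^= gf_mul(yi, gf_mul(num, gf_inv(den)))
    return s


def add_shares(a, b):
    """Share-wise sum: shares of S_a + S_b, still on a degree-d polynomial."""
    return [(xa, ya ^ yb) for (xa, ya), (xb, yb) in zip(a, b)]


def mul_shares(a, b):
    """Share-wise product: shares of S_a * S_b, but on a degree-2d polynomial."""
    return [(xa, gf_mul(ya, yb)) for (xa, ya), (xb, yb) in zip(a, b)]


def check_sharing(sa, sb, d, n):
    """Return (sum_ok, product_ok_from_2d+1_shares, product_ok_from_d+1_shares)."""
    a, b = share(sa, d, n), share(sb, d, n)
    assert reconstruct(a[: d + 1]) == sa  # d+1 shares recover the secret
    s, p = add_shares(a, b), mul_shares(a, b)
    return (
        reconstruct(s[: d + 1]) == sa ^ sb,
        reconstruct(p[: 2 * d + 1]) == gf_mul(sa, sb),
        reconstruct(p[: d + 1]) == gf_mul(sa, sb),  # almost always False
    )


if __name__ == "__main__":
    print(check_sharing(0x53, 0xCA, d=2, n=5))
```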
Slide 15: Motivation
2d + 1 points of the polynomial are used for the shares, 1 point is used for the secret, all others are unused.
Hide several, say t, secrets in the polynomial, have 2(d + t) - 1 shares and keep d-order masking.
The secrets are hidden at different locations.
Slide 16: Packed Secret Polynomial
[Figure only.]
Slide 17: Intuition
Perform the computation on the secrets in parallel rather than sequentially.
Let t be the number of secrets; packed secret sharing is interesting when:
  Cost(t packed) < t * Cost(single secret)
Let d be the masking order and the cost of the algorithm be quadratic in the number of shares:
  (t + d)^2 < t (d + 1)^2
Slide 18: Example: Fixed Masking Order, d = 4
[Plot: cost vs. number of secrets for t * Cost(single secret) and Cost(t packed).]
For any fixed masking order, there exists an interval of numbers of secrets for which packing is interesting.
Slide 19: Example: Fixed Number of Secrets, t = 4
[Plot: cost vs. masking order for t * Cost(single secret) and Cost(t packed).]
For any fixed number of secrets, the bigger the masking order, the more interesting the packing technique.
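The inequality of slide 17 has a closed-form solution that explains both plots; this derivation is added here and is not part of the original slides.

$$
(t+d)^2 - t(d+1)^2 = t^2 + 2dt + d^2 - t d^2 - 2dt - t = t^2 - (d^2+1)\,t + d^2 = (t-1)(t-d^2)
$$

$$
\text{Cost}(t\ \text{packed}) < t \cdot \text{Cost}(\text{single secret}) \iff (t-1)(t-d^2) < 0 \iff 1 < t < d^2
$$

For d = 4 the interval is 2 ≤ t ≤ 15 (for t = 8: 12^2 = 144 against 8 · 5^2 = 200). For t = 4 packing pays off from d = 3 on (7^2 = 49 against 4 · 4^2 = 64; at d = 2 the two costs tie at 36), and the gain t(d+1)^2 / (t+d)^2 tends to t as d grows, which is why packing keeps improving with the masking order.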
Slide 20: Issues
PR 11 multiplication is not suitable for packing; use the Damgård et al. multiplication instead.
ShiftRows: how to move the location of the secrets.
MixColumns: how to combine sensitive values hidden in the same polynomial.
Slide 21: Switch
Solution: switch between packed and single-secret polynomials.
Packed polynomials for the inversion.
Single-secret polynomials for the linear parts.
Slide 22: Packed Secret Sharing vs. Single Secret
[Plot: number of cycles vs. masking order for PR 11, Damgård, Packed 2, Packed 4, Packed 8 and Best packed.]
PR 11: cubic complexity.
The new multiplication method (Damgård) has quadratic complexity.
Packed variants for numbers of secrets t that divide 16. As expected, the best t depends on d.
The minimum over the packed variants (Best packed) has quasi-linear complexity.
Crossover around order 10: unrealistic for contemporary devices.
Slide 23: Outline
1. Unified comparison of existing schemes
2. Efficiency improvement with packed secret sharing
3. Randomness requirements and impact on efficiency of masking schemes
Slide 24: Motivation
In the previous experiments, we considered a free random generator.
The proof of security requires uniform randomness.
In embedded systems, uniform randomness is expensive.
Slide 25: Intuition
What happens when using non-uniform randomness?
Predictable randomness, such as a counter: the consequence of such an imperfection is that, for low noise levels, all the masks are recovered with probability one.
Slightly biased randomness: such biases directly create a lower-order weakness.
Compute the mutual information between the subkey and the leakage.
Slide 26: Non-Uniform Randomness
[Plot: mutual information curves for the cases below.]
Black curve: unprotected case. Blue curve: the curve expected from first-order masking.
Red curve: predictable case; combined attacks reduce the noise and recover the mask values, similar to the unprotected case.
Green curves: biased generator; first-order leaks, like the zero-value issue.
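An added example, not from the paper, of the mutual-information computation of slides 25 and 26 in its simplest form: a byte S is Boolean masked as (S ^ M, M) and only the noiseless Hamming weight of the masked share is observed (a first-order observation). I(S; HW(S ^ M)) is computed exactly for a uniform mask, a mask biased towards zero and a predictable (known) mask; the leakage model, the three distributions and the bias parameter are constructed assumptions.

```python
"""First-order information leaked by one share under three mask distributions.

Added example, not code from the paper. Noiseless model: L = HW(S ^ M), S is a
uniform byte, M follows a constructed probability mass function over 0..255.
"""
from math import log2


def hw(x):
    """Hamming weight of a byte."""
    return bin(x).count("1")


def entropy(pmf):
    """Shannon entropy in bits of a list of probabilities."""
    return -sum(p * log2(p) for p in pmf if p > 0)


def leakage_distribution(s, mask_pmf):
    """P(L = l | S = s) for L = HW(s ^ M), indexed by l in 0..8."""
    dist = [0.0] * 9
    for m, pm in enumerate(mask_pmf):
        dist[hw(s ^ m)] += pm
    return dist


def first_order_mi(mask_pmf):
    """I(S; L) = H(L) - H(L | S) in bits, S uniform on 0..255."""
    cond = [leakage_distribution(s, mask_pmf) for s in range(256)]
    marginal = [sum(c[l] for c in cond) / 256 for l in range(9)]
    h_l_given_s = sum(entropy(c) for c in cond) / 256
    return entropy(marginal) - h_l_given_s


def unprotected_mi():
    """Reference: leakage HW(S) of an unmasked byte, i.e. H(HW(S))."""
    pmf = [0.0] * 9
    for s in range(256):
        pmf[hw(s)] += 1 / 256
    return entropy(pmf)


# Constructed mask distributions (assumptions, not the paper's generators).
UNIFORM = [1 / 256] * 256                 # what the security proof requires
BIASED = [0.5] + [0.5 / 255] * 255        # mask is 0 half of the time ("zero value")
KNOWN = [0.0] * 256                       # predictable mask: attacker knows it is 0x5A
KNOWN[0x5A] = 1.0


if __name__ == "__main__":
    for name, pmf in (("uniform", UNIFORM), ("biased", BIASED), ("known", KNOWN)):
        print(f"{name:8s} I(S; HW(S^M)) = {first_order_mi(pmf):.4f} bits")
    print(f"unprotected  H(HW(S))    = {unprotected_mi():.4f} bits")
```

With a uniform mask the single share carries no information (0 bits); the biased mask already leaks at first order, and a known mask leaks exactly as much as an unmasked byte.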
Slide 27: Cost for the Implementation?
How to produce uniform random values: wait for values from a TRNG; a few rounds of a good permutation; a hash function; ...
Cost: around 10 clock cycles per random byte.
Slide 28: Randomness Impact
[Plot: number of cycles vs. masking order for RP 10, GPQ 11, KHL 11, Damgård and Best packed, with the cost of randomness included.]
The order of the schemes does not change; we just add a little overhead on performance, < 5/4.
MPC stays far from masking, even with quadratic multiplication.
The packed technique becomes interesting only slightly later, because the switch between packed and single-secret polynomials uses a lot of randomness.
Slide 29: Conclusion
The unified comparison of masking schemes allows designers to choose a scheme as a function of security and performance.
The packing technique is theoretically interesting, but concrete gains only appear for large orders (maybe interesting in the longer term).
Randomness is not the most expensive part of a masked implementation, but it is not negligible.
(a) Introduction - recall symmetric key cipher: III. BLOCK CIPHERS k Symmetric Key Cryptography k x e k y yʹ d k xʹ insecure channel Symmetric Key Ciphers same key used for encryption and decryption two
More informationCryptography [Symmetric Encryption]
CSE 484 / CSE M 584: Computer Security and Privacy Cryptography [Symmetric Encryption] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,
More informationHigh-Performance Cryptography in Software
High-Performance Cryptography in Software Peter Schwabe Research Center for Information Technology Innovation Academia Sinica September 3, 2012 ECRYPT Summer School: Challenges in Security Engineering
More informationCIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)
CIS 6930/4930 Computer and Network Security Topic 3.1 Secret Key Cryptography (Cont d) 1 Principles for S-Box Design S-box is the only non-linear part of DES Each row in the S-Box table should be a permutation
More informationSymmetric Key Encryption. Symmetric Key Encryption. Advanced Encryption Standard ( AES ) DES DES DES 08/01/2015. DES and 3-DES.
Symmetric Key Encryption Symmetric Key Encryption and 3- Tom Chothia Computer Security: Lecture 2 Padding Block cipher modes Advanced Encryption Standard ( AES ) AES is a state-of-the-art block cipher.
More informationDawn Song
1 Secret-Sharing & Zero-knowledge Proof Dawn Song dawnsong@cs.berkeley.edu Review DH key exchange protocol Password authentication protocol Random number generation 2 Lessons Learned Seeds must be unpredictable
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Symmetric Cryptography January 20, 2011 Practical Aspects of Modern Cryptography 2 Agenda Symmetric key ciphers Stream ciphers Block ciphers Cryptographic hash
More informationA General Analysis of the Security of Elastic Block Ciphers
A General Analysis of the Security of Elastic Block Ciphers Debra L. Cook and Moti Yung and Angelos Keromytis Department of Computer Science, Columbia University {dcook,moti,angelos}@cs.columbia.edu September
More informationSecure Conversion Between Boolean and Arithmetic Masking of Any Order
Secure Conversion Between Boolean and Arithmetic Masking of Any Order Jean-Sébastien Coron, Johann Großschädl, and Praveen Kumar Vadnala University of Luxembourg, Laboratory of Algorithmics, Cryptology
More informationKeynote: White-Box Cryptography
Keynote: White-Box Cryptography Matthieu Rivain PHIIC Workshop, 4 Oct 2016 Outline Context: white-box crypto: big trend in the industry cryptographic obfuscation: big trend in the scientific literature
More informationA Study on the Preservation on Cryptographic Constant-Time Security in the CompCert Compiler
A Study on the Preservation on Cryptographic Constant-Time Security in the CompCert Compiler Alix Trieu FOSAD 2018, Bertinoro Univ Rennes, Inria, CNRS, IRISA August 29th, 2018 1 / 20 Side-channels Crypto
More informationA Methodology to Implement Block Ciphers in Reconfigurable Hardware and its Application to Fast and Compact AES RIJNDAEL
A Methodology to Implement Block Ciphers in Reconfigurable Hardware and its Application to Fast and Compact AES RIJNDAEL François-Xavier Standaert, Gael Rouvroy, Jean-Jacques Quisquater, Jean-Didier Legat
More informationDFA on AES. Christophe Giraud. Oberthur Card Systems, 25, rue Auguste Blanche, Puteaux, France.
DFA on AES Christophe Giraud Oberthur Card Systems, 25, rue Auguste Blanche, 92800 Puteaux, France. c.giraud@oberthurcs.com Abstract. In this paper we describe two different DFA attacks on the AES. The
More informationEfficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking
Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking Blandine Debraize Gemalto, 6 rue de la Verrerie, 92197 Meudon Cedex, France blandine.debraize@gemalto.com Abstract.
More informationSecure Multiple SBoxes Implementation with Arithmetically Masked Input
Secure Multiple SBoxes Implementation with Arithmetically Masked Input Luk Bettale Oberthur Technologies 71-73 rue des Hautes Pâtures 92726 Nanterre Cedex - France l.bettale@oberthur.com Abstract The building
More informationIntroduction to Software Countermeasures For Embedded Cryptography
Introduction to Software Countermeasures For Embedded Cryptography David Vigilant UMPC Master, 1 st December, 2017 Outline 1 Context and Motivations 2 Basic Rules and Countermeasures Examples Regarding
More informationAttacks on Advanced Encryption Standard: Results and Perspectives
Attacks on Advanced Encryption Standard: Results and Perspectives Dmitry Microsoft Research 29 February 2012 Design Cryptanalysis history Advanced Encryption Standard Design Cryptanalysis history AES 2
More informationChapter 2 Introduction to Side-Channel Attacks
Chapter 2 Introduction to Side-Channel Attacks François-Xavier Standaert 2.1 Introduction A cryptographic primitive can be considered from two points of view: on the one hand, it can be viewed as an abstract
More informationAn Overview of Cryptanalysis Research for the Advanced Encryption Standard
An Overview of Cryptanalysis Research for the Advanced Encryption Standard Alan Kaminsky, Rochester Institute of Technology Michael Kurdziel, Harris Corporation Stanisław Radziszowski, Rochester Institute
More informationPiret and Quisquater s DFA on AES Revisited
Piret and Quisquater s DFA on AES Revisited Christophe Giraud 1 and Adrian Thillard 1,2 1 Oberthur Technologies, 4, allée du doyen Georges Brus, 33 600 Pessac, France. c.giraud@oberthur.com 2 Université
More informationOverview of Cryptography
18739A: Foundations of Security and Privacy Overview of Cryptography Anupam Datta CMU Fall 2007-08 Is Cryptography A tremendous tool The basis for many security mechanisms Is not The solution to all security
More informationImplementation and Performance analysis of Skipjack & Rijndael Algorithms. by Viswnadham Sanku ECE646 Project Fall-2001
Implementation and Performance analysis of Skipjack & Rijndael Algorithms by Viswnadham Sanku ECE646 Project Fall-2001 TABLE OF CONTENTS TABLE OF CONTENTS 2 1. OBJECTIVE 3 2. SKIPJACK CIPHER 3 2.1 CIPHER
More informationImplementation of the AES-128 on Virtex-5 FPGAs
Implementation of the AES-128 on Virtex-5 FPGAs Philippe Bulens 1, François-Xavier Standaert 1, Jean-Jacques Quisquater 1, Pascal Pellegrin 2, Gaël Rouvroy 2 1 UCL Crypto Group, Place du Levant, 3, B-1348
More informationComputer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08. Cryptography Part II Paul Krzyzanowski Rutgers University Spring 2018 March 23, 2018 CS 419 2018 Paul Krzyzanowski 1 Block ciphers Block ciphers encrypt a block of plaintext at a
More informationWhite-Box Cryptography
Based on: J. W. Bos, C. Hubain, W. Michiels, P. Teuwen. In CHES 2016: Differential computation analysis: Hiding your white-box designs is not enough. White-Box Cryptography Don't Forget About Grey Box
More informationInformation Security CS526
Information Security CS 526 Topic 3 Cryptography: One-time Pad, Information Theoretic Security, and Stream CIphers 1 Announcements HW1 is out, due on Sept 11 Start early, late policy is 3 total late days
More informationLightweight Block Cipher Design
Lightweight Block Cipher Design Gregor Leander HGI, Ruhr University Bochum, Germany Croatia 2014 Outline 1 Motivation 2 Industry 3 Academia 4 A Critical View 5 Lightweight: 2nd Generation 6 Wrap-Up Outline
More informationOn the Optimality of Mutual Information Analysis for Discrete Leakages Cryptarchi June 29-30, 2015 Leuven
On the Optimality of Mutual Information Analysis for Discrete Leakages Cryptarchi June 29-30, 2015 Leuven Éloi de Chérisey*, Annelie Heuser**, Sylvain Guilley** and Olivier Rioul** * ENS Cachan, **Telecom
More informationHow to (not) Share a Password:
How to (not) Share a Password: Privacy preserving protocols for finding heavy hitters with adversarial behavior Moni Naor Benny Pinkas Eyal Ronen Passwords First modern use in MIT's CTSS (1961) Passwords
More informationHOST Cryptography III ECE 525 ECE UNM 1 (1/18/18)
AES Block Cipher Blockciphers are central tool in the design of protocols for shared-key cryptography What is a blockcipher? It is a function E of parameters k and n that maps { 0, 1} k { 0, 1} n { 0,
More informationChosen-IV Correlation Power Analysis on KCipher-2 and a Countermeasure
Fourth International Workshop on Constructive Side-Channel Analysis and Secure Design (COSADE 2013) Chosen-IV Correlation Power Analysis on KCipher-2 and a Countermeasure Takafumi Hibiki*, Naofumi Homma*,
More informationOn the Easiness of Turning Higher-Order Leakages into First-Order
On the Easiness of Turning Higher-Order Leakages into First-Order Thorben Moos and Amir Moradi Horst Görtz Institute for IT Security, Ruhr-Universität Bochum, Bochum, Germany {firstname.lastname}@rub.de
More information