Masking vs. Multiparty Computation: How Large is the Gap for AES?

Similar documents
Block Ciphers that are Easier to Mask How Far Can we Go?

On the Practical Security of a Leakage Resilient Masking Scheme

Side-Channel Countermeasures for Hardware: is There a Light at the End of the Tunnel?

On the Simplicity of Converting Leakages from Multivariate to Univariate

Masking Proofs are Tight

Hiding Higher-Order Leakages in Hardware

Very High-Order Masking: Efficient Implementation and Security Evaluation

Very High Order Masking: Efficient Implementation and Security Evaluation

A First Step Towards Automatic Application of Power Analysis Countermeasures

Leakage-Resilient Symmetric Cryptography (Overview of the ERC Project CRASH, part II)

A Systematic Approach to the Side-Channel Analysis of ECC Implementations with Worst-Case Horizontal Attacks

The Davies-Murphy Power Attack. Sébastien Kunz-Jacques Frédéric Muller Frédéric Valette DCSSI Crypto Lab

Adaptive Chosen-Message Side-Channel Attacks

Course Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here

Masking as a Side-Channel Countermeasure in Hardware

How to Certify the Leakage of a Chip?

Power Analysis Attacks against FPGA Implementations of the DES

Information Security CS526

Automatic Search for Related-Key Differential Characteristics in Byte-Oriented Block Ciphers

A Countermeasure Circuit for Secure AES Engine against Differential Power Analysis

Applying TVLA to Public Key Cryptographic Algorithms. Michael Tunstall Gilbert Goodwill

HOST Differential Power Attacks ECE 525

FDTC 2010 Fault Diagnosis and Tolerance in Cryptography. PACA on AES Passive and Active Combined Attacks

Dissecting Leakage Resilient PRFs with Multivariate Localized EM Attacks

Ultra-Lightweight Cryptography

A Brief Outlook at Block Ciphers

H must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls)

Cryptanalysis of Block Ciphers: A Survey

Lowering the Bar: Deep Learning for Side Channel Analysis. Guilherme Perin, Baris Ege, Jasper van December 4, 2018

Security against Timing Analysis Attack

Data Encryption Standard (DES)

External Encodings Do not Prevent Transient Fault Analysis

A Reliable Architecture for Substitution Boxes in Integrated Cryptographic Devices

An Overview of Secure Multiparty Computation

Efficient Selection of Time Samples for Higher-Order DPA with Projection Pursuits

SIDE CHANNEL ATTACKS AGAINST IOS CRYPTO LIBRARIES AND MORE DR. NAJWA AARAJ HACK IN THE BOX 13 APRIL 2017

Practical Electromagnetic Template Attack on HMAC

Countermeasures against EM Analysis

Improved and Multiple Linear Cryptanalysis of Reduced Round Serpent

Computer Security CS 526

How Far Should Theory be from Practice?

Second-Order Power Analysis Attacks against Precomputation based Masking Countermeasure

Side channel attack: Power Analysis. Chujiao Ma, Z. Jerry Shi CSE, University of Connecticut

Blind Differential Cryptanalysis for Enhanced Power Attacks

On the Cost of Lazy Engineering for Masked Software Implementations

On-Line Self-Test of AES Hardware Implementations

Study of a Novel Software Constant Weight Implementation

PARALLEL ANALYSIS OF THE RIJNDAEL BLOCK CIPHER

On the Cost of Lazy Engineering for Masked Software Implementations

Cryptography for Embedded Systems. Elisabeth Oswald Reader, University of Bristol

Sharing Resources Between AES and the SHA-3 Second Round Candidates Fugue and Grøstl

WhoamI. Attacking WBC Implementations No con Name 2017

Implementing AES : performance and security challenges

Advanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50

From New Technologies to New Solutions

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Fault Sensitivity Analysis

Future Challenges for Lightweight Cryptography

Using Error Detection Codes to detect fault attacks on Symmetric Key Ciphers

Efficient DPA Attacks on AES Hardware Implementations

An Instruction Set Extension for Fast and Memory- Efficient AES Implementation. Stefan Tillich, Johann Großschädl, Alexander Szekely

Different attacks on the RC4 stream cipher

Power Analysis Attacks

Security Analysis of Extended Sponge Functions. Thomas Peyrin

Computational Methods. Randomness and Monte Carlo Methods

Introduction to Cryptography. Lecture 3

Key-Evolution Schemes Resilient to Space Bounded Leakage

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

ENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel

Cryptography [Symmetric Encryption]

High-Performance Cryptography in Software

CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)

Symmetric Key Encryption. Symmetric Key Encryption. Advanced Encryption Standard ( AES ) DES DES DES 08/01/2015. DES and 3-DES.

Dawn Song

Winter 2011 Josh Benaloh Brian LaMacchia

A General Analysis of the Security of Elastic Block Ciphers

Secure Conversion Between Boolean and Arithmetic Masking of Any Order

Keynote: White-Box Cryptography

A Study on the Preservation on Cryptographic Constant-Time Security in the CompCert Compiler

A Methodology to Implement Block Ciphers in Reconfigurable Hardware and its Application to Fast and Compact AES RIJNDAEL

DFA on AES. Christophe Giraud. Oberthur Card Systems, 25, rue Auguste Blanche, Puteaux, France.

Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking

Secure Multiple SBoxes Implementation with Arithmetically Masked Input

Introduction to Software Countermeasures For Embedded Cryptography

Attacks on Advanced Encryption Standard: Results and Perspectives

Chapter 2 Introduction to Side-Channel Attacks

An Overview of Cryptanalysis Research for the Advanced Encryption Standard

Piret and Quisquater s DFA on AES Revisited

Overview of Cryptography

Implementation and Performance analysis of Skipjack & Rijndael Algorithms. by Viswnadham Sanku ECE646 Project Fall-2001

Implementation of the AES-128 on Virtex-5 FPGAs

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

White-Box Cryptography

Information Security CS526

Lightweight Block Cipher Design

On the Optimality of Mutual Information Analysis for Discrete Leakages Cryptarchi June 29-30, 2015 Leuven

How to (not) Share a Password:

HOST Cryptography III ECE 525 ECE UNM 1 (1/18/18)

Chosen-IV Correlation Power Analysis on KCipher-2 and a Countermeasure

On the Easiness of Turning Higher-Order Leakages into First-Order

Transcription:

Masking vs. Multiparty Computation: How Large is the Gap for AES? Vincent Grosso 1, François-Xavier Standaert 1, Sebastian Faust 2. 1 ICTEAM/ELEN/Crypto Group, Université catholique de Louvain, Belgium. 2 Ecole Polytechnique Fédérale de Lausanne, 1015 Lausanne, Switzerland. CHES 2013, Santa Barbara, California, USA.

Secret Sharing UCL Crypto Group Masking vs. Multiparty Computation 1 / 29

Secret Sharing UCL Crypto Group Masking vs. Multiparty Computation 1 / 29

Secret Sharing P( )=P( ) UCL Crypto Group Masking vs. Multiparty Computation 1 / 29

Masking Computing on Shared Values Traces contain information plus some noise. UCL Crypto Group Masking vs. Multiparty Computation 2 / 29

Masking Computing on Shared Values Unprotected device: the leakage of 1 share is needed to mount an attack. UCL Crypto Group Masking vs. Multiparty Computation 2 / 29

Masking Computing on Shared Values Protected device with 2 shares: ideally the leakage of 2 shares is needed to mount an attack. UCL Crypto Group Masking vs. Multiparty Computation 2 / 29

Masking Computing on Shared Values Protected device with 3 shares: ideally the leakage of 3 shares is needed to mount an attack. UCL Crypto Group Masking vs. Multiparty Computation 2 / 29

Masking Computing on Shared Values Masking order: minimal number of shares of which the leakage has to be exploited minus 1. UCL Crypto Group Masking vs. Multiparty Computation 2 / 29

Intuition We have to combine leakage of shares multiplication noise. The data complexity of attacks against masking is ideally ( independent leakages) exponential in the masking order with noise as a basis. UCL Crypto Group Masking vs. Multiparty Computation 3 / 29

Masking Schemes Re-computation Additive Multiplicative Affine Polynomial/MPC Threshold UCL Crypto Group Masking vs. Multiparty Computation 4 / 29

Masking Schemes Re-computation: not higher-order Additive Multiplicative Affine: not higher-order Polynomial/MPC Threshold: not higher-order UCL Crypto Group Masking vs. Multiparty Computation 4 / 29

Masking Schemes Re-computation: not higher-order Boolean Multiplicative Affine: not higher-order Polynomial/MPC Threshold: not higher-order UCL Crypto Group Masking vs. Multiparty Computation 4 / 29

Masking Schemes Re-computation: not higher-order Boolean Switch Affine: not higher-order Polynomial/MPC Threshold: not higher-order UCL Crypto Group Masking vs. Multiparty Computation 4 / 29

Masking Schemes Re-computation: not higher-order Boolean Rivain Prouff 10 secure multiplication Kim Hong Lim 11 subfield Switch Affine: not higher-order Polynomial/MPC Threshold: not higher-order UCL Crypto Group Masking vs. Multiparty Computation 4 / 29

Masking Schemes Re-computation: not higher-order Boolean Rivain Prouff 10 secure multiplication Kim Hong Lim 11 subfield Switch Genelle Prouff Quisquater 11 Affine: not higher-order Polynomial/MPC Threshold: not higher-order UCL Crypto Group Masking vs. Multiparty Computation 4 / 29

Masking Schemes Re-computation: not higher-order Boolean Rivain Prouff 10 secure multiplication Kim Hong Lim 11 subfield Switch Genelle Prouff Quisquater 11 Affine: not higher-order Polynomial/MPC Prouff Roche 11 Threshold: not higher-order UCL Crypto Group Masking vs. Multiparty Computation 4 / 29

Pros and Cons Masking (RP 10, KHL 11, GPQ 11): Pros: Cons: efficiency sensitive to glitches well studied UCL Crypto Group Masking vs. Multiparty Computation 5 / 29

Pros and Cons Masking (RP 10, KHL 11, GPQ 11): Pros: Cons: efficiency sensitive to glitches well studied Pros: MPC (PR 11): Cons: leaks less information glitch-resistance (independent leakage) error detection? more expensive in time more expensive in memory not clear how much UCL Crypto Group Masking vs. Multiparty Computation 5 / 29

Contribution 1. What is the cost for each scheme? Unified comparison of existing schemes. 2. Can we improve the MPC technique? Packed secret sharing. 3. How good must be the randomness? Requirements and impact on efficiency. UCL Crypto Group Masking vs. Multiparty Computation 6 / 29

Methodology Target device: ATMEGA644p Generic description in C, compiled with avr gcc Supported by assembly subroutines Maximum overhead: < 2 compared to previous work Sufficient to obtain an idea on the efficiency of each scheme UCL Crypto Group Masking vs. Multiparty Computation 7 / 29

Outline 1. Unified comparison of existing schemes 2. Efficiency improvement with packed secret sharing 3. Randomness requirements and impact on efficiency of masking schemes UCL Crypto Group Masking vs. Multiparty Computation 8 / 29

Existing Schemes 8 10 6 GPQ number of cycles 6 4 2 2 3 4 5 6 masking order GPQ 11: The most efficient masking scheme for AES, since multiplicative and linear parts are well separated. UCL Crypto Group Masking vs. Multiparty Computation 9 / 29

Existing Schemes number of cycles 10 6 8 6 4 2 GPQ RP 10 2 3 4 5 6 masking order RP 10: secure multiplication with quadratic cost. UCL Crypto Group Masking vs. Multiparty Computation 9 / 29

Existing Schemes number of cycles 10 6 8 6 4 2 GPQ RP 10 KHL 11 2 3 4 5 6 masking order KHL 11 improvement of RP 10 by using subfield, secure multiplication with quadratic cost. UCL Crypto Group Masking vs. Multiparty Computation 9 / 29

Existing Schemes number of cycles 10 6 8 6 4 2 GPQ RP 10 KHL 11 PR 11 2 3 4 5 6 masking order PR 11 glitches-free solution, secure multiplication with cubic cost. UCL Crypto Group Masking vs. Multiparty Computation 9 / 29

Outline 1. Unified comparison of existing schemes 2. Efficiency improvement with packed secret sharing 3. Randomness requirements and impact on efficiency of masking schemes UCL Crypto Group Masking vs. Multiparty Computation 10 / 29

Polynomial Sharing P(X ) = S + r 1 X +... r d X d r i random values. S = P(0). Shares: P(t i ). UCL Crypto Group Masking vs. Multiparty Computation 11 / 29

Interpolation 16 8 5 4 3 2 1 1 2 3 4 5 8 1x 2 3x+5 d + 1 points are sufficient to recover the polynomial. UCL Crypto Group Masking vs. Multiparty Computation 12 / 29

Addition 16 8 2x 2 +3x 4 5 4 3 2 1 1 2 3 4 5 8 1x 2 3x+5 The sum of each couple of shares (located on the same point) UCL Crypto Group Masking vs. Multiparty Computation 13 / 29

Addition 16 8 1x 2 + 0x + 1 5 4 3 2 1 1 2 3 4 5 8 The sum of each couple of shares (located on the same point), is sufficient to sum the secrets. UCL Crypto Group Masking vs. Multiparty Computation 13 / 29

Multiplication 2x 4 3x 3 3x 2 40 +3x 20 32 24 16 8 5 4 3 2 1 8 1 2 16 24 32 40 To recover the secret we need 2d + 1 points, since the degree of the polynomial product is 2d. UCL Crypto Group Masking vs. Multiparty Computation 14 / 29

Multiplication 5x 2 +2x 20 40 32 24 16 8 5 4 3 2 1 8 1 2 16 24 32 40 And a secure way to reduce the degree of the polynomial. UCL Crypto Group Masking vs. Multiparty Computation 14 / 29

Motivation 2d + 1 points of the polynomial are used for the shares, 1 point is used for the secret, all others are unused. Hide several, say t, secrets in the polynomial and have 2(d + t) 1 shares and keep the d-order masking. Secrets are hidden in different locations. UCL Crypto Group Masking vs. Multiparty Computation 15 / 29

Packed Secret Polynomial 16 8 5 4 3 2 1 1 2 3 8 16 24 32 UCL Crypto Group Masking vs. Multiparty Computation 16 / 29

Intuition Perform the computation on the secrets in parallel rather than sequentially. UCL Crypto Group Masking vs. Multiparty Computation 17 / 29

Intuition Perform the computation on the secrets in parallel rather than sequentially. Let t be the number of secrets, packed secret sharing is interesting when: Cost(t packed) < t Cost(single secret) UCL Crypto Group Masking vs. Multiparty Computation 17 / 29

Intuition Perform the computation on the secrets in parallel rather than sequentially. Let t be the number of secrets, packed secret sharing is interesting when: Cost(t packed) < t Cost(single secret) Let d be the masking order and the cost of the algorithm be quadratic in the number of shares. (t + d) 2 < t (d + 1) 2 UCL Crypto Group Masking vs. Multiparty Computation 17 / 29

Example: Fixed Masking Order, d = 4 cost t Cost(single secret) Cost(t packed) number of secrets 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 For any fixed masking order, there exists an interval of number of secrets for which packing is interesting. UCL Crypto Group Masking vs. Multiparty Computation 18 / 29

Example: Fixed Number of Secrets, t = 4 cost t Cost(single secret) Cost(t packed) masking order 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 For any fixed number of secrets, the bigger the masking order is, the more interesting is the packing technique. UCL Crypto Group Masking vs. Multiparty Computation 19 / 29

Issues PR 11 multiplication is not suitable for packing, use Damgård et al. multiplication ShiftRows: how to move location of secrets MixColumns: how to combine sensitive values hidden in the same polynomial UCL Crypto Group Masking vs. Multiparty Computation 20 / 29

Switch Solution switch between packed and single secret polynomials Packed polynomials for the inversion Single secret polynomials for the linear parts UCL Crypto Group Masking vs. Multiparty Computation 21 / 29

Packed Secrets Sharing vs. Single Secret 40 106 PR 11 number of cycles 30 20 10 0 2 4 6 8 10 12 masking order PR 11 cubic complexity. UCL Crypto Group Masking vs. Multiparty Computation 22 / 29

Packed Secrets Sharing vs. Single Secret number of cycles 40 106 30 20 10 PR 11 Damgård 0 2 4 6 8 10 12 masking order New multiplication method has quadratic complexity. UCL Crypto Group Masking vs. Multiparty Computation 22 / 29

Packed Secrets Sharing vs. Single Secret number of cycles 40 106 30 20 10 Damgård Packed 2 Packed 4 Packed 8 Packed 16 0 2 4 6 8 10 12 masking order Packed for number of secrets 16 s divisor. As expected the best t depends on d. UCL Crypto Group Masking vs. Multiparty Computation 22 / 29

Packed Secrets Sharing vs. Single Secret number of cycles 40 106 30 20 10 Damgård Best packed 0 2 4 6 8 10 12 masking order Minimum of packed secrets have quasi-linear complexity. UCL Crypto Group Masking vs. Multiparty Computation 22 / 29

Packed Secrets Sharing vs. Single Secret number of cycles 40 106 30 20 10 Damgård Best Packed 0 2 4 6 8 10 12 masking order Cross around 10, unrealistic for contemporary devices. UCL Crypto Group Masking vs. Multiparty Computation 22 / 29

Outline 1. Unified comparison of existing schemes 2. Efficiency improvement with packed secret sharing 3. Randomness requirements and impact on efficiency of masking schemes UCL Crypto Group Masking vs. Multiparty Computation 23 / 29

Motivation In the previous experiment, we considered free random generator. Proof of security requires uniform randomness. In embedded systems, uniform randomness is expensive. UCL Crypto Group Masking vs. Multiparty Computation 24 / 29

Intuition What happen when of using non uniform randomness? UCL Crypto Group Masking vs. Multiparty Computation 25 / 29

Intuition What happen when of using non uniform randomness? predictable randomness, such as counter, such an imperfection of the randomness is that for low noise levels, all the masks will be recovered with probability one. UCL Crypto Group Masking vs. Multiparty Computation 25 / 29

Intuition What happen when of using non uniform randomness? predictable randomness, such as counter, such an imperfection of the randomness is that for low noise levels, all the masks will be recovered with probability one. slightly biased randomness, such biases directly create a lower-order weakness. UCL Crypto Group Masking vs. Multiparty Computation 25 / 29

Intuition What happen when of using non uniform randomness? predictable randomness, such as counter, such an imperfection of the randomness is that for low noise levels, all the masks will be recovered with probability one. slightly biased randomness, such biases directly create a lower-order weakness. Compute mutual information between subkey and leakage. UCL Crypto Group Masking vs. Multiparty Computation 25 / 29

Non Uniform Randomness Black curve unprotected case, blue curve curve expected from first order masking. UCL Crypto Group Masking vs. Multiparty Computation 26 / 29

Non Uniform Randomness Red curve predictable case, combined attacks, reduce the noise, recover the masks values, similar to unprotected. UCL Crypto Group Masking vs. Multiparty Computation 26 / 29

Non Uniform Randomness Green curves biased generator, first order leaks, like zero value issue. UCL Crypto Group Masking vs. Multiparty Computation 26 / 29

Cost for the Implementation? How to produce uniform random values: wait values from a TRNG few rounds of a good permutation hash function... UCL Crypto Group Masking vs. Multiparty Computation 27 / 29

Cost for the Implementation? How to produce uniform random values: wait values from a TRNG few rounds of a good permutation hash function... Cost: around 10 clock cycles per random byte. UCL Crypto Group Masking vs. Multiparty Computation 27 / 29

Randomness Impact number of cycles 10 6 50 40 30 20 10 RP 10 GPQ 11 KHL 11 0 2 4 6 8 10 12 masking order The order of schemes does not change. We just add a little overhead on performances < 5/4. UCL Crypto Group Masking vs. Multiparty Computation 28 / 29

Randomness Impact number of cycles 10 6 50 40 30 20 10 RP 10 GPQ 11 KHL 11 Damgård 0 2 4 6 8 10 12 masking order The MPC stays far from masking, even with quadratic multiplication. UCL Crypto Group Masking vs. Multiparty Computation 28 / 29

Randomness Impact number of cycles 10 6 50 40 30 20 10 RP 10 GPQ 11 KHL 11 Damgård Best packed 0 2 4 6 8 10 12 masking order Packed technique is interesting shortly after. Due to the switch between packed and single secret polynomials that uses lot of randomness. UCL Crypto Group Masking vs. Multiparty Computation 28 / 29

Conclusion Unified comparison of masking scheme allows designers to choose a scheme in function of security and performance. UCL Crypto Group Masking vs. Multiparty Computation 29 / 29

Conclusion Unified comparison of masking scheme allows designers to choose a scheme in function of security and performance. Packing technique theoretically interesting, but concrete gains only appear for large order (maybe interesting in the longer term). UCL Crypto Group Masking vs. Multiparty Computation 29 / 29

Conclusion Unified comparison of masking scheme allows designers to choose a scheme in function of security and performance. Packing technique theoretically interesting, but concrete gains only appear for large order (maybe interesting in the longer term). Randomness is not the most expensive part of masked implementation, but is not negligible. UCL Crypto Group Masking vs. Multiparty Computation 29 / 29

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback