Faster Evaluation of S-Boxes via Common Shares

Transcription

1 Faster Evaluation of S-Boxes via Common Shares J-S. Coron, A. Greuet, E. Prouff, R. Zeitoun F.Rondepierre CHES 2016 CHES

2 S-Box Evaluation AES By definition: S AES (x) = A x b F 2 8[x] CHES

3 S-Box Evaluation AES By definition: S AES (x) = A x b F 2 8[x] Other Blockciphers DES S-Box Table Polynomial interpolation S DES (x) = a 63 x 63 + a 62 x a 1 x + a }{{} 0 F 2 6[x] compute with +,, 2 CHES

4 Security Context t-probing Adversary A t-probing adversary is allowed to know the exact value of at most t intermediate results. CHES

5 Security Context t-probing Adversary A t-probing adversary is allowed to know the exact value of at most t intermediate results. Adversary can access key values. Security is built to twhart limited adversaries. CHES

6 Secret Sharing/Masking Secret Sharing/Masking In order to thwart a t-probing adversary, each sensitive variable x is split in n = t + 1 variables (x 0,..., x t ), such that: x = x 0 x 1 x t Variables x 1,..., x t are by convention random masks. x 0 = x i 1 x i X = (x 0,..., x t ) is a shared representation of x. CHES

7 Secure Multiplication 1st Order Secure Multiplication Let A, B be two shared variables and say we want to compute C = (c 0, c 1 ) such that C is a sharing of a b: (a a 1 ) (b b 1 ) = a b a b 1 a 1 b a 1 b 1 = a b (a a 1 ) b 1 (b b 1 ) a 1 a 1 b 1 a 0 b 0 = a b a 0 b 1 b 0 a 1 a 1 b 1 CHES

8 Secure Multiplication 1st Order Secure Multiplication Let A, B be two shared variables and say we want to compute C = (c 0, c 1 ) such that C is a sharing of a b: (a a 1 ) (b b 1 ) = a b a b 1 a 1 b a 1 b 1 = a b (a a 1 ) b 1 (b b 1 ) a 1 a 1 b 1 a 0 b 0 = a b a 0 b 1 b 0 a 1 a 1 b 1 We would say C(c 0, c 1 ): c 0 = a 0 b 0 c 1 = [(a 0 b 1 ) a 1 b 0 ] (a 1 b 1 ) CHES

9 Secure Multiplication 1st Order Secure Multiplication Let A, B be two shared variables and say we want to compute C = (c 0, c 1 ) such that C is a sharing of a b: (a a 1 ) (b b 1 ) = a b a b 1 a 1 b a 1 b 1 = a b (a a 1 ) b 1 (b b 1 ) a 1 a 1 b 1 a 0 b 0 = a b a 0 b 1 b 0 a 1 a 1 b 1 Security needs an additional random r: c 0 = a 0 b 0 r c 1 = (a 1 b 1 ) [(a 0 b 1 r) a 1 b 0 ] CHES

10 Secure Multiplication 1st Order Secure Multiplication Let A, B be two shared variables and say we want to compute C = (c 0, c 1 ) such that C is a sharing of a b: (a a 1 ) (b b 1 ) = a b a b 1 a 1 b a 1 b 1 = a b (a a 1 ) b 1 (b b 1 ) a 1 a 1 b 1 a 0 b 0 = a b a 0 b 1 b 0 a 1 a 1 b 1 Security needs an additional random r: c 0 = a 0 b 0 r c 1 = (a 1 b 1 ) [(a 0 b 1 r) a 1 b 0 ] Not secure if by construction we have a 1 = b 1 CHES

11 Common Shares Sequence of Secure Multiplications Say we want to compute E, F from A, B, C, D, such that: E = A B F = C D CHES

12 Common Shares Sequence of Secure Multiplications Say we want to compute E, F from A, B, C, D, such that: E = A B F = C D In a 1st order context, the paper deals with: e 0 = a 0 b 0 r e 1 = (a 1 b 1 ) [(a 0 b 1 r) a 1 b 0 ] f 0 = c 0 d 0 r f 1 = (c 1 d 1 ) [(c 0 d 1 r) c 1 d 0 ] CHES

13 Common Shares Sequence of Secure Multiplications Say we want to compute E, F from A, B, C, D, such that: E = A B F = C D In a 1st order context, the paper deals with: e 0 = a 0 b 0 r e 1 = (a 1 b 1 ) [(a 0 b 1 r) a 1 b 0 ] f 0 = c 0 d 0 r f 1 = (c 1 d 1 ) [(c 0 d 1 r) c 1 d 0 ] CHES

14 Common Shares Sequence of Secure Multiplications Say we want to compute E, F from A, B, C, D, such that: E = A B F = C D In a 1st order context, we can have: a 1 = c 1 b 1 = d 1 CHES

15 Common Shares Sequence of Secure Multiplications Say we want to compute E, F from A, B, C, D, such that: E = A B F = C D The paper also extends the result to t-probing context: a i = c i, b i = d i, t + 1 i t 2 t + 1 i t 2 CHES

16 Common Shares Optimality of sharing Let A, B be two shared variables, such that : a i = b i, k i t If k = 1, then a 0 b 0 = a b CHES

17 Common Shares Optimality of sharing Let A, B be two shared variables, such that : a i = b i, k i t If k = 1, then a 0 b 0 = a b If k < t+1 2, then i<k a i b i = a b CHES

18 Common Shares Optimality of sharing Let A, B be two shared variables, such that : a i = b i, k i t If k = 1, then a 0 b 0 = a b If k < t+1 2, then i<k a i b i = a b If k t+1 2, then i<k a i b i requires more than t probing CHES

19 Common Shares CommonShares Input: A = (a 0,..., a t ) shares of a and B, shares of b Output: A = (a 0,..., a t) shares of a and B, shares of b for i = t+1 2 to t do r i F 2 k j i t+1 2 a i r i, a j (a j r i ) a i b i r i, b j (b j r i ) b i CHES

20 Higher-Order Secure Multiplication SecMult Input: A = (a 0,..., a t ) shares of a and B, shares of b Output: C, shares of a b for i = 0 to t do c i a i b i for i = 0 to t do for j = i + 1 to t do r F 2 k c i c i r c j c j [(a i b j r) a j b i ] CHES

21 TwoMult Multiplications with Common Shares Input: A, B, C, D shares of a, b, c, d, where A, C (resp. B, D) have common shares Output: E, F shares of a b, c d for i = 0 to t do e i { a i b i c i d i 0 i t 1 f i 2 e i = c i d t+1 i 2 i t CHES

22 TwoMult Multiplications with Common Shares Input: A, B, C, D shares of a, b, c, d, where A, C (resp. B, D) have common shares Output: E, F shares of a b, c d for i = 0 to t do e i { a i b i c i d i 0 i t 1 f i e i = c i d i t+1 2 for i = 0 to t do for j = i + 1 to t do r F 2 k 2 i t s F 2 k e i e i r f i f i s e j e j [(a i b j r) a j b i ] f j f j [(c i d j s) c j d i ] CHES

23 Multiplications with Common Shares CommonMult Input: A, B, D shares of a, b, d, where B, D have common shares Output: E, F shares of a b, a d for i = 0 to t do e i { a i b i a i d i 0 i t 1 f i e i t+1 2 for i = 0 to t do for j = i + 1 to t do r F 2 k 2 i t s F 2 k e i e i r f i f i s e j e j [(a i b j r) a j b i ] f j f j [(a i d j s) a j d i ] CHES

24 Multiplications with Common Shares CommonMult Input: A, B, D shares of a, b, d, where B, D have common shares Output: E, F shares of a b, a d for i = 0 to t do e i { a i b i a i d i 0 i t 1 f i e i t+1 2 for i = 0 to t do for j = i + 1 to t do r F 2 k 2 i t s F 2 k e i e i r f i f i s e j e j [(a i b j r) a j b i ] f j f j [(a i d j s) a j d i ] CHES

25 Multiplications with Common Shares CommonMult Input: A, B, D shares of a, b, d, where B, D have common shares Output: E, F shares of a b, a d for i = 0 to t do e i { a i b i a i d i 0 i t 1 f i e i t+1 2 for i = 0 to t do for j = i + 1 to t do r F 2 k 2 i t s F 2 k e i e i r f i f i s e j e j [(a i b j r) a j b i ] f j f j [(a i d j s) a j d i ] CHES

26 Performances SecMult (t + 1) 2 TwoMult 2(t + 1) 2 ( t+1 ( CommonMult 2(t + 1) 2 t+1 (t + 1) 2 ) m-mult m(t + 1) 2 (m 1) ( t+1 2 ) 2 m-commonmult m(t + 1) 2 (m 1)(t + 1) 2 ) 2 ( t+1 Table: Complexity Comparison of Secure Multiplications 2 ) CHES

27 Security Security Proofs Security proven in the t-sni model. The proof in this model ensures the security with only t + 1 shares, instead of 2t + 1 shares in the original model. EasyCrypt verification tool on our AES S-box algorithm (thanks to S.Belaïd). CHES

28 Application to AES Possible evaluation of x 254 in F 2 8 x 15 x 240 x 254 x x 3 x 12 x 2 x 14 CHES

29 Application to AES SecExp254 Input: A shared representation X of x Output: A shared representation Res of x 254 = x 1 X 2 X 2 X RefreshMask(X ) X 3 SecMult(X 2, X ) X 12 X3 4 X 3 RefreshMask(X 3 ) (X 14, X 15 ) CommonMult(X 12, X 2, X 3 ) X 240 X15 16 Res SecMult(X 240, X 14 ) CHES

30 Performances on several S-Boxes k m N mult N mult AES DES PRESENT SERPENT CAMELLIA CLEFIA Table: Equivalent number of multiplications N mult for various block-ciphers, with m k-bit S-Boxes. CHES

31 Conclusion Conclusion General improvement for multiplications with t-sni security. Core idea: improvements with common shared values. The ratio between two multiplications and a CommonMult is 3. 4 A sequence of m multiplications has an equivalent cost of 3 (m 1) A sequence of m CommonMult has an equivalent cost of 5 (m 1) Implementation for AES S-Box evaluation. Theoretical gain for other block ciphers thanks to interpolation. CHES