Masking the GLP Lattice-Based Signature Scheme at Any Order
|
|
- Brenda Warner
- 5 years ago
- Views:
Transcription
1 Masking the GLP Lattice-Based Signature Scheme at Any Order Sonia Belaïd Joint Work with Gilles Barthe, Thomas Espitau, Pierre-Alain Fouque, Benjamin Grégoire, Mélissa Rossi, and Mehdi Tibouchi 1 / 31
2 1 Post-Quantum Schemes 2 Power Analysis Attacks and Masking 3 Contribution: Higher-Order Masking of GLP 4 Implementation of the Countermeasure 5 Conclusion 2 / 31
3 1 Post-Quantum Schemes 2 Power Analysis Attacks and Masking 3 Contribution: Higher-Order Masking of GLP 4 Implementation of the Countermeasure 5 Conclusion 3 / 31
4 Post-Quantum Schemes Context NIST postquantum competition demands for practical implementation 4 / 31
5 Lattice-Based Signatures So far Numerous physical attacks against lattice-based schemes (Gaussian distributions, rejection sampling) Few countermeasures exist 5 / 31
6 1 Post-Quantum Schemes 2 Power Analysis Attacks and Masking 3 Contribution: Higher-Order Masking of GLP 4 Implementation of the Countermeasure 5 Conclusion 6 / 31
7 Power Analysis Attacks 7 / 31
8 Masking sound countermeasure which splits every sensitive variable x into d + 1 shares (x i ) 0 i d such that for every 1 i d, x i is picking uniformly at random x 0 x x 1 x d any strict subvector of at most d shares is independent from x d is called masking order or security order 8 / 31
9 Leakage Models Probing model by Ishai, Sahai, and Wagner (Crypto 2003) a circuit is d-probing secure iff any set composed of the exact values of at most d intermediate variables is independent from the secret 9 / 31
10 Leakage Models Probing model by Ishai, Sahai, and Wagner (Crypto 2003) a circuit is d-probing secure iff any set composed of the exact values of at most d intermediate variables is independent from the secret Noisy leakage model by Chari, Jutla, Rao, and Rohatgi (Crypto 1999) then Rivain and Prouff (EC 2013) a circuit is secure in the noisy leakage model iff the adversary cannot recover information on the secret from the noisy values of all the intermediate variables 9 / 31
11 Leakage Models Probing model by Ishai, Sahai, and Wagner (Crypto 2003) a circuit is d-probing secure iff any set composed of the exact values of at most d intermediate variables is independent from the secret Noisy leakage model by Chari, Jutla, Rao, and Rohatgi (Crypto 1999) then Rivain and Prouff (EC 2013) a circuit is secure in the noisy leakage model iff the adversary cannot recover information on the secret from the noisy values of all the intermediate variables Reduction by Duc, Dziembowski, and Faust (EC 2014) d-probing security security in the noisy leakage model for some level of noise 9 / 31
12 Probing Model variables: secret, shares, constant masking order d = 3 function Ex-t3(x 0, x 1, x 2, x 3, c): (* x 0, x 1, x 2 = $ *) (* x 3 = x + x 0 + x 1 + x 2 *) r 0 $ r 1 $ y 0 x 0 + r 0 y 1 x 3 + r 1 t 1 x 1 + r 0 t 2 (x 1 + r 0 ) + x 2 y 2 (x 1 + r 0 + x 2 ) + r 1 y 3 c + r 1 return(y 0, y 1, y 2, y 3 ) 10 / 31
13 Probing Model variables: secret, shares, constant masking order d = 3 independent from the secret? function Ex-t3(x 0, x 1, x 2, x 3, c): (* x 0, x 1, x 2 = $ *) (* x 3 = x + x 0 + x 1 + x 2 *) r 0 $ r 1 $ y 0 x 0 + r 0 y 1 x 3 + r 1 t 1 x 1 + r 0 t 2 (x 1 + r 0 ) + x 2 y 2 (x 1 + r 0 + x 2 ) + r 1 y 3 c + r 1 return(y 0, y 1, y 2, y 3 ) 10 / 31
14 Probing Model variables: secret, shares, constant masking order d = 3 independent from the secret? function Ex-t3(x 0, x 1, x 2, x 3, c): (* x 0, x 1, x 2 = $ *) (* x 3 = x + x 0 + x 1 + x 2 *) r 0 $ r 1 $ y 0 x 0 + r 0 y 1 x 3 + r 1 t 1 x 1 + r 0 t 2 (x 1 + r 0 ) + x 2 y 2 (x 1 + r 0 + x 2 ) + r 1 y 3 c + r 1 return(y 0, y 1, y 2, y 3 ) 10 / 31
15 Non-Interference (NI) d-ni d-probing secure a circuit is d-ni iff any set of d intermediate variables can be perfectly simulated with at most d shares of each input can be simulated with x 0 and x 1 function Ex-t3(x 0, x 1, x 2, x 3, c): (* x 0, x 1, x 2 = $ *) (* x 3 = x + x 0 + x 1 + x 2 *) r 0 $ r 1 $ y 0 x 0 + r 0 y 1 x 3 + r 1 t 1 x 1 + r 0 t 2 (x 1 + r 0 ) + x 2 y 2 (x 1 + r 0 + x 2 ) + r 1 y 3 c + r 1 return(y 0, y 1, y 2, y 3 ) 11 / 31
16 Non-Interference (NI) d-ni d-probing secure a circuit is d-ni iff any set of d intermediate variables can be perfectly simulated with at most d shares of each input x 0 x 1 x 2 x 3 (= x + x 0 + x 1 + x 2 ) Ex-d3 3 observations y 0 y 1 y 2 y 3 12 / 31
17 Strong Non-Interference (SNI) d-sni d-ni d-probing secure a circuit is d-sni iff any set of d intermediate variables, whose d 1 on the internal variables and d 2 and the outputs, can be perfectly simulated with at most d 1 shares of each input require x 0 and x 1 to be perfectly simulated not 3-SNI since y 0 is an output variable function Ex-t3(x 0, x 1, x 2, x 3, c): (* x 0, x 1, x 2 = $ *) (* x 3 = x + x 0 + x 1 + x 2 *) r 0 $ r 1 $ y 0 x 0 + r 0 y 1 x 3 + r 1 t 1 x 1 + r 0 t 2 (x 1 + r 0 ) + x 2 y 2 (x 1 + r 0 + x 2 ) + r 1 y 3 c + r 1 return(y 0, y 1, y 2, y 3 ) 13 / 31
18 Strong Non-Interference (SNI) d-sni d-ni d-probing secure a circuit is d-sni iff any set of d intermediate variables, whose d 1 on the internal variables and d 2 and the outputs, can be perfectly simulated with at most d 1 shares of each input x 0 x 1 x 2 x 3 Ex-d3 y 0 y 1 y 2 y 3 2 internal observations + 1 output observation 14 / 31
19 Composition From NI and SNI gadgets, we are able to build a NI circuit by adding SNI refresh gadgets when necessary Example: AES S-box on GF(2 8 ) Constraint: d 0 +d 1 +d 2 +d 3 d d 0 observations d 3 observations [ ] [x] R [ 2] d 1 observations d 2 observations 15 / 31
20 Composition From NI and SNI gadgets, we are able to build a NI circuit by adding SNI refresh gadgets when necessary Example: AES S-box on GF(2 8 ) Constraint: d 0 +d 1 +d 2 +d 3 d d 0 observations d 3 observations [ ] [x] R [ 2] d 1 observations d 2 observations 15 / 31
21 Composition From NI and SNI gadgets, we are able to build a NI circuit by adding SNI refresh gadgets when necessary Example: AES S-box on GF(2 8 ) Constraint: d 0 +d 1 +d 2 +d 3 d d 0 + d 3 observations [ ] [x] R d [ 2] 1 observations d 2 internal observations t 3 output observations 15 / 31
22 Composition From NI and SNI gadgets, we are able to build a NI circuit by adding SNI refresh gadgets when necessary Example: AES S-box on GF(2 8 ) Constraint: d 0 +d 1 +d 2 +d 3 d d 0 + d 3 observations [ ] [x] R d [ 2] 1 observations d 2 internal observations t 3 output observations 15 / 31
23 Composition From NI and SNI gadgets, we are able to build a NI circuit by adding SNI refresh gadgets when necessary Example: AES S-box on GF(2 8 ) Constraint: d 0 +d 1 +d 2 +d 3 d d 0 + d 3 observations [ ] [x] R [ 2] d 1 + d 2 observations d 3 output observations 15 / 31
24 Composition From NI and SNI gadgets, we are able to build a NI circuit by adding SNI refresh gadgets when necessary Example: AES S-box on GF(2 8 ) Constraint: d 0 +d 1 +d 2 +d 3 d d 0 + d 3 observations [ ] [x] R [ 2] d 1 + d 2 observations d 3 output observations 15 / 31
25 Composition From NI and SNI gadgets, we are able to build a NI circuit by adding SNI refresh gadgets when necessary Example: AES S-box on GF(2 8 ) d 0 + d 3 +d 1 + d 2 observations [x] [ 2] Constraint: d 0 +d 1 +d 2 +d 3 d R d 3 output observations [ ] 15 / 31
26 1 Post-Quantum Schemes 2 Power Analysis Attacks and Masking 3 Contribution: Higher-Order Masking of GLP 4 Implementation of the Countermeasure 5 Conclusion 16 / 31
27 GLP Features Introduced at CHES 2012 by Tim Güneysu, Vadim Lyubashevsky, and Thomas Pöppelmann No Gaussians, only uniform distributions Probabilistic algorithm Rejection sampling 17 / 31
28 GLP Key Derivation R = Zp[x] x n +1 R k : coefficients in the range [ k, k] Algorithm 1 GLP key derivation Ensure: Signing key sk, verification key pk 1: s 1, s 2 $ R1 //s 1 and s 2 have coefficients in { 1, 0, 1} 2: a $ R 3: t as 1 + s 2 4: sk (s 1, s 2 ) 5: pk (a, t) Based on the Decisional Compact Knapsack problem 18 / 31
29 GLP Signature Fiat Shamir with abort signature Algorithm 2 GLP signature Require: m, pk, sk Ensure: Signature σ 1: y 1, y 2 $ Rk Random generation 2: c H(r = ay 1 + y 2, m) Commitment 3: z 1 s 1 c + y 1 4: z 2 s 2 c + y 2 5: if z 1 or z 2 / R k α then restart Rejection Sampling return σ = (z 1, z 2, c) Verification z 1, z 2 R k α and c = H(az 1 + z 2 tc, m) 19 / 31
30 Masking GLP Key Derivation Algorithm 3 GLP key derivation Ensure: Signing key sk, verification key pk 1: s 1, s 2 $ R1 //s 1 and s 2 have coefficients in { 1, 0, 1} 2: a $ R 3: t as 1 + s 2 4: sk (s 1, s 2 ) 5: pk (a, t) DG (s1,i)0 i d DG (s2,i)0 i d
31 Masking GLP Key Derivation Algorithm 4 GLP key derivation Ensure: Signing key sk, verification key pk 1: s 1, s 2 $ R1 //s 1 and s 2 have coefficients in { 1, 0, 1} 2: a $ R 3: t as 1 + s 2 4: sk (s 1, s 2 ) 5: pk (a, t) a DG (s1,i)0 i d DG (s2,i)0 i d
32 Masking GLP Key Derivation Algorithm 5 GLP key derivation Ensure: Signing key sk, verification key pk 1: s 1, s 2 $ R1 //s 1 and s 2 have coefficients in { 1, 0, 1} 2: a $ R 3: t as 1 + s 2 4: sk (s 1, s 2 ) 5: pk (a, t) a DG (s1,i)0 i d H 1 (ti)0 i d DG (s2,i)0 i d
33 Masking GLP Key Derivation Algorithm 6 GLP key derivation Ensure: Signing key sk, verification key pk 1: s 1, s 2 $ R1 //s 1 and s 2 have coefficients in { 1, 0, 1} 2: a $ R 3: t as 1 + s 2 4: sk (s 1, s 2 ) 5: pk (a, t) a (s1,i)0 i d DG (s1,i)0 i d H 1 (ti)0 i d DG (s2,i)0 i d (s2,i)0 i d
34 Masking GLP Key Derivation Algorithm 7 GLP key derivation Ensure: Signing key sk, verification key pk 1: s 1, s 2 $ R1 //s 1 and s 2 have coefficients in { 1, 0, 1} 2: a $ R 3: t as 1 + s 2 4: sk (s 1, s 2 ) 5: pk (a, t) a (s1,i)0 i d DG (s1,i)0 i d H 1 (ti)0 i d FullAdd t DG (s2,i)0 i d (s2,i)0 i d 20 / 31
35 Security of Individual Gadgets Each sensitive variable must be masked mod-p arithmetic masking w-bit Boolean masking Each block (or sub-block) which manipulates secret data is individually proven according to one of the three properties Non-Interference (NI) Strong Non-Interference (SNI) Non-Interference with public Outputs (NIo) 21 / 31
36 Masking GLP Key Derivation DG: generation of sharings for coefficients x [ k, k] (k = 1) 22 / 31
37 Masking GLP Key Derivation DG: generation of sharings for coefficients x [ k, k] (k = 1) 1. generate a Boolean sharing of x: where 2 w0 > 2k w0 1 0 i d, x i [0, 2 w0 1] 22 / 31
38 Masking GLP Key Derivation DG: generation of sharings for coefficients x [ k, k] (k = 1) 1. generate a Boolean sharing of x: 0 i d, x i [0, 2 w0 1] where 2 w0 > 2k w (δ i ) 0 i d (x i ) 0 i d (k i ) 0 i d 22 / 31
39 Masking GLP Key Derivation DG: generation of sharings for coefficients x [ k, k] (k = 1) 1. generate a Boolean sharing of x: 0 i d, x i [0, 2 w0 1] where 2 w0 > 2k w (δ i ) 0 i d (x i ) 0 i d (k i ) 0 i d 3. b unmask δ s most significant bit 4. b equals 0 iff x 2k / 31
40 Masking GLP Key Derivation DG: generation of sharings for coefficients x [ k, k] (k = 1) 1. generate a Boolean sharing of x: 0 i d, x i [0, 2 w0 1] where 2 w0 > 2k w (δ i ) 0 i d (x i ) 0 i d (k i ) 0 i d 3. b unmask δ s most significant bit 4. b equals 0 iff x 2k convert (x i ) 0 i d to an arithmetic masking 22 / 31
41 Masking GLP Key Derivation DG: generation of sharings for coefficients x [ k, k] (k = 1) 1. generate a Boolean sharing of x: 0 i d, x i [0, 2 w0 1] where 2 w0 > 2k w (δ i ) 0 i d (x i ) 0 i d (k i ) 0 i d 3. b unmask δ s most significant bit 4. b equals 0 iff x 2k convert (x i ) 0 i d to an arithmetic masking H 1 : t as 1 + s 2 FullAdd: refresh then add 22 / 31
42 Masking GLP Key Derivation Algorithm 8 GLP key derivation Ensure: Signing key sk, verification key pk 1: s 1, s 2 $ R1 //s 1 and s 2 have coefficients in { 1, 0, 1} 2: a $ R 3: t as 1 + s 2 4: sk (s 1, s 2 ) 5: pk (a, t) a (s1,i)0 i d DG (s1,i)0 i d H 1 (ti)0 i d FullAdd t DG (s2,i)0 i d (s2,i)0 i d Not masked Non interferent Non interferent with public outputs 23 / 31
43 Masking GLP Signature Algorithm 9 GLP signature Require: m, pk, sk Ensure: Signature σ 1: y 1, y 2 $ R k 2: c H(r = ay 1 + y 2, m) 3: z 1 s 1 c + y 1 4: z 2 s 2 c + y 2 5: if z 1 or z 2 / R k α then restart return σ = (z 1, z 2, c) DG (y1,i)0 i d DG (y2,i)0 i d
44 Masking GLP Signature Algorithm 10 GLP signature Require: m, pk, sk Ensure: Signature σ 1: y 1, y 2 $ R k 2: c H(r = ay 1 + y 2, m) 3: z 1 s 1 c + y 1 4: z 2 s 2 c + y 2 5: if z 1 or z 2 / R k α then restart return σ = (z 1, z 2, c) a DG (y1,i)0 i d H 1 (ri)0 i d DG (y2,i)0 i d
45 Masking GLP Signature Algorithm 11 GLP signature Require: m, pk, sk Ensure: Signature σ 1: y 1, y 2 $ R k 2: c H(r = ay 1 + y 2, m) 3: z 1 s 1 c + y 1 4: z 2 s 2 c + y 2 5: if z 1 or z 2 / R k α then restart return σ = (z 1, z 2, c) a DG (y1,i)0 i d H 1 (ri)0 i d FullAdd r DG (y2,i)0 i d
46 Masking GLP Signature Algorithm 12 GLP signature Require: m, pk, sk Ensure: Signature σ 1: y 1, y 2 $ R k 2: c H(r = ay 1 + y 2, m) 3: z 1 s 1 c + y 1 4: z 2 s 2 c + y 2 5: if z 1 or z 2 / R k α then restart return σ = (z 1, z 2, c) a m DG (y1,i)0 i d H 1 (ri)0 i d FullAdd r c Hash DG (y2,i)0 i d
47 Masking GLP Signature Algorithm 13 GLP signature Require: m, pk, sk Ensure: Signature σ 1: y 1, y 2 $ R k 2: c H(r = ay 1 + y 2, m) 3: z 1 s 1 c + y 1 4: z 2 s 2 c + y 2 5: if z 1 or z 2 / R k α then restart return σ = (z 1, z 2, c) a (y1,i)0 i d (s1,i)0 i d m DG (y1,i)0 i d H 1 (ri)0 i d FullAdd r Hash c H 1 (z1,i)0 i d DG (y2,i)0 i d H 1 (z2,i)0 i d (y2,i)0 i d (s2,i)0 i d
48 Masking GLP Signature Algorithm 14 GLP signature Require: m, pk, sk Ensure: Signature σ 1: y 1, y 2 $ R k 2: c H(r = ay 1 + y 2, m) 3: z 1 s 1 c + y 1 4: z 2 s 2 c + y 2 5: if z 1 or z 2 / R k α then restart return σ = (z 1, z 2, c) (y1,i)0 i d (s1,i)0 i d a (z1,i)0 i d m DG (y1,i)0 i d H 1 (ri)0 i d FullAdd r Hash c H 1 (z1,i)0 i d RS RejSp H 2 (z1,i)0 i d FullAdd z 1 DG (y2,i)0 i d H 1 (z2,i)0 i d H 2 (z2,i)0 i d FullAdd z 2 (z2,i)0 i d (y2,i)0 i d (s2,i)0 i d c 24 / 31
49 Masking GLP Signature DG: generation of sharings for coefficients x [ k, k] H 1 : ay 1 + y 2 FullAdd: refresh then add Hash: unmasked RS: some details follow H 2 : linear function FullAdd: refresh then add 25 / 31
50 Masking GLP Signature Rejection Sampling: are coefficients of z 1 and z 2 in [ k + α, k α]? 26 / 31
51 Masking GLP Signature Rejection Sampling: are coefficients of z 1 and z 2 in [ k + α, k α]? 1. convert mod-p arithmetic sharing into Boolean masking 26 / 31
52 Masking GLP Signature Rejection Sampling: are coefficients of z 1 and z 2 in [ k + α, k α]? 1. convert mod-p arithmetic sharing into Boolean masking 2. as in Data Generation, compute the masked difference with k α difference 26 / 31
53 Masking GLP Signature Rejection Sampling: are coefficients of z 1 and z 2 in [ k + α, k α]? 1. convert mod-p arithmetic sharing into Boolean masking 2. as in Data Generation, compute the masked difference with k α difference 3. securely check the most significant bit 26 / 31
54 Masking GLP Signature Algorithm 15 GLP signature Require: m, pk, sk Ensure: Signature σ 1: y 1, y 2 $ R k 2: c H(r = ay 1 + y 2, m) 3: z 1 s 1 c + y 1 4: z 2 s 2 c + y 2 5: if z 1 or z 2 / R k α then restart return σ = (z 1, z 2, c) (y1,i)0 i d (s1,i)0 i d a (z1,i)0 i d m DG (y1,i)0 i d H 1 (ri)0 i d FullAdd r Hash c H 1 (z1,i)0 i d RS RejSp H 2 (z1,i)0 i d FullAdd z 1 DG (y2,i)0 i d H 1 (z2,i)0 i d H 2 (z2,i)0 i d FullAdd z 2 (z2,i)0 i d (y2,i)0 i d (s2,i)0 i d c 27 / 31
55 1 Post-Quantum Schemes 2 Power Analysis Attacks and Masking 3 Contribution: Higher-Order Masking of GLP 4 Implementation of the Countermeasure 5 Conclusion 28 / 31
56 Implementation unoptimized implementation based on a public domain implementation called GLYPH (n = 1024, p = 59393, k = 16383, and α = 16) Table: Implementation results. Timings are provided for 100 executions of the signing and verification algorithms, on one core of an Intel Core i CPU-based desktop machine. Number of shares (d + 1) Unprotected Total CPU time (s) Masking overhead / 31
57 1 Post-Quantum Schemes 2 Power Analysis Attacks and Masking 3 Contribution: Higher-Order Masking of GLP 4 Implementation of the Countermeasure 5 Conclusion 30 / 31
58 Conclusion In a nutshell... Higher-order masking of GLP with proof in the probing model New security notions to mask lattice-based signatures To continue... Extend these results to other lattice-based signatures Extend these results to other post-quantum schemes 31 / 31
Masking the GLP Lattice-Based Signature Scheme at any Order
Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software Institute) Sonia Belaïd (CryptoExperts) Thomas Espitau (UPMC) Pierre-Alain Fouque (Univ. Rennes I and IUF) Benjamin
More informationFormal Verification of Side-Channel Countermeasures
Formal Verification of Side-Channel Countermeasures Sonia Belaïd June 5th 2018 1 / 35 1 Side-Channel Attacks 2 Masking 3 Formal Tools Verification of Masked Implementations at Fixed Order Verification
More informationFormal Verification of Masked Implementations
Formal Verification of Masked Implementations Sonia Belaïd Benjamin Grégoire CHES 2018 - Tutorial September 9th 2018 1 / 47 1 Side-Channel Attacks and Masking 2 Formal Tools for Verification at Fixed Order
More informationMasking the GLP Lattice-Based Signature Scheme at Any Order
Masking the GLP Lattice-Based Signature Scheme at Any Order Gilles Barthe 1, Sonia Belaïd 2, Thomas Espitau 3, Pierre-Alain Fouque 4, Benjamin Grégoire 5, Mélissa Rossi 6,7, and Mehdi Tibouchi 8 1 IMDEA
More informationMasking the GLP Lattice-Based Signature Scheme at Any Order
Masking the GLP Lattice-Based Signature Scheme at Any Order Gilles Barthe 1, Sonia Belaïd 2, Thomas Espitau 3, Pierre-Alain Fouque 4, Benjamin Grégoire 5, Mélissa Rossi 6,7, and Mehdi Tibouchi 8 1 IMDEA
More informationOn the Use of Masking to Defeat Power-Analysis Attacks
1/32 On the Use of Masking to Defeat Power-Analysis Attacks ENS Paris Crypto Day February 16, 2016 Presented by Sonia Belaïd Outline Power-Analysis Attacks Masking Countermeasure Leakage Models Security
More informationFormal Verification of Side-channel Countermeasures via Elementary Circuit Transformations
Formal Verification of Side-channel Countermeasures via Elementary Circuit Transformations Jean-Sébastien Coron University of Luxembourg jean-sebastiencoron@unilu April 9, 2018 Abstract We describe a technique
More informationParallel Implementations of Masking Schemes and the Bounded Moment Leakage Model
Parallel Implementations of Masking Schemes and the Bounded Moment Leakage Model G. Barthe, F. Dupressoir, S. Faust, B. Grégoire, F.-X. Standaert, P.-Y. Strub IMDEA (Spain), Univ. Surrey (UK), Univ. Bochum
More informationFault Attacks Against Lattice-Based Signatures
Fault Attacks Against Lattice-Based Signatures T. Espitau P-A. Fouque B. Gérard M. Tibouchi Lip6, Sorbonne Universités, Paris August 12, 2016 SAC 16 1 Towards postquantum cryptography Quantum computers
More informationCompositional Verification of Higher-Order Masking
Compositional Verification of Higher-Order Masking Application to a Verifying Masking Compiler Gilles Barthe 2, Sonia Belaïd 1,5, François Dupressoir 2, Pierre-Alain Fouque 4,6, and Benjamin Grégoire 3
More informationHigh-Order Conversion From Boolean to Arithmetic Masking
High-Order Conversion From Boolean to Arithmetic Masking Jean-Sébastien Coron University of Luxembourg jean-sebastien.coron@uni.lu Abstract. Masking with random values is an effective countermeasure against
More informationImproved High-Order Conversion From Boolean to Arithmetic Masking
Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1, Jean-Sébastien Coron 2, and Rina Zeitoun 1 1 IDEMIA, France luk.bettale@idemia.com, rina.zeitoun@idemia.com 2 University
More informationConsolidating Inner Product Masking
Consolidating Inner Product Masking Josep Balasch 1, Sebastian Faust 2,3, Benedikt Gierlichs 1, Clara Paglialonga 2,3, François-Xavier Standaert 4 1 imec-cosic KU euven, Belgium 2 Ruhr-Universität Bochum,
More informationMASKING is the most widely deployed countermeasure
1 Corrections to Further Improving Efficiency of Higher-Order Masking Schemes by Decreasing Randomness Complexity Shuang Qiu, Rui Zhang, Yongbin Zhou, Wei Cheng Abstract Provably secure masking schemes
More informationAmortizing Randomness Complexity in Private Circuits
Amortizing Randomness Complexity in Private Circuits Sebastian Faust 1,2, Clara Paglialonga 1,2, Tobias Schneider 1,3 1 Ruhr-Universität Bochum, Germany 2 Technische Universität Darmstadt, Germany 3 Université
More informationImproved Parallel Mask Refreshing Algorithms Generic Solutions with Parametrized Non-Interference & Automated Optimizations
Improved Parallel Mask Refreshing Algorithms Generic Solutions with Parametrized Non-Interference & Automated Optimizations Gilles Barthe 1, Sonia Belaïd 2, François Dupressoir 3, Pierre-Alain Fouque 4,
More informationParallel Implementations of Masking Schemes and the Bounded Moment Leakage Model
Parallel Implementations of Masking Schemes and the Bounded Moment Leakage Model Gilles Barthe 1, François Dupressoir 2, Sebastian Faust 3, Benjamin Grégoire 4, François-Xavier Standaert 5, and Pierre-Yves
More informationEciently Masking Binomial Sampling at Arbitrary Orders for Lattice-Based Crypto
Eciently Masking Binomial Sampling at Arbitrary Orders for Lattice-Based Crypto Tobias Schneider 1, Clara Paglialonga 2, Tobias Oder 3, and Tim Güneysu 3,4 1 ICTEAM/ELEN/Crypto Group, Université Catholique
More informationImproved Parallel Mask Refreshing Algorithms
Noname manuscript No. (will be inserted by the editor) Improved Parallel Mask Refreshing Algorithms Generic Solutions with Parametrized Non-Interference & Automated Optimizations Gilles Barthe 1 Sonia
More informationProvably Secure Higher-Order Masking of AES
Provably Secure Higher-Order Masking of AES Matthieu Rivain 1 and Emmanuel Prouff 2 1 CryptoExperts matthieu.rivain@cryptoexperts.com 2 Oberthur Technologies e.prouff@oberthur.com Abstract. Implementations
More informationProvable Security against Side-Channel Attacks
Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com MCrypt Seminar Aug. 11th 2014 Outline 1 Introduction 2 Modeling side-channel leakage 3 Achieving provable
More informationStrong Non-Interference and Type-Directed Higher-Order Masking
Strong Non-Interference and Type-Directed Higher-Order Masking Gilles Barthe 1, Sonia Belaïd 2, François Dupressoir 3, Pierre-Alain Fouque 4, Benjamin Grégoire 5, Pierre-Yves Strub 6, and Rébecca Zucchini
More informationConsolidating Masking Schemes
Consolidating Masking Schemes Oscar Reparaz, Begül Bilgin, Svetla Nikova, Benedikt Gierlichs, and Ingrid Verbauwhede firstname.lastname@esat.kuleuven.be KU Leuven ESAT/COSIC and iminds, Belgium Abstract.
More informationSymbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes
Symbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes Workshop PROOFS Inès Ben El Ouahma Quentin Meunier Karine Heydemann Emmanuelle Encrenaz Sorbonne Universités, UPMC Univ Paris
More informationAn improved compression technique for signatures based on learning with errors
An improved compression technique for signatures based on learning with errors Shi Bai and Steven D. Galbraith Department of Mathematics, University of Auckland. CT-RSA 2014 1 / 22 Outline Introduction
More informationFaster Evaluation of S-Boxes via Common Shares
Faster Evaluation of S-Boxes via Common Shares J-S. Coron, A. Greuet, E. Prouff, R. Zeitoun F.Rondepierre CHES 2016 CHES 2016 1 S-Box Evaluation AES By definition: S AES (x) = A x 254 + b F 2 8[x] CHES
More informationLattice Signature Schemes. Vadim Lyubashevsky INRIA / ENS Paris
Lattice Signature Schemes Vadim Lyubashevsky INRIA / ENS Paris LATTICE PROBLEMS The Knapsack Problem A = t mod q A is random in Z q n x m s is a random small vector in Z q m t=as mod q s Given (A,t), find
More informationCircuit Compilers with O(1/ log(n)) Leakage Rate
Circuit Compilers with O(1/ log(n)) Leakage Rate Marcin Andrychowicz 1, Stefan Dziembowski 1, and Sebastian Faust 2 1 University of Warsaw 2 Ruhr University Bochum Abstract. The goal of leakage-resilient
More informationHorizontal Side-Channel Attacks and Countermeasures on the ISW Masking Scheme
Horizontal Side-Channel Attacks and Countermeasures on the ISW Masking Scheme Alberto Battistello 1, Jean-Sébastien Coron 2, Emmanuel Prouff 3, and Rina Zeitoun 1 1 Oberthur Technologies, France {a.battistello,r.zeitoun}@oberthur.com
More informationCRYSTALS Kyber and Dilithium. Peter Schwabe February 7, 2018
CRYSTALS Kyber and Dilithium Peter Schwabe peter@cryptojedi.org https://cryptojedi.org February 7, 2018 Crypto today 5 building blocks for a secure channel Symmetric crypto Block or stream cipher (e.g.,
More informationMaking Masking Security Proofs Concrete
Making Masking Security Proofs Concrete Or How to Evaluate the Security of any Leaking Device Extended Version Alexandre Duc 1, Sebastian Faust 1,2, François-Xavier Standaert 3 1 HEIG-VD, Lausanne, Switzerland
More informationFast Lattice-Based Encryption: Stretching SPRING
Fast Lattice-Based Encryption: Stretching SPRING Charles Bouillaguet 1 Claire Delaplace 1,2 Pierre-Alain Fouque 2 Paul Kirchner 3 1 CFHP team, CRIStAL, Université de Lille, France 2 EMSEC team, IRISA,
More informationA Sound Method for Switching between Boolean and Arithmetic Masking
A Sound Method for Switching between Boolean and Arithmetic Masking Louis Goubin CP8 Crypto Lab, SchlumbergerSema 36-38 rue de la Princesse, BP45 78430 Louveciennes Cedex, France Louis.Goubin@louveciennes.tt.slb.com
More informationConstant-Time Higher-Order Boolean-to-Arithmetic Masking
Constant-Time Higher-Order Boolean-to-Arithmetic Masking Michael Hutter and Michael Tunstall Cryptography Research, 425 Market Street, 11th Floor, San Francisco, CA 94105, United States {michael.hutter,michael.tunstall}@cryptography.com
More informationInner Product Masking Revisited
Inner Product Masking Revisited Josep Balasch 1, Sebastian Faust 2, and Benedikt Gierlichs 1 1 KU Leuven Dept. Electrical Engineering-ESAT/COSIC and iminds Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee,
More informationImproved Parameters for the Ring-TESLA Digital Signature Scheme
Improved Parameters for the Ring-TESLA Digital Signature Scheme Arjun Chopra Abstract Akleylek et al. have proposed Ring-TESLA, a practical and efficient digital signature scheme based on the Ring Learning
More informationSeveral Masked Implementations of the Boyar-Peralta AES S-Box
Several Masked Implementations of the Boyar-Peralta AES S-Box Ashrujit Ghoshal 1[0000 0003 2436 0230] and Thomas De Cnudde 2[0000 0002 2711 8645] 1 Indian Institute of Technology Kharagpur, India ashrujitg@iitkgp.ac.in
More informationSharing Independence & Relabeling: Efficient Formal Verification of Higher-Order Masking
Sharing Independence & Relabeling: Efficient Formal Verification of Higher-Order Masking Roderick Bloem, Hannes Gross, Rinat Iusupov, Martin Krenn, and Stefan Mangard Institute for Applied Information
More informationIntroduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes
Introduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 03 13 More
More informationSide Channel Analysis and Protection for McEliece Implementations
Side Channel Analysis and Protection for McEliece Implementations Thomas Eisenbarth Joint work with Cong Chen, Ingo von Maurich and Rainer Steinwandt 9/27/2016 NATO Workshop- Tel Aviv University Overview
More informationMasking against Side-Channel Attacks: a Formal Security Proof
Masking against Side-Channel Attacks: a Formal Security Proof Emmanuel Prouff 1 and Matthieu Rivain 2 1 ANSSI emmanuel.prouff@ssi.gouv.fr 2 CryptoExperts matthieu.rivain@cryptoexperts.com Abstract. Masking
More informationSide-Channel Attacks on Threshold Implementations using a Glitch Algebra
Side-Channel Attacks on Threshold Implementations using a Glitch Algebra Serge Vaudenay EPFL CH-1015 Lausanne, Switzerland http://lasec.epfl.ch Abstract. Threshold implementations allow to implement circuits
More informationSampling Lattice Trapdoors
Sampling Lattice Trapdoors November 10, 2015 Today: 2 notions of lattice trapdoors Efficient sampling of trapdoors Application to digital signatures Last class we saw one type of lattice trapdoor for a
More informationPractical CCA2-Secure and Masked Ring-LWE Implementation
Practical CCA2-Secure and Masked Ring-LWE Implementation Tobias Oder 1, Tobias Schneider 2, Thomas Pöppelmann 3, Tim Güneysu 1,4 1 Ruhr-University Bochum, 2 Université Catholique de Louvain, 3 Infineon
More informationTightly-Secure Signatures From Lossy Identification Schemes
Tightly-Secure Signatures From Lossy Identification Schemes Michel Abdalla, Pierre-Alain Fouque, Vadim Lyubashevsky, and Mehdi Tibouchi 2 École normale supérieure {michel.abdalla,pierre-alain.fouque,vadim.lyubashevsky}@ens.fr
More informationOn the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking
On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun Goudarzi and Matthieu Rivain CHES 2016, Santa-Barbara Higher-Order Masking x = x 1 + x 2 + + x d 2/28 Higher-Order
More informationAn improved compression technique for signatures based on learning with errors
An improved compression technique for signatures based on learning with errors Shi Bai and Steven D. Galbraith Department of Mathematics, University of Auckland, New Zealand. S.Bai@auckland.ac.nz S.Galbraith@math.auckland.ac.nz
More informationNotes for Lecture 16
COS 533: Advanced Cryptography Lecture 16 (11/13/2017) Lecturer: Mark Zhandry Princeton University Scribe: Boriana Gjura Notes for Lecture 16 1 Lattices (continued) 1.1 Last time. We defined lattices as
More informationComparison of some mask protections of DES against power analysis Kai Cao1,a, Dawu Gu1,b, Zheng Guo1,2,c and Junrong Liu1,2,d
International Conference on Manufacturing Science and Engineering (ICMSE 2015) Comparison of some mask protections of DES against power analysis Kai Cao1,a, Dawu Gu1,b, Zheng Guo1,2,c and Junrong Liu1,2,d
More informationUsing Second-Order Power Analysis to Attack DPA Resistant Software
Using Second-Order Power Analysis to Attack DPA Resistant Software Thomas S. Messerges Motorola Labs, Motorola 3 E. Algonquin Road, Room 7, Schaumburg, IL 696 Tom.Messerges@motorola.com Abstract. Under
More informationAffine Masking against Higher-Order Side Channel Analysis
Affine Masking against Higher-Order Side Channel Analysis Guillaume Fumaroli 1, Ange Martinelli 1, Emmanuel Prouff 2, and Matthieu Rivain 3 1 Thales Communications {guillaume.fumaroli, jean.martinelli}@fr.thalesgroup.com
More informationOn the Masking Countermeasure and Higher-Order Power Analysis Attacks
1 On the Masking Countermeasure and Higher-Order Power Analysis Attacks François-Xavier Standaert, Eric Peeters, Jean-Jacques Quisquater UCL Crypto Group, Place du Levant, 3, B-1348 Louvain-La-Neuve, Belgium.
More informationSIDE Channel Analysis (SCA in short) exploits information. Statistical Analysis of Second Order Differential Power Analysis
1 Statistical Analysis of Second Order Differential Power Analysis Emmanuel Prouff 1, Matthieu Rivain and Régis Bévan 3 Abstract Second Order Differential Power Analysis O- DPA is a powerful side channel
More informationEfficient Masked S-Boxes Processing A Step Forward
Efficient Masked S-Boxes Processing A Step Forward Vincent Grosso 1, Emmanuel Prouff 2, François-Xavier Standaert 1 1 ICTEAM/ELEN/Crypto Group, Université catholique de Louvain, Belgium. 2 ANSSI, 51 Bd
More informationTHRESHOLD IMPLEMENTATIONS OF ALL 3x3 AND 4x4 S-BOXES
THRESHOLD IMPLEMENTATIONS OF ALL 3x3 AND 4x4 S-BOXES B.Bilgin, S.Nikova, V.Nikov, V.Rijmen, G.Stütz KU Leuven, UTwente, NXP, TU Graz CHES 2012 - Leuven, Belgium 2012-09-10 Countermeasures Search for a
More informationDigital Signatures. p1.
Digital Signatures p1. Digital Signatures Digital signature is the same as MAC except that the tag (signature) is produced using the secret key of a public-key cryptosystem. Message m MAC k (m) Message
More informationFormal Verification of Masked Hardware Implementations in the Presence of Glitches
Formal Verification of Masked Hardware Implementations in the Presence of Glitches Roderick Bloem, Hannes Gross, Rinat Iusupov, Bettina Könighofer, Stefan Mangard, and Johannes Winter Institute for Applied
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationSide-Channel Attacks on BLISS Lattice-Based Signatures
Side-Channel Attacks on BLISS Lattice-Based Signatures Exploiting Branch Tracing against strongswan and Electromagnetic Emanations in Microcontrollers ABSTRACT Thomas Espitau UPMC Paris, France thomas.espitau@lip6.fr
More informationHigher-Order Glitches Free Implementation of the AES using Secure Multi-Party Computation Protocols
Higher-Order Glitches Free Implementation of the AES using Secure Multi-Party Computation Protocols Emmanuel Prouff 1 and Thomas Roche 2 1 Oberthur Technologies, 71-73, rue des Hautes Pâtures 92726 Nanterre,
More informationPicnic Post-Quantum Signatures from Zero Knowledge Proofs
Picnic Post-Quantum Signatures from Zero Knowledge Proofs MELISSA CHASE, MSR THE PICNIC TEAM DAVID DERLER STEVEN GOLDFEDER JONATHAN KATZ VLAD KOLESNIKOV CLAUDIO ORLANDI SEBASTIAN RAMACHER CHRISTIAN RECHBERGER
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationRevisiting a Masked Lookup-Table Compression Scheme
Revisiting a Masked Lookup-Table Compression Scheme Srinivas Vivek University of Bristol, UK sv.venkatesh@bristol.ac.uk Abstract. Lookup-table based side-channel countermeasure is the prime choice for
More informationInner Product Masking for Bitslice Ciphers and Security Order Amplification for Linear Leakages
Inner Product Masking for Bitslice Ciphers and Security Order Amplification for Linear Leakages Weijia Wang 1, François-Xavier Standaert 2, Yu Yu 1,3, Sihang Pu 1, Junrong Liu 1, Zheng Guo 1, and Dawu
More informationA Lattice-Based Threshold Ring Signature Scheme (TRSS-L)
A Lattice-Based Threshold Ring Signature Scheme (TRSS-L) Pierre-Louis Cayrel 1 Richard Lindner 2 Markus Rückert 2 Rosemberg Silva 3 1 Center for Advanced Security Research Darmstadt (CASED) 2 Technische
More informationFast Evaluation of Polynomials over Binary Finite Fields. and Application to Side-channel Countermeasures
Fast Evaluation of Polynomials over Binary Finite Fields and Application to Side-channel Countermeasures Jean-Sébastien Coron 1, Arnab Roy 1,2, Srinivas Vivek 1 1 University of Luxembourg 2 DTU, Denmark
More informationFrom 5-pass MQ-based identification to MQ-based signatures
From 5-pass MQ-based identification to MQ-based signatures Ming-Shing Chen 1,2, Andreas Hülsing 3, Joost Rijneveld 4, Simona Samardjiska 5, Peter Schwabe 4 National Taiwan University 1 / Academia Sinica
More informationOn the Use of Shamir s Secret Sharing Against Side-Channel Analysis
On the Use of Shamir s Secret Sharing Against Side-Channel Analysis Jean-Sébastien Coron 1, Emmanuel Prouff 2, and Thomas Roche 2 1 Tranef jscoron@tranef.com 2 ANSSI, 51, Bd de la Tour-Maubourg, 75700
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationEnhanced Lattice-Based Signatures on Reconfigurable Hardware
Enhanced Lattice-Based Signatures on Reconfigurable Hardware Thomas Pöppelmann 1 Léo Ducas 2 Tim Güneysu 1 1 Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Germany 2 University of California,
More informationLecture 13: Seed-Dependent Key Derivation
Randomness in Cryptography April 11, 2013 Lecture 13: Seed-Dependent Key Derivation Lecturer: Yevgeniy Dodis Scribe: Eric Miles In today s lecture, we study seeded key-derivation functions (KDFs) in the
More informationOutline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.
Provable Security in the Computational Model III Signatures David Pointcheval Ecole normale supérieure, CNRS & INRI Public-Key Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions
More informationConversion from Arithmetic to Boolean Masking with Logarithmic Complexity
Conversion from Arithmetic to Boolean Masking with Logarithmic Complexity Jean-Sébastien Coron 1, Johann Großschädl 1, Mehdi Tibouchi 2, and Praveen Kumar Vadnala 1 1 University of Luxembourg, jean-sebastien.coron,johann.groszschaedl,praveen.vadnala}@uni.lu
More informationTheory and Practice of a Leakage Resilient Masking Scheme
Theory and Practice of a Leakage Resilient Masking Scheme Josep Balasch 1, Sebastian Faust 2, Benedikt Gierlichs 1, and Ingrid Verbauwhede 1 1 KU Leuven Dept. Electrical Engineering-ESAT/SCD-COSIC and
More informationLattice Based Crypto: Answering Questions You Don't Understand
Lattice Based Crypto: Answering Questions You Don't Understand Vadim Lyubashevsky INRIA / ENS, Paris Cryptography Secure communication in the presence of adversaries Symmetric-Key Cryptography Secret key
More informationRSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer
RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis Daniel Genkin, Adi Shamir, Eran Tromer Mathematical Attacks Input Crypto Algorithm Key Output Goal: recover the key given access to the inputs
More informationSide-Channel Attacks on BLISS Lattice-Based Signatures
Side-Channel Attacks on BLISS Lattice-Based Signatures Exploiting Branch Tracing Against strongswan and Electromagnetic Emanations in Microcontrollers Anonymous Author(s) ABSTRACT In this paper, we investigate
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationConsolidating Security Notions in Hardware Masking
Consolidating Security Notions in Hardware Masking Lauren De Meyer 1, Begül Bilgin 1,2 and Oscar Reparaz 1,3 1 KU Leuven, imec - COSIC, Leuven, Belgium firstname.lastname@esat.kuleuven.be 2 Rambus, Cryptography
More informationProtecting AES with Shamir s Secret Sharing Scheme
Protecting AES with Shamir s Secret Sharing Scheme Louis Goubin 1 and Ange Martinelli 1,2 1 Versailles Saint-Quentin-en-Yvelines University Louis.Goubin@prism.uvsq.fr 2 Thales Communications jean.martinelli@fr.thalesgroup.com
More informationFull Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5
Full Attacks on HMAC/NMAC- and NMAC-MD5 Pierre-Alain Fouque, Gaëtan Leurent, Phong Nguyen Laboratoire d Informatique de l École Normale Supérieure CRYPTO 2007 1/26 WhatisaMACalgorithm? M Alice wants to
More informationElliptic Curve Cryptography and Security of Embedded Devices
Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Mathématiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography
More informationLeakage Resilient ElGamal Encryption
Asiacrypt 2010, December 9th, Singapore Outline 1 Hybrid Encryption, the KEM/DEM framework 2 ElGamal KEM 3 Leakage Resilient Crypto Why? How? Other models? 4 Leakage Resilient ElGamal CCA1 secure KEM (Key
More informationPractical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits
Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits Damien Vergnaud École normale supérieure CHES September, 15th 2015 (with Aurélie Bauer) Damien Vergnaud
More informationHorizontal and Vertical Side-Channel Attacks against Secure RSA Implementations
Introduction Clavier et al s Paper This Paper Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations Aurélie Bauer Éliane Jaulmes Emmanuel Prouff Justine Wild ANSSI Session ID:
More informationLeakage Assessment Methodology - a clear roadmap for side-channel evaluations - Tobias Schneider and Amir Moradi
Leakage Assessment Methodology - a clear roadmap for side-channel evaluations - Tobias Schneider and Amir Moradi Wednesday, September 16 th, 015 Motivation Security Evaluation Motivation Security Evaluation
More informationFHE Over the Integers: Decomposed and Batched in the Post-Quantum Regime
FHE Over the Integers: Decomposed and Batched in the Post-Quantum Regime Daniel Benarroch,1, Zvika Brakerski,1, and Tancrède Lepoint,2 1 Weizmann Institute of Science, Israel 2 SRI International, USA Abstract.
More informationPractical Lattice-Based Digital Signature Schemes
Practical Lattice-Based Digital Signature Schemes Howe, J., Poppelmann, T., O'Neill, M., O'Sullivan, E., & Guneysu, T. (2015). Practical Lattice-Based Digital Signature Schemes. ACM Transactions on Embedded
More informationRelaxed Lattice-Based Signatures with Short Zero-Knowledge Proofs
Relaxed Lattice-Based Signatures with Short Zero-Knowledge Proofs Cecilia Boschini, Jan Camenisch, and Gregory Neven IBM Research Zurich {bos, jca, nev}@zurich.ibm.com Abstract. Higher-level cryptographic
More informationMasking against Side-Channel Attacks: AFormalSecurityProof
Masking against Side-Channel Attacks: AFormalSecurityProof Emmanuel Prouff 1 and Matthieu Rivain 2 1 ANSSI emmanuel.prouff@ssi.gouv.fr 2 CryptoExperts matthieu.rivain@cryptoexperts.com Abstract. Masking
More informationConversion from Arithmetic to Boolean Masking with Logarithmic Complexity
Conversion from Arithmetic to Boolean Masking with Logarithmic Complexity Jean-Sébastien Coron 1, Johann Großschädl 1, Mehdi Tibouchi 2, and Praveen Kumar Vadnala 1 1 University of Luxembourg, jean-sebastien.coron,johann.groszschaedl,praveen.vadnala}@uni.lu
More informationMasking AES with d + 1 Shares in Hardware
Masking AES with d + 1 Shares in Hardware Thomas De Cnudde 1, Oscar Reparaz 1, Begül Bilgin 1, Svetla Nikova 1, Ventzislav Nikov 2 and Vincent Rijmen 1 1 KU Leuven, ESAT-COSIC and iminds, Belgium {name.surname}@esat.kuleuven.be
More informationMessage Authentication Codes (MACs)
Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands October 8, 2015 1 / 22 About Me 2 / 22 About Me Tung Chou (Tony) 2 / 22 About Me Tung Chou (Tony) Ph.D.
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationBitslice Ciphers and Power Analysis Attacks
Bitslice Ciphers and Power Analysis Attacks Joan Daemen, Michael Peeters and Gilles Van Assche Proton World Intl. Rue Du Planeur 10, B-1130 Brussel, Belgium Email: {daemen.j, peeters.m, vanassche.g}@protonworld.com
More informationOn the Practical Security of a Leakage Resilient Masking Scheme
On the Practical Security of a Leakage Resilient Masking Scheme T. Roche thomas.roche@ssi.gouv.fr Joint work with E. Prouff and M. Rivain French Network and Information Security Agency (ANSSI) CryptoExperts
More informationLattice-Based Fault Attacks on RSA Signatures
Lattice-Based Fault Attacks on RSA Signatures Mehdi Tibouchi École normale supérieure Workshop on Applied Cryptography, Singapore, 2010-12-03 Gist of this talk Review a classical attack on RSA signatures
More informationStructure Preserving CCA Secure Encryption
Structure Preserving CCA Secure Encryption presented by ZHANG Tao 1 / 9 Introduction Veriable Encryption enable validity check of the encryption (Camenisch et al. @ CRYPTO'03): veriable encryption of discrete
More informationSide-channel analysis in code-based cryptography
1 Side-channel analysis in code-based cryptography Tania RICHMOND IMATH Laboratory University of Toulon SoSySec Seminar Rennes, April 5, 2017 Outline McEliece cryptosystem Timing Attack Power consumption
More informationMASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer
MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer Tore Frederiksen Emmanuela Orsini Marcel Keller Peter Scholl Aarhus University University of Bristol 31 May 2016 Secure Multiparty
More information