Masking the GLP Lattice-Based Signature Scheme at Any Order

Size: px

Start display at page:

Download "Masking the GLP Lattice-Based Signature Scheme at Any Order"

Brenda Warner
5 years ago
Views:

1 Masking the GLP Lattice-Based Signature Scheme at Any Order Sonia Belaïd Joint Work with Gilles Barthe, Thomas Espitau, Pierre-Alain Fouque, Benjamin Grégoire, Mélissa Rossi, and Mehdi Tibouchi 1 / 31

2 1 Post-Quantum Schemes 2 Power Analysis Attacks and Masking 3 Contribution: Higher-Order Masking of GLP 4 Implementation of the Countermeasure 5 Conclusion 2 / 31

3 1 Post-Quantum Schemes 2 Power Analysis Attacks and Masking 3 Contribution: Higher-Order Masking of GLP 4 Implementation of the Countermeasure 5 Conclusion 3 / 31

4 Post-Quantum Schemes Context NIST postquantum competition demands for practical implementation 4 / 31

5 Lattice-Based Signatures So far Numerous physical attacks against lattice-based schemes (Gaussian distributions, rejection sampling) Few countermeasures exist 5 / 31

6 1 Post-Quantum Schemes 2 Power Analysis Attacks and Masking 3 Contribution: Higher-Order Masking of GLP 4 Implementation of the Countermeasure 5 Conclusion 6 / 31

7 Power Analysis Attacks 7 / 31

8 Masking sound countermeasure which splits every sensitive variable x into d + 1 shares (x i ) 0 i d such that for every 1 i d, x i is picking uniformly at random x 0 x x 1 x d any strict subvector of at most d shares is independent from x d is called masking order or security order 8 / 31

9 Leakage Models Probing model by Ishai, Sahai, and Wagner (Crypto 2003) a circuit is d-probing secure iff any set composed of the exact values of at most d intermediate variables is independent from the secret 9 / 31

Leakage Models Probing model by Ishai, Sahai, and Wagner (Crypto 2003) a circuit is d-probing secure iff any set composed of the exact values of at most d intermediate variables is independent from

10 Leakage Models Probing model by Ishai, Sahai, and Wagner (Crypto 2003) a circuit is d-probing secure iff any set composed of the exact values of at most d intermediate variables is independent from the secret Noisy leakage model by Chari, Jutla, Rao, and Rohatgi (Crypto 1999) then Rivain and Prouff (EC 2013) a circuit is secure in the noisy leakage model iff the adversary cannot recover information on the secret from the noisy values of all the intermediate variables 9 / 31

11 Leakage Models Probing model by Ishai, Sahai, and Wagner (Crypto 2003) a circuit is d-probing secure iff any set composed of the exact values of at most d intermediate variables is independent from the secret Noisy leakage model by Chari, Jutla, Rao, and Rohatgi (Crypto 1999) then Rivain and Prouff (EC 2013) a circuit is secure in the noisy leakage model iff the adversary cannot recover information on the secret from the noisy values of all the intermediate variables Reduction by Duc, Dziembowski, and Faust (EC 2014) d-probing security security in the noisy leakage model for some level of noise 9 / 31

12 Probing Model variables: secret, shares, constant masking order d = 3 function Ex-t3(x 0, x 1, x 2, x 3, c): (* x 0, x 1, x 2 = $ *) (* x 3 = x + x 0 + x 1 + x 2 *) r 0 $ r 1 $ y 0 x 0 + r 0 y 1 x 3 + r 1 t 1 x 1 + r 0 t 2 (x 1 + r 0 ) + x 2 y 2 (x 1 + r 0 + x 2 ) + r 1 y 3 c + r 1 return(y 0, y 1, y 2, y 3 ) 10 / 31

13 Probing Model variables: secret, shares, constant masking order d = 3 independent from the secret? function Ex-t3(x 0, x 1, x 2, x 3, c): (* x 0, x 1, x 2 = $ *) (* x 3 = x + x 0 + x 1 + x 2 *) r 0 $ r 1 $ y 0 x 0 + r 0 y 1 x 3 + r 1 t 1 x 1 + r 0 t 2 (x 1 + r 0 ) + x 2 y 2 (x 1 + r 0 + x 2 ) + r 1 y 3 c + r 1 return(y 0, y 1, y 2, y 3 ) 10 / 31

14 Probing Model variables: secret, shares, constant masking order d = 3 independent from the secret? function Ex-t3(x 0, x 1, x 2, x 3, c): (* x 0, x 1, x 2 = $ *) (* x 3 = x + x 0 + x 1 + x 2 *) r 0 $ r 1 $ y 0 x 0 + r 0 y 1 x 3 + r 1 t 1 x 1 + r 0 t 2 (x 1 + r 0 ) + x 2 y 2 (x 1 + r 0 + x 2 ) + r 1 y 3 c + r 1 return(y 0, y 1, y 2, y 3 ) 10 / 31

15 Non-Interference (NI) d-ni d-probing secure a circuit is d-ni iff any set of d intermediate variables can be perfectly simulated with at most d shares of each input can be simulated with x 0 and x 1 function Ex-t3(x 0, x 1, x 2, x 3, c): (* x 0, x 1, x 2 = $ *) (* x 3 = x + x 0 + x 1 + x 2 *) r 0 $ r 1 $ y 0 x 0 + r 0 y 1 x 3 + r 1 t 1 x 1 + r 0 t 2 (x 1 + r 0 ) + x 2 y 2 (x 1 + r 0 + x 2 ) + r 1 y 3 c + r 1 return(y 0, y 1, y 2, y 3 ) 11 / 31

16 Non-Interference (NI) d-ni d-probing secure a circuit is d-ni iff any set of d intermediate variables can be perfectly simulated with at most d shares of each input x 0 x 1 x 2 x 3 (= x + x 0 + x 1 + x 2 ) Ex-d3 3 observations y 0 y 1 y 2 y 3 12 / 31

17 Strong Non-Interference (SNI) d-sni d-ni d-probing secure a circuit is d-sni iff any set of d intermediate variables, whose d 1 on the internal variables and d 2 and the outputs, can be perfectly simulated with at most d 1 shares of each input require x 0 and x 1 to be perfectly simulated not 3-SNI since y 0 is an output variable function Ex-t3(x 0, x 1, x 2, x 3, c): (* x 0, x 1, x 2 = $ *) (* x 3 = x + x 0 + x 1 + x 2 *) r 0 $ r 1 $ y 0 x 0 + r 0 y 1 x 3 + r 1 t 1 x 1 + r 0 t 2 (x 1 + r 0 ) + x 2 y 2 (x 1 + r 0 + x 2 ) + r 1 y 3 c + r 1 return(y 0, y 1, y 2, y 3 ) 13 / 31

18 Strong Non-Interference (SNI) d-sni d-ni d-probing secure a circuit is d-sni iff any set of d intermediate variables, whose d 1 on the internal variables and d 2 and the outputs, can be perfectly simulated with at most d 1 shares of each input x 0 x 1 x 2 x 3 Ex-d3 y 0 y 1 y 2 y 3 2 internal observations + 1 output observation 14 / 31

19 Composition From NI and SNI gadgets, we are able to build a NI circuit by adding SNI refresh gadgets when necessary Example: AES S-box on GF(2 8 ) Constraint: d 0 +d 1 +d 2 +d 3 d d 0 observations d 3 observations [ ] [x] R [ 2] d 1 observations d 2 observations 15 / 31

20 Composition From NI and SNI gadgets, we are able to build a NI circuit by adding SNI refresh gadgets when necessary Example: AES S-box on GF(2 8 ) Constraint: d 0 +d 1 +d 2 +d 3 d d 0 observations d 3 observations [ ] [x] R [ 2] d 1 observations d 2 observations 15 / 31

21 Composition From NI and SNI gadgets, we are able to build a NI circuit by adding SNI refresh gadgets when necessary Example: AES S-box on GF(2 8 ) Constraint: d 0 +d 1 +d 2 +d 3 d d 0 + d 3 observations [ ] [x] R d [ 2] 1 observations d 2 internal observations t 3 output observations 15 / 31

22 Composition From NI and SNI gadgets, we are able to build a NI circuit by adding SNI refresh gadgets when necessary Example: AES S-box on GF(2 8 ) Constraint: d 0 +d 1 +d 2 +d 3 d d 0 + d 3 observations [ ] [x] R d [ 2] 1 observations d 2 internal observations t 3 output observations 15 / 31

23 Composition From NI and SNI gadgets, we are able to build a NI circuit by adding SNI refresh gadgets when necessary Example: AES S-box on GF(2 8 ) Constraint: d 0 +d 1 +d 2 +d 3 d d 0 + d 3 observations [ ] [x] R [ 2] d 1 + d 2 observations d 3 output observations 15 / 31

24 Composition From NI and SNI gadgets, we are able to build a NI circuit by adding SNI refresh gadgets when necessary Example: AES S-box on GF(2 8 ) Constraint: d 0 +d 1 +d 2 +d 3 d d 0 + d 3 observations [ ] [x] R [ 2] d 1 + d 2 observations d 3 output observations 15 / 31

25 Composition From NI and SNI gadgets, we are able to build a NI circuit by adding SNI refresh gadgets when necessary Example: AES S-box on GF(2 8 ) d 0 + d 3 +d 1 + d 2 observations [x] [ 2] Constraint: d 0 +d 1 +d 2 +d 3 d R d 3 output observations [ ] 15 / 31

26 1 Post-Quantum Schemes 2 Power Analysis Attacks and Masking 3 Contribution: Higher-Order Masking of GLP 4 Implementation of the Countermeasure 5 Conclusion 16 / 31

27 GLP Features Introduced at CHES 2012 by Tim Güneysu, Vadim Lyubashevsky, and Thomas Pöppelmann No Gaussians, only uniform distributions Probabilistic algorithm Rejection sampling 17 / 31

28 GLP Key Derivation R = Zp[x] x n +1 R k : coefficients in the range [ k, k] Algorithm 1 GLP key derivation Ensure: Signing key sk, verification key pk 1: s 1, s 2 $ R1 //s 1 and s 2 have coefficients in { 1, 0, 1} 2: a $ R 3: t as 1 + s 2 4: sk (s 1, s 2 ) 5: pk (a, t) Based on the Decisional Compact Knapsack problem 18 / 31

29 GLP Signature Fiat Shamir with abort signature Algorithm 2 GLP signature Require: m, pk, sk Ensure: Signature σ 1: y 1, y 2 $ Rk Random generation 2: c H(r = ay 1 + y 2, m) Commitment 3: z 1 s 1 c + y 1 4: z 2 s 2 c + y 2 5: if z 1 or z 2 / R k α then restart Rejection Sampling return σ = (z 1, z 2, c) Verification z 1, z 2 R k α and c = H(az 1 + z 2 tc, m) 19 / 31

30 Masking GLP Key Derivation Algorithm 3 GLP key derivation Ensure: Signing key sk, verification key pk 1: s 1, s 2 $ R1 //s 1 and s 2 have coefficients in { 1, 0, 1} 2: a $ R 3: t as 1 + s 2 4: sk (s 1, s 2 ) 5: pk (a, t) DG (s1,i)0 i d DG (s2,i)0 i d

31 Masking GLP Key Derivation Algorithm 4 GLP key derivation Ensure: Signing key sk, verification key pk 1: s 1, s 2 $ R1 //s 1 and s 2 have coefficients in { 1, 0, 1} 2: a $ R 3: t as 1 + s 2 4: sk (s 1, s 2 ) 5: pk (a, t) a DG (s1,i)0 i d DG (s2,i)0 i d

32 Masking GLP Key Derivation Algorithm 5 GLP key derivation Ensure: Signing key sk, verification key pk 1: s 1, s 2 $ R1 //s 1 and s 2 have coefficients in { 1, 0, 1} 2: a $ R 3: t as 1 + s 2 4: sk (s 1, s 2 ) 5: pk (a, t) a DG (s1,i)0 i d H 1 (ti)0 i d DG (s2,i)0 i d

33 Masking GLP Key Derivation Algorithm 6 GLP key derivation Ensure: Signing key sk, verification key pk 1: s 1, s 2 $ R1 //s 1 and s 2 have coefficients in { 1, 0, 1} 2: a $ R 3: t as 1 + s 2 4: sk (s 1, s 2 ) 5: pk (a, t) a (s1,i)0 i d DG (s1,i)0 i d H 1 (ti)0 i d DG (s2,i)0 i d (s2,i)0 i d

34 Masking GLP Key Derivation Algorithm 7 GLP key derivation Ensure: Signing key sk, verification key pk 1: s 1, s 2 $ R1 //s 1 and s 2 have coefficients in { 1, 0, 1} 2: a $ R 3: t as 1 + s 2 4: sk (s 1, s 2 ) 5: pk (a, t) a (s1,i)0 i d DG (s1,i)0 i d H 1 (ti)0 i d FullAdd t DG (s2,i)0 i d (s2,i)0 i d 20 / 31

35 Security of Individual Gadgets Each sensitive variable must be masked mod-p arithmetic masking w-bit Boolean masking Each block (or sub-block) which manipulates secret data is individually proven according to one of the three properties Non-Interference (NI) Strong Non-Interference (SNI) Non-Interference with public Outputs (NIo) 21 / 31

36 Masking GLP Key Derivation DG: generation of sharings for coefficients x [ k, k] (k = 1) 22 / 31

37 Masking GLP Key Derivation DG: generation of sharings for coefficients x [ k, k] (k = 1) 1. generate a Boolean sharing of x: where 2 w0 > 2k w0 1 0 i d, x i [0, 2 w0 1] 22 / 31

38 Masking GLP Key Derivation DG: generation of sharings for coefficients x [ k, k] (k = 1) 1. generate a Boolean sharing of x: 0 i d, x i [0, 2 w0 1] where 2 w0 > 2k w (δ i ) 0 i d (x i ) 0 i d (k i ) 0 i d 22 / 31

39 Masking GLP Key Derivation DG: generation of sharings for coefficients x [ k, k] (k = 1) 1. generate a Boolean sharing of x: 0 i d, x i [0, 2 w0 1] where 2 w0 > 2k w (δ i ) 0 i d (x i ) 0 i d (k i ) 0 i d 3. b unmask δ s most significant bit 4. b equals 0 iff x 2k / 31

40 Masking GLP Key Derivation DG: generation of sharings for coefficients x [ k, k] (k = 1) 1. generate a Boolean sharing of x: 0 i d, x i [0, 2 w0 1] where 2 w0 > 2k w (δ i ) 0 i d (x i ) 0 i d (k i ) 0 i d 3. b unmask δ s most significant bit 4. b equals 0 iff x 2k convert (x i ) 0 i d to an arithmetic masking 22 / 31

41 Masking GLP Key Derivation DG: generation of sharings for coefficients x [ k, k] (k = 1) 1. generate a Boolean sharing of x: 0 i d, x i [0, 2 w0 1] where 2 w0 > 2k w (δ i ) 0 i d (x i ) 0 i d (k i ) 0 i d 3. b unmask δ s most significant bit 4. b equals 0 iff x 2k convert (x i ) 0 i d to an arithmetic masking H 1 : t as 1 + s 2 FullAdd: refresh then add 22 / 31

42 Masking GLP Key Derivation Algorithm 8 GLP key derivation Ensure: Signing key sk, verification key pk 1: s 1, s 2 $ R1 //s 1 and s 2 have coefficients in { 1, 0, 1} 2: a $ R 3: t as 1 + s 2 4: sk (s 1, s 2 ) 5: pk (a, t) a (s1,i)0 i d DG (s1,i)0 i d H 1 (ti)0 i d FullAdd t DG (s2,i)0 i d (s2,i)0 i d Not masked Non interferent Non interferent with public outputs 23 / 31

43 Masking GLP Signature Algorithm 9 GLP signature Require: m, pk, sk Ensure: Signature σ 1: y 1, y 2 $ R k 2: c H(r = ay 1 + y 2, m) 3: z 1 s 1 c + y 1 4: z 2 s 2 c + y 2 5: if z 1 or z 2 / R k α then restart return σ = (z 1, z 2, c) DG (y1,i)0 i d DG (y2,i)0 i d

44 Masking GLP Signature Algorithm 10 GLP signature Require: m, pk, sk Ensure: Signature σ 1: y 1, y 2 $ R k 2: c H(r = ay 1 + y 2, m) 3: z 1 s 1 c + y 1 4: z 2 s 2 c + y 2 5: if z 1 or z 2 / R k α then restart return σ = (z 1, z 2, c) a DG (y1,i)0 i d H 1 (ri)0 i d DG (y2,i)0 i d

45 Masking GLP Signature Algorithm 11 GLP signature Require: m, pk, sk Ensure: Signature σ 1: y 1, y 2 $ R k 2: c H(r = ay 1 + y 2, m) 3: z 1 s 1 c + y 1 4: z 2 s 2 c + y 2 5: if z 1 or z 2 / R k α then restart return σ = (z 1, z 2, c) a DG (y1,i)0 i d H 1 (ri)0 i d FullAdd r DG (y2,i)0 i d

46 Masking GLP Signature Algorithm 12 GLP signature Require: m, pk, sk Ensure: Signature σ 1: y 1, y 2 $ R k 2: c H(r = ay 1 + y 2, m) 3: z 1 s 1 c + y 1 4: z 2 s 2 c + y 2 5: if z 1 or z 2 / R k α then restart return σ = (z 1, z 2, c) a m DG (y1,i)0 i d H 1 (ri)0 i d FullAdd r c Hash DG (y2,i)0 i d

47 Masking GLP Signature Algorithm 13 GLP signature Require: m, pk, sk Ensure: Signature σ 1: y 1, y 2 $ R k 2: c H(r = ay 1 + y 2, m) 3: z 1 s 1 c + y 1 4: z 2 s 2 c + y 2 5: if z 1 or z 2 / R k α then restart return σ = (z 1, z 2, c) a (y1,i)0 i d (s1,i)0 i d m DG (y1,i)0 i d H 1 (ri)0 i d FullAdd r Hash c H 1 (z1,i)0 i d DG (y2,i)0 i d H 1 (z2,i)0 i d (y2,i)0 i d (s2,i)0 i d

48 Masking GLP Signature Algorithm 14 GLP signature Require: m, pk, sk Ensure: Signature σ 1: y 1, y 2 $ R k 2: c H(r = ay 1 + y 2, m) 3: z 1 s 1 c + y 1 4: z 2 s 2 c + y 2 5: if z 1 or z 2 / R k α then restart return σ = (z 1, z 2, c) (y1,i)0 i d (s1,i)0 i d a (z1,i)0 i d m DG (y1,i)0 i d H 1 (ri)0 i d FullAdd r Hash c H 1 (z1,i)0 i d RS RejSp H 2 (z1,i)0 i d FullAdd z 1 DG (y2,i)0 i d H 1 (z2,i)0 i d H 2 (z2,i)0 i d FullAdd z 2 (z2,i)0 i d (y2,i)0 i d (s2,i)0 i d c 24 / 31

49 Masking GLP Signature DG: generation of sharings for coefficients x [ k, k] H 1 : ay 1 + y 2 FullAdd: refresh then add Hash: unmasked RS: some details follow H 2 : linear function FullAdd: refresh then add 25 / 31

50 Masking GLP Signature Rejection Sampling: are coefficients of z 1 and z 2 in [ k + α, k α]? 26 / 31

51 Masking GLP Signature Rejection Sampling: are coefficients of z 1 and z 2 in [ k + α, k α]? 1. convert mod-p arithmetic sharing into Boolean masking 26 / 31

52 Masking GLP Signature Rejection Sampling: are coefficients of z 1 and z 2 in [ k + α, k α]? 1. convert mod-p arithmetic sharing into Boolean masking 2. as in Data Generation, compute the masked difference with k α difference 26 / 31

53 Masking GLP Signature Rejection Sampling: are coefficients of z 1 and z 2 in [ k + α, k α]? 1. convert mod-p arithmetic sharing into Boolean masking 2. as in Data Generation, compute the masked difference with k α difference 3. securely check the most significant bit 26 / 31

54 Masking GLP Signature Algorithm 15 GLP signature Require: m, pk, sk Ensure: Signature σ 1: y 1, y 2 $ R k 2: c H(r = ay 1 + y 2, m) 3: z 1 s 1 c + y 1 4: z 2 s 2 c + y 2 5: if z 1 or z 2 / R k α then restart return σ = (z 1, z 2, c) (y1,i)0 i d (s1,i)0 i d a (z1,i)0 i d m DG (y1,i)0 i d H 1 (ri)0 i d FullAdd r Hash c H 1 (z1,i)0 i d RS RejSp H 2 (z1,i)0 i d FullAdd z 1 DG (y2,i)0 i d H 1 (z2,i)0 i d H 2 (z2,i)0 i d FullAdd z 2 (z2,i)0 i d (y2,i)0 i d (s2,i)0 i d c 27 / 31

55 1 Post-Quantum Schemes 2 Power Analysis Attacks and Masking 3 Contribution: Higher-Order Masking of GLP 4 Implementation of the Countermeasure 5 Conclusion 28 / 31

56 Implementation unoptimized implementation based on a public domain implementation called GLYPH (n = 1024, p = 59393, k = 16383, and α = 16) Table: Implementation results. Timings are provided for 100 executions of the signing and verification algorithms, on one core of an Intel Core i CPU-based desktop machine. Number of shares (d + 1) Unprotected Total CPU time (s) Masking overhead / 31

57 1 Post-Quantum Schemes 2 Power Analysis Attacks and Masking 3 Contribution: Higher-Order Masking of GLP 4 Implementation of the Countermeasure 5 Conclusion 30 / 31

58 Conclusion In a nutshell... Higher-order masking of GLP with proof in the probing model New security notions to mask lattice-based signatures To continue... Extend these results to other lattice-based signatures Extend these results to other post-quantum schemes 31 / 31

Masking the GLP Lattice-Based Signature Scheme at any Order

Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software Institute) Sonia Belaïd (CryptoExperts) Thomas Espitau (UPMC) Pierre-Alain Fouque (Univ. Rennes I and IUF) Benjamin