Masking the GLP Lattice-Based Signature Scheme at any Order

Transcription

1 Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software Institute) Sonia Belaïd (CryptoExperts) Thomas Espitau (UPMC) Pierre-Alain Fouque (Univ. Rennes I and IUF) Benjamin Grégoire (INRIA Sophia Antipolis) Mélissa Rossi (ENS Paris and Thales) Mehdi Tibouchi (NTT Secure Platform Laboratories) May 1st 2018 Eurocrypt

2 Masking a post-quantum signature Numerous side channel attacks against lattice-based schemes (Gaussian distributions, rejection sampling) Few countermeasures exist, especially on signatures Call for concrete implementations of post-quantum cryptography Strong countermeasures needed

3 Leakage models and masking Input Algorithm Returned value

4 Leakage models and masking Input Ishai, Sahai and Wagner model [ISW03] : The attacker can access the exact values of at most d intermediate values Algorithm Proof-Friendly Returned value

5 Leakage models and masking Input Ishai, Sahai and Wagner model [ISW03] : The attacker can access the exact values of at most d intermediate values Algorithm Proof-Friendly Noisy leakage model [CJRR99, PR13]: The attacker can access the noisy values of all the intermediate values Returned value Realistic

6 Leakage models and masking Input Security in the ISW model: d order masking Each sensitive value is replaced by d + 1 shares. Algorithm Returned value

7 Leakage models and masking Input Security in the ISW model: d order masking Each sensitive value is replaced by d + 1 shares. Algorithm Such that it is impossible to recover the value without having all d + 1 shares = Returned value

8 Leakage models and masking Input Security in the ISW model: d order masking Each sensitive value is replaced by d + 1 shares. Algorithm Such that it is impossible to recover the value without having all d + 1 shares = Returned value Any strict subset of at most d shares is independant from the sensitive value

9 Our contribution The first provable masked implementation of a lattice-based signature scheme at any order New techniques for masking lattice-based Fiat Shamir with abort signatures New proofs for masking probabilistic algorithms

10 1 The signature 1 Why GLP signature scheme? 2 GLP signature scheme 2 The countermeasure and its proof 1 Structure of the countermeasure and its proof 2 Masking GLP key generation 3 Masking GLP signature 4 Composition 5 Conversions Boolean to arithmetic 3 Performances

11 Why GLP signature scheme? Introduced in [Lyu09, Lyu12] Implemented by Güneysu, Lyubashevsky and Pöppelmann in [GLP12] Ancestor of BLISS and Dilithium No Gaussians, only uniform distributions

12 Why GLP signature scheme? Introduced in [Lyu09, Lyu12] Implemented by Güneysu, Lyubashevsky and Pöppelmann in [GLP12] Ancestor of BLISS and Dilithium No Gaussians, only uniform distributions But still some new difficulties Probabilistic algorithm Reliance on rejection sampling

13 GLP Key derivation R = Z p[x] (x n +1) R k : coefficients in the range [ k, k] Algorithm 1 GLP key derivation Ensure: Signing key sk, verification key pk 1: s 1, s 2 $ R 1 //s 1 and s 2 have coefficients in { 1, 0, 1} 2: a $ R 3: t as 1 + s 2 4: sk (s 1, s 2 ) 5: pk (a, t) Based on the Decisional Compact Knapsack problem

14 GLP signature Fiat Shamir with abort signature Algorithm 2 GLP sign Require: m, pk = (a, t), sk = (s 1, s 2 ) Ensure: Signature σ 1: y 1, y $ 2 R k Random generation 2: c H(r = ay 1 + y 2, m) Commitment and challenge 3: z 1 s 1c + y 1 4: z 2 s 2c + y 2 5: if z 1 or z 2 / R k α then restart Rejection Sampling 6: return σ = (z 1, z 2, c) k = 2 14 α = 16 n = 512 p = Verification : z 1, z 2 R k α and c = H(az 1 + z 2 tc, m)

15 The signature The countermeasure and its proof Performances Structure of the countermeasure and its proof 1 The signature and key derivation algorithms are divided in blocks Future work

16 The signature The countermeasure and its proof Performances Structure of the countermeasure and its proof 1 The signature and key derivation algorithms are divided in blocks 2 Each block is proven securely masked with one of the following properties Future work

17 The signature The countermeasure and its proof Performances Structure of the countermeasure and its proof 1 The signature and key derivation algorithms are divided in blocks 2 Each block is proven securely masked with one of the following properties Unmasked For non sensitive parts. Future work

18 The signature The countermeasure and its proof Performances Structure of the countermeasure and its proof 1 The signature and key derivation algorithms are divided in blocks 2 Each block is proven securely masked with one of the following properties Unmasked For non sensitive parts. Non interferent Every set of at most d intermediate variables can be perfectly simulated with at most d shares of each input. Future work

19 The signature The countermeasure and its proof Performances Future work Structure of the countermeasure and its proof 1 The signature and key derivation algorithms are divided in blocks 2 Each block is proven securely masked with one of the following properties Unmasked For non sensitive parts. Non interferent Every set of at most d intermediate variables can be perfectly simulated with at most d shares of each input. Non interferent with public outputs Every set of at most d intermediate variables can be perfectly simulated with the public outputs and at most d shares of each input.

20 The signature The countermeasure and its proof Performances Future work Structure of the countermeasure and its proof 1 The signature and key derivation algorithms are divided in blocks 2 Each block is proven securely masked with one of the following properties Unmasked For non sensitive parts. Non interferent Every set of at most d intermediate variables can be perfectly simulated with at most d shares of each input. Non interferent with public outputs Every set of at most d intermediate variables can be perfectly simulated with the public outputs and at most d shares of each input. We give some values (called outputs) to the attacker and prove that the countermeasure does not leak more than the outputs.

21 The signature The countermeasure and its proof Performances Future work Structure of the countermeasure and its proof 1 The signature and key derivation algorithms are divided in blocks 2 Each block is proven securely masked with one of the following properties Unmasked For non sensitive parts. Non interferent Every set of at most d intermediate variables can be perfectly simulated with at most d shares of each input. Non interferent with public outputs Every set of at most d intermediate variables can be perfectly simulated with the public outputs and at most d shares of each input. We give some values (called outputs) to the attacker and prove that the countermeasure does not leak more than the outputs. 3 A composition proof combines all the securities to the whole scheme

22 Masking GLP key generation Algorithm 1 GLP key generation Ensure: Signing key sk, verification key pk 1: s 1, s 2 $ R 1 //s 1 and s 2 have coefficients in { 1, 0, 1} 2: a $ R 3: t as 1 + s 2 4: sk (s 1, s 2 ) 5: pk (a, t) s1 s2

23 Masking GLP key generation Algorithm 1 GLP key generation Ensure: Signing key sk, verification key pk 1: s 1, s 2 $ R 1 //s 1 and s 2 have coefficients in { 1, 0, 1} 2: a $ R 3: t as 1 + s 2 4: sk (s 1, s 2 ) 5: pk (a, t) a s1 s2

24 Masking GLP key generation Algorithm 1 GLP key generation Ensure: Signing key sk, verification key pk 1: s 1, s 2 $ R 1 //s 1 and s 2 have coefficients in { 1, 0, 1} 2: a $ R 3: t as 1 + s 2 4: sk (s 1, s 2 ) 5: pk (a, t) a s1 s2 H 1 t

25 Masking GLP key generation Algorithm 1 GLP key generation Ensure: Signing key sk, verification key pk 1: s 1, s 2 $ R 1 //s 1 and s 2 have coefficients in { 1, 0, 1} 2: a $ R 3: t as 1 + s 2 4: sk (s 1, s 2 ) 5: pk (a, t) a s1 s1 s2 H 1 t s2

26 Masking GLP key generation Algorithm 1 GLP key generation Ensure: Signing key sk, verification key pk 1: s 1, s 2 $ R 1 //s 1 and s 2 have coefficients in { 1, 0, 1} 2: a $ R 3: t as 1 + s 2 4: sk (s 1, s 2 ) 5: pk (a, t) a s1 s1 H 1 t FullAdd t s2 s2

27 Masking GLP key generation Algorithm 1 GLP key generation Ensure: Signing key sk, verification key pk 1: s 1, s 2 $ R 1 //s 1 and s 2 have coefficients in { 1, 0, 1} 2: a $ R 3: t as 1 + s 2 4: sk (s 1, s 2 ) 5: pk (a, t) a H 1 FullAdd t Not masked Non interferent Non interferent with public output

28 Masking the signature Algorithm 2 GLP sign Require: m, pk = (a, t), sk = (s 1, s 2 ) Ensure: Signature σ 1: y 1, y $ 2 R k 2: c H(r = ay 1 + y 2, m) 3: z 1 s 1c + y 1 4: z 2 s 2c + y 2 5: if z 1 or z 2 / R k α then restart 6: return σ = (z 1, z 2, c)

29 Masking the signature Algorithm 2 GLP sign Require: m, pk = (a, t), sk = (s 1, s 2 ) Ensure: Signature σ 1: y 1, y $ 2 R k 2: c H(r = ay 1 + y 2, m) 3: z 1 s 1c + y 1 4: z 2 s 2c + y 2 5: if z 1 or z 2 / R k α then restart 6: return σ = (z 1, z 2, c) Masking the commitment : unnecessary Distinguishing (c, r) pairs from uniform is heuristically 1 a hard problem even for rejected executions. 1 Thanks to V. Lyubashevsky, we also provided a non heuristic approach which requires somes changes in the algorithm

30 Masking the signature Algorithm 3 Tweaked GLP sign Require: m, pk = (a, t), sk = (s 1, s 2 ) Ensure: Signature σ 1: $ y 1, y 2 Rk 2: c H(r = ay 1 + y 2, m) 3: z 1 s 1 c + y 1 4: z 2 s 2 c + y 2 5: if z 1 or z 2 / R k α then return 6: return σ = (z 1, z 2, c) y1 y2

31 Masking the signature Algorithm 3 Tweaked GLP sign Require: m, pk = (a, t), sk = (s 1, s 2 ) Ensure: Signature σ 1: $ y 1, y 2 Rk 2: c H(r = ay 1 + y 2, m) 3: z 1 s 1 c + y 1 4: z 2 s 2 c + y 2 5: if z 1 or z 2 / R k α then return 6: return σ = (z 1, z 2, c) a y1 y2 H 1 r

32 Masking the signature Algorithm 3 Tweaked GLP sign Require: m, pk = (a, t), sk = (s 1, s 2 ) Ensure: Signature σ 1: $ y 1, y 2 Rk 2: c H(r = ay 1 + y 2, m) 3: z 1 s 1 c + y 1 4: z 2 s 2 c + y 2 5: if z 1 or z 2 / R k α then return 6: return σ = (z 1, z 2, c) a y1 H 1 r FullAdd r y2

33 Masking the signature Algorithm 3 Tweaked GLP sign Require: m, pk = (a, t), sk = (s 1, s 2 ) Ensure: Signature σ 1: $ y 1, y 2 Rk 2: c H(r = ay 1 + y 2, m) 3: z 1 s 1 c + y 1 4: z 2 s 2 c + y 2 5: if z 1 or z 2 / R k α then return 6: return σ = (z 1, z 2, c) a m y1 H 1 r FullAdd r Hash c y2

34 Masking the signature Algorithm 3 Tweaked GLP sign Require: m, pk = (a, t), sk = (s 1, s 2 ) Ensure: Signature σ 1: $ y 1, y 2 Rk 2: c H(r = ay 1 + y 2, m) 3: z 1 s 1 c + y 1 4: z 2 s 2 c + y 2 5: if z 1 or z 2 / R k α then return 6: return σ = (z 1, z 2, c) s1 a m y1 H 1 r FullAdd r Hash c H 1 z1 y2 H 1 z2 s2

35 Masking the signature Algorithm 3 Tweaked GLP sign Require: m, pk = (a, t), sk = (s 1, s 2 ) Ensure: Signature σ 1: $ y 1, y 2 Rk 2: c H(r = ay 1 + y 2, m) 3: z 1 s 1 c + y 1 4: z 2 s 2 c + y 2 5: if z 1 or z 2 / R k α then return 6: return σ = (z 1, z 2, c) s1 a m y1 H 1 r FullAdd r Hash c H 1 z1 RS RejSp H 2 z1 FullAdd z1 y2 H 1 z2 H 2 z2 FullAdd z2 s2 c

36 Composition s1 a m H 1 H 2 FullAdd z1 H 1 FullAdd r Hash c RS RejSp H 1 H 2 FullAdd z2 s2 c Not masked Non interferent Non interferent with public outputs and r

37 Conversions Boolean to arithmetic Proving the non interference of certain blocks (Rejection Sampling, Data Generation) was challenging Algorithm 2 GLP signature Require: m, pk, sk Ensure: Signature σ 1: $ y 1, y 2 R k 2: c H(r = ay 1 + y 2, m) 3: z 1 s 1 c + y 1 4: z 2 s 2 c + y 2 5: if z 1 or z 2 / R k α then restart 6: return σ = (z 1, z 2, c) i=d z 1,i mod p k α? (1) i=0 We had to adapt arithmetic to Boolean conversions from Coron, Großschädl and Vadnala in [CGV14]. i=d z 1,i i=0 mod p i=d z 1,i (2) i=0

38 Performances Table 1: Performances Number of shares (d + 1) Unprotected Total CPU time (s) Penalty factor Timings are provided for 100 executions of the signing algorithm, on one core of an Intel Core i CPU-based desktop machine. The code will be published soon Quite promising in view of the lack of optimization

39 Future work In a nutshell, - Provable masked implementation of GLP signature scheme - New security notions adapted to Fiat Shamir framework. Can be applied directly to Dilithium (implementation in progress, Vincent Migliore) BLISS and Dilithium-G Gaussians Not sure the Hash function can be unmasked

40 Conclusion Thank you for your attention Questions? Blog article on the RISQ project webpage : Eprint :

41 References Jean-Sébastien Coron, Johann Großschädl, and Praveen Kumar Vadnala. Secure conversion between Boolean and arithmetic masking of any order. In Lejla Batina and Matthew Robshaw, editors, CHES 2014, volume 8731 of LNCS, pages Springer, Heidelberg, September Suresh Chari, Charanjit S. Jutla, Josyula R. Rao, and Pankaj Rohatgi. Towards sound approaches to counteract power-analysis attacks. In Michael J. Wiener, editor, CRYPTO 99, volume 1666 of LNCS, pages Springer, Heidelberg, August Tim Güneysu, Vadim Lyubashevsky, and Thomas Pöppelmann. Practical lattice-based cryptography: A signature scheme for embedded systems. In Emmanuel Prouff and Patrick Schaumont, editors, CHES 2012, volume 7428 of LNCS, pages Springer, Heidelberg, September Yuval Ishai, Amit Sahai, and David Wagner. Private circuits: Securing hardware against probing attacks. In Dan Boneh, editor, CRYPTO 2003, volume 2729 of LNCS, pages Springer, Heidelberg, August Vadim Lyubashevsky. Fiat-Shamir with aborts: Applications to lattice and factoring-based signatures. In Mitsuru Matsui, editor, ASIACRYPT 2009, volume 5912 of LNCS, pages Springer, Heidelberg, December 2009.

42 References Vadim Lyubashevsky. Lattice signatures without trapdoors. In David Pointcheval and Thomas Johansson, editors, EUROCRYPT 2012, volume 7237 of LNCS, pages Springer, Heidelberg, April Emmanuel Prouff and Matthieu Rivain. Masking against side-channel attacks: A formal security proof. In Thomas Johansson and Phong Q. Nguyen, editors, EUROCRYPT 2013, volume 7881 of LNCS, pages Springer, Heidelberg, May 2013.

43 References Conversions Boolean to arithmetic : generation of sharings for coefficients x [ k, k] (k = 1)

44 References Conversions Boolean to arithmetic : generation of sharings for coefficients x [ k, k] (k = 1) 1 generate a Boolean sharing of x: 0 i d, x i [0, 2 w 0 1] where 2 w 0 > 2k w 0 1

45 References Conversions Boolean to arithmetic : generation of sharings for coefficients x [ k, k] (k = 1) 1 generate a Boolean sharing of x: where 2 w 0 > 2k w (δ i ) 0 i d (x i ) 0 i d (k i ) 0 i d 0 i d, x i [0, 2 w 0 1]

46 References Conversions Boolean to arithmetic : generation of sharings for coefficients x [ k, k] (k = 1) 1 generate a Boolean sharing of x: where 2 w 0 > 2k w (δ i ) 0 i d (x i ) 0 i d (k i ) 0 i d 3 b unmask δ s most significant bit 4 b equals 0 iff x 2k i d, x i [0, 2 w 0 1]

47 References Conversions Boolean to arithmetic : generation of sharings for coefficients x [ k, k] (k = 1) 1 generate a Boolean sharing of x: 0 i d, x i [0, 2 w 0 1] where 2 w 0 > 2k w (δ i ) 0 i d (x i ) 0 i d (k i ) 0 i d 3 b unmask δ s most significant bit 4 b equals 0 iff x 2k convert (x i ) 0 i d to an arithmetic masking

48 References Conversions Boolean to arithmetic : generation of sharings for coefficients x [ k, k] (k = 1) 1 generate a Boolean sharing of x: 0 i d, x i [0, 2 w 0 1] where 2 w 0 > 2k w (δ i ) 0 i d (x i ) 0 i d (k i ) 0 i d 3 b unmask δ s most significant bit 4 b equals 0 iff x 2k convert (x i ) 0 i d to an arithmetic masking Rejection Sampling: are coefficients of z 1 in [ k + α, k α]?

49 References Conversions Boolean to arithmetic : generation of sharings for coefficients x [ k, k] (k = 1) 1 generate a Boolean sharing of x: 0 i d, x i [0, 2 w 0 1] where 2 w 0 > 2k w (δ i ) 0 i d (x i ) 0 i d (k i ) 0 i d 3 b unmask δ s most significant bit 4 b equals 0 iff x 2k convert (x i ) 0 i d to an arithmetic masking Rejection Sampling: are coefficients of z 1 in [ k + α, k α]? 1 convert mod-p arithmetic sharing into Boolean masking

50 References Conversions Boolean to arithmetic : generation of sharings for coefficients x [ k, k] (k = 1) 1 generate a Boolean sharing of x: 0 i d, x i [0, 2 w 0 1] where 2 w 0 > 2k w (δ i ) 0 i d (x i ) 0 i d (k i ) 0 i d 3 b unmask δ s most significant bit 4 b equals 0 iff x 2k convert (x i ) 0 i d to an arithmetic masking Rejection Sampling: are coefficients of z 1 in [ k + α, k α]? 1 convert mod-p arithmetic sharing into Boolean masking 2 as in Data Generation, compute the masked difference with k α difference

51 References Conversions Boolean to arithmetic : generation of sharings for coefficients x [ k, k] (k = 1) 1 generate a Boolean sharing of x: 0 i d, x i [0, 2 w 0 1] where 2 w 0 > 2k w (δ i ) 0 i d (x i ) 0 i d (k i ) 0 i d 3 b unmask δ s most significant bit 4 b equals 0 iff x 2k convert (x i ) 0 i d to an arithmetic masking Rejection Sampling: are coefficients of z 1 in [ k + α, k α]? 1 convert mod-p arithmetic sharing into Boolean masking 2 as in Data Generation, compute the masked difference with k α difference 3 securely check the most significant bit