Faster Evaluation of S-Boxes via Common Shares
- Sherman Ball
- 5 years ago
1 Faster Evaluation of S-Boxes via Common Shares. J-S. Coron, A. Greuet, E. Prouff, R. Zeitoun; F. Rondepierre. CHES 2016.
2-3 S-Box Evaluation
AES, by definition: $S_{AES}(x) = A \cdot x^{254} \oplus b \in \mathbb{F}_{2^8}[x]$.
Other block ciphers (e.g. DES): the S-box is given as a table; by polynomial interpolation
$S_{DES}(x) = a_{63} x^{63} + a_{62} x^{62} + \cdots + a_1 x + a_0 \in \mathbb{F}_{2^6}[x]$,
which can be computed with $+$, $\times$ and squaring.
4-5 Security Context: t-probing adversary
A t-probing adversary is allowed to know the exact value of at most $t$ intermediate results. Adversary can access key values. Security is built to thwart limited adversaries.
6 Secret Sharing / Masking
In order to thwart a t-probing adversary, each sensitive variable $x$ is split into $n = t + 1$ variables $(x_0, \ldots, x_t)$ such that $x = x_0 \oplus x_1 \oplus \cdots \oplus x_t$.
Variables $x_1, \ldots, x_t$ are by convention random masks, and $x_0 = x \oplus \bigoplus_{i \ge 1} x_i$.
$X = (x_0, \ldots, x_t)$ is a shared representation of $x$.
7-10 Secure Multiplication: 1st order
Let $A$, $B$ be two shared variables and say we want to compute $C = (c_0, c_1)$ such that $C$ is a sharing of $a \cdot b$:
$(a \oplus a_1)(b \oplus b_1) = ab \oplus a b_1 \oplus a_1 b \oplus a_1 b_1 = ab \oplus (a \oplus a_1) b_1 \oplus (b \oplus b_1) a_1 \oplus a_1 b_1$,
hence $a_0 b_0 = ab \oplus a_0 b_1 \oplus b_0 a_1 \oplus a_1 b_1$.
We would then set $C = (c_0, c_1)$ with $c_0 = a_0 b_0$ and $c_1 = [(a_0 b_1) \oplus a_1 b_0] \oplus (a_1 b_1)$.
Security needs an additional random $r$: $c_0 = a_0 b_0 \oplus r$, $c_1 = (a_1 b_1) \oplus [(a_0 b_1 \oplus r) \oplus a_1 b_0]$.
Not secure if by construction we have $a_1 = b_1$.
11-15 Common Shares: Sequence of Secure Multiplications
Say we want to compute $E$, $F$ from $A$, $B$, $C$, $D$ such that $E = A \cdot B$ and $F = C \cdot D$.
In a 1st-order context, the paper deals with:
$e_0 = a_0 b_0 \oplus r$, $e_1 = (a_1 b_1) \oplus [(a_0 b_1 \oplus r) \oplus a_1 b_0]$
$f_0 = c_0 d_0 \oplus r$, $f_1 = (c_1 d_1) \oplus [(c_0 d_1 \oplus r) \oplus c_1 d_0]$
In a 1st-order context we can have $a_1 = c_1$ and $b_1 = d_1$.
The paper also extends the result to the t-probing context: $a_i = c_i$ and $b_i = d_i$ for $\lceil (t+1)/2 \rceil \le i \le t$.
16-18 Common Shares: Optimality of sharing
Let $A$, $B$ be two shared variables such that $a_i = b_i$ for $k \le i \le t$.
If $k = 1$, then $a_0 \oplus b_0 = a \oplus b$.
If $k < (t+1)/2$, then $\bigoplus_{i<k} (a_i \oplus b_i) = a \oplus b$.
If $k \ge (t+1)/2$, then computing $\bigoplus_{i<k} (a_i \oplus b_i)$ requires more than $t$ probes.
19 Common Shares: CommonShares
Input: $A = (a_0, \ldots, a_t)$ shares of $a$, and $B$ shares of $b$
Output: $A' = (a'_0, \ldots, a'_t)$ shares of $a$, and $B'$ shares of $b$
  for $i = \lceil (t+1)/2 \rceil$ to $t$ do
    $r_i \leftarrow \mathbb{F}_{2^k}$
    $j \leftarrow i - \lceil (t+1)/2 \rceil$
    $a'_i \leftarrow r_i$, $a'_j \leftarrow (a_j \oplus r_i) \oplus a_i$
    $b'_i \leftarrow r_i$, $b'_j \leftarrow (b_j \oplus r_i) \oplus b_i$
20 Higher-Order Secure Multiplication: SecMult
Input: $A = (a_0, \ldots, a_t)$ shares of $a$, and $B$ shares of $b$
Output: $C$, shares of $a \cdot b$
  for $i = 0$ to $t$ do
    $c_i \leftarrow a_i b_i$
  for $i = 0$ to $t$ do
    for $j = i + 1$ to $t$ do
      $r \leftarrow \mathbb{F}_{2^k}$
      $c_i \leftarrow c_i \oplus r$
      $c_j \leftarrow c_j \oplus [(a_i b_j \oplus r) \oplus a_j b_i]$
21-22 Multiplications with Common Shares: TwoMult
Input: $A, B, C, D$ shares of $a, b, c, d$, where $A, C$ (resp. $B, D$) have common shares
Output: $E, F$ shares of $a \cdot b$, $c \cdot d$
  for $i = 0$ to $t$ do
    $e_i \leftarrow a_i b_i$
    $f_i \leftarrow c_i d_i$ for $0 \le i \le \lceil (t+1)/2 \rceil - 1$; $f_i \leftarrow e_i$ ($= c_i d_i$) for $\lceil (t+1)/2 \rceil \le i \le t$
  for $i = 0$ to $t$ do
    for $j = i + 1$ to $t$ do
      $r \leftarrow \mathbb{F}_{2^k}$, $s \leftarrow \mathbb{F}_{2^k}$
      $e_i \leftarrow e_i \oplus r$, $f_i \leftarrow f_i \oplus s$
      $e_j \leftarrow e_j \oplus [(a_i b_j \oplus r) \oplus a_j b_i]$
      $f_j \leftarrow f_j \oplus [(c_i d_j \oplus s) \oplus c_j d_i]$
23-25 Multiplications with Common Shares: CommonMult
Input: $A, B, D$ shares of $a, b, d$, where $B, D$ have common shares
Output: $E, F$ shares of $a \cdot b$, $a \cdot d$
  for $i = 0$ to $t$ do
    $e_i \leftarrow a_i b_i$
    $f_i \leftarrow a_i d_i$ for $0 \le i \le \lceil (t+1)/2 \rceil - 1$; $f_i \leftarrow e_i$ for $\lceil (t+1)/2 \rceil \le i \le t$
  for $i = 0$ to $t$ do
    for $j = i + 1$ to $t$ do
      $r \leftarrow \mathbb{F}_{2^k}$, $s \leftarrow \mathbb{F}_{2^k}$
      $e_i \leftarrow e_i \oplus r$, $f_i \leftarrow f_i \oplus s$
      $e_j \leftarrow e_j \oplus [(a_i b_j \oplus r) \oplus a_j b_i]$
      $f_j \leftarrow f_j \oplus [(a_i d_j \oplus s) \oplus a_j d_i]$
26 Performances
Table: Complexity comparison of secure multiplications (number of field multiplications)
  SecMult: $(t+1)^2$
  TwoMult: $2(t+1)^2 - \lfloor (t+1)/2 \rfloor^2$
  CommonMult: $2(t+1)^2 - \lfloor (t+1)/2 \rfloor (t+1)$
  m-mult: $m(t+1)^2 - (m-1) \lfloor (t+1)/2 \rfloor^2$
  m-commonmult: $m(t+1)^2 - (m-1) \lfloor (t+1)/2 \rfloor (t+1)$
27 Security: Security Proofs
Security proven in the t-SNI model. The proof in this model ensures security with only $t + 1$ shares, instead of $2t + 1$ shares in the original model.
EasyCrypt verification tool run on our AES S-box algorithm (thanks to S. Belaïd).
28 Application to AES
Possible evaluation of $x^{254}$ in $\mathbb{F}_{2^8}$: $x \to x^2 \to x^3 \to x^{12} \to (x^{14}, x^{15}) \to x^{240} \to x^{254}$, where $x^{14} = x^{12} \cdot x^2$ and $x^{15} = x^{12} \cdot x^3$.
29 Application to AES: SecExp254
Input: a shared representation $X$ of $x$
Output: a shared representation $Res$ of $x^{254} = x^{-1}$
  $X_2 \leftarrow X^2$
  $X \leftarrow \mathrm{RefreshMask}(X)$
  $X_3 \leftarrow \mathrm{SecMult}(X_2, X)$
  $X_{12} \leftarrow X_3^4$
  $X_3 \leftarrow \mathrm{RefreshMask}(X_3)$
  $(X_{14}, X_{15}) \leftarrow \mathrm{CommonMult}(X_{12}, X_2, X_3)$
  $X_{240} \leftarrow X_{15}^{16}$
  $Res \leftarrow \mathrm{SecMult}(X_{240}, X_{14})$
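As an added, runnable illustration of slides 19, 20, 23 and 29 (this is example code written for this page, not the authors' implementation), the following Python models SecMult, CommonShares and CommonMult over $\mathbb{F}_{2^8}$ with the AES polynomial, wires them into SecExp254, and counts field multiplications so the saving of a CommonMult over two SecMult calls can be checked against the table on slide 26. It assumes that CommonShares is applied to $X_2$ and $X_3$ immediately before CommonMult (the slide leaves this step implicit) and leaves out TwoMult.

```python
import secrets

AES_POLY = 0x11B          # x^8 + x^4 + x^3 + x + 1, the AES field polynomial
MULT_COUNT = {"n": 0}     # counts masked (non-linear) field multiplications

def gf_mul_raw(x, y):
    """Multiplication in GF(2^8) modulo AES_POLY; not counted."""
    r = 0
    for _ in range(8):
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x & 0x100:
            x ^= AES_POLY
    return r

def gf_mul(x, y):
    """Counted: the costly operation the table on slide 26 compares."""
    MULT_COUNT["n"] += 1
    return gf_mul_raw(x, y)

def gf_sq(x):
    """Squaring is F2-linear, so it is applied share-wise and not counted."""
    return gf_mul_raw(x, x)

def unshare(shares):
    x = 0
    for s in shares:
        x ^= s
    return x

def share(x, t):
    """(x_0, ..., x_t): x_1..x_t random masks, x_0 = x ^ x_1 ^ ... ^ x_t."""
    masks = [secrets.randbelow(256) for _ in range(t)]
    return [unshare([x] + masks)] + masks

def refresh_mask(shares):
    """Re-randomise a sharing without changing the shared value."""
    out = list(shares)
    for i in range(1, len(out)):
        r = secrets.randbelow(256)
        out[0] ^= r
        out[i] ^= r
    return out

def sec_mult(a, b):
    """ISW SecMult (slide 20): (t+1)^2 multiplications."""
    t = len(a) - 1
    c = [gf_mul(a[i], b[i]) for i in range(t + 1)]
    for i in range(t + 1):
        for j in range(i + 1, t + 1):
            r = secrets.randbelow(256)
            c[i] ^= r
            c[j] ^= (gf_mul(a[i], b[j]) ^ r) ^ gf_mul(a[j], b[i])
    return c

def common_shares(a, b):
    """CommonShares (slide 19): re-share a and b so that a_i = b_i for every
    i >= ceil((t+1)/2); the low-index shares absorb the difference."""
    t = len(a) - 1
    h = (t + 2) // 2                     # ceil((t+1)/2)
    a2, b2 = list(a), list(b)
    for i in range(h, t + 1):
        r = secrets.randbelow(256)
        j = i - h                        # j < h, so each index is rewritten once
        a2[j], a2[i] = (a[j] ^ r) ^ a[i], r
        b2[j], b2[i] = (b[j] ^ r) ^ b[i], r
    return a2, b2

def common_mult(a, b, d):
    """CommonMult (slide 23): E shares a*b and F shares a*d, given b_i = d_i
    for i >= ceil((t+1)/2). Products equal in both runs are computed once."""
    t = len(a) - 1
    h = (t + 2) // 2
    e = [gf_mul(a[i], b[i]) for i in range(t + 1)]
    f = [e[i] if i >= h else gf_mul(a[i], d[i]) for i in range(t + 1)]
    for i in range(t + 1):
        for j in range(i + 1, t + 1):
            r, s = secrets.randbelow(256), secrets.randbelow(256)
            e[i] ^= r
            f[i] ^= s
            ab_ij, ab_ji = gf_mul(a[i], b[j]), gf_mul(a[j], b[i])
            ad_ij = ab_ij if j >= h else gf_mul(a[i], d[j])   # b_j == d_j
            ad_ji = ab_ji if i >= h else gf_mul(a[j], d[i])   # b_i == d_i
            e[j] ^= (ab_ij ^ r) ^ ab_ji
            f[j] ^= (ad_ij ^ s) ^ ad_ji
    return e, f

def sec_exp254(x):
    """SecExp254 (slide 29): shares of x^254 = x^-1 in GF(2^8). Assumption:
    CommonShares is run on X2 and X3 right before CommonMult."""
    x2 = [gf_sq(s) for s in x]                          # X2 <- X^2
    x3 = sec_mult(x2, refresh_mask(x))                  # X3 <- X2 * X
    x12 = [gf_sq(gf_sq(s)) for s in x3]                 # X12 <- X3^4
    x2, x3 = common_shares(x2, refresh_mask(x3))
    x14, x15 = common_mult(x12, x2, x3)                 # X12*X2, X12*X3
    x240 = [gf_sq(gf_sq(gf_sq(gf_sq(s)))) for s in x15] # X240 <- X15^16
    return sec_mult(x240, x14)                          # X240 * X14
```

For $t = 3$ the whole exponentiation costs $16 + 24 + 16 = 56$ counted multiplications instead of $4 \cdot 16 = 64$ with four plain SecMult calls.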
30 Performances on several S-boxes
Table: Equivalent number of multiplications $N_{mult}$ for various block ciphers with $m$ $k$-bit S-boxes (columns $k$, $m$, $N_{mult}$, $N'_{mult}$; rows AES, DES, PRESENT, SERPENT, CAMELLIA, CLEFIA).
31 Conclusion
General improvement for multiplications with t-SNI security.
Core idea: improvements from common shared values.
The ratio between two multiplications and a CommonMult is 3/4.
A sequence of $m$ multiplications has an equivalent cost of 3 (m - 1); a sequence of $m$ CommonMult has an equivalent cost of 5 (m - 1).
Implementation for AES S-box evaluation.
Theoretical gain for other block ciphers thanks to interpolation.
Connecting and Improving Direct Sum Masking and Inner Product Masking Romain Poussier 1, Qian Guo 1, François-Xavier Standaert 1, Claude Carlet 2, Sylvain Guilley 3 1 ICTEAM/ELEN/Crypto Group, Université
More informationImpossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128
Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com
More informationEciently Masking Binomial Sampling at Arbitrary Orders for Lattice-Based Crypto
Eciently Masking Binomial Sampling at Arbitrary Orders for Lattice-Based Crypto Tobias Schneider 1, Clara Paglialonga 2, Tobias Oder 3, and Tim Güneysu 3,4 1 ICTEAM/ELEN/Crypto Group, Université Catholique
More informationQuantum Differential and Linear Cryptanalysis
Quantum Differential and Linear Cryptanalysis Marc Kaplan 1,2 Gaëtan Leurent 3 Anthony Leverrier 3 María Naya-Plasencia 3 1 LTCI, Télécom ParisTech 2 School of Informatics, University of Edinburgh 3 Inria
More informationDistinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network
Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Ruilin Li, Bing Sun, and Chao Li Department of Mathematics and System Science, Science College, National University of Defense
More informationLow Probability Differentials and the Cryptanalysis of Full-Round CLEFIA-128
Low Probability Differentials and the Cryptanalysis of Full-Round CLEFIA-128 Sareh Emami 2, San Ling 1, Ivica Nikolić 1, Josef Pieprzyk 3 and Huaxiong Wang 1 1 Nanyang Technological University, Singapore
More informationCryptographically Robust Large Boolean Functions. Debdeep Mukhopadhyay CSE, IIT Kharagpur
Cryptographically Robust Large Boolean Functions Debdeep Mukhopadhyay CSE, IIT Kharagpur Outline of the Talk Importance of Boolean functions in Cryptography Important Cryptographic properties Proposed
More informationLeftovers from Lecture 3
Leftovers from Lecture 3 Implementing GF(2^k) Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x): (1,1,0,1,1) *(0,1,0,1,1) = (1,1,0,0,1) For small size finite
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Serge Vaudenay 17.1.2017 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not
More information