Block Ciphers and Side Channel Protection
|
|
- Charity Peters
- 5 years ago
- Views:
Transcription
1 Block Ciphers and Side Channel Protection Gregor Leander
2 Main Idea Side-Channel Resistance Without protection having a strong cipher is useless Therefore: Masking necessary Usual Approach 1 Design a cipher 2 Try to mask it efficiently
3 Side-Channel Resistance by Design Usual Approach 1 Design a cipher 2 Try to mask it efficiently Better Design ciphers that are easy to mask NOEKEON PICARO ZORRO LS-Designs
4 Outline 1 2
5 Masking: Compute on Shares (Boolean)-Sharing Split the input x F n 2 into r shares x i F n 2 x = x 1 x 2... x r (n-out-of-n secret sharing). MPC-like computation Avoid to compute on the input directly, but on the shares. Easy for linear operations, i.e. XOR Expensive for non-linear operations, e.g. AND
6 One Application FSE 2014: LS-Designs [GLSVar] A family of easy to mask block ciphers Designed by UC-Louvain and INRIA Main idea Opposite approach of what is done usually: Use tables for the linear-layer Use (few) logical operations for S-boxes Two instances: Robin and iscream Fantomas and Scream
7 One square is a bit. Columns are stored in registers Robin and iscream
8 One square is a bit. Columns are stored in registers Robin and iscream S-Box
9 One square is a bit. Columns are stored in registers Robin and iscream S-Box S-Box
10 One square is a bit. Columns are stored in registers Robin and iscream S-Box S-Box S-Box
11 One square is a bit. Columns are stored in registers Robin and iscream S-Box S-Box S-Box S-Box
12 One square is a bit. Columns are stored in registers Robin and iscream S-Box S-Box S-Box S-Box S-Box
13 One square is a bit. Columns are stored in registers Robin and iscream S-Box S-Box S-Box S-Box S-Box S-Box
14 One square is a bit. Columns are stored in registers Robin and iscream S-Box S-Box S-Box S-Box S-Box S-Box S-Box
15 One square is a bit. Columns are stored in registers Robin and iscream S-Box S-Box S-Box S-Box S-Box S-Box S-Box S-Box
16 One square is a bit. Columns are stored in registers Robin and iscream L
17 One square is a bit. Columns are stored in registers Robin and iscream L L
18 One square is a bit. Columns are stored in registers Robin and iscream L L L
19 One square is a bit. Columns are stored in registers Robin and iscream L L L L
20 One square is a bit. Columns are stored in registers Robin and iscream L L L L L
21 One square is a bit. Columns are stored in registers Robin and iscream L L L L L L
22 One square is a bit. Columns are stored in registers Robin and iscream L L L L L L L
23 One square is a bit. Columns are stored in registers Robin and iscream L L L L L L L L
24 One square is a bit. Columns are stored in registers Robin and iscream c
25 Bit-Sliced: From One To Many x 0 x 1 x 2 x 3 S-box y 0 y 1 y 2 y 3 Bit Sliced (cf. Serpent) Instead of using LUT use the algebraic description. Example y 0 = x 0 x 1 + x 3 y 1 = x 1 x 3 + x 2 x 3 y 2 = x 0 x 1 x 3 + x 1 y 4 = x 2 x 3 + x 1 x 3 + x 1 + x 3
26 Bit-Sliced: From One To Many Example y 0 = x 0 x 1 + x 3 y 1 = x 1 x 3 + x 2 x 3 y 2 = x 0 x 1 x 3 + x 1 y 4 = x 2 x 3 + x 1 x 3 + x 1 + x 3
27 Bit-Sliced: From One To Many Example y 0 = x 0 x 1 + x 3 y 1 = x 1 x 3 + x 2 x 3 y 2 = x 0 x 1 x 3 + x 1 y 4 = x 2 x 3 + x 1 x 3 + x 1 + x 3 Many Sboxes Replace bits by registers. Advantages: n-bit registers n-sboxes at once Easier to mask than LUTs.
28 The Linear Layer Bit-Sliced Sbox Simply use Tables for the L i. Input to L i in one register.
29 The Sbox Task Find a good/optimal Sbox using a minimal number of non-linear operations. Two approaches: Find the best implementation of a given S-box (e.g. [Sto16]) Find the cryptographically strong S-box that can be implemented most efficiently (cf. [UCI + 11]) 4-bit For 4 bits both approaches possible.
30 Optimal 4 Bit Solution (I/II) Class 13 from [UCI + 11].
31 Optimal 4 Bit Solution (II/II) MSB LSB MSB LSB Used in SKINNY [?]
32 Larger S-boxes Task How to construct larger S-boxes? Idea: Build on Small Ones Use small Sboxes to construct larger ones.
33 For 8-Bit Possible Constructions (cf. [GLSVar]) 1 1 Thanks to Gaëtan Leurent for the picture
34 Choice for ROBIN Feistel+Class 13.
35 The Robin Sbox S(, a, b, 0, 0, a, 0, a b) = (, α, β, 0, 0, α, 0, α β)
36 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * a 7 b a 7 0 c 7 * a 6 b a 6 0 c 6 * a 5 b a 5 0 c 5 * a 4 b a 4 0 c 4 * a 3 b a 3 0 c 3 * a 2 b a 2 0 c 2 * a 1 b a 1 0 c 1 * a 0 b a 0 0 c 0
37 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * a 7 b 7 0S-Box 0 a 7 0 c 7 * a 6 b 6 0S-Box 0 a 6 0 c 6 * a 5 b 5 0S-Box 0 a 5 0 c 5 * a 4 b 4 0S-Box 0 a 4 0 c 4 * a 3 b 3 0S-Box 0 a 3 0 c 3 * a 2 b 2 0S-Box 0 a 2 0 c 2 * a 1 b 1 0S-Box 0 a 1 0 c 1 * a 0 b 0 0S-Box 0 a 0 0 c 0
38 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * a 7 b 7 0S-Box 0 a 7 0 c 7 * a 6 b 6 0S-Box 0 a 6 0 c 6 * a 5 b 5 0S-Box 0 a 5 0 c 5 * a 4 b 4 0S-Box 0 a 4 0 c 4 * a 3 b 3 0S-Box 0 a 3 0 c 3 * a 2 b 2 0S-Box 0 a 2 0 c 2 * a 1 b 1 0S-Box 0 a 1 0 c 1 * α 0 β α 0 0 γ 0
39 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * a 7 b 7 0S-Box 0 a 7 0 c 7 * a 6 b 6 0S-Box 0 a 6 0 c 6 * a 5 b 5 0S-Box 0 a 5 0 c 5 * a 4 b 4 0S-Box 0 a 4 0 c 4 * a 3 b 3 0S-Box 0 a 3 0 c 3 * a 2 b 2 0S-Box 0 a 2 0 c 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0
40 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * a 7 b 7 0S-Box 0 a 7 0 c 7 * a 6 b 6 0S-Box 0 a 6 0 c 6 * a 5 b 5 0S-Box 0 a 5 0 c 5 * a 4 b 4 0S-Box 0 a 4 0 c 4 * a 3 b 3 0S-Box 0 a 3 0 c 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0
41 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * a 7 b 7 0S-Box 0 a 7 0 c 7 * a 6 b 6 0S-Box 0 a 6 0 c 6 * a 5 b 5 0S-Box 0 a 5 0 c 5 * a 4 b 4 0S-Box 0 a 4 0 c 4 * α 3 β α 3 0 γ 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0
42 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * a 7 b 7 0S-Box 0 a 7 0 c 7 * a 6 b 6 0S-Box 0 a 6 0 c 6 * a 5 b 5 0S-Box 0 a 5 0 c 5 * α 4 β α 4 0 γ 4 * α 3 β α 3 0 γ 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0
43 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * a 7 b 7 0S-Box 0 a 7 0 c 7 * a 6 b 6 0S-Box 0 a 6 0 c 6 * α 5 β α 5 0 γ 5 * α 4 β α 4 0 γ 4 * α 3 β α 3 0 γ 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0
44 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * a 7 b 7 0S-Box 0 a 7 0 c 7 * α 6 β α 6 0 γ 6 * α 5 β α 5 0 γ 5 * α 4 β α 4 0 γ 4 * α 3 β α 3 0 γ 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0
45 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * α 7 β α 7 0 γ 7 * α 6 β α 6 0 γ 6 * α 5 β α 5 0 γ 5 * α 4 β α 4 0 γ 4 * α 3 β α 3 0 γ 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0
46 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * α 7 β α 7 0 γ 7 * α 6 β α 6 0 γ 6 * α 5 β α 5 0 γ 5 * α 4 β α 4 0 γ 4 L L L L L L L L * α 3 β α 3 0 γ 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0
47 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * α 7 β α 7 0 γ 7 * α 6 β α 6 0 γ 6 * α 5 β α 5 0 γ 5 * α 4 β α 4 0 γ 4 L L L L L L L * α 3 β α 3 0 γ 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0
48 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * α 7 β α 7 0 γ 7 * α 6 β α 6 0 γ 6 * α 5 β α 5 0 γ 5 * α 4 β α 4 0 γ 4 L L L L L L * α 3 β α 3 0 γ 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0
49 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * α 7 β α 7 0 γ 7 * α 6 β α 6 0 γ 6 * α 5 β α 5 0 γ 5 * α 4 β α 4 0 γ 4 L L L L L * α 3 β α 3 0 γ 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0
50 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * α 7 β α 7 0 γ 7 * α 6 β α 6 0 γ 6 * α 5 β α 5 0 γ 5 * α 4 β α 4 0 γ 4 L L L L * α 3 β α 3 0 γ 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0
51 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * α 7 β α 7 0 γ 7 * α 6 β α 6 0 γ 6 * α 5 β α 5 0 γ 5 * α 4 β α 4 0 γ 4 L L L * α 3 β α 3 0 γ 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0
52 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * α 7 β α 7 0 γ 7 * α 6 β α 6 0 γ 6 * α 5 β α 5 0 γ 5 * α 4 β α 4 0 γ 4 L L * α 3 β α 3 0 γ 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0
53 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * α 7 β α 7 0 γ 7 * α 6 β α 6 0 γ 6 * α 5 β α 5 0 γ 5 * α 4 β α 4 0 γ 4 L * α 3 β α 3 0 γ 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0
54 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * α 7 β α 7 0 γ 7 * α 6 β α 6 0 γ 6 * α 5 β α 5 0 γ 5 * α 4 β α 4 0 γ 4 * α 3 β α 3 0 γ 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0
55 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * α 7 β α 7 0 γ 7 * α 6 β α 6 0 γ 6 * α 5 β α 5 0 γ 5 * α 4 β α 4 0 γ 4 * α 3 β α 3 0 γ 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0
56 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * α 7 β α 7 0 γ 7 * α 6 β α 6 0 γ 6 c * α 5 β α 5 0 γ 5 * α 4 β α 4 0 γ 4 * α 3 β α 3 0 γ 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0
57 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * α 7 β α 7 0 γ 7 * α 6 β α 6 0 γ 6 * α 5 β α 5 0 γ 5 * α 4 β α 4 0 γ 4 * α 3 β α 3 0 γ 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0
58 Take Care Symmetries Simple Sbox might allow for symmetries Easy to avoid by choosing constants well Similar attacks on Scream Zorro... Improved LS-Designs XLS - took this into account
59 Outline 1 2
60 TI: Compute on Shares (Boolean)-Sharing Split the input x F n 2 into r shares x i F n 2 x = x 1 x 2... x r (n-out-of-n secret sharing). MPC-like computation Never compute on all shares simultaneously. Compute on r 1 shares at a time Make sure that the computation is correct. Threshold Implementation [NRR06] is a concrete way to achieve the above.
61 TI - In A Picture x = x a + x b + x c f f a f b f c y = y a + y b + y c 2 2 Thanks to J. Daemen for the picture
62 TI - More Formally Given a permutation F : F n 2 Fn 2 and x = x 1... x t construct t functions F i : F (t 1) 2 F n 2 such that F 1 (x 2,..., x t ) F t (x 1, x 2,..., x t 1 ) = F (x 1 x t ) = F(x) (F i is independent of x i )
63 TI - Main Properties x = (x 1,..., x t ) For a TI we need three important properties. Correctness Non-Completeness Uniformity
64 TI - Correctness Correctness F 1 (x) F 2 (x) F t (x) = F(x) Easy to achieve.
65 TI - In A Picture x = x a + x b + x c f f a f b f c y = y a + y b + y c 3 3 Thanks to J. Daemen for the picture
66 TI - Non-Completeness Non-Completeness F i (x) is independent of x i (wlog) Easy to achieve.
67 TI - Non-Completeness Non-Completeness F i (x) is independent of x i (wlog) Easy to achieve. Correctness and Non-Completeness possible iff t deg(f) + 1
68 TI - Non-Completeness x = x a + x b + x c f f a f b f c y = y a + y b + y c 4 4 Thanks to J. Daemen for the picture
69 TI - Uniformity Uniformity x (F 1 (x),..., F t (x) = F(x)) is a permutation on tn bits. Easy to achieve on its own But: Achieving all at the same time is difficult
70 TI - Uniformity x = x a + x b + x c f f a f b f c y = y a + y b + y c 5 5 Thanks to J. Daemen for the picture
71 TI - Quadratic Case Let us focus on the quadratic case. Q : F n 2 Fn 2 quadratic Quadratic 3.rd derivative is constant zero a Q(x) := Q(x) Q(x a) linear a,b Q(x) := b ( a Q(x)) constant a,b,c Q(x) := c ( b ( a Q(x))) constant zero
72 TI - Quadratic Case Let us focus on the quadratic case. Q : F n 2 Fn 2 quadratic Quadratic 3.rd derivative is constant zero a Q(x) := Q(x) Q(x a) linear a,b Q(x) := b ( a Q(x)) constant a,b,c Q(x) := c ( b ( a Q(x))) constant zero Why does this help to construct TI?
73 TI - Quadratic Case Non-complete and Correct TI +Q(x + c) + Q(x + c + a) + Q(x + b + c) + Q(x + a + b + c) 0 = a,b,c Q(x) = c ( b ( a Q(x))) = c ( b (Q(x) + Q(x + a))) = c (Q(x) + Q(x + a) + Q(x + b) + Q(x + a + b)) = Q(x) + Q(x + a) + Q(x + b) + Q(x + a + b)
74 TI - Quadratic Case Non-complete and Correct TI +Q(x + c) + Q(x + c + a) + Q(x + b + c) + Q(x + a + b + c) 0 = Q(x) + Q(x + a) + Q(x + b) + Q(x + a + b) For x = 0 we get (wlog Q(0) = 0) Q(a + b + c) = Q(b + c) + Q(c) +Q(a + c) + Q(a) +Q(a + b) + Q(b)
75 TI - Quadratic Case Non-complete and Correct TI Q(a + b + c) = Q(b + c) + Q(c) +Q(a + c) + Q(a) +Q(a + b) + Q(b) For a = x a, b = x b, c = x c and x = x a + x b + x c we get Q(x) = Q(x b + x c ) + Q(x c ) +Q(x a + x c ) + Q(x a ) +Q(x a + x b ) + Q(x b )
76 TI - Quadratic Case Non-complete and Correct TI Q(a + b + c) = Q(b + c) + Q(c) +Q(a + c) + Q(a) +Q(a + b) + Q(b) For a = x a, b = x b, c = x c and x = x a + x b + x c we get Q(x) = Q(x b + x c ) + Q(x c ) := f a (x b, x c ) +Q(x a + x c ) + Q(x a ) +Q(x a + x b ) + Q(x b )
77 TI - Quadratic Case Non-complete and Correct TI Q(a + b + c) = Q(b + c) + Q(c) +Q(a + c) + Q(a) +Q(a + b) + Q(b) For a = x a, b = x b, c = x c and x = x a + x b + x c we get Q(x) = Q(x b + x c ) + Q(x c ) := f a (x b, x c ) +Q(x a + x c ) + Q(x a ) := f b (x a, x c ) +Q(x a + x b ) + Q(x b )
78 TI - Quadratic Case Non-complete and Correct TI Q(a + b + c) = Q(b + c) + Q(c) +Q(a + c) + Q(a) +Q(a + b) + Q(b) For a = x a, b = x b, c = x c and x = x a + x b + x c we get Q(x) = Q(x b + x c ) + Q(x c ) := f a (x b, x c ) +Q(x a + x c ) + Q(x a ) := f b (x a, x c ) +Q(x a + x b ) + Q(x b ) := f c (x a, x b )
79 TI - 2 out of 3 x = x a + x b + x c f f a f b f c y = y a + y b + y c 6 6 Thanks to J. Daemen for the picture
80 Correction Terms f a (x b, x c ) = Q(x b + x c ) + Q(x c ) f b (x a, x c ) = Q(x a + x c ) + Q(x a ) f c (x a, x b ) = Q(x a + x b ) + Q(x b ) How To Get Uniformity Make this a permutation.
81 Correction Terms f a (x b, x c ) = Q(x b + x c ) + Q(x c ) + C b (x b ) + C c (x c ) f b (x a, x c ) = Q(x a + x c ) + Q(x a ) + C a (x a ) + C c (x c ) f c (x a, x b ) = Q(x a + x b ) + Q(x b ) + C a (x a ) + C b (x b ) How To Get Uniformity Make this a permutation. Add Correction Terms. Keep Non-completeness Keep Correctness Might give uniformity.
82 Correction Terms Finding CT High complexity. Even for small n 5. Possible for n = 3, 4 [BNN + 12] Sometimes for n = 5. Task How to find TI of larger S-boxes (e.g. n = 8)? For a given S-box: Decomposition For some good S-box: As for masking.
83 TI - Construction of Larger S-boxes Possible Constructions (cf. [BGG + 16])
84 TI - Feistel Feistel For Feistel one gets uniformity for free Use direct sharing Result is a Feistel structure again
85 TI - Feistel x 3 y 3 y 2 y 1 x 2 x 1 f 1 f 2 f 3 x 3 x 2 x 1 z 3 z 2 z 1
86 Uniformity: Out of the box solution x a x b x c r b r c S a S b S c R b R c y a y b y c Presented by J. Daemen in [Dae17].
87 Uniformity: Out of the box solution r b r c a 0 b 0 c 0 a 1 b 1 c 1 a 2 b 2 c 2 S a S b S c S a S b S c S a S b S c A 0 B 0 C 0 A 1 B 1 C 1 A 2 B 2 C 2 R c R b 7 7 Thanks to J. Daemen for the picture
88 References I Erik Boss, Vincent Grosso, Tim Güneysu, Gregor Leander, Amir Moradi, and Tobias Schneider, Strong 8-bit Sboxes with Efficient Masking in Hardware, CHES 2016, Begül Bilgin, Svetla Nikova, Ventzislav Nikov, Vincent Rijmen, and Georg Stütz, Threshold Implementations of All 3 3 and 4 4 S-Boxes, CHES 2012, Lecture Notes in Computer Science, vol. 7428, Springer, 2012, pp Joan Daemen, Changing of the guards: A simple and efficient method for achieving uniformity in threshold sharing, Cryptographic Hardware and Embedded Systems - CHES th International Conference, Taipei, Taiwan, September 25-28, 2017, Proceedings (Wieland Fischer and Naofumi Homma, eds.), Lecture Notes in
89 References II Computer Science, vol , Springer, 2017, pp Vincent Grosso, Gaëtan Leurent, François-Xavier Standaert, and Kerem Varıcı, LS-Designs: Bitslice Encryption for Efficient Masked Software Implementations, Fast Software Encryption (FSE), LNCS, Springer, 2014, to appear. Svetla Nikova, Christian Rechberger, and Vincent Rijmen, Threshold implementations against side-channel attacks and glitches, Information and Communications Security, 8th International Conference, ICICS 2006, Raleigh, NC, USA, December 4-7, 2006, Proceedings (Peng Ning, Sihan Qing, and Ninghui Li, eds.), Lecture Notes in Computer Science, vol. 4307, Springer, 2006, pp
90 References III Ko Stoffelen, Optimizing s-box implementations for several criteria using SAT solvers, Fast Software Encryption - 23rd International Conference, FSE 2016, Bochum, Germany, March 20-23, 2016, Revised Selected Papers (Thomas Peyrin, ed.), Lecture Notes in Computer Science, vol. 9783, Springer, 2016, pp Markus Ullrich, Christophe De Cannière, Sebastiaan Indesteege,, Özgül Küçük, Nicky Mouha, and Bart Preneel, Finding Optimal Bitsliced Implementations of 4 x 4 bit S-boxes, SKEW, 2011.
91 The End Thank you very much.
LS-Designs. Bitslice Encryption for Efficient Masked Software Implementations
Bitslice Encryption for Efficient Masked Software Implementations Vincent Grosso 1 Gaëtan Leurent 1,2 François Xavier Standert 1 Kerem Varici 1 1 UCL, Belgium 2 Inria, France FSE 2014 G Leurent (UCL,Inria)
More informationConstruction of Lightweight S-Boxes using Feistel and MISTY structures
Construction of Lightweight S-Boxes using Feistel and MISTY structures Anne Canteaut Sébastien Duval Gaëtan Leurent Inria, France SAC 2015 A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes
More informationChanging of the Guards: a simple and efficient method for achieving uniformity in threshold sharing
Changing of the Guards: a simple and efficient method for achieving uniformity in threshold sharing Joan Daemen 1,2 1 Radboud University 2 STMicroelectronics Abstract. Since they were first proposed as
More informationImproving the Security and Efficiency of Block Ciphers based on LS-Designs
Improving the Security and Efficiency of Block Ciphers based on S-Designs Anthony Journault, François-Xavier Standaert, Kerem Varici To cite this version: Anthony Journault, François-Xavier Standaert,
More informationConsolidating Masking Schemes
Consolidating Masking Schemes Oscar Reparaz, Begül Bilgin, Svetla Nikova, Benedikt Gierlichs, and Ingrid Verbauwhede firstname.lastname@esat.kuleuven.be KU Leuven ESAT/COSIC and iminds, Belgium Abstract.
More informationobservations on the simon block cipher family
observations on the simon block cipher family Stefan Kölbl 1 Gregor Leander 2 Tyge Tiessen 1 August 17, 2015 1 DTU Compute, Technical University of Denmark, Denmark 2 Horst Görtz Institute for IT Security,
More informationOn the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking
On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun Goudarzi and Matthieu Rivain CHES 2016, Santa-Barbara Higher-Order Masking x = x 1 + x 2 + + x d 2/28 Higher-Order
More informationThe Invariant Set Attack 26th January 2017
The Invariant Set Attack 26th January 2017 Workgroup Symmetric Cryptography Ruhr University Bochum Friedrich Wiemer Friedrich Wiemer The Invariant Set Attack 26th January 2017 1 Nonlinear Invariant Attack
More informationConstruction of Lightweight S-Boxes using Feistel and MISTY structures (Full Version )
Construction of Lightweight S-Boxes using Feistel and MISTY structures (Full Version ) Anne Canteaut, Sébastien Duval, and Gaëtan Leurent Inria, project-team SECRET, France {Anne.Canteaut, Sebastien.Duval,
More informationRhythmic Keccak: SCA Security and Low Latency in HW
Rhythmic Keccak: SCA Security and Low Latency in HW Victor Arribas 1, Begül Bilgin 1, George Petrides 2, Svetla Nikova 1 and Vincent Rijmen 1 1 KU Leuven, imec-cosic, Belgium, name.surname@esat.kuleuven.be
More informationAnalysis of cryptographic hash functions
Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA Paris-Rocquencourt Gemalto, France Ph.D. Defense December 7, 2012 1 / 43 Symmetric key cryptography Alice and Bob share
More informationSubspace Trail Cryptanalysis and its Applications to AES
Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi, Christian Rechberger and Sondre Rønjom March, 2017 1 / 28 Introduction In the case of AES, several alternative representations (algebraic
More informationSide-Channel Attacks on Threshold Implementations using a Glitch Algebra
Side-Channel Attacks on Threshold Implementations using a Glitch Algebra Serge Vaudenay EPFL CH-1015 Lausanne, Switzerland http://lasec.epfl.ch Abstract. Threshold implementations allow to implement circuits
More informationAlgebraic properties of SHA-3 and notable cryptanalysis results
Algebraic properties of SHA-3 and notable cryptanalysis results Christina Boura University of Versailles, France ICMC 2015, January 9, 2014 1 / 51 Cryptographic Hash Functions H : {0,1} {0,1} n m H h =
More informationExperiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL
More informationEnhancing the Signal to Noise Ratio
Enhancing the Signal to Noise Ratio in Differential Cryptanalysis, using Algebra Martin Albrecht, Carlos Cid, Thomas Dullien, Jean-Charles Faugère and Ludovic Perret ESC 2010, Remich, 10.01.2010 Outline
More informationA Note on the Empirical Evaluation of Security Margins against Algebraic Attacks
A Note on the Empirical Evaluation of Security Margins against Algebraic Attacks (with Application to Low Cost-Ciphers LED and Piccolo) - Full Version - Vincent Grosso 1,Christina Boura 2,3,Benoît Gérard
More informationSide-channel Analysis of Lightweight Ciphers: Does Lightweight Equal Easy?
Side-channel Analysis of Lightweight Ciphers: Does Lightweight Equal Easy? Annelie Heuser 1, Stjepan Picek 2, Sylvain Guilley 3, and Nele Mentens 2 1 IRISA/CNRS, Rennes, France 2 KU Leuven, ESAT/COSIC
More informationSeveral Masked Implementations of the Boyar-Peralta AES S-Box
Several Masked Implementations of the Boyar-Peralta AES S-Box Ashrujit Ghoshal 1[0000 0003 2436 0230] and Thomas De Cnudde 2[0000 0002 2711 8645] 1 Indian Institute of Technology Kharagpur, India ashrujitg@iitkgp.ac.in
More informationPractical CCA2-Secure and Masked Ring-LWE Implementation
Practical CCA2-Secure and Masked Ring-LWE Implementation Tobias Oder 1, Tobias Schneider 2, Thomas Pöppelmann 3, Tim Güneysu 1,4 1 Ruhr-University Bochum, 2 Université Catholique de Louvain, 3 Infineon
More informationTHRESHOLD IMPLEMENTATIONS OF ALL 3x3 AND 4x4 S-BOXES
THRESHOLD IMPLEMENTATIONS OF ALL 3x3 AND 4x4 S-BOXES B.Bilgin, S.Nikova, V.Nikov, V.Rijmen, G.Stütz KU Leuven, UTwente, NXP, TU Graz CHES 2012 - Leuven, Belgium 2012-09-10 Countermeasures Search for a
More informationDecomposed S-Boxes and DPA Attacks: A Quantitative Case Study using PRINCE
Decomposed S-Boxes and DPA Attacks: A Quantitative Case Study using PRINCE Ravikumar Selvam, Dillibabu Shanmugam, Suganya Annadurai, Jothi Rangasamy Society for Electronic Transactions and Security, India.
More informationCryptanalysis of PRESENT-like ciphers with secret S-boxes
Cryptanalysis of PRESENT-like ciphers with secret S-boxes Julia Borghoff Lars Knudsen Gregor Leander Søren S. Thomsen DTU, Denmark FSE 2011 Cryptanalysis of Maya Julia Borghoff Lars Knudsen Gregor Leander
More informationAttacking AES via SAT
Computer Science Department Swansea University BCTCS Warwick, April 7, 2009 Introduction In the following talk, a general translation framework, based around SAT, is considered, with the aim of providing
More informationMiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity
MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity. Arnab Roy 1 (joint work with Martin Albrecht 2, Lorenzo Grassi 3, Christian Rechberger 1,3 and Tyge Tiessen
More informationClassification of Balanced Quadratic Functions
Classification of Balanced Quadratic Functions Lauren De Meyer and Begül Bilgin KU Leuven, imec - COSIC, Belgium firstname.lastname@esat.kuleuven.be Abstract. S-boxes, typically the only nonlinear part
More informationComparison of some mask protections of DES against power analysis Kai Cao1,a, Dawu Gu1,b, Zheng Guo1,2,c and Junrong Liu1,2,d
International Conference on Manufacturing Science and Engineering (ICMSE 2015) Comparison of some mask protections of DES against power analysis Kai Cao1,a, Dawu Gu1,b, Zheng Guo1,2,c and Junrong Liu1,2,d
More informationMasking AES with d + 1 Shares in Hardware
Masking AES with d + 1 Shares in Hardware Thomas De Cnudde 1, Oscar Reparaz 1, Begül Bilgin 1, Svetla Nikova 1, Ventzislav Nikov 2 and Vincent Rijmen 1 1 KU Leuven, ESAT-COSIC and iminds, Belgium {name.surname}@esat.kuleuven.be
More informationHigher-Order Threshold Implementations
Higher-Order Threshold Implementations Begül Bilgin 1,2, Benedikt Gierlichs 1, Svetla Nikova 1, Ventzislav Nikov 3, and Vincent Rijmen 1 1 KU Leuven, ESAT-COSIC and iminds, Belgium {name.surname}@esat.kuleuven.be
More informationSide Channel Analysis and Protection for McEliece Implementations
Side Channel Analysis and Protection for McEliece Implementations Thomas Eisenbarth Joint work with Cong Chen, Ingo von Maurich and Rainer Steinwandt 9/27/2016 NATO Workshop- Tel Aviv University Overview
More informationImproved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON
Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON Danping Shi 1,2, Lei Hu 1,2, Siwei Sun 1,2, Ling Song 1,2, Kexin Qiao 1,2, Xiaoshuang Ma 1,2 1 State Key Laboratory of Information
More informationLinks Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT
Links Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT Céline Blondeau, Benoît Gérard SECRET-Project-Team, INRIA, France TOOLS for Cryptanalysis - 23th June 2010 C.Blondeau
More informationDistinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network
Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Ruilin Li, Bing Sun, and Chao Li Department of Mathematics and System Science, Science College, National University of Defense
More informationCryptanalysis of SP Networks with Partial Non-Linear Layers
Cryptanalysis of SP Networks with Partial Non-Linear Layers Achiya Bar-On 1, Itai Dinur 2, Orr Dunkelman 3, Nathan Keller 1, Virginie Lallemand 4, and Boaz Tsaban 1 1 Bar-Ilan University, Israel 2 École
More informationUniform First-Order Threshold Implementations
Uniform First-Order Threshold Implementations Tim Beyne and Begül Bilgin ESAT/COSIC, KU Leuven and iminds, Belgium name.lastname@student.kuleuven.be, name.lastname@esat.kuleuven.be Abstract. Most masking
More informationFast Evaluation of Polynomials over Binary Finite Fields. and Application to Side-channel Countermeasures
Fast Evaluation of Polynomials over Binary Finite Fields and Application to Side-channel Countermeasures Jean-Sébastien Coron 1, Arnab Roy 1,2, Srinivas Vivek 1 1 University of Luxembourg 2 DTU, Denmark
More informationLinear Cryptanalysis of Reduced-Round PRESENT
Linear Cryptanalysis of Reduced-Round PRESENT Joo Yeon Cho 1 Helsinki University of Technology, Finland 2 Nokia A/S, Denmark joo.cho@tkk.fi Abstract. PRESENT is a hardware-oriented block cipher suitable
More informationLinear Cryptanalysis: Key Schedules and Tweakable Block Ciphers
Linear Cryptanalysis: Key Schedules and Tweakable Block Ciphers Thorsten Kranz, Gregor Leander, Friedrich Wiemer Horst Görtz Institute for IT Security, Ruhr University Bochum Block Cipher Design k KS m
More informationSymbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes
Symbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes Workshop PROOFS Inès Ben El Ouahma Quentin Meunier Karine Heydemann Emmanuelle Encrenaz Sorbonne Universités, UPMC Univ Paris
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2008 Konstantin Beznosov 09/16/08 Module Outline Stream ciphers under the hood Block ciphers
More informationBlock Ciphers that are Easier to Mask: How Far Can we Go?
Block Ciphers that are Easier to Mask: How Far Can we Go? Benoît Gérard, Vincent Grosso, María Naya-Plasencia, François-Xavier Standaert To cite this version: Benoît Gérard, Vincent Grosso, María Naya-Plasencia,
More informationComprehensive Evaluation of AES Dual Ciphers as a Side-Channel Countermeasure
Comprehensive Evaluation of AES Dual Ciphers as a Side-Channel Countermeasure Amir Moradi and Oliver Mischke Horst Görtz Institute for IT Security, Ruhr University Bochum, Germany {moradi,mischke}@crypto.rub.de
More informationHard Fault Analysis of Trivium
1 Hard Fault Analysis of Trivium Yupu Hu, Fengrong Zhang, and Yiwei Zhang, arxiv:0907.2315v1 [cs.cr] 14 Jul 2009 Abstract Fault analysis is a powerful attack to stream ciphers. Up to now, the major idea
More informationImproved Collision Attacks on the Reduced-Round Grøstl Hash Function
Improved Collision Attacks on the Reduced-Round Grøstl Hash Function Kota Ideguchi 1,3, Elmar Tischhauser 1,2,, and Bart Preneel 1,2 1 Katholieke Universiteit Leuven, ESAT-COSIC and 2 IBBT Kasteelpark
More informationA Collision-Attack on AES Combining Side Channel- and Differential-Attack
A Collision-Attack on AES Combining Side Channel- and Differential-Attack Kai Schramm, Gregor Leander, Patrick Felke, and Christof Paar Horst Görtz Institute for IT Security Ruhr-Universität Bochum, Germany
More informationStatistical and Linear Independence of Binary Random Variables
Statistical and Linear Independence of Binary Random Variables Kaisa Nyberg Department of Computer Science, Aalto University School of Science, Finland kaisa.nyberg@aalto.fi October 10, 2017 Abstract.
More informationPreimages for Step-Reduced SHA-2
Preimages for Step-Reduced SHA-2 Jian Guo 1 and Krystian Matusiewicz 2 1 Division of Mathematical Sciences School of Physical and Mathematical Sciences Nanyang Technological University, Singapore guojian@ntu.edu.sg
More informationChoosing Round Constants in Lightweight Block Ciphers and Cryptographic Permutations
Choosing Round Constants in Lightweight Block Ciphers and Cryptographic Permutations Christof Beierle SnT, University of Luxembourg, Luxembourg (joint work with Anne Canteaut, Gregor Leander, and Yann
More informationHigher-order differential properties of Keccak and Luffa
Higher-order differential properties of Keccak and Luffa Christina Boura 1,2, Anne Canteaut 1 and Christophe De Cannière 3 1 SECRET Project-Team - INRIA Paris-Rocquencourt - B.P. 105-78153 Le Chesnay Cedex
More informationConstant-Time Higher-Order Boolean-to-Arithmetic Masking
Constant-Time Higher-Order Boolean-to-Arithmetic Masking Michael Hutter and Michael Tunstall Cryptography Research, 425 Market Street, 11th Floor, San Francisco, CA 94105, United States {michael.hutter,michael.tunstall}@cryptography.com
More informationOn the Security of NOEKEON against Side Channel Cube Attacks
On the Security of NOEKEON against Side Channel Cube Attacks Shekh Faisal Abdul-Latip 1,2, Mohammad Reza Reyhanitabar 1, Willy Susilo 1, and Jennifer Seberry 1 1 Center for Computer and Information Security
More informationA New Distinguisher on Grain v1 for 106 rounds
A New Distinguisher on Grain v1 for 106 rounds Santanu Sarkar Department of Mathematics, Indian Institute of Technology, Sardar Patel Road, Chennai 600036, India. sarkar.santanu.bir@gmail.com Abstract.
More informationStream Ciphers: Cryptanalytic Techniques
Stream Ciphers: Cryptanalytic Techniques Thomas Johansson Department of Electrical and Information Technology. Lund University, Sweden ECRYPT Summer school 2007 (Lund University) Stream Ciphers: Cryptanalytic
More informationSharing Independence & Relabeling: Efficient Formal Verification of Higher-Order Masking
Sharing Independence & Relabeling: Efficient Formal Verification of Higher-Order Masking Roderick Bloem, Hannes Gross, Rinat Iusupov, Martin Krenn, and Stefan Mangard Institute for Applied Information
More informationAnalysis of Differential Attacks in ARX Constructions
.. Analysis of Differential Attacks in ARX Constructions Gaëtan Leurent UCL Crypto Group University of Luxembourg Asiacrypt 2012 G. Leurent (UCL & uni.lu) Analysis of Differential Attacks in ARX Constructions
More informationLinear Cryptanalysis of Reduced-Round Speck
Linear Cryptanalysis of Reduced-Round Speck Tomer Ashur Daniël Bodden KU Leuven and iminds Dept. ESAT, Group COSIC Address Kasteelpark Arenberg 10 bus 45, B-3001 Leuven-Heverlee, Belgium tomer.ashur-@-esat.kuleuven.be
More informationRevisit and Cryptanalysis of a CAST Cipher
2017 3rd International Conference on Electronic Information Technology and Intellectualization (ICEITI 2017) ISBN: 978-1-60595-512-4 Revisit and Cryptanalysis of a CAST Cipher Xiao Zhou, Jingwei Li, Xuejia
More informationRebound Attack on Reduced-Round Versions of JH
Rebound Attack on Reduced-Round Versions of JH Vincent Rijmen 1,2, Deniz Toz 1 and Kerem Varıcı 1, 1 Katholieke Universiteit Leuven Department of Electronical Engineering ESAT SCD-COSIC, and Interdisciplinary
More informationTHEORETICAL SIMPLE POWER ANALYSIS OF THE GRAIN STREAM CIPHER. A. A. Zadeh and Howard M. Heys
THEORETICAL SIMPLE POWER ANALYSIS OF THE GRAIN STREAM CIPHER A. A. Zadeh and Howard M. Heys Electrical and Computer Engineering Faculty of Engineering and Applied Science Memorial University of Newfoundland
More informationAnalysis of Modern Stream Ciphers
Analysis of Modern Stream Ciphers Josef Pieprzyk Centre for Advanced Computing Algorithms and Cryptography, Macquarie University, Australia CANS - Singapore - December 2007 estream Outline 1. estream Project
More informationLeakage Assessment Methodology - a clear roadmap for side-channel evaluations - Tobias Schneider and Amir Moradi
Leakage Assessment Methodology - a clear roadmap for side-channel evaluations - Tobias Schneider and Amir Moradi Wednesday, September 16 th, 015 Motivation Security Evaluation Motivation Security Evaluation
More informationOptimized Threshold Implementations: Securing Cryptographic Accelerators for Low-Energy and Low-Latency Applications
Optimized Threshold Implementations: Securing Cryptographic Accelerators for Low-Energy and Low-Latency Applications Dušan Božilov 1,2, Miroslav Knežević 1 and Ventzislav Nikov 1 1 NXP Semiconductors,
More informationLinear Cryptanalysis. Kaisa Nyberg. Department of Computer Science Aalto University School of Science. S3, Sackville, August 11, 2015
Kaisa Nyberg Department of Computer Science Aalto University School of Science s 2 r t S3, Sackville, August 11, 2015 Outline Linear characteristics and correlations Matsui s algorithms Traditional statistical
More informationEfficient Masked S-Boxes Processing A Step Forward
Efficient Masked S-Boxes Processing A Step Forward Vincent Grosso 1, Emmanuel Prouff 2, François-Xavier Standaert 1 1 ICTEAM/ELEN/Crypto Group, Université catholique de Louvain, Belgium. 2 ANSSI, 51 Bd
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2012 Konstantin Beznosov 1 Module Outline! Stream ciphers under the hood Block ciphers under
More informationHow to Improve Rebound Attacks. María Naya-Plasencia FHNW - Switzerland
How to Improve Rebound Attacks María Naya-Plasencia FHNW - Switzerland Outline 1 Hash Functions and the SHA-3 Competition 2 The Rebound Attack and Motivation 3 Merging Lists with Respect to t Problem 1
More informationHigher-order differential properties of Keccak and Luffa
Higher-order differential properties of Keccak and Luffa Christina Boura 1,2, Anne Canteaut 1, and Christophe De Cannière 3 1 SECRET Project-Team - INRIA Paris-Rocquencourt - B.P. 105 78153 Le Chesnay
More informationImproved Impossible Differential Cryptanalysis of Rijndael and Crypton
Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Jung Hee Cheon 1, MunJu Kim 2, Kwangjo Kim 1, Jung-Yeun Lee 1, and SungWoo Kang 3 1 IRIS, Information and Communications University,
More informationIntrinsic Side-Channel Analysis Resistance and Efficient Masking
Intrinsic Side-Channel Analysis Resistance and Efficient Masking A case study of the use of SCA-related metrics and of design strategies leading to low-cost masking for CAESAR candidates Ko Stoffelen Master
More informationMILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher
MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher Raghvendra Rohit, Riham AlTawy, and Guang Gong Department of Electrical and Computer Engineering, University of Waterloo, Waterloo,
More informationSimilarities between encryption and decryption: how far can we go?
Similarities between encryption and decryption: how far can we go? Anne Canteaut Inria, France and DTU, Denmark Anne.Canteaut@inria.fr http://www-rocq.inria.fr/secret/anne.canteaut/ SAC 2013 based on a
More informationMcBits: Fast code-based cryptography
McBits: Fast code-based cryptography Peter Schwabe Radboud University Nijmegen, The Netherlands Joint work with Daniel Bernstein, Tung Chou December 17, 2013 IMA International Conference on Cryptography
More informationBitslice Ciphers and Power Analysis Attacks
Bitslice Ciphers and Power Analysis Attacks Joan Daemen, Michael Peeters and Gilles Van Assche Proton World Intl. Rue Du Planeur 10, B-1130 Brussel, Belgium Email: {daemen.j, peeters.m, vanassche.g}@protonworld.com
More informationSome attacks against block ciphers
Some attacks against block ciphers hristina Boura École de printemps en codage et cryptographie May 19, 2016 1 / 59 Last-round attacks Outline 1 Last-round attacks 2 Higher-order differential attacks 3
More informationA Five-Round Algebraic Property of the Advanced Encryption Standard
A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationThe Hash Function JH 1
The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred
More informationDifferential Fault Analysis of Trivium
Differential Fault Analysis of Trivium Michal Hojsík 1,2 and Bohuslav Rudolf 2,3 1 Department of Informatics, University of Bergen, N-5020 Bergen, Norway 2 Department of Algebra, Charles University in
More informationA Sound Method for Switching between Boolean and Arithmetic Masking
A Sound Method for Switching between Boolean and Arithmetic Masking Louis Goubin CP8 Crypto Lab, SchlumbergerSema 36-38 rue de la Princesse, BP45 78430 Louveciennes Cedex, France Louis.Goubin@louveciennes.tt.slb.com
More informationOn the Masking Countermeasure and Higher-Order Power Analysis Attacks
1 On the Masking Countermeasure and Higher-Order Power Analysis Attacks François-Xavier Standaert, Eric Peeters, Jean-Jacques Quisquater UCL Crypto Group, Place du Levant, 3, B-1348 Louvain-La-Neuve, Belgium.
More informationA New Algorithm to Construct. Secure Keys for AES
Int. J. Contemp. Math. Sciences, Vol. 5, 2010, no. 26, 1263-1270 A New Algorithm to Construct Secure Keys for AES Iqtadar Hussain Department of Mathematics Quaid-i-Azam University, Islamabad, Pakistan
More informationWeaknesses in the HAS-V Compression Function
Weaknesses in the HAS-V Compression Function Florian Mendel and Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, A-8010
More informationParallel Implementations of Masking Schemes and the Bounded Moment Leakage Model
Parallel Implementations of Masking Schemes and the Bounded Moment Leakage Model Gilles Barthe 1, François Dupressoir 2, Sebastian Faust 3, Benjamin Grégoire 4, François-Xavier Standaert 5, and Pierre-Yves
More informationBit-Based Division Property and Application to Simon Family
Bit-Based Division Property and Application to Simon Family Yosuke Todo 1,2 and Masakatu Morii 2 1 NTT Secure Platform Laboratories, Tokyo, Japan todo.yosuke@lab.ntt.co.jp 2 Kobe University, Kobe, Japan
More informationLightweight Cryptography Meets Threshold Implementation: A Case Study for Simon
Lightweight Cryptography Meets Threshold Implementation: A Case Study for Simon by Aria Shahverdi A Thesis Submitted to the Faculty of the WORCESTER POLYTECHNIC INSTITUTE In partial fulfillment of the
More informationOn the Design of Trivium
On the Design of Trivium Yun Tian, Gongliang Chen, Jianhua Li School of Information Security Engineering, Shanghai Jiaotong University, China ruth tian@sjtu.edu.cn, chengl@sjtu.edu.cn, lijh888@sjtu.edu.cn
More informationMultiplicative Complexity Reductions in Cryptography and Cryptanalysis
Multiplicative Complexity Reductions in Cryptography and Cryptanalysis THEODOSIS MOUROUZIS SECURITY OF SYMMETRIC CIPHERS IN NETWORK PROTOCOLS - ICMS - EDINBURGH 25-29 MAY/2015 1 Presentation Overview Linearity
More informationMultiplicative Complexity Gate Complexity Cryptography and Cryptanalysis
Multiplicative Complexity Gate Complexity Cryptography and Cryptanalysis Nicolas T. Courtois 1,2, Daniel Hulme 1,2, Theodosis Mourouzis 1 1 University College London, UK 2 NP-Complete Ltd, UK Two Interesting
More informationDifferential Analysis of the LED Block Cipher
Differential Analysis of the LED Block Cipher Florian Mendel, Vincent Rijmen, Deniz Toz, Kerem Varıcı KU Leuven, ESAT/COSIC and IBBT, Belgium {florian.mendel,vincent.rijmen,deniz.toz,kerem.varici}@esat.kuleuven.be
More informationExtending Glitch-Free Multiparty Protocols to Resist Fault Injection Attacks
Extending Glitch-Free Multiparty Protocols to Resist Fault Injection Attacks Okan Seker 1, Thomas Eisenbarth 1, and Rainer Steinwandt 2 1 Worcester Polytechnic Institute, Worcester, MA, USA {oseker,teisenbarth}@wpiedu
More informationCryptanalysis of Full Sprout
Cryptanalysis of Full Sprout Virginie Lallemand and María Naya-Plasencia Inria, France Abstract. A new method for reducing the internal state size of stream cipher registers has been proposed in FSE 2015,
More informationPreimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function
Preimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function Gaoli Wang 1 and Yanzhao Shen 1 1 School of Computer Science and Technology, Donghua University, Shanghai 201620, China wanggaoli@dhu.edu.cn,
More informationCold Boot Key Recovery by Solving Polynomial Systems with Noise
Cold Boot Key Recovery by Solving Polynomial Systems with Noise Martin R. Albrecht 1 & Carlos Cid 2 Team Salsa, LIP6, UPMC Information Security Group, Royal Holloway, University of London DTU, 04. April
More informationLinear Regression Side Channel Attack Applied on Constant XOR
Linear Regression Side Channel Attack Applied on Constant XOR Shan Fu ab, Zongyue Wang c, Fanxing Wei b, Guoai Xu a, An Wang d a National Engineering Laboratory of Mobile Internet Security, Beijing University
More informationOn the Practical Security of a Leakage Resilient Masking Scheme
On the Practical Security of a Leakage Resilient Masking Scheme T. Roche thomas.roche@ssi.gouv.fr Joint work with E. Prouff and M. Rivain French Network and Information Security Agency (ANSSI) CryptoExperts
More informationProving Resistance against Invariant Attacks: How to Choose the Round Constants
Proving Resistance against Invariant Attacks: How to Choose the Round Constants Christof Beierle 1, Anne Canteaut 2, Gregor Leander 1, and Yann Rotella 2 1 Horst Görtz Institute for IT Security, Ruhr-Universität
More informationSMASH - A Cryptographic Hash Function
SMASH - A Cryptographic Hash Function Lars R. Knudsen Department of Mathematics, Technical University of Denmark Abstract. 1 This paper presents a new hash function design, which is different from the
More informationPower Analysis of Hardware Implementations Protected with Secret Sharing
Power Analysis of Hardware Implementations Protected with Secret Sharing Guido Bertoni, Joan Daemen, Nicolas Debande, Thanh-Ha Le, Michaël Peeters and Gilles Van Assche, STMicroelectronics, Morpho, TELECOM
More informationA Polynomial Description of the Rijndael Advanced Encryption Standard
A Polynomial Description of the Rijndael Advanced Encryption Standard arxiv:cs/0205002v1 [cs.cr] 2 May 2002 Joachim Rosenthal Department of Mathematics University of Notre Dame Notre Dame, Indiana 46556,
More informationOn the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking
On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun Goudarzi 1,2 and Matthieu Rivain 1 1 CryptoExperts, Paris, France 2 ENS, CNRS, INRIA and PSL Research University,
More information