Block Ciphers and Side Channel Protection

Size: px

Start display at page:

Download "Block Ciphers and Side Channel Protection"

Charity Peters
5 years ago
Views:

1 Block Ciphers and Side Channel Protection Gregor Leander

2 Main Idea Side-Channel Resistance Without protection having a strong cipher is useless Therefore: Masking necessary Usual Approach 1 Design a cipher 2 Try to mask it efficiently

3 Side-Channel Resistance by Design Usual Approach 1 Design a cipher 2 Try to mask it efficiently Better Design ciphers that are easy to mask NOEKEON PICARO ZORRO LS-Designs

4 Outline 1 2

5 Masking: Compute on Shares (Boolean)-Sharing Split the input x F n 2 into r shares x i F n 2 x = x 1 x 2... x r (n-out-of-n secret sharing). MPC-like computation Avoid to compute on the input directly, but on the shares. Easy for linear operations, i.e. XOR Expensive for non-linear operations, e.g. AND

6 One Application FSE 2014: LS-Designs [GLSVar] A family of easy to mask block ciphers Designed by UC-Louvain and INRIA Main idea Opposite approach of what is done usually: Use tables for the linear-layer Use (few) logical operations for S-boxes Two instances: Robin and iscream Fantomas and Scream

7 One square is a bit. Columns are stored in registers Robin and iscream

8 One square is a bit. Columns are stored in registers Robin and iscream S-Box

9 One square is a bit. Columns are stored in registers Robin and iscream S-Box S-Box

10 One square is a bit. Columns are stored in registers Robin and iscream S-Box S-Box S-Box

11 One square is a bit. Columns are stored in registers Robin and iscream S-Box S-Box S-Box S-Box

12 One square is a bit. Columns are stored in registers Robin and iscream S-Box S-Box S-Box S-Box S-Box

13 One square is a bit. Columns are stored in registers Robin and iscream S-Box S-Box S-Box S-Box S-Box S-Box

14 One square is a bit. Columns are stored in registers Robin and iscream S-Box S-Box S-Box S-Box S-Box S-Box S-Box

15 One square is a bit. Columns are stored in registers Robin and iscream S-Box S-Box S-Box S-Box S-Box S-Box S-Box S-Box

16 One square is a bit. Columns are stored in registers Robin and iscream L

17 One square is a bit. Columns are stored in registers Robin and iscream L L

18 One square is a bit. Columns are stored in registers Robin and iscream L L L

19 One square is a bit. Columns are stored in registers Robin and iscream L L L L

20 One square is a bit. Columns are stored in registers Robin and iscream L L L L L

21 One square is a bit. Columns are stored in registers Robin and iscream L L L L L L

22 One square is a bit. Columns are stored in registers Robin and iscream L L L L L L L

23 One square is a bit. Columns are stored in registers Robin and iscream L L L L L L L L

24 One square is a bit. Columns are stored in registers Robin and iscream c

25 Bit-Sliced: From One To Many x 0 x 1 x 2 x 3 S-box y 0 y 1 y 2 y 3 Bit Sliced (cf. Serpent) Instead of using LUT use the algebraic description. Example y 0 = x 0 x 1 + x 3 y 1 = x 1 x 3 + x 2 x 3 y 2 = x 0 x 1 x 3 + x 1 y 4 = x 2 x 3 + x 1 x 3 + x 1 + x 3

26 Bit-Sliced: From One To Many Example y 0 = x 0 x 1 + x 3 y 1 = x 1 x 3 + x 2 x 3 y 2 = x 0 x 1 x 3 + x 1 y 4 = x 2 x 3 + x 1 x 3 + x 1 + x 3

27 Bit-Sliced: From One To Many Example y 0 = x 0 x 1 + x 3 y 1 = x 1 x 3 + x 2 x 3 y 2 = x 0 x 1 x 3 + x 1 y 4 = x 2 x 3 + x 1 x 3 + x 1 + x 3 Many Sboxes Replace bits by registers. Advantages: n-bit registers n-sboxes at once Easier to mask than LUTs.

28 The Linear Layer Bit-Sliced Sbox Simply use Tables for the L i. Input to L i in one register.

29 The Sbox Task Find a good/optimal Sbox using a minimal number of non-linear operations. Two approaches: Find the best implementation of a given S-box (e.g. [Sto16]) Find the cryptographically strong S-box that can be implemented most efficiently (cf. [UCI + 11]) 4-bit For 4 bits both approaches possible.

30 Optimal 4 Bit Solution (I/II) Class 13 from [UCI + 11].

31 Optimal 4 Bit Solution (II/II) MSB LSB MSB LSB Used in SKINNY [?]

32 Larger S-boxes Task How to construct larger S-boxes? Idea: Build on Small Ones Use small Sboxes to construct larger ones.

33 For 8-Bit Possible Constructions (cf. [GLSVar]) 1 1 Thanks to Gaëtan Leurent for the picture

34 Choice for ROBIN Feistel+Class 13.

35 The Robin Sbox S(, a, b, 0, 0, a, 0, a b) = (, α, β, 0, 0, α, 0, α β)

36 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * a 7 b a 7 0 c 7 * a 6 b a 6 0 c 6 * a 5 b a 5 0 c 5 * a 4 b a 4 0 c 4 * a 3 b a 3 0 c 3 * a 2 b a 2 0 c 2 * a 1 b a 1 0 c 1 * a 0 b a 0 0 c 0

37 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * a 7 b 7 0S-Box 0 a 7 0 c 7 * a 6 b 6 0S-Box 0 a 6 0 c 6 * a 5 b 5 0S-Box 0 a 5 0 c 5 * a 4 b 4 0S-Box 0 a 4 0 c 4 * a 3 b 3 0S-Box 0 a 3 0 c 3 * a 2 b 2 0S-Box 0 a 2 0 c 2 * a 1 b 1 0S-Box 0 a 1 0 c 1 * a 0 b 0 0S-Box 0 a 0 0 c 0

38 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * a 7 b 7 0S-Box 0 a 7 0 c 7 * a 6 b 6 0S-Box 0 a 6 0 c 6 * a 5 b 5 0S-Box 0 a 5 0 c 5 * a 4 b 4 0S-Box 0 a 4 0 c 4 * a 3 b 3 0S-Box 0 a 3 0 c 3 * a 2 b 2 0S-Box 0 a 2 0 c 2 * a 1 b 1 0S-Box 0 a 1 0 c 1 * α 0 β α 0 0 γ 0

39 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * a 7 b 7 0S-Box 0 a 7 0 c 7 * a 6 b 6 0S-Box 0 a 6 0 c 6 * a 5 b 5 0S-Box 0 a 5 0 c 5 * a 4 b 4 0S-Box 0 a 4 0 c 4 * a 3 b 3 0S-Box 0 a 3 0 c 3 * a 2 b 2 0S-Box 0 a 2 0 c 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0

40 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * a 7 b 7 0S-Box 0 a 7 0 c 7 * a 6 b 6 0S-Box 0 a 6 0 c 6 * a 5 b 5 0S-Box 0 a 5 0 c 5 * a 4 b 4 0S-Box 0 a 4 0 c 4 * a 3 b 3 0S-Box 0 a 3 0 c 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0

41 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * a 7 b 7 0S-Box 0 a 7 0 c 7 * a 6 b 6 0S-Box 0 a 6 0 c 6 * a 5 b 5 0S-Box 0 a 5 0 c 5 * a 4 b 4 0S-Box 0 a 4 0 c 4 * α 3 β α 3 0 γ 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0

42 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * a 7 b 7 0S-Box 0 a 7 0 c 7 * a 6 b 6 0S-Box 0 a 6 0 c 6 * a 5 b 5 0S-Box 0 a 5 0 c 5 * α 4 β α 4 0 γ 4 * α 3 β α 3 0 γ 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0

43 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * a 7 b 7 0S-Box 0 a 7 0 c 7 * a 6 b 6 0S-Box 0 a 6 0 c 6 * α 5 β α 5 0 γ 5 * α 4 β α 4 0 γ 4 * α 3 β α 3 0 γ 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0

44 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * a 7 b 7 0S-Box 0 a 7 0 c 7 * α 6 β α 6 0 γ 6 * α 5 β α 5 0 γ 5 * α 4 β α 4 0 γ 4 * α 3 β α 3 0 γ 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0

45 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * α 7 β α 7 0 γ 7 * α 6 β α 6 0 γ 6 * α 5 β α 5 0 γ 5 * α 4 β α 4 0 γ 4 * α 3 β α 3 0 γ 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0

46 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * α 7 β α 7 0 γ 7 * α 6 β α 6 0 γ 6 * α 5 β α 5 0 γ 5 * α 4 β α 4 0 γ 4 L L L L L L L L * α 3 β α 3 0 γ 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0

47 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * α 7 β α 7 0 γ 7 * α 6 β α 6 0 γ 6 * α 5 β α 5 0 γ 5 * α 4 β α 4 0 γ 4 L L L L L L L * α 3 β α 3 0 γ 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0

48 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * α 7 β α 7 0 γ 7 * α 6 β α 6 0 γ 6 * α 5 β α 5 0 γ 5 * α 4 β α 4 0 γ 4 L L L L L L * α 3 β α 3 0 γ 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0

49 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * α 7 β α 7 0 γ 7 * α 6 β α 6 0 γ 6 * α 5 β α 5 0 γ 5 * α 4 β α 4 0 γ 4 L L L L L * α 3 β α 3 0 γ 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0

50 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * α 7 β α 7 0 γ 7 * α 6 β α 6 0 γ 6 * α 5 β α 5 0 γ 5 * α 4 β α 4 0 γ 4 L L L L * α 3 β α 3 0 γ 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0

51 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * α 7 β α 7 0 γ 7 * α 6 β α 6 0 γ 6 * α 5 β α 5 0 γ 5 * α 4 β α 4 0 γ 4 L L L * α 3 β α 3 0 γ 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0

52 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * α 7 β α 7 0 γ 7 * α 6 β α 6 0 γ 6 * α 5 β α 5 0 γ 5 * α 4 β α 4 0 γ 4 L L * α 3 β α 3 0 γ 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0

53 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * α 7 β α 7 0 γ 7 * α 6 β α 6 0 γ 6 * α 5 β α 5 0 γ 5 * α 4 β α 4 0 γ 4 L * α 3 β α 3 0 γ 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0

54 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * α 7 β α 7 0 γ 7 * α 6 β α 6 0 γ 6 * α 5 β α 5 0 γ 5 * α 4 β α 4 0 γ 4 * α 3 β α 3 0 γ 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0

55 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * α 7 β α 7 0 γ 7 * α 6 β α 6 0 γ 6 * α 5 β α 5 0 γ 5 * α 4 β α 4 0 γ 4 * α 3 β α 3 0 γ 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0

56 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * α 7 β α 7 0 γ 7 * α 6 β α 6 0 γ 6 c * α 5 β α 5 0 γ 5 * α 4 β α 4 0 γ 4 * α 3 β α 3 0 γ 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0

57 c i = a i b i γ i = α i β i A Symmetry in Robin and iscream * α 7 β α 7 0 γ 7 * α 6 β α 6 0 γ 6 * α 5 β α 5 0 γ 5 * α 4 β α 4 0 γ 4 * α 3 β α 3 0 γ 3 * α 2 β α 2 0 γ 2 * α 1 β α 1 0 γ 1 * α 0 β α 0 0 γ 0

58 Take Care Symmetries Simple Sbox might allow for symmetries Easy to avoid by choosing constants well Similar attacks on Scream Zorro... Improved LS-Designs XLS - took this into account

59 Outline 1 2

60 TI: Compute on Shares (Boolean)-Sharing Split the input x F n 2 into r shares x i F n 2 x = x 1 x 2... x r (n-out-of-n secret sharing). MPC-like computation Never compute on all shares simultaneously. Compute on r 1 shares at a time Make sure that the computation is correct. Threshold Implementation [NRR06] is a concrete way to achieve the above.

61 TI - In A Picture x = x a + x b + x c f f a f b f c y = y a + y b + y c 2 2 Thanks to J. Daemen for the picture

62 TI - More Formally Given a permutation F : F n 2 Fn 2 and x = x 1... x t construct t functions F i : F (t 1) 2 F n 2 such that F 1 (x 2,..., x t ) F t (x 1, x 2,..., x t 1 ) = F (x 1 x t ) = F(x) (F i is independent of x i )

63 TI - Main Properties x = (x 1,..., x t ) For a TI we need three important properties. Correctness Non-Completeness Uniformity

64 TI - Correctness Correctness F 1 (x) F 2 (x) F t (x) = F(x) Easy to achieve.

65 TI - In A Picture x = x a + x b + x c f f a f b f c y = y a + y b + y c 3 3 Thanks to J. Daemen for the picture

66 TI - Non-Completeness Non-Completeness F i (x) is independent of x i (wlog) Easy to achieve.

67 TI - Non-Completeness Non-Completeness F i (x) is independent of x i (wlog) Easy to achieve. Correctness and Non-Completeness possible iff t deg(f) + 1

68 TI - Non-Completeness x = x a + x b + x c f f a f b f c y = y a + y b + y c 4 4 Thanks to J. Daemen for the picture

69 TI - Uniformity Uniformity x (F 1 (x),..., F t (x) = F(x)) is a permutation on tn bits. Easy to achieve on its own But: Achieving all at the same time is difficult

70 TI - Uniformity x = x a + x b + x c f f a f b f c y = y a + y b + y c 5 5 Thanks to J. Daemen for the picture

71 TI - Quadratic Case Let us focus on the quadratic case. Q : F n 2 Fn 2 quadratic Quadratic 3.rd derivative is constant zero a Q(x) := Q(x) Q(x a) linear a,b Q(x) := b ( a Q(x)) constant a,b,c Q(x) := c ( b ( a Q(x))) constant zero

72 TI - Quadratic Case Let us focus on the quadratic case. Q : F n 2 Fn 2 quadratic Quadratic 3.rd derivative is constant zero a Q(x) := Q(x) Q(x a) linear a,b Q(x) := b ( a Q(x)) constant a,b,c Q(x) := c ( b ( a Q(x))) constant zero Why does this help to construct TI?

73 TI - Quadratic Case Non-complete and Correct TI +Q(x + c) + Q(x + c + a) + Q(x + b + c) + Q(x + a + b + c) 0 = a,b,c Q(x) = c ( b ( a Q(x))) = c ( b (Q(x) + Q(x + a))) = c (Q(x) + Q(x + a) + Q(x + b) + Q(x + a + b)) = Q(x) + Q(x + a) + Q(x + b) + Q(x + a + b)

74 TI - Quadratic Case Non-complete and Correct TI +Q(x + c) + Q(x + c + a) + Q(x + b + c) + Q(x + a + b + c) 0 = Q(x) + Q(x + a) + Q(x + b) + Q(x + a + b) For x = 0 we get (wlog Q(0) = 0) Q(a + b + c) = Q(b + c) + Q(c) +Q(a + c) + Q(a) +Q(a + b) + Q(b)

75 TI - Quadratic Case Non-complete and Correct TI Q(a + b + c) = Q(b + c) + Q(c) +Q(a + c) + Q(a) +Q(a + b) + Q(b) For a = x a, b = x b, c = x c and x = x a + x b + x c we get Q(x) = Q(x b + x c ) + Q(x c ) +Q(x a + x c ) + Q(x a ) +Q(x a + x b ) + Q(x b )

76 TI - Quadratic Case Non-complete and Correct TI Q(a + b + c) = Q(b + c) + Q(c) +Q(a + c) + Q(a) +Q(a + b) + Q(b) For a = x a, b = x b, c = x c and x = x a + x b + x c we get Q(x) = Q(x b + x c ) + Q(x c ) := f a (x b, x c ) +Q(x a + x c ) + Q(x a ) +Q(x a + x b ) + Q(x b )

77 TI - Quadratic Case Non-complete and Correct TI Q(a + b + c) = Q(b + c) + Q(c) +Q(a + c) + Q(a) +Q(a + b) + Q(b) For a = x a, b = x b, c = x c and x = x a + x b + x c we get Q(x) = Q(x b + x c ) + Q(x c ) := f a (x b, x c ) +Q(x a + x c ) + Q(x a ) := f b (x a, x c ) +Q(x a + x b ) + Q(x b )

78 TI - Quadratic Case Non-complete and Correct TI Q(a + b + c) = Q(b + c) + Q(c) +Q(a + c) + Q(a) +Q(a + b) + Q(b) For a = x a, b = x b, c = x c and x = x a + x b + x c we get Q(x) = Q(x b + x c ) + Q(x c ) := f a (x b, x c ) +Q(x a + x c ) + Q(x a ) := f b (x a, x c ) +Q(x a + x b ) + Q(x b ) := f c (x a, x b )

79 TI - 2 out of 3 x = x a + x b + x c f f a f b f c y = y a + y b + y c 6 6 Thanks to J. Daemen for the picture

80 Correction Terms f a (x b, x c ) = Q(x b + x c ) + Q(x c ) f b (x a, x c ) = Q(x a + x c ) + Q(x a ) f c (x a, x b ) = Q(x a + x b ) + Q(x b ) How To Get Uniformity Make this a permutation.

81 Correction Terms f a (x b, x c ) = Q(x b + x c ) + Q(x c ) + C b (x b ) + C c (x c ) f b (x a, x c ) = Q(x a + x c ) + Q(x a ) + C a (x a ) + C c (x c ) f c (x a, x b ) = Q(x a + x b ) + Q(x b ) + C a (x a ) + C b (x b ) How To Get Uniformity Make this a permutation. Add Correction Terms. Keep Non-completeness Keep Correctness Might give uniformity.

82 Correction Terms Finding CT High complexity. Even for small n 5. Possible for n = 3, 4 [BNN + 12] Sometimes for n = 5. Task How to find TI of larger S-boxes (e.g. n = 8)? For a given S-box: Decomposition For some good S-box: As for masking.

83 TI - Construction of Larger S-boxes Possible Constructions (cf. [BGG + 16])

84 TI - Feistel Feistel For Feistel one gets uniformity for free Use direct sharing Result is a Feistel structure again

85 TI - Feistel x 3 y 3 y 2 y 1 x 2 x 1 f 1 f 2 f 3 x 3 x 2 x 1 z 3 z 2 z 1

86 Uniformity: Out of the box solution x a x b x c r b r c S a S b S c R b R c y a y b y c Presented by J. Daemen in [Dae17].

87 Uniformity: Out of the box solution r b r c a 0 b 0 c 0 a 1 b 1 c 1 a 2 b 2 c 2 S a S b S c S a S b S c S a S b S c A 0 B 0 C 0 A 1 B 1 C 1 A 2 B 2 C 2 R c R b 7 7 Thanks to J. Daemen for the picture

88 References I Erik Boss, Vincent Grosso, Tim Güneysu, Gregor Leander, Amir Moradi, and Tobias Schneider, Strong 8-bit Sboxes with Efficient Masking in Hardware, CHES 2016, Begül Bilgin, Svetla Nikova, Ventzislav Nikov, Vincent Rijmen, and Georg Stütz, Threshold Implementations of All 3 3 and 4 4 S-Boxes, CHES 2012, Lecture Notes in Computer Science, vol. 7428, Springer, 2012, pp Joan Daemen, Changing of the guards: A simple and efficient method for achieving uniformity in threshold sharing, Cryptographic Hardware and Embedded Systems - CHES th International Conference, Taipei, Taiwan, September 25-28, 2017, Proceedings (Wieland Fischer and Naofumi Homma, eds.), Lecture Notes in

89 References II Computer Science, vol , Springer, 2017, pp Vincent Grosso, Gaëtan Leurent, François-Xavier Standaert, and Kerem Varıcı, LS-Designs: Bitslice Encryption for Efficient Masked Software Implementations, Fast Software Encryption (FSE), LNCS, Springer, 2014, to appear. Svetla Nikova, Christian Rechberger, and Vincent Rijmen, Threshold implementations against side-channel attacks and glitches, Information and Communications Security, 8th International Conference, ICICS 2006, Raleigh, NC, USA, December 4-7, 2006, Proceedings (Peng Ning, Sihan Qing, and Ninghui Li, eds.), Lecture Notes in Computer Science, vol. 4307, Springer, 2006, pp

90 References III Ko Stoffelen, Optimizing s-box implementations for several criteria using SAT solvers, Fast Software Encryption - 23rd International Conference, FSE 2016, Bochum, Germany, March 20-23, 2016, Revised Selected Papers (Thomas Peyrin, ed.), Lecture Notes in Computer Science, vol. 9783, Springer, 2016, pp Markus Ullrich, Christophe De Cannière, Sebastiaan Indesteege,, Özgül Küçük, Nicky Mouha, and Bart Preneel, Finding Optimal Bitsliced Implementations of 4 x 4 bit S-boxes, SKEW, 2011.

91 The End Thank you very much.

LS-Designs. Bitslice Encryption for Efficient Masked Software Implementations

LS-Designs. Bitslice Encryption for Efficient Masked Software Implementations Bitslice Encryption for Efficient Masked Software Implementations Vincent Grosso 1 Gaëtan Leurent 1,2 François Xavier Standert 1 Kerem Varici 1 1 UCL, Belgium 2 Inria, France FSE 2014 G Leurent (UCL,Inria)