Masking the GLP Lattice-Based Signature Scheme at any Order
|
|
- Cory Sims
- 5 years ago
- Views:
Transcription
1 Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software Institute) Sonia Belaïd (CryptoExperts) Thomas Espitau (UPMC) Pierre-Alain Fouque (Univ. Rennes I and IUF) Benjamin Grégoire (INRIA Sophia Antipolis) Mélissa Rossi (ENS Paris and Thales) Mehdi Tibouchi (NTT Secure Platform Laboratories) May 1st 2018 Eurocrypt
2 Masking a post-quantum signature Numerous side channel attacks against lattice-based schemes (Gaussian distributions, rejection sampling) Few countermeasures exist, especially on signatures Call for concrete implementations of post-quantum cryptography Strong countermeasures needed
3 Leakage models and masking Input Algorithm Returned value
4 Leakage models and masking Input Ishai, Sahai and Wagner model [ISW03] : The attacker can access the exact values of at most d intermediate values Algorithm Proof-Friendly Returned value
5 Leakage models and masking Input Ishai, Sahai and Wagner model [ISW03] : The attacker can access the exact values of at most d intermediate values Algorithm Proof-Friendly Noisy leakage model [CJRR99, PR13]: The attacker can access the noisy values of all the intermediate values Returned value Realistic
6 Leakage models and masking Input Security in the ISW model: d order masking Each sensitive value is replaced by d + 1 shares. Algorithm Returned value
7 Leakage models and masking Input Security in the ISW model: d order masking Each sensitive value is replaced by d + 1 shares. Algorithm Such that it is impossible to recover the value without having all d + 1 shares = Returned value
8 Leakage models and masking Input Security in the ISW model: d order masking Each sensitive value is replaced by d + 1 shares. Algorithm Such that it is impossible to recover the value without having all d + 1 shares = Returned value Any strict subset of at most d shares is independant from the sensitive value
9 Our contribution The first provable masked implementation of a lattice-based signature scheme at any order New techniques for masking lattice-based Fiat Shamir with abort signatures New proofs for masking probabilistic algorithms
10 1 The signature 1 Why GLP signature scheme? 2 GLP signature scheme 2 The countermeasure and its proof 1 Structure of the countermeasure and its proof 2 Masking GLP key generation 3 Masking GLP signature 4 Composition 5 Conversions Boolean to arithmetic 3 Performances
11 Why GLP signature scheme? Introduced in [Lyu09, Lyu12] Implemented by Güneysu, Lyubashevsky and Pöppelmann in [GLP12] Ancestor of BLISS and Dilithium No Gaussians, only uniform distributions
12 Why GLP signature scheme? Introduced in [Lyu09, Lyu12] Implemented by Güneysu, Lyubashevsky and Pöppelmann in [GLP12] Ancestor of BLISS and Dilithium No Gaussians, only uniform distributions But still some new difficulties Probabilistic algorithm Reliance on rejection sampling
13 GLP Key derivation R = Z p[x] (x n +1) R k : coefficients in the range [ k, k] Algorithm 1 GLP key derivation Ensure: Signing key sk, verification key pk 1: s 1, s 2 $ R 1 //s 1 and s 2 have coefficients in { 1, 0, 1} 2: a $ R 3: t as 1 + s 2 4: sk (s 1, s 2 ) 5: pk (a, t) Based on the Decisional Compact Knapsack problem
14 GLP signature Fiat Shamir with abort signature Algorithm 2 GLP sign Require: m, pk = (a, t), sk = (s 1, s 2 ) Ensure: Signature σ 1: y 1, y $ 2 R k Random generation 2: c H(r = ay 1 + y 2, m) Commitment and challenge 3: z 1 s 1c + y 1 4: z 2 s 2c + y 2 5: if z 1 or z 2 / R k α then restart Rejection Sampling 6: return σ = (z 1, z 2, c) k = 2 14 α = 16 n = 512 p = Verification : z 1, z 2 R k α and c = H(az 1 + z 2 tc, m)
15 The signature The countermeasure and its proof Performances Structure of the countermeasure and its proof 1 The signature and key derivation algorithms are divided in blocks Future work
16 The signature The countermeasure and its proof Performances Structure of the countermeasure and its proof 1 The signature and key derivation algorithms are divided in blocks 2 Each block is proven securely masked with one of the following properties Future work
17 The signature The countermeasure and its proof Performances Structure of the countermeasure and its proof 1 The signature and key derivation algorithms are divided in blocks 2 Each block is proven securely masked with one of the following properties Unmasked For non sensitive parts. Future work
18 The signature The countermeasure and its proof Performances Structure of the countermeasure and its proof 1 The signature and key derivation algorithms are divided in blocks 2 Each block is proven securely masked with one of the following properties Unmasked For non sensitive parts. Non interferent Every set of at most d intermediate variables can be perfectly simulated with at most d shares of each input. Future work
19 The signature The countermeasure and its proof Performances Future work Structure of the countermeasure and its proof 1 The signature and key derivation algorithms are divided in blocks 2 Each block is proven securely masked with one of the following properties Unmasked For non sensitive parts. Non interferent Every set of at most d intermediate variables can be perfectly simulated with at most d shares of each input. Non interferent with public outputs Every set of at most d intermediate variables can be perfectly simulated with the public outputs and at most d shares of each input.
20 The signature The countermeasure and its proof Performances Future work Structure of the countermeasure and its proof 1 The signature and key derivation algorithms are divided in blocks 2 Each block is proven securely masked with one of the following properties Unmasked For non sensitive parts. Non interferent Every set of at most d intermediate variables can be perfectly simulated with at most d shares of each input. Non interferent with public outputs Every set of at most d intermediate variables can be perfectly simulated with the public outputs and at most d shares of each input. We give some values (called outputs) to the attacker and prove that the countermeasure does not leak more than the outputs.
21 The signature The countermeasure and its proof Performances Future work Structure of the countermeasure and its proof 1 The signature and key derivation algorithms are divided in blocks 2 Each block is proven securely masked with one of the following properties Unmasked For non sensitive parts. Non interferent Every set of at most d intermediate variables can be perfectly simulated with at most d shares of each input. Non interferent with public outputs Every set of at most d intermediate variables can be perfectly simulated with the public outputs and at most d shares of each input. We give some values (called outputs) to the attacker and prove that the countermeasure does not leak more than the outputs. 3 A composition proof combines all the securities to the whole scheme
22 Masking GLP key generation Algorithm 1 GLP key generation Ensure: Signing key sk, verification key pk 1: s 1, s 2 $ R 1 //s 1 and s 2 have coefficients in { 1, 0, 1} 2: a $ R 3: t as 1 + s 2 4: sk (s 1, s 2 ) 5: pk (a, t) s1 s2
23 Masking GLP key generation Algorithm 1 GLP key generation Ensure: Signing key sk, verification key pk 1: s 1, s 2 $ R 1 //s 1 and s 2 have coefficients in { 1, 0, 1} 2: a $ R 3: t as 1 + s 2 4: sk (s 1, s 2 ) 5: pk (a, t) a s1 s2
24 Masking GLP key generation Algorithm 1 GLP key generation Ensure: Signing key sk, verification key pk 1: s 1, s 2 $ R 1 //s 1 and s 2 have coefficients in { 1, 0, 1} 2: a $ R 3: t as 1 + s 2 4: sk (s 1, s 2 ) 5: pk (a, t) a s1 s2 H 1 t
25 Masking GLP key generation Algorithm 1 GLP key generation Ensure: Signing key sk, verification key pk 1: s 1, s 2 $ R 1 //s 1 and s 2 have coefficients in { 1, 0, 1} 2: a $ R 3: t as 1 + s 2 4: sk (s 1, s 2 ) 5: pk (a, t) a s1 s1 s2 H 1 t s2
26 Masking GLP key generation Algorithm 1 GLP key generation Ensure: Signing key sk, verification key pk 1: s 1, s 2 $ R 1 //s 1 and s 2 have coefficients in { 1, 0, 1} 2: a $ R 3: t as 1 + s 2 4: sk (s 1, s 2 ) 5: pk (a, t) a s1 s1 H 1 t FullAdd t s2 s2
27 Masking GLP key generation Algorithm 1 GLP key generation Ensure: Signing key sk, verification key pk 1: s 1, s 2 $ R 1 //s 1 and s 2 have coefficients in { 1, 0, 1} 2: a $ R 3: t as 1 + s 2 4: sk (s 1, s 2 ) 5: pk (a, t) a H 1 FullAdd t Not masked Non interferent Non interferent with public output
28 Masking the signature Algorithm 2 GLP sign Require: m, pk = (a, t), sk = (s 1, s 2 ) Ensure: Signature σ 1: y 1, y $ 2 R k 2: c H(r = ay 1 + y 2, m) 3: z 1 s 1c + y 1 4: z 2 s 2c + y 2 5: if z 1 or z 2 / R k α then restart 6: return σ = (z 1, z 2, c)
29 Masking the signature Algorithm 2 GLP sign Require: m, pk = (a, t), sk = (s 1, s 2 ) Ensure: Signature σ 1: y 1, y $ 2 R k 2: c H(r = ay 1 + y 2, m) 3: z 1 s 1c + y 1 4: z 2 s 2c + y 2 5: if z 1 or z 2 / R k α then restart 6: return σ = (z 1, z 2, c) Masking the commitment : unnecessary Distinguishing (c, r) pairs from uniform is heuristically 1 a hard problem even for rejected executions. 1 Thanks to V. Lyubashevsky, we also provided a non heuristic approach which requires somes changes in the algorithm
30 Masking the signature Algorithm 3 Tweaked GLP sign Require: m, pk = (a, t), sk = (s 1, s 2 ) Ensure: Signature σ 1: $ y 1, y 2 Rk 2: c H(r = ay 1 + y 2, m) 3: z 1 s 1 c + y 1 4: z 2 s 2 c + y 2 5: if z 1 or z 2 / R k α then return 6: return σ = (z 1, z 2, c) y1 y2
31 Masking the signature Algorithm 3 Tweaked GLP sign Require: m, pk = (a, t), sk = (s 1, s 2 ) Ensure: Signature σ 1: $ y 1, y 2 Rk 2: c H(r = ay 1 + y 2, m) 3: z 1 s 1 c + y 1 4: z 2 s 2 c + y 2 5: if z 1 or z 2 / R k α then return 6: return σ = (z 1, z 2, c) a y1 y2 H 1 r
32 Masking the signature Algorithm 3 Tweaked GLP sign Require: m, pk = (a, t), sk = (s 1, s 2 ) Ensure: Signature σ 1: $ y 1, y 2 Rk 2: c H(r = ay 1 + y 2, m) 3: z 1 s 1 c + y 1 4: z 2 s 2 c + y 2 5: if z 1 or z 2 / R k α then return 6: return σ = (z 1, z 2, c) a y1 H 1 r FullAdd r y2
33 Masking the signature Algorithm 3 Tweaked GLP sign Require: m, pk = (a, t), sk = (s 1, s 2 ) Ensure: Signature σ 1: $ y 1, y 2 Rk 2: c H(r = ay 1 + y 2, m) 3: z 1 s 1 c + y 1 4: z 2 s 2 c + y 2 5: if z 1 or z 2 / R k α then return 6: return σ = (z 1, z 2, c) a m y1 H 1 r FullAdd r Hash c y2
34 Masking the signature Algorithm 3 Tweaked GLP sign Require: m, pk = (a, t), sk = (s 1, s 2 ) Ensure: Signature σ 1: $ y 1, y 2 Rk 2: c H(r = ay 1 + y 2, m) 3: z 1 s 1 c + y 1 4: z 2 s 2 c + y 2 5: if z 1 or z 2 / R k α then return 6: return σ = (z 1, z 2, c) s1 a m y1 H 1 r FullAdd r Hash c H 1 z1 y2 H 1 z2 s2
35 Masking the signature Algorithm 3 Tweaked GLP sign Require: m, pk = (a, t), sk = (s 1, s 2 ) Ensure: Signature σ 1: $ y 1, y 2 Rk 2: c H(r = ay 1 + y 2, m) 3: z 1 s 1 c + y 1 4: z 2 s 2 c + y 2 5: if z 1 or z 2 / R k α then return 6: return σ = (z 1, z 2, c) s1 a m y1 H 1 r FullAdd r Hash c H 1 z1 RS RejSp H 2 z1 FullAdd z1 y2 H 1 z2 H 2 z2 FullAdd z2 s2 c
36 Composition s1 a m H 1 H 2 FullAdd z1 H 1 FullAdd r Hash c RS RejSp H 1 H 2 FullAdd z2 s2 c Not masked Non interferent Non interferent with public outputs and r
37 Conversions Boolean to arithmetic Proving the non interference of certain blocks (Rejection Sampling, Data Generation) was challenging Algorithm 2 GLP signature Require: m, pk, sk Ensure: Signature σ 1: $ y 1, y 2 R k 2: c H(r = ay 1 + y 2, m) 3: z 1 s 1 c + y 1 4: z 2 s 2 c + y 2 5: if z 1 or z 2 / R k α then restart 6: return σ = (z 1, z 2, c) i=d z 1,i mod p k α? (1) i=0 We had to adapt arithmetic to Boolean conversions from Coron, Großschädl and Vadnala in [CGV14]. i=d z 1,i i=0 mod p i=d z 1,i (2) i=0
38 Performances Table 1: Performances Number of shares (d + 1) Unprotected Total CPU time (s) Penalty factor Timings are provided for 100 executions of the signing algorithm, on one core of an Intel Core i CPU-based desktop machine. The code will be published soon Quite promising in view of the lack of optimization
39 Future work In a nutshell, - Provable masked implementation of GLP signature scheme - New security notions adapted to Fiat Shamir framework. Can be applied directly to Dilithium (implementation in progress, Vincent Migliore) BLISS and Dilithium-G Gaussians Not sure the Hash function can be unmasked
40 Conclusion Thank you for your attention Questions? Blog article on the RISQ project webpage : Eprint :
41 References Jean-Sébastien Coron, Johann Großschädl, and Praveen Kumar Vadnala. Secure conversion between Boolean and arithmetic masking of any order. In Lejla Batina and Matthew Robshaw, editors, CHES 2014, volume 8731 of LNCS, pages Springer, Heidelberg, September Suresh Chari, Charanjit S. Jutla, Josyula R. Rao, and Pankaj Rohatgi. Towards sound approaches to counteract power-analysis attacks. In Michael J. Wiener, editor, CRYPTO 99, volume 1666 of LNCS, pages Springer, Heidelberg, August Tim Güneysu, Vadim Lyubashevsky, and Thomas Pöppelmann. Practical lattice-based cryptography: A signature scheme for embedded systems. In Emmanuel Prouff and Patrick Schaumont, editors, CHES 2012, volume 7428 of LNCS, pages Springer, Heidelberg, September Yuval Ishai, Amit Sahai, and David Wagner. Private circuits: Securing hardware against probing attacks. In Dan Boneh, editor, CRYPTO 2003, volume 2729 of LNCS, pages Springer, Heidelberg, August Vadim Lyubashevsky. Fiat-Shamir with aborts: Applications to lattice and factoring-based signatures. In Mitsuru Matsui, editor, ASIACRYPT 2009, volume 5912 of LNCS, pages Springer, Heidelberg, December 2009.
42 References Vadim Lyubashevsky. Lattice signatures without trapdoors. In David Pointcheval and Thomas Johansson, editors, EUROCRYPT 2012, volume 7237 of LNCS, pages Springer, Heidelberg, April Emmanuel Prouff and Matthieu Rivain. Masking against side-channel attacks: A formal security proof. In Thomas Johansson and Phong Q. Nguyen, editors, EUROCRYPT 2013, volume 7881 of LNCS, pages Springer, Heidelberg, May 2013.
43 References Conversions Boolean to arithmetic : generation of sharings for coefficients x [ k, k] (k = 1)
44 References Conversions Boolean to arithmetic : generation of sharings for coefficients x [ k, k] (k = 1) 1 generate a Boolean sharing of x: 0 i d, x i [0, 2 w 0 1] where 2 w 0 > 2k w 0 1
45 References Conversions Boolean to arithmetic : generation of sharings for coefficients x [ k, k] (k = 1) 1 generate a Boolean sharing of x: where 2 w 0 > 2k w (δ i ) 0 i d (x i ) 0 i d (k i ) 0 i d 0 i d, x i [0, 2 w 0 1]
46 References Conversions Boolean to arithmetic : generation of sharings for coefficients x [ k, k] (k = 1) 1 generate a Boolean sharing of x: where 2 w 0 > 2k w (δ i ) 0 i d (x i ) 0 i d (k i ) 0 i d 3 b unmask δ s most significant bit 4 b equals 0 iff x 2k i d, x i [0, 2 w 0 1]
47 References Conversions Boolean to arithmetic : generation of sharings for coefficients x [ k, k] (k = 1) 1 generate a Boolean sharing of x: 0 i d, x i [0, 2 w 0 1] where 2 w 0 > 2k w (δ i ) 0 i d (x i ) 0 i d (k i ) 0 i d 3 b unmask δ s most significant bit 4 b equals 0 iff x 2k convert (x i ) 0 i d to an arithmetic masking
48 References Conversions Boolean to arithmetic : generation of sharings for coefficients x [ k, k] (k = 1) 1 generate a Boolean sharing of x: 0 i d, x i [0, 2 w 0 1] where 2 w 0 > 2k w (δ i ) 0 i d (x i ) 0 i d (k i ) 0 i d 3 b unmask δ s most significant bit 4 b equals 0 iff x 2k convert (x i ) 0 i d to an arithmetic masking Rejection Sampling: are coefficients of z 1 in [ k + α, k α]?
49 References Conversions Boolean to arithmetic : generation of sharings for coefficients x [ k, k] (k = 1) 1 generate a Boolean sharing of x: 0 i d, x i [0, 2 w 0 1] where 2 w 0 > 2k w (δ i ) 0 i d (x i ) 0 i d (k i ) 0 i d 3 b unmask δ s most significant bit 4 b equals 0 iff x 2k convert (x i ) 0 i d to an arithmetic masking Rejection Sampling: are coefficients of z 1 in [ k + α, k α]? 1 convert mod-p arithmetic sharing into Boolean masking
50 References Conversions Boolean to arithmetic : generation of sharings for coefficients x [ k, k] (k = 1) 1 generate a Boolean sharing of x: 0 i d, x i [0, 2 w 0 1] where 2 w 0 > 2k w (δ i ) 0 i d (x i ) 0 i d (k i ) 0 i d 3 b unmask δ s most significant bit 4 b equals 0 iff x 2k convert (x i ) 0 i d to an arithmetic masking Rejection Sampling: are coefficients of z 1 in [ k + α, k α]? 1 convert mod-p arithmetic sharing into Boolean masking 2 as in Data Generation, compute the masked difference with k α difference
51 References Conversions Boolean to arithmetic : generation of sharings for coefficients x [ k, k] (k = 1) 1 generate a Boolean sharing of x: 0 i d, x i [0, 2 w 0 1] where 2 w 0 > 2k w (δ i ) 0 i d (x i ) 0 i d (k i ) 0 i d 3 b unmask δ s most significant bit 4 b equals 0 iff x 2k convert (x i ) 0 i d to an arithmetic masking Rejection Sampling: are coefficients of z 1 in [ k + α, k α]? 1 convert mod-p arithmetic sharing into Boolean masking 2 as in Data Generation, compute the masked difference with k α difference 3 securely check the most significant bit
Masking the GLP Lattice-Based Signature Scheme at Any Order
Masking the GLP Lattice-Based Signature Scheme at Any Order Sonia Belaïd Joint Work with Gilles Barthe, Thomas Espitau, Pierre-Alain Fouque, Benjamin Grégoire, Mélissa Rossi, and Mehdi Tibouchi 1 / 31
More informationMasking the GLP Lattice-Based Signature Scheme at Any Order
Masking the GLP Lattice-Based Signature Scheme at Any Order Gilles Barthe 1, Sonia Belaïd 2, Thomas Espitau 3, Pierre-Alain Fouque 4, Benjamin Grégoire 5, Mélissa Rossi 6,7, and Mehdi Tibouchi 8 1 IMDEA
More informationMasking the GLP Lattice-Based Signature Scheme at Any Order
Masking the GLP Lattice-Based Signature Scheme at Any Order Gilles Barthe 1, Sonia Belaïd 2, Thomas Espitau 3, Pierre-Alain Fouque 4, Benjamin Grégoire 5, Mélissa Rossi 6,7, and Mehdi Tibouchi 8 1 IMDEA
More informationFormal Verification of Masked Implementations
Formal Verification of Masked Implementations Sonia Belaïd Benjamin Grégoire CHES 2018 - Tutorial September 9th 2018 1 / 47 1 Side-Channel Attacks and Masking 2 Formal Tools for Verification at Fixed Order
More informationFormal Verification of Side-Channel Countermeasures
Formal Verification of Side-Channel Countermeasures Sonia Belaïd June 5th 2018 1 / 35 1 Side-Channel Attacks 2 Masking 3 Formal Tools Verification of Masked Implementations at Fixed Order Verification
More informationFormal Verification of Side-channel Countermeasures via Elementary Circuit Transformations
Formal Verification of Side-channel Countermeasures via Elementary Circuit Transformations Jean-Sébastien Coron University of Luxembourg jean-sebastiencoron@unilu April 9, 2018 Abstract We describe a technique
More informationOn the Use of Masking to Defeat Power-Analysis Attacks
1/32 On the Use of Masking to Defeat Power-Analysis Attacks ENS Paris Crypto Day February 16, 2016 Presented by Sonia Belaïd Outline Power-Analysis Attacks Masking Countermeasure Leakage Models Security
More informationSymbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes
Symbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes Workshop PROOFS Inès Ben El Ouahma Quentin Meunier Karine Heydemann Emmanuelle Encrenaz Sorbonne Universités, UPMC Univ Paris
More informationFault Attacks Against Lattice-Based Signatures
Fault Attacks Against Lattice-Based Signatures T. Espitau P-A. Fouque B. Gérard M. Tibouchi Lip6, Sorbonne Universités, Paris August 12, 2016 SAC 16 1 Towards postquantum cryptography Quantum computers
More informationRevisiting a Masked Lookup-Table Compression Scheme
Revisiting a Masked Lookup-Table Compression Scheme Srinivas Vivek University of Bristol, UK sv.venkatesh@bristol.ac.uk Abstract. Lookup-table based side-channel countermeasure is the prime choice for
More informationParallel Implementations of Masking Schemes and the Bounded Moment Leakage Model
Parallel Implementations of Masking Schemes and the Bounded Moment Leakage Model G. Barthe, F. Dupressoir, S. Faust, B. Grégoire, F.-X. Standaert, P.-Y. Strub IMDEA (Spain), Univ. Surrey (UK), Univ. Bochum
More informationMASKING is the most widely deployed countermeasure
1 Corrections to Further Improving Efficiency of Higher-Order Masking Schemes by Decreasing Randomness Complexity Shuang Qiu, Rui Zhang, Yongbin Zhou, Wei Cheng Abstract Provably secure masking schemes
More informationImproved Parallel Mask Refreshing Algorithms Generic Solutions with Parametrized Non-Interference & Automated Optimizations
Improved Parallel Mask Refreshing Algorithms Generic Solutions with Parametrized Non-Interference & Automated Optimizations Gilles Barthe 1, Sonia Belaïd 2, François Dupressoir 3, Pierre-Alain Fouque 4,
More informationA Sound Method for Switching between Boolean and Arithmetic Masking
A Sound Method for Switching between Boolean and Arithmetic Masking Louis Goubin CP8 Crypto Lab, SchlumbergerSema 36-38 rue de la Princesse, BP45 78430 Louveciennes Cedex, France Louis.Goubin@louveciennes.tt.slb.com
More informationImproved Parallel Mask Refreshing Algorithms
Noname manuscript No. (will be inserted by the editor) Improved Parallel Mask Refreshing Algorithms Generic Solutions with Parametrized Non-Interference & Automated Optimizations Gilles Barthe 1 Sonia
More informationAn improved compression technique for signatures based on learning with errors
An improved compression technique for signatures based on learning with errors Shi Bai and Steven D. Galbraith Department of Mathematics, University of Auckland. CT-RSA 2014 1 / 22 Outline Introduction
More informationImproved Parameters for the Ring-TESLA Digital Signature Scheme
Improved Parameters for the Ring-TESLA Digital Signature Scheme Arjun Chopra Abstract Akleylek et al. have proposed Ring-TESLA, a practical and efficient digital signature scheme based on the Ring Learning
More informationConstant-Time Higher-Order Boolean-to-Arithmetic Masking
Constant-Time Higher-Order Boolean-to-Arithmetic Masking Michael Hutter and Michael Tunstall Cryptography Research, 425 Market Street, 11th Floor, San Francisco, CA 94105, United States {michael.hutter,michael.tunstall}@cryptography.com
More informationCompositional Verification of Higher-Order Masking
Compositional Verification of Higher-Order Masking Application to a Verifying Masking Compiler Gilles Barthe 2, Sonia Belaïd 1,5, François Dupressoir 2, Pierre-Alain Fouque 4,6, and Benjamin Grégoire 3
More informationGeneralized Polynomial Decomposition for S-boxes with Application to Side-Channel Countermeasures
Generalized Polynomial Decomposition for S-boxes with Application to Side-Channel Countermeasures Dahmun Goudarzi 1,2, Matthieu Rivain 1, Damien Vergnaud 2, and Srinivas Vivek 3 1 CryptoExperts, Paris,
More informationEnhanced Lattice-Based Signatures on Reconfigurable Hardware
Enhanced Lattice-Based Signatures on Reconfigurable Hardware Thomas Pöppelmann 1 Léo Ducas 2 Tim Güneysu 1 1 Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Germany 2 University of California,
More informationHigh-Order Conversion From Boolean to Arithmetic Masking
High-Order Conversion From Boolean to Arithmetic Masking Jean-Sébastien Coron University of Luxembourg jean-sebastien.coron@uni.lu Abstract. Masking with random values is an effective countermeasure against
More informationConversion from Arithmetic to Boolean Masking with Logarithmic Complexity
Conversion from Arithmetic to Boolean Masking with Logarithmic Complexity Jean-Sébastien Coron 1, Johann Großschädl 1, Mehdi Tibouchi 2, and Praveen Kumar Vadnala 1 1 University of Luxembourg, jean-sebastien.coron,johann.groszschaedl,praveen.vadnala}@uni.lu
More informationImproved High-Order Conversion From Boolean to Arithmetic Masking
Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1, Jean-Sébastien Coron 2, and Rina Zeitoun 1 1 IDEMIA, France luk.bettale@idemia.com, rina.zeitoun@idemia.com 2 University
More informationUsing Second-Order Power Analysis to Attack DPA Resistant Software
Using Second-Order Power Analysis to Attack DPA Resistant Software Thomas S. Messerges Motorola Labs, Motorola 3 E. Algonquin Road, Room 7, Schaumburg, IL 696 Tom.Messerges@motorola.com Abstract. Under
More informationConversion from Arithmetic to Boolean Masking with Logarithmic Complexity
Conversion from Arithmetic to Boolean Masking with Logarithmic Complexity Jean-Sébastien Coron 1(B), Johann Großschädl 1, Mehdi Tibouchi 2, and Praveen Kumar Vadnala 1 1 University of Luxembourg, Luxembourg,
More informationProvable Security against Side-Channel Attacks
Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com MCrypt Seminar Aug. 11th 2014 Outline 1 Introduction 2 Modeling side-channel leakage 3 Achieving provable
More informationAn improved compression technique for signatures based on learning with errors
An improved compression technique for signatures based on learning with errors Shi Bai and Steven D. Galbraith Department of Mathematics, University of Auckland, New Zealand. S.Bai@auckland.ac.nz S.Galbraith@math.auckland.ac.nz
More informationConversion from Arithmetic to Boolean Masking with Logarithmic Complexity
Conversion from Arithmetic to Boolean Masking with Logarithmic Complexity Jean-Sébastien Coron 1, Johann Großschädl 1, Mehdi Tibouchi 2, and Praveen Kumar Vadnala 1 1 University of Luxembourg, jean-sebastien.coron,johann.groszschaedl,praveen.vadnala}@uni.lu
More informationA Lattice-Based Threshold Ring Signature Scheme (TRSS-L)
A Lattice-Based Threshold Ring Signature Scheme (TRSS-L) Pierre-Louis Cayrel 1 Richard Lindner 2 Markus Rückert 2 Rosemberg Silva 3 1 Center for Advanced Security Research Darmstadt (CASED) 2 Technische
More informationFast Evaluation of Polynomials over Binary Finite Fields. and Application to Side-channel Countermeasures
Fast Evaluation of Polynomials over Binary Finite Fields and Application to Side-channel Countermeasures Jean-Sébastien Coron 1, Arnab Roy 1,2, Srinivas Vivek 1 1 University of Luxembourg 2 DTU, Denmark
More informationProtecting AES with Shamir s Secret Sharing Scheme
Protecting AES with Shamir s Secret Sharing Scheme Louis Goubin 1 and Ange Martinelli 1,2 1 Versailles Saint-Quentin-en-Yvelines University Louis.Goubin@prism.uvsq.fr 2 Thales Communications jean.martinelli@fr.thalesgroup.com
More informationEfficient Masked S-Boxes Processing A Step Forward
Efficient Masked S-Boxes Processing A Step Forward Vincent Grosso 1, Emmanuel Prouff 2, François-Xavier Standaert 1 1 ICTEAM/ELEN/Crypto Group, Université catholique de Louvain, Belgium. 2 ANSSI, 51 Bd
More informationProvably Secure Higher-Order Masking of AES
Provably Secure Higher-Order Masking of AES Matthieu Rivain 1 and Emmanuel Prouff 2 1 CryptoExperts matthieu.rivain@cryptoexperts.com 2 Oberthur Technologies e.prouff@oberthur.com Abstract. Implementations
More informationSeveral Masked Implementations of the Boyar-Peralta AES S-Box
Several Masked Implementations of the Boyar-Peralta AES S-Box Ashrujit Ghoshal 1[0000 0003 2436 0230] and Thomas De Cnudde 2[0000 0002 2711 8645] 1 Indian Institute of Technology Kharagpur, India ashrujitg@iitkgp.ac.in
More informationEfficient Conversion Method from Arithmetic to Boolean Masking in Constrained Devices
Efficient Conversion Method from Arithmetic to Boolean Masing in Constrained Devices Yoo-Seung Won 1 and Dong-Gu Han 1,2 1 Department of Financial Information Security, Koomin University, Seoul, Korea
More informationOn the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking
On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun Goudarzi 1,2 and Matthieu Rivain 1 1 CryptoExperts, Paris, France 2 ENS, CNRS, INRIA and PSL Research University,
More informationDifferential Fault Attacks on Deterministic Lattice Signatures
S C I E N C E P A S S I O N T E C H N O L O G Y Differential Fault Attacks on Deterministic Lattice Signatures Leon Groot Bruinderink 1, Peter Pessl 2 1 Technische Universiteit Eindhoven, 2 Graz University
More informationHigher-Order Glitches Free Implementation of the AES using Secure Multi-Party Computation Protocols
Higher-Order Glitches Free Implementation of the AES using Secure Multi-Party Computation Protocols Emmanuel Prouff 1 and Thomas Roche 2 1 Oberthur Technologies, 71-73, rue des Hautes Pâtures 92726 Nanterre,
More informationConsolidating Masking Schemes
Consolidating Masking Schemes Oscar Reparaz, Begül Bilgin, Svetla Nikova, Benedikt Gierlichs, and Ingrid Verbauwhede firstname.lastname@esat.kuleuven.be KU Leuven ESAT/COSIC and iminds, Belgium Abstract.
More informationParallel Implementations of Masking Schemes and the Bounded Moment Leakage Model
Parallel Implementations of Masking Schemes and the Bounded Moment Leakage Model Gilles Barthe 1, François Dupressoir 2, Sebastian Faust 3, Benjamin Grégoire 4, François-Xavier Standaert 5, and Pierre-Yves
More informationMasking against Side-Channel Attacks: a Formal Security Proof
Masking against Side-Channel Attacks: a Formal Security Proof Emmanuel Prouff 1 and Matthieu Rivain 2 1 ANSSI emmanuel.prouff@ssi.gouv.fr 2 CryptoExperts matthieu.rivain@cryptoexperts.com Abstract. Masking
More informationBasics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018
Basics in Cryptology II Distributed Cryptography David Pointcheval Ecole normale supérieure, CNRS & INRIA ENS Paris 2018 NS/CNRS/INRIA Cascade David Pointcheval 1/26ENS/CNRS/INRIA Cascade David Pointcheval
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More informationFrom 5-pass MQ-based identification to MQ-based signatures
From 5-pass MQ-based identification to MQ-based signatures Ming-Shing Chen 1,2, Andreas Hülsing 3, Joost Rijneveld 4, Simona Samardjiska 5, Peter Schwabe 4 National Taiwan University 1 / Academia Sinica
More informationComparison of some mask protections of DES against power analysis Kai Cao1,a, Dawu Gu1,b, Zheng Guo1,2,c and Junrong Liu1,2,d
International Conference on Manufacturing Science and Engineering (ICMSE 2015) Comparison of some mask protections of DES against power analysis Kai Cao1,a, Dawu Gu1,b, Zheng Guo1,2,c and Junrong Liu1,2,d
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationTemplate Attacks with Partial Profiles and Dirichlet Priors: Application to Timing Attacks June 18, 2016
Template Attacks with Partial Profiles and Dirichlet Priors: Application to Timing Attacks June 18, 2016 Eloi de Chérisey, Sylvain Guilley, Darshana Jayasinghe and Olivier Rioul Contents Introduction Motivations
More informationOutline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.
Provable Security in the Computational Model III Signatures David Pointcheval Ecole normale supérieure, CNRS & INRI Public-Key Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions
More informationOn the Use of Shamir s Secret Sharing Against Side-Channel Analysis
On the Use of Shamir s Secret Sharing Against Side-Channel Analysis Jean-Sébastien Coron 1, Emmanuel Prouff 2, and Thomas Roche 2 1 Tranef jscoron@tranef.com 2 ANSSI, 51, Bd de la Tour-Maubourg, 75700
More informationAffine Masking against Higher-Order Side Channel Analysis
Affine Masking against Higher-Order Side Channel Analysis Guillaume Fumaroli 1, Ange Martinelli 1, Emmanuel Prouff 2, and Matthieu Rivain 3 1 Thales Communications {guillaume.fumaroli, jean.martinelli}@fr.thalesgroup.com
More informationLattice Signature Schemes. Vadim Lyubashevsky INRIA / ENS Paris
Lattice Signature Schemes Vadim Lyubashevsky INRIA / ENS Paris LATTICE PROBLEMS The Knapsack Problem A = t mod q A is random in Z q n x m s is a random small vector in Z q m t=as mod q s Given (A,t), find
More informationPractical CCA2-Secure and Masked Ring-LWE Implementation
Practical CCA2-Secure and Masked Ring-LWE Implementation Tobias Oder 1, Tobias Schneider 2, Thomas Pöppelmann 3, Tim Güneysu 1,4 1 Ruhr-University Bochum, 2 Université Catholique de Louvain, 3 Infineon
More informationFast Lattice-Based Encryption: Stretching SPRING
Fast Lattice-Based Encryption: Stretching SPRING Charles Bouillaguet 1 Claire Delaplace 1,2 Pierre-Alain Fouque 2 Paul Kirchner 3 1 CFHP team, CRIStAL, Université de Lille, France 2 EMSEC team, IRISA,
More informationSIDE Channel Analysis (SCA in short) exploits information. Statistical Analysis of Second Order Differential Power Analysis
1 Statistical Analysis of Second Order Differential Power Analysis Emmanuel Prouff 1, Matthieu Rivain and Régis Bévan 3 Abstract Second Order Differential Power Analysis O- DPA is a powerful side channel
More informationProvable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval
Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction
More informationHorizontal Side-Channel Attacks and Countermeasures on the ISW Masking Scheme
Horizontal Side-Channel Attacks and Countermeasures on the ISW Masking Scheme Alberto Battistello 1, Jean-Sébastien Coron 2, Emmanuel Prouff 3, and Rina Zeitoun 1 1 Oberthur Technologies, France {a.battistello,r.zeitoun}@oberthur.com
More informationOn the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking
On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun Goudarzi and Matthieu Rivain CHES 2016, Santa-Barbara Higher-Order Masking x = x 1 + x 2 + + x d 2/28 Higher-Order
More informationStrong Non-Interference and Type-Directed Higher-Order Masking
Strong Non-Interference and Type-Directed Higher-Order Masking Gilles Barthe 1, Sonia Belaïd 2, François Dupressoir 3, Pierre-Alain Fouque 4, Benjamin Grégoire 5, Pierre-Yves Strub 6, and Rébecca Zucchini
More informationConnecting and Improving Direct Sum Masking and Inner Product Masking
Connecting and Improving Direct Sum Masking and Inner Product Masking Romain Poussier 1, Qian Guo 1, François-Xavier Standaert 1, Claude Carlet 2, Sylvain Guilley 3 1 ICTEAM/ELEN/Crypto Group, Université
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationTightly-Secure Signatures From Lossy Identification Schemes
Tightly-Secure Signatures From Lossy Identification Schemes Michel Abdalla, Pierre-Alain Fouque, Vadim Lyubashevsky, and Mehdi Tibouchi 2 École normale supérieure {michel.abdalla,pierre-alain.fouque,vadim.lyubashevsky}@ens.fr
More informationLP Solutions of Vectorial Integer Subset Sums Cryptanalysis of Galbraith s Binary Matrix LWE
LP Solutions of Vectorial Integer Subset Sums Cryptanalysis of Galbraith s Binary Matrix LWE Gottfried Herold and Alexander May Horst Görtz Institute for IT-Security Ruhr-University Bochum, Germany Faculty
More informationCryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95
Cryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95 Jean-Sébastien Coron and David Naccache Gemplus Card International 34 rue Guynemer, 92447 Issy-les-Moulineaux, France {jean-sebastien.coron,
More informationCryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg
Course 1: Remainder: RSA Université du Luxembourg September 21, 2010 Public-key encryption Public-key encryption: two keys. One key is made public and used to encrypt. The other key is kept private and
More informationSide Channel Analysis and Protection for McEliece Implementations
Side Channel Analysis and Protection for McEliece Implementations Thomas Eisenbarth Joint work with Cong Chen, Ingo von Maurich and Rainer Steinwandt 9/27/2016 NATO Workshop- Tel Aviv University Overview
More informationRecovering Private Keys Generated With Weak PRNGs
Recovering Private Keys Generated With Weak PRNGs Pierre-Alain Fouque (Univ. Rennes 1) Mehdi Tibouchi (NTT Secure Platform Lab.) Jean-Christophe Zapalowicz (Inria) Journées C2 2014 Jean-Christophe Zapalowicz
More informationSide-channel analysis in code-based cryptography
1 Side-channel analysis in code-based cryptography Tania RICHMOND IMATH Laboratory University of Toulon SoSySec Seminar Rennes, April 5, 2017 Outline McEliece cryptosystem Timing Attack Power consumption
More informationSide-Channel Leakage in Masked Circuits Caused by Higher-Order Circuit Effects
Side-Channel Leakage in Masked Circuits Caused by Higher-Order Circuit Effects Zhimin Chen, Syed Haider, and Patrick Schaumont Virginia Tech, Blacksburg, VA 24061, USA {chenzm,syedh,schaum}@vt.edu Abstract.
More informationMulti-Variate High-Order Attacks of Shuffled Tables Recomputation
Multi-Variate High-Order Attacks of Shuffled Tables Recomputation Nicolas BRUNEAU,2, Sylvain GUILLEY,3, Zakaria NAJM, Yannick TEGLIA 2, TELECOM-ParisTech, Crypto Group, Paris, FRANCE 2 STMicroelectronics,
More informationSimple Lattice Trapdoor Sampling from a Broad Class of Distributions
Simple Lattice Trapdoor Sampling from a Broad Class of Distributions Vadim Lyubashevsky 1 and Daniel Wichs 2 1 Inria/ENS, Paris 2 Northeastern University Abstract. At the center of many lattice-based constructions
More informationMaking Masking Security Proofs Concrete
Making Masking Security Proofs Concrete Or How to Evaluate the Security of any Leaking Device Extended Version Alexandre Duc 1, Sebastian Faust 1,2, François-Xavier Standaert 3 1 HEIG-VD, Lausanne, Switzerland
More informationGLV/GLS Decomposition, Power Analysis, and Attacks on ECDSA Signatures With Single-Bit Nonce Bias
GLV/GLS Decomposition, Power Analysis, and Attacks on ECDSA Signatures With Single-Bit Nonce Bias Diego F. Aranha Pierre-Alain Fouque Benoît Gerard Jean-Gabriel Kammerer Mehdi Tibouchi Jean-Christophe
More informationCryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97
Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97 Phong Nguyen and Jacques Stern École Normale Supérieure, Laboratoire d Informatique 45, rue d Ulm, F 75230 Paris Cedex 05 {Phong.Nguyen,Jacques.Stern}@ens.fr
More informationHigher-Order Threshold Implementations
Higher-Order Threshold Implementations Begül Bilgin 1,2, Benedikt Gierlichs 1, Svetla Nikova 1, Ventzislav Nikov 3, and Vincent Rijmen 1 1 KU Leuven, ESAT-COSIC and iminds, Belgium {name.surname}@esat.kuleuven.be
More informationLeakage Resilient ElGamal Encryption
Asiacrypt 2010, December 9th, Singapore Outline 1 Hybrid Encryption, the KEM/DEM framework 2 ElGamal KEM 3 Leakage Resilient Crypto Why? How? Other models? 4 Leakage Resilient ElGamal CCA1 secure KEM (Key
More informationFrom 5-pass MQ-based identification to MQ-based signatures
From 5-pass MQ-based identification to MQ-based signatures Ming-Shing Chen 1,2, Andreas Hülsing 3, Joost Rijneveld 4, Simona Samardjiska 5, Peter Schwabe 4 National Taiwan University 1 / Academia Sinica
More informationHigh (Physical) Security & Lightweight (Symmetric) Cryptography
High (Physical) Security & Lightweight (Symmetric) Cryptography François-Xavier Standaert UCL Crypto Group, Belgium HIGHLIGHT LIGHTCRYPTO, November 2016 Outline Preliminary questions / definitions Side-channel
More informationMasking against Side-Channel Attacks: AFormalSecurityProof
Masking against Side-Channel Attacks: AFormalSecurityProof Emmanuel Prouff 1 and Matthieu Rivain 2 1 ANSSI emmanuel.prouff@ssi.gouv.fr 2 CryptoExperts matthieu.rivain@cryptoexperts.com Abstract. Masking
More informationHow to improve information set decoding exploiting that = 0 mod 2
How to improve information set decoding exploiting that 1 + 1 = 0 mod 2 Anja Becker Postdoc at EPFL Seminar CCA January 11, 2013, Paris Representation Find unique solution to hard problem in cryptography
More informationCryptanalysis of GGH15 Multilinear Maps
Cryptanalysis of GGH15 Multilinear Maps Jean-Sébastien Coron 1, Moon Sung Lee 1, Tancrède Lepoint 2, and Mehdi Tibouchi 3 1 University of Luxembourg 2 CryptoExperts 3 NTT Secure Platform Laboratories June
More informationCRYSTALS Kyber and Dilithium. Peter Schwabe February 7, 2018
CRYSTALS Kyber and Dilithium Peter Schwabe peter@cryptojedi.org https://cryptojedi.org February 7, 2018 Crypto today 5 building blocks for a secure channel Symmetric crypto Block or stream cipher (e.g.,
More informationPractical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits
Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits Damien Vergnaud École normale supérieure CHES September, 15th 2015 (with Aurélie Bauer) Damien Vergnaud
More informationIntroduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes
Introduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 03 13 More
More informationA signature scheme from the finite field isomorphism problem
A signature scheme from the finite field isomorphism problem Jeffrey Hoffstein 1, Joseph H. Silverman 1, William Whyte 2, and Zhenfei Zhang 2 1 Brown University, Providence, USA {jhoff,jhs}@math.brown.edu
More informationqdsa: Small and Secure Digital Signatures with Curve-based Diffie-Hellman Key Pairs
qdsa: Small and Secure Digital Signatures with Curve-based Diffie-Hellman Key Pairs Joost Renes 1 Benjamin Smith 2 1 Radboud University 2 INRIA and Laboratoire d Informatique de l École polytechnique 15
More informationSide-Channel Attacks on BLISS Lattice-Based Signatures
Side-Channel Attacks on BLISS Lattice-Based Signatures Exploiting Branch Tracing against strongswan and Electromagnetic Emanations in Microcontrollers ABSTRACT Thomas Espitau UPMC Paris, France thomas.espitau@lip6.fr
More informationEciently Masking Binomial Sampling at Arbitrary Orders for Lattice-Based Crypto
Eciently Masking Binomial Sampling at Arbitrary Orders for Lattice-Based Crypto Tobias Schneider 1, Clara Paglialonga 2, Tobias Oder 3, and Tim Güneysu 3,4 1 ICTEAM/ELEN/Crypto Group, Université Catholique
More informationFast Side-Channel Security Evaluation of ECC Implementations
Fast Side-Channel Security Evaluation of ECC Implementations Shortcut Formulas for Horizontal Side-channel Attacks against ECSM with the Montgomery ladder Melissa Azouaoui 1,2, Romain Poussier 3, François-Xavier
More informationLattice Reduction Attacks on HE Schemes. Martin R. Albrecht 15/03/2018
Lattice Reduction Attacks on HE Schemes Martin R. Albrecht 15/03/2018 Learning with Errors The Learning with Errors (LWE) problem was defined by Oded Regev. 1 Given (A, c) with uniform A Z m n q, uniform
More informationLoop abort Faults on Lattice-Based Fiat-Shamir Hash n Sign signatures
Loop abort Faults on Lattice-Based Fiat-Shamir Hash n Sign signatures Thomas Espitau, Pierre-Alain Fouque, Benoit Gérard, Mehdi Tibouchi To cite this version: Thomas Espitau, Pierre-Alain Fouque, Benoit
More informationFault Attacks Against emv Signatures
Fault Attacks Against emv Signatures Jean-Sébastien Coron 1, David Naccache 2, and Mehdi Tibouchi 2 1 Université du Luxembourg 6, rue Richard Coudenhove-Kalergi l-1359 Luxembourg, Luxembourg {jean-sebastien.coron,
More informationA Lattice-based AKE on ARM Cortex-M4
A Lattice-based AKE on ARM Cortex-M4 Julian Speith 1, Tobias Oder 1, Marcel Kneib 2, and Tim Güneysu 1,3 1 Horst Görtz Institute for IT Security, Ruhr-Universität Bochum, Germany {julian.speith,tobias.oder,tim.gueneysu}@rub.de
More informationLecture 13: Seed-Dependent Key Derivation
Randomness in Cryptography April 11, 2013 Lecture 13: Seed-Dependent Key Derivation Lecturer: Yevgeniy Dodis Scribe: Eric Miles In today s lecture, we study seeded key-derivation functions (KDFs) in the
More informationInner Product Masking Revisited
Inner Product Masking Revisited Josep Balasch 1, Sebastian Faust 2, and Benedikt Gierlichs 1 1 KU Leuven Dept. Electrical Engineering-ESAT/COSIC and iminds Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee,
More informationPublic Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers
Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron 1, David Naccache 2, and Mehdi Tibouchi 3 1 Université du Luxembourg jean-sebastien.coron@uni.lu
More informationLattice-Based Fault Attacks on RSA Signatures
Lattice-Based Fault Attacks on RSA Signatures Mehdi Tibouchi École normale supérieure Workshop on Applied Cryptography, Singapore, 2010-12-03 Gist of this talk Review a classical attack on RSA signatures
More informationTHRESHOLD IMPLEMENTATIONS OF ALL 3x3 AND 4x4 S-BOXES
THRESHOLD IMPLEMENTATIONS OF ALL 3x3 AND 4x4 S-BOXES B.Bilgin, S.Nikova, V.Nikov, V.Rijmen, G.Stütz KU Leuven, UTwente, NXP, TU Graz CHES 2012 - Leuven, Belgium 2012-09-10 Countermeasures Search for a
More informationPSS Is Secure against Random Fault Attacks
PSS Is Secure against Random Fault Attacks Jean-Sébastien Coron and Avradip Mandal University of Luxembourg Abstract. A fault attack consists in inducing hardware malfunctions in order to recover secrets
More informationCircuit Compilers with O(1/ log(n)) Leakage Rate
Circuit Compilers with O(1/ log(n)) Leakage Rate Marcin Andrychowicz 1, Stefan Dziembowski 1, and Sebastian Faust 2 1 University of Warsaw 2 Ruhr University Bochum Abstract. The goal of leakage-resilient
More information