Constructing TI-Friendly Substitution Boxes using Shift-Invariant Permutations. Si Gao, Arnab Roy, and Elisabeth Oswald

Similar documents
Time-Memory Trade-Offs for Side-Channel Resistant Implementations of Block Ciphers. Praveen Vadnala

Threshold Implementations. Svetla Nikova

FIDES: Lightweight Authentication Cipher with Side-Channel Resistance for Constrained Hardware

Glitch-Free Implementation of Masking in Modern FPGAs

Recommendations for Secure IC s and ASIC s

DPA Leakage Models for CMOS Logic Circuits

An on-chip glitchy-clock generator and its application to safe-error attack

Smashing the Implementation Records of AES S-box

SHA-3 and permutation-based cryptography

Conditional Cube Attack on Reduced-Round Keccak Sponge Function

Low Randomness Masking and Shulfifgn:

Power Analysis an overview. Agenda. Measuring power consumption. Measuring power consumption (2) Benedikt Gierlichs, KU Leuven - COSIC.

Meet-in-the-Middle Attacks on Reduced-Round Midori-64

CESEL: Flexible Crypto Acceleration. Kevin Kiningham Dan Boneh, Mark Horowitz, Philip Levis

High Diffusion Cipher: Encryption and Error Correction in a Single Cryptographic Primitive

Side-Channel Leakage through Static Power

Lightweight Mixcolumn Architecture for Advanced Encryption Standard

Variety of scalable shuffling countermeasures against side channel attacks

Alternative forms of representation of Boolean functions in Cryptographic Information Security Facilities. Kushch S.

DETECTING POWER ATTACKS ON RECONFIGURABLE HARDWARE. Adrien Le Masle, Wayne Luk

Correlation Power Analysis of Lightweight Block Ciphers

Hardware Bit-Mixers. Laszlo Hars January, 2016

IND-CCA Secure Hybrid Encryption from QC-MDPC Niederreiter

4. Design Principles of Block Ciphers and Differential Attacks

Design of a High Throughput 128-bit AES (Rijndael Block Cipher)

Keywords: dynamic P-Box and S-box, modular calculations, prime numbers, key encryption, code breaking.

Investigating the DPA-Resistance Property of Charge Recovery Logics

SIDE-CHANNEL attacks exploit the leaked physical information

Dedicated Cryptanalysis of Lightweight Block Ciphers

Comparison of Profiling Power Analysis Attacks Using Templates and Multi-Layer Perceptron Network

Differential Cryptanalysis of REDOC III

EE 382C EMBEDDED SOFTWARE SYSTEMS. Literature Survey Report. Characterization of Embedded Workloads. Ajay Joshi. March 30, 2004

Generic Attacks on Feistel Schemes

Some Cryptanalysis of the Block Cipher BCMPQ

Lecture Notes in Computer Science Edited by G. Goos, J. Hartmanis and J. van Leeuwen

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Cryptology and Graph Theory

Is Your Mobile Device Radiating Keys?

Course Business. Harry. Hagrid. Homework 2 Due Now. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Location: Right here

Generic Attacks on Feistel Schemes

Power Analysis Based Side Channel Attack

Transient-Steady Effect Attack on Block Ciphers

paioli Power Analysis Immunity by Offsetting Leakage Intensity Sylvain Guilley perso.enst.fr/ guilley Telecom ParisTech

Implementation and Performance Testing of the SQUASH RFID Authentication Protocol

Journal of Discrete Mathematical Sciences & Cryptography Vol. ( ), No., pp. 1 10

From New Technologies to New Solutions: Exploiting FRAM Memories to Enhance Physical Security

A Visual Cryptography Based Watermark Technology for Individual and Group Images

LoRa Reverse Engineering and AES EM Side-Channel Attacks using SDR. Pieter Robyns

Lecture 1: Introduction

A Novel Encryption System using Layered Cellular Automata

Minimum key length for cryptographic security

On Permutation Operations in Cipher Design

Test Apparatus for Side-Channel Resistance Compliance Testing

IMPROVING CPA ATTACK AGAINST DSA AND ECDSA

A Simulation-Based Methodology for Evaluating the DPA-Resistance of Cryptographic Functional Units with Application to CMOS and MCML Technologies

Robust profiled attacks: should the adversary trust the dataset?

Permutation Operations in Block Ciphers

When Failure Analysis Meets Side-Channel Attacks

Reviewing Multiple Secret Image Sharing Scheme based on Matrix Multiplication

New Linear Cryptanalytic Results of Reduced-Round of CAST-128 and CAST-256

UNIT-II LOW POWER VLSI DESIGN APPROACHES

Methods for Reducing the Activity Switching Factor

Secure Adiabatic Logic: a Low-Energy DPA-Resistant Logic Style

AES Encryption and Decryption in Microsoft.NET

ADVANCES IN SIDE-CHANNEL SECURITY

Understanding Cryptography: A Textbook For Students And Practitioners PDF

Why (Special Agent) Johnny (Still) Can t Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System

Published in: Proceedings of the 3rd International Conference on Information Systems Security and Privacy

Evaluation of the Masked Logic Style MDPL on a Prototype Chip

Abstract. 1 Introduction. 2 The Proposed Scheme. The 29th Workshop on Combinatorial Mathematics and Computation Theory

Cryptanalysis of an Improved One-Way Hash Chain Self-Healing Group Key Distribution Scheme

List of publications

Three Phase Dynamic Current Mode Logic: AMoreSecureDyCML to Achieve a More Balanced Power Consumption

Network Security: Secret Key Cryptography

Figure 1 Basic Block diagram of self checking logic circuit

Optimized area-delay and power efficient carry select adder

Transform. Jeongchoon Ryoo. Dong-Guk Han. Seoul, Korea Rep.

A Cryptosystem Based on the Composition of Reversible Cellular Automata

TRUDEVICE TH WORKSHOP ON SECURE HARDWARE AND SECURITY EVALUATION September 17 th, 2015, Saint- Malo, France

Generation of AES Key Dependent S-Boxes using RC4 Algorithm

Throughput vs. Area Trade-offs in High-Speed Architectures of Five Round 3 SHA-3 Candidates Implemented Using Xilinx and Altera FPGAs

(Or Living Between a Rock and a Hard Place) Nigel Smart University Of Bristol

Implementation of 1-bit Full Adder using Gate Difuision Input (GDI) cell

On Path Memory in List Successive Cancellation Decoder of Polar Codes

Investigations of Power Analysis Attacks on Smartcards

International Journal of Scientific & Engineering Research, Volume 4, Issue 8, August ISSN

Development of a Highly Selective First-Level Muon Trigger for ATLAS at HL-LHC Exploiting Precision Muon Drift-Tube Data

Triple-DES Block of 96 Bits: An Application to. Colour Image Encryption

Evaluation of the Masked Logic Style MDPL on a Prototype Chip

Automated FSM Error Correction for Single Event Upsets

Data Word Length Reduction for Low-Power DSP Software

ELLIPTIC curve cryptography (ECC) was proposed by

Differential Cryptanalysis of Round-Reduced PRINTcipher: Computing Roots of. permutations

Atomic-AES: A Compact Implementation of the AES Encryption/Decryption Core

OFDM Based Low Power Secured Communication using AES with Vedic Mathematics Technique for Military Applications

Explaining Differential Fault Analysis on DES. Christophe Clavier Michael Tunstall

II. RC4 Cryptography is the art of communication protection. This art is scrambling a message so it cannot be clear; it

SUBTHRESHOLD DESIGN SPACE EXPLORATION FOR GAUSSIAN NORMAL BASIS MULTIPLIER

What do ultra low power requirements mean for secure hardware?

The backend duplication method

Transcription:

Constructing TI-Friendly Substitution Boxes using Shift-Invariant Permutations Si Gao, Arnab Roy, and Elisabeth Oswald

Outline Introduction Design Philosophy Sbox Constructions Implementations Summary

Outline Introduction Design Philosophy Sbox Constructions Implementations Summary

Block Ciphers & Side Channel Protection Component design (Sbox, diffusion layer etc.) Strength against cryptanalysis Implementation cost Side channel protection Not a metric, yet draw attention o Bit-sliced masking: reducing the number of AND2 o Threshold implementation (TI): TI-friendly Sboxes

Threshold Implementation A countermeasure that based on the MPC concept Goal: cope with hardware glitches Requirements o Correct o Assigning each term (eg. a i ) to one of the parties (eg. f_i)

Threshold Implementation A countermeasure that based on the MPC concept Goal: cope with hardware glitches Requirements o Non-complete o Ensure deg(f)<s, so that every term uses at most s-1 shares

Threshold Implementation A countermeasure that based on the MPC concept Goal: cope with hardware glitches Requirements o Uniform o Add fresh randomness o Otherwise, no general constructions Should be a valid share!

TI-friendly Designs Diffusion Layer For an s-share scheme, simply performing linear operation on each share Sbox Lower degree functions/decomposition o Idea: less shares (s) save time/area o All 3*3/4*4 Sboxes up to affine equivalence [CHES 12] o 5-bit/ some 6-bit quadratic permutations [FSE 17, BFA18] 8-bit Sbox constructions with smaller Sboxes o Feistel/SPN/MISTY [CHES 16] o Other structures [SITB 17]

Implementation perspective Hardware Main target o Glitches etc. Serial TI o If f is intrinsically uniform, all parties (f 1,,f s ) share the same functionality o Implement only f 1, learn others by shifting shares [COSADE 13, 18]

Implementation perspective Software Less discussed o Glitches become less dreadful o Lost its competitive advantages in a restricted architecture Why software-ti? o Obscure internal operations unexpected leakage o 1 st order leakage in global look-up tables [COSADE 18 ] o Security order reduction in Boolean masking [CARDIS 14]

Goal Constructing TI-friendly Sbox Considering SW platforms Realistic implementations & Security Evaluation Meet cryptographic requirements Security Evaluation Crypto property HW/SW support Sbox

Outline Introduction Design Philosophy Sbox Constructions Implementations Summary

Design Philosophy Shift-Invariant Definition o For any rotated shift τ, F satisfies F o τ = τ o F o Originally studied in Joan Daemen s thesis, Chapter 6 [JDA 95] o Cellular automaton perspective: 7*7 Sbox [CC 18] o Keccak s χ 2 13 Source: Keccak sponge function family main document, https://keccak.team/obsolete/keccak-main-1.1.pdf

Design Philosophy Why Shift-Invariant? Software Implementation o Suitable for bit-slicing o Fine-grained Shift-invariant Security Evaluation HW/SW support Crypto property Source: Keccak sponge function family main document, https://keccak.team/obsolete/keccak-main-1.1.pdf Sbox 14

Design Philosophy Detour Efficiency in bit-slicing o Pack the same bits to one register o Best when b>processor s bit width Otherwise, borrow from other blocks o Part of the slicing cost Shift-invariant o Easier slicing Same Eg. a 32-bit shift-invariant function does not take any slicing on 32-bit processors

Design Philosophy Why Shift-Invariant? Serial TI o Provides more trade-off options Eg, a 1 =f a (x 1,y 1,z 1, ) b 1 =f b (x 1,y 1,z 1, ) =f a (z 1,y 1,,x 1 ) o 1 bit of 1 share v.s. all the bits in 1 share o Hardware: smaller footprint o Software: easier for bit-slicing 16

Design Philosophy To sum up, in our constructions, we choose Quadratic (deg=2) permutations o Quadratic: 3-share TI (less shares -> lower cost) o Permutation: Sbox construction without invertible structure Shift-invariant o More trade-off options (eg. 1-bit implementation) Uniform TI o Shift-invariant on each share o Further trade-off options (eg. 1-bit of one share)

Outline Introduction Design Philosophy Sbox Constructions Implementations Summary

Sbox Constructions Quadratic building block search n=4 o Total 2 11 o Permutation 24 o 3-share TI uniform 24 n=8 o Total 2 37 o Permutation 520128 o 3-share TI uniform 520128 only for n=4 or 8!

Sbox Constructions Design Architecture Full range SPN o Branches: not perfect for slicing Permutation Layer o Not shift-invariant F already covers all possible options Security concern [FSE 10] o AES Xtime-like operation Rotate with conditional XOR Do it twice for better diffusion

Sbox Constructions n=4 Diff.=4, Lin.=8 (a.k.a. optimal ) o 16 options, 2 rounds o One instance:

Sbox Constructions n=8 Diff.<=8, Lin.<=72 o 6 options, 3 rounds o One instance: diff=8, lin=64, deg=6

Outline Introduction Design Philosophy Sbox Constructions Implementations Summary

Implementations Software Target platform o ARM M0 (Thumb)/M3 (ARM) o 32 bit data width Possible trade-offs o Size-based: same share, different bit o Moderate trade-off (x 1 [1] x 1 [2] y 1 [1] y 1 [2] z 1 [1] z 1 [2] ) >>> 1 becomes >>> b

Implementations Software Results o No fresh-randomness o Otherwise, not that fast Not a fair comparison o Effort spent on optimizing AES/PRESENT s Sbox Number of concurrent Sboxes

Implementations Software Not a fair comparison o Possible security overhead [EUROCRYPT 17] o Could be not as trivial as it sounds.. Practical flaws

Implementations Software Security Evaluation o Cortex M0: NXP LPC1114

Implementations Hardware Selected trade-off o 1-bit implementation o 2D rotation: possible on hardware Possible pitfall o Glitches leakage on shifting shares o Pre-charge the input to 0 o 1 extra cycle (per shift-share ) Shift bits Shift shares

Implementations Hardware Results o Trade cycles for GEs o Add cost to the control logic o Not attractive for n=8

Implementations Hardware Security Evaluation o SAKURA-X: Kintex-7 FPGA

Outline Introduction Design Philosophy Sbox Constructions Implementations Summary

Summary TI-friendly Sbox designs Shift-invariant permutations o 3-share implementation o shift-invariant TI-form o Easier for bit-slicing Results o 4-bit Sbox: 2 rounds/ 8-bit Sbox: 3 rounds o HW/SW Implementation o Security evaluation with TVLA test

Summary Discussion 8-bit Sbox constructions o Using 4-bit Sboxes as building blocks still seems more attractive [CHES 16] o Shift-invariant for non-sbox designs? Implementation pitfalls o Non-academic, yet not an easy task for engineers! o Better understanding of processors & leakages --- obscure & time consuming o More security margins (eg. more shares) --- higher cost!

Reference [CHES 12] Bilgin, B., Nikova, S., Nikov, V., Rijmen, V., St utz, G.: Threshold Implementations of All 3 3 and 4 4 S-Boxes. In: Cryptographic Hardware and Embedded Systems- CHES 2012-14th International Workshop, Leuven, Belgium, September 9-12,2012. Proceedings [FSE 17] Bozilov, D., Bilgin, B., Sahin, H.A.: A Note on 5-bit Quadratic Permutations Classification. IACR Trans. Symmetric Cryptol. 2017 398-404 [BFA18] De Meyer, L., Bilgin, B.: Classification of Balanced Quadratic Functions. IACR Cryptology eprint Archive 2018 [CHES 16] Boss, E., Grosso, V., G uneysu, T., Leander, G., Moradi, A., Schneider, T.: Strong 8- bit Sboxes with efficient masking in hardware extended version. J. Cryptographic Engineering 7(2) (2017) 149-165 [SITB 17] Meyer, L.D., Varici, K.: More Constructions for strong 8-bit S-boxes with efficient masking in hardware. In: Proceedings of the 38th Symposium on Information Theory in the Benelux, Delft,NE, Werkgemeenschap voor Informatie- en Communicatietheorie (2017) 11

Reference [COSADE 13] Kutzner, S., Nguyen, P.H., Poschmann, A., Wang, H.: On 3-Share Threshold Implementations for 4-Bit S-boxes. In: Constructive Side-Channel Analysis and Secure Design - 4th International Workshop, COSADE 2013, Paris, France, March 6-8, 2013, Revised Selected Papers. (2013) 99-113 [COSADE 18] Wegener, F., Moradi, A.: A First-Order SCA Resistant AES Without Fresh Randomness. In: Constructive Side-Channel Analysis and Secure Design - 9th International Workshop, COSADE 2018, Singapore, April 23-24, 2018, Proceedings. (2018) 245-262 [COSADE 18 ] Sasdrich, P., Bock, R., Moradi, A.: Threshold Implementation in Software - Case Study of PRESENT. In: Constructive Side-Channel Analysis and Secure Design - 9th International Workshop, COSADE 2018, Singapore, April 23-24, 2018, Proceedings. (2018) 227-244

Reference [CARDIS 14] Balasch, J., Gierlichs, B., Grosso, V., Reparaz, O., Standaert, F.: On the Cost of Lazy Engineering for Masked Software Implementations. In: Smart Card Research and Advanced Applications - 13th International Conference, CARDIS 2014, Paris, France, November 5-7, 2014. Revised Selected Papers. (2014) 64-81 [JDA 95] Daemen, J.: Cipher and hash function design, strategies based on linear and differential cryptanalysis, PhD Thesis. K.U.Leuven (1995) http://jda:noekeon:org/ [CC 18] Mariot, L., Picek, S., Leporati, A., Jakobovic, D.: Cellular automata based s-boxes. Cryptography and Communications (May 2018) [COSADE 18 ] Corre, Yann Le et al. Micro-Architectural Power Simulator for Leakage Assessment of Cryptographic Software on ARM Cortex-M3 Processors. IACR Cryptology eprint Archive 2017 (2017): 1253.

Reference [EUROCRYPT 17] Goudarzi, D., Rivain, M.: How Fast Can Higher-Order Masking Be in Software? In: Advances in Cryptology - EUROCRYPT 2017-36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Paris, France, April 30 - May 4, 2017, Proceedings, Part I. (2017) 567-597

2024 © hobbydocbox.com Privacy Policy | Terms of Service | Feedback