Block Ciphers and Side Channel Protection

Gregor Leander

ECRYPT-CSA@CHANIA-2017

Main Idea

Side-channel resistance: without protection, having a strong cipher is useless.

Therefore: masking is necessary.

Usual approach:
1 Design a cipher
2 Try to mask it efficiently

Side-Channel Resistance by Design

Usual approach:
1 Design a cipher
2 Try to mask it efficiently

Better: design ciphers that are easy to mask.

Examples: NOEKEON, PICARO, ZORRO, LS-Designs


Outline

1 Software Masking

2 Hardware Masking

Masking: Compute on Shares

(Boolean) sharing: split the input x ∈ F_2^n into r shares x_i ∈ F_2^n with

x = x_1 ⊕ x_2 ⊕ ... ⊕ x_r

(n-out-of-n secret sharing).

MPC-like computation: avoid computing on the input directly; compute on the shares instead.

Easy for linear operations, i.e. XOR. Expensive for non-linear operations, e.g. AND.
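A minimal software-masking kernel for the sharing just described, as an added example that is not from the slides: Boolean sharing of an N-bit word into r shares, share-wise XOR for the linear case, an ISW-style multiplication for the non-linear AND, and a cost function that shows what the AND costs in gates and randomness. The word width N, the share count r and all function names are my choices.

```python
# Boolean masking as on the slide: x = x1 ^ x2 ^ ... ^ xr, and every operation
# is carried out on the shares only. Added example, not from the slides.
# Values are N-bit words, so one call handles a whole register.
import secrets

N = 8                      # word width of the masked values (my choice)
MASK = (1 << N) - 1


def share(x, r, rng=secrets.randbits):
    """Split x into r shares: r-1 uniformly random words, the last fixes the XOR."""
    shares = [rng(N) & MASK for _ in range(r - 1)]
    last = x & MASK
    for s in shares:
        last ^= s
    return shares + [last]


def unshare(shares):
    """Recombine the shares (only at the very end, never inside the computation)."""
    x = 0
    for s in shares:
        x ^= s
    return x


def masked_xor(a, b):
    """Linear operation: share-wise XOR. r XORs, no fresh randomness."""
    return [ai ^ bi for ai, bi in zip(a, b)]


def masked_and(a, b, rng=secrets.randbits):
    """Non-linear operation: ISW secure multiplication on r shares.
    Costs r*r ANDs, 2r(r-1) XORs and r(r-1)/2 fresh random words,
    against a single AND on the unmasked value."""
    r = len(a)
    c = [ai & bi for ai, bi in zip(a, b)]           # diagonal terms a_i b_i
    for i in range(r):
        for j in range(i + 1, r):
            r_ij = rng(N) & MASK
            # Bracketing matters: the random word is XORed in before the two
            # cross terms meet, so a_i b_j ^ a_j b_i never exists as a value.
            r_ji = (r_ij ^ (a[i] & b[j])) ^ (a[j] & b[i])
            c[i] ^= r_ij
            c[j] ^= r_ji
    return c


def cost(r):
    """(ANDs, fresh random words) of one masked AND with r shares."""
    return r * r, r * (r - 1) // 2


def demo(x=0xA5, y=0x3C, r=3):
    """Mask x and y, compute XOR and AND on the shares, unmask the results."""
    xs, ys = share(x, r), share(y, r)
    return unshare(masked_xor(xs, ys)), unshare(masked_and(xs, ys))
```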

One Application

FSE 2014: LS-Designs [GLSVar]

A family of easy-to-mask block ciphers, designed by UC-Louvain and INRIA.

Main idea: the opposite of what is usually done. Use tables for the linear layer, and (few) logical operations for the S-boxes.

Two instances: Robin and iScream; Fantomas and Scream.

Robin and iScream

(Figure, stepped through layer by layer on the slides: the state drawn as a grid of bits, with eight S-Box labels along one side, eight L-box labels L along the other, and the round constant c.)

One square is a bit. Columns are stored in registers.

Bit-Sliced: From One To Many

(Figure: one S-box with inputs x0, x1, x2, x3 and outputs y0, y1, y2, y3.)

Bit sliced (cf. Serpent): instead of using a LUT, use the algebraic description.

Example:
y0 = x0x1 + x3
y1 = x1x3 + x2x3
y2 = x0x1x3 + x1
y3 = x2x3 + x1x3 + x1 + x3

Many S-boxes: replace bits by registers.

Advantages: n-bit registers ⇒ n S-boxes at once. Easier to mask than LUTs.
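Bit-slicing the slide's example S-box, as an added example that is not from the slides: the four output equations are evaluated on 32-bit registers so that 32 S-boxes are computed per pass, and the result is checked against the lookup table derived from the same ANF (the slide's equations, with its fourth output read as y3). pack and unpack are my names for the bit transposition.

```python
# Bit-sliced evaluation of the 4-bit S-box from the slide: its ANF is evaluated
# on whole registers, so a 32-bit word evaluates 32 S-boxes at once, and the
# result is checked against the lookup table built from the same ANF.
# Added example, not from the slides; pack/unpack are my names.

WORD = 32                       # register width = number of parallel S-boxes


def sbox_anf(x0, x1, x2, x3):
    """The slide's algebraic description (y4 read as y3), bit-sliced: each
    argument is a register whose bit j is input bit i of S-box instance j."""
    t01 = x0 & x1               # the three products, each computed once
    t13 = x1 & x3
    t23 = x2 & x3
    y0 = t01 ^ x3               # y0 = x0x1 + x3
    y1 = t13 ^ t23              # y1 = x1x3 + x2x3
    y2 = (t01 & x3) ^ x1        # y2 = x0x1x3 + x1
    y3 = t23 ^ t13 ^ x1 ^ x3    # y3 = x2x3 + x1x3 + x1 + x3
    return y0, y1, y2, y3


# ANDs in sbox_anf (x0x1, x1x3, x2x3, (x0x1)x3): the only operations that
# masking has to pay for, independent of how many S-boxes the register holds.
NONLINEAR_OPS = 4


def lut_from_anf():
    """16-entry lookup table derived from the ANF (bit i of a nibble is x_i)."""
    table = []
    for v in range(16):
        y = sbox_anf(*[(v >> i) & 1 for i in range(4)])
        table.append(sum(b << i for i, b in enumerate(y)))
    return table


def pack(values):
    """Transpose up to WORD nibbles into 4 registers: bit j of register i = bit i of value j."""
    regs = [0, 0, 0, 0]
    for j, v in enumerate(values):
        for i in range(4):
            regs[i] |= ((v >> i) & 1) << j
    return regs


def unpack(regs, count):
    """Inverse transpose: recover `count` nibbles from the 4 registers."""
    return [sum(((regs[i] >> j) & 1) << i for i in range(4)) for j in range(count)]


def sbox_bitsliced(values):
    """Apply the S-box to all values (at most WORD of them) in one ANF evaluation."""
    assert len(values) <= WORD
    return unpack(sbox_anf(*pack(values)), len(values))


def sbox_lut(values):
    """Reference: one table lookup per value, i.e. the data-dependent memory
    access that bit-slicing avoids."""
    table = lut_from_anf()
    return [table[v] for v in values]
```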

The Linear Layer

With a bit-sliced S-box, the input to each L_i lies in one register.

Simply use tables for the L_i.

The Sbox

Task: find a good/optimal S-box using a minimal number of non-linear operations.

Two approaches:
Find the best implementation of a given S-box (e.g. [Sto16]).
Find the cryptographically strong S-box that can be implemented most efficiently (cf. [UCI+11]).

4-bit: for 4 bits both approaches are possible.

Optimal 4 Bit Solution (I/II)

Class 13 from [UCI+11].

Optimal 4 Bit Solution (II/II)

(Figure: the bit-sliced circuit of the class 13 S-box, bits ordered from MSB to LSB.)

Used in SKINNY [?]

Larger S-boxes

Task: how to construct larger S-boxes?

Idea: build on small ones, i.e. use small S-boxes to construct larger ones.

For 8-Bit

Possible constructions (cf. [GLSVar]); thanks to Gaëtan Leurent for the picture.

Choice for ROBIN

Feistel + Class 13.

The Robin Sbox

Selected entries of the S-box table:
00000000 → 00000000
10000000 → 10100001
01100100 → 01100100
11100100 → 11000101
00100001 → 00100001
10100001 → 10000000
01000101 → 01000101
11000101 → 11100100

S(∗, a, b, 0, 0, a, 0, a⊕b) = (∗, α, β, 0, 0, α, 0, α⊕β)

A Symmetry in Robin and iScream

(Figure, stepped through on the slides: the Robin/iScream state grid with its S-Box and L labels and the round constant c.)

Rows of the state of the form (one row per register, i = 0, ..., 7)

* a_i b_i 0 0 a_i 0 c_i

are mapped by the S-box layer to rows of the form

* α_i β_i 0 0 α_i 0 γ_i

with c_i = a_i ⊕ b_i and γ_i = α_i ⊕ β_i.

Take Care

Symmetries: a simple S-box might allow for symmetries.

Easy to avoid by choosing the constants well. Similar attacks on Scream, Zorro, ...

Improved LS-Designs: XLS took this into account.


Outline

1 Software Masking

2 Hardware Masking

TI: Compute on Shares

(Boolean) sharing: split the input x ∈ F_2^n into r shares x_i ∈ F_2^n with

x = x_1 ⊕ x_2 ⊕ ... ⊕ x_r

(n-out-of-n secret sharing).

MPC-like computation: never compute on all shares simultaneously. Compute on r − 1 shares at a time, and make sure that the computation is correct.

Threshold Implementation [NRR06] is a concrete way to achieve the above.

TI - In A Picture

(Figure: the input x = x_a + x_b + x_c is mapped by f to y = y_a + y_b + y_c; each output share is computed by its own component function, y_a by f_a, y_b by f_b and y_c by f_c. Thanks to J. Daemen for the picture.)

TI - More Formally

Given a permutation F : F_2^n → F_2^n and x = x_1 ⊕ ... ⊕ x_t, construct t functions

F_i : F_2^{(t−1)n} → F_2^n

such that

F_1(x_2, ..., x_t) ⊕ ··· ⊕ F_t(x_1, x_2, ..., x_{t−1}) = F(x_1 ⊕ ··· ⊕ x_t) = F(x)

(F_i is independent of x_i).

TI - Main Properties

Write x = (x_1, ..., x_t) for the shared input.

For a TI we need three important properties: correctness, non-completeness and uniformity.

TI - Correctness

Correctness: F_1(x) ⊕ F_2(x) ⊕ ··· ⊕ F_t(x) = F(x)

Easy to achieve.


TI - Non-Completeness

Non-completeness: F_i(x) is independent of x_i (wlog).

Easy to achieve.

Correctness and non-completeness are possible iff t ≥ deg(F) + 1.


TI - Uniformity

Uniformity: x ↦ (F_1(x), ..., F_t(x)) is a permutation on tn bits (with ⊕_i F_i(x) = F(x)).

Easy to achieve on its own. But: achieving all three properties at the same time is difficult.


TI - Quadratic Case

Let us focus on the quadratic case: Q : F_2^n → F_2^n quadratic.

Quadratic ⇒ the 3rd derivative is constant zero:

Δ_a Q(x) := Q(x) ⊕ Q(x ⊕ a) is linear
Δ_{a,b} Q(x) := Δ_b(Δ_a Q(x)) is constant
Δ_{a,b,c} Q(x) := Δ_c(Δ_b(Δ_a Q(x))) is constant zero

Why does this help to construct a TI?

TI - Quadratic Case

Non-complete and correct TI:

0 = Δ_{a,b,c} Q(x)
  = Δ_c(Δ_b(Δ_a Q(x)))
  = Δ_c(Δ_b(Q(x) + Q(x + a)))
  = Δ_c(Q(x) + Q(x + a) + Q(x + b) + Q(x + a + b))
  = Q(x) + Q(x + a) + Q(x + b) + Q(x + a + b)
    + Q(x + c) + Q(x + c + a) + Q(x + b + c) + Q(x + a + b + c)

For x = 0 we get (wlog Q(0) = 0)

Q(a + b + c) = Q(b + c) + Q(c)
             + Q(a + c) + Q(a)
             + Q(a + b) + Q(b)

For a = x_a, b = x_b, c = x_c and x = x_a + x_b + x_c we get

Q(x) = Q(x_b + x_c) + Q(x_c) =: f_a(x_b, x_c)
     + Q(x_a + x_c) + Q(x_a) =: f_b(x_a, x_c)
     + Q(x_a + x_b) + Q(x_b) =: f_c(x_a, x_b)
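The direct sharing above made concrete, as an added example that is not from the slides: for two quadratic 3-bit permutations, chi3 (the Keccak-style chi on 3 bits) and a triangular Feistel-type map, the code builds f_a, f_b, f_c from the formula, brute-forces correctness over all 512 share triples, and tests uniformity by looking for two share triples with the same shared output. The Feistel-type map comes out uniform while chi3 does not, which is the situation the later slides on correction terms and on Feistel structures address; the function names and the two sample maps are my choices.

```python
# Direct 3-share TI of a quadratic map Q, built from the slide's formula
#   Q(x) = [Q(xb+xc)+Q(xc)] + [Q(xa+xc)+Q(xa)] + [Q(xa+xb)+Q(xb)]
#        =      fa(xb,xc)   +     fb(xa,xc)    +     fc(xa,xb)
# plus brute-force checks of correctness and uniformity. Added example, not
# from the slides; n-bit values are integers, bit i is x_i, + is XOR, Q(0) = 0.
from itertools import product

N = 3
ALL = range(1 << N)


def bit(x, i):
    return (x >> i) & 1


def chi3(x):
    """3-bit chi (as in Keccak): y_i = x_i + (x_{i+1} + 1) x_{i+2}; quadratic permutation."""
    y = 0
    for i in range(N):
        y |= (bit(x, i) ^ ((bit(x, (i + 1) % N) ^ 1) & bit(x, (i + 2) % N))) << i
    return y


def feistel3(x):
    """Triangular (Feistel-type) quadratic permutation (x0, x1, x2 + x0 x1)."""
    return x ^ ((bit(x, 0) & bit(x, 1)) << 2)


def direct_sharing(Q):
    """Component functions fa, fb, fc; each omits one share, so non-completeness
    holds by construction."""
    fa = lambda xb, xc: Q(xb ^ xc) ^ Q(xc)
    fb = lambda xa, xc: Q(xa ^ xc) ^ Q(xa)
    fc = lambda xa, xb: Q(xa ^ xb) ^ Q(xb)
    return fa, fb, fc


def shared_eval(shares, xa, xb, xc):
    fa, fb, fc = shares
    return fa(xb, xc), fb(xa, xc), fc(xa, xb)


def is_correct(Q, shares):
    """ya + yb + yc = Q(xa + xb + xc) for every share triple."""
    for xa, xb, xc in product(ALL, repeat=3):
        ya, yb, yc = shared_eval(shares, xa, xb, xc)
        if ya ^ yb ^ yc != Q(xa ^ xb ^ xc):
            return False
    return True


def find_collision(shares):
    """Two distinct share triples with the same shared output, or None.
    A collision means the shared map is not a permutation on 3n bits, i.e.
    the sharing is not uniform."""
    seen = {}
    for x in product(ALL, repeat=3):
        y = shared_eval(shares, *x)
        if y in seen:
            return seen[y], x
        seen[y] = x
    return None


def is_uniform(shares):
    return find_collision(shares) is None
```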

TI - 2 out of 3

(Figure: the same picture as before, where each component function f_a, f_b, f_c now reads only two of the three input shares. Thanks to J. Daemen for the picture.)

Correction Terms

f_a(x_b, x_c) = Q(x_b + x_c) + Q(x_c) + C_b(x_b) + C_c(x_c)
f_b(x_a, x_c) = Q(x_a + x_c) + Q(x_a) + C_a(x_a) + C_c(x_c)
f_c(x_a, x_b) = Q(x_a + x_b) + Q(x_b) + C_a(x_a) + C_b(x_b)

How to get uniformity: make this a permutation by adding correction terms. Each C_i appears in exactly two component functions and cancels in the sum, so this keeps non-completeness and keeps correctness, and might give uniformity.

Correction Terms

Finding CT: high complexity, even for small n ≥ 5. Possible for n = 3, 4 [BNN+12]; sometimes for n = 5.

Task: how to find a TI of larger S-boxes (e.g. n = 8)?

For a given S-box: decomposition. For some good S-box: as for masking.

TI - Construction of Larger S-boxes

Possible constructions (cf. [BGG+16]).

TI - Feistel

Feistel: for a Feistel structure one gets uniformity for free. Use direct sharing; the result is a Feistel structure again.

(Figure: the shared Feistel structure with round functions f1, f2, f3; labels x1, x2, x3 at the input, z1, z2, z3 in the middle and y1, y2, y3 at the output.)

Uniformity: Out of the Box Solution

(Figure: the three shares x_a, x_b, x_c pass through S_a, S_b, S_c to y_a, y_b, y_c; two guard values r_b, r_c enter the structure and R_b, R_c leave it.)

Presented by J. Daemen in [Dae17].

Uniformity: Out of the Box Solution

(Figure: three S-box instances in a row with input shares (a0, b0, c0), (a1, b1, c1), (a2, b2, c2) and output shares (A0, B0, C0), (A1, B1, C1), (A2, B2, C2); the guards r_b, r_c enter at the first instance and the guards R_b, R_c leave at the last. Thanks to J. Daemen for the picture.)
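Daemen's changing-of-the-guards construction [Dae17] applied to the direct sharing of 3-bit chi, which is correct and non-complete but not uniform on its own, as an added example that is neither from the slides nor from [Dae17]. The guard wiring is my reading of the picture (an assumption): share a absorbs both incoming guards, b and c one each, and the b and c input shares of the last instance leave as the new guards; a brute-force check then confirms that the whole map, guards included, is a permutation.

```python
# Changing of the guards [Dae17] on top of the direct 3-share sharing of
# 3-bit chi. Added example, not from the slides. The guard wiring below is my
# reading of the picture: a gets both guards, b and c get one each, and the
# b and c input shares of the last instance become the outgoing guards.
from itertools import product

N = 3


def bit(x, i):
    return (x >> i) & 1


def chi3(x):
    """3-bit chi: y_i = x_i + (x_{i+1} + 1) x_{i+2}, a quadratic permutation."""
    y = 0
    for i in range(N):
        y |= (bit(x, i) ^ ((bit(x, (i + 1) % N) ^ 1) & bit(x, (i + 2) % N))) << i
    return y


# The slide's direct sharing fa, fb, fc of chi3 (correct, non-complete, not uniform).
fa = lambda xb, xc: chi3(xb ^ xc) ^ chi3(xc)
fb = lambda xa, xc: chi3(xa ^ xc) ^ chi3(xa)
fc = lambda xa, xb: chi3(xa ^ xb) ^ chi3(xb)


def plain_layer(instances):
    """S-box layer over a list of share triples, no guards."""
    return [(fa(xb, xc), fb(xa, xc), fc(xa, xb)) for xa, xb, xc in instances]


def guarded_layer(guard_b, guard_c, instances):
    """Same layer with two incoming guards; returns outputs and the outgoing guards."""
    out = []
    gb, gc = guard_b, guard_c
    for xa, xb, xc in instances:
        ya = fa(xb, xc) ^ gb ^ gc     # still free of any a share: guards are b/c shares
        yb = fb(xa, xc) ^ gc          # still free of any b share
        yc = fc(xa, xb) ^ gb          # still free of any c share
        out.append((ya, yb, yc))
        gb, gc = xb, xc               # this instance's b and c shares become the guards
    return out, gb, gc


def plain_is_uniform(m):
    """Brute force: is (m share triples) -> (m output triples) a permutation?"""
    seen = set()
    for xs in product(range(8), repeat=3 * m):
        inst = [tuple(xs[3 * i:3 * i + 3]) for i in range(m)]
        seen.add(tuple(plain_layer(inst)))
    return len(seen) == 8 ** (3 * m)


def guarded_is_uniform(m):
    """Brute force: is (guards, m share triples) -> (outputs, new guards) a permutation?"""
    seen = set()
    for gb, gc, *xs in product(range(8), repeat=2 + 3 * m):
        inst = [tuple(xs[3 * i:3 * i + 3]) for i in range(m)]
        out, nb, nc = guarded_layer(gb, gc, inst)
        seen.add((tuple(out), nb, nc))
    return len(seen) == 8 ** (2 + 3 * m)
```

The guarded check enumerates 8^(3m+2) inputs, so m = 1 runs in well under a second while m = 2 already means 2^24 evaluations.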

References

[BGG+16] Erik Boss, Vincent Grosso, Tim Güneysu, Gregor Leander, Amir Moradi, and Tobias Schneider. Strong 8-bit Sboxes with Efficient Masking in Hardware. CHES 2016, 2016.

[BNN+12] Begül Bilgin, Svetla Nikova, Ventzislav Nikov, Vincent Rijmen, and Georg Stütz. Threshold Implementations of All 3 × 3 and 4 × 4 S-Boxes. CHES 2012, Lecture Notes in Computer Science, vol. 7428, Springer, 2012, pp. 76–91.

[Dae17] Joan Daemen. Changing of the Guards: A Simple and Efficient Method for Achieving Uniformity in Threshold Sharing. Cryptographic Hardware and Embedded Systems - CHES 2017 - 19th International Conference, Taipei, Taiwan, September 25-28, 2017, Proceedings (Wieland Fischer and Naofumi Homma, eds.), Lecture Notes in Computer Science, vol. 10529, Springer, 2017, pp. 137–153.

[GLSVar] Vincent Grosso, Gaëtan Leurent, François-Xavier Standaert, and Kerem Varıcı. LS-Designs: Bitslice Encryption for Efficient Masked Software Implementations. Fast Software Encryption (FSE), LNCS, Springer, 2014, to appear.

[NRR06] Svetla Nikova, Christian Rechberger, and Vincent Rijmen. Threshold Implementations Against Side-Channel Attacks and Glitches. Information and Communications Security, 8th International Conference, ICICS 2006, Raleigh, NC, USA, December 4-7, 2006, Proceedings (Peng Ning, Sihan Qing, and Ninghui Li, eds.), Lecture Notes in Computer Science, vol. 4307, Springer, 2006, pp. 529–545.

[Sto16] Ko Stoffelen. Optimizing S-box Implementations for Several Criteria Using SAT Solvers. Fast Software Encryption - 23rd International Conference, FSE 2016, Bochum, Germany, March 20-23, 2016, Revised Selected Papers (Thomas Peyrin, ed.), Lecture Notes in Computer Science, vol. 9783, Springer, 2016, pp. 140–160.

[UCI+11] Markus Ullrich, Christophe De Cannière, Sebastiaan Indesteege, Özgül Küçük, Nicky Mouha, and Bart Preneel. Finding Optimal Bitsliced Implementations of 4 x 4-bit S-boxes. SKEW, 2011.


The End

Thank you very much.