approachessss17.com
sss17.com 时间:2021-03-19 阅读:(
)
ProtectingAESwithShamir'sSecretSharingSchemeLouisGoubin1andAngeMartinelli1,21VersaillesSaint-Quentin-en-YvelinesUniversityLouis.
Goubin@prism.
uvsq.
fr2ThalesCommunicationsjean.
martinelli@fr.
thalesgroup.
comAbstract.
CryptographicalgorithmsembeddedonphysicaldevicesareparticularlyvulnerabletoSideChannelAnalysis(SCA).
Themostcom-moncountermeasureforblockcipherimplementationsismasking,whichrandomizesthevariablestobeprotectedbycombiningthemwithoneorseveralrandomvalues.
Inthispaper,weproposeanoriginalmaskingschemebasedonShamir'sSecretSharingscheme[23]asanalternativetoBooleanmasking.
WedetailitsimplementationfortheAESusingthesametoolthanRivainandProuinCHES2010[17]:multi-partycomputation.
Wethenconductasecurityanalysisofourschemeinor-dertocompareittoBooleanmasking.
Ourresultsshowthatforagivenamountofnoisetheproposedscheme-implementedtotherstorder-providesthesamesecuritylevelas3rdupto4thorderbooleanmasking,togetherwithabettereciency.
Keywords:SideChannelAnalysis(SCA),Masking,AESImplementa-tion,Shamir'sSecretSharing,Multi-partycomputation.
1IntroductionSideChannelAnalysisisacryptanalyticmethodinwhichanattackeranalyzesthesidechannelleakage(e.
g.
thepowerconsumption,producedduringtheexecutionofacryptographicalgorithmembeddedonaphysicaldevice.
SCAexploitsthefactthatthisleakageisstatisticallydependentontheintermediatevariablesthatareinvolvedinthecomputation.
Someofthesevariablesarecalledsensitiveinthattheyarerelatedtoasecretdata(e.
g.
thekey)andaknowndata(e.
g.
theplaintext),andrecoveringinformationonthemthereforeenablesecientkeyrecoveryattacks[12,3,9].
ThemostcommoncountermeasuretoprotectimplementationsofblockciphersagainstSCAistousemaskingtechniques[4,10]torandomizethesensitivevari-ables.
Theprincipleistocombineoneorseveralrandomvalues,calledmasks,witheveryprocessedsensitivevariable.
MasksandmaskedvariablespropagateFullversionofthepaperpublishedintheproceedingsofCHES2011throughoutthecipherinsuchawaythatanyintermediatevariableisindepen-dentofanysensitivevariable.
Thismethodensuresthattheleakageataninstanttisindependentofanysensitivevariable,thusrenderingSCAdiculttoper-form.
Themaskingcanbeimprovedbyincreasingthenumberofrandommasksthatareusedpersensitivevariable.
Amaskingthatinvolvesdrandommasksiscalledadth-ordermaskingandcanalwaysbetheoreticallybrokenbya(d+1)th-orderSCA,namelyanSCAthattargetsd+1intermediatevariablesatthesametime[14,22,19].
However,thenoiseeectsimplythatthecomplexityofadth-orderSCAincreasesexponentiallywithdinpractice[4].
Thedth-orderSCAresistance(foragivend)isthusagoodsecuritycriterionforimplementationsofblockciphers.
In[18]RivainandProugiveageneralmethodtoimplementadth-ordermaskingschemetotheAESusingsecureMulti-PartyComputation.
Insteadoflookingforperfecttheoreticalsecurityagainstdth-orderSCAasdonein[18],analternativeapproachconsistsinlookingforpracticalresistancetotheseattacks.
Itmayforinstancebeobservedthattheeciencyofhigher-orderSCAisrelatedtothewaythemasksareintroducedtorandomizesensitivevari-ables.
ThemostwidelystudiedmaskingschemesarebasedonBooleanmaskingwheremasksareintroducedbyexclusive-or(XOR).
Firstorderbooleanmaskingenablessecuringimplementationsagainstrst-orderSCAquiteeciently[1,17].
Itishoweverespeciallyvulnerabletohigher-orderSCA[14]duetotheintrinsicphysicalpropertiesofelectronicdevices.
Othermaskingschemesmayprovidebetterresistanceagainsttheseattacksusingvariousoperationstorandomizesensitivevariables.
Thisapproachwillbefurtherinvestigatedinthispaper.
Relatedwork.
In[26,6],theauthorsproposetouseananefunctioninsteadofjustXORtomasksensitivevariables,thusimprovingthesecurityoftheschemeforalowcomplexityoverhead.
However,thiscountermeasureisdevel-opedonlytothe1thorderanditisnotclearhowitcanbeextendedtohigherorders.
In[11,17]theauthorsexplainhowtousesecureMulti-PartyComputa-tiontoprocessthecipheronsharedvariables.
TheyuseasharingschemebasedonXOR,implementingbooleanmaskingtoanyordertosecuretheAESblockcipher.
Atlast,in[20],ProuandRochegiveahardwareorientedglitchfreewaytoimplementblockciphersusingShamir'sSecretSharingschemeandBen-Oretal.
securemulti-partycomputation[2]protocoloperatingon2d+1sharestothwartd-thorderSCA.
Ourcontribution.
Inthispaper,weproposetocombinebothapproachesinim-plementingamaskingschemebaseduponShamir'sSecretSharingscheme[23],calledSSSmaskingandprocessedusingMulti-partyComputationmethods.
Namely,wepresentanimplementationoftheblockciphersuchthatevery8-bitintermediateresultz∈GF(256)ismanipulatedundertheform(xi,P(xi))i=0.
.
d,wherexi∈GF(256)isarandomvaluegeneratedbeforeeachnewexecutionofthealgorithmandP(X)∈GF(256)[X]isapolynomialofdegreedsuchthatP(0)=z.
OurschememaintainsthesamecompatibilityasBooleanmaskingwiththelineartransformationsofthealgorithm.
Moreover,thefactthatthemasksareneverprocessedalonepreventsthemtobetargetedbyahigher-orderSCA,thusgreatlyimprovestheresistanceoftheschemetosuchattacks.
Organizationofthepaper.
WestrecalltheAESandShamir'ssecretshar-ingschemeinSect.
2.
InSect.
3,weshowhowSSSmaskingcanbeappliedtotheAESandgivesomeimplementationresults.
Sect.
4analyzestheresistanceofourmethodtohigh-orderSCAandSect.
5concludesthepaper.
2Preliminaries2.
1TheAdvancedEncryptionStandardTheAdvancedEncryptionStandard(AES)isablockcipherthatiterate10timesaroundtransformation.
Eachoftheseinvolvesfourstages:AddRoundKey,ShiftRows,MixColumn,andSubByte,thatensurethesecurityofthescheme.
Inthissection,werecallthefourmainoperationsinvolvedintheAESencryptionAlgorithm.
Foreachofthem,wedenotebys=(si,j)0≤i,j≤3thestateattheinputofthetransformation,andbys=(si,j)0≤i,j≤3thestateattheoutputofthetransformation.
1.
AddRoundKey:Letk=(ki,j)0≤i,j≤3denotetheroundkey.
EachbyteofthestateisXOR-edwiththecorrespondingroundkeybyte:(si,j)←(si,j)(ki,j).
2.
SubBytes:eachbyteofthestatepassesthroughthe8-bitAESS-boxS:si,j←S(si,j).
3.
ShiftRows:eachrowofthestateiscyclicallyshiftedbyacertainoset:si,j←si,jimod4.
4.
MixColumns:eachcolumnofthestateismodiedasfollows:(s0,c,s1,c,s2,c,s3,c)←MixColumnsc(s0,c,s1,c,s2,c,s3,c)whereMixColumnscimplementsthefollowingoperations:s0,c←(02·s0,c)(03·s1,c)s2,cs3,cs1,c←s0,c(02·s1,c)(03·s2,c)s3,cs2,c←s0,cs1,c(02·s2,c)(03·s3,c)s3,c←(03·s0,c)s1,cs2,c(02·s3,c),where·andrespectivelydenotethemultiplicationandtheadditionintheeldGF(2)[X]/p(X)withp(X)=X8+X4+X3+X+1,andwhere02and03respectivelydenotetheelementsXandX+1.
Inthefollowing,wewillassumethatMixColumnscisimplementedass0,c←xtimes(s0,cs1,c)tmps0,cs1,c←xtimes(s1,cs2,c)tmps1,cs2,c←xtimes(s2,cs3,c)tmps2,cs3,c←s0,cs1,cs2,ctmp,wheretmp=s0,cs1,cs2,cs3,candwherethextimesfunctionisimple-mentedasalook-uptablefortheapplicationx→02·x.
2.
2Shamir'sSecretSharingschemeInsomecryptographiccontextonesmayneedtoshareasecretbetween(atleast)duserswithoutanyk1063O-MIAon2OBooleanMasking160160000650000>106>106AttacksagainstSSSMasking2O-DPAon1OSSSMasking>106>106>106>106>1062O-MIAon1OSSSMasking500000>106>106>106>1063O-DPAon2OSSSMasking>106>106>106>106>1063O-MIAon2OSSSMasking>106>106>106>106>1065ConclusionInthispaperweproposeanewalternativetobooleanmaskingtosecureimple-mentationsofAESagainstsidechannelattacksusingShamir'sSecretSharingschemetosharesensitivevariables.
Wegiveimplementationresultsandcon-ductasecurityanalysisthatclearlyshowthatourschemecanprovideagoodcomplexity-securitytrade-ocomparedtobooleanmasking.
Inparticular,onsmartcardimplementation,whereSNRvalueisaround1/2,1OSSSmaskingprovidesbothabettersecurityandcomplexitythan3Obooleanmasking.
Onhardwareimplementationswherethenoisecanbedrasticallyreduced,1OSSSmaskingistobecomparedto4thorderbooleanmasking,whichincreasethead-vantageofSSSmasking.
Table6resumethecomplexitoftheinversionalgorithminthesescnarii.
MaskingschemeXORmultiplications2jRandombytesRAMO1-SSS(Algo.
2)5872181818O1-SSS(Algo.
3)365414620O3-boolean(σ=2)10864122018O4-boolean(σ≈0)176100154825Table6.
ComplexityofinversionalgorithmsforsimilarsecuritylevelsTheseresultsshowthattheopeningtosecretsharingandsecuremulti-partycomputationcanprovideagoodalternativetobooleanmasking.
ThismaybeaninterestingwaytothwartHO-SCA.
Itisanopenresearchtopictotrythesecurityandcomplexityofsuchamaskingusingotherkindsofsecretsharingscheme.
References1.
Mehdi-LaurentAkkarandC.
Giraud.
AnImplementationofDESandAES,SecureagainstSomeAttacks.
InC.
K.
Koc,D.
Naccache,andC.
Paar,editors,Crypto-graphicHardwareandEmbeddedSystems–CHES2001,volume2162ofLectureNotesinComputerScience,pages309–318.
Springer,2001.
2.
MichaelBen-Or,ShaGoldwasser,andAviWigderson.
Completenesstheoremsfornon-cryptographicfault-tolerantdistributedcomputation(extendedabstract).
InSTOC,pages1–10.
ACM,1988.
3.
E.
Brier,C.
Clavier,andF.
Olivier.
CorrelationPowerAnalysiswithaLeakageModel.
InM.
JoyeandJ.
-J.
Quisquater,editors,CryptographicHardwareandEm-beddedSystems–CHES2004,volume3156ofLectureNotesinComputerScience,pages16–29.
Springer,2004.
4.
S.
Chari,C.
S.
Jutla,J.
R.
Rao,andP.
Rohatgi.
TowardsSoundApproachestoCounteractPower-AnalysisAttacks.
InWiener[27],pages398–412.
5.
ChristopheClavierandKrisGaj,editors.
CryptographicHardwareandEmbed-dedSystems–CHES2009,volume5747ofLectureNotesinComputerScience.
Springer,2009.
6.
GuillaumeFumaroli,AngeMartinelli,EmmanuelProu,andMatthieuRivain.
Anemaskingagainsthigher-ordersidechannelanalysis.
InSelectedAreasinCryptography,volume6544ofLectureNotesinComputerScience.
Springer,2010.
7.
RosarioGennaro,MichaelO.
Rabin,andTalRabin.
Simpliedvssandfact-trackmultipartycomputationswithapplicationstothresholdcryptography.
InPODC,pages101–111,1998.
8.
BenediktGierlichs,LejlaBatina,BartPreneel,andIngridVerbauwhede.
RevisitingHigher-OrderDPAAttacks:MultivariateMutualInformationAnalysis.
Cryptol-ogyePrintArchive,Report2009/228,2009.
http://eprint.
iacr.
org/.
9.
BenediktGierlichs,LejlaBatina,PimTuyls,andBartPreneel.
MutualInforma-tionAnalysis.
InElisabethOswaldandPankajRohatgi,editors,CryptographicHardwareandEmbeddedSystems–CHES2008,volume5154ofLectureNotesinComputerScience,pages426–442.
Springer,2008.
10.
L.
GoubinandJ.
Patarin.
DESandDierentialPowerAnalysis–TheDuplicationMethod.
InC.
K.
KocandC.
Paar,editors,CryptographicHardwareandEmbeddedSystems–CHES'99,volume1717ofLectureNotesinComputerScience,pages158–172.
Springer,1999.
11.
YuvalIshai,AmitSahai,andDavidWagner.
PrivateCircuits:SecuringHardwareagainstProbingAttacks.
InD.
Boneh,editor,AdvancesinCryptology–CRYPTO2003,volume2729ofLectureNotesinComputerScience,pages463–481.
Springer,2003.
12.
P.
Kocher,J.
Jae,andB.
Jun.
DierentialPowerAnalysis.
InWiener[27],pages388–397.
13.
StefanMangard,ElisabethOswald,andThomasPopp.
PowerAnalysisAttacks–RevealingtheSecretsofSmartcards.
Springer,2007.
14.
T.
S.
Messerges.
UsingSecond-orderPowerAnalysistoAttackDPAResistantSoftware.
InC.
K.
KocandC.
Paar,editors,CryptographicHardwareandEmbeddedSystems–CHES2000,volume1965ofLectureNotesinComputerScience,pages238–251.
Springer,2000.
15.
D.
Pointcheval,editor.
TopicsinCryptology–CT-RSA2006,volume3860ofLectureNotesinComputerScience.
Springer,2006.
16.
EmmanuelProuandMatthieuRivain.
TheoreticalandPracticalAspectsofMutualInformationBasedSideChannelAnalysis.
InMichelAbdalla,DavidPointcheval,Pierre-AlainFouque,andDamienVergnaud,editors,AppliedCryp-tographyandNetworkSecurity–ANCS2009,volume5536ofLectureNotesinComputerScience,pages499–518.
Springer,2009.
17.
EmmanuelProuandMatthieuRivain.
ProvablySecureHigher-OrderMaskingofAES.
InStefanMangardandFranois-XavierStandaert,editors,CryptographicHardwareandEmbeddedSystems–CHES2010,volume6225ofLectureNotesinComputerScience,pages413–427.
Springer,2010.
18.
EmmanuelProuandMatthieuRivain.
TheoreticalandPracticalAspectsofMutualInformationBasedSideChannelAnalysis(ExtendedVersion).
ToappearintheInt.
JournalofAppliedCryptography(IJACT),2010.
19.
EmmanuelProu,MatthieuRivain,andRegisBevan.
StatisticalAnalysisofSec-ondOrderDierentialPowerAnalysis.
IEEETrans.
Comput.
,58(6):799–811,2009.
20.
EmmanuelProuandThomasRoche.
Higher-orderglitchesfreeimplementationoftheaesusingsecuremulti-partycomputationprotocols.
InCryptographicHard-wareandEmbeddedSystems–CHES2011,LectureNotesinComputerScience.
Springer.
21.
MatthieuRivain,EmmanuelProu,andJulienDoget.
Higher-OrderMaskingandShuingforSoftwareImplementationsofBlockCiphers.
InClavierandGaj[5],pages171–188.
22.
KaiSchrammandChristofPaar.
HigherOrderMaskingoftheAES.
InPointcheval[15],pages208–225.
23.
AdiShamir.
HowtoShareaSecret.
CommunicationsoftheACM,22(11):612–613,November1979.
24.
Francois-XavierStandaert,TalMalkin,andMotiYung.
AUniedFrameworkfortheAnalysisofSide-ChannelKeyRecoveryAttacks.
InAntoineJoux,editor,AdvancesinCryptology–EUROCRYPT2009,volume5479ofLectureNotesinComputerScience,pages443–461.
Springer,2009.
25.
Francois-XavierStandaert,NicolasVeyrat-Charvillon,ElisabethOswald,BenediktGierlichs,MarcelMedwed,MarkusKasper,andStefanMangard.
Theworldisnotenough:Anotherlookonsecond-orderdpa.
CryptologyePrintArchive,Report2010/180,2010.
http://eprint.
iacr.
org/.
26.
ManfredvonWillich.
Atechniquewithaninformation-theoreticbasisforprotect-ingsecretdatafromdierentialpowerattacks.
InIMAint.
Conf.
,volume2260ofLectureNotesinComputerScience,pages44–62.
Springer,2001.
27.
M.
J.
Wiener,editor.
AdvancesinCryptology–CRYPTO'99,volume1666ofLectureNotesinComputerScience.
Springer,1999.
AComputingtheproductinGF(256)TheSSSmaskingandtheprocessingoftheAESinvolvesmultiplicationsintheeldGF(28).
Insoftwareapplications,themostecientwaytoimplementtheproductintheeldGF(256)istouseprecomputedlog/alogtables.
Theconstructionofthesetablesisbasedonthefactthatallnon-zeroelementsinaniteeldGF(2n)canbeobtainedbyexponentiationofageneratorinthiseld.
LetαbeageneratorofGF(256).
Wedenelog(αi)=iandalog(i)=αi.
Theseresultsarestoredintwotablesof2n1wordsofnbits.
Ifa,barenon-zero,thentheproducta·bcanbecomputedusinglog/alogtablesasa·b=alog[(log(a)+log(b))mod(2n1)].
(13)Inordertocomputetheadditionmodulo2n1,leta,b∈GF(2n),andletcdenotethecarryassociatedwiththeoperationa+bmod(2n).
Then,a+bmod(2n1)canbecomputedfroma+bmod(2n)andcasfollows.
Algorithm6Input:a,b∈GF(2n)Output:s=a+bmod(2n1)1.
s←a+bmod2n2.
s←s+cmod2n3.
ifs=2n1thens=04.
ReturnsSimilarlytheinversionofanon-zeroelementa∈GF(2n)canbeimplementedusinglog/alogtablesasa1=alog[log(a)mod(2n1)].
(14)
hostwebis怎么样?hostwebis昨天在webhosting发布了几款美国高配置大硬盘机器,但报价需要联系客服。看了下该商家的其它产品,发现几款美国服务器、法国服务器还比较实惠,100Mbps不限流量,高配置大硬盘,$44/月起,有兴趣的可以关注一下。HostWebis是一家国外主机品牌,官网宣称1998年就成立了,根据目标市场的不同,以不同品牌名称提供网络托管服务。2003年,通过与W...
DogYun是一家2019年成立的国人主机商,提供VPS和独立服务器租用等,数据中心包括中国香港、美国洛杉矶、日本、韩国、德国、荷兰等,其中VPS包括常规VPS(经典云)和按小时计费VPS(动态云),使用自行开发的面板和管理系统,支持自定义配置,动态云各个硬件独立按小时计费,带宽按照用户使用量计费(不使用不计费)或者购买流量包,线路也可以自行切换。目前商家发布了6.18促销方案,新购动态云7折,经...
CloudCone是一家成立于2017年的国外VPS主机商,提供独立服务器租用和VPS主机,其中VPS基于KVM架构,多个不同系列,譬如常规VPS、大硬盘VPS等等,数据中心在洛杉矶MC机房。商家2021年Flash Sale活动继续,最低每月1.99美元,支持7天退款到账户,支持使用PayPal或者支付宝付款,先充值后下单的方式。下面列出几款VPS主机配置信息。CPU:1core内存:768MB...
sss17.com为你推荐
2020双十一成绩单2020年12月四级考试什么时候出成绩咏春大师被ko八极拳大师真的被咏春叶问打败了吗?八极咏春比优劣如何?谢谢.老虎数码1200万相素的数码相机都有哪些款?大概价钱是多少?www.983mm.comwww.47683.com原代码源代码是什么336.com求一个游戏的网站 你懂得ip在线查询我要用eclipse做个ip在线查询功能,用QQwry数据库,可是我不知道怎么把这个数据库放到我的程序里面去,高手帮忙指点下,小弟在这谢谢了抓站工具仿站必备软件有哪些工具?最好好用的仿站工具是那个几个?partnersonlinecashfiesta 该怎么使用啊~~baqizi.cc曹操跟甄洛是什么关系
视频空间租用 主机测评 flashfxp怎么用 buyvm arvixe 狗爹 12306抢票攻略 建站代码 发包服务器 刀片服务器的优势 免费活动 linux使用教程 上海电信测速网站 电信宽带测速软件 阿里云邮箱个人版 存储服务器 reboot 游戏服务器 热云 linuxvi命令 更多