
Changing of the Guards

Joan Daemen, CHES 2017, Taipei, September 26, 2017

Radboud University

STMicroelectronics

Disclaimer

This is not a talk about higher-order countermeasures

Iterative cryptographic permutation

Three-stage round function: wide trail


Nonlinear layer χ

X[i] ^= (~X[i+1]) & X[i+2]

$x_i \leftarrow x_i + (x_{i+1} + 1)\,x_{i+2}$

Invertible for odd length n

Used in Ketje, Keyak, Keccak (n = 5); RadioGatún (n = 19); Panama (n = 17); BaseKing, 3-Way (n = 3); Subterranean, Cellhash (n = 257)

[Daemen, Govaerts, Vandewalle, WIC Benelux 1991]


Masking of χ as DPA/DEMA countermeasure

$x_0 \leftarrow x_0 + (x_1 + 1)\,x_2$

$a_i + b_i = x_i$ with $a_i$ random

$a_0 \leftarrow a_0 + (a_1 + 1)\,a_2 + a_1 b_2$

$b_0 \leftarrow b_0 + (b_1 + 1)\,b_2 + b_1 a_2$

[Daemen, Peeters, Van Assche, FSE 2000]


χ′: a three-share masking of χ

$x_0 \leftarrow x_0 + (x_1 + 1)\,x_2$

$a_i + b_i + c_i = x_i$ with $a_i$ and $b_i$ random

$a_0 \leftarrow b_0 + (b_1 + 1)\,b_2 + b_1 c_2 + b_2 c_1$

$b_0 \leftarrow c_0 + (c_1 + 1)\,c_2 + c_1 a_2 + c_2 a_1$

$c_0 \leftarrow a_0 + (a_1 + 1)\,a_2 + a_1 b_2 + a_2 b_1$

[Bertoni, Daemen, Peeters, Van Assche, 2nd SHA-3 conference, 2010]


Threshold masking schemes [Nikova, Rijmen, Rechberger, Schläffer, ’06 - ’08]

[Figure: unshared circuit x → f → y beside the shared circuit $(x_a, x_b, x_c)$ → $(f_a, f_b, f_c)$ → $(y_a, y_b, y_c)$]

Scheme at the right computes f securely against 1st-order DPA if:

▶ $(f_a, f_b, f_c)$ is a correct sharing of f
▶ $(f_a, f_b, f_c)$ is incomplete: requires # shares ≥ d + 1
▶ $(x_a, x_b, x_c)$ is a uniform sharing of x:
  • all values $(x_a, x_b, x_c)$ with $x_a + x_b + x_c = x$ equiprobable
  • $x = 0$: $(x_a, x_b, x_c) \in \{(0,0,0), (1,1,0), (1,0,1), (0,1,1)\}$
  • $x = 1$: $(x_a, x_b, x_c) \in \{(1,1,1), (0,0,1), (0,1,0), (1,0,0)\}$


Uniformity of a threshold masking scheme

[Figure: the shared circuit applied twice, $(x_a, x_b, x_c)$ → $(f_a, f_b, f_c)$ → $(y_a, y_b, y_c)$ → $(f_a, f_b, f_c)$ → $(z_a, z_b, z_c)$, beside the unshared x → f → y → f → z]

▶ Sharing $(f_a, f_b, f_c)$ of f is called uniform if it preserves uniformity
▶ If f is invertible, for $(f_a, f_b, f_c)$ uniformity = invertibility


Back to χ′

$a_0 \leftarrow b_0 + (b_1 + 1)\,b_2 + b_1 c_2 + b_2 c_1$

$b_0 \leftarrow c_0 + (c_1 + 1)\,c_2 + c_1 a_2 + c_2 a_1$

$c_0 \leftarrow a_0 + (a_1 + 1)\,a_2 + a_1 b_2 + a_2 b_1$

Is this a secure threshold masking scheme of χ?

▶ Correct? Yes!
▶ Incomplete? Yes!
▶ Uniform? Yes! …but wait …we may have a problem here …it isn’t

In general, for many S-boxes:

▶ no uniform (d + 1)-share threshold schemes are known
▶ it is an active research area to find the best compromise


An out-of-the-box approach to achieving uniformity

[Figure: three shared S-boxes in a row, each with input shares (a, b, c) and output shares (A, B, C); $(r_b, r_c)$ enter at the leftmost S-box and $(R_b, R_c)$ leave at the rightmost]

(1) Build $(S_a, S_b, S_c)$: a correct and incomplete sharing of S
  • straightforward and generalizes to d + 1 shares for d > 2
(2) Mask output with $(r_b, r_c)$ that has uniform distribution
  • correctness and incompleteness are preserved
  • output $(y_a, y_b, y_c)$ becomes uniform sharing of y
(3) Chain this

But where does leftmost $(r_b, r_c)$ come from?


Attempt 1: injecting fresh randomness

[Figure: the row of three shared S-boxes with fresh $(r_b, r_c)$ fed in]

▶ $(r_b, r_c)$ are generated freshly every round
▶ For n-bit S-box, this requires 2n random bits per round
▶ Downsides:
  • real-world: requires random generation during operation
  • academic: no uniform sharing is obtained

[Bilgin, Daemen, Nikova, Nikov, Rijmen, Van Assche, CARDIS ’13]


Attempt 2: cycling randomness

[Figure: the row of three shared S-boxes with the output $(R_b, R_c)$ of the rightmost fed back as $(r_b, r_c)$ of the leftmost]

▶ S-boxes are arranged in a circle: $(r_b, r_c) = (R_b, R_c)$
▶ No more need for generating randomness during operation
▶ The remaining amount of non-uniformity is negligible
▶ Downsides:
  • real-world: hard to explain why that is the case …
  • academic: it is simply not uniform!

I presented this at [Shonan, Sep. ’14] [ESC, Jan. ’15] [TI Day, May ’15]


Attempt 3: recycling randomness

[Figure: the row of three shared S-boxes; guards $(r_b, r_c)$ enter at the left together with the input shares (a, b, c), guards $(R_b, R_c)$ leave at the right together with the output shares (A, B, C)]

▶ We make $(R_b, R_c)$ part of the shared state: the Guards
▶ input Guards $(r_b, r_c)$ are previous-round output Guards $(R_b, R_c)$
▶ Achieves uniformity if S-box is invertible
▶ Cost:
  • 4 additional XORs per native bit
  • shared state extended by 2n additional bits (for n-bit S-box)


Proof of uniformity

[Figure: same row of three shared S-boxes with guards $(r_b, r_c)$ in and $(R_b, R_c)$ out]

Computing (a, b, c) and $(r_b, r_c)$ from (A, B, C) and $(R_b, R_c)$:

▶ Initial step: $b_2 \leftarrow R_c$ and $c_2 \leftarrow R_b$
▶ Iteration: compute $(a_i, b_{i-1}, c_{i-1})$ from $(A_i, B_i, C_i)$ and $(b_i, c_i)$
  • $a_i = S^{-1}(A_i + B_i + C_i) + b_i + c_i$
  • $b_{i-1} = S_c(a_i, b_i) + C_i$
  • $c_{i-1} = S_b(c_i, a_i) + B_i$
▶ Final step: $r_b \leftarrow b_{-1}$ and $r_c \leftarrow c_{-1}$
▶ Invertibility implies uniformity: QED
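As an added example (not code from the talk or from the Keccak team), the following Python brute-forces the three threshold properties of χ′ from the slide "Back to χ′" and the guards construction of "Attempt 3" together with the decoding procedure of this proof slide. All function names are my own, and the way each guard share feeds the output shares of the next S-box is read off the decoding equations above, which is an assumption where the slides leave it implicit.

```python
# Added example, not code from the talk or from the Keccak team: brute-force checks of the
# three-share sharing chi' and of the guards construction, for tiny row lengths n.
from itertools import product

def chi(x, n):
    """chi on an n-bit row (tuple of bits): x_i <- x_i + (x_{i+1} + 1) x_{i+2}."""
    return tuple(x[i] ^ ((x[(i + 1) % n] ^ 1) & x[(i + 2) % n]) for i in range(n))

def share_fn(p, q, n):
    """One share function of chi': p_i + (p_{i+1}+1)p_{i+2} + p_{i+1}q_{i+2} + p_{i+2}q_{i+1}.
    It reads only shares p and q, which is what makes the sharing incomplete."""
    return tuple(p[i] ^ ((p[(i + 1) % n] ^ 1) & p[(i + 2) % n])
                 ^ (p[(i + 1) % n] & q[(i + 2) % n]) ^ (p[(i + 2) % n] & q[(i + 1) % n])
                 for i in range(n))

def chi_shared(a, b, c, n):
    """chi' as on the slides: A = S_a(b, c), B = S_b(c, a), C = S_c(a, b)."""
    return share_fn(b, c, n), share_fn(c, a, n), share_fn(a, b, n)

def xor(*rs):
    return tuple(sum(bits) & 1 for bits in zip(*rs))

def rows(n):
    return list(product((0, 1), repeat=n))

def chi_shared_is_correct(n):
    """Correctness: A + B + C == chi(a + b + c) for every input sharing."""
    return all(xor(*chi_shared(a, b, c, n)) == chi(xor(a, b, c), n)
               for a, b, c in product(rows(n), repeat=3))

def chi_shared_is_incomplete(n):
    """Incompleteness: replacing the share an output share must not read leaves it unchanged."""
    for a, b, c, d in product(rows(n), repeat=4):
        A, B, C = chi_shared(a, b, c, n)
        if (chi_shared(d, b, c, n)[0] != A or chi_shared(a, d, c, n)[1] != B
                or chi_shared(a, b, d, n)[2] != C):
            return False
    return True

def chi_shared_is_uniform(n):
    """chi is invertible, so chi' is uniform iff the 3n-bit shared map is a bijection."""
    images = {chi_shared(a, b, c, n) for a, b, c in product(rows(n), repeat=3)}
    return len(images) == 2 ** (3 * n)

def guarded_layer(shares, rb, rc, n):
    """Attempt 3 on a row of S-boxes S = chi: each guard share of S-box i-1 is added to two
    shares of S-box i; the output guards (Rb, Rc) are the swapped input shares of the last one."""
    prev_b, prev_c, out = rb, rc, []
    for a, b, c in shares:
        A, B, C = chi_shared(a, b, c, n)
        out.append((xor(A, prev_b, prev_c), xor(B, prev_c), xor(C, prev_b)))
        prev_b, prev_c = b, c
    return out, prev_c, prev_b

def chi_inverse(y, n):
    """Brute-force S^-1, fine for tiny n (real code uses a table or the known inverse of chi)."""
    return next(x for x in rows(n) if chi(x, n) == y)

def guarded_layer_inverse(out, Rb, Rc, n):
    """Decoding procedure of the proof slide: walk the S-boxes from last to first."""
    b, c = Rc, Rb                                    # initial step: b_m <- Rc, c_m <- Rb
    shares = [None] * len(out)
    for i in range(len(out) - 1, -1, -1):
        A, B, C = out[i]
        a = xor(chi_inverse(xor(A, B, C), n), b, c)   # a_i = S^-1(A_i+B_i+C_i) + b_i + c_i
        shares[i] = (a, b, c)
        b, c = xor(share_fn(a, b, n), C), xor(share_fn(c, a, n), B)  # (b_{i-1}, c_{i-1})
    return shares, b, c                              # final step: (rb, rc) = (b_{-1}, c_{-1})

def guards_are_uniform(n, m):
    """Exhaustive check that the guarded layer on m S-boxes is correct and invertible, hence uniform."""
    for v in product(rows(n), repeat=3 * m + 2):
        shares, rb, rc = [v[3 * i:3 * i + 3] for i in range(m)], v[-2], v[-1]
        out, Rb, Rc = guarded_layer(shares, rb, rc, n)
        if any(xor(*o) != chi(xor(*s), n) for o, s in zip(out, shares)):
            return False
        if guarded_layer_inverse(out, Rb, Rc, n) != (shares, rb, rc):
            return False
    return True
```

For n = 5 the unguarded χ′ fails the bijectivity test, which is the non-uniformity the talk refers to, while the guarded layer passes the exhaustive round-trip check for n = 3 with one S-box.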


Optimization for χ′

Multi-transformation property of χ′:

▶ Assume we know
  • bits of (a, b, c) with indices 0 and 1
  • bits of (A, B, C) with indices 2, 3, … m
▶ then we can compute bits of (a, b, c) with index m, m − 1, … 2

$A_m = b_m + (b_0 + 1)\,b_1 + b_0 c_1 + b_1 c_0$

$B_m = c_m + (c_0 + 1)\,c_1 + c_0 a_1 + c_1 a_0$

$C_m = a_m + (a_0 + 1)\,a_1 + a_0 b_1 + a_1 b_0$

▶ This allows us to
  • reduce output masking to bits with indices 0 and 1
  • shrink $r_b$ and $r_c$ to two bits each


Generalization for invertible n-bit S-box of degree d

▶ Guards: d shares of n bits
▶ each guard share of S-box i − 1 is added to 2 shares of S-box i
▶ Total cost (worst case)
  • feedforward: 2d XORs per native bit
  • state expansion by d × n bits
▶ Cost is reduced if shared S-box has multi-transformation property


Conclusions

▶ Solution for achieving uniformity for invertible S-box layers
  • only d + 1 shares for S-boxes of degree d
  • uniformity achieved outside the S-box
▶ Real-world relevance:
  • sharing χ′ (Keccak) made uniform at little overhead
▶ Academic relevance:
  • non-uniformity problem essentially solved
  • search multi-transformation sharing of low-degree S-boxes

Thanks for your attention! Q?