Changing of the Guards

Joan Daemen, CHES 2017, Taipei, September 26, 2017. Radboud University, STMicroelectronics. (1 / 18)

Disclaimer (2 / 18)
This is not a talk about higher-order countermeasures.

Iterative cryptographic permutation (3 / 18)

Three-stage round function: wide trail (4 / 18)

Nonlinear layer χ (5 / 18)
X[i] ^= (~X[i+1]) & X[i+2]
x_i ← x_i + (x_{i+1} + 1) x_{i+2}
▶ Invertible for odd length n
▶ Used in Ketje, Keyak, Keccak (n = 5), RadioGatun (n = 19), Panama (n = 17), BaseKing, 3-Way (n = 3), Subterranean, Cellhash (n = 257)
[Daemen, Govaerts, Vandewalle, WIC Benelux 1991]

Masking of χ as DPA/DEMA countermeasure (6 / 18)
x_0 ← x_0 + (x_1 + 1) x_2
a_i + b_i = x_i with a_i random
a_0 ← a_0 + (a_1 + 1) a_2 + a_1 b_2
b_0 ← b_0 + (b_1 + 1) b_2 + b_1 a_2
[Daemen, Peeters, Van Assche, FSE 2000]

χ′: a three-share masking of χ (7 / 18)
x_0 ← x_0 + (x_1 + 1) x_2
a_i + b_i + c_i = x_i with a_i and b_i random
a_0 ← b_0 + (b_1 + 1) b_2 + b_1 c_2 + b_2 c_1
b_0 ← c_0 + (c_1 + 1) c_2 + c_1 a_2 + c_2 a_1
c_0 ← a_0 + (a_1 + 1) a_2 + a_1 b_2 + a_2 b_1
[Bertoni, Daemen, Peeters, Van Assche, 2nd SHA-3, 2010]

Threshold masking schemes [Nikova, Rijmen, Rechberger, Schläffer, '06 - '08] (8 / 18)
[Figure: x = x_a + x_b + x_c → f = (f_a, f_b, f_c) → y = y_a + y_b + y_c]
Scheme at the right computes f securely against 1st order DPA if:
▶ (f_a, f_b, f_c) is a correct sharing of f
▶ (f_a, f_b, f_c) is incomplete: requires # shares ≥ d + 1
▶ (x_a, x_b, x_c) is a uniform sharing of x:
  • all values (x_a, x_b, x_c) with x_a + x_b + x_c = x equiprobable
  • x = 0: (x_a, x_b, x_c) ∈ {(0, 0, 0), (1, 1, 0), (1, 0, 1), (0, 1, 1)}
  • x = 1: (x_a, x_b, x_c) ∈ {(1, 1, 1), (0, 0, 1), (0, 1, 0), (1, 0, 0)}

Uniformity of a threshold masking scheme (9 / 18)
[Figure: x = (x_a, x_b, x_c) → f = (f_a, f_b, f_c) → y = (y_a, y_b, y_c) → f = (f_a, f_b, f_c) → z = (z_a, z_b, z_c)]
▶ Sharing (f_a, f_b, f_c) of f is called uniform if it preserves uniformity
▶ If f is invertible, for (f_a, f_b, f_c) uniformity = invertibility

Back to χ′ (10 / 18)
a_0 ← b_0 + (b_1 + 1) b_2 + b_1 c_2 + b_2 c_1
b_0 ← c_0 + (c_1 + 1) c_2 + c_1 a_2 + c_2 a_1
c_0 ← a_0 + (a_1 + 1) a_2 + a_1 b_2 + a_2 b_1
Is this a secure threshold masking scheme of χ?
▶ Correct? Yes!
▶ Incomplete? Yes!
▶ Uniform? Yes! …but wait …we may have a problem here: it isn't.
In general, for many S-boxes:
▶ no uniform d + 1-share threshold schemes are known
▶ it is an active research area to find the best compromise
