Changing of the Guards: A Simple and Efficient Method for Achieving Uniformity in Threshold Sharing

Since they were first proposed as a countermeasure against differential power analysis (DPA) and differential electromagnetic analysis (DEMA) in 2006, threshold schemes have attracted a lot of attention from the community concentrating on cryptographic im

  • PDF / 823,825 Bytes
  • 17 Pages / 439.37 x 666.142 pts Page_size
  • 65 Downloads / 217 Views

DOWNLOAD

REPORT

Radboud University, Nijmegen, The Netherlands [email protected] 2 STMicroelectronics, Diegem, Belgium

Abstract. Since they were first proposed as a countermeasure against differential power analysis (DPA) and differential electromagnetic analysis (DEMA) in 2006, threshold schemes have attracted a lot of attention from the community concentrating on cryptographic implementations. What makes threshold schemes so attractive from an academic point of view is that they come with an information-theoretic proof of resistance against a specific subset of side-channel attacks: first-order DPA. From an industrial point of view they are attractive as a careful threshold implementation forces adversaries to DPA of higher order, with all its problems such as noise amplification. A threshold scheme that offers the mentioned provable security must exhibit three properties: correctness, incompleteness and uniformity. A threshold scheme becomes more expensive with the number of shares that must be implemented and the required number of shares is lower bound by the algebraic degree of the function being shared plus 1. Defining a correct and incomplete sharing of a function of degree d in d + 1 shares is straightforward. However, up to now there is no generic method to achieve uniformity and finding uniform sharings of degree-d functions with d + 1 shares has been an active research area. In this paper we present a generic, simple and potentially cheap method to find a correct, incomplete and uniform d + 1-share threshold scheme of any S-box layer consisting of degree-d invertible S-boxes. The uniformity is not implemented in the sharings of the individual S-boxes but rather at the S-box layer level by the use of feedforward and some expansion of shares. When applied to the Keccak-p nonlinear step χ, its cost is very small. Keywords: Side-channel attacks Keccak

1

·

Threshold schemes

·

Uniformity

·

Introduction

Systems such as digital rights management (DRM) or banking cards try to offer protection against adversaries that have physical access to platforms performing cryptographic computations, allowing them to measure computation time, power c International Association for Cryptologic Research 2017  W. Fischer and N. Homma (Eds.): CHES 2017, LNCS 10529, pp. 137–153, 2017. DOI: 10.1007/978-3-319-66787-4 7

138

J. Daemen

consumption or electromagnetic radiation. Adversaries can use this side channel information to retrieve cryptographic keys. A particularly powerful attack against implementations of cryptographic algorithms is differential power analysis (DPA) introduced by Kocher et al. [20]. This attack can exploit even the weakest dependence of the power consumption (or electromagnetic radiation) on the value of the manipulated data by combining the measurements of many computations to improve the signal-to-noise ratio. The simplest form of DPA is first-order DPA, that exploits the correlation between the data and the power consumption. To make side channel attacks impractical, system builders implement countermeasures, often mul

Data Loading...

Recommend Documents
A simple method for the manufacture of mesoscopic metal wires

193 56 129KB

Optimal Threshold Changeable Secret Sharing with New Threshold Change Range

193 6 12MB

A simple method for evaluating cemented carbides

245 79 702KB

A Simple and Efficient Method for Quantitative Synthesis of Cu (II) Complexes in Presence of SiO 2 : Structure Elucidati

132 32 2MB

Simple and Efficient Tracking Differentiator

181 68 4MB

A simple efficient method for solving sixth-order nonlinear boundary value problems

146 69 514KB

Practical Threshold Password-Authenticated Secret Sharing Protocol

174 85 434KB

Threshold Secret Sharing Requires a Linear Size Alphabet

146 10 262KB

Efficient Forward-Secure Threshold Signatures

182 57 13MB

Correction to: Simple and efficient pose-based gait recognition method for challenging environments

158 74 339KB

Threshold Accepting Method

161 110 239KB

The Threshold for the Efficient Scale of Vietnamese Commercial Banks: A Study Based on Bayesian Model

158 85 13MB