Masking vs. Multiparty Computation: How Large is the Gap for AES?
Vincent Grosso¹, François-Xavier Standaert¹, Sebastian Faust².
¹ ICTEAM/ELEN/Crypto Group, Université catholique de Louvain, Belgium.
² École Polytechnique Fédérale de Lausanne, 1015 Lausanne, Switzerland.
CHES 2013, Santa Barbara, California, USA.
UCL Crypto Group, UCL/ICTEAM/ELEN
Masking vs. Multiparty Computation 1 / 29
Secret Sharing
P( | )=P( )
Masking ≃ Computing on Shared Values
Traces contain information plus some noise.
Unprotected device: the leakage of 1 share is needed to mount an attack.
Protected device with 2 shares: ideally the leakage of 2 shares is needed to mount an attack.
Protected device with 3 shares: ideally the leakage of 3 shares is needed to mount an attack.
Masking order: minimal number of shares of which the leakage has to be exploited minus 1.
Intuition
We have to combine leakage of shares ⇒ multiplication noise.
The data complexity of attacks against masking is ideally (≃ independent leakages) exponential in the masking order with noise as a basis.
Masking Schemes
▸ Re-computation
▸ Additive
▸ Multiplicative
▸ Affine
▸ Polynomial/MPC
▸ Threshold
Masking Schemes
▸ Re-computation: not higher-order
▸ Boolean
  ◦ Rivain Prouff’10 secure multiplication
  ◦ Kim Hong Lim’11 subfield
▸ Switch
  ◦ Genelle Prouff Quisquater’11
▸ Affine: not higher-order
▸ Polynomial/MPC
  ◦ Prouff Roche’11
▸ Threshold: not higher-order
Pros and Cons
▸ Masking (RP’10, KHL’11, GPQ’11):
Pros:
◦ efficiency
◦ well studied
Cons:
◦ sensitive to glitches
▸ MPC (PR’11):
Pros:
◦ leaks less information
◦ glitch-resistance (independent leakage)
◦ error detection?
Cons:
◦ more expensive in time
◦ more expensive in memory
◦ not clear how much
Contribution
1. What is the cost for each scheme? Unified comparison of existing schemes.
2. Can we improve the MPC technique? Packed secret sharing.
3. How good must the randomness be? Requirements and impact on efficiency.
Methodology
▸ Target device: ATMEGA644p
▸ Generic description in C, compiled with avr-gcc
▸ Supported by assembly subroutines
▸ Maximum overhead: < 2× compared to previous work
▸ Sufficient to obtain an idea of the efficiency of each scheme
Outline
1. Unified comparison of existing schemes
2. Efficiency improvement with packed secret sharing
3. Randomness requirements and impact on efficiency of masking schemes
Existing Schemes
[Figure: number of cycles (·10⁶, 2 to 8) versus masking order (2 to 6) for GPQ’11, RP’10, KHL’11 and PR’11.]
GPQ’11: The most efficient masking scheme for AES, since multiplicative and linear parts are well separated.
RP’10: secure multiplication with quadratic cost.
KHL’11: improvement of RP’10 by using subfield, secure multiplication with quadratic cost.
PR’11: glitches-free solution, secure multiplication with cubic cost.
Polynomial Sharing
$P(X) = S + r_1 X + \dots + r_d X^d$
$r_i$ random values.
$S = P(0)$.
Shares: $P(t_i)$.
Interpolation
[Figure: plot of $-1x^2 - 3x + 5$ for x from −5 to 5.]
d + 1 points are sufficient to recover the polynomial.
Addition
[Figure: plots of $-1x^2 - 3x + 5$ and $2x^2 + 3x - 4$, then of $1x^2 + 0x + 1$, for x from −5 to 5.]
The sum of each couple of shares (located on the same point) is sufficient to sum the secrets.
Multiplication
[Figure: plot of $2x^4 - 3x^3 - 3x^2 + 3x - 20$ for x from −5 to 2.]
To recover the secret we need 2d + 1 points, since the degree of the polynomial product is 2d.
[Figure: plot of $5x^2 + 2x - 20$ for x from −5 to 2.]
And a secure way to reduce the degree of the polynomial.
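Polynomial sharing, share-wise addition and share-wise multiplication from the slides above, as an added example in C over the AES field GF(2^8) (not code from the original slides or from the schemes they cite). The evaluation points, the fixed "random" coefficients and all function names are assumptions chosen for reproducibility; a real implementation draws the r_i uniformly, and this sketch shows the algebra only and is not hardened against side channels or glitches.

```c
#include <stdint.h>
#include <stdio.h>

/* Multiplication in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1.
 * Addition in this field is XOR. */
static uint8_t gf_mul(uint8_t a, uint8_t b)
{
    uint8_t r = 0;
    while (b) {
        if (b & 1) r ^= a;
        a = (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1B : 0x00));
        b >>= 1;
    }
    return r;
}

/* Inverse as a^254 (square-and-multiply); only called with a != 0 here. */
static uint8_t gf_inv(uint8_t a)
{
    uint8_t r = 1;
    for (int e = 254; e; e >>= 1) {
        if (e & 1) r = gf_mul(r, a);
        a = gf_mul(a, a);
    }
    return r;
}

/* Shares P(t_i) of P(X) = secret + r[0] X + ... + r[d-1] X^d (Horner). */
static void ps_share(uint8_t secret, const uint8_t *r, int d,
                     const uint8_t *pts, int n, uint8_t *out)
{
    for (int i = 0; i < n; i++) {
        uint8_t y = 0;
        for (int k = d - 1; k >= 0; k--)
            y = gf_mul((uint8_t)(y ^ r[k]), pts[i]);
        out[i] = (uint8_t)(y ^ secret);
    }
}

/* Lagrange interpolation at X = 0 from the first n shares:
 * S = sum_i y_i * prod_{j != i} t_j / (t_i + t_j). */
static uint8_t ps_reconstruct(const uint8_t *pts, const uint8_t *sh, int n)
{
    uint8_t s = 0;
    for (int i = 0; i < n; i++) {
        uint8_t num = 1, den = 1;
        for (int j = 0; j < n; j++) {
            if (j == i) continue;
            num = gf_mul(num, pts[j]);
            den = gf_mul(den, (uint8_t)(pts[i] ^ pts[j]));
        }
        s ^= gf_mul(sh[i], gf_mul(num, gf_inv(den)));
    }
    return s;
}

#define D 2              /* masking order = degree of the sharing polynomial */
#define N (2 * D + 1)    /* shares needed once two sharings are multiplied   */

/* Constructed public points and constructed "random" coefficients. */
static const uint8_t PTS[N] = {1, 2, 3, 4, 5};
static const uint8_t RA[D]  = {0x53, 0x02};
static const uint8_t RB[D]  = {0x03, 0xCA};

/* Share a and b, combine share-wise (op 0: addition, op 1: multiplication)
 * and reconstruct the result from the first npts shares. */
static uint8_t demo(uint8_t a, uint8_t b, int op, int npts)
{
    uint8_t sa[N], sb[N], sc[N];
    ps_share(a, RA, D, PTS, N, sa);
    ps_share(b, RB, D, PTS, N, sb);
    for (int i = 0; i < N; i++)
        sc[i] = op ? gf_mul(sa[i], sb[i]) : (uint8_t)(sa[i] ^ sb[i]);
    return ps_reconstruct(PTS, sc, npts);
}

int main(void)
{
    uint8_t a = 0x57, b = 0x83;   /* constructed secrets */
    printf("a+b from d+1 shares : %02x (secret sum     %02x)\n",
           (unsigned)demo(a, b, 0, D + 1), (unsigned)(a ^ b));
    printf("a*b from 2d+1 shares: %02x (secret product %02x)\n",
           (unsigned)demo(a, b, 1, N), (unsigned)gf_mul(a, b));
    printf("a*b from d+1 shares : %02x (too few points for degree 2d)\n",
           (unsigned)demo(a, b, 1, D + 1));
    return 0;
}
```

The third line of output differs from the true product because the share-wise product lies on a polynomial of degree 2d; the degree-reduction step mentioned on the slide is not implemented here.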
Motivation
▸ 2d + 1 points of the polynomial are used for the shares, 1 point is used for the secret, all others are unused.
▸ Hide several, say t, secrets in the polynomial and have 2(d + t) − 1 shares and keep the d-order masking.
▸ Secrets are hidden in different locations.
Packed Secret Polynomial
[Figure: packed secret polynomial, plotted for x from −5 to 3.]
Intuition
Perform the computation on the secrets in “parallel” rather than sequentially.
Let t be the number of secrets, packed secret sharing is interesting when:
Cost(t packed) < t × Cost(single secret)
Let d be the masking order and the cost of the algorithm be quadratic in the number of shares.
$(t + d)^2 < t \times (d + 1)^2$
Example: Fixed Masking Order, d = 4
[Figure: cost versus number of secrets (1 to 16), comparing Cost(t packed) with t × Cost(single secret).]
For any fixed masking order, there exists an interval of number of secrets for which packing is interesting.
Example: Fixed Number of Secrets, t = 4
[Figure: cost versus masking order (1 to 16), comparing Cost(t packed) with t × Cost(single secret).]
For any fixed number of secrets, the bigger the masking order is, the more interesting is the packing technique.
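Solving the inequality $(t + d)^2 < t \times (d + 1)^2$ from the Intuition slide for t makes both observations explicit (an added derivation, not part of the original slides; it uses only the quadratic cost model stated there):

$$
\begin{aligned}
(t + d)^2 &< t \times (d + 1)^2 \\
t^2 + 2dt + d^2 &< td^2 + 2dt + t \\
t^2 - (d^2 + 1)\,t + d^2 &< 0 \\
(t - 1)(t - d^2) &< 0 \\
1 < t &< d^2
\end{aligned}
$$

For d = 4 packing is cheaper for 2 ≤ t ≤ 15, and for t = 4 it is cheaper as soon as d² > 4, that is for d ≥ 3.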
Issues
▸ PR’11 multiplication is not suitable for packing, use Damgård et al. multiplication
▸ ShiftRows: how to move location of secrets
▸ MixColumns: how to combine sensitive values hidden in the same polynomial
Switch
▸ Solution: switch between packed and single secret polynomials
▸ Packed polynomials for the inversion
▸ Single secret polynomials for the linear parts
Packed Secrets Sharing vs. Single Secret
[Figure: number of cycles (·10⁶, 0 to 40) versus masking order (2 to 12) for PR’11, Damgård, Packed 2, Packed 4, Packed 8, Packed 16 and Best packed.]
PR’11: cubic complexity.
The new multiplication method has quadratic complexity.
Packing is shown for numbers of secrets that divide 16. As expected, the best t depends on d.
The minimum over the packed variants has quasi-linear complexity.
The curves cross around 10, unrealistic for contemporary devices.
Motivation
▸ In the previous experiment, we considered a “free” random generator.
▸ Proof of security requires uniform randomness.
▸ In embedded systems, uniform randomness is expensive.
Intuition
What happens when using non-uniform randomness?
▸ Predictable randomness, such as a counter: the consequence of such an imperfection is that, for low noise levels, all the masks will be recovered with probability one.
▸ Slightly biased randomness: such biases directly create a lower-order weakness.
⇒ Compute mutual information between subkey and leakage.
Non Uniform Randomness
Black curve: unprotected case; blue curve: curve expected from first-order masking.
Red curve: predictable case; combined attacks: reduce the noise, recover the mask values; similar to unprotected.
Green curves: biased generator; first-order leaks, like the zero-value issue.
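The biased-generator case above, as an added example (not from the original slides): for first-order Boolean masking with shares (s ⊕ m, m), it compares the mean leakage of the single share s ⊕ m under a uniform and a biased mask generator. The noise-free Hamming-weight leakage model, the 5/8 bias and all function names are assumptions, and the mean is used as a simpler first-order statistic than the mutual information the slides compute.

```c
#include <stdint.h>
#include <stdio.h>

/* Hamming weight of a byte: the assumed noise-free leakage of one share. */
static int hw8(uint8_t v)
{
    int n = 0;
    for (; v; v >>= 1) n += v & 1;
    return n;
}

/* A mask generator is described by integer weights w[m] proportional to
 * Pr[mask = m]. Both tables below sum to 1024, so results are comparable. */
static void weights_uniform(unsigned w[256])
{
    for (int m = 0; m < 256; m++) w[m] = 4;
}

/* Constructed bias: the low mask bit is 1 with probability 5/8, not 1/2. */
static void weights_biased(unsigned w[256])
{
    for (int m = 0; m < 256; m++) w[m] = (m & 1) ? 5 : 3;
}

/* 1024 * E[HW(s ^ m)]: scaled mean leakage of the masked share for secret s. */
static unsigned mean_leak_x1024(uint8_t s, const unsigned w[256])
{
    unsigned acc = 0;
    for (int m = 0; m < 256; m++)
        acc += w[m] * (unsigned)hw8((uint8_t)(s ^ m));
    return acc;
}

/* Largest difference of the scaled mean over all 256 secrets. A value of 0
 * means the mean of one share's leakage carries no information on s;
 * anything else is a first-order dependence on the secret. */
static unsigned first_order_spread(const unsigned w[256])
{
    unsigned lo = ~0u, hi = 0;
    for (int s = 0; s < 256; s++) {
        unsigned v = mean_leak_x1024((uint8_t)s, w);
        if (v < lo) lo = v;
        if (v > hi) hi = v;
    }
    return hi - lo;
}

static unsigned spread_uniform(void)
{
    unsigned w[256];
    weights_uniform(w);
    return first_order_spread(w);
}

static unsigned spread_biased(void)
{
    unsigned w[256];
    weights_biased(w);
    return first_order_spread(w);
}

int main(void)
{
    printf("uniform masks: spread of mean leakage = %u/1024\n", spread_uniform());
    printf("biased masks : spread of mean leakage = %u/1024\n", spread_biased());
    return 0;
}
```

With the biased table the mean of a single share already separates secrets by their low bit, which is the lower-order weakness the slide describes.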
Cost for the Implementation?
▸ How to produce uniform random values:
  ◦ wait for values from a TRNG
  ◦ few rounds of a good permutation
  ◦ hash function
  ◦ . . .
▸ Cost: around 10 clock cycles per random byte.
Randomness Impact
[Figure: number of cycles (·10^6) versus masking order, with curves for RP’10, GPQ’11 and KHL’11.]
The order of the schemes does not change. We just add a little overhead on performance (< 5/4).
[Figure: number of cycles (·10^6) versus masking order, with curves for RP’10, GPQ’11, KHL’11 and Damgård.]
MPC stays far from masking, even with quadratic multiplication.
[Figure: number of cycles (·10^6) versus masking order, with curves for RP’10, GPQ’11, KHL’11, Damgård and Best packed.]
The packed technique is interesting shortly after. This is due to the switch between packed and single-secret polynomials, which uses a lot of randomness.
Conclusion
▸ Unified comparison of masking schemes ⇒ allows designers to choose a scheme according to security and performance.
▸ Packing technique theoretically interesting, but concrete gains only appear for large orders (maybe interesting in the longer term).
▸ Randomness is not the most expensive part of a masked implementation, but is not negligible.