shuffle and mix: on the diffusion of randomness in ti of keccak · 2019-04-08 · shuffle and mix:...
TRANSCRIPT
Shuffle and Mix: On the Diffusion of Randomness in TI of Keccak
COSADE 2019, Darmstadt
Felix Wegener, Christian Baiker, Amir Moradi
Ruhr University Bochum, Horst Görtz Institute for IT-Security, Germany
Motivation
[Figure: MAC with key 𝐾 and input 𝑚𝑠𝑔, output 𝑚𝑎𝑐 = 𝐻(𝐾||𝑚𝑠𝑔), and 𝑙(𝑚𝑠𝑔, 𝐾)]
Countermeasures
• Masking: Make intermediate value independent of secret
• Hiding: Lower SNR
Masking
Boolean Masking
• Core Idea: Secret 𝑥 → multiple shares X = (𝑎, 𝑏, 𝑐): 𝑥 = 𝑎 ⊕ 𝑏 ⊕ 𝑐
• Problem: How to compute a function 𝑓 on shared values?
• In Hardware: Even more difficult due to glitches
Solution: Threshold Implementations
Threshold Implementations
Three properties for first-order secure computations
• Correctness: (𝐴, 𝐵, 𝐶) = 𝐹(𝑎, 𝑏, 𝑐), 𝑓(𝑥) = 𝐴 ⊕ 𝐵 ⊕ 𝐶
• Non-completeness
• Uniformity
[Figure: input shares 𝑎, 𝑏, 𝑐; component functions $F_A$, $F_B$, $F_C$; output shares 𝐴, 𝐵, 𝐶. Second panel: # masks of 𝑥 and of 𝑓(𝑥) under 𝐹]
Nikova, Rechberger, Rijmen. Threshold Implementations Against Side-Channel Attacks and Glitches, ICICS 2006
Why Uniformity?
• Locally:
  Theorem: If 𝐹 is
  • correct
  • non-complete
  • Input is masked uniformly
  Then: Evaluation is first-order secure
  Uniform output not needed
• Globally: Iterated Round-function 𝐹
  Uniform output needed
Keccak
Keccak
• Sponge-based hash function
• SHA3 in 2015
Keccak-f[b]:
• $b = 25 \cdot 2^l$, $l = 0, \dots, 6$
• $n_r = 12 + 2l$
• $R = \iota \circ \chi \circ \pi \circ \rho \circ \theta$
Here: Keccak-f[200], 18 rounds
Bertoni et al. Cryptographic Sponge Functions. Keccak.team
How to mask Keccak-f?
Linear Layer
[Figure: 𝜃, 𝜌, 𝜋, 𝜄]
Use linearity: $L(x_1 \oplus x_2 \oplus x_3) = L(x_1) \oplus L(x_2) \oplus L(x_3)$
Replication without modification
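Non-linear Layer: 𝜒
One coordinate function:
$y_0 = x_0 \oplus [(1 \oplus x_1) \wedge x_2] = x_0 \oplus (x_1 \wedge x_2) \oplus x_2$
Direct Sharing of 𝜒:
$A_i = b_i \oplus (b_{i+1} \wedge b_{i+2}) \oplus (b_{i+1} \wedge c_{i+2}) \oplus (c_{i+1} \wedge b_{i+2}) \oplus b_{i+2}$
$B_i = c_i \oplus (c_{i+1} \wedge c_{i+2}) \oplus (c_{i+1} \wedge a_{i+2}) \oplus (a_{i+1} \wedge c_{i+2}) \oplus c_{i+2}$
$C_i = a_i \oplus (a_{i+1} \wedge a_{i+2}) \oplus (a_{i+1} \wedge b_{i+2}) \oplus (b_{i+1} \wedge a_{i+2}) \oplus a_{i+2}$
Bertoni, Daemen, Peeters, Van Assche: Keccak. EUROCRYPT 2013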
• Non-complete ✔
• NOT Uniform ✖ (Partially Uniform)
Non-linear Layer
[Figure: 𝜒′ with input shares 𝑎, 𝑏, 𝑐 and output shares 𝐴, 𝐵, 𝐶]
• 1 single bit: uniform
• 2 bits: jointly uniform
• 3 bits: jointly uniform
• 4 bits: not jointly uniform
• 2 out of 5 bits not jointly uniform*
*Bilgin et al. Efficient and First-Order DPA Resistant Implementations of Keccak, CARDIS 2013
Fixing Non-Uniformity
• Refresh with 4 bits of fresh randomness*
• Changing of the Guards**
• Use 4 shares*
[Figures: 𝜒′ on shares 𝑎, 𝑏, 𝑐 → 𝐴, 𝐵, 𝐶 with 𝑟0, 𝑟1; 𝜒′′ on shares 𝑎, 𝑏, 𝑐, 𝑑 → 𝐴, 𝐵, 𝐶, 𝐷]
This Work: Don't fix it. Consequences?
*Bilgin et al. Efficient and First-Order DPA Resistant Implementations of Keccak, CARDIS 2013
**Daemen. Changing of the Guards: A Simple and Efficient Method for Achieving Uniformity in Threshold Sharings. CHES 2017
Hardware Target
Hardware Architecture
How many parallel S-boxes?
[Figure: arrays of parallel 𝜒′ instances for three architectures: Serialized, Slice-based, Round-based]
Hardware Architecture
• Slice-Serial: 5 parallel 𝜒 evaluations
• Special treatment: 𝜃 applied to slice 0
Bilgin et al. Efficient and First-Order DPA Resistant Implementations of Keccak, CARDIS 2013
Leakage Evaluation
SCA-Measurements
Measurement Setup:
– SAKURA-G board @ 1.5 MHz
– Picoscope 6402 @ 625 MS/s
– Amplifier: ZFL-100LN+ (Mini-Circuits)
Evaluation methodology:
– Non-specific t-test "fixed vs. random"
  • over entire 200-bit state
  • with 100 million traces
– Each trace: entire last round
Schneider, Moradi. Leakage Assessment Methodology - a clear roadmap for side-channel evaluations, CHES 2015
18 Rounds of Keccak
[Figures: 1st, 2nd and 3rd order over time; 1st order over traces]
Works fine. More rounds?
1800 Rounds of Keccak
[Figures: 1st, 2nd and 3rd order over time; 1st order over traces]
Origin of entropy?
Source of Diffusion: Linear Layer
[Figure: 𝜒′ instances connected through the linear layer 𝐿]
Experiment: Remove Linear Layer
[Figure: 𝜒′ instances without the linear layer 𝐿]
Simulation Part I
• Compute one instance of 𝜒′ on all $2^{15}$ inputs
• Feed outputs back into it
• Stop when plateau reached
Result: [Figure]
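The simulation outlined in these three steps, written out as an added example (not the authors' code): it implements the direct 3-share sharing of 𝜒 from the earlier slide on one 5-bit row, checks correctness and non-completeness, and pushes the uniform distribution over all 2^15 sharings through it until the support stops shrinking. Feeding output shares (A, B, C) back as inputs (a, b, c) and reporting Shannon entropy are assumptions; the slides state neither.

```python
"""Iterating an unrefreshed 3-share chi' row (added example)."""
import math

ROW = 5                      # chi acts on 5-bit rows
MASK = (1 << ROW) - 1
N_STATES = 1 << (3 * ROW)    # 2^15 possible (a, b, c) share triples


def rot(x, k):
    """Bit i of the result is bit (i + k) mod 5 of x."""
    return ((x >> k) | (x << (ROW - k))) & MASK


def chi(x):
    """Unshared chi: y_i = x_i ^ ((1 ^ x_{i+1}) & x_{i+2})."""
    return x ^ (~rot(x, 1) & rot(x, 2) & MASK)


def chi_shared(a, b, c):
    """Direct sharing of chi, term by term as on the slide."""
    a1, a2 = rot(a, 1), rot(a, 2)
    b1, b2 = rot(b, 1), rot(b, 2)
    c1, c2 = rot(c, 1), rot(c, 2)
    A = b ^ (b1 & b2) ^ (b1 & c2) ^ (c1 & b2) ^ b2   # never reads share a
    B = c ^ (c1 & c2) ^ (c1 & a2) ^ (a1 & c2) ^ c2   # never reads share b
    C = a ^ (a1 & a2) ^ (a1 & b2) ^ (b1 & a2) ^ a2   # never reads share c
    return A, B, C


def pack(a, b, c):
    return a | (b << ROW) | (c << (2 * ROW))


def unpack(s):
    return s & MASK, (s >> ROW) & MASK, (s >> (2 * ROW)) & MASK


def is_correct():
    """A ^ B ^ C must equal chi(a ^ b ^ c) for every sharing."""
    for s in range(N_STATES):
        a, b, c = unpack(s)
        A, B, C = chi_shared(a, b, c)
        if A ^ B ^ C != chi(a ^ b ^ c):
            return False
    return True


def is_non_complete():
    """Each output share must be unchanged when one input share is zeroed."""
    for s in range(N_STATES):
        a, b, c = unpack(s)
        A, B, C = chi_shared(a, b, c)
        if (A != chi_shared(0, b, c)[0] or B != chi_shared(a, 0, c)[1]
                or C != chi_shared(a, b, 0)[2]):
            return False
    return True


def entropy_bits(counts):
    total = sum(counts)
    return -sum(n / total * math.log2(n / total) for n in counts if n)


def iterate_until_plateau():
    """Return [(support size, entropy in bits)], entry k describing the
    distribution of sharings after k applications of chi' to a uniform input.
    Stops at the first application that no longer shrinks the support; from
    there chi' only permutes the remaining sharings."""
    table = [pack(*chi_shared(*unpack(s))) for s in range(N_STATES)]
    counts = [1] * N_STATES
    history = [(N_STATES, entropy_bits(counts))]
    while True:
        nxt = [0] * N_STATES
        for s, n in enumerate(counts):
            if n:
                nxt[table[s]] += n
        counts = nxt
        support = sum(1 for n in counts if n)
        history.append((support, entropy_bits(counts)))
        if support == history[-2][0]:
            return history


if __name__ == "__main__":
    print("correct:", is_correct(), "| non-complete:", is_non_complete())
    for k, (support, h) in enumerate(iterate_until_plateau()):
        print(f"after {k:3d} applications: {support:5d} sharings reachable, "
              f"{h:.4f} bits of entropy")
```

Because 𝜒 is a permutation of the 5-bit row, the sharing is uniform exactly when the 15-bit map is a permutation, so any drop in support after the first application is the non-uniformity the slides refer to.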
18 Rounds of 𝜒′
[Figures: 1st, 2nd and 3rd order over time; 1st order over traces]
How much diffusion is needed?
Linear Layer: Shuffling and Mixing
𝜌, 𝜋: shuffling
𝜃: mixing
𝜄: round constant
Bertoni et al. The Keccak Reference
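The split named on this slide, 𝜌 and 𝜋 as shuffling and 𝜃 as mixing, can be checked directly on the Keccak-f[200] linear layer. The Python sketch below is an added illustration, not code from the talk; it follows the step definitions of the Keccak reference, and the helper names (`diffusion_profile`, `weight`) are chosen here.

```python
W = 8                      # lane width of Keccak-f[200]: 5 x 5 lanes of 8 bits
MASK = (1 << W) - 1

def rol(lane, n):
    n %= W
    return ((lane << n) | (lane >> (W - n))) & MASK

def theta(A):
    """Mixing: XOR two column parities into every bit (state indexed A[x][y])."""
    C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]
    D = [C[(x - 1) % 5] ^ rol(C[(x + 1) % 5], 1) for x in range(5)]
    return [[A[x][y] ^ D[x] for y in range(5)] for x in range(5)]

def rho_offsets():
    """Rotation offsets generated as in the Keccak reference, reduced mod W."""
    r = [[0] * 5 for _ in range(5)]
    x, y = 1, 0
    for t in range(24):
        r[x][y] = ((t + 1) * (t + 2) // 2) % W
        x, y = y, (2 * x + 3 * y) % 5
    return r

def rho(A):
    """Shuffling inside each lane: rotate lane (x, y) by its offset."""
    r = rho_offsets()
    return [[rol(A[x][y], r[x][y]) for y in range(5)] for x in range(5)]

def pi(A):
    """Shuffling between lanes: lane (x, y) moves to (y, 2x + 3y)."""
    B = [[0] * 5 for _ in range(5)]
    for x in range(5):
        for y in range(5):
            B[y][(2 * x + 3 * y) % 5] = A[x][y]
    return B

def weight(A):
    return sum(bin(lane).count("1") for column in A for lane in column)

def diffusion_profile():
    """Output weights of a one-bit input difference, over all 200 positions.
    All three layers are linear, so a one-bit state behaves like a one-bit difference."""
    layers = {"theta": theta, "rho": rho, "pi": pi,
              "pi(rho(theta))": lambda A: pi(rho(theta(A)))}
    profile = {name: set() for name in layers}
    for x in range(5):
        for y in range(5):
            for z in range(W):
                A = [[0] * 5 for _ in range(5)]
                A[x][y] = 1 << z
                for name, layer in layers.items():
                    profile[name].add(weight(layer(A)))
    return profile
```

A one-bit difference stays one bit under 𝜌 and 𝜋 (it only moves), while 𝜃 always spreads it to 11 bits: the bit itself plus two full columns.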
Simulation Part II
How to simulate entropy of masked Keccak-f[200]?
Exhaustive Testing: 2^600 states - impossible
Sampling: "fixed vs. random" without power model
Group 0: all zero plaintext (masks, 𝑠𝑒𝑐𝑟𝑒𝑡 = 0)
Group 1: random plaintext (masks, 𝑠𝑒𝑐𝑟𝑒𝑡 = rand)
Compare distribution: 𝜒² test
De Meyer, Bilgin, Reparaz. Consolidating Security Notions in Hardware Masking.
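The fixed-vs-random sampling with a 𝜒² test described on these slides can be tried on a toy target. The Python sketch below is an added example, not the authors' simulator: it observes a single 4-bit Boolean share instead of the masked Keccak-f[200] state, and the biased mask source is a constructed stand-in for a faulty RNG.

```python
import random
from collections import Counter

NBITS = 4  # toy share width (assumption; the talk targets Keccak-f[200])

def uniform_mask(rng):
    return rng.getrandbits(NBITS)

def biased_mask(rng):
    # Constructed faulty RNG: each mask bit is 1 with probability 1/4.
    return rng.getrandbits(NBITS) & rng.getrandbits(NBITS)

def observe(secret, mask_source, rng):
    """Simulated observation: one Boolean share, secret XOR mask (no power model)."""
    return secret ^ mask_source(rng)

def collect(mask_source, n, seed):
    """Histograms of observations: group 0 has secret = 0, group 1 a random secret."""
    rng = random.Random(seed)
    g0 = Counter(observe(0, mask_source, rng) for _ in range(n))
    g1 = Counter(observe(rng.getrandbits(NBITS), mask_source, rng) for _ in range(n))
    return g0, g1

def chi2_two_sample(g0, g1):
    """Pearson chi-squared statistic and degrees of freedom of the 2 x k table."""
    n0, n1 = sum(g0.values()), sum(g1.values())
    bins = sorted(set(g0) | set(g1))
    stat = 0.0
    for b in bins:
        col = g0[b] + g1[b]
        for obs, row in ((g0[b], n0), (g1[b], n1)):
            expected = row * col / (n0 + n1)
            stat += (obs - expected) ** 2 / expected
    return stat, len(bins) - 1

CRITICAL_DOF15 = 37.70  # chi-squared critical value for 15 dof at alpha = 0.001

def leaks(mask_source, n=20000, seed=1):
    """True if the two groups' distributions differ detectably."""
    stat, dof = chi2_two_sample(*collect(mask_source, n, seed))
    assert dof == 15, "critical value above only applies to 16 populated bins"
    return stat > CRITICAL_DOF15

if __name__ == "__main__":
    print("uniform masks leak:", leaks(uniform_mask))
    print("biased masks leak: ", leaks(biased_mask))
```

With uniform masks both groups look uniform and the statistic stays near its 15 degrees of freedom; with the biased source the zero-secret group is skewed toward small values and the statistic grows by orders of magnitude.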
Next Design: Mix Only
[Diagram: 𝜒′ blocks with MIX layers]
Simulation predicts: No leakage
18 Rounds of Mixing: 𝝌′, 𝜽
[Plots: 1st, 2nd and 3rd order over time; 1st order over traces]
77Shuffle and Mix | COSADE 2019 | Darmstadt
Next Design: Shuffle Only
𝜒‘SHUFFLE
𝜒‘
𝜒‘
𝜒‘
𝜒‘SHUFFLE
𝜒‘
𝜒‘
𝜒‘
𝜒‘SHUFFLE
𝜒‘
𝜒‘
𝜒‘
𝜒‘SHUFFLE
𝜒‘
𝜒‘
𝜒‘
![Page 78: Shuffle and Mix: On the Diffusion of Randomness in TI of Keccak · 2019-04-08 · Shuffle and Mix: On the Diffusion of Randomness in TI of Keccak COSADE 2019, Darmstadt Felix Wegener,](https://reader033.vdocuments.us/reader033/viewer/2022060514/5f83a349f846d74b2d282155/html5/thumbnails/78.jpg)
78Shuffle and Mix | COSADE 2019 | Darmstadt
Next Design: Shuffle Only
𝜒‘SHUFFLE
𝜒‘
𝜒‘
𝜒‘
𝜒‘SHUFFLE
𝜒‘
𝜒‘
𝜒‘
𝜒‘SHUFFLE
𝜒‘
𝜒‘
𝜒‘
𝜒‘SHUFFLE
𝜒‘
𝜒‘
𝜒‘
Simulation predicts:No leakage
18 Rounds of Shuffling: 𝝌′, 𝝆, 𝝅
[Plots: 1st, 2nd and 3rd order over time; 1st order over traces]
81Shuffle and Mix | COSADE 2019 | Darmstadt
Practical Measurements
Summary of Results
Simulations
Active Layers DetectableLeakage?
Sbox𝜒′
Yes!
Mix𝜒′, 𝜃
No.
Shuffle𝜒′, 𝜌, 𝜋
Yes.
Shuffle and Mix𝜒′, 𝜌, 𝜋, 𝜃
No.
Active Layers DetectableLeakage?
Sbox𝜒′
Yes!
Mix𝜒′, 𝜃
No.
Shuffle𝜒′, 𝜌, 𝜋
No.
Shuffle and Mix𝜒′, 𝜌, 𝜋, 𝜃
No.
![Page 82: Shuffle and Mix: On the Diffusion of Randomness in TI of Keccak · 2019-04-08 · Shuffle and Mix: On the Diffusion of Randomness in TI of Keccak COSADE 2019, Darmstadt Felix Wegener,](https://reader033.vdocuments.us/reader033/viewer/2022060514/5f83a349f846d74b2d282155/html5/thumbnails/82.jpg)
82Shuffle and Mix | COSADE 2019 | Darmstadt
Practical Measurements
Summary of Results
Simulations
Active Layers DetectableLeakage?
Sbox𝜒′
Yes!
Mix𝜒′, 𝜃
No.
Shuffle𝜒′, 𝜌, 𝜋
Yes.
Shuffle and Mix𝜒′, 𝜌, 𝜋, 𝜃
No.
Active Layers DetectableLeakage?
Sbox𝜒′
Yes!
Mix𝜒′, 𝜃
No.
Shuffle𝜒′, 𝜌, 𝜋
No.
Shuffle and Mix𝜒′, 𝜌, 𝜋, 𝜃
No.
Conclusion
Takeaways:
• Use Shuffle and Mix for entropy diffusion
• Combine simulations with practical evaluations
Caveats:
• Uniformity is essential in decomposed S-boxes:
Future Work:
• Evaluation of exploitable leakage
• Diffusion in other ciphers (e.g. ASCON)
• Quality criteria for RNG
Thanks! Any questions?
Grant Nr. 16KIS0666 SYSKIT_HW
Felix Wegener, Christian Baiker, Amir Moradi
Ruhr University Bochum, Horst Görtz Institute for IT-Security, Germany