Join Log in
Score:2
Evgeni Vaknin avatar Crypto

Threshold implementation of ciphers

za flag
Evgeni Vaknin

What is the principle behind threshold implementation of block ciphers and how is this protecting against side channel attacks?

53
0 + 0
kodlu avatar
sa flag
kodlu
Nice question Can you give a reference which discusses this topic?
0
Reply
Evgeni Vaknin avatar
za flag
Evgeni Vaknin
look at: "Threshold Implementations Against Side-Channel Attacks and Glitches" , @ https://www.esat.kuleuven.be/cosic/publications/article-847.pdf
2
Reply
Score:3
poncho avatar Crypto
my flag
poncho

What is the principle behind threshold implementation of block ciphers

The idea is that we take every secret state of the cipher (be it the key itself or an internal state value) and convert that into a "threshold" representation, where the logical value of the secret state $s$ is actually implemented by $t$ different physical values $s_0, s_1, \dots, s_{t-1}$, in such as way that knowledge of $t-1$ of the physical values gives no information about the logical value $s$.

The most common way to implement this is with xor-sharing; if $t=2$, then each logical state $s$ is represented by $s = s_0 \oplus s_1$; if $s_0, s_1$ can both 1 with probability $0.5$, then learning just one of them gives no information about $s$.

The obvious question is "how do you do operations with these threshold representations?". Linear/affine operations are easy: to negate, you just flip one of the physical components. To xor, you xor the two values component-wise: $(s_0, s_1) \oplus (t_0, t_1) = (s_0 \oplus t_0, s_1 \oplus t_1$)

Nonlinear operations are a tad trickier; to perform an AND operation, what we can do is pick a fresh random value $r$, and compute $(s_0, s_1) \land (t_0, t_1) = (s_0 \land t_0 \oplus (s_1 \land t_1 \oplus r), s_0 \land t_1 \oplus (s_1 \land t_0 \oplus r))$. This works because we have DeMorgan's theorem: $(s_0 \oplus s_1) \land (t_0 \oplus t_1) = (s_0 \land t_0) \oplus (s_0 \land t_1) \land (s_1 \land t_0) \oplus (s_1 \land t_1)$ (which generalizes to arbitrary threshold values. And, we stir in fresh randomness $r$ because otherwise the physical values would no longer be equidistributed.

With NOT, XOR and AND operations, any block cipher can be constructed.

how is this protecting against side channel attacks?

The idea is that even if the attacker can get some information about the state of $t-1$ secret values simultaneously from a side-channel attack, that doesn't tell him anything about what's going on with the cipher itself.

I was asked to put in a reference; the earliest general reference I know is Toward Sound Approaches to Counteract Power-Analysis Attacks by Chari et al; in particular, see section 3.3 "Encoding"

0 + 0
Evgeni Vaknin avatar
za flag
Evgeni Vaknin
Thanks! I must admit I sow some answers, but non of them was that clear crystal
0
Reply
Evgeni Vaknin avatar
za flag
Evgeni Vaknin
So, please correct me if I'm wrong, in order to implement, say, AES S-BOX with threshold logic, I can add the mask in the input, and then create a new S-BOX, say T-BOX, such that T(x+s) = S(x), and generate new s and new T each time I need to calculate S(x). Is that right?
0
Reply
poncho avatar
my flag
poncho
@EvgeniVaknin: that'd be expensive - creating a fresh SBox each time would be costly. One way I've seen is to implement a threshold implementation of $x^{254}$ (the nonlinear part of the sbox) based on the threshold multiplication identity $(s_0 + s_1)\times(t_0 + t_1) = (s_0 \times t_0) + (s_0 \times t_1) + (s_1 \times t_0) + (s_1 \times t_1)$ (where $+, \times$ are $GF(256)$ operations); still rather costly, but better than rebuilding the sbox each time...
1
Reply
poncho avatar
my flag
poncho
@EvgeniVaknin: actually, as squaring in $GF(256)$ is linear, you can implement $x^{254}$ with 7 squarings (cheap) and 4 threshold multiplies...
1
Reply
kodlu avatar
sa flag
kodlu
Can you give a reference to put this question and your nice answer into context? I asked the OP as well.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.