11th October 2017
Leakage Resilience from Lattices
Marco Martinoli (ESR10)
Supervised by Prof. Elisabeth Oswald and Dr. Martijn Stam
University of Bristol
Leaky Lattices
11th October 2017
HIGHLIGHTS 09/16 – 09/17
I went to NXP for my secondment;
I started to write a draft of my long-lasting project;
I presented my first paper.
Marco 3 - 0∗ PhD
∗Events that might have increased this score are out of scope.
Frodo meets ELMO
Joint work with Joppe Bos, Simon Friedberger (ESR12), Martijn Stam and Elisabeth Oswald.
(a) Frodo (b) ELMO
Introducing: ELMO
Emulator for power Leakages for the M0
is a tool for simulating power consumption for side-channel measurements;
allows evaluating attacks on software running on an ARM Cortex-M0 without requiring a hardware measurement setup;
simulates leakage with instruction accuracy;
was checked against real leakage measured on an STM32F0 Discovery Board.
Available at https://github.com/bristol-sca/ELMO.
Introducing: Frodo
Available at https://github.com/lwe-frodo/lwe-frodo.
Profiling

$$
\begin{pmatrix}
A[0,0] & A[0,1] & A[0,2] \\
A[1,0] & A[1,1] & A[1,2] \\
A[2,0] & A[2,1] & A[2,2]
\end{pmatrix}
\cdot
\begin{pmatrix}
S[0,0] & S[0,1] & S[0,2] \\
S[1,0] & S[1,1] & S[1,2] \\
S[2,0] & S[2,1] & S[2,2]
\end{pmatrix}
$$
Attack techniques
LWE-based key agreement protocol implies:
weakly non-linear operations;
internal secrets must be freshly regenerated at every invocation.
DPA-style attacks need a lot of traces, which are not provided. But secrets are small, hence there is only a very small number of possible guesses to build templates for.
Template profiles
q = 211, n = 352, S[0, 0] ∈ {0,±1,±2,±3} ← χ
Template profiles: loading
−1 11111111111
−2 11111111110
−3 11111111101
+3 00000000011
+2 00000000010
+1 00000000001
 0 00000000000
Depends on S[0, 0] only, constant with varying A[0, 0].
Template profiles: multiplication
−1 11111111111
−3 11111111101
−2 11111111110
+3 00000000011
+1 00000000001
+2 00000000010
 0 00000000000
A[0, 0] contributes to power consumption too.
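As an added illustration (not code from the slides or from the Frodo/ELMO projects), a Hamming-weight leakage model over the slide's secret support, showing why the load profile depends on S[0, 0] alone while the product profile also moves with A[0, 0]. It assumes the 11-bit two's complement display used on the slides and treats the raw product A[0, 0]·S[0, 0] before reduction mod q as the register word, which is an assumption about the implementation.

```python
from collections import defaultdict

Q = 211                              # modulus q stated on the slide
SUPPORT = [0, 1, -1, 2, -2, 3, -3]   # values S[0, 0] can take under chi
WIDTH = 11                           # the slide displays register words as 11 bits

def twos_complement(v, width=WIDTH):
    """Bit string of the signed value v as a width-bit two's complement word."""
    return format(v % (1 << width), f"0{width}b")

def hamming_weight(v, width=WIDTH):
    """Hamming-weight leakage model: number of set bits in the word."""
    return twos_complement(v, width).count("1")

def load_classes(width=WIDTH):
    """Partition of SUPPORT by the HW leaked when S[0, 0] is loaded.
    Nothing here depends on A[0, 0]: negatives land in high-weight classes,
    small positives in low-weight classes, and 0 sits alone."""
    classes = defaultdict(list)
    for s in SUPPORT:
        classes[hamming_weight(s, width)].append(s)
    return dict(classes)

def mul_classes(a, width=WIDTH):
    """Same partition for the product A[0, 0] * S[0, 0] held in a register
    (assumed: raw product before reduction mod q). The grouping now changes
    with a, i.e. A[0, 0] contributes to the leakage."""
    classes = defaultdict(list)
    for s in SUPPORT:
        classes[hamming_weight(a * s, width)].append(s)
    return dict(classes)

def partitions_seen(width=WIDTH):
    """Number of distinct partitions the multiplication leaks over all a in Z_q*.
    A result of 1 would mean the operand A plays no role, as for the load."""
    seen = {frozenset(frozenset(c) for c in mul_classes(a, width).values())
            for a in range(1, Q)}
    return len(seen)

if __name__ == "__main__":
    for s in SUPPORT:
        print(f"{s:+d}  {twos_complement(s)}  HW={hamming_weight(s)}")
    print("load:", load_classes())
    print("mul by 3:", mul_classes(3))
    print("distinct multiplication partitions:", partitions_seen())
```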
Signal variance
SNR comparison
SCA of Frodo
Where we are:
set up simulations and profiling;
template matching in noiseless case;
analysis of noise in PoI;
template attack for first order recovery;
alternative implementations;
shuffling;
including leakage in BKZ to boost lattice attacks.
Totally non singular key update mechanism
Joint work with Martijn Stam and Elisabeth Oswald. Setting is the continuous d-probing model.

$$
\begin{aligned}
s &\leftarrow \mathrm{KeyGen}(n) \\
(\dot{s}_0, \ddot{s}_0) &\leftarrow \mathrm{Share}(s) \\
(\dot{s}_i, O_i) &\leftarrow \dot{\mathrm{Update}}(\dot{s}_{i-1}) \qquad \ddot{s}_i \leftarrow \ddot{\mathrm{Update}}(\ddot{s}_{i-1}, O_i) \\
s &\leftarrow \mathrm{Recombine}(\dot{s}_i, \ddot{s}_i)
\end{aligned}
$$
Totally non singular KU mechanism
Target is an LWE public key encryption scheme over $\mathbb{Z}_q$ for a prime $q$; the secret is $s \in \mathbb{Z}_q^n$. $\mathrm{Share}(s) = (\dot{s}, \ddot{s})$ such that

$$
s = B \cdot \dot{s} + \ddot{s}
$$
B needs to be TNS to avoid linear dependencies among positions of the secret.
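As an added worked example (not code from the talk), the sharing relation s = B·ṡ + s̈ over Z_q together with a brute-force check that B is totally non-singular (every square submatrix invertible mod q); a Cauchy matrix is used because all of its minors are nonzero, whereas the identity matrix, although invertible, is not TNS. The update() refresh is an assumed instantiation that only fits the (ṡ_i, O_i) interface shown on the slide, not the mechanism studied in the talk.

```python
import random
from itertools import combinations

Q = 211  # prime modulus used on the slides

def det_mod(m, q=Q):
    """Determinant of a square matrix over Z_q by Gaussian elimination."""
    m, n, det = [row[:] for row in m], len(m), 1
    for c in range(n):
        p = next((r for r in range(c, n) if m[r][c] % q), None)
        if p is None:
            return 0
        if p != c:
            m[c], m[p] = m[p], m[c]
            det = -det
        det = det * m[c][c] % q
        inv = pow(m[c][c], -1, q)
        for r in range(c + 1, n):
            f = m[r][c] * inv % q
            m[r] = [(x - f * y) % q for x, y in zip(m[r], m[c])]
    return det % q

def is_tns(B, q=Q):
    """Totally non-singular: every square submatrix of B is invertible mod q."""
    n = len(B)
    return all(det_mod([[B[r][c] for c in cols] for r in rows], q)
               for k in range(1, n + 1)
               for rows in combinations(range(n), k)
               for cols in combinations(range(n), k))

def cauchy(xs, ys, q=Q):
    """Cauchy matrix 1/(x_i - y_j) with distinct x's and y's: all minors nonzero."""
    return [[pow((x - y) % q, -1, q) for y in ys] for x in xs]

def matvec(B, v, q=Q):
    return [sum(b * x for b, x in zip(row, v)) % q for row in B]

def share(s, B, q=Q):
    """Share(s) = (s_dot, s_ddot) with s = B*s_dot + s_ddot; s_dot is uniform."""
    s_dot = [random.randrange(q) for _ in s]
    s_ddot = [(x - y) % q for x, y in zip(s, matvec(B, s_dot, q))]
    return s_dot, s_ddot

def update(s_dot, s_ddot, B, q=Q):
    """Assumed refresh (not the talk's): re-randomise s_dot with r and pass the
    offset O = B*r to the other half, which subtracts it; s is unchanged."""
    r = [random.randrange(q) for _ in s_dot]
    O = matvec(B, r, q)
    return ([(a + b) % q for a, b in zip(s_dot, r)],
            [(a - o) % q for a, o in zip(s_ddot, O)])

def recombine(s_dot, s_ddot, B, q=Q):
    return [(a + b) % q for a, b in zip(matvec(B, s_dot, q), s_ddot)]
```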
TNS KU mechanism
Where we are:
Share is secure;
leak-free Update is secure;
Update is secure;
composition of KU + Dec is secure;
Future work and more ideas
Finalise side-channel analysis of Frodo and TNS KU mechanism.
Glitchtool, joint work with Erik Boss (ESR6), Dusan Bozilov (ESR13), Miroslav Knezevic, Ventzi Nikov.
Involutory SBoxes, joint work with Erik Boss (ESR6), Ralph Ankele (ESR7).
BKZ on leaky lattices, joint work with Matthias Minihold (ESR5).
Related activities
Secondment: NXP Semiconductors, Leuven (BE);
Outreach: Digimaker on 11th November, Bristol;
Teaching: Security 101, Cryptography A;
Travels: SPACE16, RWC17, School on lattices in Oxford, Eurocrypt17, second London Crypto day.
Subreviewer: Crypto17, Asiacrypt17, SPACE17, Transactions on Computers 2017, CT-RSA17.