faster secure multi-party computation of aes and des using ... · faster secure multi-party...
TRANSCRIPT
Faster Secure Multi-Party Computation of AESand DES Using Lookup Tables
Marcel Keller, Emmanuela Orsini, Dragos Rotaru, Peter Scholl,
Eduardo Soria-Vazquez, and Srinivas Vivek
ACNS 2017
1
Multi-Party Computation
Dragos Rotaru 54
Goal: Compute F(a, b, c).
ac
b
Multi-Party Computation
Dragos Rotaru 55
Goal: Compute F(a, b, c).
ac
b
Bob has problems.
Dragos Rotaru 56
Bob has problems?
Dragos Rotaru 57
Look-up tables are everywhere in MPC.
Floating Point
Oblivious RAM
Non-linear functions
Bob has problems?
Dragos Rotaru 58
Look-up tables are everywhere in MPC.
Floating Point
Oblivious RAM
Non-linear functions
Non-linear? AES and 3-DES
Dragos Rotaru 59
42 42 42
Non-linear? AES and 3-DES
Dragos Rotaru 60
42 42 42 42
Non-linear? AES and 3-DES
Dragos Rotaru 61
42 42 42 42
Enc Enc Enc
Non-linear? AES and 3-DES
Dragos Rotaru 62
42 42 42
Enc(42)
System researched inBrandeis JANA project.
Fastest AES and 3-DES in MPC with malicious security
Dragos Rotaru 63
• Apply side-channel countermeasures in the MPC land.
• Improve on previous AES TinyTable by at least 50 times.
• 3-DES has now 100 times faster online time.
Concurrent Work
Dragos Rotaru 64
• [DNNR16] – TinyTable. Improved version now at CRYPTO17.
• [DKS+17] – Dessouky et al. in NDSS17. Semi-Honest setting based on 1-out-of-N OT. Also built a compiler which can be used with our protocol.
MPC with Secret Sharing
Dragos Rotaru 65
𝑥 = 𝑥1 +⋯+ 𝑥𝑛Each 𝑃𝑖 has 𝑥 ← 𝑥𝑖
𝑥 ← 𝑥1
𝑥 ← 𝑥2
𝑥 ← 𝑥3
MPC Preprocessing Phase
Dragos Rotaru 66
Generate Triples.[c] = [a][b]
MPC Preprocessing Phase
Dragos Rotaru 67
Generate Triples.[c] = [a][b]
MPC Preprocessing Phase
Dragos Rotaru 68
MPC Preprocessing Phase
Dragos Rotaru 69
MPC Online Phase
Dragos Rotaru 70
Use Triples.
MPC Online Phase
Dragos Rotaru 71
Use Triples.
MPC Circuit Evaluation
Dragos Rotaru 72
MPC Circuit Evaluation
Dragos Rotaru 73
MPC Circuit Evaluation
Dragos Rotaru 74
MPC Circuit Evaluation
Dragos Rotaru 75
MPC Circuit Evaluation
Dragos Rotaru 76
3 triples.2 rounds.
Side-Channel inspired
Dragos Rotaru 77
• Write Sbox(x) as a poly with minimal non-linear multiplications, i.e. squares are (almost) for free
• AES Sbox requires 4 non-linear mults [RP10].
[x] [Sbox(x)]
Side-Channel inspired
Dragos Rotaru 78
• Write Sbox(x) as a poly with minimal non-linear multiplications, i.e. squares are (almost) for free
• AES Sbox requires 4 non-linear mults [RP10].• DES Sbox requires 3 non-linear mults [PV16].
[x] [Sbox(x)]
Side-Channel inspired
Dragos Rotaru 79
• [RR16] - AES latency around 15-20ms in 1GB/s LAN.• Our AES-RP has 23ms over 1GB/s LAN network.
[x] [Sbox(x)]
16 Sbox([x])
…16
Sbox([x])
AES-128
Dragos Rotaru 80
10 rounds
Dragos Rotaru 81
[x] [Sbox(x)]
How to Sbox – online
How to Sbox – online
Dragos Rotaru 82
[x] [Sbox(x)]
How to Sbox – online
Dragos Rotaru 83
[x] [Sbox(x)]
[r] [Sbox(r)] … [Sbox(r+255)]
How to Sbox – online
Dragos Rotaru 84
[x] [Sbox(x)]
[r] [Sbox(r)] … [Sbox(r+255)]
x+r [Sbox(x)]
How to Sbox – online
Dragos Rotaru 85
[x] [Sbox(x)]
[r] [Sbox(r)] … [Sbox(r+255)]
x+r [Sbox(x)]
At pos (x+r) => Sbox(r + x + r)
How to Sbox - preprocessing
Dragos Rotaru 86
Take random [r].Compute [Sbox(r)], … [Sbox(r+255)]
[r] [Sbox(r)] … [Sbox(r+255)]
How to Sbox - preprocessing
Dragos Rotaru 87
Take random [r].Compute [Sbox(r)], … [Sbox(r+255)]
7 mults.
[r] [Sbox(r)] … [Sbox(r+255)]
How to Sbox - preprocessing
Dragos Rotaru 88
Take random [r].Compute [Sbox(r)], … [Sbox(r+255)]
7 mults. 7 mults.
[r] [Sbox(r)] … [Sbox(r+255)]
How to Sbox - preprocessing
Dragos Rotaru 89
Take random [r].Compute [Sbox(r)], … [Sbox(r+255)]
7 mults. 7 mults. 1792 mults.
[r] [Sbox(r)] … [Sbox(r+255)]
How to Sbox - preprocessing
Dragos Rotaru 90
Take random [r].Compute [Sbox(r)], … [Sbox(r+255)]
7 mults. 7 mults. 1792 mults.
[r] [Sbox(r)] … [Sbox(r+255)]
How to Sbox - preprocessing
Dragos Rotaru 91
Take random [r].Compute [Sbox(r)], … [Sbox(r+255)]
7 mults. 7 mults. 1792 mults. 11 mults.
[r] [Sbox(r)] … [Sbox(r+255)]
How to Sbox - preprocessing
Dragos Rotaru 92
[r] [Sbox(r)] … [Sbox(r+255)]
How to Sbox - preprocessing
Dragos Rotaru 93
[r] [Sbox(r)] … [Sbox(r+255)]
• Demultiplex on secret data with few multiplications. • Multiplex Sbox is (almost) for free
How to Sbox - preprocessing
Dragos Rotaru 94
[r] [Sbox(r)] … [Sbox(r+255)]
[2**r]
[𝑋𝑟] = [2𝑟] ∈ 𝐺𝐹(2𝑛)
[1] [0] [1] … [1]
How to Sbox - preprocessing
Dragos Rotaru 95
[r] [Sbox(r)] … [Sbox(r+255)]
[2**r]
[r]
[𝑋𝑟] = [2𝑟] ∈ 𝐺𝐹(2𝑛)
[1] [0] [1] … [1]
𝑋20[1] 𝑋22
… 𝑋27
How to Sbox - preprocessing
Dragos Rotaru 96
[r] [Sbox(r)] … [Sbox(r+255)]
[2**r]
[r]
[𝑋𝑟] = [2𝑟] ∈ 𝐺𝐹(2𝑛)
[1] [0] [1] … [1]
𝑋20[1] 𝑋22
… 𝑋277 mults in 𝐺𝐹(2256)
How to Sbox - preprocessing
Dragos Rotaru 97
[r] [Sbox(r)] … [Sbox(r+255)]
[2**r]
[r]
How to Sbox - preprocessing
Dragos Rotaru 98
[r] [Sbox(r)] … [Sbox(r+255)]
[2**r]
How to Sbox - preprocessing
Dragos Rotaru 99
[r] [Sbox(r)] … [Sbox(r+255)]
[2**r]
[0] … [1] … [0]
How to Sbox - preprocessing
Dragos Rotaru 100
[r] [Sbox(r)] … [Sbox(r+255)]
[2**r]
[0] … [1] … [0]
Sbox(0) … Sbox(r) … Sbox(255)
[Sbox(r)]Mult. with
public scalars is cheap
How to Sbox - preprocessing
Dragos Rotaru 101
[r] [Sbox(r)] … [Sbox(r+255)]
[2**r]
[0] … [1] … [0]
Sbox(0) … Sbox(r) … Sbox(255)
[Sbox(r)]
Sbox(1) … Sbox(r+1) … Sbox(0)
[Sbox(r+1)] …Mult. with
public scalars is cheap
How to Sbox - preprocessing
Dragos Rotaru 102
[r] [Sbox(r)] … [Sbox(r+255)]
7 mults. in 𝐺𝐹(2256)[KOS16]7 mults. in 𝐺𝐹 2256
850kB
How to Sbox - preprocessing
Dragos Rotaru 103
[r] [Sbox(r)] … [Sbox(r+255)]
7 mults. in 𝐺𝐹 2256
850kB
View ops. as polys in 𝐺𝐹(2𝑘)
11 mults. in 𝐺𝐹(240)47kB
[KOS16]
TL;DR
Dragos Rotaru 104
So many choices…
Dragos Rotaru 105
Faster is…faster.
Dragos Rotaru 106
Faster is…faster.
Dragos Rotaru 107
Faster is…faster.
Dragos Rotaru 108
Faster is…faster.
Dragos Rotaru 109
Thank you! #triples
Dragos Rotaru 110
LAN results.
Dragos Rotaru 111
2 parties:
#party #party #party
Dragos Rotaru 112