TY - GEN
T1 - Packed Multiplication
T2 - 26th International Conference on the Theory and Application of Cryptology and Information Security, ASIACRYPT 2020
AU - Wang, Weijia
AU - Guo, Chun
AU - Standaert, François Xavier
AU - Yu, Yu
AU - Cassiers, Gaëtan
N1 - Publisher Copyright:
© 2020, International Association for Cryptologic Research.
PY - 2020
Y1 - 2020
N2 - Higher-order masking countermeasures provide strong provable security against side-channel attacks at the cost of incurring significant overheads, which largely hinders their applicability. Previous works on reducing this cost mostly concentrated on “local” calculations, i.e., optimizing the cost of computation units such as a single AND gate or a field multiplication. This paper explores a complementary “global” approach, i.e., considering multiple operations in the masked domain as a batch and reducing randomness and computational cost via amortization. In particular, we focus on the amortization of ℓ parallel field multiplications for an appropriate integer ℓ > 1, and design a kit named packed multiplication for implementing such a batch. For ℓ + d ≤ 2^m, when ℓ parallel multiplications over F_{2^m} with d-th order probing security are implemented, packed multiplication consumes d^2 + 2ℓd + ℓ bilinear multiplications and 2d^2 + d(d+1)/2 random field variables, outperforming the state-of-the-art results of O(ℓd^2) multiplications and ℓ⌊d^2/4⌋ + ℓd random field variables. To prove d-probing security for packed multiplications, we introduce some weaker security notions for multiple-inputs-multiple-outputs gadgets and use them as intermediate steps, which may be of independent interest. As parallel field multiplications exist almost everywhere in symmetric cryptography, lifting optimizations from “local” to “global” substantially enlarges the space of improvements. To demonstrate, we showcase the method on the AES SubBytes step, GCM and TET (a popular disk encryption). Notably, when d = 8, our implementation of AES SubBytes on the ARM Cortex-M architecture achieves a gain of up to 33% in total speed and saves up to 68% of the random bits compared with the state-of-the-art bitsliced implementation reported at ASIACRYPT 2018.
UR - https://www.scopus.com/pages/publications/85097842014
U2 - 10.1007/978-3-030-64837-4_28
DO - 10.1007/978-3-030-64837-4_28
M3 - Conference contribution
AN - SCOPUS:85097842014
SN - 9783030648367
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 851
EP - 880
BT - Advances in Cryptology – ASIACRYPT 2020 - 26th International Conference on the Theory and Application of Cryptology and Information Security, 2020, Proceedings
A2 - Moriai, Shiho
A2 - Wang, Huaxiong
PB - Springer Science and Business Media Deutschland GmbH
Y2 - 7 December 2020 through 11 December 2020
ER -