Cryptanalysis of CLT13 Multilinear Maps with Independent Slots

Speeches/Talks (2019)

On Kilian's Randomization of Multilinear Map Encodings

in Coron, Jean-Sébastien; Pereira, Vitor (Eds.) On Kilian's Randomization of Multilinear Map Encodings (2019)

Zeroizing Attacks on Indistinguishability Obfuscation over CLT13

in Proceedings of PKC 2017 (2017)

Horizontal Side-Channel Attacks and Countermeasures on the ISW Masking Scheme

in Proceedings of CHES 2016 (2016)

Zeroizing Without Low-Level Zeroes: New MMAP Attacks and Their Limitations

in Proceedings of Crypto 2015 (2015)

Conversion from Arithmetic to Boolean Masking with Logarithmic Complexity

in Leander, Gregor (Ed.) Fast Software Encryption, 22nd International Workshop, FSE 2015, Istanbul, Turkey, March 8-11, 2015, Revised Selected Papers (2015, March)

A general technique to protect a cryptographic algorithm against side-channel attacks consists in masking all intermediate variables with a random value. For cryptographic algorithms combining Boolean ... [more ▼]

A general technique to protect a cryptographic algorithm against side-channel attacks consists in masking all intermediate variables with a random value. For cryptographic algorithms combining Boolean operations with arithmetic operations, one must then perform conversions between Boolean masking and arithmetic masking. At CHES 2001, Goubin described a very elegant algorithm for converting from Boolean masking to arithmetic masking, with only a constant number of operations. Goubin also described an algorithm for converting from arithmetic to Boolean masking, but with O(k) operations where k is the addition bit size. In this paper we describe an improved algorithm with time complexity O(log k) only. Our new algorithm is based on the Kogge-Stone carry look-ahead adder, which computes the carry signal in O(log k) instead of O(k) for the classical ripple carry adder. We also describe an algorithm for performing arithmetic addition modulo 2^k directly on Boolean shares, with the same complexity O(log k) instead of O(k). We prove the security of our new algorithm against first-order attacks. Our algorithm performs well in practice, as for k=64 we obtain a 23% improvement compared to Goubin’s algorithm. [less ▲]

Higher Order Masking of Look-Up Tables

in Proceedings of Eurocrypt 2014 (2014)

A Note on the Bivariate Coppersmith Theorem

in Journal of Cryptology (2013), 26(2), 246-250

Batch Fully Homomorphic Encryption over the Integers

in EUROCRYPT (2013)

Conversion of Security Proofs from One Leakage Model to Another: A New Issue

in Proceedings of COSADE 2012 (2012)

To guarantee the security of a cryptographic implementation against Side Channel Attacks, a common approach is to formally prove the security of the corresponding scheme in a model as pertinent as ... [more ▼]

To guarantee the security of a cryptographic implementation against Side Channel Attacks, a common approach is to formally prove the security of the corresponding scheme in a model as pertinent as possible. Nowadays, security proofs for masking schemes in the literature are usually conducted for models where only the manipulated data are assumed to leak. However in practice, the leakage is better modeled encompassing the memory transitions as e.g. the Hamming distance model. From this observation, a natural question is to decide at which extent a countermeasure proved to be secure in the first model stays secure in the second. In this paper, we look at this issue and we show that it must definitely be taken into account. Indeed, we show that a countermeasure proved to be secure against second-order side-channel attacks in the first model becomes vulnerable against a first-order side-channel attack in the second model. Our result emphasize the issue of porting an implementation from devices leaking only on the manipulated data to devices leaking on the memory transitions. [less ▲]