Please use this Handle URI to cite this item: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/91420

Full metadata record
DC field | Value | Language
dc.contributor.advisor | 陳君朋 | zh_TW
dc.contributor.advisor | Jiun-Peng Chen | en
dc.contributor.author | 陳耕宇 | zh_TW
dc.contributor.author | Keng-Yu Chen | en
dc.date.accessioned | 2024-01-26T16:25:38Z | -
dc.date.available | 2024-01-27 | -
dc.date.copyright | 2024-01-26 | -
dc.date.issued | 2024 | -
dc.date.submitted | 2024-01-05 | -
dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/91420 | -
dc.description.abstract | (text below) | zh_TW
    Side-channel analysis has posed a threat to many post-quantum cryptographic algorithms, including FALCON. Although masking is one of the most effective countermeasures against side-channel threats, masking FALCON is comparatively difficult because its implementation uses floating-point arithmetic, which is rare in cryptographic computation. Floating-point operations lack associativity and distributivity, so masking FALCON necessarily requires designing new floating-point multiplication and addition.
    This thesis designs the first masking countermeasure for floating-point multiplication and addition, used to protect FALCON's pre-image vector computation against side-channel attacks. The approach includes a new masked nonzero-check algorithm that securely determines whether a shared value is zero. This algorithm can be applied to rounding the mantissa, computing the sticky bit, checking the equality of two shared values, normalization, and so on. To mask floating-point addition, this thesis also designs masked shift and normalization algorithms. The approach provides first- and higher-order protection, and its theoretical security in the probing model is verified through (Strong) Non-Interference. This thesis also implements the unmasked, first-order and second-order masked algorithms on an Arm Cortex-M4 processor for performance comparison. In addition, the approach is subjected to TVLA leakage detection, and its second-order protection passes the test on 100,000 power consumption traces.
dc.description.abstract | (text below) | en
    Side-channel attacks have posed threats to many post-quantum cryptographic schemes, including FALCON. While masking is one of the most effective countermeasures against such threats, applying it to FALCON is challenging because the implementation relies on floating-point arithmetic. Since floating-point operations are neither associative nor distributive, new ways of performing masked multiplication and addition must be devised.
    In this thesis, we present the first masking scheme for floating-point multiplication and addition, designed to defend against recent side-channel attacks on FALCON's pre-image vector computation. The approach is built on a masked nonzero-check gadget that securely determines whether a shared value is zero. This gadget serves several computations: rounding the mantissa, computing the sticky bit, checking the equality of two values, and normalizing a number. To support masked floating-point addition, we also develop a masked shift gadget and a masked normalization gadget. The design provides both first- and higher-order protection, and we establish its theoretical security by proving the (Strong) Non-Interference properties in the probing model. To evaluate performance, we implemented the unmasked, first-order and second-order algorithms on an Arm Cortex-M4 processor, reporting cycle counts and the number of random bytes consumed. We also report the time for one complete signing operation with our countermeasure on an Intel Core CPU. Finally, we assessed practical security with a test vector leakage assessment (TVLA) to validate the effectiveness of the protection; our second-order masked implementation passed the test on 100,000 measured traces.
dc.description.provenance | Submitted by admin ntu (admin@lib.ntu.edu.tw) on 2024-01-26T16:25:38Z. No. of bitstreams: 0 | en
dc.description.provenance | Made available in DSpace on 2024-01-26T16:25:38Z (GMT). No. of bitstreams: 0 | en
dc.description.tableofcontents | (text below) | -
    Acknowledgements v
    Abstract (Chinese) vii
    Abstract ix
    Contents xi
    List of Figures xiii
    List of Tables xv
    Chapter 1 Introduction 1
    Chapter 2 Preliminaries 7
        2.1 Notation 7
        2.2 Falcon Signature Scheme 8
        2.3 Floating-Point Number Multiplication and Addition 13
        2.4 Attacks on the Pre-image Vector Computation 16
        2.5 Masking 19
        2.6 Test Vector Leakage Assessment 21
    Chapter 3 Masked Floating-Point Number Multiplication and Addition 23
        3.1 Masked Nonzero Check 24
        3.2 Masked Unsigned Right-Shift 27
        3.3 Masked 64-bit Normalization 28
        3.4 Masked Floating-Point Number Rounding and Packing 29
        3.5 Masked Floating-Point Number Multiplication 30
        3.6 Masked Floating-Point Number Addition 33
    Chapter 4 Security Proof 37
    Chapter 5 Implementation and Evaluation 49
        5.1 Performance Evaluation 50
        5.2 Security Evaluation 52
    Chapter 6 Conclusion 55
    References 57
    Appendix A: Gadgets Used in This Work 65
dc.language.iso | en | -
dc.subject | Side-channel analysis | zh_TW
dc.subject | Masking | zh_TW
dc.subject | Post-quantum cryptography | zh_TW
dc.subject | Falcon | zh_TW
dc.subject | Floating-point arithmetic | zh_TW
dc.subject | Floating-Point Arithmetic | en
dc.subject | Side-Channel Analysis | en
dc.subject | Masking | en
dc.subject | Post-Quantum Cryptography | en
dc.subject | Falcon | en
dc.title | Masking Falcon's Floating-Point Multiplication and Addition | zh_TW
dc.title | Masking Floating-Point Number Multiplication and Addition of Falcon | en
dc.type | Thesis | -
dc.date.schoolyear | 112-1 | -
dc.description.degree | Master's | -
dc.contributor.coadvisor | 陳和麟 | zh_TW
dc.contributor.coadvisor | Ho-Lin Chen | en
dc.contributor.oralexamcommittee | 雷欽隆;陳君明;楊柏因 | zh_TW
dc.contributor.oralexamcommittee | Chin-Laung Lei;Jimmy Chen;Bo-Yin Yang | en
dc.subject.keyword | Side-channel analysis, Masking, Post-quantum cryptography, Falcon, Floating-point arithmetic | zh_TW
dc.subject.keyword | Side-Channel Analysis, Masking, Post-Quantum Cryptography, Falcon, Floating-Point Arithmetic | en
dc.relation.page | 69 | -
dc.identifier.doi | 10.6342/NTU202304508 | -
dc.rights.note | Authorization granted (access limited to campus) | -
dc.date.accepted | 2024-01-08 | -
dc.contributor.author-college | College of Electrical Engineering and Computer Science | -
dc.contributor.author-dept | Department of Electrical Engineering | -
Appears in collection: Department of Electrical Engineering

Files in this item:
File | Size | Format
ntu-112-1.pdf (access limited to NTU campus IP addresses; off-campus users should connect through the VPN service) | 2.01 MB | Adobe PDF