During the last 15 years there have been intensive research efforts in constructing cryptographic algorithms resilient to the side-channel leakage. The most fundamental part of every such construction are the leakage-resilient encoding schemes. Usually the cryptographic secrets encoded by them are assumed to belong to some finite group (G,+). The most common encoding scheme is the n-out-of-n additive secret sharing: a secret X is encoded as (X_1,...,X_n) such that X_1 + ...X_n = X. Intuitively, if an adversary receives only small partial independent information about each X_i then his information about X should be even smaller, and should decrease (i.e. the noise should amplify) when n grows. However, of course, the concrete parameters (the amount of leakage that can be tolerated, and the number of shares needed to achieve a given level of security) depend on the exact model that is used. One of the most prominent models used in this area is the so-called noisy-leakage model (Chari et al., CRYPTO'99, and Prouff and Rivain, EUROCRYPT'13), which is believed to correspond well to the real-life engineering experience, where the information that the adversary receives is always "noisy". In the Prouff and Rivain model the amount of information that the noise provides is measured using a parameter 5 that is equal to 0 when the noise is "full", and equal to 1 when there is no noise. It is natural to ask how small 5 needs to be to achieve the amplification of noise (in the additive encoding scheme described above). Until now it was known that such amplification can be achieved for δ < 1/16. In this paper we show that: 1. in the prime order groups G it suffices that δ < 1 - 1/|G|, 2. in general it suffices that 6 < 1/2. We also prove that these bounds are optimal. We then analyze the number n of shares needed to achieve security ∈ of the encoded value X (where ∈ is also defined in terms of "noisy information" that the adversary obtains about X). We give close lower and upper bounds on this value (that differ only in factor polylogarithmic in |G|). We achieve our results using techniques from the additive combinatorics, the harmonic analysis, and the convex optimization.
展开▼
机译:在过去的15年中,在构建对侧信道泄漏具有弹性的加密算法方面进行了深入的研究。每种此类构造中最基本的部分是防回弹编码方案。通常,假定由它们编码的密码机密属于某个有限组(G,+)。最常见的编码方案是n个n的n个附加秘密共享:秘密X被编码为(X_1,...,X_n),使得X_1 + ... X_n =X。关于每个X_i的信息只有很小的部分独立信息,那么他关于X的信息就应该更小,并且当n增大时应减小(即噪声应放大)。但是,当然,具体参数(可以容忍的泄漏量以及达到给定安全级别所需的份额数)取决于所使用的确切模型。在该领域中使用的最著名的模型之一是所谓的噪声泄漏模型(Chari等,CRYPTO'99,以及Prouff和Rivain,EUROCRYPT'13),据信它与现实生活非常吻合。工程经验,对手收到的信息总是“嘈杂”。在Prouff和Rivain模型中,使用参数5来测量噪声提供的信息量,该参数在噪声“满”时等于0,而在没有噪声时等于1。很自然地要问达到噪声放大需要5个多小(在上述加法编码方案中)。迄今为止,已知对于δ<1/16可以实现这种放大。在本文中,我们表明:1.在素数阶组G中,δ<1-1 / | G |就足够了; 2.在一般情况下,6 <1/2就足够了。我们还证明了这些界限是最优的。然后,我们分析实现编码值X的安全性所需的股份数量n(其中ε也根据对手获得的有关X的“嘈杂信息”来定义)。我们给出该值的上下限(仅在| G |中的因子对数上有所不同)。我们使用加法组合,谐波分析和凸优化技术来获得结果。
展开▼
