Entrust Crypto Health Check and Crypto Governance Consulting
Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto...
Transcript of Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto...
![Page 1: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/1.jpg)
Masking and MPC
When Crypto Theory Meets Crypto Practice
Nigel SmartUniversity of Bristol
![Page 2: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/2.jpg)
Basic ProblemSide channels are a big problem for designers of cryptographic integrated circuits
We want to design systems which resist various (strong) forms of leakage.
A traditional method in the side-channel community is called “masking”.
But masking is (sometimes) “Multi-Party Computation” in disguise.
![Page 3: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/3.jpg)
Simple Model
To make this simple we will assume a chip is just a circuit with various “areas” being denoted by boxes
Input Output
![Page 4: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/4.jpg)
Simple Model
Assume the attacker can target a component of the chip for side-channel leakage, and this side-channel is perfect
i.e. All the data in that component leaks
Input Output
![Page 5: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/5.jpg)
Simple Model
If the secret input can be deduced from the data obtained in this component of the chip then the attacker has won
Input Output
![Page 6: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/6.jpg)
Masking : Basic Idea
The basic idea is to operate on a “splitting” of the data
We want to computey = f(x)
We writex = x1+ x2
And come up with two “functions” f1 and f2 such that y can be recovered from
y1 = f1(x1)y2 = f2(x2)
Note x1 is like a one-time pad encryption
of x by the key x2
Computing f1(x1) can reveal nothing
about x.
![Page 7: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/7.jpg)
Side Channel Reveals Nothing
So even if the adversary compromises an entire chip portion, no data is revealed.
x
x1
y
x2y2
y1y1 = f1 (x1)
y2 = f2 (x2)
This is (essentially) a variant of the wire probe model of Ishai, Sahai and Wagner
![Page 8: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/8.jpg)
Complex Functions
The previous idea only works for very, very simple functions.
To compute more complex functions we need to concatenate various of these small boxes together and allow some “cross talk”
We can split the data into more than two chunks if needs be.
We allow the adversary to “leak” all the data on a given path/paths
![Page 9: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/9.jpg)
Complex Functions
![Page 10: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/10.jpg)
Complex FunctionsProbing could be adaptive
A “proactive” adversary in the MPC jargon
![Page 11: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/11.jpg)
“Wires” vs “Cores”
• Literature is divided into two variants– The device is a circuit and probes are on wires– The device is a set of communicating cores, and probes are
on entire cores
• The former produces ideas very different from MPC, the latter is just “MPC on a chip”
• We will look at the communicating core model first, then turn to the wire model.
![Page 12: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/12.jpg)
“Communicating Core” Model
![Page 13: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/13.jpg)
Multi-Party Computation
If we treat each row as a computing party then the previous slides diagram is just a three party secure computation with one bad guy
![Page 14: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/14.jpg)
MPC
So basically Masking = MPC in disguise.
In MPC data is secret shared between n parties
Parties compute a function on the shared data
Function input is secure even if a certain threshold t is corrupt
![Page 15: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/15.jpg)
Passive vs Active
In the context of side-channels we are looking to protect against passive eavesdroppers, i.e. those that passively listen to the side-channel from a given component
In MPC these are called semi-honest/passive adversaries
Most MPC literature is about active adversaries, i.e. ones that can deviate from the protocol
This would correspond to protecting against malware, or fault injection attacks in the side-channel world.
![Page 16: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/16.jpg)
Passive AdversariesSo lets just consider passive adversaries.
Basic MPC theory tells us....
1. We can construct information theoretically secure protocols if
t < n/2
2. If we allow “cryptography” then we can construct secure protocols if
t < n
![Page 17: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/17.jpg)
Passive Security With t<n/2
Some people have proposed using the MPC protocol of CCD/BGW to do this
– The basic idea on a wire level was proposed by Ishai, Sahaiand Wagner– Usually proposed at a higher level than wires though– Hardware designs for AES have been proposed using this– We only need the semi-honest/passively secure variant
The protocol/idea is very elegant and very easy to explain....
![Page 18: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/18.jpg)
I.T. Protocols (t<n/2)We secret share using Shamir using polynomials of degree t
– Any shared data is secure as long as only t shares are leaked.– Need t+1 shares to reconstruct the data– Write [x] for the sharing, and each share is xi
– We can compute arbitrary linear functions for free• To compute [L(x,y)] from [x] and [y] each party computes L(xi, yi)
Only problem then is to compute non-linear functions– This is done by a method of
• Schur multiply, reshare and combine–See the next slides...
![Page 19: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/19.jpg)
I.T. Protocols (t<n/2)Take n=3, t=1 and we want to multiply [x] by [y]
[x] is shared by the polynomial f = x + a*X– x1 = f(1) = x + a– x2 = f(2) = x + 2 a– x3 = f(3) = x + 3 a
[y] is shared by the polynomial g = y + b*X– y1 = f(1) = y + b– y2 = f(2) = y + 2 b– y3 = f(3) = y + 3 b
![Page 20: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/20.jpg)
I.T. Protocols (t<n/2)
Step 1 : Schur Multiply
Each party forms si = xi * yi
This is a degree 2t=2 sharing of x*y as if we setS = f * g = (x+a*X)*(y+b*X)
= x*y + (a*y+b*a) * X + (a*b)*X2
then si = S(i)Note that (as 2*t<n) there is a linear function L such that
x*y = L(s1,s2,s3)
![Page 21: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/21.jpg)
I.T. Protocols (t<n/2)
The si values are a degree 2t sharing of x*y, this is represented by the linear function L
We want a degree t sharing
To convert from 2t to t, we share the si via a degree t sharing, then evaluate L, which is linear.
![Page 22: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/22.jpg)
I.T. Protocols (t<n/2)
Step 2: Resharing
Each party shares si out using a degree t sharing
Party i generates a random ci and shares si by computingsi,j = si + ci * j
i.e. Using the polynomial Ti = si + ci X
The value si,j is sent to party j. So all parties hold a sharing [si]
![Page 23: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/23.jpg)
I.T. Protocols (t<n/2)
Step 3: RecombineAll parties hold a degree t sharing [si]
We know x*y = L(s1,s2,s3)
So to get a degree t sharing of x*y by computing[x*y] = L([s1],[s2],[s3])
locally.
![Page 24: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/24.jpg)
I.T. Protocols (t<n/2)
Given we can compute linear functions and multiplication we can then compute any function.
The resulting protocol is secure as long as no more than t parties are corrupted
• Or no more than t “on chip units” leak data• Giving t’th order side-channel protection
But each “unit” needs a source of good randomness to perform the resharing
![Page 25: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/25.jpg)
Reducing RandomnessCan we improve on this?
– Compute arbitrary functions– With Full Threshold (t<n)?
We clearly need to assume something– Theory tells us we could assume “cryptography”
The SPDZ protocol family uses cryptography to produce “Beaver triples” to enable this
– The Beaver triples are where the randomness is – Perhaps assume a “trusted component” which produces Beaver triples?– Isolating the randomness in this single component.
![Page 26: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/26.jpg)
SPDZ LikeTo isolate the need for randomness we can consider (forexposition) a chip/protocol with three parties/units.
One unit R has access to a good source of randomness, but doesnot see any data dependent items.
Two units P1 and P2 are deterministic and use a simple additivesharing.
Adversary can corrupt/obtain full leakage of R, P1 or P2; but nottwo.
![Page 27: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/27.jpg)
SPDZ Like
Data is shared between P1 and P2 in an additive manner– P1 holds x1
– P2 holds x2
– Data is x = x1+x2
Again computing linear functions come for free, so the only problem is non-linear functions (i.e. Multiplication)
![Page 28: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/28.jpg)
SPDZ LikeParty R has the job of helping P1 and P2 compute multiplications.
It does this by using its random source to sample a1, a2, b1, b2, c1, and c2 such that
– a = a1+a2
– b = b1+b2
– c = c1+c2
– c = a*bThe values (a1,b1,c1) are sent to P1 and (a2,b2,c2) are sent to P2
One pair of triples per multiplication “gate” in the function
![Page 29: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/29.jpg)
SPDZ LikeP1 and P2 use the triples to perform secure multiplications via some communication
P1 P2
R
Note P1 and P2 never send any data to R• R corresponds to the SPDZ offline phase• ie. Where “cryptography” is used in the real MPC protocol
![Page 30: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/30.jpg)
SPDZ Like
We want to compute [x*y] given [x] and [y]
They have a triple ([a],[b],[c]) such that c=a*b
Parties “open” [x-a] to obtain e = x - aParties “open” [y-b] to obtain d = y - b
Note e is a one-time pad encryption of x under the key aDitto for d, y, and b
![Page 31: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/31.jpg)
SPDZ Like
Parties then locally compute the linear function[z] = [c] + e * [b] + d * [a] + e*d
We have[z] = [c] + e * [b] + d * [a] + e*d
= [a*b] + (x-a) * [b] + (y-b) * [a] + (x-a)*(y-b)= [a*b] + [x*b-a*b] + [y*a-b*a] + [x*y –a*y –b*x + a*b]= [x*y]
So this computes the multiplication gate
![Page 32: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/32.jpg)
SPDZ Like
Could generalise this to n+1 parties, P1,...,Pn and R.
Adversary can corruptThe single party ROr any subset of n-1 of the P1,...,Pn computing parties
Thus the party R needs to be highly protectedIn a traditional MPC protocol R is split into another sub-protocol run between P1,...,PnBut we wanted to isolate the randomness use on the chip.
![Page 33: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/33.jpg)
“Wire” Model
With the wire model we just want a circuit which computes on sharings of data.
Investigated in series of papers by Nikova, Nikov, Rijmen, and co-authors
Want to reduce the amount of randomness used
![Page 34: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/34.jpg)
Wire ModelRecall the basic setup, we want to compute
y = f(x)We write
x = x1+ x2 + x3
And come up with three “functions” f1 , f2 and f3 such that y can be recovered from (encoding the cross-talk)
y1 = f1(x1, x2, x3,r)y2 = f2(x1, x2, x3,r)y3 = f3(x1, x2, x3,r)
The three functions will be randomized by an input r– Qu: What properties do they need to ensure security
![Page 35: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/35.jpg)
Wire Model
Nikova, Nikov, Rijmen et al identify three properties
1) CorrectnessFor all (y,x) such that
y=f(x) and all (x1,x2) such that
x = x1 + x2 + x3
we havey = f1(x1, x2, x3,r) + f2(x1, x2, x3,r) + f3(x1, x2, x3,r)
![Page 36: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/36.jpg)
Wire Model
Nikova, Nikov, Rijmen et al identify three properties
2) Non-CompletenessThe function fi should be independent of xi
i.e. We actually havey = f1(x2, x3,r) + f2(x1, x3,r) + f3(x1, x2,r)
This means if party i+1 executes function i, then they learn nothing as they do not see the data from party i at all.
![Page 37: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/37.jpg)
Wire ModelNikova, Nikov, Rijmen et al identify three properties
3) UniformityFor all y1, y2, y3 satisfying
y = y1 + y2 + y3
the number of x1, x2, x3,r such thatyi = fi(x1, x2, x3,r)
depends only on the number of values of x such thaty = f(x)
This means that we can compose the functions.
![Page 38: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/38.jpg)
Wire Model
This seems to give information theoretic security, and is in the full threshold case, i.e.
t < nWhich contradicts the theory of needing
t < n/2But this is OK, as the method only computes restricted functions
– It is not general (see next slides)– Amazingly though can be used to compute some S-Boxes
of some ciphers
![Page 39: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/39.jpg)
Examples
Does not seem to work for n=2For n=3 we can do this over GF(2) using the following functions for multiplication (addition is trivial)
F1 = a2*b2 + a2*b3 + a3*b2 + r F2 = a3*b3 + a1*b3 + a3*b1 + (a1 + b1)*r F3 = a1*b1 + a1*b2 + a2*b1 + (a1 + b1)*r + r
So we require one random bit per AND gate.
![Page 40: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/40.jpg)
Examples
With n=4 we can dispense with the random bit
F1 = (a3 + a4)*(b2 + b3) + a2 + a4F2 = (a1 + a3)*(b1 + b4) + b1 + a4F3 = (a2 + a4)*(b1 + b4) + a2F4 = (a1 + a2)*(b2 + b3) + b1
![Page 41: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/41.jpg)
Summary
We can use MPC idea to implement masking for side-channel protection
There are issues and trade-offs with respect to1. What functions we can compute2. The threshold (a.k.a. resistance to nth order DPA)3. How much randomness is needed, and by what units
![Page 42: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/42.jpg)
Other Issues
There is a big difference between MPC and using threshold cryptography to protect against side-channels
– Non-ideal secret sharing schemes cost hardware for each variable– Networking for free in hardware (just wires)– No need to worry about asynchronous networks– No need to worry about active adversaries– More concern re proactive security
![Page 43: Masking and MPC When Crypto Theory Meets Crypto Practice · When Crypto Theory Meets Crypto Practice Nigel Smart University of Bristol. Basic Problem Side channels are a big problem](https://reader034.fdocuments.in/reader034/viewer/2022042517/5f3f566e1680133ad63e3726/html5/thumbnails/43.jpg)
Questions?