![](http://iscwsisc2021.sbu.ac.ir/wp-content/uploads/2016/02/20.jpg)
Abstract: Recent attacks show that implementations need to be protected jointly against side-channel and fault attacks. Analogously, modern MPC protocols consider active security, i.e., security against malicious parties that not only passively eavesdrop but also actively deviate from the protocol. This gives the field of threshold implementations an opportunity to evolve alongside MPC and achieve provably secure implementations against combined passive and active physical attacks.
In this talk we first introduce Threshold Implementations as applied to protect various ciphers against SCA. We then discuss two recent proposals for combined countermeasures, CAPA and M&M, which both start from a passively secure threshold scheme and extend it with information-theoretic MAC tags for protection against active adversaries. While similar in their basic structure, the two proposals explore very different adversary models and therefore employ completely different implementation techniques. CAPA considers the tile-probe-and-fault model, the embedded analogue of multiple parties jointly computing a function with at least one honest party. Accordingly, CAPA is strongly based on the actively secure MPC protocol SPDZ and inherits its provable security properties in this model. Since this results in very expensive implementations, M&M works in a similar but more realistic adversary model and reuses building blocks from previous passively secure implementations to build more efficient actively secure threshold cryptography.
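To make the shared structure of both proposals concrete, here is a small, added example (not code from CAPA, M&M or the talk) of the SPDZ-style authenticated sharing the abstract refers to: every secret is held as additive shares together with shares of an information-theoretic MAC tag `alpha * x`, the global key `alpha` is itself shared, linear operations act share-wise on values and tags, and a fault injected into one share is caught by the MAC check at opening. The prime field, the share count and the secrets are constructed for illustration; CAPA itself works over GF(2^k) and fixes details such as committing to the check values before opening, which this toy omits.

```python
"""Toy SPDZ-style authenticated sharing (added illustration, not CAPA/M&M code).

Each secret x is held as n additive shares x_i (sum x_i = x) plus n shares m_i
of a MAC tag (sum m_i = alpha * x), where the MAC key alpha is itself shared.
A fault on a value share changes the opened value; the MAC check then fails
unless the tag is corrupted consistently, which requires knowing alpha.
"""
import secrets

P = 2_147_483_647  # constructed: Mersenne prime 2^31 - 1 used as the share field
N = 3              # constructed: number of shares ("parties" / hardware tiles)


def share(value, n=N):
    """Split value into n uniformly random additive shares over GF(P)."""
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % P)
    return shares


class FaultDetected(Exception):
    """Raised when the MAC check rejects an opened value."""


class MacKey:
    """Global MAC key alpha (non-zero), known to no single party, held as shares."""

    def __init__(self, n=N):
        self.alpha = secrets.randbelow(P - 1) + 1
        self.alpha_shares = share(self.alpha, n)


class AuthShared:
    """Authenticated sharing: value shares x_i and tag shares m_i, sum(m_i) = alpha * x."""

    def __init__(self, value_shares, tag_shares):
        self.value_shares = list(value_shares)
        self.tag_shares = list(tag_shares)

    @classmethod
    def from_secret(cls, key, value):
        """Trusted-dealer input: share x and, separately, share alpha * x."""
        value %= P
        return cls(share(value), share(key.alpha * value % P))

    def __add__(self, other):
        """[x] + [y]: each party adds its own shares; tags remain consistent."""
        return AuthShared(
            [(a + b) % P for a, b in zip(self.value_shares, other.value_shares)],
            [(a + b) % P for a, b in zip(self.tag_shares, other.tag_shares)],
        )

    def scale(self, c):
        """c * [x] for a public constant c: scale both value and tag shares."""
        return AuthShared([(c * v) % P for v in self.value_shares],
                          [(c * m) % P for m in self.tag_shares])

    def add_public(self, c, key):
        """[x] + c for public c: party 0 adds c to its value share, tags get alpha_i * c."""
        values = list(self.value_shares)
        values[0] = (values[0] + c) % P
        tags = [(m + a * c) % P for m, a in zip(self.tag_shares, key.alpha_shares)]
        return AuthShared(values, tags)

    def with_faulted_share(self, index, delta):
        """Model a fault that adds delta to one value share; the tag is untouched."""
        values = list(self.value_shares)
        values[index] = (values[index] + delta) % P
        return AuthShared(values, self.tag_shares)


def open_and_check(key, auth):
    """Reconstruct x and verify sum(m_i) == alpha * x without revealing alpha.

    Party i publishes sigma_i = m_i - alpha_i * x; the check passes iff the
    sigma_i sum to zero. A corrupted opening raises instead of returning x.
    """
    x = sum(auth.value_shares) % P
    sigmas = [(m - a * x) % P for m, a in zip(auth.tag_shares, key.alpha_shares)]
    if sum(sigmas) % P != 0:
        raise FaultDetected("MAC check failed: a value share or tag was corrupted")
    return x


def demo():
    """Linear computation on authenticated shares, then a detected single-share fault."""
    key = MacKey()
    x = AuthShared.from_secret(key, 12_345)   # constructed secret
    y = AuthShared.from_secret(key, 678)      # constructed secret
    z = (x + y.scale(3)).add_public(10, key)  # z = x + 3*y + 10
    correct = open_and_check(key, z)
    try:
        open_and_check(key, z.with_faulted_share(1, 1))
        detected = False
    except FaultDetected:
        detected = True
    return correct, detected


if __name__ == "__main__":
    print(demo())
```

The detection probability follows from the check: a fault of `delta` on a value share leaves a residue of `-alpha * delta` in the sum of the `sigma_i`, which is zero only if the adversary guesses `alpha` (probability `1/|F|`), so a larger field means a smaller undetected-fault probability. Non-linear operations need preprocessed material (Beaver-style triples in SPDZ), which is exactly where CAPA's cost arises and where M&M instead reuses existing passively secure multiplication gadgets.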
The slides are available here