Abstract
Recent attacks such as [AVFM07] and [CFGR10] show that implementations need to be protected jointly against side-channel and fault attacks.
Analogously, modern MPC protocols consider active security, i.e. security against malicious parties which not only passively eavesdrop but also actively deviate from
the protocol. This provides an opportunity for the field of threshold implementations to evolve alongside MPC and achieve provably secure implementations against
combined passive and active physical attacks.
In this talk we will discuss two recent proposals in this area: CAPA and M&M. Both start from passively secure threshold schemes
and extend them with information-theoretic MAC tags for protection against active adversaries. While similar in their most basic structure, the two proposals
explore very different adversary models and thus employ completely different implementation techniques. CAPA considers the field-probe-and-fault model,
which is the embedded analogue of multiple parties jointly computing a function with at least one of the parties honest. Accordingly, CAPA is strongly based on the
actively secure MPC protocol SPDZ [DPSZ12] and inherits its provable security properties in this model. Since this results in very expensive implementations,
M&M works in a similar but more realistic adversary model and reuses building blocks from previous passively secure implementations to build more
efficient actively secure threshold cryptography.
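To make the "threshold shares plus information-theoretic MAC tags" structure concrete, here is an added toy model of SPDZ-style authenticated sharing written for this page; it is not code from CAPA, M&M or SPDZ. It works over a prime field rather than the binary fields a hardware implementation would use, models the parties as Python lists instead of tiles, and uses a trusted dealer for the MAC key and Beaver triples; all names (`Auth`, `Preprocessing`, `open_checked`, `mul`, `run`) are this example's own. It shows the two properties the abstract relies on: linear operations and a Beaver multiplication are carried out on shares and tags alike, and a fault injected into one share is caught by the MAC check unless the adversary guesses the key alpha.

```python
"""Toy SPDZ-style authenticated secret sharing (illustrative, not CAPA/M&M code).

A value x is additively shared among N parties and carries a shared MAC tag
alpha*x under a shared key alpha. Linear operations are local, a multiplication
consumes a preprocessed Beaver triple, and every opened value is checked
against its tag. An adversary who probes fewer than N shares learns nothing
about alpha, so a fault on a share cannot be matched with a corrected tag.
"""
import secrets

P = 2**61 - 1   # prime field; a forged tag passes the check with probability 1/P
N = 3           # number of shares (parties / cells); at least one stays honest


def rand():
    return secrets.randbelow(P)


def share(x, n=N):
    """Additive secret sharing: n uniformly random shares that sum to x mod P."""
    s = [rand() for _ in range(n - 1)]
    s.append((x - sum(s)) % P)
    return s


class Auth:
    """Authenticated sharing [x] = (shares of x, shares of alpha*x)."""

    def __init__(self, val, tag):
        self.val, self.tag = val, tag

    def __add__(self, o):
        return Auth([(a + b) % P for a, b in zip(self.val, o.val)],
                    [(a + b) % P for a, b in zip(self.tag, o.tag)])

    def __sub__(self, o):
        return Auth([(a - b) % P for a, b in zip(self.val, o.val)],
                    [(a - b) % P for a, b in zip(self.tag, o.tag)])

    def scale(self, c):
        """Multiply by a public constant: value and tag shares scale alike."""
        return Auth([c * a % P for a in self.val], [c * t % P for t in self.tag])

    def add_const(self, c, alpha_shares):
        """Add a public constant: share 0 absorbs c, every tag share absorbs c*alpha_i."""
        val = list(self.val)
        val[0] = (val[0] + c) % P
        tag = [(t + c * ai) % P for t, ai in zip(self.tag, alpha_shares)]
        return Auth(val, tag)


class Preprocessing:
    """Trusted dealer (hypothetical): samples and shares the MAC key, issues authenticated values and triples."""

    def __init__(self):
        self.alpha_shares = share(rand())
        self.alpha = sum(self.alpha_shares) % P   # only the dealer ever sees alpha whole

    def authenticate(self, x):
        return Auth(share(x), share(self.alpha * x % P))

    def triple(self):
        a, b = rand(), rand()
        return self.authenticate(a), self.authenticate(b), self.authenticate(a * b % P)


def open_checked(x, alpha_shares):
    """Reconstruct x and run the MAC check: sum_i (tag_i - x*alpha_i) must be 0."""
    v = sum(x.val) % P
    sigma = sum((t - v * ai) % P for t, ai in zip(x.tag, alpha_shares)) % P
    if sigma != 0:
        raise ValueError("MAC check failed: a share was tampered with")
    return v


def mul(x, y, pre, alpha_shares):
    """Beaver multiplication: [z] = [c] + d[b] + e[a] + d*e with d = x-a, e = y-b opened and checked."""
    a, b, c = pre.triple()
    d = open_checked(x - a, alpha_shares)
    e = open_checked(y - b, alpha_shares)
    return (c + b.scale(d) + a.scale(e)).add_const(d * e % P, alpha_shares)


def run(x, y, fault=False):
    """Compute x*y on authenticated shares; optionally inject a fault into one product share.

    Returns (value, True) if the MAC check passes and (None, False) if it catches the fault.
    """
    pre = Preprocessing()
    z = mul(pre.authenticate(x), pre.authenticate(y), pre, pre.alpha_shares)
    if fault:
        z.val[1] = (z.val[1] + 1) % P   # one share is flipped; the tag cannot be fixed without alpha
    try:
        return open_checked(z, pre.alpha_shares), True
    except ValueError:
        return None, False
```

The check passes only if the opened value agrees with the tag under the shared key, so a single-share fault produces a nonzero sigma and the computation aborts with probability 1 - 1/P. A real SPDZ deployment opens the partial sigma_i through commitments so a cheater cannot adapt after seeing the others, and CAPA additionally has to keep every tile's share and tag operations physically separate; both are omitted here for brevity.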