and an application to masking in hardware
play

and an Application to Masking in Hardware Gatan Cassiers, - PowerPoint PPT Presentation

Oct 15, 2022 β€’720 likes β€’1.48k views

From Trivial Composition to Full Verification and an Application to Masking in Hardware Gatan Cassiers, Franois-Xavier Standaert UCLouvain (Belgium) VeriSiCC Seminar, Paris, France, September 2019 Side-Channel Analysis Side-Channel

  1. From Trivial Composition to Full Verification and an Application to Masking in Hardware Gaëtan Cassiers, François-Xavier Standaert UCLouvain (Belgium) VeriSiCC Seminar, Paris, France, September 2019

  2. Side-Channel Analysis

  3. Side-Channel Analysis

  4. Side-Channel Analysis

  5. Side-Channel Analysis

  6. Side-Channel Analysis

  7. Side-Channel Analysis

  8. Masking (e.g., Boolean 𝑦 = 𝑦 0 + 𝑦 1 + β‹― + 𝑦 𝑒 ) 𝑑 Noisy leakages security: 𝑂 ∝ MI (π‘Œ;𝑴) MI π‘Œ; 𝑴 < MI π‘Œ 𝑗 ; 𝑀 𝑗 𝑒 Goal (ideally):

  9. Masking (e.g., Boolean 𝑦 = 𝑦 0 + 𝑦 1 + β‹― + 𝑦 𝑒 ) Bounded moment security: ΰ·‘ 𝑀 𝑗 π‘Œ 𝑗 1 ,𝑗 2 ,…,𝑗 π‘’βˆ’1 ( 𝑒 -1)th order statistical moment (ideally) 𝑑 Noisy leakages security: 𝑂 ∝ MI (π‘Œ;𝑴) MI π‘Œ; 𝑴 < MI π‘Œ 𝑗 ; 𝑀 𝑗 𝑒 Goal (ideally):

  10. Masking (e.g., Boolean 𝑦 = 𝑦 0 + 𝑦 1 + β‹― + 𝑦 𝑒 ) 𝑦 = 𝑦 0 + 𝑦 1 + β‹― + 𝑦 𝑒 Probing security: Sets of ( 𝑒 -1) probes are of π‘Œ (ideally) Bounded moment security: ΰ·‘ 𝑀 𝑗 π‘Œ 𝑗 1 ,𝑗 2 ,…,𝑗 π‘’βˆ’1 ( 𝑒 -1)th order statistical moment (ideally) 𝑑 Noisy leakages security: 𝑂 ∝ MI (π‘Œ;𝑴) MI π‘Œ; 𝑴 < MI π‘Œ 𝑗 ; 𝑀 𝑗 𝑒 Goal (ideally):

  11. Security reductions abstract-qualitative 𝑦 = 𝑦 0 + 𝑦 1 + β‹― + 𝑦 𝑒 probing [Barthe et al., Eurocrypt 2017] bounded moment physical-qualitative [Duc et al., Eurocrypt 2014] physical-quantitative noisy leakages

  12. What can go wrong? (e.g., when computing 𝑏. 𝑐 ) Issue #1. Lack of randomness (can break the independence assumption) 𝑑 1 𝑏 1 𝑐 1 𝑏 1 𝑐 2 𝑏 1 𝑐 3 Example: probing 𝑑 1 = 𝑏 1 . 𝑐 1 + 𝑐 2 + 𝑐 3 𝑑 2 𝑏 2 𝑐 1 𝑏 2 𝑐 2 𝑏 2 𝑐 3 β‡’ reveals information on 𝑐 (when 𝑑 1 = 1) 𝑑 3 𝑏 3 𝑐 1 𝑏 3 𝑐 2 𝑏 3 𝑐 3

  13. What can go wrong? (e.g., when computing 𝑏. 𝑐 ) Issue #1. Lack of randomness (can break the independence assumption) β€’ mitigated by adding 𝑑 1 𝑏 1 𝑐 1 𝑏 1 𝑐 2 𝑏 1 𝑐 3 0 𝑠 𝑠 1 2 Β«refreshing gadgets Β» 𝑑 2 𝑏 2 𝑐 1 𝑏 2 𝑐 2 𝑏 2 𝑐 3 𝑠 0 𝑠 + β‡’ 2 3 β€’ can be analyzed in 𝑑 3 𝑠 𝑠 0 𝑏 3 𝑐 1 𝑏 3 𝑐 2 𝑏 3 𝑐 3 2 3 the probing model

  14. What can go wrong? (e.g., when computing 𝑏. 𝑐 ) Issue #1. Lack of randomness (can break the independence assumption) β€’ mitigated by adding 𝑑 1 𝑏 1 𝑐 1 𝑏 1 𝑐 2 𝑏 1 𝑐 3 0 𝑠 𝑠 1 2 Β«refreshing gadgets Β» 𝑑 2 𝑏 2 𝑐 1 𝑏 2 𝑐 2 𝑏 2 𝑐 3 𝑠 0 𝑠 + β‡’ 2 3 β€’ can be analyzed in 𝑑 3 𝑠 𝑠 0 𝑏 3 𝑐 1 𝑏 3 𝑐 2 𝑏 3 𝑐 3 2 3 the probing model Issue #2. Physical defaults (can break the independence assumption) Example: glitches (transcient values) Β« re-combine Β» the shares such that: 𝑀 𝑗 = πœ€(𝑦 1 βˆ™ 𝑦 2 βˆ™ 𝑦 3 ) (detected in the bounded moment model)

  15. What can go wrong? (e.g., when computing 𝑏. 𝑐 ) Issue #1. Lack of randomness (can break the independence assumption) β€’ mitigated by adding 𝑑 1 𝑏 1 𝑐 1 𝑏 1 𝑐 2 𝑏 1 𝑐 3 0 𝑠 𝑠 1 2 Β«refreshing gadgets Β» 𝑑 2 𝑏 2 𝑐 1 𝑏 2 𝑐 2 𝑏 2 𝑐 3 𝑠 0 𝑠 + β‡’ 2 3 β€’ can be analyzed in 𝑑 3 𝑠 𝑠 0 𝑏 3 𝑐 1 𝑏 3 𝑐 2 𝑏 3 𝑐 3 2 3 the probing model Issue #2. Physical defaults (can break the independence assumption) β€’ mitigated by adding a Β« non- completeness Β» property [ β‰ˆ Theshold Implementations] β€’ abstract property: can be analyzed in the probing model!

  16. Technical challenge: scalability 𝒓 -probing security [ISW, 2004] : any π‘Ÿ -tuple of shares in the protected circuit is independent of any sensitive variable

  17. Technical challenge: scalability 𝒓 -probing security [ISW, 2004] : any π‘Ÿ -tuple of shares in the protected circuit is independent of any sensitive variable Problem: the cost of testing probing security increases (very) fast with circuit size and the # of shares (since βˆƒ many tuples)

  18. Technical challenge: scalability 𝒓 -probing security [ISW, 2004] : any π‘Ÿ -tuple of shares in the protected circuit is independent of any sensitive variable Problem: the cost of testing probing security increases (very) fast with circuit size and the # of shares (since βˆƒ many tuples) β€’ Solution #1: direct verification of (weaker) circuit properties β€’ [Barthe et al., 2015/2019], [Bloem et al., 2018] β€’ Solution #2: composable verification with (stronger) properties β€’ [Barthe et al., 2016] – but limited to β€œabstract” circuits β€’ Solution #3: test more specific properties [Arribas et al., 2018]

  19. Technical challenge: scalability 𝒓 -probing security [ISW, 2004] : any π‘Ÿ -tuple of shares in the protected circuit is independent of any sensitive variable Problem: the cost of testing probing security increases (very) fast with circuit size and the # of shares (since βˆƒ many tuples) β€’ Solution #1: direct verification of (weaker) circuit properties β€’ [Barthe et al., 2015/2019], [Bloem et al., 2018] β€’ Solution #2: composable verification with (stronger) properties β€’ [Barthe et al., 2016] – but limited to β€œabstract” circuits β€’ Can be complementary: use #1 for gadgets, #2 for circuits

  20. Does it go wrong (for hardware masking) ? β€’ State-of-the-art hardware-oriented masking schemes β€’ Consolidating Masking Scheme (CMS, 2015) β€’ Domain-Oriented Masking (DOM, 2016) β€’ Unified Masking Approach (UMA, 2017) β€’ Generic Low-Latency Masking (GLM, 2018)

  21. Does it go wrong (for hardware masking) ? β€’ State-of-the-art hardware-oriented masking schemes β€’ Consolidating Masking Scheme (CMS, 2015) β€’ Domain-Oriented Masking (DOM, 2016) β€’ Unified Masking Approach (UMA, 2017) β€’ Generic Low-Latency Masking (GLM, 2018) β€’ Intuitively appealing constructions β€’ But no probing security proof at high orders β€’ Theoretical concern or practical risk?

  22. Does it go wrong (for hardware masking) ? β€’ State-of-the-art hardware-oriented masking schemes β€’ Consolidating Masking Scheme (CMS, 2015) β€’ Domain-Oriented Masking (DOM, 2016) β€’ Unified Masking Approach (UMA, 2017) β€’ Generic Low-Latency Masking (GLM, 2018) β€’ Intuitively appealing constructions β€’ But no probing security proof at high orders β€’ Theoretical concern or practical risk? β€’ [Moos et al., 2019]: all the higher-order extensions of these schemes are affected by concrete flaws β€’ Next: CMS (local) and DOM (composability) examples…

  23. Consolidating Masking Scheme β€’ Local flaw in the β€œring refreshing” algorithm β€’ Attack with 3 probes for any d >3 shares Problem: most of the randomness cancels out…

  24. Consolidating Masking Scheme β€’ Local flaw in the β€œring refreshing” algorithm β€’ Attack with 3 probes for any d >3 shares Problem: most of the randomness cancels out… Fix proposed by De Cnudde ( β‡’ CMS more similar to DOM) Composability remains unclear

  25. Composability requirements (example) π‘Ÿ 1 + π‘Ÿ 2 ≀ π‘Ÿ π‘Ÿ 1 internal probes π‘Ÿ 2 output probes 𝒓 -(Strong) Non Interference [Barthe et al., CCS 2016] : a circuit gadget (e.g., f 1 ) is NI (SNI) any set of π‘Ÿ 1 + π‘Ÿ 2 probes can be simulated with at most π‘Ÿ 1 + π‘Ÿ 2 (only π‘Ÿ 1 ) shares of each input D(input shares||probes) β‰ˆ D(input shares||simulation)

  26. Composability requirements (example) π‘Ÿ 1 + π‘Ÿ 2 ≀ π‘Ÿ π‘Ÿ 1 internal probes π‘Ÿ 2 output probes Theorem [trivial composition] β‰ˆ any composition of q -SNI gadget is q -SNI 𝒓 -(Strong) Non Interference [Barthe et al., CCS 2016] : a circuit gadget (e.g., f 1 ) is NI (SNI) any set of π‘Ÿ 1 + π‘Ÿ 2 probes can be simulated with at most π‘Ÿ 1 + π‘Ÿ 2 (only π‘Ÿ 1 ) shares of each input D(input shares||probes) β‰ˆ D(input shares||simulation)

  27. Domain Oriented Masking β€’ Two algorithms: DOM-indep and DOM-dep β€’ DOM-indep not sufficient to compose, e.g., z=x βŠ— x

  28. Domain Oriented Masking β€’ Two algorithms: DOM-indep and DOM-dep β€’ DOM-indep not sufficient to compose, e.g., z=x βŠ— x β‡’ DOM-dep critical to compose but broken (& no fix)

  29. Domain Oriented Masking β€’ Two algorithms: DOM-indep and DOM-dep β€’ DOM-indep not sufficient to compose, e.g., z=x βŠ— x β‡’ DOM-dep critical to compose but broken (& no fix) β€’ SOTA (2018): βˆƒ composable masking schemes that ignore physical defaults such as glitches & hardware- oriented masking schemes that mitigate glitches but are at best probing secure ( so not provably composable )

  30. (Refined) model and security definition π‘ž 1 Glitch-extended probes: probing any output of a combinatorial circuit allows the adversary to observe all the circuit inputs Example: π‘ž 1 gives 𝑏, 𝑐 and 𝑑

  31. (Refined) model and security definition π‘ž 1 Glitch-extended probes: probing any output of a combinatorial circuit allows the adversary to observe all the circuit inputs Example: π‘ž 1 gives 𝑏, 𝑐 and 𝑑 π‘ž 2 (SNI-related) clarification : the adversary can also probe the stable register output 𝑒 so both π‘ž 1 and π‘ž 2 appear in proofs

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Consolidating Security Notions in Hardware Masking CHES 2019 Lauren De Meyer, Begl Bilgin,

Consolidating Security Notions in Hardware Masking CHES 2019 Lauren De Meyer, Begl Bilgin,

Consolidating Security Notions in Hardware Masking CHES 2019 Lauren De Meyer, Begl Bilgin, Oscar Reparaz P ROBLEM : SIDE - CHANNEL ANALYSIS S OLUTION : M ASKING P ROBING MODEL [ISW03] Adversary can probe up to intermediate values

885 views β€’ 34 slides
Multiplicative Masking for AES in Hardware CHES 2018 Lauren De Meyer, Oscar Reparaz, Begl

Multiplicative Masking for AES in Hardware CHES 2018 Lauren De Meyer, Oscar Reparaz, Begl

Multiplicative Masking for AES in Hardware CHES 2018 Lauren De Meyer, Oscar Reparaz, Begl Bilgin P ROBLEM : SIDE - CHANNEL ANALYSIS 2 S OLUTION : M ASKING 3 E XTRA P ROBLEM : G LITCHES ! 4 B OOLEAN M ASKING ! = # $ , # &amp; , , # (

473 views β€’ 43 slides
Application Change Management and Data Masking Strategies for DBAs Jagan Athreya Ravi Pattabhi

Application Change Management and Data Masking Strategies for DBAs Jagan Athreya Ravi Pattabhi

&lt;Insert Picture Here&gt; Application Change Management and Data Masking Strategies for DBAs Jagan Athreya Ravi Pattabhi Director of Product Mgmt Consulting Member of Tech Staff Oracle Oracle The following is intended to outline our

685 views β€’ 42 slides
Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and Franois-Xavier Standaert UCL (Louvain-la-Neuve, Belgium) CHES 2017, Taipei, Taiwan Outline Background Masking Barthe et al. masking

614 views β€’ 48 slides
Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on

Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on

Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on the spatial attribute type. Proposal part 2 Details of the masking attribute addition. Table 3-13 - S100_GF_SpatialAttributeType Role Name

558 views β€’ 8 slides
Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan)

Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan)

Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan) 2017-09-29 1 quick intro to masking masking = countermeasure against DPA idea: secret sharing b = b 1 + b 2 individual shares tell you nothing

752 views β€’ 45 slides
Low Randomness Masking and Shulfifgn: An Evaluation Using Mutual Information Kostas

Low Randomness Masking and Shulfifgn: An Evaluation Using Mutual Information Kostas

Low Randomness Masking and Shulfifgn: An Evaluation Using Mutual Information Kostas Papagiannopoulos kostaspap88@gmail.com kpcrypto.net Radboud University Nijmegen Digital Security Department The Netherlands 1 Overview Masking,

785 views β€’ 46 slides
Chapter 13: I/O Systems I/O Hardware Application I/O Interface Kernel I/O Subsystem

Chapter 13: I/O Systems I/O Hardware Application I/O Interface Kernel I/O Subsystem

Chapter 13: I/O Systems I/O Hardware Application I/O Interface Kernel I/O Subsystem Transforming I/O Requests to Hardware Operations Streams Performance Operating System Concepts 13.1 Silberschatz, Galvin and Gagne

661 views β€’ 31 slides
Module 12: I/O Systems I/O Hardware Application I/O Interface Kernel I/O Subsystem

Module 12: I/O Systems I/O Hardware Application I/O Interface Kernel I/O Subsystem

' $ Module 12: I/O Systems I/O Hardware Application I/O Interface Kernel I/O Subsystem Transforming I/O Requests to Hardware Operations Performance &amp; % Operating System Concepts 12.1 Silberschatz and Galvin c 1998

123 views β€’ 11 slides
On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun Goudarzi and Matthieu Rivain CHES 2016, Santa-Barbara Higher-Order Masking x = x 1 + x 2 + + x d 2/28 Higher-Order Masking x = x 1 + x 2 +

855 views β€’ 42 slides
Virtualization The concept of using less hardware for the same application 27-6-2018

Virtualization The concept of using less hardware for the same application 27-6-2018

Virtualization The concept of using less hardware for the same application 27-6-2018 info@iautomation.nl 1 What is it Virtualization is the concept of allowing software to use very powerful hardware. This is done IT environments because

303 views β€’ 18 slides
Hardware Accelerated Application Integration: Challenges and Opportunities Active @

Hardware Accelerated Application Integration: Challenges and Opportunities Active @

Hardware Accelerated Application Integration: Challenges and Opportunities Active @ ACM/IFIP/USENIX Middleware 2017 Daniel Ritter Application Integration - De-coupling apps - Solving n-square connection and variety problems (for textual

490 views β€’ 24 slides
Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Introduction RSM: Rotating Sboxes Masking Information Theoretic Evaluation of RSM Security Evaluation of RSM against CPA and 2O-CPA Conclusions and Perspectives Formal Analysis of the Entropy / Security Trade-off in First-Order Masking

539 views β€’ 38 slides
Application of CADP to Hardware Validation Abderahman KRIOUILE and Massimo ZENDRI

Application of CADP to Hardware Validation Abderahman KRIOUILE and Massimo ZENDRI

Application of CADP to Hardware Validation Abderahman KRIOUILE and Massimo ZENDRI STMicroelectronics Forum Mthodes Formelles &quot;Le Model-Checking en action&quot; Toulouse, France, Oct 2014 Agenda 2 20 years of Hardware Validation

569 views β€’ 33 slides
Disclosures Masking and Breast Density Volpare Health Solutions (Wellington, New Zealand) Can we

Disclosures Masking and Breast Density Volpare Health Solutions (Wellington, New Zealand) Can we

6/8/2017 Disclosures Masking and Breast Density Volpare Health Solutions (Wellington, New Zealand) Can we Quantify Masking Risk? co-founder and shareholder Qview Medical (Los Altos, CA) Nico Karssemeijer consultant, co-founder and

883 views β€’ 18 slides
Understanding the Masking-Shadowing Function INRIA ; CNRS ; Univ. Grenoble Alpes in

Understanding the Masking-Shadowing Function INRIA ; CNRS ; Univ. Grenoble Alpes in

Understanding the Masking-Shadowing Function in Understanding the Masking-Shadowing Function in Microfacet-Based BRDFs 2014-09-01 Microfacet-Based BRDFs Eric Heitz Understanding the Masking-Shadowing Function INRIA ; CNRS ; Univ. Grenoble

808 views β€’ 77 slides
The Colored Refresh Server for DRAM Xing Pan, Frank Mueller North Carolina State University

The Colored Refresh Server for DRAM Xing Pan, Frank Mueller North Carolina State University

The Colored Refresh Server for DRAM Xing Pan, Frank Mueller North Carolina State University North Carolina State University 1 Real-time system Real-Time System requires: Logical Correctness: Produces correct outputs. Temporal

483 views β€’ 36 slides
Cleaning Up the Clutter: Refresh Your MadCap Flare Project Design PRESENTED BY Nate Wolf

Cleaning Up the Clutter: Refresh Your MadCap Flare Project Design PRESENTED BY Nate Wolf

Cleaning Up the Clutter: Refresh Your MadCap Flare Project Design PRESENTED BY Nate Wolf AGENDA Signs of Needing a Refresh 1 Global Project Linking 2 Refreshing Your Project 3 Staying On Track 4 Questions 5 SIGNS YOUR PROJECT NEEDS A

638 views β€’ 38 slides
EMF-IncQuery gets Sirius: faster and better diagrams kos Horvth , bel H egeds , Zoltn

EMF-IncQuery gets Sirius: faster and better diagrams kos Horvth , bel H egeds , Zoltn

EMF-IncQuery gets Sirius: faster and better diagrams kos Horvth , bel H egeds , Zoltn Ujhelyi IncQuery Labs Ltd. dm Lengyel, Istvn Rth , Dniel Varr Budapest University of Technology and Economics Budapest University of

598 views β€’ 21 slides
Refresh with Encouraged Hearts Philemon 7 Time for refreshments ! a quiet place Jesus

Refresh with Encouraged Hearts Philemon 7 Time for refreshments ! a quiet place Jesus

Refresh with Encouraged Hearts Philemon 7 Time for refreshments ! a quiet place Jesus Great Invitation How others are refreshed! Above and beyond the call of duty! Scriptures to take away Exodus 31:17 It will be a sign

192 views β€’ 15 slides
Fully Homomorphic Encryption Lecture 21 Recall Learning With Errors -s = A b A r A

Fully Homomorphic Encryption Lecture 21 Recall Learning With Errors -s = A b A r A

Fully Homomorphic Encryption Lecture 21 Recall Learning With Errors -s = A b A r A b e 1 LWE (decision version): (A,A s + e ) (A, r ), where A random m n , s uniform, e has small entries from a matrix in A Z q

514 views β€’ 12 slides
Trend Lines, Pivot Tables, and Pivot Charts Objectives Create a line chart and trendline Create

Trend Lines, Pivot Tables, and Pivot Charts Objectives Create a line chart and trendline Create

Trend Lines, Pivot Tables, and Pivot Charts Objectives Create a line chart and trendline Create a pivottable Change the layout and view of a pivottable Filter a pivottable Format a pivottable Create a pivotchart Change a pivotchart view and

319 views β€’ 15 slides
ADU-Things to Know DEC. 2017 Example Timeline for full scale architectural &amp; Interior Design

ADU-Things to Know DEC. 2017 Example Timeline for full scale architectural &amp; Interior Design

BLEND DESIGN LA is your neighborhood architectural &amp; interior design studio located in highland park. We strive to help Los Angeles home &amp; business owners realize the best potential for their properties. We provide design services for

303 views β€’ 4 slides
AJAX, fetch, and Axios Asynchronous JavaScript? HTTP Requests in the Browser URL bar

AJAX, fetch, and Axios Asynchronous JavaScript? HTTP Requests in the Browser URL bar

AJAX, fetch, and Axios Asynchronous JavaScript? HTTP Requests in the Browser URL bar Links JavaScript window.location.href = http://www.google.com' Submitting forms (GET/POST) All of the above make the browser navigate

760 views β€’ 16 slides

More recommend