and the Bounded Moment Leakage Model G. Barthe, F. Dupressoir, S. - - PowerPoint PPT Presentation



SLIDE 1

Parallel Implementations of Masking Schemes and the Bounded Moment Leakage Model

G. Barthe, F. Dupressoir, S. Faust, B. Grégoire, F.-X. Standaert, P.-Y. Strub

IMDEA (Spain), Univ. Surrey (UK), Univ. Bochum (Germany), INRIA Sophia-Antipolis (France), UCL (Belgium), Ecole Polytechnique (France)

EUROCRYPT 2017, Paris, France

SLIDE 2

Outline

  • Introduction / motivation
  • Side-channel attacks and noise
  • Masking and leakage models
  • Bounded moment model
  • Masking intuition & BMM definition
  • Probing security ⇒ BM security
  • Parallel multiplication (& refreshing)
  • BM security ⇏ probing security
  • Inner product masking (with “non-mixing” leakages)
  • Continuous security & refreshing gadgets
  • Conclusions

SLIDE 4

Side-channel attacks

  • ≈ physical attacks that decrease security exponentially in the # of measurements

[Figure: success probability as a function of the number of measurements, for several computation budgets (2^32, 2^64, 2^96)]
SLIDE 5–7

Noise (hardware countermeasures)

  • Additive noise ≈ cost × 2 ⇒ security × 2

⇒ not a good (crypto) security parameter

SLIDE 9

Masking (≈ noise amplification)

  • Example: Boolean encoding
  • With y_1, y_2, …, y_{d−2}, y_{d−1} ← {0,1}^n

y = y_1 ⊕ y_2 ⊕ ⋯ ⊕ y_{d−1} ⊕ y_d
SLIDE 10–12

Masking (abstract view)

  • Probing security (Ishai, Sahai, Wagner 2003)
  • d − 1 probes do not reveal anything on y
  • But d probes completely reveal y

y = y_1 ⊕ y_2 ⊕ ⋯ ⊕ y_{d−1} ⊕ y_d
SLIDE 13–15

Masking (concrete view)

  • Probing security (Ishai, Sahai, Wagner 2003)
  • Bounded information leakage MI(Y_i; L)^d
  • Noisy leakage security (Prouff, Rivain 2013)
  • Reduction to probing security under noise and independence (Duc, Dziembowski, Faust 2014)

y = y_1 ⊕ y_2 ⊕ ⋯ ⊕ y_{d−1} ⊕ y_d
SLIDE 16–18

Motivation / open questions

  • 1. What happens with parallel implementations?
  • For example: one probe reveals the shares’ sum
  • 2. How to test physical independence? (consolidating)
  • W/O directly working in the noisy leakage model

SLIDE 20–22

Masking statistical intuition

  • 2-share / 1-bit example, serial implementation

L_1 = y_1 + n_1, L_2 = y_2 + n_2

  • 2-share / 1-bit example, parallel implementation

L = y_1 + y_2 + n

Definition (informal). An implementation is secure at order o in the bounded moment model if all mixed statistical moments of order up to o of its leakage vectors are independent of any sensitive variable manipulated.
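The 2-share intuition and the definition above can be checked exactly by enumeration. The following Python script is an added example, not code from the talk or its authors: it enumerates every d-share Boolean encoding of a 1-bit secret y under noise-free Hamming-weight leakage, with either one leakage sample per share (serial) or a single sample equal to the sum of all shares (parallel), and returns the largest order o at which every mixed moment of order ≤ o is the same for y = 0 and y = 1. Leaving the noise out is an assumption that does not change the answer: noise that is independent of the shares enters each moment of L + n only through lower-order moments of L, so the first order at which a moment depends on y is the same with or without it. The function names (bm_security_order, conditional_moment, …) are this example's own.

```python
from fractions import Fraction
from itertools import product


def boolean_sharings(y, d):
    """Every d-share Boolean encoding of the 1-bit secret y, all equally likely:
    y_1..y_{d-1} are uniform and y_d = y ^ y_1 ^ ... ^ y_{d-1}."""
    for rnd in product((0, 1), repeat=d - 1):
        last = y
        for r in rnd:
            last ^= r
        yield rnd + (last,)


def leakage(shares, parallel):
    """Noise-free Hamming-weight leakage of 1-bit shares (assumption, see lead-in).
    Serial: one sample per share.  Parallel: one sample, the sum of all shares."""
    return (sum(shares),) if parallel else tuple(shares)


def exponent_vectors(m, order):
    """All (k_1, ..., k_m) with k_i >= 0 and k_1 + ... + k_m == order."""
    if m == 1:
        yield (order,)
        return
    for k in range(order + 1):
        for rest in exponent_vectors(m - 1, order - k):
            yield (k,) + rest


def conditional_moment(y, d, parallel, ks):
    """Mixed moment E[L_1^k_1 * ... * L_m^k_m | y], computed exactly as a Fraction."""
    samples = [leakage(s, parallel) for s in boolean_sharings(y, d)]
    total = Fraction(0)
    for L in samples:
        term = Fraction(1)
        for l, k in zip(L, ks):
            term *= l ** k
        total += term
    return total / len(samples)


def bm_security_order(d, parallel, max_order):
    """Largest o <= max_order such that every mixed moment of order <= o is identical
    for y = 0 and y = 1, i.e. the bounded-moment security order of the encoding."""
    m = 1 if parallel else d
    for order in range(1, max_order + 1):
        for ks in exponent_vectors(m, order):
            if conditional_moment(0, d, parallel, ks) != conditional_moment(1, d, parallel, ks):
                return order - 1
    return max_order


if __name__ == "__main__":
    for d in (2, 3, 4):
        print(d, "shares: serial order", bm_security_order(d, False, d + 1),
              "| parallel order", bm_security_order(d, True, d + 1))
```

For the 2-share parallel case the first moment of y_1 + y_2 is 1 for both values of y, but its second moment is 2 for y = 0 and 1 for y = 1 (the sum is 0 or 2 versus always 1), so the encoding is BM-secure at order 1 only. Serial and parallel d-share encodings both come out at order d − 1, which is what the reduction on the following slides predicts.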

SLIDE 24–26

Abstract reduction (answer to Q1)

  • Theorem (informal). A parallel implementation is secure at order o in the BMM if its serialization is secure at order o in the probing model, where
  • Adv_pr can (typically) probe o = d − 1 wires
  • Adv_bm can observe any L = Σ_{i=1}^{d} α_i · y_i
  • Intuition: summing the shares (in ℝ) does not break the independent leakage assumption
  • Main difference between probing and BM security:
  • Adv_bm can sum over all the shares!
  • BM security is weaker (moments vs. distributions)
SLIDE 27–28

Concrete consequence (answer to Q2)

  • If physically independent leakages, BM security extends to actual measurements (e.g., d = 3)
  • If not, leakages are not independent

SLIDE 30–31

Serial multiplication

  • ISW 2003: multiplication c = a × b
  • AES S-box (n = 8) implementation
  • a = a_1 ⊕ a_2 ⊕ ⋯ ⊕ a_d (e.g., d = 8)
  • Each register stores one a_i (i.e., a GF(2^8) element)
  • Memory ∝ n · d, Time ∝ d^2 GF(2^8) mult.
  • AES S-box ≈ 3 multiplications (& 4 squarings)

[Figure (d = 3): the 3×3 matrix of partial products a_i b_j is XORed with the refresh matrix (0, r_1, r_2; −r_1, 0, r_3; −r_2, −r_3, 0) and compressed row-wise ⇒ c_1, c_2, c_3]
SLIDE 32–34

Parallel multiplication

  • Main tweak: interleave & regularize
  • AES S-box (n = 8) implementation
  • a = a_1 ⊕ a_2 ⊕ ⋯ ⊕ a_d (e.g., d = 8)
  • Each register stores n a_i’s (i.e., GF(2) elements)
  • Memory ∝ n · d, Time ∝ d GF(2) mult. (i.e., ANDs)
  • AES bitslice S-box ≈ 32 AND gates (& 83 XORs)

⇒ Performance gains with large d’s (8, 16, 32)

[Figure (d = 3): register-wise schedule: the diagonal products (a_1 b_1, a_2 b_2, a_3 b_3) ⊕ (r_1, r_2, r_3) ⊕ the six cross products a_i b_j (i ≠ j), taken as two rotated register pairs, ⊕ (r_3, r_1, r_2) ⇒ (c_1, c_2, c_3)]
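Added example (not the talk's or the paper's code) of the register-wise structure sketched in the figure, written in Python with the d shares kept in N-bit integers so that each AND or XOR on a register processes N independent 1-bit secrets at once. The odd share count, the register width N = 32 and the rotation schedule are this example's reconstruction of the figure; the check only establishes functional correctness (the shares of the result recombine to a AND b), and whether this exact schedule is SNI is the question the talk's tool-based analysis addresses, not something this script proves. It also includes the "add a sharing of zero" refresh a ⊕ r ⊕ rot(r) that the talk returns to under continuous security.

```python
import random

N = 32                      # register width (assumption): N independent 1-bit secrets per register
MASK = (1 << N) - 1


def rot(v, k=1):
    """Cyclic rotation of a share vector: rot(v, k)[i] = v[(i + k) mod d]."""
    k %= len(v)
    return v[k:] + v[:k]


def share(x, d, rng):
    """Boolean encoding x = x_1 ^ ... ^ x_d of an N-bit register; x_1..x_{d-1} are uniform."""
    shares = [rng.getrandbits(N) for _ in range(d - 1)]
    last = x
    for s in shares:
        last ^= s
    return shares + [last]


def unshare(v):
    """Recombine the shares (done only by the checks below, never inside the masked computation)."""
    x = 0
    for s in v:
        x ^= s
    return x


def refresh(a, rng):
    """The simple 'add a sharing of zero' refresh from the talk: a ^ r ^ rot(r)."""
    r = [rng.getrandbits(N) for _ in a]
    return [ai ^ ri ^ rj for ai, ri, rj in zip(a, r, rot(r))]


def mul(a, b, rng):
    """Register-wise masked AND for an odd number of shares d.

    Every step applies the same operation to all d registers ('regularize').  The
    cross products a_i b_j (i != j) are covered by pairing a with rot(b, j) and
    rot(a, j) with b for j = 1..(d-1)/2, and fresh randomness r is interleaved
    before and after each pair ('interleave'); r cancels in the XOR of all shares.
    The rotation schedule is this example's reconstruction of the figure.
    """
    d = len(a)
    if d != len(b) or d % 2 == 0:
        raise ValueError("need the same odd number of shares in both operands")
    c = [ai & bi for ai, bi in zip(a, b)]                           # diagonal products a_i b_i
    for j in range(1, (d - 1) // 2 + 1):
        r = [rng.getrandbits(N) for _ in range(d)]
        c = [ci ^ ri for ci, ri in zip(c, r)]                       # mask before mixing
        c = [ci ^ (ai & bj) for ci, ai, bj in zip(c, a, rot(b, j))]  # a_i b_{i+j}
        c = [ci ^ (aj & bi) for ci, aj, bi in zip(c, rot(a, j), b)]  # a_{i+j} b_i
        c = [ci ^ rj for ci, rj in zip(c, rot(r, j))]               # second copy of r
    return c


def check_mul(d, trials=200, seed=2017):
    """Functional check: unshare(mul(a, b)) == unshare(a) & unshare(b) on random inputs."""
    rng = random.Random(seed)
    for _ in range(trials):
        x, y = rng.getrandbits(N), rng.getrandbits(N)
        a, b = share(x, d, rng), share(y, d, rng)
        if unshare(mul(refresh(a, rng), b, rng)) != x & y:
            return False
    return True


def check_refresh(d, trials=100, seed=1):
    """Functional check: refreshing does not change the encoded value."""
    rng = random.Random(seed)
    for _ in range(trials):
        x = rng.getrandbits(N)
        if unshare(refresh(share(x, d, rng), rng)) != x:
            return False
    return True


if __name__ == "__main__":
    print({d: check_mul(d) for d in (3, 5, 7)}, check_refresh(4))
```

Because the loop body touches all d registers in the same way, the number of register operations grows linearly in d while each of them performs N field multiplications in GF(2) at once, which is the cost profile the slide describes.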

SLIDE 35–37

Security analysis

  • We analyzed the SNI security of the gadgets (≈ composable probing security, Barthe et al. 2016)
  • Iterating the refresh (d − 1)/3 times is SNI for d < 12
  • Multiplication is more tricky…

SLIDE 39–41

Specialized encodings

  • Probing security is stronger than BM security
  • (And also stronger than noisy leakage security)
  • Is it sometimes “too strong”?
  • i.e., breaks designs that are secure against DPA
  • Example: Boolean encoding (2 shares): y = y_1 ⊕ y_2
  • IP masking in GF(2^8) with “non-mixing” leakages: y = Σ_{i=1}^{2} p_i × s_i

[Figure: plots for p_2 = 1, p_2 = 5, p_2 = 7]
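Added example (not from the talk or the paper) that computes, in Python, the mixed moments behind the IP-masking plots exactly. It assumes the AES reduction polynomial x^8 + x^4 + x^3 + x + 1 for GF(2^8) (the slide only says GF(2^8)), the encoding y = s_1 + p_2 · s_2 with p_1 = 1 and s_2 uniform, and "non-mixing" Hamming-weight leakage, i.e. the leakage vector (HW(s_1), HW(s_2)) with one sample per share; the function names are this example's own. For p_2 = 1 (Boolean masking) the second-order mixed moment E[HW(s_1) · HW(s_2) | y] depends on y, so the BM security order is 1, matching the two probes that break it. For p_2 = 5 every moment of order ≤ 2 is identical for all 256 secrets, so the encoding is BM-secure at order 2 even though it is still only 1-probing secure; raising max_order explores higher orders and p_2 = 7 in the same way.

```python
from fractions import Fraction


def gf256_mul(a, b):
    """Multiplication in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (AES polynomial; assumption)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


HW = [bin(v).count("1") for v in range(256)]   # Hamming-weight leakage of one byte


def leakage_table(p2):
    """For every secret y, the 256 equally likely non-mixing leakage vectors
    (HW(s_1), HW(s_2)) of the 2-share IP encoding y = s_1 + p2 * s_2 (p1 = 1)."""
    p2s2 = [gf256_mul(p2, s2) for s2 in range(256)]
    return {y: [(HW[y ^ p2s2[s2]], HW[s2]) for s2 in range(256)] for y in range(256)}


def moment(table, y, k1, k2):
    """Mixed moment E[HW(s_1)^k1 * HW(s_2)^k2 | y], exact."""
    return Fraction(sum(l1 ** k1 * l2 ** k2 for l1, l2 in table[y]), 256)


def ip_bm_security_order(p2, max_order):
    """Largest o <= max_order such that every mixed moment of order <= o takes the
    same value for all 256 secrets, i.e. the BM security order of the encoding."""
    table = leakage_table(p2)
    for order in range(1, max_order + 1):
        for k1 in range(order + 1):
            k2 = order - k1
            values = {moment(table, y, k1, k2) for y in range(256)}
            if len(values) > 1:
                return order - 1
    return max_order


if __name__ == "__main__":
    for p2 in (1, 5, 7):
        print("p2 =", p2, "-> BM security order (up to 2):", ip_bm_security_order(p2, 2))
```

The numbers are easy to sanity-check by hand for p_2 = 1: with y = 0 the two shares are equal and E[HW(s_1)·HW(s_2)] = E[HW(s)^2] = 2 + 4^2 = 18, while with y = 0xFF the shares are complementary and the same moment is E[(8 − HW(s))·HW(s)] = 32 − 18 = 14.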


SLIDE 43–45

Continuous security

  • So far we discussed “one-shot” probing attacks
  • Yet, side-channel attacks are usually continuous
  • i.e., accumulate information from multiple executions
  • Typical issue: refreshing by adding a sharing of 0
  • Frequently used in practice
  • Yet insecure in the continuous probing model
  • What does it mean concretely?
  • i.e., can we (sometimes) use such a refreshing?
SLIDE 46–59

Continuous probing attack

  • Target: refresh(a) = a ⊕ r ⊕ rot(r)

[Figure (d = 4): the shares a_1^(1), a_2^(1), a_3^(1), a_4^(1) are refreshed once per step; step t XORs fresh randomness r_1^(t), r_2^(t), r_3^(t), r_4^(t) and its rotation r_4^(t), r_1^(t), r_2^(t), r_3^(t) into the shares, giving a_1^(t), …, a_4^(t). Accumulated knowledge of the probing adversary: ∅ before step 1; a_1^(1) after step 1; a_1^(2) ⊕ a_2^(2) after step 2; a_1^(3) ⊕ a_2^(3) ⊕ a_3^(3) after step 3]

⇒ After d iterations, a is learned in full by Adv_pr

  • Not possible in the BMM. Intuition: adaptation does not help since Adv_bm can anyway sum over all shares!
  • Impact: refresh(·) can be used to refresh the key of a key-homomorphic primitive (⇒ fully linear overheads)

SLIDE 61–64

Conclusions

  • Probing security is relevant to parallel implem.
  • BMM suggests a principled path to security eval.
  • Parallel implem. are appealing for masking
  • Leverage the memory needed to store shares
  • Cont. probing security sometimes “too strong”

[Diagram: probing security → noisy leakage security ([DDF14] + noise, …) and probing security → bounded moment security]
SLIDE 65

THANKS

http://perso.uclouvain.be/fstandae/