Consolidating Security Notions in Hardware Masking CHES 2019 - PowerPoint PPT Presentation



  1. Consolidating Security Notions in Hardware Masking CHES 2019 Lauren De Meyer, Begül Bilgin, Oscar Reparaz

2. Problem: side-channel analysis

3. Solution: masking

4. Probing model [ISW03]
• Adversary can probe up to d intermediate values
• "Ideal circuit": probes are exact, instantaneous and independent of each other
• Basis for many proofs in SCA (figure source: [BDF+17])
[ISW03] Yuval Ishai, Amit Sahai, David A. Wagner: Private Circuits: Securing Hardware against Probing Attacks. CRYPTO 2003: 463-481
[BDF+17] Gilles Barthe, François Dupressoir, Sebastian Faust, Benjamin Grégoire, François-Xavier Standaert, Pierre-Yves Strub: Parallel Implementations of Masking Schemes and the Bounded Moment Leakage Model. EUROCRYPT (1) 2017: 535-566

5. Masking
• Goal: no correlation between any d wires and the secret
• Split sensitive intermediates into d + 1 shares (three shares shown, i.e. d = 2)
• $x = x_0 \circ x_1 \circ x_2 \;\Rightarrow\; y = F(x) = y_0 \circ y_1 \circ y_2$, where $\circ$ is the operation of the masking scheme (e.g. $\oplus$ for Boolean masking)

6. Extra problem in HW: glitches!

7. Glitch-extended probing model [RBN+15]
• d probes
• Assume a glitch on a block of combinational logic C can reveal any of its inputs
• → This includes the worst-case glitch: a glitch-extended probe on a wire sees every input of the combinational logic driving it
[RBN+15] Oscar Reparaz, Begül Bilgin, Svetla Nikova, Benedikt Gierlichs, Ingrid Verbauwhede: Consolidating Masking Schemes. CRYPTO (1) 2015: 764-783

8. I( ; ) = 0 (mutual information between the probed values and the secret; the two arguments were pictured on the slide)

9. I( ; ) = 0
• Simple
• Versatile
  o Probing / NI / SNI
  o Different models (with/without glitches, …)
  o Any type of masking (Boolean, multiplicative, arithmetic, …)
  o Non-uniformity possible
  o Information-theoretic vs. practical security
  o Leakage functions (identity, Hamming weight, …)

10. The story

11. CHES '18: multiplicative masking [DRB18]
Boolean to multiplicative → local multiplicative inversion → multiplicative to Boolean
• δ_x (not Boolean masking)
• Randomness recycling
[DRB18] Lauren De Meyer, Oscar Reparaz, Begül Bilgin: Multiplicative Masking for AES in Hardware. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(3): 431-468 (2018)

12. How to verify?

13. Tool from [Rep16]
(Figure: simulated intermediate values 0x31 0x9A 0xF5 0x3F 0xB5 0x8A)
• Simulated traces of intermediates
• Random inputs
• → TVLA (t-test) to detect flaws
• Higher orders: combine probes (e.g. centered product)
• Only for software (no glitches)
[Rep16] Oscar Reparaz: Detecting Flawed Masking Schemes with Leakage Detection Tests. FSE 2016: 204-222

14. Idea: glitch-extended probes
(Figure: probe values 0x31 0x9A 0xF5 become glitch-extended values 0x319A 0x31F5 0x3FB5)
• Replace regular probes with glitch-extended probes
• → TVLA to detect flaws
• Higher orders: ?

15. Idea: glitch-extended probes
• Higher orders: concatenate extended probes → χ² test to detect flaws
• (Figure: concatenated values 0x9A31F5 0x31F53FB5 0x319A3FB5)

16. Essentially: $I(\mathcal{Q}; x) = 0$ for the glitch-extended probes $\mathcal{Q}$
[BBF+18] Gilles Barthe, Sonia Belaïd, Pierre-Alain Fouque, Benjamin Grégoire: maskVerif: a formal tool for analyzing software and hardware masked implementations. IACR Cryptology ePrint Archive 2018: 562 (2018)

17. Probing security with / without glitches

18. Glitch-extended probing security [GM10]
Given d wires $Q = (q_1, \dots, q_d)$: $I(Q; x) = 0$
[GM10] Berndt M. Gammel, Stefan Mangard: On the Duality of Probing and Fault Attacks. J. Electronic Testing 26(4): 483-493 (2010)

19. Glitch-extended probing security
Given d wires $Q = (q_1, \dots, q_d)$ with glitch-extended probes $\mathcal{Q} = (\mathcal{Q}_1, \dots, \mathcal{Q}_d)$: $I(\mathcal{Q}; x) = 0$
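Slides 13–19 describe the check in procedural terms: simulate the intermediates of a masked netlist, replace each regular probe by a glitch-extended probe (everything in the combinational cone of the probed wire), concatenate extended probes for higher orders, and test whether the observation depends on the secret, which the deck reduces to $I(\mathcal{Q}; x) = 0$. The Python below is an added example, not the authors' tool, [Rep16]'s tool or maskVerif: for a netlist small enough to enumerate, it evaluates every assignment of shares and randomness and computes the mutual information exactly instead of estimating it with a t-test or χ² test on sampled traces. The netlist format, the function names, and the two gadgets (an unregistered 2-share ISW AND and the 3-share threshold-implementation AND) are this example's own constructions.

```python
# Exact I(probes; secret) for small masked netlists under regular or
# glitch-extended probes.  Added example; not the authors' tool.  The netlist
# format, gadget names and exhaustive evaluation are this example's own choices.
from itertools import product, combinations
from collections import Counter
from math import log2

# Gadget = primary inputs (shares, fresh randomness), a function recovering the
# unshared secret, and gates wire -> (op, inputs), op in {"and", "xor", "reg"}.
# Gates are listed after the wires they read.  "reg" marks a register: a
# glitch-extended probe does not see through it.

# Constructed: 2-share ISW AND (d = 1) with no registers between the stages.
ISW_AND = {
    "inputs": ["x0", "x1", "y0", "y1", "r"],
    "secret": lambda v: (v["x0"] ^ v["x1"], v["y0"] ^ v["y1"]),
    "gates": {
        "a00": ("and", ["x0", "y0"]), "a01": ("and", ["x0", "y1"]),
        "a10": ("and", ["x1", "y0"]), "a11": ("and", ["x1", "y1"]),
        "z0": ("xor", ["a00", "r"]),           # z0 = x0*y0 + r
        "t1": ("xor", ["r", "a01"]),
        "t2": ("xor", ["t1", "a10"]),
        "z1": ("xor", ["a11", "t2"]),          # z1 = x1*y1 + ((r + x0*y1) + x1*y0)
    },
}

# Constructed: 3-share threshold implementation of AND [NRS11].  Output share
# z_i only reads shares j, k != i of both inputs (non-completeness).
TI_AND = {
    "inputs": ["x0", "x1", "x2", "y0", "y1", "y2"],
    "secret": lambda v: (v["x0"] ^ v["x1"] ^ v["x2"], v["y0"] ^ v["y1"] ^ v["y2"]),
    "gates": {},
}
for i in range(3):
    j, k, g = (i + 1) % 3, (i + 2) % 3, TI_AND["gates"]
    g[f"p{j}{j}"] = ("and", [f"x{j}", f"y{j}"])
    g[f"p{j}{k}"] = ("and", [f"x{j}", f"y{k}"])
    g[f"p{k}{j}"] = ("and", [f"x{k}", f"y{j}"])
    g[f"s{i}"] = ("xor", [f"p{j}{j}", f"p{j}{k}"])
    g[f"z{i}"] = ("xor", [f"s{i}", f"p{k}{j}"])   # z_i = x_j y_j + x_j y_k + x_k y_j

OPS = {"and": lambda a, b: a & b, "xor": lambda a, b: a ^ b, "reg": lambda a: a}


def evaluate(gadget, assignment):
    """Value of every wire for one assignment of the primary inputs."""
    v = dict(assignment)
    for wire, (op, ins) in gadget["gates"].items():
        v[wire] = OPS[op](*(v[i] for i in ins))
    return v


def cone(gadget, wire):
    """Registers/primary inputs feeding `wire` through combinational logic:
    everything a worst-case glitch on `wire` may reveal [RBN+15]."""
    gates = gadget["gates"]
    if wire not in gates or gates[wire][0] == "reg":
        return {wire}
    return set().union(*(cone(gadget, i) for i in gates[wire][1]))


def observe(values, gadget, wires, glitch):
    """What a set of probes sees; glitch-extended probes are concatenated cones."""
    if not glitch:
        return tuple(values[w] for w in wires)
    return tuple(values[leaf] for w in wires for leaf in sorted(cone(gadget, w)))


def mutual_information(gadget, wires, glitch):
    """Exact I(probes; secret) in bits with all primary inputs uniform."""
    inputs = gadget["inputs"]
    joint, marg_p, marg_s = Counter(), Counter(), Counter()
    for bits in product((0, 1), repeat=len(inputs)):
        values = evaluate(gadget, dict(zip(inputs, bits)))
        p, s = observe(values, gadget, wires, glitch), gadget["secret"](values)
        joint[p, s] += 1
        marg_p[p] += 1
        marg_s[s] += 1
    n = 2 ** len(inputs)   # the integer ratio below is exactly 1 when independent
    return sum(c / n * log2(c * n / (marg_p[p] * marg_s[s])) for (p, s), c in joint.items())


def max_leakage(gadget, order, glitch):
    """Worst-case probe set of the given order: (bits of secret leaked, wires)."""
    return max((mutual_information(gadget, ws, glitch), ws)
               for ws in combinations(gadget["gates"], order))


if __name__ == "__main__":
    for name, gadget in (("ISW 2-share AND", ISW_AND), ("TI 3-share AND", TI_AND)):
        for order, glitch in ((1, False), (1, True), (2, True)):
            bits, wires = max_leakage(gadget, order, glitch)
            kind = "glitch-extended" if glitch else "regular"
            print(f"{name}, {order} {kind} probe(s): {bits:.2f} bit(s) via {wires}")
```

Running it reproduces the point of slides 6–7 and 21–22: the ISW AND leaks nothing to any single regular probe but a single glitch-extended probe on z1 (whose cone contains every share and the randomness) reveals both secret bits, while the non-complete TI AND leaks nothing to any single glitch-extended probe and, as expected for a first-order TI, gives everything away to two of them. The exhaustive enumeration scales only to toy gadgets; for real designs the slides' statistical tests (TVLA on concatenated extended probes, χ² for higher orders) estimate the same quantity from sampled traces.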

20. Threshold implementations

21. Threshold implementations [NRS11]
• Non-completeness (figure: $x_0 \to f_0 \to y_0$, $x_1 \to f_1 \to y_1$, $x_2 \to f_2 \to y_2$; every component function $f_i$ is independent of at least one input share)
• Uniformity: $\forall\, x_0, x_1, x_2$ s.t. $x_0 \oplus x_1 \oplus x_2 = x$: $\Pr[x_0, x_1, x_2 \mid x] = p$
[NRS11] Svetla Nikova, Vincent Rijmen, Martin Schläffer: Secure Hardware Implementation of Nonlinear Functions in the Presence of Glitches. J. Cryptology 24(2): 292-321 (2011)

22. Threshold implementations [NRS11]
• Non-completeness (figure: $x_0 \to f_0 \to y_0$, $x_1 \to f_1 \to y_1$, $x_2 \to f_2 \to y_2$) ⇒ 1-glitch-extended probing security: $I(\mathcal{Q}; x) = 0$
• Uniformity: $\forall\, x_0, x_1, x_2$ s.t. $x_0 \oplus x_1 \oplus x_2 = x$: $\Pr[x_0, x_1, x_2 \mid x] = p$ (not sufficient for higher-order probing security [RBN+15])
[NRS11] Svetla Nikova, Vincent Rijmen, Martin Schläffer: Secure Hardware Implementation of Nonlinear Functions in the Presence of Glitches. J. Cryptology 24(2): 292-321 (2011)
[RBN+15] Oscar Reparaz, Begül Bilgin, Svetla Nikova, Benedikt Gierlichs, Ingrid Verbauwhede: Consolidating Masking Schemes. CRYPTO (1) 2015: 764-783

23. Threshold implementations [NRS11]
(Comparison table on slide) Columns: Non-completeness, Uniformity, $I(\mathcal{Q}; x) = 0$. Rows: Sufficient; Necessary; Efficient verification [ANR18]; Multi-variate; Knowledge required.
[NRS11] Svetla Nikova, Vincent Rijmen, Martin Schläffer: Secure Hardware Implementation of Nonlinear Functions in the Presence of Glitches. J. Cryptology 24(2): 292-321 (2011)
[ANR18] Victor Arribas, Svetla Nikova, Vincent Rijmen: VerMI: Verification Tool for Masked Implementations. ICECS 2018: 381-384

24. (Strong) non-interference

25. (Strong) non-interference [BBD+16]
• Notions introduced for composable security
• More efficient verification (maskVerif [BBF+18])
• Based on simulatability (figure: a gadget with internal probes $\mathcal{I}$ and output probes $\mathcal{O}$, and a simulator that reproduces them from a set $\mathcal{S}$ of input shares):
  $|\mathcal{S}| \le |\mathcal{I}| + |\mathcal{O}|$ (NI), $|\mathcal{S}| \le |\mathcal{I}|$ (SNI)
• Implies t-probing security
[BBD+16] Gilles Barthe, Sonia Belaïd, François Dupressoir, Pierre-Alain Fouque, Benjamin Grégoire, Pierre-Yves Strub, Rébecca Zucchini: Strong Non-Interference and Type-Directed Higher-Order Masking. ACM Conference on Computer and Communications Security 2016: 116-129
[BBF+18] Gilles Barthe, Sonia Belaïd, Pierre-Alain Fouque, Benjamin Grégoire: maskVerif: a formal tool for analyzing software and hardware masked implementations. IACR Cryptology ePrint Archive 2018: 562 (2018)

26–29. (Strong) non-interference [BBD+16] (built up over four slides)
• Originally without glitches
• Extended by the robust probing model [FGD+18]
• Unified with the mutual-information framework (figure: gadget with internal probes $\mathcal{I}$, output probes $\mathcal{O}$, and the input shares $\mathcal{S}$ the simulator uses): given the shares in $\mathcal{S}$, the probes reveal nothing about the remaining input shares,
  $I(\mathcal{I}, \mathcal{O};\ \bar{x}_{\mathcal{S}} \mid x_{\mathcal{S}}) = 0$
  o Example: output probes only & SNI: $\mathcal{S} = \emptyset \;\Rightarrow\; I(\mathcal{O}; x) = 0$
• Glitches? → replace the probes with glitch-extended probes
[FGD+18] Sebastian Faust, Vincent Grosso, Santos Merino Del Pozo, Clara Paglialonga, François-Xavier Standaert: Composable Masking Schemes in the Presence of Physical Defaults & the Robust Probing Model. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(3): 89-120 (2018)

30. Extending the models

31. Beyond glitches
• Gap between theory and practice
  o Coupling [DEM18]
  o CPU leaks [PV17]
  o … (figure source: [DeC18])
• Robust probing model [FGD+18]
• In the same framework: I( ; ) = 0
  o New probe definitions: X-extended probes
  o Same tools!
[DEM18] Thomas De Cnudde, Maik Ender, Amir Moradi: Hardware Masking, Revisited. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(2): 123-148 (2018)
[DeC18] Thomas De Cnudde: Cryptography Secured Against Side-Channel Attacks. PhD thesis, KU Leuven, S. Nikova and V. Rijmen (promotors): 168 pages (2018)
[PV17] Kostas Papagiannopoulos, Nikita Veshchikov: Mind the Gap: Towards Secure 1st-Order Masking in Software. COSADE 2017: 282-297
[FGD+18] Sebastian Faust, Vincent Grosso, Santos Merino Del Pozo, Clara Paglialonga, François-Xavier Standaert: Composable Masking Schemes in the Presence of Physical Defaults & the Robust Probing Model. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(3): 89-120 (2018)
