formal analysis of the entropy security trade off in
play

Formal Analysis of the Entropy / Security Trade-off in First-Order - PowerPoint PPT Presentation

Jan 12, 2023 •153 likes •539 views

Introduction RSM: Rotating Sboxes Masking Information Theoretic Evaluation of RSM Security Evaluation of RSM against CPA and 2O-CPA Conclusions and Perspectives Formal Analysis of the Entropy / Security Trade-off in First-Order Masking

  1. Introduction RSM: Rotating Sboxes Masking Information Theoretic Evaluation of RSM Security Evaluation of RSM against CPA and 2O-CPA Conclusions and Perspectives Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures against Side-Channel Attacks Maxime Nassar, Sylvain Guilley and Jean-Luc Danger Bull TrustWay, Rue Jean Jaur` es, B.P. 68, 78 340 Les Clayes-sous-Bois, France. Institut TELECOM / TELECOM ParisTech, 46 rue Barrault, 75 634 Paris Cedex, France. Secure-IC S.A.S., 80 avenue des Buttes de Co¨ esmes, 35700 Rennes, France. Sylvain Guilley, < sylvain.guilley@TELECOM-ParisTech.fr > Entropy / Security Trade-off | INDOCRYPT’2011 | 1

  2. Introduction RSM: Rotating Sboxes Masking Information Theoretic Evaluation of RSM Security Evaluation of RSM against CPA and 2O-CPA Conclusions and Perspectives Introduction 1 Side-Channel Analysis (SCA) Countermeasures Goal of the Presentation RSM: Rotating Sboxes Masking 2 Rationale of the Countermeasure RSM Modelization Information Theoretic Evaluation of RSM 3 Security Evaluation of RSM against CPA and 2O-CPA 4 Optimal HO-CPA Expression of ρ (1 , 2) opt Conclusions and Perspectives 5 Sylvain Guilley, < sylvain.guilley@TELECOM-ParisTech.fr > Entropy / Security Trade-off | INDOCRYPT’2011 | 2

  3. Introduction RSM: Rotating Sboxes Masking Side-Channel Analysis (SCA) Information Theoretic Evaluation of RSM Countermeasures Security Evaluation of RSM against CPA and 2O-CPA Goal of the Presentation Conclusions and Perspectives Introduction 1 Side-Channel Analysis (SCA) Countermeasures Goal of the Presentation RSM: Rotating Sboxes Masking 2 Rationale of the Countermeasure RSM Modelization Information Theoretic Evaluation of RSM 3 Security Evaluation of RSM against CPA and 2O-CPA 4 Optimal HO-CPA Expression of ρ (1 , 2) opt Conclusions and Perspectives 5 Sylvain Guilley, < sylvain.guilley@TELECOM-ParisTech.fr > Entropy / Security Trade-off | INDOCRYPT’2011 | 3

  4. Side-channel measurement cryptographic Encryption system requests containing a secret key 0110100010010010011 Energy on-duty Timing reference

  5. Side-channel measurement Encryption requests Energy Timing reference

  6. Electromagnetic probe I/Os: USB socket Power supply Ground Trigger probe

  7. Introduction RSM: Rotating Sboxes Masking Side-Channel Analysis (SCA) Information Theoretic Evaluation of RSM Countermeasures Security Evaluation of RSM against CPA and 2O-CPA Goal of the Presentation Conclusions and Perspectives Protection against side-channel attacks Extrinsic countermeasures Noise addition . . makes the attack difficult but not impossible Internal powering . . . . . . . . . . . . . . . . . . . . .can be tampered with Internal countermeasures Make the power constant . . require design skills [DGBN09] ✖ Masking the power . . . . . . . . . . . . . . . susceptible to HO-SCA ✔ Sylvain Guilley, < sylvain.guilley@TELECOM-ParisTech.fr > Entropy / Security Trade-off | INDOCRYPT’2011 | 7

  8. Introduction RSM: Rotating Sboxes Masking Side-Channel Analysis (SCA) Information Theoretic Evaluation of RSM Countermeasures Security Evaluation of RSM against CPA and 2O-CPA Goal of the Presentation Conclusions and Perspectives Security Evaluation of Countermeasures Off-the-shelf platforms, e.g. the Smart-SIC Analyzer Sylvain Guilley, < sylvain.guilley@TELECOM-ParisTech.fr > Entropy / Security Trade-off | INDOCRYPT’2011 | 8

  9. Introduction RSM: Rotating Sboxes Masking Side-Channel Analysis (SCA) Information Theoretic Evaluation of RSM Countermeasures Security Evaluation of RSM against CPA and 2O-CPA Goal of the Presentation Conclusions and Perspectives Context + Security � = ⇒ + Costs � Trade-offs? Maximal security within a given budget Minimal spendings for a target security level (CC EALx?) Formal analysis: sound and realistic metrics for both security and cost. Sylvain Guilley, < sylvain.guilley@TELECOM-ParisTech.fr > Entropy / Security Trade-off | INDOCRYPT’2011 | 9

  10. Introduction RSM: Rotating Sboxes Masking Side-Channel Analysis (SCA) Information Theoretic Evaluation of RSM Countermeasures Security Evaluation of RSM against CPA and 2O-CPA Goal of the Presentation Conclusions and Perspectives Context − Costs � = ⇒ − Security � Trade-offs? Maximal security within a given budget Minimal spendings for a target security level (CC EALx?) Formal analysis: sound and realistic metrics for both security and cost. Sylvain Guilley, < sylvain.guilley@TELECOM-ParisTech.fr > Entropy / Security Trade-off | INDOCRYPT’2011 | 9

  11. Introduction RSM: Rotating Sboxes Masking Rationale of the Countermeasure Information Theoretic Evaluation of RSM RSM Modelization Security Evaluation of RSM against CPA and 2O-CPA Conclusions and Perspectives Introduction 1 Side-Channel Analysis (SCA) Countermeasures Goal of the Presentation RSM: Rotating Sboxes Masking 2 Rationale of the Countermeasure RSM Modelization Information Theoretic Evaluation of RSM 3 Security Evaluation of RSM against CPA and 2O-CPA 4 Optimal HO-CPA Expression of ρ (1 , 2) opt Conclusions and Perspectives 5 Sylvain Guilley, < sylvain.guilley@TELECOM-ParisTech.fr > Entropy / Security Trade-off | INDOCRYPT’2011 | 10

  12. Introduction RSM: Rotating Sboxes Masking Rationale of the Countermeasure Information Theoretic Evaluation of RSM RSM Modelization Security Evaluation of RSM against CPA and 2O-CPA Conclusions and Perspectives Masking with two (or more) paths Message k i IP IP Left Left Right Right masked mask mask masked data ( L i ) ( ML i ) ( MR i ) data ( R i ) Feistel function f m m ′ P S’ E x m S ( x ⊕ k c ) P S E ⊕ m ′ k c FP Ciphertext Sylvain Guilley, < sylvain.guilley@TELECOM-ParisTech.fr > Entropy / Security Trade-off | INDOCRYPT’2011 | 11 This operation is costly in general [SRQ06], especially for the

  13. Introduction RSM: Rotating Sboxes Masking Rationale of the Countermeasure Information Theoretic Evaluation of RSM RSM Modelization Security Evaluation of RSM against CPA and 2O-CPA Conclusions and Perspectives Masking with one path: Z → Z ⊕ M (ex. AES) Pool of masks Base masks M 0 − 15 MC(SR( M i )) ⊕ M i MMS 0 − 15 SR( M i ) MS 0 − 15 1280 bytes InvMC(InvSR( M i )) ⊕ M i IMMS 0 − 15 InvSR( M i ) IMS 0 − 15 Homomorphic computation. This masking is the less costly in the litterature [NGDS12]. Requires leak-free ROMs (well suited for ASIC & FPGA). Sylvain Guilley, < sylvain.guilley@TELECOM-ParisTech.fr > Entropy / Security Trade-off | INDOCRYPT’2011 | 12

  14. Introduction RSM: Rotating Sboxes Masking Rationale of the Countermeasure Information Theoretic Evaluation of RSM RSM Modelization Security Evaluation of RSM against CPA and 2O-CPA Conclusions and Perspectives Performances Table: Implementation results for reference and protected AES Unprotected RSM Overhead Number of ALUTs (%) 2136 (8%) 2734 (10%) 28% Number of M4K ROM Blocs (%) 20 (14%) 24 (17%) 20% Frequency (MHz) 133 88 34% Setting: n = 8 bit, 16 masks only, and (Price metric) provable security up to 2nd-order attacks (Security metric) Sylvain Guilley, < sylvain.guilley@TELECOM-ParisTech.fr > Entropy / Security Trade-off | INDOCRYPT’2011 | 13

  15. Introduction RSM: Rotating Sboxes Masking Rationale of the Countermeasure Information Theoretic Evaluation of RSM RSM Modelization Security Evaluation of RSM against CPA and 2O-CPA Conclusions and Perspectives RSM mode of operation SB ′ 0 128 4 Barrel shifter j ∈ { 0 − 15 } S ′ S ′ S ′ 0 1 15 m 0 m 1 m 15 M 0 . . . SubBytes SubBytes SubBytes m 1 m 2 m 0 M 1 Barrel shifter j ∈ { 0 − 15 } 4 128 Sylvain Guilley, < sylvain.guilley@TELECOM-ParisTech.fr > Entropy / Security Trade-off | INDOCRYPT’2011 | 14

  16. Introduction RSM: Rotating Sboxes Masking Rationale of the Countermeasure Information Theoretic Evaluation of RSM RSM Modelization Security Evaluation of RSM against CPA and 2O-CPA Conclusions and Perspectives RSM leakage Masked sboxes Z �→ M out ⊕ S ( Z ⊕ M in ). L ( Z , M ) = L ( Z ⊕ M ) . In this expression, Z and M are n -bit vectors, i.e. live in F n 2 . The leakage function L : F n 2 → R depends on the hardware. In a conservative perspective, L is assumed to be bijective. In a realistic perspective, L is assumed to non-injective. Sylvain Guilley, < sylvain.guilley@TELECOM-ParisTech.fr > Entropy / Security Trade-off | INDOCRYPT’2011 | 15

  17. Introduction RSM: Rotating Sboxes Masking Rationale of the Countermeasure Information Theoretic Evaluation of RSM RSM Modelization Security Evaluation of RSM against CPA and 2O-CPA Conclusions and Perspectives Metrics 1 Cost : Card[ M ] ∈ { 1 , · · · , 2 n } . 2 Security : Leakage: mutual information. Attack: resistance against HO-CPA. Modelization that bridges both notions: � 1 / Card[ M ] if m ∈ M , and P[ M = m ] = 0 otherwise. Sylvain Guilley, < sylvain.guilley@TELECOM-ParisTech.fr > Entropy / Security Trade-off | INDOCRYPT’2011 | 16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1

Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1

Entropy Entropy Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1 Entropy Entropy and Information Joint Entropy Frank Keller Conditional Entropy School of Informatics University of Edinburgh

81 views • 4 slides
Formal analysis of security models for critical systems: Virtualization platforms and mobile

Formal analysis of security models for critical systems: Virtualization platforms and mobile

Formal analysis of security models for critical systems: Virtualization platforms and mobile devices Carlos Luna Grupo de Seguridad Inform atica, InCo Facultad de Ingenier a, Universidad de la Rep ublica, Uruguay Formal analysis

751 views • 56 slides
Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of

Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of

Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of a discrete random variable. Properties: H(x) &gt;= 0 Entropy Entropy Lesser the probability for an event, larger the entropy.

471 views • 21 slides
Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code Karthikeyan Bhargavan INRIA IIT Delhi, Fall 2010 Lecture 1: WriCng Secure Web ApplicaCons

472 views • 25 slides
Formal Security Analysis and Improvement of a hash-based

Formal Security Analysis and Improvement of a hash-based

Formal Security Analysis and Improvement of a hash-based NFC M-coupon Protocol Ali Alshehri and Steve Schneider Agenda Introduc?on. Approach

498 views • 25 slides
Comparison Between Bayesian and Maximum Entropy Analysis of Flow Networks 1 Maximum Entropy

Comparison Between Bayesian and Maximum Entropy Analysis of Flow Networks 1 Maximum Entropy

Comparison Between Bayesian and Maximum Entropy Analysis of Flow Networks 1 Maximum Entropy The Maximum Entropy (MaxEnt) method is a methodology to assign or update probability distributions to describe systems which are not completely

202 views • 17 slides
Formal security analysis of authentication in an asynchronous communication model Bsc thesis

Formal security analysis of authentication in an asynchronous communication model Bsc thesis

Formal security analysis of authentication in an asynchronous communication model Bsc thesis presentation Jacob Wahlgren &amp; Sam Hedin June 18 KTH 1 Outline Introduction Background Secure Data Sharing Methods Results Owner event

1.71k views • 124 slides
Security APIs ARSPA-WITS10 () Formal Analysis of Key Integrity in PKCS#11s 2 / 17 Security

Security APIs ARSPA-WITS10 () Formal Analysis of Key Integrity in PKCS#11s 2 / 17 Security

Formal Analysis of Key Integrity in PKCS#11 Andrea Falcone 1 Riccardo Focardi 1 1 Universit` a Ca Foscari di Venezia, Italy focardi@dsi.unive.it ARSPA-WITS10 Paphos, Cyprus March 27-28, 2010 Work partially supported by: Miur07

729 views • 17 slides
Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code Karthikeyan Bhargavan INRIA Karthikeyan.Bhargavan@inria.fr IIT Delhi, Fall 2010 Lecture 4: Security

348 views • 34 slides
Entropy and The Second Law of Thermodynamics Entropy (S)

Entropy and The Second Law of Thermodynamics Entropy (S)

Entropy and The Second Law of Thermodynamics Entropy (S) Entropy is o8en related to disorder but not strictly correct Entropy is a measure

351 views • 8 slides
Methods and tools for design time and runtime formal analysis of security protocols and web

Methods and tools for design time and runtime formal analysis of security protocols and web

Methods and tools for design time and runtime formal analysis of security protocols and web applications Marco Rocchetto REsearch Group in I nformation S ecurity Department of Computer Science University of Verona, Italy Verona, May 8, 2015

731 views • 62 slides
On the Security of Election Audits with Low Entropy Randomness Eric Rescorla ekr@rtfm.com

On the Security of Election Audits with Low Entropy Randomness Eric Rescorla ekr@rtfm.com

On the Security of Election Audits with Low Entropy Randomness Eric Rescorla ekr@rtfm.com EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 1 Overview Secure auditing requires random sampling The units to be

478 views • 23 slides
Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code Karthikeyan Bhargavan INRIA Karthikeyan.Bhargavan@inria.fr IIT Delhi, Fall 2010 Lecture 3: Coding

527 views • 36 slides
Entropy and Uncertainty Appendix C Computer Security: Art and Science, 2 nd Edition Version 1.0

Entropy and Uncertainty Appendix C Computer Security: Art and Science, 2 nd Edition Version 1.0

Entropy and Uncertainty Appendix C Computer Security: Art and Science, 2 nd Edition Version 1.0 Slide B-1 Outline Random variables Joint probability Conditional probability Entropy (or uncertainty in bits) Joint entropy

463 views • 17 slides
Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code Karthikeyan Bhargavan INRIA Karthikeyan.Bhargavan@inria.fr IIT Delhi, Fall 2010 Lecture 7: Using

393 views • 38 slides
Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code Karthikeyan Bhargavan INRIA Karthikeyan.Bhargavan@inria.fr IIT Delhi, Fall 2010 Lecture 2: A

530 views • 41 slides
A machine learning approach against a masked AES L. LERMAN , S. FERNANDES MEDEIROS, G. BONTEMPI,

A machine learning approach against a masked AES L. LERMAN , S. FERNANDES MEDEIROS, G. BONTEMPI,

A machine learning approach against a masked AES A machine learning approach against a masked AES L. LERMAN , S. FERNANDES MEDEIROS, G. BONTEMPI, and O. MARKOWITCH Universit Libre de Bruxelles Faculty of Sciences Department of Computer

349 views • 20 slides
1. procedure ONE TO ALL BC( d , my id , X ) 2. begin mask := 2 d 1; 3. /* Set all d bits of

1. procedure ONE TO ALL BC( d , my id , X ) 2. begin mask := 2 d 1; 3. /* Set all d bits of

1. procedure ONE TO ALL BC( d , my id , X ) 2. begin mask := 2 d 1; 3. /* Set all d bits of mask to 1 */ 4. for i := d 1 downto 0 do /* Outer loop */ mask := mask XOR 2 i ; 5. /* Set bit i of mask to 0 */ 6. if ( my id AND mask ) = 0

494 views • 10 slides
Travel Sentiment Study Wave 16 JULY 21, 2020 COVID-19 TRAVEL SENTIMENT STUDY WAVE 16 Fielded

Travel Sentiment Study Wave 16 JULY 21, 2020 COVID-19 TRAVEL SENTIMENT STUDY WAVE 16 Fielded

Travel Sentiment Study Wave 16 JULY 21, 2020 COVID-19 TRAVEL SENTIMENT STUDY WAVE 16 Fielded July 15, 2020 U.S. National Sample of 1,000 adults 18+ IMPACT ON TRAVEL PLANS Canceled trip completely 43% 77% Reduced travel plans 41% Changed

411 views • 17 slides
Masking against Side-Channel Attacks: a Formal Security Proof Matthieu Rivain Joint work with

Masking against Side-Channel Attacks: a Formal Security Proof Matthieu Rivain Joint work with

Masking against Side-Channel Attacks: a Formal Security Proof Matthieu Rivain Joint work with Emmanuel Prouff EUROCRYPT 2013 May 27th Outline 1 Introduction and Previous Works 2 Our Contribution 3 Model of Leaking Computation 4

526 views • 36 slides
The journey to open-sourcing the code and models FOSDEM 2020 Anis Khlif, Flix Voituret

The journey to open-sourcing the code and models FOSDEM 2020 Anis Khlif, Flix Voituret

The journey to open-sourcing the code and models FOSDEM 2020 Anis Khlif, Flix Voituret Whos been involved Romain Hennequin - Lead research scientist Laure Prtet - Former intern Anis Khlif - Research Engineer Flix Voituret - Research

798 views • 45 slides
for Sound Object Initialization Xin Qi and Andrew C. Myers Cornell University Friday, June 3,

for Sound Object Initialization Xin Qi and Andrew C. Myers Cornell University Friday, June 3,

for Sound Object Initialization Xin Qi and Andrew C. Myers Cornell University Friday, June 3, 2011 Fix the initialization problem Current mechanisms for object initialization are unsound This talk: a lightweight type system for sound

365 views • 22 slides
Image Masking Schemes for Local Manifold Learning Methods Marco F. Duarte Joint work with

Image Masking Schemes for Local Manifold Learning Methods Marco F. Duarte Joint work with

Image Masking Schemes for Local Manifold Learning Methods Marco F. Duarte Joint work with Hamid Dadkhahi IEEE ICASSP - April 23 2015 Manifold Learning Given training points in , learn the mapping to the underlying K -dimensional

404 views • 22 slides
An Approximate Perspective on Word Prediction in Context: Ontological Semantics meets BERT

An Approximate Perspective on Word Prediction in Context: Ontological Semantics meets BERT

An Approximate Perspective on Word Prediction in Context: Ontological Semantics meets BERT Kanishka Misra and Julia Taylor Rayz Purdue University NAFIPS 2020 Virtually, from West Lafayette, IN, USA Summary and Takeaways Neural Networks

448 views • 26 slides

More recommend