Slide 1/47: Formal Verification of Masked Implementations
  Sonia Belaïd, Benjamin Grégoire
  CHES 2018 Tutorial, September 9th 2018

Slide 2/47: Outline
  1. Side-Channel Attacks and Masking
  2. Formal Tools for Verification at Fixed Order
  3. Formal Tools for Verification of Generic Implementations

Slide 3/47: Part 1, Side-Channel Attacks and Masking

Slide 4/47: Cryptanalysis
  [Figure: Alice and Bob share a key k; Alice computes c = ENC(k, m), Bob computes m = DEC(k, c); the ciphertext shown is c = 011100110101010110001010; the ENC and DEC boxes emit a leakage L.]
  - Black-box cryptanalysis: the adversary A only gets (m, c).
  - Side-channel analysis: the adversary A gets (m, c, L), where L is the physical leakage of the ENC/DEC computation.

Slide 5/47: Example of SPA
  Algorithm 1 (example):
    for i = 1 to n do
      if key[i] = 0 then
        do treatment 0
      else
        do treatment 1
      end if
    end for
  SPA: one single trace to recover the secret key.

Slide 6/47: Example of DPA
  DPA: several traces to recover the secret key.

Slide 7/47: How to thwart SCA?
  Issue: the leakage L of the computation of c from (m, k) is key-dependent.
  Idea of masking: make the leakage L random. For a sensitive value $v = f(m, k)$:
    $v_1 \leftarrow \$, \ldots, v_t \leftarrow \$$ (t fresh uniform random values)
    $v_0 \leftarrow v \oplus \bigoplus_{1 \le i \le t} v_i$
  Any t-uple of the shares $v_i$ is independent from $v$.

Slide 8/47: Masked Implementations
  - Linear functions: apply the function to each share:
    $v \oplus w \to (v_0 \oplus w_0, v_1 \oplus w_1, \ldots, v_t \oplus w_t)$
  - Non-linear functions: much more complex. For the product $vw \to (c_0, c_1, \ldots, c_t)$:
    $\forall\, 0 \le i < j \le t-1,\ r_{i,j} \leftarrow \$$
    $\forall\, 0 \le i < j \le t-1,\ r_{j,i} \leftarrow (r_{i,j} \oplus v_i w_j) \oplus v_j w_i$
    $\forall\, 0 \le i \le d-1,\ c_i \leftarrow v_i w_i \oplus \bigoplus_{j \ne i} r_{i,j}$
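The sharing of slide 7 and the two kinds of masked operations of slide 8, as an added Python example that is not code from the tutorial. It assumes t+1 shares indexed 0..t (the slide writes the index bounds with t-1 and d-1), byte values on which xor and bitwise and act as GF(2) addition and product on every bit in parallel, and a seeded `random.Random` standing in for the fresh randomness `$`. The last function exhaustively tabulates 1-bit shares to show the property stated on slide 7: any t of the t+1 shares have the same joint distribution whatever the secret, while all t+1 shares together encode it.

```python
# Added example (not from the tutorial): Boolean masking, share-wise xor, and the
# ISW-style multiplication gadget of slide 8, plus an exhaustive check that any
# t-tuple of shares is independent of the secret. Assumption: t+1 shares 0..t.
from itertools import product
import random

BITS = 8  # byte values: ^ and & act as GF(2) addition and product on each bit


def share(v, t, rng):
    """Return [v_0, ..., v_t] with v_1..v_t uniform and v_0 = v xor v_1 xor ... xor v_t."""
    rest = [rng.getrandbits(BITS) for _ in range(t)]
    v0 = v
    for s in rest:
        v0 ^= s
    return [v0] + rest


def unshare(shares):
    """Recombine: the value is the xor of all its shares."""
    acc = 0
    for s in shares:
        acc ^= s
    return acc


def masked_xor(vs, ws):
    """Linear function (slide 8, first bullet): apply the xor to each pair of shares."""
    return [a ^ b for a, b in zip(vs, ws)]


def isw_and(vs, ws, rng):
    """Product gadget (slide 8, second bullet) on t+1 shares of v and w."""
    n = len(vs)
    r = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            r[i][j] = rng.getrandbits(BITS)                          # r_{i,j} <- $
            r[j][i] = (r[i][j] ^ (vs[i] & ws[j])) ^ (vs[j] & ws[i])  # keep this bracketing
    cs = []
    for i in range(n):
        c = vs[i] & ws[i]                  # c_i <- v_i w_i xor (xor over j != i of r_{i,j})
        for j in range(n):
            if j != i:
                c ^= r[i][j]
        cs.append(c)
    return cs


def masked_roundtrip(v, w, t, seed=0):
    """Share v and w, compute xor and product on shares, recombine: returns (v ^ w, v & w)."""
    rng = random.Random(seed)
    vs, ws = share(v, t, rng), share(w, t, rng)
    return unshare(masked_xor(vs, ws)), unshare(isw_and(vs, ws, rng))


def share_tuple_histogram(v, t, positions):
    """Enumerate all t random 1-bit shares of the 1-bit secret v and tabulate the joint
    values of the shares at `positions` (slide 7: any t-tuple is independent of v)."""
    hist = {}
    for rnd in product((0, 1), repeat=t):
        v0 = v
        for b in rnd:
            v0 ^= b
        shares = [v0, *rnd]
        key = tuple(shares[p] for p in positions)
        hist[key] = hist.get(key, 0) + 1
    return hist


if __name__ == "__main__":
    print(masked_roundtrip(0xA5, 0x3C, t=3))            # (0x99, 0x24): both gadgets recombine correctly
    for v in (0, 1):                                    # two of three shares: same table for v = 0 and v = 1
        print(v, share_tuple_histogram(v, 2, (0, 1)))
    for v in (0, 1):                                    # all three shares: the tables differ
        print(v, share_tuple_histogram(v, 2, (0, 1, 2)))
```

The bracketing in `isw_and` is kept exactly as the slide writes it, `(r_{i,j} xor v_i w_j) xor v_j w_i`: the order of the two xors decides which partial sums appear as intermediate values, so it matters for probing security even though it does not change the result.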

Slide 9/47: Leakage Models
  - Probing model, by Ishai, Sahai and Wagner (Crypto 2003): a circuit is t-probing secure iff any set composed of the exact values of at most t intermediate variables is independent from the secret.
  - Noisy leakage model, by Chari, Jutla, Rao and Rohatgi (Crypto 1999), then Rivain and Prouff (EC 2013): a circuit is secure in the noisy leakage model iff the adversary cannot recover information on the secret from the noisy values of all the intermediate variables.
  - Reduction, by Duc, Dziembowski and Faust (EC 2014): t-probing security ⇒ security in the noisy leakage model for some level of noise.

Slide 10/47: How to Verify Probing Security?
  - variables: secret, shares, constant
  - masking order t = 3
    function Ex-t3(x_0, x_1, x_2, x_3, c):
      (* x_0, x_1, x_2 = $ *)
      (* x_3 = x + x_0 + x_1 + x_2 *)
      r_0 ← $
      r_1 ← $
      y_0 ← x_0 + r_0
      y_1 ← x_3 + r_1
      t_1 ← x_1 + r_0
      t_2 ← (x_1 + r_0) + x_2
      y_2 ← (x_1 + r_0 + x_2) + r_1
      y_3 ← c + r_1
      return (y_0, y_1, y_2, y_3)
  Question asked on the slide, pointing at the intermediate variables: independent from the secret?

Slide 11/47: Non-Interference (NI)
  - t-NI ⇒ t-probing secure
  - a circuit is t-NI iff any set of t intermediate variables can be perfectly simulated with at most t shares of each input
  The same function Ex-t3 as on slide 10 is shown again; the annotation next to the highlighted intermediate variables reads: can be simulated with x_0 and x_1.

Slide 12/47: Non-Interference (NI)
  [Figure: a box Ex-t3 with input shares x_0, x_1, x_2, x_3 (= x + x_0 + x_1 + x_2) on top, 3 observations inside the box, and output shares y_0, y_1, y_2, y_3 at the bottom.]

Slide 13/47: Part 2, Formal Tools for Verification at Fixed Order

Slide 14/47: State-Of-The-Art
  - several tools were built to formally verify the security of first-order implementations (t = 1)
  - then a sequence of works tackled higher-order implementations (t ≤ 5):
    - maskVerif from Barthe et al.: first tool to achieve verification at high orders
    - CheckMasks from Coron: improvements in terms of efficiency
    - Bloem et al.'s tool: treatment of glitch attacks

Slide 15/47: maskVerif
  - input:
    - pseudo-code of a masked implementation
    - order t
  - output:
    - formal proof of t-probing security (or NI, SNI)
    - potential flaws
  Reference: Gilles Barthe, Sonia Belaïd, François Dupressoir, Pierre-Alain Fouque, Benjamin Grégoire and Pierre-Yves Strub. Verified Proofs of Higher-Order Masking. EUROCRYPT 2015, Proceedings, Part I, 457-485.

Slide 16/47: Checking probabilistic independence
  Problem: check if a program expression e is probabilistically independent from a secret s.
  Example: $e = (s \oplus r_1) \cdot (r_1 \oplus r_2)$
  First solution:
  - for each value of s, compute the associated distribution of e
  - if all the resulting distributions are equal then e is independent of s

      s = 0               s = 1
      r_1  r_2  e         r_1  r_2  e
       0    0   0          0    0   0
       0    1   0          0    1   1
       1    0   1          1    0   0
       1    1   0          1    1   0

  - Complete
  - Exponential in the number of secret and random values

Slide 17/47: Checking probabilistic independence
  Second solution, using simple rules:
  - Rule 1: if e does not use s then it is independent.
  - Rule 2: if e can be written as C[f ⊕ r] and r does not occur in C and f, then it is sufficient to test the independence of C[r] (the distribution of f ⊕ r is equal to the distribution of r).
  - Rule 3: if Rules 1 and 2 do not apply then use the first solution (when possible).
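A toy checker for both solutions of slides 16 and 17, run on the slide-16 expression and on Ex-t3 from slides 10 to 12. This is an added Python example, neither the tutorial's code nor maskVerif; it assumes 1-bit variables, uniform input shares and fresh randoms, that the constant c of Ex-t3 is a public value known to the adversary, and that every wire of the program, input shares included, can be probed. The first solution compares the joint distribution of the probed expressions for each value of the secret; the second applies Rule 1, then Rule 2 as long as some random r occurs exactly once and as a direct operand of a xor, and falls back to Rule 3. The probing check goes beyond the slides by enumerating every set of at most t wires of Ex-t3.

```python
# Added example (not from the tutorial, not maskVerif): exhaustive and rule-based
# independence checks of slides 16-17, and a brute-force t-probing check of Ex-t3.
# Expressions are tuples: ('var', name), ('xor', a, b), ('and', a, b).
from itertools import product, combinations


def V(name): return ('var', name)
def XOR(a, b): return ('xor', a, b)
def AND(a, b): return ('and', a, b)


def evaluate(e, env):
    if e[0] == 'var':
        return env[e[1]]
    if e[0] == 'xor':
        return evaluate(e[1], env) ^ evaluate(e[2], env)
    return evaluate(e[1], env) & evaluate(e[2], env)


def variables(e):
    return {e[1]} if e[0] == 'var' else variables(e[1]) | variables(e[2])


def occurrences(e, name):
    if e[0] == 'var':
        return int(e[1] == name)
    return occurrences(e[1], name) + occurrences(e[2], name)


def joint_distribution(exprs, fixed, randoms):
    """Histogram of the tuple of values of exprs over all assignments of the randoms."""
    hist = {}
    for bits in product((0, 1), repeat=len(randoms)):
        env = dict(fixed, **dict(zip(randoms, bits)))
        key = tuple(evaluate(e, env) for e in exprs)
        hist[key] = hist.get(key, 0) + 1
    return hist


def exhaustive_independent(exprs, secrets, randoms, publics=()):
    """First solution (slide 16): for every value of the secrets (and every value of the
    known publics) compute the distribution of exprs; independent iff all are equal."""
    for pub in product((0, 1), repeat=len(publics)):
        dists = []
        for sec in product((0, 1), repeat=len(secrets)):
            fixed = dict(zip(publics, pub), **dict(zip(secrets, sec)))
            dists.append(joint_distribution(exprs, fixed, randoms))
        if any(d != dists[0] for d in dists):
            return False
    return True


def _replace_xor_with(e, r):
    """Rewrite the subterm (f xor r), r a direct operand, into r; None if there is none."""
    if e[0] == 'var':
        return None
    if e[0] == 'xor' and ('var', r) in (e[1], e[2]):
        return ('var', r)
    left = _replace_xor_with(e[1], r)
    if left is not None:
        return (e[0], left, e[2])
    right = _replace_xor_with(e[2], r)
    return None if right is None else (e[0], e[1], right)


def rule2(e, randoms):
    """Rule 2 (slide 17): e = C[f xor r] with r nowhere in C or f; return (C[r], r) or None."""
    for r in randoms:
        if occurrences(e, r) == 1:          # r occurs once, so it is absent from C and f
            simplified = _replace_xor_with(e, r)
            if simplified is not None:
                return simplified, r
    return None


def rule_based_independent(e, secrets, randoms, publics=()):
    """Second solution (slide 17): Rule 1, Rule 2 repeatedly, then Rule 3 as a fallback.
    Returns (independent?, list of the rules that fired)."""
    trace = []
    while True:
        if not (variables(e) & set(secrets)):
            trace.append('rule1')
            return True, trace
        step = rule2(e, randoms)
        if step is None:
            break
        e, r = step
        trace.append('rule2:' + r)
    trace.append('rule3')
    return exhaustive_independent([e], secrets, randoms, publics), trace


def probing_flaws(program, t, secrets, randoms, publics=()):
    """Brute-force t-probing check (slide 9): every set of at most t wires whose joint
    distribution depends on the secrets is returned; an empty list means t-probing secure."""
    wires = dict(program)
    return [obs for k in range(1, t + 1) for obs in combinations(list(wires), k)
            if not exhaustive_independent([wires[n] for n in obs], secrets, randoms, publics)]


E16 = AND(XOR(V('s'), V('r1')), XOR(V('r1'), V('r2')))   # slide 16: e = (s xor r1) . (r1 xor r2)

# Ex-t3 from slide 10, every wire written directly over the inputs x (secret),
# x0, x1, x2, r0, r1 (uniform randoms) and c (public constant)
x, x0, x1, x2, c, r0, r1 = (V(n) for n in ('x', 'x0', 'x1', 'x2', 'c', 'r0', 'r1'))
x3 = XOR(XOR(XOR(x, x0), x1), x2)                         # x3 = x + x0 + x1 + x2
EX_T3 = [('x0', x0), ('x1', x1), ('x2', x2), ('x3', x3), ('r0', r0), ('r1', r1),
         ('y0', XOR(x0, r0)), ('y1', XOR(x3, r1)),
         ('t1', XOR(x1, r0)), ('t2', XOR(XOR(x1, r0), x2)),
         ('y2', XOR(XOR(XOR(x1, r0), x2), r1)), ('y3', XOR(c, r1))]

if __name__ == "__main__":
    print(rule_based_independent(E16, ['s'], ['r1', 'r2']))    # (True, ['rule2:r2', 'rule2:r1', 'rule1'])
    print(probing_flaws(EX_T3, 3, ['x'], ['x0', 'x1', 'x2', 'r0', 'r1'], ['c']))
```

On the slide-16 expression, Rule 2 fires twice (first on r_2, then on r_1) and reduces e to r_1 · r_2, which Rule 1 settles without any enumeration. On Ex-t3 the exhaustive check finds no dependent set of one or two wires, but reports three-wire sets whose joint distribution depends on x, among them the three output shares y_0, y_1, y_2, which is the kind of flaw a tool such as maskVerif is meant to surface.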
