glitch resistant masking revisited or why proofs in the
play

Glitch-Resistant Masking Revisited or Why Proofs in the Robust - PowerPoint PPT Presentation

Apr 06, 2023 •223 likes •694 views

Glitch-Resistant Masking Revisited or Why Proofs in the Robust Probing Model are Needed Thorben Moos 1 , Amir Moradi 1 , Tobias Schneider 2 and Franois-Xavier Standaert 2 Horst Grtz Institute for IT Security, Ruhr-Universitt Bochum,

  1. Glitch-Resistant Masking Revisited or Why Proofs in the Robust Probing Model are Needed Thorben Moos 1 , Amir Moradi 1 , Tobias Schneider 2 and François-Xavier Standaert 2 ✶ Horst Görtz Institute for IT Security, Ruhr-Universität Bochum, Germany ✷ ICTEAM/ELEN/Crypto Group, Université catholique de Louvain, Belgium August 27th, 2019

  2. Section 1 Introduction Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 1

  3. Physical Attacks Introduction ❦ • Physical characteristics used to extract secrets: · · · ❦ ✶ ❦ ✷ Leakage ❦ ♥ • Timing ② ✶ ① ✶ • Power • EM ① ✷ ② ✷ • Countermeasures to increase ② ① ❋ attack complexity: · · · · · · • Masking • Hiding ② ♥ ① ♥ • Re-keying Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 2

  4. Concept of Masking Introduction ❦ • Encode sensitive variables into shares · · · ❦ ✶ ❦ ✷ ❦ ♥ • Compute securely on shares ② ✶ ① ✶ • Decode at end to recover result ① ✷ ② ✷ ② ① ❋ ′ · · · · · · ② ♥ ① ♥ Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 3

  5. Concept of Masking Introduction ❦ • Encode sensitive variables into shares · · · ❦ ✶ ❦ ✷ ❦ ♥ • Compute securely on shares ② ✶ ① ✶ • Decode at end to recover result ① ✷ ② ✷ ② Masking if implemented correctly ① ❋ ′ · · · · · · increases the attack complexity exponentially in the number of shares. (assuming sufficient noise) ② ♥ ① ♥ Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 3

  6. ❋ ✶ ② ① ❋ ✸ ❋ ✷ Security Notions Introduction • Masked algorithms can be proven secure • Common Solution: Probing model 1 Definition ( t -Probing Security) A circuit C is t -probing secure if and only if every t -tuple of its intermediate variables is independent of any sensitive variable. 1 Y. Ishai, A. Sahai and D. Wagner, Private Circuits: Securing Hardware against Probing Attacks , CRYPTO 2003 Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 4

  7. Security Notions Introduction • Masked algorithms can be proven secure • Common Solution: Probing model 1 Definition ( t -Probing Security) A circuit C is t -probing secure if and only if every t -tuple of its intermediate variables is independent of any sensitive variable. Example: ❋ ✶ • 3rd-order masking ② ① ❋ ✸ • Any possible combination of three ❋ ✷ probes should not reveal secret 1 Y. Ishai, A. Sahai and D. Wagner, Private Circuits: Securing Hardware against Probing Attacks , CRYPTO 2003 Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 4

  8. Security Notions Introduction • Masked algorithms can be proven secure • Common Solution: Probing model 1 Definition ( t -Probing Security) A circuit C is t -probing secure if and only if every t -tuple of its intermediate variables is independent of any sensitive variable. Example: ❋ ✶ • 3rd-order masking ② ① ❋ ✸ • Any possible combination of three ❋ ✷ probes should not reveal secret 1 Y. Ishai, A. Sahai and D. Wagner, Private Circuits: Securing Hardware against Probing Attacks , CRYPTO 2003 Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 4

  9. Security Notions Introduction • Masked algorithms can be proven secure • Common Solution: Probing model 1 Definition ( t -Probing Security) A circuit C is t -probing secure if and only if every t -tuple of its intermediate variables is independent of any sensitive variable. Example: ❋ ✶ • 3rd-order masking ② ① ❋ ✸ • Any possible combination of three ❋ ✷ probes should not reveal secret 1 Y. Ishai, A. Sahai and D. Wagner, Private Circuits: Securing Hardware against Probing Attacks , CRYPTO 2003 Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 4

  10. ❋ ✶ ❋ ✶ ❋ ✸ ❋ ✶ ❋ ✸ ❋ ✸ ❋ ✷ ❋ ✷ ❋ ✷ t t t t ✶ t ✷ t ✶ t ✷ t t ✶ t ✷ t ✶ Security Notions Introduction • Scales badly with number of probes and complexity of algorithm • Prove smaller sub-gadgets and compose securely 2 G. Barthe, S. Belaïd, F . Dupressoir, P .-A. Fouque, B. Gregoire, P .-Y. Strub and R. Zucchini, Strong Non-Interference and Type-Directed Higher-Order Masking , CCS 2016 Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 5

  11. ❋ ✶ ❋ ✸ ❋ ✶ ❋ ✸ ❋ ✷ ❋ ✷ t t t t ✶ t ✷ t ✶ t ✷ t t ✶ t ✷ t ✶ Security Notions Introduction • Scales badly with number of probes and complexity of algorithm • Prove smaller sub-gadgets and compose securely ❋ ✶ ❋ ✸ ❋ ✷ 2 G. Barthe, S. Belaïd, F . Dupressoir, P .-A. Fouque, B. Gregoire, P .-Y. Strub and R. Zucchini, Strong Non-Interference and Type-Directed Higher-Order Masking , CCS 2016 Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 5

  12. ❋ ✶ ❋ ✸ ❋ ✷ t t t t ✶ t ✷ t ✶ t ✷ t t ✶ t ✷ t ✶ Security Notions Introduction • Scales badly with number of probes and complexity of algorithm • Prove smaller sub-gadgets and compose securely ❋ ✶ ❋ ✶ ❋ ✸ ❋ ✸ ❋ ✷ ❋ ✷ 2 G. Barthe, S. Belaïd, F . Dupressoir, P .-A. Fouque, B. Gregoire, P .-Y. Strub and R. Zucchini, Strong Non-Interference and Type-Directed Higher-Order Masking , CCS 2016 Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 5

  13. t t t t ✶ t ✷ t ✶ t ✷ t t ✶ t ✷ t ✶ Security Notions Introduction • Scales badly with number of probes and complexity of algorithm • Prove smaller sub-gadgets and compose securely ❋ ✶ ❋ ✶ ❋ ✸ ❋ ✶ ❋ ✸ ❋ ✸ ❋ ✷ ❋ ✷ ❋ ✷ 2 G. Barthe, S. Belaïd, F . Dupressoir, P .-A. Fouque, B. Gregoire, P .-Y. Strub and R. Zucchini, Strong Non-Interference and Type-Directed Higher-Order Masking , CCS 2016 Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 5

  14. Security Notions Introduction • Scales badly with number of probes and complexity of algorithm • Prove smaller sub-gadgets and compose securely ❋ ✶ ❋ ✶ ❋ ✸ ❋ ✶ ❋ ✸ ❋ ✸ ❋ ✷ ❋ ✷ ❋ ✷ • Common Solution: (Strong) Non-Interference 2 Definition ( t − (Strong) Non-Interference) A circuit gadget G is t − (Strong) Non-Interfering ( t -(S)NI) if and only if for any set of t ✶ probes on its intermediate values and every set of t ✷ probes on its output shares with t ✶ + t ✷ � t , the totality of the probes can be simulated with t ✶ + t ✷ (only t ✶ ) shares of each input. 2 G. Barthe, S. Belaïd, F . Dupressoir, P .-A. Fouque, B. Gregoire, P .-Y. Strub and R. Zucchini, Strong Non-Interference and Type-Directed Higher-Order Masking , CCS 2016 Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 5

  15. ❋ ✶ ❋ ✷ Potential Flaws Introduction Local Flaw: Probing security of masked module is reduced. Example: 2nd-order masking ❋ ✶ Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 6

  16. Potential Flaws Introduction Local Flaw: Probing security of masked module is reduced. Example: 2nd-order masking ❋ ✶ Compositional Flaw: Probing security of composition of modules is reduced. Example: 2nd-order masking ❋ ✶ ❋ ✷ Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 6

  17. Robust Probing Introduction • Physical defaults (glitches, transitions, coupling) reduce masking order in practice • Numerous higher-order hardware-oriented masking schemes: • CMS: Consolidated Masking Schemes • DOM: Domain-Oriented Masking • UMA: Unified Masking Approach • GLM: Generic Low-Latency Masking Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 7

  18. Robust Probing Introduction • Physical defaults (glitches, transitions, coupling) reduce masking order in practice • Numerous higher-order hardware-oriented masking schemes: • CMS: Consolidated Masking Schemes • DOM: Domain-Oriented Masking • UMA: Unified Masking Approach • GLM: Generic Low-Latency Masking • Due to lack of model: Mostly focused on glitch-resistant (local) probing security • Dedicated extension of probing model to hardware masking: Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 7

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan)

Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan)

Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan) 2017-09-29 1 quick intro to masking masking = countermeasure against DPA idea: secret sharing b = b 1 + b 2 individual shares tell you nothing

752 views • 45 slides
Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso,

Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso,

Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso, Franois-Xavier Standaert Radbout University Nijmegen (The Netherlands), UCL (Belgium) EUROCRYPT 2018, Tel Aviv, Israel Motivation (side-channel security

775 views • 52 slides
Amortized Complexity of Zero- Knowledge Proofs Revisited: Achieving Linear Soundness Slack

Amortized Complexity of Zero- Knowledge Proofs Revisited: Achieving Linear Soundness Slack

Amortized Complexity of Zero- Knowledge Proofs Revisited: Achieving Linear Soundness Slack Ronald Cramer (CWI) Ivan Damgrd (AU) Chaoping Xing (NTU) ChenYuan (NTU) Eprint 2016/681 Integer One-Way Function (iOWF) maps integers to finite

582 views • 32 slides
Proofs as Programs Revisited Ryota Akiyoshi Waseda Institute for Advanced Study Keio

Proofs as Programs Revisited Ryota Akiyoshi Waseda Institute for Advanced Study Keio

Proofs as Programs Revisited Ryota Akiyoshi Waseda Institute for Advanced Study Keio University July 27th., 2018 1 / 26 Aim of This Talk The aim is to revisit Schwichtenbergs works by focusing on parameter subsystems of

694 views • 47 slides
Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and Franois-Xavier Standaert UCL (Louvain-la-Neuve, Belgium) CHES 2017, Taipei, Taiwan Outline Background Masking Barthe et al. masking

614 views • 48 slides
Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on

Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on

Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on the spatial attribute type. Proposal part 2 Details of the masking attribute addition. Table 3-13 - S100_GF_SpatialAttributeType Role Name

558 views • 8 slides
Enhanced Target Collision Resistant Hash Functions Revisited Mohammad-Reza Reyhanitabar, Willy

Enhanced Target Collision Resistant Hash Functions Revisited Mohammad-Reza Reyhanitabar, Willy

Centre for Computer and Information Security Research Enhanced Target Collision Resistant Hash Functions Revisited Mohammad-Reza Reyhanitabar, Willy Susilo, and Yi Mu Centre for Computer and Information Security Research University of

230 views • 21 slides
Optimized or Balanced Mix Design Crack Resistant Rut Resistant Resistant to Moisture

Optimized or Balanced Mix Design Crack Resistant Rut Resistant Resistant to Moisture

Optimized or Balanced Mix Design Crack Resistant Rut Resistant Resistant to Moisture Damage 1 Balanced Mix Design: ETG Definition Asphalt mix design using performance tests on appropriately conditioned specimens that address

480 views • 46 slides
Glitch and veto studies in LIGOs S5 search for gravitational wave bursts Erik Katsavounidis

Glitch and veto studies in LIGOs S5 search for gravitational wave bursts Erik Katsavounidis

Glitch and veto studies in LIGOs S5 search for gravitational wave bursts Erik Katsavounidis MIT for the LIGO Scientific Collaboration 11 th GWDAW, Potsdam, Germany December 19, 2006 LIGO-G060638-00-Z 1 Glitch study requirements Low

481 views • 19 slides
Gravitational waves from the pulsar glitch recovery period Mark Bennett Anthony van Eysden

Gravitational waves from the pulsar glitch recovery period Mark Bennett Anthony van Eysden

Gravitational waves from the pulsar glitch recovery period Mark Bennett Anthony van Eysden Andrew Melatos University of Melbourne Overview Different types of signal from a pulsar glitch Calculate GW signal using simple model of a

404 views • 15 slides
Low Randomness Masking and Shulfifgn: An Evaluation Using Mutual Information Kostas

Low Randomness Masking and Shulfifgn: An Evaluation Using Mutual Information Kostas

Low Randomness Masking and Shulfifgn: An Evaluation Using Mutual Information Kostas Papagiannopoulos kostaspap88@gmail.com kpcrypto.net Radboud University Nijmegen Digital Security Department The Netherlands 1 Overview Masking,

785 views • 46 slides
On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun Goudarzi and Matthieu Rivain CHES 2016, Santa-Barbara Higher-Order Masking x = x 1 + x 2 + + x d 2/28 Higher-Order Masking x = x 1 + x 2 +

855 views • 42 slides
Proofs, Continued Today Proofs : A style guide Proofs should be easy to

Proofs, Continued Today Proofs : A style guide Proofs should be easy to

Euclid (300 BC) Proofs, Continued Today Proofs : A style guide Proofs should be easy to verify. All the cleverness goes into finding/writing the proof, not reading/verifying it! P vs. NP (informally) : P =

682 views • 21 slides
Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth workshop Introduction to the workshop PROOFS: Security Proofs for Embedded Systems UCSB August 20, 2016 5th edition of PROOFS PROOFS 2012:

311 views • 7 slides
Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Introduction RSM: Rotating Sboxes Masking Information Theoretic Evaluation of RSM Security Evaluation of RSM against CPA and 2O-CPA Conclusions and Perspectives Formal Analysis of the Entropy / Security Trade-off in First-Order Masking

539 views • 38 slides
Disclosures Masking and Breast Density Volpare Health Solutions (Wellington, New Zealand) Can we

Disclosures Masking and Breast Density Volpare Health Solutions (Wellington, New Zealand) Can we

6/8/2017 Disclosures Masking and Breast Density Volpare Health Solutions (Wellington, New Zealand) Can we Quantify Masking Risk? co-founder and shareholder Qview Medical (Los Altos, CA) Nico Karssemeijer consultant, co-founder and

883 views • 18 slides
Compositional Certification John Rushby Computer Science Laboratory SRI International Menlo

Compositional Certification John Rushby Computer Science Laboratory SRI International Menlo

Compositional Certification John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Compositional Certification: 1 Systems, Components, and Properties Security, for example, is a system property

522 views • 17 slides
Semantics CMSC 723 / LING 723 / INST 725 M ARINE C ARPUAT marine@cs.umd.edu Last week Intro to

Semantics CMSC 723 / LING 723 / INST 725 M ARINE C ARPUAT marine@cs.umd.edu Last week Intro to

Compositional Semantics CMSC 723 / LING 723 / INST 725 M ARINE C ARPUAT marine@cs.umd.edu Last week Intro to Semantics Meaning representations motivated by semantic processing for specific applications 2 approaches to semantic

426 views • 40 slides
Compositional Software Model Checking Dan R. Ghica Oxford University Computing Laboratory

Compositional Software Model Checking Dan R. Ghica Oxford University Computing Laboratory

Compositional Software Model Checking Dan R. Ghica Oxford University Computing Laboratory October 18, 2002 Outline of talk program verification issues the semantic challenge programming languages the logical challenge

854 views • 38 slides
A compositional approach to statistical computing, machine learning, and probabilistic

A compositional approach to statistical computing, machine learning, and probabilistic

A compositional approach to statistical computing, machine learning, and probabilistic programming Darren Wilkinson @darrenjw darrenjw.github.io Newcastle University, UK / The Alan Turing Institute Bristol Data Science Seminar Bristol

687 views • 45 slides
Certifying Compositional Model Checking Algorithms in ACL2 Sandip Ray John Matthews Mark Tuttle

Certifying Compositional Model Checking Algorithms in ACL2 Sandip Ray John Matthews Mark Tuttle

Certifying Compositional Model Checking Algorithms in ACL2 Sandip Ray John Matthews Mark Tuttle ACL2 Workshop Presentation July 14, 2003 Outline Motivation and Goals Technical Background Comments on Our Work Issues and

609 views • 31 slides
Numerical Solution of Compositional Two-Phase Flow in Porous Media P. Bastian Collaborators: M.

Numerical Solution of Compositional Two-Phase Flow in Porous Media P. Bastian Collaborators: M.

Numerical Solution of Compositional Two-Phase Flow in Porous Media P. Bastian Collaborators: M. Blatt, O. Ippisch, R. Neumann Universit at Heidelberg Interdisziplin ares Zentrum f ur Wissenschaftliches Rechnen Im Neuenheimer Feld 368,

567 views • 34 slides
Per-Thread Compositional Compilation for Confidentiality-Preserving Concurrent Programs Robert

Per-Thread Compositional Compilation for Confidentiality-Preserving Concurrent Programs Robert

Per-Thread Compositional Compilation for Confidentiality-Preserving Concurrent Programs Robert Sison 13 Jan 2018 THE UNIVERSITY OF NEW SOUTH WALES www.data61.csiro.au A confidentiality-preserving program Cross Domain Desktop Compositor

1.49k views • 118 slides
Compositional Program Analysis using Max-SMT Albert Rubio Cristina Borralleras, Marc

Compositional Program Analysis using Max-SMT Albert Rubio Cristina Borralleras, Marc

Compositional Program Analysis using Max-SMT Albert Rubio Cristina Borralleras, Marc Brockschmidt, Daniel Larraz, Albert Oliveras, Jos Miguel Rivero and Enric Rodrguez-Carbonell Universitat Politcnica de Catalunya - Barcelona Tech UCM

1.2k views • 96 slides

More recommend