higher order side channel security and mask refreshing
play

Higher-Order Side Channel Security and Mask Refreshing J.-S. - PowerPoint PPT Presentation

May 04, 2023 •377 likes •1.14k views

Higher-Order Side Channel Security and Mask Refreshing J.-S. Coron,E. Prouff, M. Rivain and T. Roche thomas.roche@ssi.gouv.fr FSE 2013 March 2013 T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing Side Channel Analysis

  1. Higher-Order Side Channel Security and Mask Refreshing J.-S. Coron,E. Prouff, M. Rivain and T. Roche thomas.roche@ssi.gouv.fr FSE 2013 – March 2013 T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing

  2. Side Channel Analysis Side Channel Attacks (SCA) appear 15 years ago ◮ 1996 : Timing Attacks ◮ 1998 : Power Analysis ◮ 2000 : Electromagnetic Analysis Numerous attacks ◮ 1998 : (single-bit) DPA KocherJaffeJune1999 ◮ 1999 : (multi-bit) DPA Messerges99 ◮ 2000 : Higher-order SCA Messerges2000 ◮ 2002 : Template SCA ChariRaoRohatgi2002 ◮ 2004 : CPA BrierClavierOlivier2004 ◮ 2005 : Stochastic SCA SchindlerLemkePaar2006 ◮ 2008 : Mutual Information SCA GierlichsBatinaTuyls2008 ◮ etc. T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing

  3. Side Channel Analysis Side Channel Attacks (SCA) appear 15 years ago ◮ 1996 : Timing Attacks ◮ 1998 : Power Analysis ◮ 2000 : Electromagnetic Analysis Numerous attacks ◮ 1998 : (single-bit) DPA KocherJaffeJune1999 ◮ 1999 : (multi-bit) DPA Messerges99 ◮ 2000 : Higher-order SCA Messerges2000 ◮ 2002 : Template SCA ChariRaoRohatgi2002 ◮ 2004 : CPA BrierClavierOlivier2004 ◮ 2005 : Stochastic SCA SchindlerLemkePaar2006 ◮ 2008 : Mutual Information SCA GierlichsBatinaTuyls2008 ◮ etc. T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing

  4. SCA Countermeasures Masking [IBM Team at CRYPTO 1999] . ◮ Efficient against SCA in practice. ◮ Difficult to implement for non-linear transformations. Shuffling [Researchers from Graz University at ACNS 2006] . ◮ Less efficient against SCA in practice. ◮ Easy to implement for every transformation. Whitening [Kocher Jaffe June, CRYPTO 1999] . ◮ Less efficient than masking when used alone and costly in Hardware. ◮ Easy to implement for every transformation. T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing

  5. SCA Countermeasures Masking [IBM Team at CRYPTO 1999] . ◮ Efficient against SCA in practice. ◮ Difficult to implement for non-linear transformations. Shuffling [Researchers from Graz University at ACNS 2006] . ◮ Less efficient against SCA in practice. ◮ Easy to implement for every transformation. Whitening [Kocher Jaffe June, CRYPTO 1999] . ◮ Less efficient than masking when used alone and costly in Hardware. ◮ Easy to implement for every transformation. T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing

  6. SCA Countermeasures Masking [IBM Team at CRYPTO 1999] . ◮ Efficient against SCA in practice. ◮ Difficult to implement for non-linear transformations. Shuffling [Researchers from Graz University at ACNS 2006] . ◮ Less efficient against SCA in practice. ◮ Easy to implement for every transformation. Whitening [Kocher Jaffe June, CRYPTO 1999] . ◮ Less efficient than masking when used alone and costly in Hardware. ◮ Easy to implement for every transformation. T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing

  7. SCA Countermeasures Masking [IBM Team at CRYPTO 1999] . ◮ Efficient against SCA in practice. ◮ Difficult to implement for non-linear transformations. Shuffling [Researchers from Graz University at ACNS 2006] . ◮ Less efficient against SCA in practice. ◮ Easy to implement for every transformation. Whitening [Kocher Jaffe June, CRYPTO 1999] . ◮ Less efficient than masking when used alone and costly in Hardware. ◮ Easy to implement for every transformation. T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing

  8. Masking/Sharing Coutermeasures Idea : consists in securing the implementation using secret sharing techniques. First Ideas in GoubinPatarin99 and ChariJutlaRaoRohatgi99 . Soundness based on the following remark : [Chari-Jutla-Rao-Rohatgi CRYPTO’99] ◮ Bit x masked �→ x 0 , x 1 , . . . , x d ◮ Leakage : L i ∼ x i + N ( µ, σ 2 ) � � � � ◮ # of leakage samples to test ( L i ) i | x = 0 = ( L i ) i | x = 1 : q ≥ O (1) σ d Until now, security proofs are not unconditional and are ”limited” to so-called probing adversaries. T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing

  9. Masking/Sharing Coutermeasures Idea : consists in securing the implementation using secret sharing techniques. First Ideas in GoubinPatarin99 and ChariJutlaRaoRohatgi99 . Soundness based on the following remark : [Chari-Jutla-Rao-Rohatgi CRYPTO’99] ◮ Bit x masked �→ x 0 , x 1 , . . . , x d ◮ Leakage : L i ∼ x i + N ( µ, σ 2 ) � � � � ◮ # of leakage samples to test ( L i ) i | x = 0 = ( L i ) i | x = 1 : q ≥ O (1) σ d Until now, security proofs are not unconditional and are ”limited” to so-called probing adversaries. T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing

  10. Masking/Sharing Coutermeasures Idea : consists in securing the implementation using secret sharing techniques. First Ideas in GoubinPatarin99 and ChariJutlaRaoRohatgi99 . Soundness based on the following remark : [Chari-Jutla-Rao-Rohatgi CRYPTO’99] ◮ Bit x masked �→ x 0 , x 1 , . . . , x d ◮ Leakage : L i ∼ x i + N ( µ, σ 2 ) � � � � ◮ # of leakage samples to test ( L i ) i | x = 0 = ( L i ) i | x = 1 : q ≥ O (1) σ d Until now, security proofs are not unconditional and are ”limited” to so-called probing adversaries. T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing

  11. Masking/Sharing Coutermeasures Idea : consists in securing the implementation using secret sharing techniques. First Ideas in GoubinPatarin99 and ChariJutlaRaoRohatgi99 . Soundness based on the following remark : [Chari-Jutla-Rao-Rohatgi CRYPTO’99] ◮ Bit x masked �→ x 0 , x 1 , . . . , x d ◮ Leakage : L i ∼ x i + N ( µ, σ 2 ) � � � � ◮ # of leakage samples to test ( L i ) i | x = 0 = ( L i ) i | x = 1 : q ≥ O (1) σ d Until now, security proofs are not unconditional and are ”limited” to so-called probing adversaries. T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing

  12. Probing Adversary Notion introduced in IshaiSahaiWagner, CRYPTO 2003 A d th -order probing adversary is allowed to observe at most d intermediate results during the overall algorithm processing. ◮ Hardware interpretation : d is the maximum of wires observed in the circuit. ◮ Software interpretation : d is the maximum of different timings during the processing. d th -order probing adversary = d th -order SCA as introduced in Messerges99 . Countermeasures proved to be secure against a d th -order probing adv. : ◮ d = 1 : KocherJaffeJune99 , Bl¨ omerGuajardoKrummel04 , ProuffRivain07 . ◮ d = 2 : RivainDottaxProuff08 . ◮ d ≥ 1 : IshaiSahaiWagner03 , ProuffRoche11 , GenelleProuffQuisquater11 , CarletGoubinProuffQuisquaterRivain12 . T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing

  13. Probing Adversary Notion introduced in IshaiSahaiWagner, CRYPTO 2003 A d th -order probing adversary is allowed to observe at most d intermediate results during the overall algorithm processing. ◮ Hardware interpretation : d is the maximum of wires observed in the circuit. ◮ Software interpretation : d is the maximum of different timings during the processing. d th -order probing adversary = d th -order SCA as introduced in Messerges99 . Countermeasures proved to be secure against a d th -order probing adv. : ◮ d = 1 : KocherJaffeJune99 , Bl¨ omerGuajardoKrummel04 , ProuffRivain07 . ◮ d = 2 : RivainDottaxProuff08 . ◮ d ≥ 1 : IshaiSahaiWagner03 , ProuffRoche11 , GenelleProuffQuisquater11 , CarletGoubinProuffQuisquaterRivain12 . T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing

  14. Higher-Order Masking Schemes Achieving security in the probing adversary model Definition A dth-order masking scheme for an encryption algorithm c ← E ( m , k ) is an algorithm ( c 0 , c 1 , . . . , c d ) ← E ′ � � ( m 0 , m 1 , . . . , m d ) , ( k 0 , k 1 , . . . , k d ) Completeness : there exists R s.t. : R ( c 0 , · · · , c d ) = E ( m , k ) Security : ∀{ iv 1 , iv 2 , . . . , iv d } ⊆ { intermediate var. of E ′ } : � � � � Pr k | iv 1 , iv 2 , . . . , iv d = Pr k For SPN ( eg. DES, AES) the main issue is masking the S-box. T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing

  15. Higher-Order Masking Schemes Achieving security in the probing adversary model Definition A dth-order masking scheme for an encryption algorithm c ← E ( m , k ) is an algorithm ( c 0 , c 1 , . . . , c d ) ← E ′ � � ( m 0 , m 1 , . . . , m d ) , ( k 0 , k 1 , . . . , k d ) Completeness : there exists R s.t. : R ( c 0 , · · · , c d ) = E ( m , k ) Security : ∀{ iv 1 , iv 2 , . . . , iv d } ⊆ { intermediate var. of E ′ } : � � � � Pr k | iv 1 , iv 2 , . . . , iv d = Pr k For SPN ( eg. DES, AES) the main issue is masking the S-box. T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Tight Private Circuits: Achieving Probing Security with the Least Refreshing Sonia Belaid,

Tight Private Circuits: Achieving Probing Security with the Least Refreshing Sonia Belaid,

Tight Private Circuits: Achieving Probing Security with the Least Refreshing Sonia Belaid, Dahmun Goudarzi, and Matthieu Rivain dahmun.goudarzi@pqshield.com 1 Side-Channel Attacks and Higher-Order Masking in 1 in 2 in 3

655 views • 52 slides
Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

8 + Introduction Higher Order Masking Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved Scheme Experimental Results J.-S. Coron 1 E. Prouff 2 M. Rivain 1 , 2 Conclusion 1 University of

555 views • 43 slides
Generalized Polynomial Decomposition for S-boxes with Application to Side-Channel Countermeasures

Generalized Polynomial Decomposition for S-boxes with Application to Side-Channel Countermeasures

Generalized Polynomial Decomposition for S-boxes with Application to Side-Channel Countermeasures Dahmun Goudarzi, Matthieu Rivain, Srinivas Vivek, and Damien Vergnaud Background 2 Secure Software S-box Implementations Higher-Order

636 views • 25 slides
Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers

Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers

Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers will always cheat xkcd #538 What is side channel cryptanalysis? Side Channels: whatever the designers ignored Key Plaintext Encryption Cipher

1.14k views • 112 slides
Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com MCrypt Seminar Aug. 11th 2014 Outline 1 Introduction 2 Modeling side-channel leakage 3 Achieving provable security against SCA

1.62k views • 92 slides
Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of Technology, The Netherlands May 6, 2018 Outline 1 Side-channels 2 Implementation Attacks 3 Side-channel Attacks 4 Fault Injection 2 / 48

824 views • 48 slides
Side Channels CS 161: Computer Security Prof. David Wagner April 23, 2013 UI Side Channel

Side Channels CS 161: Computer Security Prof. David Wagner April 23, 2013 UI Side Channel

Side Channels CS 161: Computer Security Prof. David Wagner April 23, 2013 UI Side Channel Snooping Scenario: Ann the Attacker works in a building across the street from Victor the Victim. Late one night Ann can see Victor hard at work in

727 views • 44 slides
How to mask S-Boxes of a block cipher against side channel attacks. Focus on the AES. Micha el

How to mask S-Boxes of a block cipher against side channel attacks. Focus on the AES. Micha el

Introduction Masking based on Look-up tables How to mask (additively) basic operations? Method based on multiplicative masking Method based on Square and Multiply and addition chains Method based on the tower field representation

824 views • 54 slides
Towards Super-Exponential Side-Channel Security with Efficient Leakage-Resilient PRFs M. Medwed,

Towards Super-Exponential Side-Channel Security with Efficient Leakage-Resilient PRFs M. Medwed,

Towards Super-Exponential Side-Channel Security with Efficient Leakage-Resilient PRFs M. Medwed, F.-X. Standaert , A. Joux NXP & UCL Crypto Group & Univ. Versailles CHES 2012, Leuven, Belgium SCA security (implementation level) 1 SCA

857 views • 70 slides
HO in Coq Guillaume Ambal, Sergue Lenglet and Alan Schmitt Higher-Order -calculus

HO in Coq Guillaume Ambal, Sergue Lenglet and Alan Schmitt Higher-Order -calculus

HO in Coq Guillaume Ambal, Sergue Lenglet and Alan Schmitt Higher-Order -calculus Model of concurrent and communicating systems First-order: inert data (channel names, . . . ) Higher-order: executable processes

866 views • 57 slides
York University www.cs.york.ac.uk/~ndm First order vs Higher order Higher order:

York University www.cs.york.ac.uk/~ndm First order vs Higher order Higher order:

First Order Haskell Neil Mitchell York University www.cs.york.ac.uk/~ndm First order vs Higher order Higher order: functions are values Can be passed around Stored in data structure Harder for reasoning and analysis More

483 views • 15 slides
Evaluating the Security of Implementations Against Side Channel Attacks Activities from ANSSI

Evaluating the Security of Implementations Against Side Channel Attacks Activities from ANSSI

Evaluating the Security of Implementations Against Side Channel Attacks Activities from ANSSI Laboratory for Embedded Security Emmanuel Prouff emmanuel.prouff@ssi.gouv.fr Agence Nationale de la S ecurit e des Syst` emes dInformation

790 views • 68 slides
CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security Introduction Meltdown Papers Spectre Attacks: Exploiting Speculative Execution, IEEE Security and Privacy (S&P), 2019 (Dustin)

726 views • 44 slides
Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu

Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu

8 + Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu Rivain 1 , 2 , Emmanuelle Dottax 1 & Emmanuel Prouff 1 Oberthur Card Systems University of Luxembourg February 11, 2008 M. Rivain, E.

812 views • 64 slides
Fresh Re-Keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices Marcel

Fresh Re-Keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices Marcel

VLSI Institute for Applied Information Processing and Communications (IAIK) VLSI & Security Fresh Re-Keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices Marcel Medwed Franois-Xavier Standaert Johann

814 views • 28 slides
LoRa Reverse Engineering and AES EM Side-Channel Attacks using SDR Pieter Robyns About me

LoRa Reverse Engineering and AES EM Side-Channel Attacks using SDR Pieter Robyns About me

LoRa Reverse Engineering and AES EM Side-Channel Attacks using SDR Pieter Robyns About me PhD student at Hasselt University since 2014 Since 2016 on FWO SBO research grant Researching wireless security Protocol security,

803 views • 57 slides
Spacing Integers and strings Unplugged activity: Use Mentos and bottle caps to

Spacing Integers and strings Unplugged activity: Use Mentos and bottle caps to

Spacing Integers and strings Unplugged activity: Use Mentos and bottle caps to demonstrate variables Decision Maker (js) CHALLENGE Could you make a magic 8 ball game? Flowchart Decision Maker (no branching) Flowchart

342 views • 32 slides
NADA Algorithm Update and Test Case Evalua9ons

NADA Algorithm Update and Test Case Evalua9ons

NADA Algorithm Update and Test Case Evalua9ons dra:-zhu-rmcat-nada Xiaoqing Zhu, Rong Pan, Michael Ramalho, Sergio Mena, Charles Ganzhorn, Paul

602 views • 36 slides
Legacy is sexy and this room is hot Story Drivers Tips Enterprise SOA / Quality Agile /

Legacy is sexy and this room is hot Story Drivers Tips Enterprise SOA / Quality Agile /

Legacy is sexy and this room is hot Story Drivers Tips Enterprise SOA / Quality Agile / Scrum Solution Coaching Java Integration Viktor Grgi @vgrgic, LeanArch.eu dinsdag 25 juni 13 1 Why this talk? Remove from tech dictionary

831 views • 43 slides
WHO O WE ARE RE Solutio tion Provider er Innovatio tion Par artner er Airline lines

WHO O WE ARE RE Solutio tion Provider er Innovatio tion Par artner er Airline lines

WHO O WE ARE RE Solutio tion Provider er Innovatio tion Par artner er Airline lines Post ost-Book ooking ing COVI VID Throug ough Accele lerate Progr ogram am 12 people le Bas ased ed in Par aris #Rev evenu nueMa

536 views • 18 slides
T15: 402.8.3 Off Detector Electronics Colin Jessop, University of Notre Dame US-MTD Technical

T15: 402.8.3 Off Detector Electronics Colin Jessop, University of Notre Dame US-MTD Technical

T15: 402.8.3 Off Detector Electronics Colin Jessop, University of Notre Dame US-MTD Technical Review 15-16 November 2018 Outline Requirements Design R&D and prototyping plan, maturity, milestones Production-era: QA and QC

317 views • 17 slides
Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint work with C. Carlet, L. Goubin,

Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint work with C. Carlet, L. Goubin,

Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint work with C. Carlet, L. Goubin, E. Prouff and M. Quisquater FSE 2012 Washington DC, 21st March 2012 Higher-Order Masking Schemes for S-boxes Outline 1 Introduction 2

1.33k views • 98 slides
On the (im-) possibility of cold to warm distillation Henning Struchtrup University of Victoria,

On the (im-) possibility of cold to warm distillation Henning Struchtrup University of Victoria,

xxxx On the (im-) possibility of cold to warm distillation Henning Struchtrup University of Victoria, Canada Signe Kjelstrup & Dick Bedeaux NTNU Trondheim Non-eq. condensation/evaporation [e.g., Kjelstrup & Bedeaux 2010] mass flux j ,

560 views • 17 slides
Decentralized Dynamic Scheduling across Heterogeneous Multi core across Heterogeneous Multi

Decentralized Dynamic Scheduling across Heterogeneous Multi core across Heterogeneous Multi

Decentralized Dynamic Scheduling across Heterogeneous Multi core across Heterogeneous Multi core Desktop Grids J Jaehwan Lee , Pete Keleher, Alan Sussman h L P t K l h Al S Department of Computer Science University of Maryland Multi

357 views • 25 slides

More recommend