
M&M: Masks and Macs against Physical Attacks (CHES 2019) - PowerPoint PPT Presentation



  1. M&M: Masks and Macs against Physical Attacks, CHES 2019
     Lauren De Meyer, Victor Arribas, Svetla Nikova, Ventzislav Nikov, Vincent Rijmen

  2. BACK TO THE 90'S
     • Differential Power Analysis (DPA) – Paul Kocher et al. 1999 [KJJ99]
     • Differential Fault Analysis (DFA) – Biham and Shamir 1997 [BS97]
     [KJJ99] Paul C. Kocher, Joshua Jaffe, Benjamin Jun: Differential Power Analysis. CRYPTO 1999: 388-397
     [BS97] Eli Biham, Adi Shamir: Differential Fault Analysis of Secret Key Cryptosystems. CRYPTO 1997: 513-525

  3. COUNTERMEASURES
     • Against side-channel attacks:
       o Hiding
       o Masking: a masked AES takes the input shares $p_1, \dots, p_d$ and produces the output shares $c_1, \dots, c_d$
     • Against fault attacks:
       o Repetition, redundancy (EDC, tags, …): an AES with redundancy takes $p$ and produces $c$ together with the redundancy $R$ (or a tag $\tau_p$ is carried along to $\tau_c$)
       o Detection, correction or infection

  4. COMBINED COUNTERMEASURES
     [figure: the input shares $p_1, \dots, p_d$ and their tag shares $\tau^p_1, \dots, \tau^p_d$ enter an unknown block "?", which outputs the shares $c_1, \dots, c_d$ and the tag shares $\tau^c_1, \dots, \tau^c_d$]

  5. THRESHOLD CRYPTO
                           MPC                                Embedded Systems
     Passive (SCA)         Shamir's Secret Sharing [Sha79]    Masking ([ISW03], [NRS11], …)
     Active (SCA+FA)       SPDZ [DPS+12], …                   …
     [Sha79] Adi Shamir: How to Share a Secret. Commun. ACM 22(11): 612-613 (1979)
     [DPS+12] Ivan Damgård, Valerio Pastro, Nigel P. Smart, Sarah Zakarias: Multiparty Computation from Somewhat Homomorphic Encryption. CRYPTO 2012: 643-662
     [NRS11] Svetla Nikova, Vincent Rijmen, Martin Schläffer: Secure Hardware Implementation of Nonlinear Functions in the Presence of Glitches. J. Cryptology 24(2): 292-321 (2011)
     [ISW03] Yuval Ishai, Amit Sahai, David A. Wagner: Private Circuits: Securing Hardware against Probing Attacks. CRYPTO 2003: 463-481

  6. TWO ROUTES
     • Extension of masking schemes:
       o ParTI [SMG16]
       o [SFE+18]
       o New: M&M
     • CAPA [RDB+18]: based on the active MPC protocol SPDZ
     [RDB+18] Oscar Reparaz, Lauren De Meyer, Begül Bilgin, Victor Arribas, Svetla Nikova, Ventzislav Nikov, Nigel P. Smart: CAPA: The Spirit of Beaver Against Physical Attacks. CRYPTO (1) 2018: 121-151
     [SMG16] Tobias Schneider, Amir Moradi, Tim Güneysu: ParTI - Towards Combined Hardware Countermeasures Against Side-Channel and Fault-Injection Attacks. CRYPTO (2) 2016: 302-332
     [SFE+18] Okan Seker, Abraham Fernandez-Rubio, Thomas Eisenbarth, Rainer Steinwandt: Extending Glitch-Free Multiparty Protocols to Resist Fault Injection Attacks. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(3): 394-430 (2018)

  7. M&M: The essentials

  8. ADVERSARY MODEL
     • Side-channel adversary:
       o $d$-probing model
     • Faulting adversary:
       o Fault = stochastic additive error, unlimited number of bits
       o Fault = exact, limited to $d$ shares
     • Combined adversary

  9. INFORMATION-THEORETIC MAC TAGS
     Data block $x \in GF(2^k)$; tag $\tau_x = \alpha x \in GF(2^{km})$; MAC key $\alpha \in GF(2^{km})$
     • The key is used once!
     • The key is secret!
     $\Pr[\text{compromised } (x, \tau_x) \text{ is consistent}] = 2^{-km}$

  10. INFORMATION-THEORETIC MAC TAGS: MOTIVATION
     • Suppose $\alpha$ is fixed (not secret)
       o ~ linear code
       o ~ ParTI [SMG16]
       o Fault model: limited in HW (Hamming weight)
     • Combined attacks
       o Adversary has "some" side-channel information
       o $x \to x \oplus \Delta$, $\tau_x \to \tau_x \oplus\ ?$
       ⇒ make $\alpha$ secret
     [SMG16] Tobias Schneider, Amir Moradi, Tim Güneysu: ParTI - Towards Combined Hardware Countermeasures Against Side-Channel and Fault-Injection Attacks. CRYPTO (2) 2016: 302-332

  11. MASKED MULTIPLIER
     Shared inputs $x$, $y$; shared output $z = xy$
     • ISW, TI, DOM, CMS, …
     • Example ($d = 1$):
       $z_1 = x_1 y_1 \oplus [x_1 y_2 \oplus r]$
       $z_2 = x_2 y_2 \oplus [x_2 y_1 \oplus r]$

  12. M&M MULTIPLICATION
     Masks: $x \times y \to xy$ (the masked multiplier gives the shares of $z = xy$)
     MACs: $\tau_x \times \tau_y \to \alpha^2 xy$ (but the tag of $z$ should be $\tau_z = \alpha xy$)

  13. M&M MULTIPLICATION
     Masks: $x \times y \to xy$
     MACs: $\tau_x \times \tau_y \to \alpha^2 xy$, then $\times\ \alpha^{-1} \to \alpha xy = \tau_z$

  14. OR OTHER OPERATIONS …
     Masks: $x \to x^{2n+1}$ via $(\cdot)^{2n+1}$
     MACs: $\tau_x \to \tau_x^{2n+1} = \alpha^{2n+1} x^{2n+1}$, then $\times\ \alpha^{-2n} \to \alpha x^{2n+1} = \tau_z$

  15. AND EVEN …
     Masks: $x \to x^{-1}$ via $(\cdot)^{-1}$
     MACs: $\tau_x \to \tau_x^{-1} = \alpha^{-1} x^{-1}$, then $\times\ \alpha^{2} \to \alpha x^{-1} = \tau_z$

  16. BUILDING BLOCKS FOR ANY ALGORITHM
     Many flavors of masking → many flavors of M&M

  17. Masked encryption datapath: $\mathrm{Enc}$ maps the shared plaintext $p$ to the shared ciphertext $c$.
      Masked tag datapath: $\mathrm{MAC}$ produces the tag $\tau_p$, and a second (masked) tag datapath maps $\tau_p$ to $\tau_c$.
      Now what?

  18. Same datapaths as before, with a final check: $\alpha c = \tau_c$?

  19. Vulnerable to combined attacks!
      (the final check $\alpha c = \tau_c$? on the two datapaths of the previous slide)

  20. INFECTIVE COMPUTATION [LRT12]
     PRNG gives $R \neq 0, 1$; $\mathrm{Enc}(p) = c$ and a redundant $\mathrm{Enc}(p) = c'$
     Infect: output $c \oplus R \cdot (c \oplus c')$
     Broken by [BG13] (bias on $R$)
     [LRT12] V. Lomné, T. Roche, and A. Thillard. On the need of randomness in fault attack countermeasures - application to AES. In G. Bertoni and B. Gierlichs, editors, FDTC 2012, pages 85–94. IEEE Computer Society, 2012.
     [BG13] A. Battistello and C. Giraud. Fault analysis of infective AES computations. In W. Fischer and J. Schmidt, editors, FDTC 2013, pages 101–107. IEEE Computer Society, 2013.

  21. PROPOSAL
     PRNG gives $R \neq 0$; Infect takes the shares of $c$, $\tau_c$ and $\alpha$ and outputs, per share $i$: $c_i \oplus R \cdot (\alpha c_i \oplus \tau_{c,i})$
     Unshared: $c \oplus R \cdot (\alpha c \oplus \tau_c) = c$ if the tags are ok, else random

  22. NO BIAS?
     • A faulty evaluation gives $\tilde{c} = c \oplus \Delta$
     • Output: $c \oplus \Delta \oplus R \cdot (\alpha(c \oplus \Delta) \oplus \tau_c) = c \oplus \Delta \oplus R \cdot (\alpha c \oplus \alpha\Delta \oplus \tau_c) = c \oplus \Delta(1 \oplus R\alpha)$
     • Is $\Delta(1 \oplus R\alpha)$ uniformly random?
     • Yes, if $\alpha$ is uniform in $\mathbb{F}$ and $R$ is uniform in $\mathbb{F}^*$
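As an added example, not taken from the M&M slides or the authors' implementation, the following Python models the tag arithmetic of slides 9 and 12 to 15 and the infective output of slides 21 and 22 in the plain (unmasked) AES field GF(2^8), i.e. k = 8 and m = 1; the function names are my own and the sharing of the operands is left out.

```python
POLY = 0x11B  # GF(2^8) modulus x^8+x^4+x^3+x+1 of the AES field (k = 8, m = 1)

def gf_mul(a, b):
    # carry-less multiply of two bytes, reduced modulo POLY
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (POLY if a & 0x80 else 0)
        b >>= 1
    return r

def gf_pow(a, e):
    r = 1
    for _ in range(e):
        r = gf_mul(r, a)
    return r

def gf_inv(a):
    return gf_pow(a, 254)  # a^(2^8 - 2) = a^-1 for a != 0

def tag(alpha, x):
    return gf_mul(alpha, x)  # information-theoretic tag tau_x = alpha * x (slide 9)

def tag_mul(alpha, tx, ty):
    # tau_x * tau_y = alpha^2 * x * y, so multiply by alpha^-1 to get tau_xy (slide 13)
    return gf_mul(gf_mul(tx, ty), gf_inv(alpha))

def tag_pow(alpha, tx, n):
    # tau_x^(2n+1) = alpha^(2n+1) * x^(2n+1); correct with alpha^-2n (slide 14)
    return gf_mul(gf_pow(tx, 2 * n + 1), gf_inv(gf_pow(alpha, 2 * n)))

def tag_inv(alpha, tx):
    # tau_x^-1 = alpha^-1 * x^-1; correct with alpha^2 (slide 15)
    return gf_mul(gf_inv(tx), gf_pow(alpha, 2))

def infect(alpha, r, c, tau_c):
    # Slide 21 output c ^ R * (alpha * c ^ tau_c) with R != 0:
    # equals c when the tag is consistent, otherwise c ^ Delta * (1 ^ R * alpha).
    return c ^ gf_mul(r, gf_mul(alpha, c) ^ tau_c)

def infected_histogram(c, delta):
    # Slide 22 check: for a faulty ciphertext c ^ delta, count the released value
    # over every alpha in F and every R in F*. Each of the 256 values occurs 255
    # times (no bias); the faulty value c ^ delta itself escapes only when
    # alpha = 0, i.e. with probability 2^-8, the theoretical rate of slide 26.
    hist = [0] * 256
    for alpha in range(256):
        for r in range(1, 256):
            hist[infect(alpha, r, c ^ delta, tag(alpha, c))] += 1
    return hist
```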

  23. CASE STUDY

  24. EXAMPLE: AES
     • Using the S-box from [DRB+16]
     • Comparing the area overhead to the state of the art:
                Scheme           SCA-only [kGE]   Combined [kGE]   Overhead factor
        d = 1   CAPA [RDB+18]         3.6             30.5             8.47
                ParTI [SMG16]         7.9             20.2             2.56
                M&M                   7.6             19.2             2.53
        d = 2   CAPA [RDB+18]         5.9             55.2             9.35
                M&M                  12.6             33.2             2.63
     [DRB+16] Thomas De Cnudde, Oscar Reparaz, Begül Bilgin, Svetla Nikova, Ventzislav Nikov, Vincent Rijmen: Masking AES with d+1 Shares in Hardware. CHES 2016: 194-212
     [RDB+18] Oscar Reparaz, Lauren De Meyer, Begül Bilgin, Victor Arribas, Svetla Nikova, Ventzislav Nikov, Nigel P. Smart: CAPA: The Spirit of Beaver Against Physical Attacks. CRYPTO (1) 2018: 121-151
     [SMG16] Tobias Schneider, Amir Moradi, Tim Güneysu: ParTI - Towards Combined Hardware Countermeasures Against Side-Channel and Fault-Injection Attacks. CRYPTO (2) 2016: 302-332

  25. SIDE-CHANNEL EVALUATION
     • Spartan-6 on SAKURA-G
     • TVLA [BCD+13] (t-test)
     • 50 million traces
     [figure: t-test statistic over 1000 sample points, once with masks off and once with masks on, with the 4.5 threshold marked]
     [BCD+13] G. Becker, J. Cooper, E. De Mulder, G. Goodwill, J. Jaffe, G. Kenworthy, T. Kouzminov, A. Leiserson, M. Marson, P. Rohatgi, et al. Test vector leakage assessment (TVLA) methodology in practice. In International Cryptographic Module Conference, volume 1001, page 13, 2013.

  26. FAULT EVALUATION
     • No "standard" methods of verification
     • Adapt the HDL with the possibility to inject randomized faults (XOR)
     • Experiment: 50 000 iterations, 189 faulty ciphertexts not infected → experimental rate of detection/infection = 0.9962
     • Theoretical rate of detection/infection: $1 - 2^{-8} = 0.9961$
     • Verification methodology extended and automated in VerFI (see poster session)

  27. TAKE-AWAY
     • Cheaper than CAPA and a stronger adversary than ParTI
     • Super versatile: use any existing or future(?) masking scheme
     • Infective computation can be combined with the detection result (see paper)
     • Future work:
       o Provable security against combined attacks?
       o Verification tools for combined countermeasures?
       o Optimization: don't update the tags: $\alpha x \to \alpha^{-2} y \to \dots \to \alpha z$

  28. Thank You
