Physical Defaults & the Robust Probing Model Sebastian Faust, - - PowerPoint PPT Presentation

Composable Masking Schemes in the Presence of Physical Defaults & the Robust Probing Model

Sebastian Faust, Vincent Grosso, Santos Merino Del Pozo, Clara Paglialonga, François-Xavier Standaert

TU Darmstadt (Germany), Radbout University Nijmegen (The Netherlands), DarkMatter LLC (UAE), UCLouvain (Belgium)

CHES 2018, Amsterdam, The Netherlands

Masking (e.g., Boolean 𝒚 = 𝒚𝟐 + 𝒚𝟑 + ⋯ + 𝒚𝒆) 1

Noisy leakages security: Goal (ideally): 𝑂 ∝

𝑑

MI(𝑌;𝑴) MI 𝑌; 𝑴 < MI 𝑌𝑗; 𝑀𝑗 𝑒

Masking (e.g., Boolean 𝒚 = 𝒚𝟐 + 𝒚𝟑 + ⋯ + 𝒚𝒆) 1

Noisy leakages security: Goal (ideally): 𝑂 ∝

𝑑

MI(𝑌;𝑴) MI 𝑌; 𝑴 < MI 𝑌𝑗; 𝑀𝑗 𝑒 Bounded moment security:

𝑗1,𝑗2,…,𝑗𝑒−1

𝑀𝑗 𝑌

(𝑒-1)th order statistical moment (ideally)

Bounded moment security:

𝑗1,𝑗2,…,𝑗𝑒−1

𝑀𝑗 𝑌

(𝑒-1)th order statistical moment (ideally)

Masking (e.g., Boolean 𝒚 = 𝒚𝟐 + 𝒚𝟑 + ⋯ + 𝒚𝒆) 1

Noisy leakages security: Goal (ideally): 𝑂 ∝

𝑑

MI(𝑌;𝑴) MI 𝑌; 𝑴 < MI 𝑌𝑗; 𝑀𝑗 𝑒 Probing security: Sets of (𝑒-1) probes are of 𝑌 (ideally)

𝑦 = 𝑦1 + 𝑦2 + ⋯ + 𝑦𝑒

Security reductions 2

noisy leakages bounded moment probing

abstract-qualitative physical-qualitative physical-quantitative

[Barthe et al., Eurocrypt 2017]

[Duc et al., Eurocrypt 2014]

𝑦 = 𝑦1 + 𝑦2 + ⋯ + 𝑦𝑒

What can go wrong? (e.g., when computing 𝒃. 𝒄) 3

𝑏1𝑐1 𝑏1𝑐2 𝑏1𝑐3 𝑏2𝑐1 𝑏2𝑐2 𝑏2𝑐3 𝑏3𝑐1 𝑏3𝑐2 𝑏3𝑐3 ⇒ 𝑑1 𝑑2 𝑑3

Example: probing 𝑑1 = 𝑏1. 𝑐1 + 𝑐2 + 𝑐3 reveals information on 𝑐 (when 𝑑1 = 1) Issue #1. Lack of randomness (can break the independence assumption)

What can go wrong? (e.g., when computing 𝒃. 𝒄) 3

𝑏1𝑐1 𝑏1𝑐2 𝑏1𝑐3 𝑏2𝑐1 𝑏2𝑐2 𝑏2𝑐3 𝑏3𝑐1 𝑏3𝑐2 𝑏3𝑐3 + 𝑠

1

𝑠

2

𝑠

2

𝑠

3

𝑠

2

𝑠

3

⇒ 𝑑1 𝑑2 𝑑3

Issue #1. Lack of randomness (can break the independence assumption)

• mitigated by adding

«refreshing gadgets »

• can be analyzed in

the probing model

• mitigated by adding

«refreshing gadgets »

• can be analyzed in

the probing model

What can go wrong? (e.g., when computing 𝒃. 𝒄) 3

𝑏1𝑐1 𝑏1𝑐2 𝑏1𝑐3 𝑏2𝑐1 𝑏2𝑐2 𝑏2𝑐3 𝑏3𝑐1 𝑏3𝑐2 𝑏3𝑐3 + 𝑠

1

𝑠

2

𝑠

2

𝑠

3

𝑠

2

𝑠

3

⇒ 𝑑1 𝑑2 𝑑3

Issue #1. Lack of randomness (can break the independence assumption) Example: glitches (transcient values) « re-combine » the shares such that:

(detected in the bounded moment model)

𝑀𝑗 = 𝜀(𝑦1 ∙ 𝑦2 ∙ 𝑦3) Issue #2. Physical defaults

(can break the independence assumption)

• mitigated by adding

«refreshing gadgets »

• can be analyzed in

the probing model

What can go wrong? (e.g., when computing 𝒃. 𝒄) 3

𝑏1𝑐1 𝑏1𝑐2 𝑏1𝑐3 𝑏2𝑐1 𝑏2𝑐2 𝑏2𝑐3 𝑏3𝑐1 𝑏3𝑐2 𝑏3𝑐3 + 𝑠

1

𝑠

2

𝑠

2

𝑠

3

𝑠

2

𝑠

3

⇒ 𝑑1 𝑑2 𝑑3

Issue #1. Lack of randomness (can break the independence assumption)

• mitigated by adding a « non-

completeness » property

[≈ Theshold Implementations]

• abstract property: can be

analyzed in the probing model! Issue #2. Physical defaults

(can break the independence assumption)

Security notions (and scalability) 4

𝒓-probing security [ISW, 2004]: any 𝑟-tuple of shares in the protected circuit is independent

• f any sensitive variable

Security notions (and scalability) 4

𝒓-probing security [ISW, 2004]: any 𝑟-tuple of shares in the protected circuit is independent

• f any sensitive variable

Problem: the cost of testing probing security increases (very) fast with circuit size and the # of shares (since ∃ many tuples) [Barthe et al., Eurocrypt 2015]

Security notions (and scalability) 4

𝑟1 internal probes 𝑟2 output probes 𝒓-probing security [ISW, 2004]: any 𝑟-tuple of shares in the protected circuit is independent of any sensitive variable 𝑟1 + 𝑟2 ≤ 𝑟 𝒓-(Strong) Non Interference [Barthe et al., CCS 2016]: a circuit gadget (e.g., f1) is NI (SNI) if any set of 𝑟1 + 𝑟2 probes can be simulated with at most 𝑟1 + 𝑟2 (only 𝑟1) shares of each input D(input shares||probes) ≈ D(input shares||simulation)

Security notions (and scalability) 4

𝑟1 internal probes 𝑟2 output probes 𝒓-probing security [ISW, 2004]: any 𝑟-tuple of shares in the protected circuit is independent of any sensitive variable 𝑟1 + 𝑟2 ≤ 𝑟 𝒓-(Strong) Non Interference [Barthe et al., CCS 2016]: a circuit gadget (e.g., f1) is NI (SNI) if any set of 𝑟1 + 𝑟2 probes can be simulated with at most 𝑟1 + 𝑟2 (only 𝑟1) shares of each input D(input shares||probes) ≈ D(input shares||simulation)

Problem statement (simplified) 5

• Composable masking

schemes ignore physical defaults such as glitches

𝑏1𝑐1 𝑏1𝑐2 𝑏1𝑐3 𝑏2𝑐1 𝑏2𝑐2 𝑏2𝑐3 𝑏3𝑐1 𝑏3𝑐2 𝑏3𝑐3 + 𝑠

1

𝑠

2

𝑠

2

𝑠

3

𝑠

2

𝑠

3

Problem statement (simplified) 5

• Composable masking

schemes ignore physical defaults such as glitches

𝑏1𝑐1 𝑏1𝑐2 𝑏1𝑐3 𝑏2𝑐1 𝑏2𝑐2 𝑏2𝑐3 𝑏3𝑐1 𝑏3𝑐2 𝑏3𝑐3 + 𝑠

1

𝑠

2

𝑠

2

𝑠

3

𝑠

2

𝑠

3

x1 y1 x2 x3 y2 y3 f2 f1 f3

• Treshold implementations

mitigate glitches but are

• nly proven “uniform”

(≈ probing secure) ⇒ testing scales badly

• Treshold implementations

mitigate glitches but are

• nly proven “uniform”

(≈ probing secure) ⇒ testing scales badly

Problem statement (simplified) 5

• Composable masking

schemes ignore physical defaults such as glitches

𝑏1𝑐1 𝑏1𝑐2 𝑏1𝑐3 𝑏2𝑐1 𝑏2𝑐2 𝑏2𝑐3 𝑏3𝑐1 𝑏3𝑐2 𝑏3𝑐3 + 𝑠

1

𝑠

2

𝑠

2

𝑠

3

𝑠

2

𝑠

3

x1 y1 x2 x3 y2 y3 f2 f1 f3

• Design & prove masked implementations that are

(jointly!) robust against glitches and composable

(Refined) model and security definition 6

Glitch-extended probes: probing any output of a combinatorial sub- circuit allows the adversary to

• bserve all the sub-circuit inputs

Example: 𝑞1 gives 𝑏, 𝑐 and 𝑑

𝑞1

(Refined) model and security definition 6

Glitch-extended probes: probing any output of a combinatorial sub- circuit allows the adversary to

• bserve all the sub-circuit inputs

Example: 𝑞1 gives 𝑏, 𝑐 and 𝑑

𝑞1

Technical clarification: non-extended probes on the stable registers’ values have to be considered in the simulation too

𝑞2

(Refined) model and security definition 6

Glitch-extended probes: probing any output of a combinatorial sub- circuit allows the adversary to

• bserve all the sub-circuit inputs

Example: 𝑞1 gives 𝑏, 𝑐 and 𝑑

Definition: a gadget is glitch-robust 𝒓-SNI if it is 𝑟-SNI in the “glitch-extended” probing model

𝑞1

Technical clarification: non-extended probes on the stable registers’ values have to be considered in the simulation too

𝑞2

(Refined) model and security definition 6

Glitch-extended probes: probing any output of a combinatorial sub- circuit allows the adversary to

• bserve all the sub-circuit inputs

Example: 𝑞1 gives 𝑏, 𝑐 and 𝑑

Definition: a gadget is glitch-robust 𝒓-SNI if it is 𝑟-SNI in the “glitch-extended” probing model

𝒒𝟐

Technical clarification: non-extended probes on the stable registers’ values have to be considered in the simulation too

⇒ Shares’ fan in of robust gadgets should be minimum

𝑞2

(Refined) model and security definition 6

Glitch-extended probes: probing any output of a combinatorial sub- circuit allows the adversary to

• bserve all the sub-circuit inputs

Example: 𝑞1 gives 𝑏, 𝑐 and 𝑑

Definition: a gadget is glitch-robust 𝒓-SNI if it is 𝑟-SNI in the “glitch-extended” probing model

𝒒𝟐

Technical clarification: non-extended probes on the stable registers’ values have to be considered in the simulation too

⇒ Shares’ fan in of robust gadgets should be minimum ⇒ Outputs of SNI gadgets should be stored in registers

𝒒𝟑

ISW mult. is glitch-robust 𝒓-SNI in 2 cycles 7

Example with:

• 𝑒 = 3
• 𝑟 = 2

ISW mult. is glitch-robust 𝒓-SNI in 2 cycles 7

The adversary can observe:

• 12 glitch-extended probes
• 𝑣𝑗,𝑘’s and 𝑑𝑗’s
• 3 stable (output) probes 𝑑𝑗’s

⇒ We need to describe a simulator using 𝑟1 shares/input

ISW mult. is glitch-robust 𝒓-SNI in 2 cycles 7

• 1st example: 2 extended probes
• G(𝑣1,2) ≔ 𝑏1, 𝑐2, 𝑠

1,2

• G 𝑑1 ≔ 𝑣1,1, 𝑣2,1, 𝑣3,1

to simul. with 2 shares/input

ISW mult. is glitch-robust 𝒓-SNI in 2 cycles 7

• 1st example: 2 extended probes
• G(𝑣1,2) ≔ 𝑏1, 𝑐2, 𝑠

1,2

• G 𝑑1 ≔ 𝑣1,1, 𝑣2,1, 𝑣3,1
• 𝑏1, 𝑐2: use a 1st share of 𝑏, 𝑐
• 𝑠

1,2: random value

• 𝑣1,1 (𝑏1𝑐1): use a 2nd share of 𝑐
• 𝑣2,1 (𝑏2𝑐1): use a 2nd share of a
• 𝑣3,1 (𝑏3𝑐1 + 𝑠

1,3): random value

ISW mult. is glitch-robust 𝒓-SNI in 2 cycles 7

• 1st example: 2 extended probes
• G(𝑣1,2) ≔ 𝑏1, 𝑐2, 𝑠

1,2

• G 𝑑1 ≔ 𝑣1,1, 𝑣2,1, 𝑣3,1
• 𝑏1, 𝑐2: use a 1st share of 𝑏, 𝑐
• 𝑠

1,2: random value

• 𝑣1,1 (𝑏1𝑐1): use a 2nd share of 𝑐
• 𝑣2,1 (𝑏2𝑐1): use a 2nd share of a
• 𝑣3,1 (𝑏3𝑐1 + 𝑠

1,3): random value

ISW mult. is glitch-robust 𝒓-SNI in 2 cycles 7

• 1st example: 2 extended probes
• G(𝑣1,2) ≔ 𝑏1, 𝑐2, 𝑠

1,2

• G 𝑑1 ≔ 𝑣1,1, 𝑣2,1, 𝑣3,1
• 𝑏1, 𝑐2: use a 1st share of 𝑏, 𝑐
• 𝑠

1,2: random value

• 𝑣1,1 (𝑏1𝑐1): use a 2nd share of 𝑐
• 𝑣2,1 (𝑏2𝑐1): use a 2nd share of a
• 𝑣3,1 (𝑏3𝑐1 + 𝑠

1,3): random value

ISW mult. is glitch-robust 𝒓-SNI in 2 cycles 7

• 1st example: 2 extended probes
• G(𝑣1,2) ≔ 𝑏1, 𝑐2, 𝑠

1,2

• G 𝑑1 ≔ 𝑣1,1, 𝑣2,1, 𝑣3,1
• 𝑏1, 𝑐2: use a 1st share of 𝑏, 𝑐
• 𝑠

1,2: random value

• 𝑣1,1 (𝑏1𝑐1): use a 2nd share of 𝑐
• 𝑣2,1 (𝑏2𝑐1): use a 2nd share of 𝑏
• 𝑣3,1 (𝑏3𝑐1 + 𝑠

1,3): random value

ISW mult. is glitch-robust 𝒓-SNI in 2 cycles 7

• 1st example: 2 extended probes
• G(𝑣1,2) ≔ 𝑏1, 𝑐2, 𝑠

1,2

• G 𝑑1 ≔ 𝑣1,1, 𝑣2,1, 𝑣3,1
• 𝑏1, 𝑐2: use a 1st share of 𝑏, 𝑐
• 𝑠

1,2: random value

• 𝑣1,1 (𝑏1𝑐1): use a 2nd share of 𝑐
• 𝑣2,1 (𝑏2𝑐1): use a 2nd share of 𝑏
• 𝑣3,1 (𝑏3𝑐1 + 𝑠

1,3): random value

ISW mult. is glitch-robust 𝒓-SNI in 2 cycles 7

• 2nd example: 1 extended probe
• G(𝑣1,2) ≔ 𝑏1, 𝑐2, 𝑠

1,2

• Non-extended 𝑑1
• to simul. with 1 share/input

ISW mult. is glitch-robust 𝒓-SNI in 2 cycles 7

• 2nd example: 1 extended probe
• G(𝑣1,2) ≔ 𝑏1, 𝑐2, 𝑠

1,2

• Non-extended 𝑑1
• 𝑏1, 𝑐2: use a 1st share of 𝑏, 𝑐
• 𝑠

1,2: random value

• 𝑑1: random value (simulation

with 1 share/input impossible with an extended probe on 𝑑1)

How to compose (simply) 8

• Multiplications: use only

robust-SNI multiplications with one input refreshed in a robust-SNI manner

• Perform linear operations

independently on each share

[Goudarzi & Rivain, Eurocrypt 2018], [Cassiers & Standaert, ePrint 2018]

How to compose (simply) 8

• Multiplications: use only

robust-SNI multiplications with one input refreshed in a robust-SNI manner

• Perform linear operations

independently on each share

[Goudarzi & Rivain, Eurocrypt 2018], [Cassiers & Standaert, ePrint 2018]

⇒ Allows building arbitrary

circuits without risk of glitches nor compositional flaws

How to compose (simply) 8

• Multiplications: use only

robust-SNI multiplications with one input refreshed in a robust-SNI manner

• Perform linear operations

independently on each share

[Goudarzi & Rivain, Eurocrypt 2018], [Cassiers & Standaert, ePrint 2018]

⇒ Allows building arbitrary

circuits without risk of glitches nor compositional flaws (Sufficient but not necessary!)

Conclusions 9

• Main contributions:
• 1. Robust probing model
• Allows analyzing formally and confirming the

relevance of many designs ideas (e.g., Threshold

Implementations, Domain Oriented Masking, Unified Masking Approach, Generic Low Latency Masking, …)

• Not only a theoretical concern!
• Higher-order flaws in many published designs
• https://eprint.iacr.org/2018/490
• 2. A 1st multiplication algorithm/implementation proven

robust against glitches and composable at any order

Other results 10

• “Glitch Locality Principle”
• Glitch-robust NI + SNI (wo glitches) = glitch-robust SNI
• By contrast, glitch-robust probing security

+ SNI (wo glitches) ≠ glitch-robust SNI

• More general model to capture other physical defaults

(e.g., transitions-based leakages, coupling)

• And a discussion of how they are combined
• Empirical validation (for 2-share and 3-share designs)
• More results on Threshold Implementations
• Pseudo-composability and reduced randomness
• # of cycles vs. randomness tradeoff
• More TI decompositions based on Feistel nets.

THANKS

http://perso.uclouvain.be/fstandae/

Pseudo-composability a

𝑑2 = 𝑦2 ∙ 𝑧2 + 𝑦2 ∙ 𝑧3 + 𝑦3 ∙ 𝑧2 + 𝑨2

• Typical example: Toffoli gate 𝑑 = 𝑦 ∙ 𝑧 + 𝑨
• Threshold implementation:

𝑑1 = 𝑦1 ∙ 𝑧1 + 𝑦1 ∙ 𝑧2 + 𝑦2 ∙ 𝑧1 + 𝑨1 𝑑3 = 𝑦3 ∙ 𝑧3 + 𝑦1 ∙ 𝑧3 + 𝑦3 ∙ 𝑧1 + 𝑨3

Pseudo-composability a

𝑑2 = 𝑦2 ∙ 𝑧2 + 𝑦2 ∙ 𝑧3 + 𝑦3 ∙ 𝑧2 + 𝑨2

• Typical example: Toffoli gate 𝑑 = 𝑦 ∙ 𝑧 + 𝑨
• Threshold implementation:
• Not NI nor SNI (e.g., it is impossible to simulate a probe on

𝑑1 with a single share per input (lack of internal rand)

• But “pseudo-NI/pseudo-SNI” if the monomials of 𝑨 are used
• nce and one assumes that can be considered as random
• Can lead to nice randomness optimizations at low orders!

𝑑1 = 𝑦1 ∙ 𝑧1 + 𝑦1 ∙ 𝑧2 + 𝑦2 ∙ 𝑧1 + 𝑨1 𝑑3 = 𝑦3 ∙ 𝑧3 + 𝑦1 ∙ 𝑧3 + 𝑦3 ∙ 𝑧1 + 𝑨3