Random Probing Security: Verification, Composition, Expansion and New Constructions (PowerPoint PPT Presentation)



SLIDE 1

Outline: Introduction | Random Probing Security | Random Probing Composability | Random Probing Expandability | Conclusion

Random Probing Security

Verification, Composition, Expansion and New Constructions

Sonia Belaïd¹, Jean-Sébastien Coron², Emmanuel Prouff³, Matthieu Rivain¹ and Abdul Rahman Taleb¹

¹ CryptoExperts, France; ² University of Luxembourg; ³ ANSSI, France

August 7, 2020

S. Belaid, JS. Coron, E. Prouff, M. Rivain, A. Taleb

Random Probing Security 1 / 20

SLIDE 2


Side-Channel Attacks


SLIDE 8


Countermeasure

Higher-order Masking

Sensitive variable x, group (G, ⋆): x = x0 ⋆ ... ⋆ xn−2 ⋆ xn−1
  • x0, ..., xn−2 are drawn uniformly at random from G
  • xn−1 is computed from x and the other shares (annotated on the slide as x ⋆ x0 ··· ⋆ xn−2)

Security of masking schemes?

SLIDE 12


Leakage Models

Definitions (axis on the slide: Realistic ↔ Convenient)
  • t-probing model: t leaking variables
  • Random probing model: each variable leaks with probability p
  • Noisy leakage model: noisy leakage of all the variables

SLIDE 17


Leakage Models

Existing Works
  • Reduction property [Duc et al., 2014]: Probing Security ⇒ Random Probing Security ⇒ Noisy Leakage Security
  • Random Probing Constructions:
      • [Ajtai, 2011, Andrychowicz et al., 2016] based on expander graphs
      • [Ananth et al., 2018] based on secure multi-party computations: O(|C|·poly(κ)) for a circuit C, tolerated leakage probability ≈ 2^−25

SLIDE 21


Random Probing Model

Contributions
  • VRAPS Tool: (V)erifier of (RA)ndom (P)robing (S)ecurity.
  • Random probing composability / expandability for global security level amplification (inspired from [Ananth et al., 2018]).
  • Efficient instantiation from base gadgets in O(|C|·κ^7.5), tolerating leakage probability ≈ 2^−8.

SLIDE 28


Random Probing Security

Definition

[Figure: a small circuit whose wires each leak with probability p; gate legend: + Add, × Mult., || Copy, r Random]

(p, ε)-Random Probing Security: W is the set of leaking wires. Is W independent from the secret inputs? yes → simulation success; no → simulation failure. Failure probability ε.

SLIDE 33


Random Probing Security

Formal Verification: Method

[Figure: the same example circuit, each wire leaking with probability p]

s: number of wires
W: a set of wires, Pr(W) = p^|W| (1 − p)^(s − |W|)
Failure probability ε = f(p) = Σ_{W : failure on W} p^|W| (1 − p)^(s − |W|)
c_i: number of W of size i with simulation failure
ε = Σ_{i=1}^{s} c_i p^i (1 − p)^(s − i)

SLIDE 38


Random Probing Security

Formal Verification: Algorithm (VRAPS Tool)

Input: circuit with s wires
Output: coefficients c1, ..., cs
1: c ← (0, ..., 0)
2: for i = 1 to s do
3:   L ← {all W of size i}
4:   Apply rules inspired from maskVerif on L [Barthe et al., 2015]
5:   ci ← Nb. of failures in L
6: end for
7: return c

SLIDE 41


Random Probing Composability

Definition

Goal: Achieve global random probing security.

(t, p, ε)-Random probing composable n-share gadgets Gadd, Gcopy, Gmult ⇒ (p, |C|·ε)-Random probing secure circuit C composed of these gadgets (Gadd, Gcopy, Gmult, Gcopy on the slide).

SLIDE 45


Random Probing Composability

Definition

[Figure: a 1-to-1 3-share gadget, input sharing → +, ||, ×, || gates → output sharing, each wire leaking with probability p; s: number of wires]

(t, p, ε)-Random Probing Composability: W is the set of leaking wires and J any set of ≤ t output wires. Can they be simulated from t shares of each secret input? yes → simulation success; no → simulation failure. Failure probability ε.

SLIDE 58


Random Probing Expandability

Expansion Strategy (revisited approach from [Ananth et al., 2018])

Using n-share gadgets Gadd, Gcopy, Gmult for the gates ||, +, ×, with leakage probability p:
  • First expansion (n = 2): gates → Gcopy, Gadd, Gmult; simulation failure ε = f(p)
  • Second expansion (n² = 4): → G(2)copy, G(2)add, G(2)mult; ε2 = f²(p)
  • ... after k expansions (n^k shares): εk

Condition: f(p) < p

SLIDE 65


Random Probing Expandability

Expansion Security

[Figure: a 2-to-1 3-share gadget, Input 1 and Input 2 → +, ×, ×, ||, + r, + gates → Output, each wire leaking with probability p]

(t, ε)-Random Probing Expandability: W is the set of leaking wires, J any set of ≤ t output wires, and J′ a chosen set of n − 1 output wires. Can they be simulated from t shares of input 1 and t shares of input 2? yes → simulation success; no → simulation failure. Failure probability on input 1 = ε; on input 2 = ε; on inputs 1 ∧ 2 = ε².

SLIDE 71


Random Probing Expandability

Expansion Security

For an n-share gadget G:
  • G Random Probing Expandable with ε = f(p) ⇒ G^(k) Random Probing Expandable with ε′ = f^k(p)
  • G Random Probing Expandable with ε = f(p) ⇒ G Random Probing Composable with ε′ = 2f(p)

For a circuit C, using Gadd, Gcopy, Gmult:
  • Gadd, Gcopy, Gmult Random Probing Expandable with ε = f(p) ⇒ compiled circuit (p, 2·f^(k)(p))-Random Probing Secure

SLIDE 76

Introduction Random Probing Security Random Probing Composability Random Probing Expandability Conclusion

Random Probing Expandability

3-share gadgets Construction Gcopy : v0 ← x0 + r0 + r1; w0 ← x0 + r3 + r4 v1 ← x1 + r1 + r2; w1 ← x1 + r4 + r5 v2 ← x2 + r2 + r0; w2 ← x2 + r5 + r3 Gadd : z0 ← x0 + r0 + r4 + y0 + r1 + r3 z1 ← x1 + r1 + r5 + y1 + r2 + r4 z2 ← x2 + r2 + r3 + y2 + r0 + r5 Gmult : u0 ← x0 + r5 + r6; u1 ← x1 + r6 + r7; u2 ← x2 + r7 + r5 v0 ← y0 + r8 + r9; v1 ← y1 + r9 + r10; v2 ← y2 + r10 + r8 z0 ←

  • u0 · v0 + r0
  • +
  • u0 · v1 + r1
  • +
  • u0 · v2 + r2
  • z1 ←
  • u1 · v0 + r1
  • +
  • u1 · v1 + r4
  • +
  • u1 · v2 + r3
  • z2 ←
  • u2 · v0 + r2
  • +
  • u2 · v1 + r3
  • +
  • u2 · v2 + r0
  • + r4
  • S. Belaid, JS. Coron, E. Prouff, M. Rivain, A. Taleb

Random Probing Security 15 / 20

slide-77
SLIDE 77

Random Probing Expandability

3-share gadgets Construction

$G_{copy}$:
  $v_0 \leftarrow x_0 + r_0 + r_1$;  $w_0 \leftarrow x_0 + r_3 + r_4$
  $v_1 \leftarrow x_1 + r_1 + r_2$;  $w_1 \leftarrow x_1 + r_4 + r_5$
  $v_2 \leftarrow x_2 + r_2 + r_0$;  $w_2 \leftarrow x_2 + r_5 + r_3$

$G_{add}$:
  $z_0 \leftarrow x_0 + r_0 + r_4 + y_0 + r_1 + r_3$
  $z_1 \leftarrow x_1 + r_1 + r_5 + y_1 + r_2 + r_4$
  $z_2 \leftarrow x_2 + r_2 + r_3 + y_2 + r_0 + r_5$

$G_{mult}$:
  $u_0 \leftarrow x_0 + r_5 + r_6$;  $u_1 \leftarrow x_1 + r_6 + r_7$;  $u_2 \leftarrow x_2 + r_7 + r_5$
  $v_0 \leftarrow y_0 + r_8 + r_9$;  $v_1 \leftarrow y_1 + r_9 + r_{10}$;  $v_2 \leftarrow y_2 + r_{10} + r_8$
  $z_0 \leftarrow (u_0 \cdot v_0 + r_0) + (u_0 \cdot v_1 + r_1) + (u_0 \cdot v_2 + r_2)$
  $z_1 \leftarrow (u_1 \cdot v_0 + r_1) + (u_1 \cdot v_1 + r_4) + (u_1 \cdot v_2 + r_3)$
  $z_2 \leftarrow (u_2 \cdot v_0 + r_2) + (u_2 \cdot v_1 + r_3) + (u_2 \cdot v_2 + r_0) + r_4$

$t = 1$, $f(p) \le \sqrt{83}\, p^{3/2} + O(p^2)$, $p_{max} \approx 2^{-8}$
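An added example, not code from the paper or from the VRAPS tool: it implements the three gadgets above over GF(2) (shares are bits, "+" is XOR, "." is AND) and checks functional correctness by decoding each gadget's output shares. Function names such as `g_add` and the use of the `secrets` module for randomness are my assumptions.

```python
import secrets
from functools import reduce
from operator import xor

# Assumption: the gadgets are read in GF(2), so shares are bits, "+" is XOR and
# "." is AND.  The same formulas hold in any characteristic-2 field (e.g. GF(2^8)).

def rand_bits(k):
    return [secrets.randbits(1) for _ in range(k)]

def share(x):
    """3-share additive encoding: x = x0 + x1 + x2."""
    x0, x1 = rand_bits(2)
    return [x0, x1, x ^ x0 ^ x1]

def unshare(shares):
    return reduce(xor, shares)

def g_copy(x, r=None):
    """G_copy from the slides: 6 fresh randoms, two refreshed copies (v, w) of x."""
    r = rand_bits(6) if r is None else r
    v = [x[0] ^ r[0] ^ r[1], x[1] ^ r[1] ^ r[2], x[2] ^ r[2] ^ r[0]]
    w = [x[0] ^ r[3] ^ r[4], x[1] ^ r[4] ^ r[5], x[2] ^ r[5] ^ r[3]]
    return v, w

def g_add(x, y, r=None):
    """G_add from the slides: 6 fresh randoms, each used twice so they cancel."""
    r = rand_bits(6) if r is None else r
    return [x[0] ^ r[0] ^ r[4] ^ y[0] ^ r[1] ^ r[3],
            x[1] ^ r[1] ^ r[5] ^ y[1] ^ r[2] ^ r[4],
            x[2] ^ r[2] ^ r[3] ^ y[2] ^ r[0] ^ r[5]]

def g_mult(x, y, r=None):
    """G_mult from the slides: refresh both inputs (r5..r10), then mask the 9 cross
    products with r0..r4; every r_i appears twice, so the sum of z decodes to x.y."""
    r = rand_bits(11) if r is None else r
    u = [x[0] ^ r[5] ^ r[6], x[1] ^ r[6] ^ r[7], x[2] ^ r[7] ^ r[5]]
    v = [y[0] ^ r[8] ^ r[9], y[1] ^ r[9] ^ r[10], y[2] ^ r[10] ^ r[8]]
    z0 = (u[0] & v[0] ^ r[0]) ^ (u[0] & v[1] ^ r[1]) ^ (u[0] & v[2] ^ r[2])
    z1 = (u[1] & v[0] ^ r[1]) ^ (u[1] & v[1] ^ r[4]) ^ (u[1] & v[2] ^ r[3])
    z2 = (u[2] & v[0] ^ r[2]) ^ (u[2] & v[1] ^ r[3]) ^ (u[2] & v[2] ^ r[0]) ^ r[4]
    return [z0, z1, z2]

def check_correctness(trials=500):
    """Decode every gadget output over random sharings; True iff all match."""
    for _ in range(trials):
        a, b = secrets.randbits(1), secrets.randbits(1)
        x, y = share(a), share(b)
        v, w = g_copy(x)
        if unshare(v) != a or unshare(w) != a:
            return False
        if unshare(g_add(x, y)) != a ^ b or unshare(g_mult(x, y)) != a & b:
            return False
    return True
```

Passing an explicit `r` fixes the randomness, which is how one reproduces a single evaluation when inspecting the wires a probe could see.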

slide-84
SLIDE 84

Random Probing Expandability

Asymptotic Complexity

$N = (N_{add}, N_{copy}, N_{mult}, N_{rand})$

On previous 3-share gadgets (one column per gadget; blank entries of the slide are zeros):

$$
M = \begin{pmatrix} N^{T}_{G_{add}} & N^{T}_{G_{copy}} & N^{T}_{G_{mult}} & N^{T}_{rand} \end{pmatrix}
  = \begin{pmatrix} 15 & 12 & 28 & 0 \\ 6 & 9 & 23 & 0 \\ 0 & 0 & 9 & 0 \\ 6 & 6 & 11 & 3 \end{pmatrix}
  = Q \Lambda Q^{-1}
$$

with top-left block $M_{ac} = \begin{pmatrix} 15 & 12 \\ 6 & 9 \end{pmatrix}$ and multiplication entry $N_{mult} = 9$.

Compiling a circuit C: $N_{\hat{C}} = M^{k} N_{C} = Q \Lambda^{k} Q^{-1} N_{C}$

$|\hat{C}| = O(|C| \cdot N_{max}^{k})$, where $N_{max} = \max(\text{eigenvalues}(M_{ac}), N_{mult})$

slide-87
SLIDE 87

Random Probing Expandability

Asymptotic Complexity

For a security parameter $\kappa$, and $f(p) = c_d\, p^{d} + O(p^{d+1})$ of amplification order $d$, we need $f^{(k)}(p) \le 2^{-\kappa}$:

$|\hat{C}| = O(|C| \cdot \kappa^{e})$, $e = \dfrac{\log(N_{max})}{\log(d)}$

slide-88
SLIDE 88

Random Probing Expandability

Asymptotic Complexity

For a security parameter $\kappa$, and $f(p) = \sqrt{83}\, p^{3/2} + O(p^2)$ of amplification order $3/2$, we need $f^{(k)}(p) \le 2^{-\kappa}$:

$|\hat{C}| = O(|C| \cdot \kappa^{7.5})$, $e = \dfrac{\log(21)}{\log(3/2)}$
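An added example (not the paper's poc-expanding-compiler) that works the complexity computation of the last slides: it builds M from the gate counts of the 3-share gadgets, takes N_max = 21 from the eigenvalues of M_ac, derives e ≈ 7.5, and counts how many expansion levels k are needed for f^(k)(p) ≤ 2^-κ using only the leading term of f. Function names are my assumptions.

```python
import math

# M as read off the 3-share gadgets: rows are the (add, copy, mult, rand) gates
# produced, columns are what one add / copy / mult / random gate expands into.
# Blank entries of the slide are taken as 0.
M = [
    [15, 12, 28, 0],
    [ 6,  9, 23, 0],
    [ 0,  0,  9, 0],
    [ 6,  6, 11, 3],
]

def mat_vec(A, v):
    return [sum(a * x for a, x in zip(row, v)) for row in A]

def expanded_counts(n_c, k):
    """N_{C^(k)} = M^k . N_C : gate counts of circuit C after k expansion levels."""
    for _ in range(k):
        n_c = mat_vec(M, n_c)
    return n_c

def eig_2x2(a, b, c, d):
    """Eigenvalues of [[a, b], [c, d]], largest first (real for this M_ac)."""
    tr, det = a + d, a * d - b * c
    disc = math.sqrt(tr * tr - 4 * det)
    return [(tr + disc) / 2, (tr - disc) / 2]

def n_max():
    """M is block triangular, so its spectrum is eig(M_ac) together with N_mult
    and 3; the dominant value is N_max = max(eig(M_ac), N_mult)."""
    m_ac = eig_2x2(M[0][0], M[0][1], M[1][0], M[1][1])
    return max(m_ac[0], M[2][2])

def exponent(d):
    """e = log(N_max) / log(d) for amplification order d."""
    return math.log(n_max()) / math.log(d)

def levels_needed(p, kappa, c_d=math.sqrt(83), d=1.5):
    """Smallest k with f^(k)(p) <= 2^-kappa for f(p) = c_d * p^d (leading term
    only), iterated on a = -log2(p) so large kappa does not underflow floats."""
    a, k = -math.log2(p), 0
    while a < kappa:
        a_next = d * a - math.log2(c_d)
        if a_next <= a:   # f(p) >= p: no amplification at this leakage rate
            raise ValueError("leakage probability too high for this gadget set")
        a, k = a_next, k + 1
    return k
```

With p = 2^-8 and κ = 128 the leading-term recursion needs 11 expansion levels; the O(p^2) term of the real f only shifts the tolerated p_max, not the exponent e.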

slide-93
SLIDE 93

Introduction Random Probing Security Random Probing Composability Random Probing Expandability Conclusion

Random Probing Expandability

Comparison with [Ananth et al., 2018]

Our Expansion Strategy (t, f )-RPE Security Secure (t, f )-RPE gadgets Instantiation with (1, f )-RPE 3-share Gadd, Gcopy, Gmult O(|C|.κ7.5) [Ananth et al., 2018] Strategy (p, ǫ)-Composable Security (m, c)-MPC protocols Instantiation with [Maurer, 2006] (m = 5, c = 2)-MPC protocol O(|C|.κ7.87)

  • S. Belaid, JS. Coron, E. Prouff, M. Rivain, A. Taleb

Random Probing Security 18 / 20

slide-94
SLIDE 94

Introduction Random Probing Security Random Probing Composability Random Probing Expandability Conclusion

Random Probing Expandability

Comparison with [Ananth et al., 2018]

Our Expansion Strategy (t, f )-RPE Security Secure (t, f )-RPE gadgets Instantiation with (1, f )-RPE 3-share Gadd, Gcopy, Gmult O(|C|.κ7.5) pmax ≈ 2−8 [Ananth et al., 2018] Strategy (p, ǫ)-Composable Security (m, c)-MPC protocols Instantiation with [Maurer, 2006] (m = 5, c = 2)-MPC protocol O(|C|.κ7.87) pmax ≈ 2−25

  • S. Belaid, JS. Coron, E. Prouff, M. Rivain, A. Taleb

Random Probing Security 18 / 20

slide-98
SLIDE 98

Conclusion

  • VRAPS tool for verification of Random Probing Security: https://github.com/CryptoExperts/VRAPS
  • New gadget composition / expansion properties for random probing security
  • New 3-share construction achieving random probing security with tolerated leakage probability ≈ 2^-8, and a complexity of O(|C|·κ^7.5)
  • Implementation of the expansion strategy, and an implementation of a secure n^k-share AES128: https://github.com/CryptoExperts/poc-expanding-compiler

slide-99
SLIDE 99

References

Miklós Ajtai. Secure computation with information leaking to an adversary. In Proceedings of the forty-third annual ACM symposium on Theory of computing, pages 715–724, 2011.

Prabhanjan Ananth, Yuval Ishai, and Amit Sahai. Private circuits: A modular approach. In Annual International Cryptology Conference, pages 427–455. Springer, 2018.

Marcin Andrychowicz, Stefan Dziembowski, and Sebastian Faust. Circuit compilers with O(1/log(n)) leakage rate. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 586–615. Springer, 2016.

Gilles Barthe, Sonia Belaïd, François Dupressoir, Pierre-Alain Fouque, Benjamin Grégoire, and Pierre-Yves Strub. Verified proofs of higher-order masking. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 457–485. Springer, 2015.

Alexandre Duc, Stefan Dziembowski, and Sebastian Faust. Unifying leakage models: From probing attacks to noisy leakage. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 423–440. Springer, 2014.

Ueli Maurer. Secure multi-party computation made simple. Discrete Applied Mathematics, 154(2):370–381, 2006.