
VerMI & VerFI Verification Tools for Masked Implementations - PowerPoint PPT Presentation


  1. VerMI & VerFI Verification Tools for Masked Implementations Svetla Nikova, Victor Arribas COSIC, KULeuven Joint work with Vincent Rijmen (KU Leuven), Felix Wegener, Amir Moradi (RU Bochum) 1

  2. Verification Tools • Why do we need verification tools? • When should we test implementations? • What kind of tools do we need? 2

  3. Side-channel attacks: what to verify? (Source: [DBR19]) Necessary conditions [ANR18] (e.g. non-completeness) vs. sufficient conditions [DBR19] (e.g. MI(glitch-extended probes, secret) = 0). #wires / #positions of probes ≈ security order. 3

  4. SCA verification tools (diagram, theory ↔ reality). Theory side: noise free, technology independent, as accurate as the model. Reality side: noisy, technology specific, closer to reality. Complete ciphers: [BCD+13, MRS+18]; efficient: [SBY+18]; [ANR18], [DBR19]; small gadgets, exhaustive: [BGI+18, BBF+18, C18].

  5. SCA verification: how-to. Verification mechanisms: the more the better! One does NOT suffice. Complete ciphers: [BCD+13, MRS+18], [SBY+18]; design & implementation: [ANR18], [DBR19]; small gadgets: [BGI+18, BBF+18, C18]; theory ↔ reality.

  6. References
  [ANR18] V. Arribas, S. Nikova, V. Rijmen: VerMI: Verification Tool for Masked Implementations. ICECS 2018
  [BCD+13] G. Becker, J. Cooper, E. De Mulder, et al.: Test vector leakage assessment (TVLA) methodology in practice. ICMC 2013
  [BBF+18] G. Barthe, S. Belaid, P.-A. Fouque, B. Gregoire: maskVerif: a formal tool for analyzing software and hardware masked implementations. ESORICS 2019
  [BGI+18] R. Bloem, H. Gross, R. Iusupov, B. Konighofer, S. Mangard, J. Winter: Formal Verification of Masked Hardware Implementations in the Presence of Glitches. EUROCRYPT 2018
  [C18] J.-S. Coron: Formal Verification of Side-channel Countermeasures via Elementary Circuit Transformations. ACNS 2018
  [DBR19] L. De Meyer, B. Bilgin, O. Reparaz: Consolidating Security Notions in Hardware Masking. CHES 2019
  [MRS+18] A. Moradi, B. Richter, T. Schneider, F.-X. Standaert: Leakage Detection with the chi-squared-Test. CHES 2018
  [SBY+18] D. Sijacic, J. Balasch, B. Yang, S. Ghosh, I. Verbauwhede: Towards Efficient and Automated Side Channel Evaluations at Design Time. PROOFS@CHES 2018

  7. VerMI Verification Tool for Masked Implementations

  8. VerMI - outline • VerMI • Threshold Implementations • Non-Completeness • Sequential Logic • Uniformity 8

  9. VerMI 9

  10. Verification Tool: C++; Synopsys DC Compiler; FPGA / ASIC. 10

  11. Structural Model 11

  12. Threshold Implementations Side-Channel Analysis (SCA) countermeasure Provable security with minimal assumptions on the HW Security in the presence of glitches 12

  13. Threshold Implementations (1st order). Boolean masking scheme; secret sharing and multi-party computation techniques. Unshared function: $S(x, y, z, \dots) = (a, b, c, \dots)$. Shared functions: $S_1(x_1, y_1, z_1, \dots) = (a_1, b_1, c_1, \dots)$, $S_2(x_2, y_2, z_2, \dots) = (a_2, b_2, c_2, \dots)$, …, $S_s(x_s, y_s, z_s, \dots) = (a_s, b_s, c_s, \dots)$, where the inputs recombine as $x = \bigoplus_i x_i$, $y = \bigoplus_i y_i$, … and the outputs as $a = \bigoplus_i a_i$, $b = \bigoplus_i b_i$, …. Properties: • Correctness • Non-completeness • Uniformity. 13

  14. Tree Search 1 14

  15. Non-completeness 1 15

  16. Non-completeness. E.g.: Multiplier
  $c_1 = f_1(x_1, x_2, y_1, y_2) = x_1 y_1 \oplus x_1 y_2 \oplus x_2 y_1$
  $c_2 = f_2(x_2, x_3, y_2, y_3) = x_2 y_2 \oplus x_2 y_3 \oplus x_3 y_2$
  $c_3 = f_3(x_1, x_3, y_1, y_3) = x_3 y_3 \oplus x_1 y_3 \oplus x_3 y_1$
  Sensitive data / dependencies: $c_1$: shares $x_1, x_2$, vars $y_1, y_2$; $c_2$: shares $x_2, x_3$, vars $y_2, y_3$; $c_3$: shares $x_1, x_3$, vars $y_1, y_3$. Every output share misses one share of $x$ and one of $y$. 16

  17. Non-completeness. E.g.: Multiplier (terms $x_2 y_1$ and $x_3 y_1$ swapped between $c_1$ and $c_3$)
  $c_1 = f_1(x_1, x_2, y_1, y_2) = x_1 y_1 \oplus x_1 y_2 \oplus x_3 y_1$
  $c_2 = f_2(x_2, x_3, y_2, y_3) = x_2 y_2 \oplus x_2 y_3 \oplus x_3 y_2$
  $c_3 = f_3(x_1, x_3, y_1, y_3) = x_3 y_3 \oplus x_1 y_3 \oplus x_2 y_1$
  Sensitive data / dependencies: $c_1$: shares $x_1, x_3$, vars $y_1, y_2$; $c_2$: shares $x_2, x_3$, vars $y_2, y_3$; $c_3$: shares $x_1, x_2, x_3$, vars $y_1, y_3$. The sharing is still correct, but $c_3$ depends on all shares of $x$: non-completeness is violated. 17

  18. HO Non-completeness. E.g.: Multiplier (1st order)
  $c_1 = f_1(x_1, x_2, y_1, y_2) = x_1 y_1 \oplus x_1 y_2 \oplus x_2 y_1$
  $c_2 = f_2(x_2, x_3, y_2, y_3) = x_2 y_2 \oplus x_2 y_3 \oplus x_3 y_2$
  $c_3 = f_3(x_1, x_3, y_1, y_3) = x_3 y_3 \oplus x_1 y_3 \oplus x_3 y_1$
  Sensitive data / dependencies of pairs of output shares: $(c_1, c_2)$, $(c_1, c_3)$, $(c_2, c_3)$: each pair depends on all shares $x_1, x_2, x_3$ and all vars $y_1, y_2, y_3$. 18

  19. HO Non-completeness. E.g.: Multiplier (2nd order)
  $c_1 = x_2 y_2 \oplus x_1 y_2 \oplus x_2 y_1 \oplus x_1 y_3 \oplus x_3 y_1 \oplus x_2 y_3 \oplus x_3 y_2$
  $c_2 = x_3 y_3 \oplus x_3 y_4 \oplus x_4 y_3 \oplus x_3 y_5 \oplus x_5 y_3$
  $c_3 = x_4 y_4 \oplus x_2 y_4 \oplus x_4 y_2 \oplus x_2 y_6 \oplus x_6 y_2$
  $c_4 = x_5 y_5 \oplus x_1 y_4 \oplus x_4 y_1 \oplus x_1 y_5 \oplus x_5 y_1$
  $c_5 = x_2 y_5 \oplus x_5 y_2 \oplus x_4 y_5 \oplus x_5 y_4$
  $c_6 = x_6 y_6 \oplus x_3 y_6 \oplus x_6 y_3 \oplus x_4 y_6 \oplus x_6 y_4$
  $c_7 = x_1 y_1 \oplus x_1 y_6 \oplus x_6 y_1 \oplus x_5 y_6 \oplus x_6 y_5$
  Sensitive data: shares $x_1, \dots, x_6$; vars $y_1, \dots, y_6$. 19
  [BGN+] B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, V. Rijmen: Higher-Order Threshold Implementations. Asiacrypt 2014

  20. HO Non-completeness. E.g.: Multiplier (2nd order) [BGN+]
  $c_1 = x_2 y_2 \oplus x_1 y_2 \oplus x_2 y_1 \oplus x_1 y_3 \oplus x_3 y_1 \oplus x_2 y_3 \oplus x_3 y_2$
  $c_2 = x_3 y_3 \oplus x_3 y_4 \oplus x_4 y_3 \oplus x_3 y_5 \oplus x_5 y_3$
  $c_3 = x_4 y_4 \oplus x_2 y_4 \oplus x_4 y_2 \oplus x_2 y_6 \oplus x_6 y_2$
  $c_4 = x_5 y_5 \oplus x_1 y_4 \oplus x_4 y_1 \oplus x_1 y_5 \oplus x_5 y_1$
  $c_5 = x_2 y_5 \oplus x_5 y_2 \oplus x_4 y_5 \oplus x_5 y_4$
  $c_6 = x_6 y_6 \oplus x_3 y_6 \oplus x_6 y_3 \oplus x_4 y_6 \oplus x_6 y_4$
  $c_7 = x_1 y_1 \oplus x_1 y_6 \oplus x_6 y_1 \oplus x_5 y_6 \oplus x_6 y_5$
  Dependencies of pairs of output shares, e.g.: $(c_1, c_2)$: shares $x_1, x_2, x_3, x_4, x_5$, vars $y_1, y_2, y_3, y_4, y_5$; $(c_2, c_5)$: shares $x_2, x_3, x_4, x_5$, vars $y_2, y_3, y_4, y_5$; $(c_4, c_7)$: shares $x_1, x_4, x_5, x_6$, vars $y_1, y_4, y_5, y_6$. ALL possible combinations must be checked. 20
  [BGN+] B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, V. Rijmen: Higher-Order Threshold Implementations. Asiacrypt 2014

  21. Subcircuit 21

  22. AES Sbox [CRB+]. [CRB+] T. D. Cnudde, O. Reparaz, B. Bilgin, S. Nikova, V. Nikov, V. Rijmen: Masking AES with d+1 shares in hardware. CHES 2016. 22

  23. AES Sbox: table of shares and variables of the S-box subcircuit (figure). 23

  24. Uniformity (1st order). E.g.: Multiplier
  $c_1 = f_1(x_1, x_2, y_1, y_2) = x_1 y_1 \oplus x_1 y_2 \oplus x_2 y_1$
  $c_2 = f_2(x_2, x_3, y_2, y_3) = x_2 y_2 \oplus x_2 y_3 \oplus x_3 y_2$
  $c_3 = f_3(x_1, x_3, y_1, y_3) = x_3 y_3 \oplus x_1 y_3 \oplus x_3 y_1$ 24
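The three checks that slides 16 to 20 and 24 run by hand (dependencies of each output share, d-th order non-completeness over all combinations of output shares, correctness, and uniformity) can be automated over a small algebraic model of the sharing. The example below is added here and is not VerMI's code; the monomial representation, the helper names (`M`, `F`, `is_non_complete`, `is_uniform`, …) and the compact `x1y2` notation are this example's own conventions. The three sharings are transcribed from the slides: the 1st-order 3-share multiplier, its broken variant of slide 17, and the 2nd-order 6-in/7-out multiplier of slides 19 and 20.

```python
from collections import Counter
from itertools import combinations, product

# Monomial: frozenset of (variable, share) pairs, e.g. {("x", 1), ("y", 2)} for x1*y2.
# Output share function: list of monomials XORed together. Sharing: list of those
# functions, one per output share. Shares are numbered from 1 as on the slides.

def M(text):
    """Parse a compact monomial such as 'x1y2' into {('x', 1), ('y', 2)}."""
    return frozenset((text[i], int(text[i + 1])) for i in range(0, len(text), 2))

def F(*monomials):
    """Build one output share function from compact monomial strings."""
    return [M(m) for m in monomials]

# First-order 3-share multiplier of slides 16 and 24: c = x*y with c = c1 ^ c2 ^ c3.
MULT3 = [F("x1y1", "x1y2", "x2y1"),
         F("x2y2", "x2y3", "x3y2"),
         F("x3y3", "x1y3", "x3y1")]
# Slide 17 variant: x2y1 and x3y1 swapped between c1 and c3. Still correct, but
# c3 now reads every share of x.
MULT3_BAD = [F("x1y1", "x1y2", "x3y1"),
             F("x2y2", "x2y3", "x3y2"),
             F("x3y3", "x1y3", "x2y1")]
# Second-order multiplier with 6 input and 7 output shares (slides 19 and 20).
MULT6 = [F("x2y2", "x1y2", "x2y1", "x1y3", "x3y1", "x2y3", "x3y2"),
         F("x3y3", "x3y4", "x4y3", "x3y5", "x5y3"),
         F("x4y4", "x2y4", "x4y2", "x2y6", "x6y2"),
         F("x5y5", "x1y4", "x4y1", "x1y5", "x5y1"),
         F("x2y5", "x5y2", "x4y5", "x5y4"),
         F("x6y6", "x3y6", "x6y3", "x4y6", "x6y4"),
         F("x1y1", "x1y6", "x6y1", "x5y6", "x6y5")]

def dependencies(func):
    """Map each input variable to the set of its shares that `func` reads."""
    deps = {}
    for monomial in func:
        for var, share in monomial:
            deps.setdefault(var, set()).add(share)
    return deps

def is_non_complete(sharing, n_shares, order=1):
    """d-th order non-completeness: any `order` output share functions taken
    together must miss at least one share of every input variable. Every
    combination is enumerated, as slide 20 demands."""
    for combo in combinations(sharing, order):
        seen = {}
        for func in combo:
            for var, shares in dependencies(func).items():
                seen.setdefault(var, set()).update(shares)
        if any(len(shares) == n_shares for shares in seen.values()):
            return False
    return True

def evaluate(sharing, assignment):
    """Evaluate every output share on one assignment {(var, share): bit}."""
    outputs = []
    for func in sharing:
        bit = 0
        for monomial in func:
            term = 1
            for key in monomial:
                term &= assignment[key]
            bit ^= term
        outputs.append(bit)
    return tuple(outputs)

def input_sharings(variables, n_shares):
    """Enumerate all assignments of bits to the input shares."""
    keys = [(v, i) for v in variables for i in range(1, n_shares + 1)]
    for bits in product((0, 1), repeat=len(keys)):
        yield dict(zip(keys, bits))

def unshare(assignment, variables, n_shares):
    """Recombine each variable's shares by XOR."""
    return tuple(sum(assignment[(v, i)] for i in range(1, n_shares + 1)) % 2
                 for v in variables)

def is_correct(sharing, n_shares, variables, unshared):
    """XOR of the output shares must equal the unshared function everywhere."""
    return all(sum(evaluate(sharing, a)) % 2 == unshared(*unshare(a, variables, n_shares))
               for a in input_sharings(variables, n_shares))

def is_uniform(sharing, n_shares, variables):
    """Uniformity: for each unshared input, all 2^(m-1) valid output sharings
    must be reached, each by the same number of input sharings."""
    counts = {}
    for a in input_sharings(variables, n_shares):
        counts.setdefault(unshare(a, variables, n_shares), Counter())[evaluate(sharing, a)] += 1
    inputs_per_value = 2 ** ((n_shares - 1) * len(variables))
    outputs_per_value = 2 ** (len(sharing) - 1)
    expected = inputs_per_value // outputs_per_value
    return all(len(c) == outputs_per_value and set(c.values()) == {expected}
               for c in counts.values())

def AND(x, y):
    return x & y

if __name__ == "__main__":
    for name, sh, n in (("MULT3", MULT3, 3), ("MULT3_BAD", MULT3_BAD, 3), ("MULT6", MULT6, 6)):
        print(name, "correct:", is_correct(sh, n, "xy", AND),
              "1st-order NC:", is_non_complete(sh, n, 1),
              "2nd-order NC:", is_non_complete(sh, n, 2),
              "uniform:", is_uniform(sh, n, "xy"))
```

The 3-share multiplier passes 1st-order non-completeness and correctness but fails 2nd-order non-completeness (every pair of output shares covers all three shares, as slide 18 shows) and fails uniformity, which is why slide 26 turns to Changing of the Guards and four-share variants. The slide 17 variant stays correct yet is rejected because $c_3$ reads $x_1, x_2, x_3$. The 6-in/7-out multiplier passes 2nd-order non-completeness for all 21 pairs and fails at order 3.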

  25. Simulation Event-Driven simulation Flip-Flops treated as buffers 25

  26. Uniformity. Three shares implementation by G. Bertoni et al. [BDP+]; Changing of the Guards by J. Daemen [Daemen]; Four shares implementation by B. Bilgin et al. [BDN+].
  [BDP+] G. Bertoni, J. Daemen, M. Peeters, G. Van Assche: Building power analysis resistant implementations of Keccak. Second SHA-3 candidate conference, August 2010.
  [BDN+] B. Bilgin, J. Daemen, V. Nikov, S. Nikova, V. Rijmen, G. Van Assche: Efficient and First-order DPA resistant implementations of Keccak. CARDIS 2013, LNCS volume 8419, June 2014.
  [Daemen] J. Daemen: Changing of the guards: A simple and efficient method for achieving uniformity in threshold sharing. CHES 2017, LNCS volume 10529, September 2017. 26

  27. Uniformity 27

  28. VerFI Verification Tool for Fault Injection

  29. Evaluation
  SIDE-CHANNEL EVALUATION: maskVerif: automated analysis of software and hardware higher-order masked implementations [Barthe et al. ePrint 2018/562]; Formal Verification of Masked Hardware Implementations in the Presence of Glitches [Bloem et al. EUROCRYPT 2018]; VerMI: Verification Tool for Masked Implementations [Arribas et al. ICECS 2018]; Towards Efficient and Automated Side Channel Evaluations at Design Time [Šijačić et al. PROOFS 2018]; TVLA [Cooper et al. International Cryptographic Module Conference 2013]
  FAULT EVALUATION: Framework for the analysis and evaluation of algebraic fault attacks [Zhang et al. IEEE Trans. on Information Forensics and Security 2016]; XFC: A Framework for eXploitable Fault Characterization in Block Ciphers [Khanna et al. DAC 2017]; ExpFault: An Automated Framework for Exploitable Fault Characterization in Block Ciphers [Saha et al. CHES 2018]; CASCADE 29

  30. Framework VerFI 30

  31. Faults Machine • Create faults • Fault free simulation • Fault injection • Fault simulation • Fault classification 31
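The five steps of the faults machine form one pipeline: enumerate fault locations, simulate the design fault-free, inject a fault, simulate again, and classify the outcome. The following example is added here to show that pipeline end to end on a tiny gate-level netlist; it is not VerFI's code, the netlist (a duplicated AND gate with a comparator on the wire `err`) is constructed for the example, and the fault model (single or double bit flips on named wires) and the three classes `effective`, `detected` and `ineffective` are this example's own choices rather than VerFI's classification.

```python
from itertools import combinations, product

# Gate-level netlist: (gate, output wire, input wire, input wire), evaluated in order.
# Constructed example: an AND gate computed twice, the two copies compared on "err".
# A raised "err" is the detection signal of this (assumed) countermeasure.
NETLIST = [
    ("and", "p0", "a", "b"),
    ("and", "p1", "a", "b"),     # redundant copy of p0
    ("xor", "err", "p0", "p1"),  # comparator: 1 when the copies disagree
]
INPUT_WIRES = ("a", "b")
OUTPUT_WIRES = ("p0",)
DETECT_WIRE = "err"

def simulate(netlist, inputs, faults=frozenset()):
    """Steps 2 and 4: event-free in-order simulation of the netlist.
    Every wire named in `faults` is bit-flipped as soon as it is driven."""
    wires = {w: v ^ (1 if w in faults else 0) for w, v in inputs.items()}
    for gate, out, in1, in2 in netlist:
        a, b = wires[in1], wires[in2]
        value = a & b if gate == "and" else a ^ b
        if out in faults:
            value ^= 1
        wires[out] = value
    return wires

def create_faults(netlist, input_wires, max_multiplicity=1):
    """Step 1: every set of up to `max_multiplicity` flipped wires."""
    names = list(input_wires) + [gate[1] for gate in netlist]
    for k in range(1, max_multiplicity + 1):
        for combo in combinations(names, k):
            yield frozenset(combo)

def classify(netlist, input_wires, output_wires, detect_wire, fault):
    """Step 5: worst case over all input values.
    'effective'   - an output changed while the detector stayed silent
    'detected'    - the detector fired (whether or not an output changed)
    'ineffective' - no output change and no alarm for any input"""
    worst = "ineffective"
    for bits in product((0, 1), repeat=len(input_wires)):
        inputs = dict(zip(input_wires, bits))
        golden = simulate(netlist, inputs)         # step 2: fault-free reference
        faulty = simulate(netlist, inputs, fault)  # step 3 + 4: inject, re-simulate
        changed = any(golden[w] != faulty[w] for w in output_wires)
        if changed and not faulty[detect_wire]:
            return "effective"
        if faulty[detect_wire]:
            worst = "detected"
    return worst

def fault_report(netlist=NETLIST, max_multiplicity=2):
    """Run the whole faults machine and return {fault set: class}."""
    return {fault: classify(netlist, INPUT_WIRES, OUTPUT_WIRES, DETECT_WIRE, fault)
            for fault in create_faults(netlist, INPUT_WIRES, max_multiplicity)}

if __name__ == "__main__":
    for fault, verdict in sorted(fault_report().items(), key=lambda kv: (len(kv[0]), sorted(kv[0]))):
        print(sorted(fault), "->", verdict)
```

On this netlist every single flip on the datapath (`p0`, `p1`, `err`) is caught by the comparator, while a flip on a shared input wire (`a` or `b`) corrupts both copies identically and goes through undetected; at multiplicity two, flipping `p0` and `p1` together, or `p0` together with `err`, likewise escapes. That gap between fault multiplicity and what a countermeasure covers is exactly what a classification step is meant to expose.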
