very high order masking efficient
play

Very High-Order Masking: Efficient Implementation and Security - PowerPoint PPT Presentation

Jul 03, 2023 •118 likes •614 views

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and Franois-Xavier Standaert UCL (Louvain-la-Neuve, Belgium) CHES 2017, Taipei, Taiwan Outline Background Masking Barthe et al. masking

  1. Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and François-Xavier Standaert UCL (Louvain-la-Neuve, Belgium) CHES 2017, Taipei, Taiwan

  2. Outline • Background  Masking  Barthe et al. masking scheme • How fast can be very high-order masking ?  Data representation  AES results and discussion • How can we evaluate security at very high order ?  Limitation of leakage detection strategy  Multi-model approach • Conclusion/Open problems

  3. Outline • Background  Masking  Barthe et al. masking scheme • How fast can be very high-order masking ?  Data representation  AES results and discussion • How can we evaluate security at very high order ?  Limitation of leakage detection strategy  Multi-model approach • Conclusion/Open problems

  4. Masking 1 • Masking (e.g. Boolean encoding) 𝑏 = 𝑏 1 ⨁𝑏 2 ⨁ ⋯ ⨁𝑏 𝑒 • With 𝑏 2 , ⋯ , 𝑏 𝑒 random

  5. Masking 1 • Masking (e.g. Boolean encoding) 𝑏 = 𝑏 1 ⨁𝑏 2 ⨁ ⋯ ⨁𝑏 𝑒 • With 𝑏 2 , ⋯ , 𝑏 𝑒 random • Abstract security  Probing model  Security order 𝑒 − 1 (at best)

  6. Masking 1 • Masking (e.g. Boolean encoding) 𝑏 = 𝑏 1 ⨁𝑏 2 ⨁ ⋯ ⨁𝑏 𝑒 • With 𝑏 2 , ⋯ , 𝑏 𝑒 random • Abstract security • Concrete security  Probing model  Noisy leakage  Security order model  𝑂 = (𝜏 2 ) 𝑒−1 𝑒 − 1 (at best) (under assumptions)

  7. Barthe et al. 2017 masking scheme 2 • Parallel masking scheme by design • All shares manipulated at once

  8. Barthe et al. 2017 masking scheme 2 • Parallel masking scheme by design • All shares manipulated at once • Example of mult. 𝑏 ∗ 𝑐 = 𝑑 for 𝑒 = 3 a b r a b a b r c 1 1 1 1 3 3 1 3 1      a b r a b a b r c 2 2 2 2 1 1 2 1 2 a b r a b a b r c 3 3 3 3 2 2 3 2 3

  9. Outline • Background  Masking  Barthe et al. masking scheme • How fast can be very high-order masking ?  Data representation  AES results and discussion • How can we evaluate security at very high order ?  Limitation of leakage detection strategy  Multi-model approach • Conclusion/Open problems

  10. Data representation and implementation 3 • 32-bit register ……… a30 a31 a32 a1 a2 a3 Secret bit + sum Random Random Random Random Random random bits bit bit bit bit bit

  11. Data representation and implementation 3 • 32-bit register ……… a30 a31 a32 a1 a2 a3 Secret bit + sum Random Random Random Random Random random bits bit bit bit bit bit • Use bitwise operators (XOR, AND, …)

  12. Data representation and implementation 3 • 32-bit register ……… a30 a31 a32 a1 a2 a3 Secret bit + sum Random Random Random Random Random random bits bit bit bit bit bit • Use bitwise operators (XOR, AND, …) • Implementation on 32-bit ARM • Optimal case: register size = nb of shares

  13. Data representation and implementation 3 • 32-bit register ……… a30 a31 a32 a1 a2 a3 Secret bit + sum Random Random Random Random Random random bits bit bit bit bit bit • Use bitwise operators (XOR, AND, …) • Implementation on 32-bit ARM • Optimal case: register size = nb of shares • Well suited for bitslice ciphers 

  14. Implementation Results: AES 4 • Application to AES • Gate level Time Spent (%) representation of AES S-box (Boyar, Randomness Peralta 2010) Non-linear op Linear op 10 cycles to generate 32-bit random value Total = 2 800 000 cycles

  15. Implementation Results: AES 4 • Application to AES • Gate level Time Spent (%) representation of AES S-box (Boyar, Randomness Peralta 2010) Non-linear op Linear op • SNI refreshing of one input of each multiplication 10 cycles to generate 32-bit random value (conservative) Total = 2 800 000 cycles

  16. Implementation Results: AES 4 • Application to AES • Gate level Time Spent (%) representation of AES S-box (Boyar, Randomness Peralta 2010) Non-linear op Linear op • SNI refreshing of one input of each multiplication 80 cycles to generate 32-bit random value (conservative) Total = 9 700 000 cycles

  17. Comparison with Goudarzi-Rivain 5 • Goudarzi-Rivain 2017: Generic ISW implementation and application to bitsliced AES Goudarzi-Rivain This paper 3,821,312 2,783,510

  18. Comparison with Goudarzi-Rivain 5 • Goudarzi-Rivain 2017: Generic ISW implementation and application to bitsliced AES Goudarzi-Rivain This paper 3,821,312 2,783,510 • Same order of magnitude of cycles • Very high-order masking is not out of reach !

  19. Outline • Background  Masking  Barthe et al. masking scheme • How fast can be very high-order masking ?  Data representation  AES results and discussion • How can we evaluate security at very high order ?  Limitation of leakage detection strategy  Multi-model approach • Conclusion/Open problems

  20. Limitations of leakage detection strategy 6 • Evaluator power = 2^30 • If security <= 2^30, security level • What if security > 2^30 ? • Security claims bounded by evaluator power

  21. Limitations of leakage detection strategy 6 • Evaluator power = 2^30 • If security <= 2^30, security level • What if security > 2^30 ? • Security claims bounded by evaluator power We expect 31th-security order (or 31/f-security order)

  22. Multi-Model Approach 7

  23. Multi-Model Approach 7 Probing model Abstract Qualitative Algorithmic security order d Risk captured: Lack of refreshing

  24. Multi-Model Approach 7 Bounded-Moment Probing model Model Abstract Physical Qualitative Qualitative Algorithmic security Physical security order order f d Risk captured: Risk captured: Lack of refreshing Share recombination

  25. Multi-Model Approach 7 Bounded-Moment Noisy Leakage Model Probing model Model Abstract Physical Physical Qualitative Qualitative Quantitative Algorithmic security Physical security Physical security order order order f MI , SNR d Risk captured: Risk captured: Risk captured: Lack of refreshing Share recombination Lack of noise

  26. Multi-Model Approach 7 Bounded-Moment Noisy Leakage Model Probing model Model Abstract Physical Physical Qualitative Qualitative Quantitative Algorithmic security Physical security Physical security order order order f MI , SNR d d + f + SNR + MI => Security level Risk captured: Risk captured: Risk captured: Lack of refreshing Share recombination Lack of noise

  27. Probing security (state of the art) 8 • 2 possible options:  Composable gadgets (SNI) o Simple to analyse o Implementation becomes expensive  Full code evaluation o Hard to analyse o Reduced implementation cost

  28. Bounded-Moment security 9

  29. Bounded-Moment security 9 • Leakage detection hard in practice with 32 shares

  30. Bounded-Moment security 9 • Leakage detection hard in practice with 32 shares • Idea similar to symmetric cryptanalysis: security based on reduced version • Leakage detection on small order (e.g. on 4 shares)

  31. Bounded-Moment security 9 • Leakage detection hard in practice with 32 shares • Idea similar to symmetric cryptanalysis: security based on reduced version • Leakage detection on small order (e.g. on 4 shares) • Extraction of a risk factor f from possible share recombination • Extrapolation of security

  32. Leakage detection results 10

  33. Leakage detection results 11

  34. Noisy Leakage Model 12 • SNR(=0,05) computed with linear regression • MI of the encoding • 31 / 15 / 7 -order security if flaw f = 1 / 2 / 4

  35. Noisy Leakage Model 12 • SNR(=0,05) computed with linear regression • MI of the encoding • 31 / 15 / 7 -order security if flaw f = 1 / 2 / 4

  36. Noisy Leakage Model 12 • SNR(=0,05) computed with linear regression • MI of the encoding • 31 / 15 / 7 -order security if flaw f = 1 / 2 / 4

  37. Noisy Leakage Model 12 • SNR(=0,05) computed with linear regression • MI of the encoding • 31 / 15 / 7 -order security if flaw f = 1 / 2 / 4 • Averaging: multiple apparition of sensitive values

  38. Putting things together 13

  39. Putting things together 13 Horizontal SCA

  40. Putting things together 13 Horizontal SCA Worst case

  41. Putting things together 13 Horizontal SCA Order reduction from flaw f Worst case Order reduction from noise

  42. Outline • Background  Masking  Barthe et al. masking scheme • How fast can be very high-order masking ?  Data representation  AES results and discussion • How can we evaluate security at very high order ?  Limitation of leakage detection strategy  Multi-model approach • Conclusion/Open problems

  43. Conclusion 14

  44. Conclusion 14 • Very high order (32 shares) implementation is not out of reach !

  45. Conclusion 14 • Very high order (32 shares) implementation is not out of reach ! • Multi-model approach proposed to evaluate very HO masked implementations ( security level )

  46. Conclusion 14 • Very high order (32 shares) implementation is not out of reach ! • Multi-model approach proposed to evaluate very HO masked implementations ( security level ) • Based on falsifiable assumptions

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

High Order Masking of Look-up Tables with Common Shares J-S.Coron, F.Rondepierre, R.Zeitoun 12th

High Order Masking of Look-up Tables with Common Shares J-S.Coron, F.Rondepierre, R.Zeitoun 12th

High Order Masking of Look-up Tables with Common Shares J-S.Coron, F.Rondepierre, R.Zeitoun 12th September 2018 Outline Outline 1 Introduction 1st Order Solution Higher Order Masking of Look-Up Tables 2 Higher Order: Optimizations 12th

388 views • 35 slides
On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun Goudarzi and Matthieu Rivain CHES 2016, Santa-Barbara Higher-Order Masking x = x 1 + x 2 + + x d 2/28 Higher-Order Masking x = x 1 + x 2 +

855 views • 42 slides
Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1 ebastien Coron 2

Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1 ebastien Coron 2

Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1 ebastien Coron 2 Rina Zeitoun 1 Jean-S 1 IDEMIA, France 2 University of Luxembourg CHES 2018 Side-channel Attacks Differential Power Analysis [KJJ99] Group by

620 views • 47 slides
Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Introduction RSM: Rotating Sboxes Masking Information Theoretic Evaluation of RSM Security Evaluation of RSM against CPA and 2O-CPA Conclusions and Perspectives Formal Analysis of the Entropy / Security Trade-off in First-Order Masking

539 views • 38 slides
Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

8 + Introduction Higher Order Masking Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved Scheme Experimental Results J.-S. Coron 1 E. Prouff 2 M. Rivain 1 , 2 Conclusion 1 University of

555 views • 43 slides
Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts

Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts

Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts Oberthur CHES 2010, Santa Barbara, Aug. 20 th CHES 2010 Provably Secure Higher-Order Masking of AES Outline 1 Introduction Higher-Order

1.1k views • 77 slides
Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint work with C. Carlet, L. Goubin,

Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint work with C. Carlet, L. Goubin,

Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint work with C. Carlet, L. Goubin, E. Prouff and M. Quisquater FSE 2012 Washington DC, 21st March 2012 Higher-Order Masking Schemes for S-boxes Outline 1 Introduction 2

1.33k views • 98 slides
Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking Blandine

Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking Blandine

Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking Blandine Debraize Leuven, September 10th, 2012 I NTRODUCTION 1 K NOWN TABLE - BASED METHODS 2 C ORON -T CHULKINE METHOD N EISSE -P ULKUS METHOD 3 C

413 views • 28 slides
Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software

Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software

The signature The countermeasure and its proof Performances Future work Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software Institute) Sonia Belad (CryptoExperts) Thomas Espitau (UPMC) Pierre-Alain

1.04k views • 51 slides
Efficient high order and domain decomposition methods for the time-harmonic Maxwells equations

Efficient high order and domain decomposition methods for the time-harmonic Maxwells equations

Efficient high order and domain decomposition methods for the time-harmonic Maxwells equations Marcella Bonazzoli 1 , Victorita Dolean 1 , 4 , Ivan G. Graham 3 , Frdric Hecht 2 , Frdric Nataf 2 , Francesca Rapetti 1 , Euan A. Spence 3 ,

828 views • 44 slides
How Fast Can Higher-Order Masking Be in Software? Dahmun Goudarzi and Matthieu Rivain EUROCRYPT

How Fast Can Higher-Order Masking Be in Software? Dahmun Goudarzi and Matthieu Rivain EUROCRYPT

How Fast Can Higher-Order Masking Be in Software? Dahmun Goudarzi and Matthieu Rivain EUROCRYPT 2017, Paris 1 Introduction 2 Field Multiplications 3 Non-Linear Operations 4 Generic Polynomial Methods 5 Polynomial Methods for

873 views • 51 slides
Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on

Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on

Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on the spatial attribute type. Proposal part 2 Details of the masking attribute addition. Table 3-13 - S100_GF_SpatialAttributeType Role Name

558 views • 8 slides
Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan)

Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan)

Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan) 2017-09-29 1 quick intro to masking masking = countermeasure against DPA idea: secret sharing b = b 1 + b 2 individual shares tell you nothing

752 views • 45 slides
Low Randomness Masking and Shulfifgn: An Evaluation Using Mutual Information Kostas

Low Randomness Masking and Shulfifgn: An Evaluation Using Mutual Information Kostas

Low Randomness Masking and Shulfifgn: An Evaluation Using Mutual Information Kostas Papagiannopoulos kostaspap88@gmail.com kpcrypto.net Radboud University Nijmegen Digital Security Department The Netherlands 1 Overview Masking,

785 views • 46 slides
Energy-efficient &amp; High-performance Energy-efficient &amp; High-performance Instruction Fetch

Energy-efficient &amp; High-performance Energy-efficient &amp; High-performance Instruction Fetch

Energy-efficient &amp; High-performance Energy-efficient &amp; High-performance Instruction Fetch using a Block-aware ISA Instruction Fetch using a Block-aware ISA Ahmad Zmily and Christos Kozyrakis Electrical Engineering Department Stanford

250 views • 23 slides
Disclosures Masking and Breast Density Volpare Health Solutions (Wellington, New Zealand) Can we

Disclosures Masking and Breast Density Volpare Health Solutions (Wellington, New Zealand) Can we

6/8/2017 Disclosures Masking and Breast Density Volpare Health Solutions (Wellington, New Zealand) Can we Quantify Masking Risk? co-founder and shareholder Qview Medical (Los Altos, CA) Nico Karssemeijer consultant, co-founder and

883 views • 18 slides
WARM WELCOME Presentation Agenda DVR Introduction Matrix SATATYA Introduction SATATYA

WARM WELCOME Presentation Agenda DVR Introduction Matrix SATATYA Introduction SATATYA

WARM WELCOME Presentation Agenda DVR Introduction Matrix SATATYA Introduction SATATYA DVR Solution Hardware Solution Software Solution SATATYA DVR Key Features SATATYA DVR Feature List Digital Video Recorder (DVR)

941 views • 55 slides
for MN Board-Approved Supervisor Part I JENNIFER MOHLENHOFF, JD EXECUTIVE DIRECTOR MAMFT 2018

for MN Board-Approved Supervisor Part I JENNIFER MOHLENHOFF, JD EXECUTIVE DIRECTOR MAMFT 2018

Common Questions &amp; Best Practices for MN Board-Approved Supervisor Part I JENNIFER MOHLENHOFF, JD EXECUTIVE DIRECTOR MAMFT 2018 Fall Conference September 21, 2018 Definitions Minn. Rule 5300.0100 Subp. 15. Supervisee.

618 views • 31 slides
Radiation Protection and Nuclear Safety Regulatory Inspection: A Happy Marriage? Outline

Radiation Protection and Nuclear Safety Regulatory Inspection: A Happy Marriage? Outline

Alain GEENS Pierre BARRAS Radiation Protection and Nuclear Safety Regulatory Inspection: A Happy Marriage? Outline Introduction Legal aspects Problems Solution: Inspection by sampling &amp; REX How to treat an observation?

426 views • 28 slides
Syrian Refugee Youth in Jordan: Early Marriage in Perspective An Van Raemdonck| Vrije

Syrian Refugee Youth in Jordan: Early Marriage in Perspective An Van Raemdonck| Vrije

Syrian Refugee Youth in Jordan: Early Marriage in Perspective An Van Raemdonck| Vrije Universiteit Amsterdam Main findings Diverse contexts Reconsidering the link and needs between early marriage and SRHR complications Cultural,

157 views • 3 slides
Alpha Presentation Browser Sharing for Customer Support The Capstone Experience Team Amazon

Alpha Presentation Browser Sharing for Customer Support The Capstone Experience Team Amazon

Alpha Presentation Browser Sharing for Customer Support The Capstone Experience Team Amazon Liyuan Duan Megha Erappa Jonathan Kushion Rahul Yalamanchili Eunice Yoon Colin Zhong Department of Computer Science and Engineering Michigan State

331 views • 10 slides
Becoming a Nurse in the Time of COVID-19 Stephanie Woods RN, PhD Dean and Professor Hunt

Becoming a Nurse in the Time of COVID-19 Stephanie Woods RN, PhD Dean and Professor Hunt

Becoming a Nurse in the Time of COVID-19 Stephanie Woods RN, PhD Dean and Professor Hunt Endowed Chair in Nursing Rick and Ginger Francis Endowed Dean Gayle Greve Hunt School of Nursing Timeline 12/01/19 First case in Wujan China

370 views • 13 slides
Single sign-on (SSO) Presentation Tiit Erm 106572 IVCMM Main points Introduction Old

Single sign-on (SSO) Presentation Tiit Erm 106572 IVCMM Main points Introduction Old

Single sign-on (SSO) Presentation Tiit Erm 106572 IVCMM Main points Introduction Old approach in multiple systems SSO Security Benefits Common SSO based configurations Examples of SSO usage Conclusion 15/12/11

379 views • 16 slides
Vincent Kieberl &amp; Silke Knossen Central control unit 3 control units Bus system Source:

Vincent Kieberl &amp; Silke Knossen Central control unit 3 control units Bus system Source:

Vincent Kieberl &amp; Silke Knossen Central control unit 3 control units Bus system Source: Volkswagen AG, Data Exchange on the CAN bus I The CAN bus Controller Area Network (CAN) Interconnects Electronic Control Units Source:

861 views • 22 slides

More recommend