From Trivial Composition to Full Verification and an Application to Masking in Hardware
Gaëtan Cassiers, François-Xavier Standaert (UCLouvain, Belgium)
VeriSiCC Seminar, Paris, France, September 2019
Side-Channel Analysis
Masking (e.g., Boolean): x = x_0 + x_1 + ... + x_d
Goal (ideally):
• Probing security: any set of (d-1) probes is independent of x
• Bounded moment security: the (d-1)th-order statistical moment of the leakages, E[L_{i_1} · L_{i_2} · ... · L_{i_{d-1}}] for any (d-1) leakage samples, is independent of x
• Noisy leakages security: the mutual information MI(X; L) decreases exponentially in the number of shares, MI(X; L) < MI(X_i; L_i)^d
Security reductions (from the abstract to the physical model): x = x_0 + x_1 + ... + x_d
probing (abstract, qualitative) → [Barthe et al., Eurocrypt 2017] → bounded moment (physical, qualitative) → [Duc et al., Eurocrypt 2014] → noisy leakages (physical, quantitative)
What can go wrong? (e.g., when computing a·b from 3 shares, i.e., the 3×3 grid of partial products a_i·b_j)
Issue #1. Lack of randomness (can break the independence assumption)
• Example: probing c_1 = a_1·b_1 + b_2 + b_3 reveals information on b (when a_1 = 1)
• Mitigated by adding fresh random bits (r_0, r_1, r_2) to the grid of partial products through «refreshing gadgets»
• Can be analyzed in the probing model
Issue #2. Physical defaults (can break the independence assumption)
• Example: glitches (transient values) «re-combine» the shares such that L_t = f(x_1 ⊕ x_2 ⊕ x_3) (detected in the bounded moment model)
• Mitigated by adding a «non-completeness» property [⇒ Threshold Implementations]
• Abstract property: can be analyzed in the probing model!
Technical challenge: scalability
d-probing security [ISW, 2004]: any d-tuple of shares in the protected circuit is independent of any sensitive variable
Problem: the cost of testing probing security increases (very) fast with circuit size and the number of shares (since there are many tuples)
• Solution #1: direct verification of (weaker) circuit properties: [Barthe et al., 2015/2019], [Bloem et al., 2018]
• Solution #2: composable verification with (stronger) properties: [Barthe et al., 2016], but limited to "abstract" circuits
• Solution #3: test more specific properties [Arribas et al., 2018]
• #1 and #2 can be complementary: use #1 for gadgets, #2 for circuits
Does it go wrong (for hardware masking)?
• State-of-the-art hardware-oriented masking schemes:
• Consolidating Masking Scheme (CMS, 2015)
• Domain-Oriented Masking (DOM, 2016)
• Unified Masking Approach (UMA, 2017)
• Generic Low-Latency Masking (GLM, 2018)
• Intuitively appealing constructions, but no probing security proof at high orders
• Theoretical concern or practical risk?
• [Moos et al., 2019]: all the higher-order extensions of these schemes are affected by concrete flaws
• Next: CMS (local) and DOM (composability) examples…
Consolidating Masking Scheme
• Local flaw in the "ring refreshing" algorithm
• Attack with 3 probes for any d > 3 shares
• Problem: most of the randomness cancels out…
• Fix proposed by De Cnudde (⇒ CMS becomes more similar to DOM)
• Composability remains unclear
Composability requirements (example)
d-(Strong) Non-Interference [Barthe et al., CCS 2016]: a circuit gadget (e.g., f_1) is NI (SNI) if any set of t_1 internal probes and t_2 output probes, with t_1 + t_2 ≤ d, can be simulated with at most t_1 + t_2 (only t_1) shares of each input:
D(input shares || probes) = D(input shares || simulation)
Theorem [trivial composition] ⇒ any composition of q-SNI gadgets is q-SNI
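Added example (not code from the talk or from the authors' tools): a brute-force checker for the three definitions on the slides above, the "lack of randomness" flaw of Issue #1, d-probing security as stated by [ISW, 2004], and NI/SNI as stated by [Barthe et al., CCS 2016]. It compares two 3-share AND gadgets that are this example's own constructions: a multiplication without refreshing randomness, whose first output share reduces to a_1·b, and an ISW-style multiplication with fresh bits r_ij. Every sharing and every random tape is enumerated, so the exhaustive tuple search is exactly the cost the scalability slide refers to (30 wires already give 435 probe pairs). Wire names, gadget code and the search strategy are assumptions of this example.

```python
import itertools
from collections import Counter

D = 3  # number of shares; the target is (D-1)-probing security (2 probes here)


def naive_and(a, b, r):
    """Issue #1 gadget (constructed): c_i = a_i*b_0 + a_i*b_1 + a_i*b_2 = a_i*b, no randomness."""
    w = {f"a{i}": a[i] for i in range(D)}          # input shares are probeable wires
    w.update({f"b{i}": b[i] for i in range(D)})
    for i in range(D):
        acc = 0
        for j in range(D):
            w[f"p{i}{j}"] = a[i] & b[j]             # partial product a_i*b_j
            acc ^= w[f"p{i}{j}"]
            w[f"c{i}_{j}"] = acc                    # every partial sum is a wire too
    return w, [f"c{i}_{D - 1}" for i in range(D)]


def isw_and(a, b, r):
    """ISW multiplication: fresh bit r_ij for i<j and r_ji = (r_ij + a_i*b_j) + a_j*b_i."""
    w = {f"a{i}": a[i] for i in range(D)}
    w.update({f"b{i}": b[i] for i in range(D)})
    rnd = iter(r)
    for i in range(D):
        for j in range(D):
            w[f"p{i}{j}"] = a[i] & b[j]
    for i in range(D):
        for j in range(i + 1, D):
            w[f"r{i}{j}"] = next(rnd)
            w[f"t{i}{j}"] = w[f"r{i}{j}"] ^ w[f"p{i}{j}"]
            w[f"r{j}{i}"] = w[f"t{i}{j}"] ^ w[f"p{j}{i}"]
    outs = []
    for i in range(D):
        acc, others = w[f"p{i}{i}"], [k for k in range(D) if k != i]
        for j in others:
            acc ^= w[f"r{i}{j}"]
            w[f"c{i}_{j}"] = acc
        outs.append(f"c{i}_{others[-1]}")
    return w, outs


def evaluate_all(gadget, n_rand):
    """Run the gadget on every input-share assignment and every random tape."""
    rows = []
    for shares in itertools.product((0, 1), repeat=2 * D):
        for r in itertools.product((0, 1), repeat=n_rand):
            w, outs = gadget(shares[:D], shares[D:], r)
            rows.append((shares, w))
    return rows, outs


def distributions(rows, probes):
    """For each input-share assignment, the distribution (over the randomness) of the probed wires."""
    dist = {}
    for shares, w in rows:
        dist.setdefault(shares, Counter())[tuple(w[p] for p in probes)] += 1
    return dist


def unshare(shares):
    """Recover the secrets (a, b) from a share assignment."""
    return (sum(shares[:D]) & 1, sum(shares[D:]) & 1)


def probing_secure(gadget, n_rand, t):
    """t-probing security: the joint distribution of any t wires is the same for all (a, b).
    Returns (True, None) or (False, first leaking probe set)."""
    rows, _ = evaluate_all(gadget, n_rand)
    for probes in itertools.combinations(rows[0][1], t):
        per_secret = {}
        for shares, d in distributions(rows, probes).items():
            per_secret.setdefault(unshare(shares), Counter()).update(d)
        if len({tuple(sorted(c.items())) for c in per_secret.values()}) > 1:
            return False, probes
    return True, None


def simulatable(dist, S):
    """True if the probe distribution depends only on the input shares indexed by S."""
    seen = {}
    for shares, d in dist.items():
        key = tuple(shares[i] for i in S)
        if seen.setdefault(key, d) != d:
            return False
    return True


def non_interferent(gadget, n_rand, t, strong=False):
    """t-NI (strong=False) / t-SNI (strong=True): t1 internal + t2 output probes must be
    simulatable from at most t1 + t2 (NI), resp. t1 (SNI), shares of each input."""
    rows, outs = evaluate_all(gadget, n_rand)
    for probes in itertools.combinations(rows[0][1], t):
        t2 = sum(p in outs for p in probes)
        k = min(D, t - t2 if strong else t)
        dist = distributions(rows, probes)
        # a superset of a sufficient share set is still sufficient, so trying the
        # sets holding exactly k shares of each input is enough
        if not any(simulatable(dist, sa + sb)
                   for sa in itertools.combinations(range(D), k)
                   for sb in itertools.combinations(range(D, 2 * D), k)):
            return False, probes
    return True, None


if __name__ == "__main__":
    print("naive 1-probing:", probing_secure(naive_and, 0, 1))            # (False, ('c0_2',))
    print("naive 1-NI     :", non_interferent(naive_and, 0, 1))           # (False, ('c0_1',))
    print("ISW   2-probing:", probing_secure(isw_and, 3, 2))              # (True, None)
    print("ISW   2-NI     :", non_interferent(isw_and, 3, 2))             # (True, None)
    print("ISW   2-SNI    :", non_interferent(isw_and, 3, 2, strong=True))  # (True, None)
```

The unrefreshed gadget fails already at order 1: the wire c0_2 = a_0·b has a distribution that depends on b, which is the slide's Issue #1, and the NI check rejects it one wire earlier (c0_1 = a_0·(b_0 + b_1) needs two shares of b to simulate). The ISW gadget passes 2-probing security, 2-NI and 2-SNI with 3 shares, which is the [Barthe et al., CCS 2016] result for this multiplication. Glitch-extended probes are not modelled here; every probe observes exactly one wire.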
Domain-Oriented Masking
• Two algorithms: DOM-indep and DOM-dep
• DOM-indep not sufficient to compose, e.g., z = x · x
• ⇒ DOM-dep critical to compose, but broken (and no fix)
• State of the art (2018): composable masking schemes that ignore physical defaults such as glitches, and hardware-oriented masking schemes that mitigate glitches but are at best probing secure (so not provably composable)
(Refined) model and security definition
• Glitch-extended probes: probing any output of a combinational circuit (probe P_1) allows the adversary to observe all the circuit inputs. Example: P_1 gives all three inputs of the combinational block it is placed on
• (SNI-related) clarification: the adversary can also probe the stable register output (probe P_2), so both P_1 and P_2 appear in proofs