Parallel Implementations of Masking Schemes and the Bounded Moment Leakage Model. G. Barthe, F. Dupressoir, S. Faust, B. Grégoire, F.-X. Standaert, P.-Y. Strub. IMDEA (Spain), Univ. Surrey (UK), Univ. Bochum (Germany), INRIA Sophia-Antipolis (France), UCL (Belgium), Ecole Polytechnique (France). (Slide transcript.)

  1. Parallel Implementations of Masking Schemes and the Bounded Moment Leakage Model. G. Barthe, F. Dupressoir, S. Faust, B. Grégoire, F.-X. Standaert, P.-Y. Strub. IMDEA (Spain), Univ. Surrey (UK), Univ. Bochum (Germany), INRIA Sophia-Antipolis (France), UCL (Belgium), Ecole Polytechnique (France). EUROCRYPT 2017, Paris, France

  2. Outline • Introduction / motivation • Side-channel attacks and noise • Masking and leakage models • Bounded moment model • Masking intuition & BMM definition • Probing security ⇒ BM security • Parallel multiplication (& refreshing) • BM security ⇏ probing security • Inner product masking (with "non-mixing" leakages) • Continuous security & refreshing gadgets • Conclusions

  3. Outline (section marker; next section: Introduction / motivation, side-channel attacks and noise)

  4. Side-channel attacks [figure: success probability vs. # of measurements (axis 0 to 128), compared with the 2^128 cost of a computational attack] • ≈ physical attacks whose security decreases exponentially in the # of measurements

  5–7. Noise (hardware countermeasures) [figure builds omitted] • Additive noise: cost × 2 ⇒ security × 2 (linear, not exponential) ⇒ not a good (crypto) security parameter

  8. Outline (section marker; next section: Masking and leakage models)

  9. Masking (≈ noise amplification) • Example: Boolean encoding $y = y_1 \oplus y_2 \oplus \cdots \oplus y_{d-1} \oplus y_d$ with $y_1, y_2, \ldots, y_{d-2}, y_{d-1} \leftarrow \{0,1\}^n$ drawn uniformly, so that the last share $y_d$ is fixed by $y$ and the other $d-1$ shares

  10–12. Masking (abstract view) • Probing security (Ishai, Sahai, Wagner 2003) for $y = y_1 \oplus y_2 \oplus \cdots \oplus y_{d-1} \oplus y_d$: • $d-1$ probes do not reveal anything on $y$ • But $d$ probes completely reveal $y$

  13–15. Masking (concrete view) • Probing security (Ishai, Sahai, Wagner 2003) for $y = y_1 \oplus y_2 \oplus \cdots \oplus y_{d-1} \oplus y_d$ • Bounded information leakage: $\mathrm{MI}(Y_i; L)^d$ (informally, the information leaked about $y$ shrinks as the $d$-th power of the per-share information) • Noisy leakage security (Prouff, Rivain 2013) • Probing security ⇒ noisy leakage security (Duc, Dziembowski, Faust 2014), assuming noise and independence

  16–18. Motivation / open questions 1. What happens with parallel implementations? • For example: one probe reveals the shares' sum 2. How to test physical independence? (consolidating) • Without directly working in the noisy leakage model

  19. Outline (section marker; next section: Bounded moment model, masking intuition & BMM definition)

  20–22. Masking statistical intuition • 2-share / 1-bit example, serial implementation: $L_1 = y_1 + n_1$, $L_2 = y_2 + n_2$ • 2-share / 1-bit example, parallel implementation: $L = y_1 + y_2 + n$ • In both cases every first-order moment is independent of $y$, while an order-2 moment ($E[L_1 L_2]$, resp. $E[L^2]$) is not: two shares give order-1 security • Definition (informal). An implementation is secure at order $o$ in the bounded moment model if all mixed statistical moments of order up to $o$ of its leakage vectors are independent of any sensitive variable manipulated

  23. Outline (section marker; next section: Probing security ⇒ BM security)

  24–26. Abstract reduction (answer to Q1) • Theorem (informal). A parallel implementation is secure at order $o$ in the BMM if its serialization is secure at order $o$ in the probing model, where • $\mathrm{Adv}_{pr}$ can (typically) probe $o = d-1$ wires • $\mathrm{Adv}_{bm}$ can observe any $L = \sum_{i=1}^{d} \alpha_i \cdot y_i$ • Intuition: summing the shares (in ℝ) does not break the independent leakage assumption • Main difference between probing and BM security: • $\mathrm{Adv}_{bm}$ can sum over all the shares! • BM security is weaker (moments vs. distributions)

  27–28. Concrete consequence (answer to Q2) • If the leakages are physically independent, BM security extends to actual measurements (e.g., $d = 3$) • If not (some moment of order $\le o$ of the measured traces depends on the secret), the leakages are not independent: this gives the test of physical independence asked for in Q2

  29. Outline (section marker; next section: Parallel multiplication (& refreshing))

  30–31. Serial multiplication • ISW 2003: multiplication $c = a \times b$, compress the partial products row by row after refreshing (shown for $d = 3$):

$$\begin{pmatrix} c_1 \\ c_2 \\ c_3 \end{pmatrix} \Leftarrow \begin{pmatrix} a_1 b_1 & a_1 b_2 & a_1 b_3 \\ a_2 b_1 & a_2 b_2 & a_2 b_3 \\ a_3 b_1 & a_3 b_2 & a_3 b_3 \end{pmatrix} \oplus \begin{pmatrix} 0 & r_1 & r_2 \\ -r_1 & 0 & r_3 \\ -r_2 & -r_3 & 0 \end{pmatrix}$$

(partial products, refresh matrix, compress) • AES S-box ($n = 8$) implementation • $a = a_1 \oplus a_2 \oplus \cdots \oplus a_d$ (e.g., $d = 8$); each register stores an $a_i$ (i.e., a $\mathrm{GF}(2^8)$ element) • Memory ∝ $n \cdot d$, time ∝ $d^2$ $\mathrm{GF}(2^8)$ multiplications • AES S-box ≈ 3 multiplications (& 4 squarings)
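The ISW multiplication of slides 30–31, written out for an arbitrary number of shares $d$ over the AES field, as an added example (this is not the authors' code). The field multiplication, the sharing helpers and the seeded `random.Random` used for reproducibility are my own choices; a real implementation must draw its refresh values from a cryptographic RNG. The returned multiplication count makes the "time ∝ $d^2$" claim of the slide concrete: $d$ diagonal products plus $2 \cdot d(d-1)/2$ cross products.

```python
"""ISW (Ishai-Sahai-Wagner 2003) masked multiplication over GF(2^8), d shares.
Added example, not the paper's code."""
import random

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES field polynomial


def gf_mul(x, y):
    """Multiply two GF(2^8) elements in the AES representation (bit-serial)."""
    p = 0
    for _ in range(8):
        if y & 1:
            p ^= x
        y >>= 1
        x <<= 1
        if x & 0x100:          # degree 8 reached: reduce modulo the field polynomial
            x ^= AES_POLY
    return p & 0xFF


def share(x, d, rng):
    """Boolean (XOR) sharing of x: d-1 uniform shares, the last one fixes the XOR.
    rng is assumed cryptographic in production; seeded here only for reproducibility."""
    shares = [rng.randrange(256) for _ in range(d - 1)]
    last = x
    for s in shares:
        last ^= s
    return shares + [last]


def unshare(shares):
    """Recombine a Boolean sharing."""
    x = 0
    for s in shares:
        x ^= s
    return x


def isw_mult(A, B, rng):
    """ISW multiplication on shares: XOR of the output equals a*b.
    Returns (C, number of GF(2^8) multiplications performed).
    Row i of the partial-product matrix is compressed into c_i. The fresh r_ij
    refreshes row i and is cancelled in row j, where it is XORed into the two
    cross products one at a time: the parenthesisation below is what keeps
    a_i*b_j ^ a_j*b_i from ever appearing unmasked on a wire."""
    d = len(A)
    nmul = 0
    C = []
    for i in range(d):                      # diagonal: c_i = a_i * b_i
        C.append(gf_mul(A[i], B[i]))
        nmul += 1
    for i in range(d):
        for j in range(i + 1, d):
            r_ij = rng.randrange(256)
            r_ji = (r_ij ^ gf_mul(A[i], B[j])) ^ gf_mul(A[j], B[i])
            nmul += 2
            C[i] ^= r_ij
            C[j] ^= r_ji
    return C, nmul


def check_isw(a, b, d, seed=1):
    """Mask a and b with d shares, multiply, unmask. Returns (result, #multiplications)."""
    rng = random.Random(seed)
    C, nmul = isw_mult(share(a, d, rng), share(b, d, rng), rng)
    return unshare(C), nmul


if __name__ == "__main__":
    # FIPS-197 worked values: {57}*{83} = {c1}, and {53} is the inverse of {ca}
    print(hex(gf_mul(0x57, 0x83)), check_isw(0x57, 0x83, 3), check_isw(0x53, 0xCA, 8))
```

`check_isw(..., d=8)` reports 64 field multiplications, i.e. $d^2$, and the memory is the $d$ input shares per operand plus the $d$ accumulators, matching the "memory ∝ $n \cdot d$" bullet. Note that correctness of the recombined result says nothing about side-channel security; that is what the probing and bounded-moment checks of the following slides are for.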

  32. Parallel multiplication • Main tweak: interleave & regularize (shown for $d = 3$, indices mod 3):

$$\begin{pmatrix} c_1 \\ c_2 \\ c_3 \end{pmatrix} \Leftarrow \begin{pmatrix} a_1 b_1 & a_1 b_3 & a_3 b_1 \\ a_2 b_2 & a_2 b_1 & a_1 b_2 \\ a_3 b_3 & a_3 b_2 & a_2 b_3 \end{pmatrix} \oplus \begin{pmatrix} r_1 & r_3 \\ r_2 & r_1 \\ r_3 & r_2 \end{pmatrix}$$

(partial products, refresh) • Each row is accumulated in its own register and the rows are processed in lockstep, one column per step, so every step performs the same operation in all $d$ registers
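An exhaustive bounded-moment check, added here as an example that is not part of the deck, serving both the BMM definition of slides 20–22 and the parallel multiplication of slide 32. It works with 1-bit shares so that every sharing and every refresh value can be enumerated and the mixed moments computed exactly. The leakage model is an assumption that follows the theorem of slides 24–26: in every cycle the adversary sees the real-valued sum of all register contents ($\alpha_i = 1$). For the 3-share multiplication the per-row XOR order (diagonal product, $r_i$, the two cross products, then $r_{i+1}$) is my reconstruction; the slide lists each row's operands but not their chronological order, and using $i+1$ instead of the slide's $i-1$ is only a relabeling of the indices.

```python
"""Exhaustive bounded-moment (BM) check for small masked gadgets with 1-bit shares.
Added example, not the paper's code. Leakage model (assumption): each cycle leaks
the real-valued sum of all register contents. Noiseless moments suffice: with
independent additive noise, E[(S+n)^k] is a polynomial in E[S^j], j <= k, so a
secret-independent noiseless moment stays secret-independent with noise."""
from fractions import Fraction
from itertools import combinations_with_replacement, product


def boolean_sharings(x, d):
    """All d-tuples of bits that XOR to x (the uniform Boolean sharing of x)."""
    return [s for s in product((0, 1), repeat=d) if sum(s) % 2 == x]


def first_leaking_order(trace_fn, secrets, max_order):
    """Smallest order o <= max_order at which a mixed moment E[L_t1 * ... * L_to] of
    the trace depends on the secret; None if BM-secure at order max_order.
    trace_fn(secret) returns the list of equiprobable traces (tuples of samples)."""
    traces = {s: trace_fn(s) for s in secrets}
    n_samples = len(next(iter(traces.values()))[0])
    for order in range(1, max_order + 1):
        # one mixed moment per multiset of sample indices, e.g. (0, 0) is E[L_0^2]
        for idx in combinations_with_replacement(range(n_samples), order):
            moments = set()
            for s in secrets:
                total = 0
                for tr in traces[s]:
                    term = 1
                    for i in idx:
                        term *= tr[i]
                    total += term
                moments.add(Fraction(total, len(traces[s])))
            if len(moments) > 1:        # the moment takes different values for different secrets
                return order
    return None


def encoding_serial(d):
    """Slide 20: each share leaks in its own sample, L_i = y_i (noise omitted)."""
    return lambda y: [tuple(sh) for sh in boolean_sharings(y, d)]


def encoding_parallel(d):
    """Slide 21: all shares leak in one sample, L = y_1 + ... + y_d (sum over the reals)."""
    return lambda y: [(sum(sh),) for sh in boolean_sharings(y, d)]


SECRETS_AB = [(0, 0), (0, 1), (1, 0), (1, 1)]


def parallel_mult_traces(ab):
    """3-share parallel multiplication with 1-bit shares (assumed schedule, see lead-in).
    Samples: sum of a-shares, sum of b-shares, then the register sums after each step."""
    a, b = ab
    out = []
    for A in boolean_sharings(a, 3):
        for B in boolean_sharings(b, 3):
            for R in product((0, 1), repeat=3):
                c = [A[i] & B[i] for i in range(3)]                       # c_i = a_i b_i
                steps = [c[:]]
                c = [c[i] ^ R[i] for i in range(3)]                       # c_i ^= r_i
                steps.append(c[:])
                c = [c[i] ^ (A[i] & B[(i + 1) % 3]) for i in range(3)]    # c_i ^= a_i b_{i+1}
                steps.append(c[:])
                c = [c[i] ^ (A[(i + 1) % 3] & B[i]) for i in range(3)]    # c_i ^= a_{i+1} b_i
                steps.append(c[:])
                c = [c[i] ^ R[(i + 1) % 3] for i in range(3)]             # c_i ^= r_{i+1}
                steps.append(c[:])
                assert c[0] ^ c[1] ^ c[2] == (a & b)                      # every r cancels
                out.append((sum(A), sum(B)) + tuple(sum(st) for st in steps))
    return out


if __name__ == "__main__":
    print("serial 2-share  :", first_leaking_order(encoding_serial(2), [0, 1], 3))
    print("parallel 2-share:", first_leaking_order(encoding_parallel(2), [0, 1], 3))
    print("parallel 3-share:", first_leaking_order(encoding_parallel(3), [0, 1], 3))
    print("3-share mult    :", first_leaking_order(parallel_mult_traces, SECRETS_AB, 3))
```

Both 2-share encodings report their first secret-dependent moment at order 2, the 3-share encoding at order 3, and the 3-share multiplication finds nothing up to order 2 and a dependence only at order 3 (in the third moment of the input shares' sum), i.e. security at order $o = d - 1$ as the theorem predicts. The same function can be fed measured traces once the exact averages are replaced by estimates, which is the physical-independence test of slides 27–28.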
