consolidating security notions in hardware masking
play

Consolidating Security Notions in Hardware Masking CHES 2019 - PowerPoint PPT Presentation

Jan 28, 2024 •535 likes •885 views

Consolidating Security Notions in Hardware Masking CHES 2019 Lauren De Meyer, Begl Bilgin, Oscar Reparaz P ROBLEM : SIDE - CHANNEL ANALYSIS S OLUTION : M ASKING P ROBING MODEL [ISW03] Adversary can probe up to intermediate values

  1. Consolidating Security Notions in Hardware Masking CHES 2019 Lauren De Meyer, Begül Bilgin, Oscar Reparaz

  2. P ROBLEM : SIDE - CHANNEL ANALYSIS

  3. S OLUTION : M ASKING

  4. P ROBING MODEL [ISW03] • Adversary can probe up to 𝑒 intermediate values • ”Ideal circuit”: probes are exact and instantaneous and independent • Basis for many proofs in SCA Source: [BDF+17] [ISW03] Yuval Ishai, Amit Sahai, David A. Wagner: Private Circuits: Securing Hardware against Probing Attacks. CRYPTO 2003: 463-481 4 [BDF+17] Gilles Barthe, François Dupressoir, Sebastian Faust, Benjamin Grégoire, François-Xavier Standaert, Pierre-Yves Strub: Parallel Implementations of Masking Schemes and the Bounded Moment Leakage Model. EUROCRYPT (1) 2017: 535-566

  5. M ASKING • Goal: no correlation between any 𝑒 wires and the secret • Split sensitive intermediates into 𝑒 + 1 shares • 𝑦 = 𝑦 & ∎𝑦 ( ∎𝑦 ) ⇒ 𝑧 = 𝐺 𝑦 = 𝑧 & ∎𝑧 ( ∎𝑧 ) 5

  6. E XTRA P ROBLEM IN HW: G LITCHES ! 6

  7. G LITCH - EXTENDED PROBING MODEL [RBN+15] • 𝑒 probes • Assume a glitch on combinational logic 𝐷 . can reveal any of it inputs • à Includes worst-case glitch Glitch- extended probe 7 [RBN+15] Oscar Reparaz, Begül Bilgin, Svetla Nikova, Benedikt Gierlichs, Ingrid Verbauwhede: Consolidating Masking Schemes. CRYPTO (1) 2015: 764-783

  8. 𝐽( ; ) = 0

  9. 𝐽( ; ) = 0 • Simple • Versatile o Probing/NI/SNI o Different models (with/without glitches, …) o Any type of masking (Boolean, multiplicative, arithmetic, …) o Non-uniformity possible o Information-theoretic vs practical security o Leakage functions (identity, Hamming, …) 9

  10. T HE STORY

  11. CHES ’18: M ULTIPLICATIVE M ASKING Boolean to Multiplicative Local Multiplicative Inversion to Boolean 𝜀 𝑦 Not Boolean masking Randomness recycling 11 [DRB18] Lauren De Meyer, Oscar Reparaz, Begül Bilgin: Multiplicative Masking for AES in Hardware. IACR Trans. Cryptogr. Hardw. Embed. Syst.2018(3): 431-468 (2018)

  12. H OW T O V ERIFY ? 🤰 12

  13. T OOL FROM [R EP 16] 0x31 0x9A 0xF5 0x3F 0xB5 0x8A • Simulated traces of intermediates • Random inputs • à TVLA (t-test) to detect flaws • Higher orders: combine probes (e.g. centered product) • Only for software (no glitches L ) 13 [Rep16] Oscar Reparaz: Detecting Flawed Masking Schemes with Leakage Detection Tests. FSE 2016: 204-222

  14. I DEA : G LITCH - EXTENDED PROBES 0x31 0x9A 0xF5 0x319A 0x31F5 0x3FB5 • Replace regular probes with glitch-extended probes • à TVLA to detect flaws • Higher orders: ? 14

  15. I DEA : G LITCH - EXTENDED P ROBES • Higher orders: concatenate extended probes à 𝜓 ) test to detect flaws • 0x9A31F5 0x31F53FB5 0x319A3FB5 15

  16. E SSENTIALLY : 𝐽( ℛ ; 𝑦 ) = 0 16 [BBF+18] Gilles Barthe, Sonia Belaïd, Pierre-Alain Fouque, Benjamin Grégoire: maskVerif: a formal tool for analyzing software and hardware masked implementations.IACR Cryptology ePrint Archive 2018: 562 (2018)

  17. P ROBING S ECURITY WITH / WITHOUT G LITCHES

  18. G LITCH - EXTENDED PROBING SECURITY [GM10] Given 𝑒 wires 𝒭 = 𝑟 ( , … , 𝑟 ; 𝐽( 𝒭 ; 𝑦 ) = 0 18 [GM10] Berndt M. Gammel, Stefan Mangard: On the Duality of Probing and Fault Attacks. J. Electronic Testing 26(4): 483-493 (2010)

  19. G LITCH - EXTENDED PROBING SECURITY Given 𝑒 wires 𝒭 = 𝑟 ( , … , 𝑟 ; with glitch-extended probes ℛ = ℛ ( , … , ℛ ; 𝐽( ℛ ; 𝑦 ) = 0 19

  20. T HRESHOLD I MPLEMENTATIONS

  21. T HRESHOLD I MPLEMENTATIONS [NRS11] • Non-Completeness 𝑦 & 𝑔 𝑧 & & 𝑦 ( 𝑔 𝑧 ( ( 𝑦 ) 𝑔 𝑧 ) ) • Uniformity ∀ 𝑦 & , 𝑦 ( , 𝑦 ) s.t. 𝑦 & ⊕ 𝑦 ( ⊕ 𝑦 ) = 𝑦: Pr 𝑦 & , 𝑦 ( , 𝑦 ) 𝑦 = 𝑞 21 [NRS11] Svetla Nikova, Vincent Rijmen, Martin Schläffer: Secure Hardware Implementation of Nonlinear Functions in the Presence of Glitches. J. Cryptology 24(2): 292-321 (2011)

  22. T HRESHOLD I MPLEMENTATIONS [NRS11] • Non-Completeness 𝑦 & 𝑔 𝑧 & & 𝑦 ( 𝑔 𝑧 ( 1-Glitch Extended ( Probing Security 𝑦 ) 𝑔 𝑧 ) ) 𝐽( ℛ ; 𝑦 ) = 0 • Uniformity ∀ 𝑦 & , 𝑦 ( , 𝑦 ) s.t. 𝑦 & ⊕ 𝑦 ( ⊕ 𝑦 ) = 𝑦: (Not sufficient for higher-order Pr 𝑦 & , 𝑦 ( , 𝑦 ) 𝑦 = 𝑞 probing security [RBN+15]) 22 [NRS11] Svetla Nikova, Vincent Rijmen, Martin Schläffer: Secure Hardware Implementation of Nonlinear Functions in the Presence of Glitches. J. Cryptology 24(2): 292-321 (2011) [RBN+15] Oscar Reparaz, Begül Bilgin, Svetla Nikova, Benedikt Gierlichs, Ingrid Verbauwhede: Consolidating Masking Schemes. CRYPTO (1) 2015: 764-783

  23. T HRESHOLD I MPLEMENTATIONS [NRS11] Non- 𝐽 ℛ; 𝑦 = 0 Uniformity Completeness Sufficient Necessary Efficient [ANR18] Verification Multi-variate Knowledge required 23 [NRS11] Svetla Nikova, Vincent Rijmen, Martin Schläffer: Secure Hardware Implementation of Nonlinear Functions in the Presence of Glitches. J. Cryptology 24(2): 292-321 (2011) [ANR18] Victor Arribas, Svetla Nikova, Vincent Rijmen: VerMI: Verification Tool for Masked Implementations. ICECS 2018: 381-384

  24. (S TRONG ) N ON -I NTERFERENCE

  25. (S TRONG ) N ON -I NTERFERENCE [BBD+16] • Notions introduced for composable security • More efficient verification (MaskVerif [BBF+18]) • Based on simulatability: ℐ 𝒯 𝒫 ℐ 𝒯 Gadget Simulator 𝒫 |𝒯| ≤ ℐ +| 𝒫 | (NI) |𝒯| ≤ ℐ (SNI) • Implies t-probing security [BBD+16] Gilles Barthe, Sonia Belaïd, François Dupressoir, Pierre-Alain Fouque, Benjamin Grégoire, Pierre-Yves Strub, Rébecca Zucchini: Strong Non-Interference and Type-Directed Higher-Order Masking. ACM Conference on Computer and Communications Security 2016: 116-129 25 [BBF+18] Gilles Barthe, Sonia Belaïd, Pierre-Alain Fouque, Benjamin Grégoire: maskVerif: a formal tool for analyzing software and hardware masked implementations.IACR Cryptology ePrint Archive 2018: 562 (2018)

  26. (S TRONG ) N ON -I NTERFERENCE [BBD+16] • Originally without glitches • Extended by robust probing model [FGD+18] • Unify with mutual information framework: ℐ 𝒯 𝒫 Gadget 26 [FGD+18] Sebastian Faust, Vincent Grosso, Santos Merino Del Pozo, Clara Paglialonga, François-Xavier Standaert: Composable Masking Schemes in the Presence of Physical Defaults & the Robust Probing Model. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(3): 89-120 (2018)

  27. (S TRONG ) N ON -I NTERFERENCE [BBD+16] • Originally without glitches • Extended by robust probing model [FGD+18] • Unify with mutual information framework: ℐ 𝒯 𝒫 𝐽 ℐ, 𝒫 ; 𝒚 ̅ 𝒯 𝒚 𝒯 ) = 0 Gadget 27 [FGD+18] Sebastian Faust, Vincent Grosso, Santos Merino Del Pozo, Clara Paglialonga, François-Xavier Standaert: Composable Masking Schemes in the Presence of Physical Defaults & the Robust Probing Model. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(3): 89-120 (2018)

  28. (S TRONG ) N ON -I NTERFERENCE [BBD+16] • Originally without glitches • Extended by robust probing model [FGD+18] • Unify with mutual information framework: ℐ 𝒯 𝒫 𝐽 ℐ, 𝒫 ; 𝒚 ̅ 𝒯 𝒚 𝒯 ) = 0 Gadget o Example: output probes & SNI: 𝒯 = 0 ⇒ 𝐽 𝒫; 𝒚 = 0 28 [FGD+18] Sebastian Faust, Vincent Grosso, Santos Merino Del Pozo, Clara Paglialonga, François-Xavier Standaert: Composable Masking Schemes in the Presence of Physical Defaults & the Robust Probing Model. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(3): 89-120 (2018)

  29. (S TRONG ) N ON -I NTERFERENCE [BBD+16] • Originally without glitches • Extended by robust probing model [FGD+18] • Unify with mutual information framework: ℐ 𝒯 𝒫 𝐽 ℐ, 𝒫 ; 𝒚 ̅ 𝒯 𝒚 𝒯 ) = 0 Gadget o Example: output probes & SNI: 𝒯 = 0 ⇒ 𝐽 𝒫; 𝒚 = 0 • Glitches? à replace probes with glitch-extended probes 29 [FGD+18] Sebastian Faust, Vincent Grosso, Santos Merino Del Pozo, Clara Paglialonga, François-Xavier Standaert: Composable Masking Schemes in the Presence of Physical Defaults & the Robust Probing Model. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(3): 89-120 (2018)

  30. E XTENDING THE MODELS

  31. B EYOND G LITCHES • Gap between theory and practice o Coupling [DEM18] o CPU leaks [PV17] o … (Source: [DeC18]) • Robust Probing Model [FGD+18] In the same framework: 𝐽 ; = 0 • o New probe definitions: X-extended probes o Same tools!! [DEM18] Thomas De Cnudde, Maik Ender, Amir Moradi: Hardware Masking, Revisited. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(2): 123-148 (2018) [DeC18] T. De Cnudde: Cryptography Secured Against Side-Channel Attacks. PhD thesis, KU Leuven, S. Nikova, and V. Rijmen (promotors): 168 pages (2018) [PV17] Kostas Papagiannopoulos, Nikita Veshchikov: Mind the Gap: Towards Secure 1st-Order Masking in Software. COSADE 2017: 282-297 31 [FGD+18] Sebastian Faust, Vincent Grosso, Santos Merino Del Pozo, Clara Paglialonga, François-Xavier Standaert: Composable Masking Schemes in the Presence of Physical Defaults & the Robust Probing Model. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(3): 89-120 (2018)

Recommend

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and Franois-Xavier Standaert UCL (Louvain-la-Neuve, Belgium) CHES 2017, Taipei, Taiwan Outline Background Masking Barthe et al. masking

614 views • 48 slides
Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Introduction RSM: Rotating Sboxes Masking Information Theoretic Evaluation of RSM Security Evaluation of RSM against CPA and 2O-CPA Conclusions and Perspectives Formal Analysis of the Entropy / Security Trade-off in First-Order Masking

539 views • 38 slides
Sec Secure ure Hardware Hardware and Hardware and Hardware- En Enabled abled Security

Sec Secure ure Hardware Hardware and Hardware and Hardware- En Enabled abled Security

SP SPACE ACE 201 2016 Sec Secure ure Hardware Hardware and Hardware and Hardware- En Enabled abled Security Security: : New Front New Frontiers iers Swarup Bhunia Professor Electrical & Computer Engineering SPACE | Dec 2016 1

607 views • 29 slides
Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso,

Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso,

Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso, Franois-Xavier Standaert Radbout University Nijmegen (The Netherlands), UCL (Belgium) EUROCRYPT 2018, Tel Aviv, Israel Motivation (side-channel security

775 views • 52 slides
Low Randomness Masking and Shulfifgn: An Evaluation Using Mutual Information Kostas

Low Randomness Masking and Shulfifgn: An Evaluation Using Mutual Information Kostas

Low Randomness Masking and Shulfifgn: An Evaluation Using Mutual Information Kostas Papagiannopoulos kostaspap88@gmail.com kpcrypto.net Radboud University Nijmegen Digital Security Department The Netherlands 1 Overview Masking,

785 views • 46 slides
and an Application to Masking in Hardware Gatan Cassiers, Franois-Xavier Standaert UCLouvain

and an Application to Masking in Hardware Gatan Cassiers, Franois-Xavier Standaert UCLouvain

From Trivial Composition to Full Verification and an Application to Masking in Hardware Gatan Cassiers, Franois-Xavier Standaert UCLouvain (Belgium) VeriSiCC Seminar, Paris, France, September 2019 Side-Channel Analysis Side-Channel

1.48k views • 74 slides
Endorse Brand - free Hardware Security Web + Hardware Security is much, much more than just:

Endorse Brand - free Hardware Security Web + Hardware Security is much, much more than just:

Why W3C needs to Remain Neutral and Endorse Brand - free Hardware Security Web + Hardware Security is much, much more than just: Image source: halfelf.org It is about decentralizing ID validation and key storage (my religion)

522 views • 16 slides
Multiplicative Masking for AES in Hardware CHES 2018 Lauren De Meyer, Oscar Reparaz, Begl

Multiplicative Masking for AES in Hardware CHES 2018 Lauren De Meyer, Oscar Reparaz, Begl

Multiplicative Masking for AES in Hardware CHES 2018 Lauren De Meyer, Oscar Reparaz, Begl Bilgin P ROBLEM : SIDE - CHANNEL ANALYSIS 2 S OLUTION : M ASKING 3 E XTRA P ROBLEM : G LITCHES ! 4 B OOLEAN M ASKING ! = # $ , # & , , # (

473 views • 43 slides
Masking TablesAn Underestimated Security Risk Michael Tunstall Carolyn Whitnall Elisabeth

Masking TablesAn Underestimated Security Risk Michael Tunstall Carolyn Whitnall Elisabeth

Masking TablesAn Underestimated Security Risk Michael Tunstall Carolyn Whitnall Elisabeth Oswald March, 2013 Michael Tunstall (University of Bristol) Masking Tables March, 2013 1 / 21 Introduction Differential Power Analysis exploits

249 views • 21 slides
HARDSPLOIT Framework for Hardware Security Audit a bridge between hardware & a so0ware

HARDSPLOIT Framework for Hardware Security Audit a bridge between hardware & a so0ware

HARDSPLOIT Framework for Hardware Security Audit a bridge between hardware & a so0ware pentester Who am I ? Julien Moinard - Electronic engineer @opale-security (French company) - Security consultant, Hardware & SoDware pentester -

803 views • 40 slides
New Notions of Security: Universal Composability without Trusted Setup Manoj Prabhakaran &

New Notions of Security: Universal Composability without Trusted Setup Manoj Prabhakaran &

New Notions of Security: Universal Composability without Trusted Setup Manoj Prabhakaran & Amit Sahai Princeton University To appear in STOC04 Defining Security Central Problem in Cryptography Understanding what we want and what we

1.13k views • 34 slides
Security Notions for Bidirectional Channels Giorgia Azzurra Marson Bertram Poettering FSE 2017

Security Notions for Bidirectional Channels Giorgia Azzurra Marson Bertram Poettering FSE 2017

Security Notions for Bidirectional Channels Giorgia Azzurra Marson Bertram Poettering FSE 2017 Tokyo, Japan 1 / 11 Outline Secure channels and how they are modeled Security notions for bidirectional channels Analysis of bidirectional

602 views • 39 slides
CrypTech October 2018 Barcelona Hardware Security Module From Wikipedia: A hardware security

CrypTech October 2018 Barcelona Hardware Security Module From Wikipedia: A hardware security

CrypTech October 2018 Barcelona Hardware Security Module From Wikipedia: A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides crypto processing. These

977 views • 34 slides
Systems Security: Countermeasures II Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Countermeasures II Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Countermeasures II Stjepan Picek s.picek@tudelft.nl Delft University of Technology, The Netherlands June 21, 2018 Outline 1 Masking Countermeasure 2 Control Flow Integrity 3 Intrusion Detection 2 / 22 Rotating S-box Masking

540 views • 22 slides
Advanced security notions for the SSH secure channel: theory and practice Kenny Paterson -

Advanced security notions for the SSH secure channel: theory and practice Kenny Paterson -

Advanced security notions for the SSH secure channel: theory and practice Kenny Paterson - @kennyog Based on joint work with Martin Albrecht, Jean Paul Degabriele and Torben Hansen Information Security Group Overview 1. Introducing SSH 2. SSH

817 views • 52 slides
Cryptech The Open Hardware Security Module Platform Joachim Strmbergson ::1 Assured AB

Cryptech The Open Hardware Security Module Platform Joachim Strmbergson ::1 Assured AB

Cryptech The Open Hardware Security Module Platform Joachim Strmbergson ::1 Assured AB https://github.com/secworks IT security Embedded systems ASIC, FPGA Biometrics Open Crypto Hardware CPU design Assembly hacking Hardware Security

896 views • 50 slides
Masking against Side-Channel Attacks: a Formal Security Proof Matthieu Rivain Joint work with

Masking against Side-Channel Attacks: a Formal Security Proof Matthieu Rivain Joint work with

Masking against Side-Channel Attacks: a Formal Security Proof Matthieu Rivain Joint work with Emmanuel Prouff EUROCRYPT 2013 May 27th Outline 1 Introduction and Previous Works 2 Our Contribution 3 Model of Leaking Computation 4

526 views • 36 slides
Objectives Security Notions of MACs NMACs and HMACs CBC-MACs Low Power Ajit Pal

Objectives Security Notions of MACs NMACs and HMACs CBC-MACs Low Power Ajit Pal

Message Authentication Codes (MACs) Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Security Notions of MACs NMACs and HMACs

158 views • 12 slides
Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on

Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on

Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on the spatial attribute type. Proposal part 2 Details of the masking attribute addition. Table 3-13 - S100_GF_SpatialAttributeType Role Name

558 views • 8 slides
Security Notions 1

Security Notions 1

Security Notions 1 Unbreakable Cryptosystems ??? Almost all of the practical cryptosystems are theoretically breakable given the time are theoretically breakable given

1.1k views • 37 slides
Hardware Security Group at Lab-STICC 8 faculties and 12 PhD students / postdocs / ATER /

Hardware Security Group at Lab-STICC 8 faculties and 12 PhD students / postdocs / ATER /

Hardware Security Group at Lab-STICC 8 faculties and 12 PhD students / postdocs / ATER / engineers Hardware security for embedded systems: memory and communication protection Arithmetic Tradeoffs on Performance/Cost/Security secure

310 views • 14 slides
for hardware or embedded security Erik Poll Digital Security Radboud University Nijmegen 1

for hardware or embedded security Erik Poll Digital Security Radboud University Nijmegen 1

Attacker Models for hardware or embedded security Erik Poll Digital Security Radboud University Nijmegen 1 Security-sensitive hardware: examples 2 Naive attacker model Attacks on communication channels exploiting lousy crypto or insecure

904 views • 45 slides
Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan)

Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan)

Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan) 2017-09-29 1 quick intro to masking masking = countermeasure against DPA idea: secret sharing b = b 1 + b 2 individual shares tell you nothing

752 views • 45 slides
White-Box Security Notions for Symmetric Encryption Schemes ee 1 ede Lepoint 1 , 2 C ecile

White-Box Security Notions for Symmetric Encryption Schemes ee 1 ede Lepoint 1 , 2 C ecile

White-Box Security Notions for Symmetric Encryption Schemes ee 1 ede Lepoint 1 , 2 C ecile Delerabl Tancr` Pascal Paillier 1 Matthieu Rivain 1 CryptoExperts 1 , erieure 2 Ecole Normale Sup SAC 2013 Outline 1 What is white-box

406 views • 38 slides

More recommend