Formal Verification of Masked Implementations
Sonia Belaïd, Benjamin Grégoire
CHES 2018 - Tutorial, September 9th 2018
Outline
1. Side-Channel Attacks and Masking
2. Formal Tools for Verification at Fixed Order
3. Formal Tools for Verification of Generic Implementations

1 Side-Channel Attacks and Masking
Cryptanalysis
➜ Black-box cryptanalysis: the adversary only sees inputs and outputs, A ← (m, c)
➜ Side-channel analysis: the adversary additionally observes a physical leakage L of the device running ENC/DEC, A ← (m, c, L)
[Figure: Alice encrypts m under k into c = 011100110101010110001010 and Bob decrypts it with k; the side-channel adversary observes the leakage L of both ENC and DEC.]
Example of SPA
Algorithm 1 Example
  for i = 1 to n do
    if key[i] = 0 then
      do treatment 0
    else
      do treatment 1
    end if
  end for
Because the branch taken at step i depends on key[i], the two treatments leave distinguishable patterns on the trace.
SPA: one single trace to recover the secret key
Example of DPA
DPA: several traces, combined statistically, to recover the secret key
How to thwart SCA?
Issue: the leakage L is key-dependent.
Idea of masking: make the leakage L random. For a sensitive value $v = f(m, k)$:
  $v_1 \leftarrow \$,\ \ldots,\ v_t \leftarrow \$$ (fresh uniform randoms)
  $v_0 \leftarrow v \oplus \bigoplus_{1 \le i \le t} v_i$
➜ any t-tuple of the $v_i$ is independent of $v$
Masked Implementations
➜ Linear functions: apply the function to each share
  $v \oplus w \to (v_0 \oplus w_0,\ v_1 \oplus w_1,\ \ldots,\ v_t \oplus w_t)$
➜ Non-linear functions: much more complex (ISW multiplication of the sharings of $v$ and $w$, shares indexed $0..t$)
  $\forall\, 0 \le i < j \le t,\quad r_{i,j} \leftarrow \$$
  $\forall\, 0 \le i < j \le t,\quad r_{j,i} \leftarrow (r_{i,j} \oplus v_i w_j) \oplus v_j w_i$
  $\forall\, 0 \le i \le t,\quad c_i \leftarrow v_i w_i \oplus \bigoplus_{j \ne i} r_{i,j}$
  $vw \to (c_0, c_1, \ldots, c_t)$
  The bracketing of $r_{j,i}$ is deliberate: $v_i w_j \oplus v_j w_i$ must not be formed as an intermediate value.
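The sharing of v and the two gadgets above, written out as an added example in Python on single bits (this is not code from the tutorial or from maskVerif; the function names share, unshare, masked_xor and isw_and are this example's own, and the slide's + / ⊕ is written ^, its product &):

```python
"""Boolean masking over GF(2): sharing, share-wise XOR and the ISW AND gadget
with t+1 shares indexed 0..t, as on the slide.  Added example, not the
tutorial's own code; values are single bits for clarity."""
import secrets
from functools import reduce
from itertools import product
from operator import xor


def _fresh():
    return secrets.randbits(1)   # one uniformly random bit ('$' on the slides)


def share(v, t, randbit=_fresh):
    """Split bit v into t+1 shares: v_1..v_t random, v_0 = v ^ v_1 ^ ... ^ v_t."""
    tail = [randbit() for _ in range(t)]
    return [v ^ reduce(xor, tail, 0)] + tail


def unshare(shares):
    return reduce(xor, shares, 0)


def masked_xor(vs, ws):
    """Linear function: apply it to each share."""
    return [a ^ b for a, b in zip(vs, ws)]


def isw_and(vs, ws, randbit=_fresh):
    """ISW multiplication.  For i < j: r[i][j] <- $ and
    r[j][i] <- (r[i][j] ^ v_i w_j) ^ v_j w_i; then c_i <- v_i w_i ^ XOR_{j != i} r[i][j].
    The bracketing of r[j][i] is deliberate: evaluating v_i w_j ^ v_j w_i first
    would create an intermediate value that depends on both secrets."""
    n = len(vs)
    r = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            r[i][j] = randbit()
            r[j][i] = (r[i][j] ^ (vs[i] & ws[j])) ^ (vs[j] & ws[i])
    return [(vs[i] & ws[i]) ^ reduce(xor, (r[i][j] for j in range(n) if j != i), 0)
            for i in range(n)]


def gadgets_correct(t, trials=200, randbit=_fresh):
    """Functional check for order t: unmasking the outputs gives v, v ^ w and v & w
    for every input pair, over `trials` fresh sharings."""
    for v, w in product((0, 1), repeat=2):
        for _ in range(trials):
            vs, ws = share(v, t, randbit), share(w, t, randbit)
            if unshare(vs) != v or len(vs) != t + 1:
                return False
            if unshare(masked_xor(vs, ws)) != v ^ w:
                return False
            if unshare(isw_and(vs, ws, randbit)) != (v & w):
                return False
    return True


if __name__ == "__main__":
    for t in range(1, 5):
        print(f"t = {t}: {'ok' if gadgets_correct(t) else 'FAIL'}")
```

Correctness of isw_and follows from the slide's definition: XORing all c_i gives the sum of the v_i w_i plus, for each pair i < j, r_{i,j} ⊕ r_{j,i} = v_i w_j ⊕ v_j w_i, so the total is (⊕ v_i)(⊕ w_j) = vw. The randbit parameter only exists so the gadgets can be driven deterministically when testing.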
Leakage Models
➜ Probing model by Ishai, Sahai, and Wagner (Crypto 2003)
  ◮ a circuit is t-probing secure iff any set composed of the exact values of at most t intermediate variables is independent of the secret
➜ Noisy leakage model by Chari, Jutla, Rao, and Rohatgi (Crypto 1999), then Rivain and Prouff (EC 2013)
  ◮ a circuit is secure in the noisy leakage model iff the adversary cannot recover information on the secret from the noisy values of all the intermediate variables
➜ Reduction by Duc, Dziembowski, and Faust (EC 2014)
  ◮ t-probing security ⇒ security in the noisy leakage model for some level of noise
How to Verify Probing Security?
➜ variables: secret, shares, constant
➜ masking order t = 3

  function Ex-t3(x0, x1, x2, x3, c):
    (* x0, x1, x2 = $ *)
    (* x3 = x + x0 + x1 + x2 *)
    r0 ← $
    r1 ← $
    y0 ← x0 + r0
    y1 ← x3 + r1
    t1 ← x1 + r0
    t2 ← (x1 + r0) + x2
    y2 ← (x1 + r0 + x2) + r1
    y3 ← c + r1
    return (y0, y1, y2, y3)

Question: is every set of at most 3 intermediate values independent of the secret x?
Non-Interference (NI)
➜ t-NI ⇒ t-probing secure
➜ a circuit is t-NI iff any set of t intermediate variables can be perfectly simulated with at most t shares of each input
On Ex-t3 (listing above): for instance, the observations y0 = x0 + r0 and t1 = x1 + r0 can be simulated with the shares x0 and x1 only (sample r0, then compute both).
[Figure: the sharing (x0, x1, x2, x3 = x + x0 + x1 + x2) enters Ex-t3, which outputs (y0, y1, y2, y3); the adversary makes 3 observations on intermediate values.]
2 Formal Tools for Verification at Fixed Order
State-of-the-Art
➜ several tools were built to formally verify the security of first-order implementations (t = 1)
➜ then a sequence of works tackled higher-order implementations (t ≤ 5):
  ◮ maskVerif from Barthe et al.: first tool to achieve verification at high orders
  ◮ CheckMasks from Coron: improvements in terms of efficiency
  ◮ Bloem et al.'s tool: treatment of glitch attacks
maskVerif
➜ input:
  ◮ pseudo-code of a masked implementation
  ◮ order t
➜ output:
  ◮ formal proof of t-probing security (or NI, SNI)
  ◮ potential flaws
Gilles Barthe, Sonia Belaïd, François Dupressoir, Pierre-Alain Fouque, Benjamin Grégoire and Pierre-Yves Strub. Verified Proofs of Higher-Order Masking. EUROCRYPT 2015, Proceedings, Part I, 457–485.
Checking probabilistic independence
Problem: check whether a program expression e is probabilistically independent of a secret s.
Example: e = (s ⊕ r1) · (r1 ⊕ r2)
First solution:
➜ for each value of s, compute the associated distribution of e
➜ if all the resulting distributions are equal then e is independent of s

  r1 r2 | e (s = 0) | e (s = 1)
   0  0 |     0     |     0
   0  1 |     0     |     1
   1  0 |     1     |     0
   1  1 |     0     |     0

For both values of s, e = 1 with probability 1/4, so e is independent of s.
+ Complete
− Exponential in the number of secret and random values
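The first solution made executable, as an added example (Python; not maskVerif's code). It enumerates every random assignment for every secret value, tabulates the distribution of a probed tuple and compares. A circuit is a straight-line list of wires over GF(2), with ^ for the slides' + / ⊕ and & for the product. Run on Ex-t3 at t = 3 it returns the probe sets whose joint distribution depends on x; the ISW t = 1 circuit with the cross term formed first is this example's own construction, not something on the slide, included to show why the bracketing matters:

```python
"""Exhaustive probabilistic-independence check (the tutorial's 'first solution').
Added example, not maskVerif.  Circuits are lists of (wire, fn(env)) in program
order over GF(2): '^' is the slides' '+' / XOR, '&' is the product."""
from collections import Counter
from itertools import combinations, product


def run(circuit, env):
    env = dict(env)
    for wire, fn in circuit:
        env[wire] = fn(env)
    return env


def tuple_distribution(circuit, fixed, randoms, probes):
    """Distribution of the probed tuple over all assignments of the randoms,
    with secret and public inputs fixed by `fixed`."""
    counts = Counter()
    for bits in product((0, 1), repeat=len(randoms)):
        env = run(circuit, {**fixed, **dict(zip(randoms, bits))})
        counts[tuple(env[p] for p in probes)] += 1
    return counts


def independent_of_secrets(circuit, secrets, randoms, probes, publics=()):
    """True iff, for each value of the public inputs, the probed tuple has the
    same distribution for every value of the secrets."""
    for pub in product((0, 1), repeat=len(publics)):
        dists = []
        for sec in product((0, 1), repeat=len(secrets)):
            fixed = {**dict(zip(publics, pub)), **dict(zip(secrets, sec))}
            dists.append(tuple_distribution(circuit, fixed, randoms, probes))
        if any(d != dists[0] for d in dists[1:]):
            return False
    return True


def probing_flaws(circuit, secrets, randoms, probeable, t, publics=()):
    """Minimal sets of at most t probes whose joint distribution depends on the
    secrets; an empty list means the circuit is t-probing secure."""
    flaws = []
    for k in range(1, t + 1):
        for probes in combinations(probeable, k):
            if any(set(f) <= set(probes) for f in flaws):
                continue                      # superset of a known flaw
            if not independent_of_secrets(circuit, secrets, randoms, probes, publics):
                flaws.append(probes)
    return flaws


# Ex-t3 from the slide: x is the secret, x0, x1, x2 and r0, r1 are fresh randoms,
# x3 = x + x0 + x1 + x2, c is a public constant.  Every wire can be probed.
EX_T3 = [
    ("x3", lambda v: v["x"] ^ v["x0"] ^ v["x1"] ^ v["x2"]),
    ("y0", lambda v: v["x0"] ^ v["r0"]),
    ("y1", lambda v: v["x3"] ^ v["r1"]),
    ("t1", lambda v: v["x1"] ^ v["r0"]),
    ("t2", lambda v: v["t1"] ^ v["x2"]),
    ("y2", lambda v: v["t2"] ^ v["r1"]),
    ("y3", lambda v: v["c"] ^ v["r1"]),
]
EX_T3_RANDOMS = ["x0", "x1", "x2", "r0", "r1"]


def check_ex_t3(t=3):
    probeable = EX_T3_RANDOMS + [w for w, _ in EX_T3]
    return probing_flaws(EX_T3, ["x"], EX_T3_RANDOMS, probeable, t, publics=["c"])


def isw1_circuit(slide_order=True):
    """ISW AND at t = 1 (shares v0, v1 and w0, w1).  With slide_order the cross
    term is accumulated as on the slide, (r01 ^ v0 w1) ^ v1 w0; otherwise
    v0 w1 ^ v1 w0 is formed first (hypothetical variant for illustration)."""
    cross = ([("u", lambda v: v["r01"] ^ v["p01"]), ("r10", lambda v: v["u"] ^ v["p10"])]
             if slide_order else
             [("s", lambda v: v["p01"] ^ v["p10"]), ("r10", lambda v: v["r01"] ^ v["s"])])
    return [("v0", lambda v: v["v"] ^ v["v1"]), ("w0", lambda v: v["w"] ^ v["w1"]),
            ("p01", lambda v: v["v0"] & v["w1"]), ("p10", lambda v: v["v1"] & v["w0"]),
            *cross,
            ("q0", lambda v: v["v0"] & v["w0"]), ("c0", lambda v: v["q0"] ^ v["r01"]),
            ("q1", lambda v: v["v1"] & v["w1"]), ("c1", lambda v: v["q1"] ^ v["r10"])]


def check_isw1(slide_order=True):
    circ = isw1_circuit(slide_order)
    randoms = ["v1", "w1", "r01"]
    return probing_flaws(circ, ["v", "w"], randoms, randoms + [w for w, _ in circ], t=1)


if __name__ == "__main__":
    print("Ex-t3, t = 3:", check_ex_t3(3))
    print("ISW t = 1, slide order:", check_isw1(True), "| cross term first:", check_isw1(False))
```

On Ex-t3 the search returns the sets {x3, y0, t2} and {y0, y1, y2}: in each case the three values XOR to x (the r's cancel), so three probes suffice and the function is not 3-probing secure as written. The cost is exactly the slide's caveat: every probe set needs 2^(secrets + randoms) evaluations, and the number of probe sets grows as the number of wires choose t.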
Checking probabilistic independence
Second solution, using simple rules:
➜ Rule 1: if e does not use s then e is independent of s
➜ Rule 2: if e can be written as C[f ⊕ r] where the random r occurs neither in C nor in f, then it is sufficient to test the independence of C[r]: the distribution of f ⊕ r is equal to the distribution of r, because r is uniform and independent of f
➜ Rule 3: if Rules 1 and 2 do not apply, then use the first solution (when possible)
On the example, Rule 2 applied to r2 and then to r1 rewrites e = (s ⊕ r1) · (r1 ⊕ r2) into (s ⊕ r1) · r2 and then into r1 · r2, and Rule 1 concludes.
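Rules 1 and 2 as a small symbolic checker, added here as an example (Python; this is not maskVerif's algorithm, whose rule set is richer). Expressions are nested tuples over GF(2), a probe set is a tuple of expressions that is checked jointly, and Rule 3 is reported as None, meaning "undecided, fall back to enumeration":

```python
"""Rule-based independence check (the tutorial's 'second solution').
Added example, not maskVerif.  An expression is a variable name, ('xor', a, b)
or ('and', a, b); a probe set is a tuple of expressions checked jointly."""
from collections import Counter


def X(a, b):
    return ("xor", a, b)


def A(a, b):
    return ("and", a, b)


def variables(e, acc=None):
    """Multiset of variable occurrences in e."""
    acc = Counter() if acc is None else acc
    if isinstance(e, str):
        acc[e] += 1
    else:
        for sub in e[1:]:
            variables(sub, acc)
    return acc


def eliminate(e, r):
    """Rule 2 at the xor node holding r: C[f ^ r] -> C[r].  Callers guarantee r
    occurs exactly once in the whole probe set, so r is in neither C nor f."""
    if isinstance(e, str):
        return e
    if e[0] == "xor" and r in e[1:]:
        return r
    return (e[0],) + tuple(eliminate(sub, r) for sub in e[1:])


def simplify(exprs, randoms):
    """Apply Rule 2 while some random occurs exactly once across the probe set
    and sits directly under an xor.  Each step shrinks the expressions."""
    exprs = tuple(exprs)
    changed = True
    while changed:
        changed = False
        occ = Counter()
        for e in exprs:
            variables(e, occ)
        for r in randoms:
            if occ[r] == 1:
                new = tuple(eliminate(e, r) for e in exprs)
                if new != exprs:
                    exprs, changed = new, True
                    break
    return exprs


def independent(exprs, secrets, randoms):
    """True if Rules 1-2 prove the joint distribution of exprs independent of the
    secrets; None if they do not apply (Rule 3: fall back to enumeration)."""
    exprs = simplify(exprs, randoms)
    occ = Counter()
    for e in exprs:
        variables(e, occ)
    if not any(occ[s] for s in secrets):
        return True                           # Rule 1
    return None                               # Rule 3


# The slide's example e = (s ^ r1) . (r1 ^ r2)
E = A(X("s", "r1"), X("r1", "r2"))


def check_slide_e():
    return independent((E,), secrets=["s"], randoms=["r1", "r2"])


# Ex-t3 wires from the earlier slide, inlined: x3 = x + x0 + x1 + x2 with x0, x1, x2 random.
X3 = X(X(X("x", "x0"), "x1"), "x2")
Y0, Y1 = X("x0", "r0"), X(X3, "r1")
Y2 = X(X(X("x1", "r0"), "x2"), "r1")
EX_T3_RANDOMS = ["x0", "x1", "x2", "r0", "r1"]


def check_ex_t3_single():
    return independent((Y1,), ["x"], EX_T3_RANDOMS)


def check_ex_t3_triple():
    return independent((Y0, Y1, Y2), ["x"], EX_T3_RANDOMS)


if __name__ == "__main__":
    print("e:", check_slide_e(), "| y1:", check_ex_t3_single(), "| (y0,y1,y2):", check_ex_t3_triple())
```

The single wire y1 reduces to r1 and is proven independent by Rule 1 without any enumeration. For the triple (y0, y1, y2) every random occurs twice, so Rule 2 never fires and the checker answers None: that is exactly the case Rule 3 hands to the exhaustive method, and it is also the case where the exhaustive method finds that the three values XOR to x.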