formal verification of masked implementations

Formal Verification of Masked Implementations - Sonia Belaïd - PowerPoint PPT Presentation



1. Formal Verification of Masked Implementations. Sonia Belaïd, Benjamin Grégoire. CHES 2018 - Tutorial, September 9th 2018.

2. Outline
  1. Side-Channel Attacks and Masking
  2. Formal Tools for Verification at Fixed Order
  3. Formal Tools for Verification of Generic Implementations


4-6. Cryptanalysis
- Black-box cryptanalysis: A ← (m, c)
- Side-channel analysis: A ← (m, c, L)
[Figure: Alice and Bob share the key k; ENC turns m into c = 011100110101010110001010 and DEC turns c back into m; both ENC and DEC emit leakage L.]


11. Example of SPA
  Algorithm 1 Example
    for i = 1 to n do
      if key[i] = 0 then do treatment 0
      else do treatment 1
      end if
    end for
SPA: one single trace to recover the secret key

12. Example of DPA
DPA: several traces to recover the secret key

13-14. How to thwart SCA?
Issue: leakage L is key-dependent (m is processed under k to give c, and the computation leaks L).
Idea of masking: make leakage L random.
Sensitive value: v = f(m, k), represented by shares v_0, v_1, ..., v_t:
  v_1 ← $, ..., v_t ← $
  v_0 ← v ⊕ v_1 ⊕ ... ⊕ v_t   (i.e. v_0 ← v ⊕ ⊕_{1 ≤ i ≤ t} v_i)
➜ any t-uple of the v_i is independent from v

15-16. Masked Implementations
- Linear functions: apply the function to each share
    v ⊕ w → (v_0 ⊕ w_0, v_1 ⊕ w_1, ..., v_t ⊕ w_t)
- Non-linear functions: much more complex
    ∀ 0 ≤ i < j ≤ t−1, r_{i,j} ← $
    ∀ 0 ≤ i < j ≤ t−1, r_{j,i} ← (r_{i,j} ⊕ v_i w_j) ⊕ v_j w_i
    ∀ 0 ≤ i ≤ d−1,     c_i ← v_i w_i ⊕ ⊕_{j ≠ i} r_{i,j}
    vw → (c_0, c_1, ..., c_t)
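As an added example (not code from the tutorial), the share-wise XOR and the ISW multiplication gadget of this slide over single bits, written with d = t+1 shares indexed 0..t so that all loop bounds agree; the bracketing of r_{j,i} is kept exactly as on the slide. The names share, unshare, masked_xor, masked_and and check_gadgets are chosen here.

```python
import random
from typing import List
Shares = List[int]  # one bit per share; order t uses d = t+1 shares, indexed 0..t

def unshare(shares: Shares) -> int:
    """Recombine all shares; done only by the test harness, never inside masked code."""
    acc = 0
    for x in shares:
        acc ^= x
    return acc

def share(v: int, t: int, rng: random.Random) -> Shares:
    """Split bit v: v_1..v_t drawn uniformly, v_0 = v xor v_1 xor ... xor v_t."""
    rand = [rng.getrandbits(1) for _ in range(t)]
    return [v ^ unshare(rand)] + rand

def masked_xor(vs: Shares, ws: Shares) -> Shares:
    """Linear function: apply it share-wise, no fresh randomness needed."""
    return [a ^ b for a, b in zip(vs, ws)]

def masked_and(vs: Shares, ws: Shares, rng: random.Random) -> Shares:
    """Non-linear function: the ISW multiplication gadget of the slide, d = t+1 shares."""
    d = len(vs)
    r = [[0] * d for _ in range(d)]
    for i in range(d):
        for j in range(i + 1, d):
            r[i][j] = rng.getrandbits(1)  # r_{i,j} <- $
            # r_{j,i} <- (r_{i,j} xor v_i w_j) xor v_j w_i; the slide's bracketing is
            # essential: forming v_i w_j xor v_j w_i as an intermediate would leak.
            r[j][i] = (r[i][j] ^ (vs[i] & ws[j])) ^ (vs[j] & ws[i])
    c = []
    for i in range(d):
        ci = vs[i] & ws[i]  # c_i <- v_i w_i xor (xor over j != i of r_{i,j})
        for j in range(d):
            if j != i:
                ci ^= r[i][j]
        c.append(ci)
    return c

def check_gadgets(t: int, trials: int = 200, seed: int = 1) -> bool:
    """Functional check: unmasking the gadget outputs gives v xor w and v . w."""
    rng = random.Random(seed)
    for _ in range(trials):
        v, w = rng.getrandbits(1), rng.getrandbits(1)
        vs, ws = share(v, t, rng), share(w, t, rng)
        if unshare(masked_xor(vs, ws)) != v ^ w:
            return False
        if unshare(masked_and(vs, ws, rng)) != v & w:
            return False
    return True
```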

17-19. Leakage Models
- Probing model by Ishai, Sahai, and Wagner (Crypto 2003)
  - a circuit is t-probing secure iff any set composed of the exact values of at most t intermediate variables is independent from the secret
- Noisy leakage model by Chari, Jutla, Rao, and Rohatgi (Crypto 1999), then Rivain and Prouff (EC 2013)
  - a circuit is secure in the noisy leakage model iff the adversary cannot recover information on the secret from the noisy values of all the intermediate variables
- Reduction by Duc, Dziembowski, and Faust (EC 2014)
  - t-probing security ⇒ security in the noisy leakage model for some level of noise

20-21. How to Verify Probing Security?
- variables: secret, shares, constant
- masking order t = 3

  function Ex-t3(x0, x1, x2, x3, c):
    (* x0, x1, x2 = $ *)
    (* x3 = x + x0 + x1 + x2 *)
    r0 ← $
    r1 ← $
    y0 ← x0 + r0        (annotation next to y0, y1: independent from the secret?)
    y1 ← x3 + r1
    t1 ← x1 + r0
    t2 ← (x1 + r0) + x2
    y2 ← (x1 + r0 + x2) + r1
    y3 ← c + r1
    return (y0, y1, y2, y3)


23. Non-Interference (NI)
- t-NI ⇒ t-probing secure
- a circuit is t-NI iff any set of t intermediate variables can be perfectly simulated with at most t shares of each input
[Same listing of function Ex-t3 as on slide 20; annotation next to y0 and y1: can be simulated with x0 and x1]

24. Non-Interference (NI)
- t-NI ⇒ t-probing secure
- a circuit is t-NI iff any set of t intermediate variables can be perfectly simulated with at most t shares of each input
[Figure: inputs x0, x1, x2, x3 (= x + x0 + x1 + x2) enter Ex-t3, which outputs y0, y1, y2, y3; the adversary makes 3 observations.]

25. Outline
  1. Side-Channel Attacks and Masking
  2. Formal Tools for Verification at Fixed Order
  3. Formal Tools for Verification of Generic Implementations

26. State-Of-The-Art
- several tools were built to formally verify security of first-order implementations (t = 1)
- then a sequence of work tackled higher-order implementations (t ≤ 5)
  - maskVerif from Barthe et al.: first tool to achieve verification at high orders
  - CheckMasks from Coron: improvements in terms of efficiency
  - Bloem et al.'s tool: treatment of glitch attacks


28. maskVerif
- input:
  - pseudo-code of a masked implementation
  - order t
- output:
  - formal proof of t-probing security (or NI, SNI)
  - potential flaws
Gilles Barthe, Sonia Belaïd, François Dupressoir, Pierre-Alain Fouque, Benjamin Grégoire and Pierre-Yves Strub. Verified Proofs of Higher-Order Masking, EUROCRYPT 2015, Proceedings, Part I, 457-485.

29-30. Checking probabilistic independence
Problem: check whether a program expression e is probabilistically independent from a secret s
Example: e = (s ⊕ r_1) · (r_1 ⊕ r_2)
First solution:
- for each value of s, compute the associated distribution of e
- if all the resulting distributions are equal, then e is independent of s

  s = 0:               s = 1:
  r_1  r_2  e          r_1  r_2  e
   0    0   0           0    0   0
   0    1   0           0    1   1
   1    0   1           1    0   0
   1    1   0           1    1   0

- Complete
- Exponential in the number of secret and random values

31-33. Checking probabilistic independence
Second solution, using simple rules:
- Rule 1: if e does not use s, then it is independent
- Rule 2: if e can be written as C[f ⊕ r], where r occurs neither in C nor in f, then it is sufficient to test the independence of C[r]
  (the distribution of f ⊕ r is equal to the distribution of r)
- Rule 3: if Rules 1 and 2 do not apply, then use the first solution (when possible)
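As an added example, not part of the tutorial's material, a small checker that implements the three rules above over a tuple-encoded bit expression and falls back to the exhaustive distribution comparison of slides 29-30, so it serves both passages; the slide's e = (s ⊕ r1)·(r1 ⊕ r2) is encoded as E_SLIDE. The function names and the tuple encoding are assumptions made here.

```python
import itertools
from typing import Dict, Optional, Tuple
# Bit expressions as nested tuples: ('v', name) | ('xor', a, b) | ('and', a, b).
def vars_of(e: Tuple) -> list:
    return [e[1]] if e[0] == 'v' else vars_of(e[1]) + vars_of(e[2])

def evalx(e: Tuple, env: Dict[str, int]) -> int:
    if e[0] == 'v':
        return env[e[1]]
    a, b = evalx(e[1], env), evalx(e[2], env)
    return a ^ b if e[0] == 'xor' else a & b

def distribution(e: Tuple, s: str, sval: int, randoms: list) -> Dict[int, int]:
    """First solution: tabulate e over all values of the randoms for a fixed value of s."""
    counts: Dict[int, int] = {}
    for rs in itertools.product((0, 1), repeat=len(randoms)):
        out = evalx(e, dict(zip(randoms, rs), **{s: sval}))
        counts[out] = counts.get(out, 0) + 1
    return counts

def independent_by_enumeration(e: Tuple, s: str, randoms: list) -> bool:
    """Complete, but exponential in the number of randoms: compare both conditional distributions."""
    return distribution(e, s, 0, randoms) == distribution(e, s, 1, randoms)

def apply_rule2(e: Tuple, randoms: list) -> Optional[Tuple]:
    """Rule 2: rewrite one subterm f xor r, r a random occurring nowhere else in e, into r."""
    occurrences = vars_of(e)
    def go(x: Tuple) -> Optional[Tuple]:
        if x[0] == 'xor':
            for r in (x[1], x[2]):
                if r[0] == 'v' and r[1] in randoms and occurrences.count(r[1]) == 1:
                    return r  # f xor r is distributed exactly like r, so f can be dropped
        for k in (1, 2) if x[0] != 'v' else ():
            y = go(x[k])
            if y is not None:
                return x[:k] + (y,) + x[k + 1:]
        return None
    return go(e)

def independent(e: Tuple, s: str, randoms: list) -> Tuple[bool, str]:
    """Apply Rules 1 and 2 while they apply, then Rule 3: fall back to enumeration."""
    while True:
        if s not in vars_of(e):
            return True, "rule1"
        simplified = apply_rule2(e, randoms)
        if simplified is None:
            return independent_by_enumeration(e, s, randoms), "enumeration"
        e = simplified
# Constructed instance of the slide's example: e = (s xor r1) . (r1 xor r2)
E_SLIDE = ('and', ('xor', ('v', 's'), ('v', 'r1')), ('xor', ('v', 'r1'), ('v', 'r2')))
```

On E_SLIDE Rule 2 fires twice (first on r2, then on r1) and Rule 1 concludes without any enumeration; an expression such as s ⊕ (r1·r2) has no single-use random under an xor, so it goes to Rule 3.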
