formal verification of masked implementations
play

Formal Verification of Masked Implementations Sonia Bela d - PowerPoint PPT Presentation

Apr 09, 2023 •263 likes •1.24k views

Formal Verification of Masked Implementations Sonia Bela d Benjamin Gr egoire CHES 2018 - Tutorial September 9th 2018 1 / 47 1 Side-Channel Attacks and Masking 2 Formal Tools for Verification at Fixed Order 3 Formal Tools

  1. Formal Verification of Masked Implementations Sonia Bela¨ ıd Benjamin Gr´ egoire CHES 2018 - Tutorial September 9th 2018 1 / 47

  2. 1 � Side-Channel Attacks and Masking 2 � Formal Tools for Verification at Fixed Order 3 � Formal Tools for Verification of Generic Implementations 2 / 47

  3. 1 � Side-Channel Attacks and Masking 2 � Formal Tools for Verification at Fixed Order 3 � Formal Tools for Verification of Generic Implementations 3 / 47

  4. Cryptanalysis ➜ Black-box cryptanalysis ➜ Side-channel analysis c = 011100110101010110001010 Alice Bob k k m c c m ENC DEC 4 / 47

  5. Cryptanalysis ➜ Black-box cryptanalysis: A ← ( m, c ) ➜ Side-Channel Analysis c = 011100110101010110001010 Alice Bob k k m c c m ENC DEC 4 / 47

  6. Cryptanalysis ➜ Black-box cryptanalysis ➜ Side-Channel Analysis: A ← ( m, c, L ) c = 011100110101010110001010 Alice Bob k k m c c m ENC ENC DEC DEC L 4 / 47

  7. Cryptanalysis ➜ Black-box cryptanalysis ➜ Side-Channel Analysis: A ← ( m, c, L ) c = 011100110101010110001010 Alice Bob k k m c c m ENC ENC DEC DEC L 4 / 47

  8. Cryptanalysis ➜ Black-box cryptanalysis ➜ Side-Channel Analysis: A ← ( m, c, L ) c = 011100110101010110001010 Alice Bob k k m c c m ENC ENC DEC DEC L 4 / 47

  9. Cryptanalysis ➜ Black-box cryptanalysis ➜ Side-Channel Analysis: A ← ( m, c, L ) c = 011100110101010110001010 Alice Bob k k m c c m ENC ENC DEC DEC L 4 / 47

  10. Cryptanalysis ➜ Black-box cryptanalysis ➜ Side-Channel Analysis: A ← ( m, c, L ) c = 011100110101010110001010 Alice Bob k k m c c m ENC ENC DEC DEC L 4 / 47

  11. Example of SPA Algorithm 1 Example for i = 1 to n do if key [ i ] = 0 then do treatment 0 else do treatment 1 end if end for SPA: one single trace to recover the secret key 5 / 47

  12. Example of DPA DPA: several traces to recover the secret key 6 / 47

  13. How to thwart SCA? k Issue: leakage L is key-dependent m c L 7 / 47

  14. How to thwart SCA? k Issue: leakage L is key-dependent m c L Idea of masking: make leakage L random sensitive value: v = f ( m, k ) � � � ... v 0 ← v ⊕ v i v 1 ← $ v t ← $ 1 � i � t ➜ any t -uple of v i is independent from v 7 / 47

  15. Masked Implementations � Linear functions: apply the function to each share v ⊕ w → ( v 0 ⊕ w 0 , v 1 ⊕ w 1 , . . . , v t ⊕ w t ) 8 / 47

  16. Masked Implementations � Linear functions: apply the function to each share v ⊕ w → ( v 0 ⊕ w 0 , v 1 ⊕ w 1 , . . . , v t ⊕ w t ) � Non-linear functions: much more complex ∀ 0 ≤ i < j ≤ t − 1 , r i,j ← $ ∀ 0 ≤ i < j ≤ t − 1 , r j,i ← ( r i,j ⊕ v i w j ) ⊕ v j w i � ∀ 0 ≤ i ≤ d − 1 , c i ← v i w i ⊕ r i,j j � = i vw ( c 0 , c 1 , . . . , c t ) → 8 / 47

  17. Leakage Models � Probing model by Ishai, Sahai, and Wagner (Crypto 2003) ◮ a circuit is t -probing secure iff any set composed of the exact values of at most t intermediate variables is independent from the secret 9 / 47

  18. Leakage Models � Probing model by Ishai, Sahai, and Wagner (Crypto 2003) ◮ a circuit is t -probing secure iff any set composed of the exact values of at most t intermediate variables is independent from the secret � Noisy leakage model by Chari, Jutla, Rao, and Rohatgi (Crypto 1999) then Rivain and Prouff (EC 2013) ◮ a circuit is secure in the noisy leakage model iff the adversary cannot recover information on the secret from the noisy values of all the intermediate variables 9 / 47

  19. Leakage Models � Probing model by Ishai, Sahai, and Wagner (Crypto 2003) ◮ a circuit is t -probing secure iff any set composed of the exact values of at most t intermediate variables is independent from the secret � Noisy leakage model by Chari, Jutla, Rao, and Rohatgi (Crypto 1999) then Rivain and Prouff (EC 2013) ◮ a circuit is secure in the noisy leakage model iff the adversary cannot recover information on the secret from the noisy values of all the intermediate variables � Reduction by Duc, Dziembowski, and Faust (EC 2014) ◮ t -probing security ⇒ security in the noisy leakage model for some level of noise 9 / 47

  20. How to Verify Probing Security? � variables: secret, shares, constant � masking order t = 3 function Ex-t3 ( x 0 , x 1 , x 2 , x 3 , c ): (* x 0 , x 1 , x 2 = $ *) (* x 3 = x + x 0 + x 1 + x 2 *) r 0 ← $ r 1 ← $ y 0 ← x 0 + r 0 y 1 ← x 3 + r 1 t 1 ← x 1 + r 0 t 2 ← ( x 1 + r 0 ) + x 2 y 2 ← ( x 1 + r 0 + x 2 ) + r 1 y 3 ← c + r 1 return ( y 0 , y 1 , y 2 , y 3 ) 10 / 47

  21. How to Verify Probing Security? � variables: secret, shares, constant � masking order t = 3 function Ex-t3 ( x 0 , x 1 , x 2 , x 3 , c ): (* x 0 , x 1 , x 2 = $ *) (* x 3 = x + x 0 + x 1 + x 2 *) r 0 ← $ r 1 ← $ independent from y 0 ← x 0 + r 0 the secret? y 1 ← x 3 + r 1 t 1 ← x 1 + r 0 t 2 ← ( x 1 + r 0 ) + x 2 y 2 ← ( x 1 + r 0 + x 2 ) + r 1 y 3 ← c + r 1 return ( y 0 , y 1 , y 2 , y 3 ) 10 / 47

  22. How to Verify Probing Security? � variables: secret, shares, constant � masking order t = 3 function Ex-t3 ( x 0 , x 1 , x 2 , x 3 , c ): (* x 0 , x 1 , x 2 = $ *) (* x 3 = x + x 0 + x 1 + x 2 *) r 0 ← $ r 1 ← $ independent from y 0 ← x 0 + r 0 the secret? y 1 ← x 3 + r 1 t 1 ← x 1 + r 0 t 2 ← ( x 1 + r 0 ) + x 2 y 2 ← ( x 1 + r 0 + x 2 ) + r 1 y 3 ← c + r 1 return ( y 0 , y 1 , y 2 , y 3 ) 10 / 47

  23. Non-Interference (NI) � t -NI ⇒ t -probing secure � a circuit is t -NI iff any set of t intermediate variables can be perfectly simulated with at most t shares of each input function Ex-t3 ( x 0 , x 1 , x 2 , x 3 , c ): (* x 0 , x 1 , x 2 = $ *) (* x 3 = x + x 0 + x 1 + x 2 *) r 0 ← $ r 1 ← $ can be simulated y 0 ← x 0 + r 0 with x 0 and x 1 y 1 ← x 3 + r 1 t 1 ← x 1 + r 0 t 2 ← ( x 1 + r 0 ) + x 2 y 2 ← ( x 1 + r 0 + x 2 ) + r 1 y 3 ← c + r 1 return ( y 0 , y 1 , y 2 , y 3 ) 11 / 47

  24. Non-Interference (NI) � t -NI ⇒ t -probing secure � a circuit is t -NI iff any set of t intermediate variables can be perfectly simulated with at most t shares of each input x 0 x 1 x 2 x 3 (= x + x 0 + x 1 + x 2 ) Ex-t3 3 observations y 0 y 1 y 2 y 3 12 / 47

  25. 1 � Side-Channel Attacks and Masking 2 � Formal Tools for Verification at Fixed Order 3 � Formal Tools for Verification of Generic Implementations 13 / 47

  26. State-Of-The-Art � several tools were built to formally verify security of first-order implementations t = 1 � then a sequence of work tackled higher-order implementations t ≤ 5 ◮ maskVerif from Barthe et al.: first tool to achieve verification at high orders ◮ CheckMasks from Coron: improvements in terms of efficiency ◮ Bloem et al.’s tool: treatment of glitches attacks 14 / 47

  27. State-Of-The-Art � several tools were built to formally verify security of first-order implementations t = 1 � then a sequence of work tackled higher-order implementations t ≤ 5 ◮ maskVerif from Barthe et al.: first tool to achieve verification at high orders ◮ CheckMasks from Coron: improvements in terms of efficiency ◮ Bloem et al.’s tool: treatment of glitches attacks 14 / 47

  28. maskVerif � input: ◮ pseudo-code of a masked implementation ◮ order t � output: ◮ formal proof of t -probing security (or NI, SNI) ◮ potential flaws Gilles Barthe and Sonia Bela¨ ıd and Fran¸ cois Dupressoir and Pierre-Alain Fouque and Benjamin Gr´ egoire and Pierre-Yves Strub Verified Proofs of Higher-Order Masking , EUROCRYPT 2015, Proceedings, Part I, 457–485. 15 / 47

  29. Checking probabilistic independence Problem: Check if a program expression e is probabilistic independent from a secret s Example: e = ( s ⊕ r 1 ) · ( r 1 ⊕ r 2 ) First solution: � for each value of s computes the associate distribution of e � if all the resulting distribution are equals then e is independent of s   r 1 r 2 e r 1 r 2 e         0 0 0 0 0 0   s = 0 0 1 0 s = 1 0 1 1      1 0 1  1 0 0     1 1 0 1 1 0 16 / 47

  30. Checking probabilistic independence Problem: Check if a program expression e is probabilistic independent from a secret s Example: e = ( s ⊕ r 1 ) · ( r 1 ⊕ r 2 ) First solution: � for each value of s computes the associate distribution of e � if all the resulting distribution are equals then e is independent of s � Complete � Exponential in the number of secret and random values 16 / 47

  31. Checking probabilistic independence Second solution, using simple rules: � Rule 1: If e does not use s then it is independent 17 / 47

  32. Checking probabilistic independence Second solution, using simple rules: � Rule 1: If e does not use s then it is independent � Rule 2: If e can be written as C [ f ⊕ r ] and r does not occur in C and f then it is sufficient to test the independence of C [ r ] The distribution of f ⊕ r is equal to the distribution of r 17 / 47

  33. Checking probabilistic independence Second solution, using simple rules: � Rule 1: If e does not use s then it is independent � Rule 2: If e can be written as C [ f ⊕ r ] and r does not occur in C and f then it is sufficient to test the independence of C [ r ] � Rule 3: If Rules 1 and 2 do not apply then use the first solution (when possible) 17 / 47

Recommend

VerMI &amp; VerFI Verification Tools for Masked Implementations Svetla Nikova, Victor Arribas

VerMI &amp; VerFI Verification Tools for Masked Implementations Svetla Nikova, Victor Arribas

VerMI &amp; VerFI Verification Tools for Masked Implementations Svetla Nikova, Victor Arribas COSIC, KULeuven Joint work with Vincent Rijmen (KU Leuven), Felix Wegener, Amir Moradi (RU Bochum) 1 Verification Tools Why do we need

782 views • 50 slides
Reducing a Masked Implementations Effective Security Order with Setup Manipulations And an

Reducing a Masked Implementations Effective Security Order with Setup Manipulations And an

Crypto. group SWORD Reducing a Masked Implementations Effective Security Order with Setup Manipulations And an Explanation Based on Externally-Amplified Couplings Itamar Levi, Davide Bellizia and Franois-Xavier Standaert Aug. 2018 Moti

298 views • 27 slides
End-to-end formal ISA verification of RISC-V processors with riscv-formal Clifford Wolf About

End-to-end formal ISA verification of RISC-V processors with riscv-formal Clifford Wolf About

End-to-end formal ISA verification of RISC-V processors with riscv-formal Clifford Wolf About RISC-V RISC-V is an Open Instruction Set Architecture (ISA) Can be freely used for any purpose Many implementations are available from

677 views • 22 slides
LS-Designs Bitslice Encryption for Efficient Masked Software Implementations Instances Security

LS-Designs Bitslice Encryption for Efficient Masked Software Implementations Instances Security

1 / 20 Conclusion FSE 2014 LS-Designs G. Leurent (UCL,Inria) Motivation LS-Designs Bitslice Encryption for Efficient Masked Software Implementations Instances Security Analysis LS-Designs . . . . . . . . . . . . . . . . . . Vincent

638 views • 27 slides
Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply mathematical arguments to prove the correctness of systems Systems have bugs Formal verification aims to find and correct such bugs Why? Computer systems

1.42k views • 122 slides
Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for Analyzing Computing Systems Shilpi Goel shilpi@centtech.com Formal Verification Engineer Centaur Technology, Inc. Software and Reliability Can we rely

1.14k views • 78 slides
Formal verification of an implementation of CRT-RSA Vigilants algorithm Maria CHRISTOFI Joint

Formal verification of an implementation of CRT-RSA Vigilants algorithm Maria CHRISTOFI Joint

Formal verification of an implementation of CRT-RSA Vigilants algorithm Maria CHRISTOFI Joint work with Boutheina CHETALI, Louis GOUBIN and David VIGILANT PROOFS 2012, September 13 th 2012 Introduction Implementations of cryptosystems can

612 views • 29 slides
Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim for automation (bit level) Find niches where formal methods work well Use assertions/ properties first in sim. and then in FV (the acronym is ABV,

1.14k views • 65 slides
Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal

Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal

Formal Verification in Industry 1 Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal verification Machine-checked proof Automatic and interactive approaches HOL Light Floating point

366 views • 25 slides
MPRI 2-30: Automated Verification of Cryptographic Protocol Implementations K Bhargavan

MPRI 2-30: Automated Verification of Cryptographic Protocol Implementations K Bhargavan

MPRI 2-30: Automated Verification of Cryptographic Protocol Implementations K Bhargavan (Slides from A.D. Gordon and C. Fournet) Spring, 2014 Outline of Lectures Lecture 1 (Jan 22, Today) Intro to Verified Protocol Implementations

1.32k views • 112 slides
Verification of Protocol Implementations by Typechecking Cdric Fournet Microsoft Research w

Verification of Protocol Implementations by Typechecking Cdric Fournet Microsoft Research w

Formal/Computational Verification of Protocol Implementations by Typechecking Cdric Fournet Microsoft Research w ith Karthik Bhargavan, Andy Gordon, http://research.microsoft.com/~fournet http://msr-inria.inria.fr/projects/sec

1.28k views • 101 slides
Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal

Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal

Formal Verification of Floating-Point Arithmetic 1 Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal verification Machine-checked proof Automatic and interactive approaches HOL Light

539 views • 19 slides
Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of

Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of

Formal Verification of Mathematical Algorithms 1 Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of bugs Formal verification Levels of verification HOL Light Formalizing mathematics

353 views • 19 slides
Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA

Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA

Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA http://www.clifford.at/papers/2018/riscv-formal/ About assertion based formal verification (formal ABV) Assertion based verification (ABV) Uses

781 views • 39 slides
Formal Verification with Yosys-SMTBMC Clifford Wolf Yosys Flows Synthesis Formal

Formal Verification with Yosys-SMTBMC Clifford Wolf Yosys Flows Synthesis Formal

Formal Verification with Yosys-SMTBMC Clifford Wolf Yosys Flows Synthesis Formal Verification Yosys-STMBMC iCE40 FPGAs Bounded Model Checking (Project IceStorm) Using any SMT-LIB2 solver (using QF_AUFBV logic) Xilinx

707 views • 56 slides
Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim

Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim

Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim Kobeissi PROSECCO: Pro gramming Sec urely with C rypt o graphy. Team at INRIA Paris specializing in applied cryptography and formal verification.

357 views • 14 slides
Towards an Ecosystem for Verifying Implementations of BFT protocols Ivana Vukotic, Vincent Rahli,

Towards an Ecosystem for Verifying Implementations of BFT protocols Ivana Vukotic, Vincent Rahli,

Towards an Ecosystem for Verifying Implementations of BFT protocols Ivana Vukotic, Vincent Rahli, Marcus Vlp and Paulo Esteves-Verssimo PhD start: April 2017 Areas: BFT &amp; Formal verification Univ. of Luxembourg SnT Luxembourg

314 views • 10 slides
Formal Specification and Verification Formal specification (2) 29.11.2016 Viorica

Formal Specification and Verification Formal specification (2) 29.11.2016 Viorica

Formal Specification and Verification Formal specification (2) 29.11.2016 Viorica Sofronie-Stokkermans e-mail: sofronie@uni-koblenz.de 1 Until now Logic Formal specification (generalities) Algebraic specification 2 Formal

627 views • 19 slides
Formal Specification and Verification Formal specification (2) 6.12.2016 Viorica

Formal Specification and Verification Formal specification (2) 6.12.2016 Viorica

Formal Specification and Verification Formal specification (2) 6.12.2016 Viorica Sofronie-Stokkermans e-mail: sofronie@uni-koblenz.de 1 Until now Logic Formal specification (generalities) Algebraic specification Transition systems 2

798 views • 62 slides
Verification of Implementations of Distributed Systems under Churn Ryan Doenges , James R. Wilcox,

Verification of Implementations of Distributed Systems under Churn Ryan Doenges , James R. Wilcox,

Verification of Implementations of Distributed Systems under Churn Ryan Doenges , James R. Wilcox, Doug Woos, Zachary Tatlock, and Karl Palmskog We should verify implementations of distributed systems... ...and we have! Framework Prover

1.41k views • 86 slides
Formal Verification and Testing for Formal Verification and Testing for Reactive Systems

Formal Verification and Testing for Formal Verification and Testing for Reactive Systems

ARTIST2 - ARTIST2 - MOTIVES MOTIVES Trento - - Italy, February 19 Italy, February 19- -23, 2007 23, 2007 Trento Session: Testing and Runtime Verification Formal Verification and Testing for Formal Verification and Testing for Reactive

881 views • 31 slides
Machine Learning in Formal Verification Manish Pandey, PhD Chief Architect, New Technologies

Machine Learning in Formal Verification Manish Pandey, PhD Chief Architect, New Technologies

Machine Learning in Formal Verification Manish Pandey, PhD Chief Architect, New Technologies Synopsys, Inc. June 18, 2017 1 Build Better Formal Verification Tools? CAR BICYCLE DOG S oftware that learns from experience and enables

767 views • 40 slides
Formal Verification with SymbiYosys and Yosys-SMTBMC Clifford Wolf Availability of various EDA

Formal Verification with SymbiYosys and Yosys-SMTBMC Clifford Wolf Availability of various EDA

Formal Verification with SymbiYosys and Yosys-SMTBMC Clifford Wolf Availability of various EDA tools for students, hobbyists, enthusiasts FPGA Synthesis Formal Verification Free to use: Free to use: Xilinx Vivado WebPack,

819 views • 49 slides
Formal Verification via MCMAS &amp; PRISM Hongyang Qu University of Sheffield 1 December 2015

Formal Verification via MCMAS &amp; PRISM Hongyang Qu University of Sheffield 1 December 2015

Formal Verification via MCMAS &amp; PRISM Hongyang Qu University of Sheffield 1 December 2015 Outline Motivation for Formal Verification Overview of MCMAS Overview of PRISM Formal verification It is a systematic way to check

461 views • 34 slides

More recommend