glitch resistant masking revisited or why proofs in the
play

Glitch-Resistant Masking Revisited or Why Proofs in the Robust - PowerPoint PPT Presentation

Apr 06, 2023 •223 likes •694 views

Glitch-Resistant Masking Revisited or Why Proofs in the Robust Probing Model are Needed Thorben Moos 1 , Amir Moradi 1 , Tobias Schneider 2 and Franois-Xavier Standaert 2 Horst Grtz Institute for IT Security, Ruhr-Universitt Bochum,

  1. Glitch-Resistant Masking Revisited or Why Proofs in the Robust Probing Model are Needed Thorben Moos 1 , Amir Moradi 1 , Tobias Schneider 2 and François-Xavier Standaert 2 ✶ Horst Görtz Institute for IT Security, Ruhr-Universität Bochum, Germany ✷ ICTEAM/ELEN/Crypto Group, Université catholique de Louvain, Belgium August 27th, 2019

  2. Section 1 Introduction Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 1

  3. Physical Attacks Introduction ❦ • Physical characteristics used to extract secrets: · · · ❦ ✶ ❦ ✷ Leakage ❦ ♥ • Timing ② ✶ ① ✶ • Power • EM ① ✷ ② ✷ • Countermeasures to increase ② ① ❋ attack complexity: · · · · · · • Masking • Hiding ② ♥ ① ♥ • Re-keying Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 2

  4. Concept of Masking Introduction ❦ • Encode sensitive variables into shares · · · ❦ ✶ ❦ ✷ ❦ ♥ • Compute securely on shares ② ✶ ① ✶ • Decode at end to recover result ① ✷ ② ✷ ② ① ❋ ′ · · · · · · ② ♥ ① ♥ Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 3

  5. Concept of Masking Introduction ❦ • Encode sensitive variables into shares · · · ❦ ✶ ❦ ✷ ❦ ♥ • Compute securely on shares ② ✶ ① ✶ • Decode at end to recover result ① ✷ ② ✷ ② Masking if implemented correctly ① ❋ ′ · · · · · · increases the attack complexity exponentially in the number of shares. (assuming sufficient noise) ② ♥ ① ♥ Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 3

  6. ❋ ✶ ② ① ❋ ✸ ❋ ✷ Security Notions Introduction • Masked algorithms can be proven secure • Common Solution: Probing model 1 Definition ( t -Probing Security) A circuit C is t -probing secure if and only if every t -tuple of its intermediate variables is independent of any sensitive variable. 1 Y. Ishai, A. Sahai and D. Wagner, Private Circuits: Securing Hardware against Probing Attacks , CRYPTO 2003 Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 4

  7. Security Notions Introduction • Masked algorithms can be proven secure • Common Solution: Probing model 1 Definition ( t -Probing Security) A circuit C is t -probing secure if and only if every t -tuple of its intermediate variables is independent of any sensitive variable. Example: ❋ ✶ • 3rd-order masking ② ① ❋ ✸ • Any possible combination of three ❋ ✷ probes should not reveal secret 1 Y. Ishai, A. Sahai and D. Wagner, Private Circuits: Securing Hardware against Probing Attacks , CRYPTO 2003 Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 4

  8. Security Notions Introduction • Masked algorithms can be proven secure • Common Solution: Probing model 1 Definition ( t -Probing Security) A circuit C is t -probing secure if and only if every t -tuple of its intermediate variables is independent of any sensitive variable. Example: ❋ ✶ • 3rd-order masking ② ① ❋ ✸ • Any possible combination of three ❋ ✷ probes should not reveal secret 1 Y. Ishai, A. Sahai and D. Wagner, Private Circuits: Securing Hardware against Probing Attacks , CRYPTO 2003 Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 4

  9. Security Notions Introduction • Masked algorithms can be proven secure • Common Solution: Probing model 1 Definition ( t -Probing Security) A circuit C is t -probing secure if and only if every t -tuple of its intermediate variables is independent of any sensitive variable. Example: ❋ ✶ • 3rd-order masking ② ① ❋ ✸ • Any possible combination of three ❋ ✷ probes should not reveal secret 1 Y. Ishai, A. Sahai and D. Wagner, Private Circuits: Securing Hardware against Probing Attacks , CRYPTO 2003 Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 4

  10. ❋ ✶ ❋ ✶ ❋ ✸ ❋ ✶ ❋ ✸ ❋ ✸ ❋ ✷ ❋ ✷ ❋ ✷ t t t t ✶ t ✷ t ✶ t ✷ t t ✶ t ✷ t ✶ Security Notions Introduction • Scales badly with number of probes and complexity of algorithm • Prove smaller sub-gadgets and compose securely 2 G. Barthe, S. Belaïd, F . Dupressoir, P .-A. Fouque, B. Gregoire, P .-Y. Strub and R. Zucchini, Strong Non-Interference and Type-Directed Higher-Order Masking , CCS 2016 Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 5

  11. ❋ ✶ ❋ ✸ ❋ ✶ ❋ ✸ ❋ ✷ ❋ ✷ t t t t ✶ t ✷ t ✶ t ✷ t t ✶ t ✷ t ✶ Security Notions Introduction • Scales badly with number of probes and complexity of algorithm • Prove smaller sub-gadgets and compose securely ❋ ✶ ❋ ✸ ❋ ✷ 2 G. Barthe, S. Belaïd, F . Dupressoir, P .-A. Fouque, B. Gregoire, P .-Y. Strub and R. Zucchini, Strong Non-Interference and Type-Directed Higher-Order Masking , CCS 2016 Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 5

  12. ❋ ✶ ❋ ✸ ❋ ✷ t t t t ✶ t ✷ t ✶ t ✷ t t ✶ t ✷ t ✶ Security Notions Introduction • Scales badly with number of probes and complexity of algorithm • Prove smaller sub-gadgets and compose securely ❋ ✶ ❋ ✶ ❋ ✸ ❋ ✸ ❋ ✷ ❋ ✷ 2 G. Barthe, S. Belaïd, F . Dupressoir, P .-A. Fouque, B. Gregoire, P .-Y. Strub and R. Zucchini, Strong Non-Interference and Type-Directed Higher-Order Masking , CCS 2016 Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 5

  13. t t t t ✶ t ✷ t ✶ t ✷ t t ✶ t ✷ t ✶ Security Notions Introduction • Scales badly with number of probes and complexity of algorithm • Prove smaller sub-gadgets and compose securely ❋ ✶ ❋ ✶ ❋ ✸ ❋ ✶ ❋ ✸ ❋ ✸ ❋ ✷ ❋ ✷ ❋ ✷ 2 G. Barthe, S. Belaïd, F . Dupressoir, P .-A. Fouque, B. Gregoire, P .-Y. Strub and R. Zucchini, Strong Non-Interference and Type-Directed Higher-Order Masking , CCS 2016 Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 5

  14. Security Notions Introduction • Scales badly with number of probes and complexity of algorithm • Prove smaller sub-gadgets and compose securely ❋ ✶ ❋ ✶ ❋ ✸ ❋ ✶ ❋ ✸ ❋ ✸ ❋ ✷ ❋ ✷ ❋ ✷ • Common Solution: (Strong) Non-Interference 2 Definition ( t − (Strong) Non-Interference) A circuit gadget G is t − (Strong) Non-Interfering ( t -(S)NI) if and only if for any set of t ✶ probes on its intermediate values and every set of t ✷ probes on its output shares with t ✶ + t ✷ � t , the totality of the probes can be simulated with t ✶ + t ✷ (only t ✶ ) shares of each input. 2 G. Barthe, S. Belaïd, F . Dupressoir, P .-A. Fouque, B. Gregoire, P .-Y. Strub and R. Zucchini, Strong Non-Interference and Type-Directed Higher-Order Masking , CCS 2016 Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 5

  15. ❋ ✶ ❋ ✷ Potential Flaws Introduction Local Flaw: Probing security of masked module is reduced. Example: 2nd-order masking ❋ ✶ Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 6

  16. Potential Flaws Introduction Local Flaw: Probing security of masked module is reduced. Example: 2nd-order masking ❋ ✶ Compositional Flaw: Probing security of composition of modules is reduced. Example: 2nd-order masking ❋ ✶ ❋ ✷ Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 6

  17. Robust Probing Introduction • Physical defaults (glitches, transitions, coupling) reduce masking order in practice • Numerous higher-order hardware-oriented masking schemes: • CMS: Consolidated Masking Schemes • DOM: Domain-Oriented Masking • UMA: Unified Masking Approach • GLM: Generic Low-Latency Masking Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 7

  18. Robust Probing Introduction • Physical defaults (glitches, transitions, coupling) reduce masking order in practice • Numerous higher-order hardware-oriented masking schemes: • CMS: Consolidated Masking Schemes • DOM: Domain-Oriented Masking • UMA: Unified Masking Approach • GLM: Generic Low-Latency Masking • Due to lack of model: Mostly focused on glitch-resistant (local) probing security • Dedicated extension of probing model to hardware masking: Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 7

Recommend

Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan)

Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan)

Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan) 2017-09-29 1 quick intro to masking masking = countermeasure against DPA idea: secret sharing b = b 1 + b 2 individual shares tell you nothing

752 views • 45 slides
Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso,

Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso,

Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso, Franois-Xavier Standaert Radbout University Nijmegen (The Netherlands), UCL (Belgium) EUROCRYPT 2018, Tel Aviv, Israel Motivation (side-channel security

775 views • 52 slides
Amortized Complexity of Zero- Knowledge Proofs Revisited: Achieving Linear Soundness Slack

Amortized Complexity of Zero- Knowledge Proofs Revisited: Achieving Linear Soundness Slack

Amortized Complexity of Zero- Knowledge Proofs Revisited: Achieving Linear Soundness Slack Ronald Cramer (CWI) Ivan Damgrd (AU) Chaoping Xing (NTU) ChenYuan (NTU) Eprint 2016/681 Integer One-Way Function (iOWF) maps integers to finite

582 views • 32 slides
Proofs as Programs Revisited Ryota Akiyoshi Waseda Institute for Advanced Study Keio

Proofs as Programs Revisited Ryota Akiyoshi Waseda Institute for Advanced Study Keio

Proofs as Programs Revisited Ryota Akiyoshi Waseda Institute for Advanced Study Keio University July 27th., 2018 1 / 26 Aim of This Talk The aim is to revisit Schwichtenbergs works by focusing on parameter subsystems of

694 views • 47 slides
Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and Franois-Xavier Standaert UCL (Louvain-la-Neuve, Belgium) CHES 2017, Taipei, Taiwan Outline Background Masking Barthe et al. masking

614 views • 48 slides
Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on

Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on

Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on the spatial attribute type. Proposal part 2 Details of the masking attribute addition. Table 3-13 - S100_GF_SpatialAttributeType Role Name

558 views • 8 slides
Enhanced Target Collision Resistant Hash Functions Revisited Mohammad-Reza Reyhanitabar, Willy

Enhanced Target Collision Resistant Hash Functions Revisited Mohammad-Reza Reyhanitabar, Willy

Centre for Computer and Information Security Research Enhanced Target Collision Resistant Hash Functions Revisited Mohammad-Reza Reyhanitabar, Willy Susilo, and Yi Mu Centre for Computer and Information Security Research University of

230 views • 21 slides
Optimized or Balanced Mix Design Crack Resistant Rut Resistant Resistant to Moisture

Optimized or Balanced Mix Design Crack Resistant Rut Resistant Resistant to Moisture

Optimized or Balanced Mix Design Crack Resistant Rut Resistant Resistant to Moisture Damage 1 Balanced Mix Design: ETG Definition Asphalt mix design using performance tests on appropriately conditioned specimens that address

480 views • 46 slides
Glitch and veto studies in LIGOs S5 search for gravitational wave bursts Erik Katsavounidis

Glitch and veto studies in LIGOs S5 search for gravitational wave bursts Erik Katsavounidis

Glitch and veto studies in LIGOs S5 search for gravitational wave bursts Erik Katsavounidis MIT for the LIGO Scientific Collaboration 11 th GWDAW, Potsdam, Germany December 19, 2006 LIGO-G060638-00-Z 1 Glitch study requirements Low

481 views • 19 slides
Gravitational waves from the pulsar glitch recovery period Mark Bennett Anthony van Eysden

Gravitational waves from the pulsar glitch recovery period Mark Bennett Anthony van Eysden

Gravitational waves from the pulsar glitch recovery period Mark Bennett Anthony van Eysden Andrew Melatos University of Melbourne Overview Different types of signal from a pulsar glitch Calculate GW signal using simple model of a

404 views • 15 slides
Low Randomness Masking and Shulfifgn: An Evaluation Using Mutual Information Kostas

Low Randomness Masking and Shulfifgn: An Evaluation Using Mutual Information Kostas

Low Randomness Masking and Shulfifgn: An Evaluation Using Mutual Information Kostas Papagiannopoulos kostaspap88@gmail.com kpcrypto.net Radboud University Nijmegen Digital Security Department The Netherlands 1 Overview Masking,

785 views • 46 slides
On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun Goudarzi and Matthieu Rivain CHES 2016, Santa-Barbara Higher-Order Masking x = x 1 + x 2 + + x d 2/28 Higher-Order Masking x = x 1 + x 2 +

855 views • 42 slides
Proofs, Continued Today Proofs : A style guide Proofs should be easy to

Proofs, Continued Today Proofs : A style guide Proofs should be easy to

Euclid (300 BC) Proofs, Continued Today Proofs : A style guide Proofs should be easy to verify. All the cleverness goes into finding/writing the proof, not reading/verifying it! P vs. NP (informally) : P =

682 views • 21 slides
Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth workshop Introduction to the workshop PROOFS: Security Proofs for Embedded Systems UCSB August 20, 2016 5th edition of PROOFS PROOFS 2012:

311 views • 7 slides
Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Introduction RSM: Rotating Sboxes Masking Information Theoretic Evaluation of RSM Security Evaluation of RSM against CPA and 2O-CPA Conclusions and Perspectives Formal Analysis of the Entropy / Security Trade-off in First-Order Masking

539 views • 38 slides
Disclosures Masking and Breast Density Volpare Health Solutions (Wellington, New Zealand) Can we

Disclosures Masking and Breast Density Volpare Health Solutions (Wellington, New Zealand) Can we

6/8/2017 Disclosures Masking and Breast Density Volpare Health Solutions (Wellington, New Zealand) Can we Quantify Masking Risk? co-founder and shareholder Qview Medical (Los Altos, CA) Nico Karssemeijer consultant, co-founder and

883 views • 18 slides
Hom and Ext, Revisited Justin Lyle Lawrence, KS justin.lyle@ku.edu April 28, 2018 JL Hom and

Hom and Ext, Revisited Justin Lyle Lawrence, KS justin.lyle@ku.edu April 28, 2018 JL Hom and

Hom and Ext, Revisited Hom and Ext, Revisited Justin Lyle Lawrence, KS justin.lyle@ku.edu April 28, 2018 JL Hom and Ext, Revisited Hom and Ext, Revisited Joint work with Hailong Dao and Mohammad Eghbali JL Hom and Ext, Revisited Hom

871 views • 45 slides
Understanding the Masking-Shadowing Function INRIA ; CNRS ; Univ. Grenoble Alpes in

Understanding the Masking-Shadowing Function INRIA ; CNRS ; Univ. Grenoble Alpes in

Understanding the Masking-Shadowing Function in Understanding the Masking-Shadowing Function in Microfacet-Based BRDFs 2014-09-01 Microfacet-Based BRDFs Eric Heitz Understanding the Masking-Shadowing Function INRIA ; CNRS ; Univ. Grenoble

808 views • 77 slides
An introduction to using slip-resistant flooring from Altro discover altro.com/slip-resistant

An introduction to using slip-resistant flooring from Altro discover altro.com/slip-resistant

An introduction to using slip-resistant flooring from Altro discover altro.com/slip-resistant Typical applications Healthcare Education Back-of-house High traffic areas Manufacturing and industrial areas General

536 views • 43 slides
R&D on graphite based oxidation resistant materials and radiation resistant tungsten J

R&D on graphite based oxidation resistant materials and radiation resistant tungsten J

The High Power Targetry R&D Roadmap for High Energy Physics Workshop @Fermilab, USA 31st May, 2017 R&D on graphite based oxidation resistant materials and radiation resistant tungsten J PARC Center, High Energy Accelerator Research

625 views • 23 slides
Multi-drug Resistant Organisms (MDROs) in Healthcare Facilities Gail Bennett RN, MSN, CIC 1

Multi-drug Resistant Organisms (MDROs) in Healthcare Facilities Gail Bennett RN, MSN, CIC 1

Multi-drug Resistant Organisms (MDROs) in Healthcare Facilities Gail Bennett RN, MSN, CIC 1 What we will cover: General information Specific MDROs Methicillin Resistant Staph aureus (MRSA) Vancomycin Resistant Enterococci (VRE)

993 views • 57 slides
Interactive Proofs Lecture 18 AM 1 Interactive Proofs 2 Interactive Proofs IP[k] 2

Interactive Proofs Lecture 18 AM 1 Interactive Proofs 2 Interactive Proofs IP[k] 2

Interactive Proofs Lecture 18 AM 1 Interactive Proofs 2 Interactive Proofs IP[k] 2 Interactive Proofs IP[k] IP[poly] = PSPACE 2 Interactive Proofs IP[k] IP[poly] = PSPACE IP protocol for TQBF using arithmetization 2 Interactive

1.75k views • 136 slides
Masking TablesAn Underestimated Security Risk Michael Tunstall Carolyn Whitnall Elisabeth

Masking TablesAn Underestimated Security Risk Michael Tunstall Carolyn Whitnall Elisabeth

Masking TablesAn Underestimated Security Risk Michael Tunstall Carolyn Whitnall Elisabeth Oswald March, 2013 Michael Tunstall (University of Bristol) Masking Tables March, 2013 1 / 21 Introduction Differential Power Analysis exploits

249 views • 21 slides
Weight two Masking in the McEliece system Violetta Weger University of Zurich The 13th

Weight two Masking in the McEliece system Violetta Weger University of Zurich The 13th

Weight two Masking in the McEliece system Violetta Weger University of Zurich The 13th International Conference on Finite Fields and their Applications June 5, 2017 Violetta Weger Weight two Masking in the McEliece system Outline 1

1.31k views • 34 slides

More recommend