higher order side channel security and mask refreshing
play

Higher-Order Side Channel Security and Mask Refreshing J.-S. - PowerPoint PPT Presentation

May 04, 2023 •377 likes •1.14k views

Higher-Order Side Channel Security and Mask Refreshing J.-S. Coron,E. Prouff, M. Rivain and T. Roche thomas.roche@ssi.gouv.fr FSE 2013 March 2013 T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing Side Channel Analysis

  1. Higher-Order Side Channel Security and Mask Refreshing J.-S. Coron,E. Prouff, M. Rivain and T. Roche thomas.roche@ssi.gouv.fr FSE 2013 – March 2013 T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing

  2. Side Channel Analysis Side Channel Attacks (SCA) appear 15 years ago ◮ 1996 : Timing Attacks ◮ 1998 : Power Analysis ◮ 2000 : Electromagnetic Analysis Numerous attacks ◮ 1998 : (single-bit) DPA KocherJaffeJune1999 ◮ 1999 : (multi-bit) DPA Messerges99 ◮ 2000 : Higher-order SCA Messerges2000 ◮ 2002 : Template SCA ChariRaoRohatgi2002 ◮ 2004 : CPA BrierClavierOlivier2004 ◮ 2005 : Stochastic SCA SchindlerLemkePaar2006 ◮ 2008 : Mutual Information SCA GierlichsBatinaTuyls2008 ◮ etc. T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing

  3. Side Channel Analysis Side Channel Attacks (SCA) appear 15 years ago ◮ 1996 : Timing Attacks ◮ 1998 : Power Analysis ◮ 2000 : Electromagnetic Analysis Numerous attacks ◮ 1998 : (single-bit) DPA KocherJaffeJune1999 ◮ 1999 : (multi-bit) DPA Messerges99 ◮ 2000 : Higher-order SCA Messerges2000 ◮ 2002 : Template SCA ChariRaoRohatgi2002 ◮ 2004 : CPA BrierClavierOlivier2004 ◮ 2005 : Stochastic SCA SchindlerLemkePaar2006 ◮ 2008 : Mutual Information SCA GierlichsBatinaTuyls2008 ◮ etc. T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing

  4. SCA Countermeasures Masking [IBM Team at CRYPTO 1999] . ◮ Efficient against SCA in practice. ◮ Difficult to implement for non-linear transformations. Shuffling [Researchers from Graz University at ACNS 2006] . ◮ Less efficient against SCA in practice. ◮ Easy to implement for every transformation. Whitening [Kocher Jaffe June, CRYPTO 1999] . ◮ Less efficient than masking when used alone and costly in Hardware. ◮ Easy to implement for every transformation. T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing

  5. SCA Countermeasures Masking [IBM Team at CRYPTO 1999] . ◮ Efficient against SCA in practice. ◮ Difficult to implement for non-linear transformations. Shuffling [Researchers from Graz University at ACNS 2006] . ◮ Less efficient against SCA in practice. ◮ Easy to implement for every transformation. Whitening [Kocher Jaffe June, CRYPTO 1999] . ◮ Less efficient than masking when used alone and costly in Hardware. ◮ Easy to implement for every transformation. T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing

  6. SCA Countermeasures Masking [IBM Team at CRYPTO 1999] . ◮ Efficient against SCA in practice. ◮ Difficult to implement for non-linear transformations. Shuffling [Researchers from Graz University at ACNS 2006] . ◮ Less efficient against SCA in practice. ◮ Easy to implement for every transformation. Whitening [Kocher Jaffe June, CRYPTO 1999] . ◮ Less efficient than masking when used alone and costly in Hardware. ◮ Easy to implement for every transformation. T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing

  7. SCA Countermeasures Masking [IBM Team at CRYPTO 1999] . ◮ Efficient against SCA in practice. ◮ Difficult to implement for non-linear transformations. Shuffling [Researchers from Graz University at ACNS 2006] . ◮ Less efficient against SCA in practice. ◮ Easy to implement for every transformation. Whitening [Kocher Jaffe June, CRYPTO 1999] . ◮ Less efficient than masking when used alone and costly in Hardware. ◮ Easy to implement for every transformation. T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing

  8. Masking/Sharing Coutermeasures Idea : consists in securing the implementation using secret sharing techniques. First Ideas in GoubinPatarin99 and ChariJutlaRaoRohatgi99 . Soundness based on the following remark : [Chari-Jutla-Rao-Rohatgi CRYPTO’99] ◮ Bit x masked �→ x 0 , x 1 , . . . , x d ◮ Leakage : L i ∼ x i + N ( µ, σ 2 ) � � � � ◮ # of leakage samples to test ( L i ) i | x = 0 = ( L i ) i | x = 1 : q ≥ O (1) σ d Until now, security proofs are not unconditional and are ”limited” to so-called probing adversaries. T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing

  9. Masking/Sharing Coutermeasures Idea : consists in securing the implementation using secret sharing techniques. First Ideas in GoubinPatarin99 and ChariJutlaRaoRohatgi99 . Soundness based on the following remark : [Chari-Jutla-Rao-Rohatgi CRYPTO’99] ◮ Bit x masked �→ x 0 , x 1 , . . . , x d ◮ Leakage : L i ∼ x i + N ( µ, σ 2 ) � � � � ◮ # of leakage samples to test ( L i ) i | x = 0 = ( L i ) i | x = 1 : q ≥ O (1) σ d Until now, security proofs are not unconditional and are ”limited” to so-called probing adversaries. T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing

  10. Masking/Sharing Coutermeasures Idea : consists in securing the implementation using secret sharing techniques. First Ideas in GoubinPatarin99 and ChariJutlaRaoRohatgi99 . Soundness based on the following remark : [Chari-Jutla-Rao-Rohatgi CRYPTO’99] ◮ Bit x masked �→ x 0 , x 1 , . . . , x d ◮ Leakage : L i ∼ x i + N ( µ, σ 2 ) � � � � ◮ # of leakage samples to test ( L i ) i | x = 0 = ( L i ) i | x = 1 : q ≥ O (1) σ d Until now, security proofs are not unconditional and are ”limited” to so-called probing adversaries. T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing

  11. Masking/Sharing Coutermeasures Idea : consists in securing the implementation using secret sharing techniques. First Ideas in GoubinPatarin99 and ChariJutlaRaoRohatgi99 . Soundness based on the following remark : [Chari-Jutla-Rao-Rohatgi CRYPTO’99] ◮ Bit x masked �→ x 0 , x 1 , . . . , x d ◮ Leakage : L i ∼ x i + N ( µ, σ 2 ) � � � � ◮ # of leakage samples to test ( L i ) i | x = 0 = ( L i ) i | x = 1 : q ≥ O (1) σ d Until now, security proofs are not unconditional and are ”limited” to so-called probing adversaries. T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing

  12. Probing Adversary Notion introduced in IshaiSahaiWagner, CRYPTO 2003 A d th -order probing adversary is allowed to observe at most d intermediate results during the overall algorithm processing. ◮ Hardware interpretation : d is the maximum of wires observed in the circuit. ◮ Software interpretation : d is the maximum of different timings during the processing. d th -order probing adversary = d th -order SCA as introduced in Messerges99 . Countermeasures proved to be secure against a d th -order probing adv. : ◮ d = 1 : KocherJaffeJune99 , Bl¨ omerGuajardoKrummel04 , ProuffRivain07 . ◮ d = 2 : RivainDottaxProuff08 . ◮ d ≥ 1 : IshaiSahaiWagner03 , ProuffRoche11 , GenelleProuffQuisquater11 , CarletGoubinProuffQuisquaterRivain12 . T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing

  13. Probing Adversary Notion introduced in IshaiSahaiWagner, CRYPTO 2003 A d th -order probing adversary is allowed to observe at most d intermediate results during the overall algorithm processing. ◮ Hardware interpretation : d is the maximum of wires observed in the circuit. ◮ Software interpretation : d is the maximum of different timings during the processing. d th -order probing adversary = d th -order SCA as introduced in Messerges99 . Countermeasures proved to be secure against a d th -order probing adv. : ◮ d = 1 : KocherJaffeJune99 , Bl¨ omerGuajardoKrummel04 , ProuffRivain07 . ◮ d = 2 : RivainDottaxProuff08 . ◮ d ≥ 1 : IshaiSahaiWagner03 , ProuffRoche11 , GenelleProuffQuisquater11 , CarletGoubinProuffQuisquaterRivain12 . T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing

  14. Higher-Order Masking Schemes Achieving security in the probing adversary model Definition A dth-order masking scheme for an encryption algorithm c ← E ( m , k ) is an algorithm ( c 0 , c 1 , . . . , c d ) ← E ′ � � ( m 0 , m 1 , . . . , m d ) , ( k 0 , k 1 , . . . , k d ) Completeness : there exists R s.t. : R ( c 0 , · · · , c d ) = E ( m , k ) Security : ∀{ iv 1 , iv 2 , . . . , iv d } ⊆ { intermediate var. of E ′ } : � � � � Pr k | iv 1 , iv 2 , . . . , iv d = Pr k For SPN ( eg. DES, AES) the main issue is masking the S-box. T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing

  15. Higher-Order Masking Schemes Achieving security in the probing adversary model Definition A dth-order masking scheme for an encryption algorithm c ← E ( m , k ) is an algorithm ( c 0 , c 1 , . . . , c d ) ← E ′ � � ( m 0 , m 1 , . . . , m d ) , ( k 0 , k 1 , . . . , k d ) Completeness : there exists R s.t. : R ( c 0 , · · · , c d ) = E ( m , k ) Security : ∀{ iv 1 , iv 2 , . . . , iv d } ⊆ { intermediate var. of E ′ } : � � � � Pr k | iv 1 , iv 2 , . . . , iv d = Pr k For SPN ( eg. DES, AES) the main issue is masking the S-box. T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing

Recommend

Tight Private Circuits: Achieving Probing Security with the Least Refreshing Sonia Belaid,

Tight Private Circuits: Achieving Probing Security with the Least Refreshing Sonia Belaid,

Tight Private Circuits: Achieving Probing Security with the Least Refreshing Sonia Belaid, Dahmun Goudarzi, and Matthieu Rivain dahmun.goudarzi@pqshield.com 1 Side-Channel Attacks and Higher-Order Masking in 1 in 2 in 3

655 views • 52 slides
Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

8 + Introduction Higher Order Masking Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved Scheme Experimental Results J.-S. Coron 1 E. Prouff 2 M. Rivain 1 , 2 Conclusion 1 University of

555 views • 43 slides
Generalized Polynomial Decomposition for S-boxes with Application to Side-Channel Countermeasures

Generalized Polynomial Decomposition for S-boxes with Application to Side-Channel Countermeasures

Generalized Polynomial Decomposition for S-boxes with Application to Side-Channel Countermeasures Dahmun Goudarzi, Matthieu Rivain, Srinivas Vivek, and Damien Vergnaud Background 2 Secure Software S-box Implementations Higher-Order

636 views • 25 slides
Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers

Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers

Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers will always cheat xkcd #538 What is side channel cryptanalysis? Side Channels: whatever the designers ignored Key Plaintext Encryption Cipher

1.14k views • 112 slides
Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com MCrypt Seminar Aug. 11th 2014 Outline 1 Introduction 2 Modeling side-channel leakage 3 Achieving provable security against SCA

1.62k views • 92 slides
Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of Technology, The Netherlands May 6, 2018 Outline 1 Side-channels 2 Implementation Attacks 3 Side-channel Attacks 4 Fault Injection 2 / 48

824 views • 48 slides
Side Channels CS 161: Computer Security Prof. David Wagner April 23, 2013 UI Side Channel

Side Channels CS 161: Computer Security Prof. David Wagner April 23, 2013 UI Side Channel

Side Channels CS 161: Computer Security Prof. David Wagner April 23, 2013 UI Side Channel Snooping Scenario: Ann the Attacker works in a building across the street from Victor the Victim. Late one night Ann can see Victor hard at work in

727 views • 44 slides
How to mask S-Boxes of a block cipher against side channel attacks. Focus on the AES. Micha el

How to mask S-Boxes of a block cipher against side channel attacks. Focus on the AES. Micha el

Introduction Masking based on Look-up tables How to mask (additively) basic operations? Method based on multiplicative masking Method based on Square and Multiply and addition chains Method based on the tower field representation

824 views • 54 slides
Towards Super-Exponential Side-Channel Security with Efficient Leakage-Resilient PRFs M. Medwed,

Towards Super-Exponential Side-Channel Security with Efficient Leakage-Resilient PRFs M. Medwed,

Towards Super-Exponential Side-Channel Security with Efficient Leakage-Resilient PRFs M. Medwed, F.-X. Standaert , A. Joux NXP & UCL Crypto Group & Univ. Versailles CHES 2012, Leuven, Belgium SCA security (implementation level) 1 SCA

857 views • 70 slides
HO in Coq Guillaume Ambal, Sergue Lenglet and Alan Schmitt Higher-Order -calculus

HO in Coq Guillaume Ambal, Sergue Lenglet and Alan Schmitt Higher-Order -calculus

HO in Coq Guillaume Ambal, Sergue Lenglet and Alan Schmitt Higher-Order -calculus Model of concurrent and communicating systems First-order: inert data (channel names, . . . ) Higher-order: executable processes

866 views • 57 slides
York University www.cs.york.ac.uk/~ndm First order vs Higher order Higher order:

York University www.cs.york.ac.uk/~ndm First order vs Higher order Higher order:

First Order Haskell Neil Mitchell York University www.cs.york.ac.uk/~ndm First order vs Higher order Higher order: functions are values Can be passed around Stored in data structure Harder for reasoning and analysis More

483 views • 15 slides
Evaluating the Security of Implementations Against Side Channel Attacks Activities from ANSSI

Evaluating the Security of Implementations Against Side Channel Attacks Activities from ANSSI

Evaluating the Security of Implementations Against Side Channel Attacks Activities from ANSSI Laboratory for Embedded Security Emmanuel Prouff emmanuel.prouff@ssi.gouv.fr Agence Nationale de la S ecurit e des Syst` emes dInformation

790 views • 68 slides
CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security Introduction Meltdown Papers Spectre Attacks: Exploiting Speculative Execution, IEEE Security and Privacy (S&P), 2019 (Dustin)

726 views • 44 slides
Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu

Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu

8 + Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu Rivain 1 , 2 , Emmanuelle Dottax 1 & Emmanuel Prouff 1 Oberthur Card Systems University of Luxembourg February 11, 2008 M. Rivain, E.

812 views • 64 slides
Fresh Re-Keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices Marcel

Fresh Re-Keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices Marcel

VLSI Institute for Applied Information Processing and Communications (IAIK) VLSI & Security Fresh Re-Keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices Marcel Medwed Franois-Xavier Standaert Johann

814 views • 28 slides
LoRa Reverse Engineering and AES EM Side-Channel Attacks using SDR Pieter Robyns About me

LoRa Reverse Engineering and AES EM Side-Channel Attacks using SDR Pieter Robyns About me

LoRa Reverse Engineering and AES EM Side-Channel Attacks using SDR Pieter Robyns About me PhD student at Hasselt University since 2014 Since 2016 on FWO SBO research grant Researching wireless security Protocol security,

803 views • 57 slides
Higher-Order Model Checking: Principles and Applications to Program Verification and Security

Higher-Order Model Checking: Principles and Applications to Program Verification and Security

Higher-Order Model Checking: Principles and Applications to Program Verification and Security Part I: Types and Recursion Schemes for Higher-Order Program Verification Part II: Higher-Order Program Verification and Language-Based Security

836 views • 54 slides
Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas

Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas

Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas ROCHE ANSSI (French Network and Information Security Agency) Thursday, December 3rd, 2013 Side Channel Attacks (SCA)| Linear Regression Attack

340 views • 32 slides
+ Side Channel and Covert Channel A1acks on Microkernel

+ Side Channel and Covert Channel A1acks on Microkernel

+ Side Channel and Covert Channel A1acks on Microkernel Architectures WAMOS 2015 Advanced Opera3ng Systems Hochschule RheinMain Alexander Baumgrtner and

539 views • 25 slides
Side-channel bas ed Collision Attacks, Theory to Att k Th t o Practice P ti 3. December

Side-channel bas ed Collision Attacks, Theory to Att k Th t o Practice P ti 3. December

Side-channel bas ed Collision Attacks, Theory to Att k Th t o Practice P ti 3. December 2010 Amir Moradi E Embedded Security Group, Ruhr University Bochum b dd d S it G R h U i it B h m, Germany G Embedded Security Group Outline

495 views • 26 slides
Masking against Side-Channel Attacks: a Formal Security Proof Matthieu Rivain Joint work with

Masking against Side-Channel Attacks: a Formal Security Proof Matthieu Rivain Joint work with

Masking against Side-Channel Attacks: a Formal Security Proof Matthieu Rivain Joint work with Emmanuel Prouff EUROCRYPT 2013 May 27th Outline 1 Introduction and Previous Works 2 Our Contribution 3 Model of Leaking Computation 4

526 views • 36 slides
System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud Taesoo Kim, Marcus

System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud Taesoo Kim, Marcus

System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud Taesoo Kim, Marcus Peinado, Gloria Mainar-Ruiz MIT CSAIL Microsoft Research Security is a big concern in cloud adoption Why are cache-based side channel

588 views • 38 slides
Breaking Deployed Crypto The Side Channel Analyst s Way Daniel Moghimi (@danielmgmi)

Breaking Deployed Crypto The Side Channel Analyst s Way Daniel Moghimi (@danielmgmi)

Breaking Deployed Crypto The Side Channel Analyst s Way Daniel Moghimi (@danielmgmi) 04/30/2020 Hardwear.io About Me Daniel Moghimi @danielmgmi Security Researcher PhD Student @ WPI Microarchitectural Security Side

926 views • 69 slides
Why higher-order logic? Higher-Order logic Expressive Mathematics Verification

Why higher-order logic? Higher-Order logic Expressive Mathematics Verification

Extending SMT solvers to higher-order logic Haniel Barbosa Andrew Reynolds Daniel El Ouraoui Clark Barrett Cesare Tinelli SMT 2019 20190707, Lisbon, PT To be published in the proceedings of CADE 2019 Why higher-order logic?

569 views • 25 slides

More recommend