Leakage Squeezing Revisited (PowerPoint presentation transcript)


  1. Leakage Squeezing Revisited. Vincent Grosso 1, François-Xavier Standaert 1, Emmanuel Prouff 2. 1 ICTEAM/ELEN/Crypto Group, Université catholique de Louvain, Belgium. 2 ANSSI, 51 Bd de la Tour-Maubourg, 75700 Paris 07 SP, France. CARDIS 2013, Berlin.

  2-4. Secret Sharing (figure, built up over three slides). P( | ) = P( ). UCL Crypto Group Leakage Squeezing 1 / 26 UCL/ICTEAM/ELEN

  5-8. Boolean Secret Sharing. Let X be a variable and M a random value uniformly chosen among the possible values of X. Then X can be shared with the vector (X ⊕ M, M). M is random ⇒ no information on X is available from the observation of M. X ⊕ M is a one-time pad of X ⇒ no information on X is available from the observation of X ⊕ M.

  9-13. Masking ≃ Computing on Shared Values. Traces contain information plus some noise. Unprotected device: unidimensional leakage is sufficient to mount an attack. Protected software device with 2 shares: ideally bidimensional leakages are sufficient to mount an attack. Protected software device with 3 shares: ideally tridimensional leakages are sufficient to mount an attack. Dimension of an attack: number of leakage points used.

  14-16. Order (statistical). Let $X_i$ be $r$ random variables; then the central mixed moment of orders $d_1, \dots, d_r$ is defined by $E\big((X_1 - E(X_1))^{d_1} \times \cdots \times (X_r - E(X_r))^{d_r}\big)$. The order of an attack is the smallest statistical moment order ($d = \sum_i d_i$) used in the attack. If the random variables are noisy, the moment becomes harder to estimate as the order increases.

  17-18. Application to attack. ⊲ Order ↔ data complexity. ⊲ Dimension ↔ computational complexity. The data complexity of a successful attack increases exponentially with the order of the attack (with the noise level as the base of the exponential).
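As an added illustration of the sharing and moment definitions on the slides above (this is not code from the presentation or its authors), the following Python enumerates the noiseless two-share leakage (l(X ⊕ M), l(M)) exactly for every mask value, under the Hamming-weight leakage model the slides assume, and evaluates central mixed moments with the definition from the "Order (statistical)" slide. It shows that every order-1 statistic of each share is the same for all X, while the order-(1,1) mixed moment of the two shares is not: the smallest informative order is 2 and it is only reachable by a two-dimensional attack. All function and variable names are my own.

```python
from collections import Counter
from fractions import Fraction
from itertools import product

N_BITS = 8                   # the shared value is one byte
MASKS = range(1 << N_BITS)   # uniform masking: every mask value is possible


def hw(v: int) -> int:
    """Hamming weight: the linear leakage model assumed on the slides."""
    return bin(v).count("1")


def share(x: int, m: int) -> tuple:
    """Boolean secret sharing of x with mask m: the vector (x XOR m, m)."""
    return (x ^ m, m)


def share_is_one_time_pad(x: int) -> bool:
    """The masked share, taken alone, is uniform over all 2^n values whatever
    x is, so observing only that share gives no information on x."""
    first = sorted(share(x, m)[0] for m in MASKS)
    return first == list(MASKS)


def leakage_pairs(x: int) -> list:
    """Noiseless joint leakage (l(x XOR M), l(M)) for fixed x and uniform M,
    enumerated exactly (one tuple per mask) instead of being sampled."""
    return [(hw(a), hw(b)) for a, b in (share(x, m) for m in MASKS)]


def central_mixed_moment(samples: list, orders: tuple) -> Fraction:
    """E[(X_1 - E X_1)^d_1 * ... * (X_r - E X_r)^d_r] over equiprobable joint
    samples: the definition on the 'Order (statistical)' slide, computed
    exactly with rationals. Identical samples are grouped to save work."""
    n = len(samples)
    means = [Fraction(sum(s[i] for s in samples), n) for i in range(len(orders))]
    total = Fraction(0)
    for s, count in Counter(samples).items():
        term = Fraction(count)
        for i, d in enumerate(orders):
            term *= (s[i] - means[i]) ** d
        total += term
    return total / n


def share_means(x: int) -> tuple:
    """Order-1 statistic of each share's leakage: (E l1, E l2)."""
    samples = leakage_pairs(x)
    n = len(samples)
    return (Fraction(sum(s[0] for s in samples), n),
            Fraction(sum(s[1] for s in samples), n))


def second_order_mixed_moment(x: int) -> Fraction:
    """Order-(1,1) central mixed moment E[(l1 - E l1)(l2 - E l2)], the statistic
    a bivariate second-order evaluation of the two shares estimates."""
    return central_mixed_moment(leakage_pairs(x), (1, 1))


def x_dependent_moments(max_order: int = 2) -> set:
    """Which central mixed moments of total order <= max_order vary with x.
    A moment that does not depend on x carries no information about x, so the
    attack order is the smallest d1 + d2 appearing in the returned set."""
    dependent = set()
    for d1, d2 in product(range(max_order + 1), repeat=2):
        if not 1 <= d1 + d2 <= max_order:
            continue
        values = {central_mixed_moment(leakage_pairs(x), (d1, d2))
                  for x in range(1 << N_BITS)}
        if len(values) > 1:
            dependent.add((d1, d2))
    return dependent


if __name__ == "__main__":
    print("a single share is a one-time pad:",
          all(share_is_one_time_pad(x) for x in range(1 << N_BITS)))
    for x in (0x00, 0x0f, 0xff):
        print(f"x={x:#04x}: means={share_means(x)}, "
              f"E[(l1-E l1)(l2-E l2)]={second_order_mixed_moment(x)}")
    print("x-dependent moments up to order 2:", x_dependent_moments(2))
```

Noise is left out because the moments of the noiseless distribution can be enumerated exactly; in an evaluation the same moments are estimated from traces, and the remark on the slide applies: the number of traces needed to estimate an order-d moment grows exponentially in d with the noise as the base.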

  19-20. Outline. 1. Leakage squeezing. 2. Assumption fulfilled. 3. On the adversary condition. 4. On the physical condition. (Slide 20 repeats the outline to introduce part 1, Leakage squeezing.)

  21. Motivation. ⊲ Masking security holds if all masks are uniformly distributed ⇒ strong randomness requirements in masked implementations. Leakage squeezing proposes to reduce the amount of entropy (i.e. the number of masks). ⊲ Fewer masks can lead to a more efficient implementation. ⊲ The security order is preserved under two conditions: ◦ Unidimensional leakage. ◦ Linear leakage.

  22-25. On the security conditions. ⊲ Unidimensional leakage (only 1 share leaks), adversarial condition: ◦ points of interest are difficult to find; ◦ implementations always leak on all shares. What happens if the adversary obtains leakage on both shares? Similar security as uniform masking :) ⊲ Linear leakage, physical condition: ◦ classical hypothesis (Hamming weight leakage) for an adversary, but not for an evaluation; ◦ cryptographic designers can hardly control the leakage function. What happens if the leakage function is not linear? The security order decreases, depending on the degree of the leakage function :(

  26. Target. $C_{12}$ = {0x03, 0x18, 0x3f, 0x55, 0x60, 0x6e, 0x8c, 0xa5, 0xb2, 0xcb, 0xd6, 0xf9} [NGD11]: univariate security of order 2, if the leakage is linear. $C_{16}$ = {0x10, 0x1f, 0x26, 0x29, 0x43, 0x4c, 0x75, 0x7a, 0x85, 0x8a, 0xb3, 0xbc, 0xd6, 0xd9, 0xe0, 0xef} [BCG13]: univariate security of order 3, if the leakage is linear.

  27-30. Modification of hypothesis. ⊲ Multivariate (higher-dimension) attacks ⇒ adversarial condition: $l_1 = l(X \oplus m) + N_1$, $l_2 = l(m) + N_2$. ⊲ Polynomial leakage ⇒ physical condition. Let X be an internal value and $X_i$ the value of the $i$-th bit of X. For a linear leakage, $\exists \{a_i\}_i$ s.t. $l(X) = \sum_i a_i X_i$. For a polynomial leakage, $\exists \{a_i\}_i, \{b_{i,j}\}_{i,j}, \dots$ s.t. $l(X) = \sum_i a_i X_i + \sum_i \sum_j b_{i,j} X_i X_j + \sum_i \sum_j \sum_k c_{i,j,k} X_i X_j X_k + \cdots$. For uniform masking, polynomial leakage does not mix different shares; it therefore has no incidence on the security order.
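Added example (not the paper's or the authors' code) that checks the squeezing property of the two mask sets from the "Target" slide against the leakage models of the slides just above. With leakage squeezing the mask is drawn uniformly from the reduced set rather than from all 256 values, and the univariate security order under linear leakage is the largest d for which the first d moments of l(x ⊕ M) are the same for every x. The code computes those moments exactly for each set and, independently, tests the equivalent combinatorial condition that the set projects uniformly onto every choice of d bit positions; both agree with the orders 2 and 3 stated on the slide. A constructed degree-2 leakage function illustrates the polynomial-leakage remark: with uniform masking the order is unaffected, while for the reduced sets the reported order can be compared with the linear case. The mask sets are copied from the slide; the leakage functions and all function names are my own.

```python
from collections import Counter
from fractions import Fraction
from itertools import combinations

N_BITS = 8

# Mask sets named on the 'Target' slide (values copied from the slide).
C12 = [0x03, 0x18, 0x3f, 0x55, 0x60, 0x6e, 0x8c, 0xa5, 0xb2, 0xcb, 0xd6, 0xf9]
C16 = [0x10, 0x1f, 0x26, 0x29, 0x43, 0x4c, 0x75, 0x7a,
       0x85, 0x8a, 0xb3, 0xbc, 0xd6, 0xd9, 0xe0, 0xef]
FULL = list(range(1 << N_BITS))   # uniform masking over all 256 mask values


def hw(v: int) -> int:
    return bin(v).count("1")


def linear_leakage(v: int) -> int:
    """sum_i a_i X_i with every a_i = 1, i.e. the Hamming-weight model."""
    return hw(v)


def quadratic_leakage(v: int) -> int:
    """Constructed degree-2 instance of the polynomial model on the slide:
    Hamming weight plus every pairwise bit product (a_i = 1, b_{i,j} = 1)."""
    b = [(v >> i) & 1 for i in range(N_BITS)]
    return hw(v) + sum(b[i] * b[j] for i, j in combinations(range(N_BITS), 2))


def correlation_immunity_order(masks) -> int:
    """Largest d such that the mask set projects uniformly onto every choice of
    d or fewer bit positions (Walsh test: the parity a.m is balanced over the
    set for every nonzero a of weight <= d). Under linear leakage this is the
    largest d for which the first d moments of l(x XOR M) cannot depend on x."""
    for d in range(1, N_BITS + 1):
        for positions in combinations(range(N_BITS), d):
            a = sum(1 << p for p in positions)
            if sum((-1) ** hw(a & m) for m in masks) != 0:
                return d - 1
    return N_BITS


def moment_by_x(masks, leak, order: int) -> dict:
    """Exact order-th moment of leak(x XOR M) for every x, M uniform on masks:
    the mean for order 1, the central moment for order >= 2."""
    table = [leak(v) for v in range(1 << N_BITS)]
    n = len(masks)
    out = {}
    for x in range(1 << N_BITS):
        counts = Counter(table[x ^ m] for m in masks)
        mu = Fraction(sum(v * c for v, c in counts.items()), n)
        if order == 1:
            out[x] = mu
        else:
            out[x] = sum(c * (v - mu) ** order for v, c in counts.items()) / n
    return out


def moments_independent_of_x(masks, leak, up_to: int) -> bool:
    """True when every moment of order 1..up_to is the same for all x, i.e. no
    univariate attack of order <= up_to can distinguish values of x."""
    return all(len(set(moment_by_x(masks, leak, d).values())) == 1
               for d in range(1, up_to + 1))


def univariate_security_order(masks, leak, max_order: int = 4) -> int:
    """Smallest order whose moment depends on x, minus one (capped)."""
    for d in range(1, max_order + 1):
        if len(set(moment_by_x(masks, leak, d).values())) > 1:
            return d - 1
    return max_order


if __name__ == "__main__":
    for name, masks in (("C12", C12), ("C16", C16), ("uniform", FULL)):
        print(name,
              "| correlation immunity:", correlation_immunity_order(masks),
              "| order, linear leakage:", univariate_security_order(masks, linear_leakage),
              "| order, quadratic leakage:", univariate_security_order(masks, quadratic_leakage))
```

The moment test and the projection test answer the same question from two sides: the moment test is what an evaluator measures on traces, the projection test is what a designer can verify on the mask set before anything is built. For the uniform set every moment of every leakage function is x-independent, because x ⊕ M is itself uniform, which is the slide's point that polynomial leakage costs nothing under uniform masking.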

  31-36. Framework. ⊲ Mutual information (figure built up over slides 31-35: the key K, the leakage L, and the information shared between them): the maximum information available. ⊲ Perceived information (slide 36, same figure).
