M&M: Masks and Macs against Physical Attacks (CHES 2019, PowerPoint presentation)

SLIDE 1

M&M: Masks and Macs against Physical Attacks

CHES 2019
Lauren De Meyer, Victor Arribas, Svetla Nikova, Ventzislav Nikov, Vincent Rijmen

SLIDE 2

BACK TO THE 90’S

  • Differential Power Analysis (DPA) – Paul Kocher et al. 1999 [KJJ99]
  • Differential Fault Analysis (DFA) – Biham and Shamir 1997 [BS97]

[KJJ99] Paul C. Kocher, Joshua Jaffe, Benjamin Jun: Differential Power Analysis. CRYPTO 1999: 388-397
[BS97] Eli Biham, Adi Shamir: Differential Fault Analysis of Secret Key Cryptosystems. CRYPTO 1997: 513-525

SLIDE 3

COUNTERMEASURES

  • Against side-channel attacks:
    • Hiding
    • Masking
  • Against fault attacks:
    • Repetition, redundancy (EDC, tags), …
    • Detection, correction or infection

[Figure: a masked AES operating on shares p_1, …, p_d and producing shares c_1, …, c_d, beside an AES with redundancy that carries a tag τ_p on its input p and a tag τ_c on its output c.]

SLIDE 4

COMBINED COUNTERMEASURES

[Figure: shares p_1, …, p_d with tag shares τ_p,1, …, τ_p,d go in; shares c_1, …, c_d with tag shares τ_c,1, …, τ_c,d come out. The box in between is marked "?": how are the two countermeasures combined?]

SLIDE 5

THRESHOLD CRYPTO

                     Passive                            Active
  MPC                Shamir’s Secret Sharing [Sha79]    SPDZ [DPS+12], …
  Embedded Systems   Masking ([ISW03], [NRS11], …)      …
                     (SCA)                              (SCA+FA)

[Sha79] Adi Shamir: How to Share a Secret. Commun. ACM 22(11): 612-613 (1979)
[DPS+12] Ivan Damgård, Valerio Pastro, Nigel P. Smart, Sarah Zakarias: Multiparty Computation from Somewhat Homomorphic Encryption. CRYPTO 2012: 643-662
[NRS11] Svetla Nikova, Vincent Rijmen, Martin Schläffer: Secure Hardware Implementation of Nonlinear Functions in the Presence of Glitches. J. Cryptology 24(2): 292-321 (2011)
[ISW03] Yuval Ishai, Amit Sahai, David A. Wagner: Private Circuits: Securing Hardware against Probing Attacks. CRYPTO 2003: 463-481

SLIDE 6

TWO ROUTES

  • CAPA [RDB+18]: based on the active MPC protocol SPDZ
  • Extension of masking schemes:
    • ParTI [SMG16]
    • [SFE+18]
    • New: M&M

[RDB+18] Oscar Reparaz, Lauren De Meyer, Begül Bilgin, Victor Arribas, Svetla Nikova, Ventzislav Nikov, Nigel P. Smart: CAPA: The Spirit of Beaver Against Physical Attacks. CRYPTO (1) 2018: 121-151
[SMG16] Tobias Schneider, Amir Moradi, Tim Güneysu: ParTI - Towards Combined Hardware Countermeasures Against Side-Channel and Fault-Injection Attacks. CRYPTO (2) 2016: 302-332
[SFE+18] Okan Seker, Abraham Fernandez-Rubio, Thomas Eisenbarth, Rainer Steinwandt: Extending Glitch-Free Multiparty Protocols to Resist Fault Injection Attacks. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(3): 394-430 (2018)
SLIDE 7

M&M

The essentials

SLIDE 8

ADVERSARY MODEL

  • Side-channel adversary:
    • d-probing model
  • Faulting adversary:
    • Fault = stochastic additive error, unlimited # bits
    • Fault = exact, limited to d shares
  • Combined adversary
SLIDE 9

INFORMATION-THEORETIC MAC TAGS

  MAC key:     α ∈ GF(2^m)
  Data block:  x ∈ GF(2^m)
  Tag:         τ_x = α × x ∈ GF(2^m)

  • Used 1x!
  • Secret!

Pr[compromised (x, τ_x) is consistent] = 2^{-m}

SLIDE 10

INFORMATION-THEORETIC MAC TAGS: MOTIVATION

  • Suppose α = fixed (not secret)
    • ~ linear code
    • ~ ParTI [SMG16]
    • Fault model: limited in HW (Hamming weight of the fault)
  • Combined attacks
    • Adversary has “some” side-channel information
    • x → x ⊕ Δ  ⇒  τ_x → τ_x ⊕ ?
  • ⇒ make α secret

[SMG16] Tobias Schneider, Amir Moradi, Tim Güneysu: ParTI - Towards Combined Hardware Countermeasures Against Side-Channel and Fault-Injection Attacks. CRYPTO (2) 2016: 302-332

SLIDE 11

MASKED MULTIPLIER

  x × y → z  (all values shared)

  • ISW, TI, DOM, CMS, …
  • Example (d = 1):

    z_1 = x_1 y_1 ⊕ x_1 y_2 ⊕ r
    z_2 = x_2 y_2 ⊕ [x_2 y_1 ⊕ r]

SLIDE 12

M&M MULTIPLICATION

  Inputs (x, τ_x) and (y, τ_y); output (z, τ_z)

  Masks:  x × y → z
  MACs:   τ_x × τ_y → α² x y

SLIDE 13

M&M MULTIPLICATION

  Masks:  x × y → z
  MACs:   τ_x × τ_y → α² x y, then × α^{-1} → α x y = τ_z

SLIDE 14

OR OTHER OPERATIONS …

  Input (x, τ_x); operation (·)^{2^n+1}

  Masks:  x → x^{2^n+1}
  MACs:   τ_x → τ_x^{2^n+1} = α^{2^n+1} x^{2^n+1}, then × α^{-2^n} → α x^{2^n+1}

SLIDE 15

AND EVEN …

  Input (x, τ_x); operation (·)^{-1}

  Masks:  x → x^{-1}
  MACs:   τ_x → τ_x^{-1} = α^{-1} x^{-1}, then × α² → α x^{-1}
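The tag bookkeeping of slides 12 to 15, worked through in Python as an added illustration (this is our code, not code from the M&M paper or the slides). It assumes the field GF(2^8) with the AES polynomial, Boolean shares with d = 1, and the d = 1 multiplier of slide 11 used for both the mask and the tag datapath. The key α and its correction powers (α^{-1}, α^{-2^n}, α²) are applied share-wise as unshared constants here; the slides do not say how the real design applies the correction factor, so that part is a simplification of ours. The power map and the inversion are shown on unshared values, since only the tag algebra is the point there.

```python
# Added example, not code from the M&M paper or slides.  Assumptions: GF(2^8)
# with the AES polynomial, Boolean shares (d = 1), and the key alpha and its
# correction powers applied share-wise as unshared constants.
import secrets

POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1 (AES field; our choice)


def gf_mul(a, b):
    """Multiply two elements of GF(2^8)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        b >>= 1
        a = (a << 1) ^ (POLY if a & 0x80 else 0)
    return r


def gf_pow(a, e):
    """Square-and-multiply exponentiation in GF(2^8)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def gf_inv(a):
    """a^-1 = a^254 in GF(2^8) (0 maps to 0)."""
    return gf_pow(a, 254)


def share(x):
    """Split x into two Boolean shares (d = 1)."""
    x1 = secrets.randbelow(256)
    return [x1, x ^ x1]


def unshare(sh):
    return sh[0] ^ sh[1]


def masked_mul(x, y, r):
    """Slide 11, d = 1:  z1 = x1y1 ⊕ x1y2 ⊕ r,  z2 = x2y2 ⊕ [x2y1 ⊕ r]."""
    z1 = gf_mul(x[0], y[0]) ^ gf_mul(x[0], y[1]) ^ r
    z2 = gf_mul(x[1], y[1]) ^ (gf_mul(x[1], y[0]) ^ r)
    return [z1, z2]


def scale(sh, k):
    """Multiply every share by the constant k (linear, hence share-wise)."""
    return [gf_mul(s, k) for s in sh]


def mm_mul(alpha, x, tx, y, ty, r_mask, r_tag):
    """Slides 12-13.  Masks: z = x*y.  MACs: tx*ty = alpha^2 x y, then × alpha^-1."""
    z = masked_mul(x, y, r_mask)
    tz = scale(masked_mul(tx, ty, r_tag), gf_inv(alpha))
    return z, tz


def mm_power(alpha, x, tx, n):
    """Slide 14, unshared: w = x^(2^n+1); tag tx^(2^n+1) corrected by alpha^(-2^n)."""
    e = (1 << n) + 1
    return gf_pow(x, e), gf_mul(gf_pow(tx, e), gf_inv(gf_pow(alpha, 1 << n)))


def mm_inverse(alpha, x, tx):
    """Slide 15, unshared: w = x^-1; tag tx^-1 = alpha^-1 x^-1 corrected by alpha^2."""
    return gf_inv(x), gf_mul(gf_inv(tx), gf_mul(alpha, alpha))


def tag_ok(alpha, x, tx):
    """The invariant every M&M building block must preserve: tx == alpha * x."""
    return gf_mul(alpha, x) == tx


def demo(alpha=0x57, x=0xA3, y=0x3C, n=2):
    """Run each building block once and check the tag invariant on its output."""
    tx, ty = gf_mul(alpha, x), gf_mul(alpha, y)
    z_sh, tz_sh = mm_mul(alpha, share(x), share(tx), share(y), share(ty),
                         secrets.randbelow(256), secrets.randbelow(256))
    z, tz = unshare(z_sh), unshare(tz_sh)
    w, tw = mm_power(alpha, x, tx, n)
    v, tv = mm_inverse(alpha, x, tx)
    return {
        "mul_ok": z == gf_mul(x, y) and tag_ok(alpha, z, tz),
        "power_ok": w == gf_pow(x, (1 << n) + 1) and tag_ok(alpha, w, tw),
        "inverse_ok": gf_mul(v, x) == 1 and tag_ok(alpha, v, tv),
    }


if __name__ == "__main__":
    print(demo())
```

`tag_ok` is the property a fault has to break without being noticed: after every block the tag must again equal α times the data, which is why each operation on the MAC side ends with a multiplication by the matching power of α.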

SLIDE 16

BUILDING BLOCKS FOR ANY ALGORITHM

  MANY FLAVORS OF MASKING  →  MANY FLAVORS OF M&M

SLIDE 17

Now what?

[Figure: the plaintext p goes through a MAC unit producing τ_p; a masked encryption datapath Enc maps p to c, and a masked tag datapath Enc_tag maps τ_p to τ_c.]

SLIDE 18

[Figure as on slide 17, with an output check:  α c = τ_c ?]

SLIDE 19

[Figure as on slide 17, with the output check  α c = τ_c ?]

Vulnerable to combined attacks!

SLIDE 20

INFECTIVE COMPUTATION [LRT12]

[Figure: p is encrypted twice (Enc), giving c and c′; a PRNG supplies R for the infection step.]

  • Infect:  c ⊕ R · (c ⊕ c′),  R ≠ 0, 1
  • Broken by [BG13] (bias on R)

[LRT12] V. Lomné, T. Roche, and A. Thillard. On the need of randomness in fault attack countermeasures - application to AES. In G. Bertoni and B. Gierlichs, editors, FDTC 2012, pages 85–94. IEEE Computer Society, 2012.
[BG13] A. Battistello and C. Giraud. Fault analysis of infective AES computations. In W. Fischer and J. Schmidt, editors, FDTC 2013, pages 101–107. IEEE Computer Society, 2013.

SLIDE 21

PROPOSAL

[Figure: the MAC / Enc / Enc_tag datapath of slide 17, followed by an infection step driven by a PRNG.]

  • Infect (α unshared):  c̃ ⊕ R · (α c̃ ⊕ τ̃_c),  R ≠ 0
  • Unshared:  c ⊕ R · (α c ⊕ τ_c) = c if tags OK, else random

SLIDE 22

NO BIAS?

  • Faulty evaluation gives c̃ = c ⊕ Δ
  • Output:
      c ⊕ Δ ⊕ R · (α (c ⊕ Δ) ⊕ τ_c)
    = c ⊕ Δ ⊕ R · (α c ⊕ α Δ ⊕ τ_c)
    = c ⊕ Δ (1 ⊕ R α)          (using α c = τ_c)
  • Is Δ (1 ⊕ R α) uniformly random?
  • Yes, if α is uniform in GF(2^m) and R is uniform in GF(2^m) with R ≠ 0
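The two counting arguments behind the infection step, as an added example in Python (our code, not code from the M&M paper or the slides): the forgery probability 2^{-m} of slides 9 and 10, and the uniformity of the infected output c ⊕ Δ(1 ⊕ Rα) of slide 22, which is also the 1 − 2^{-8} theoretical rate quoted on slide 26. It assumes GF(2^8) with the AES polynomial (so m = 8), tags τ_c = α·c, and the infection formula of slide 21 applied to unshared values. Instead of sampling, both functions enumerate every key α (and every nonzero R), so the counts are exact.

```python
# Added example, not code from the M&M paper or slides.  Assumptions: GF(2^8)
# with the AES polynomial (m = 8), tags tau_c = alpha * c, and the infection
# step of slide 21 applied to unshared values.
POLY = 0x11B


def gf_mul(a, b):
    """Multiply two elements of GF(2^8)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        b >>= 1
        a = (a << 1) ^ (POLY if a & 0x80 else 0)
    return r


def infect(alpha, r, c, tc):
    """Slide 21: output c ⊕ R·(αc ⊕ τ_c); equals c exactly when the tag is consistent."""
    if r == 0:
        raise ValueError("R must be nonzero, otherwise a faulty c passes through unchanged")
    return c ^ gf_mul(r, gf_mul(alpha, c) ^ tc)


def forgery_success_rate(delta, delta_tag):
    """Slides 9-10: fraction of keys α for which the fault (x → x⊕Δ, τ_x → τ_x⊕Δ')
    stays consistent, i.e. αΔ = Δ'.  For Δ ≠ 0 exactly one α works: 2^-m = 1/256.
    With a fixed, known α the adversary simply picks Δ' = αΔ and always succeeds."""
    hits = sum(1 for alpha in range(256) if gf_mul(alpha, delta) == delta_tag)
    return hits / 256


def infected_output_histogram(c, delta):
    """Slide 22: histogram of the output for c̃ = c ⊕ Δ (tag untouched) over every
    key α and every R ≠ 0.  For Δ ≠ 0 each of the 256 values occurs exactly 255
    times, i.e. the infected output is uniform and carries no bias on Δ."""
    hist = [0] * 256
    for alpha in range(256):
        tc = gf_mul(alpha, c)  # the honest tag of c
        for r in range(1, 256):
            hist[infect(alpha, r, c ^ delta, tc)] += 1
    return hist


if __name__ == "__main__":
    print("forgery success:", forgery_success_rate(0x5A, 0x17))
    print("uniform:", all(v == 255 for v in infected_output_histogram(0x42, 0x01)))
```

The histogram check is the reason slide 22 asks for R ≠ 0: for a fixed nonzero R the map α ↦ 1 ⊕ Rα is a bijection on the field, so Δ(1 ⊕ Rα) takes every value once, whereas R = 0 would leave c ⊕ Δ unchanged.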

SLIDE 23

CASE STUDY

SLIDE 24

EXAMPLE: AES

  • Using S-box from [DRB+16]
  • Comparing area-overhead to state-of-the-art:

  Scheme             SCA-only [kGE]   Combined [kGE]   Overhead factor
  d = 1
    CAPA [RDB+18]         3.6              30.5             8.47
    ParTI [SMG16]         7.9              20.2             2.56
    M&M                   7.6              19.2             2.53
  d = 2
    CAPA [RDB+18]         5.9              55.2             9.35
    M&M                  12.6              33.2             2.63

[DRB+16] Thomas De Cnudde, Oscar Reparaz, Begül Bilgin, Svetla Nikova, Ventzislav Nikov, Vincent Rijmen: Masking AES with d+1 Shares in Hardware. CHES 2016: 194-212
[RDB+18] Oscar Reparaz, Lauren De Meyer, Begül Bilgin, Victor Arribas, Svetla Nikova, Ventzislav Nikov, Nigel P. Smart: CAPA: The Spirit of Beaver Against Physical Attacks. CRYPTO (1) 2018: 121-151
[SMG16] Tobias Schneider, Amir Moradi, Tim Güneysu: ParTI - Towards Combined Hardware Countermeasures Against Side-Channel and Fault-Injection Attacks. CRYPTO (2) 2016: 302-332

SLIDE 25

SIDE-CHANNEL EVALUATION

  • Spartan6 on SAKURA-G
  • TVLA [BCD+13] (t-test)
  • 50 million traces

[Figure: two t-test plots over 1000 samples, "Masks off" (|t| axis up to 120) and "Masks on", with the 4.5 threshold marked.]

[BCD+13] G. Becker, J. Cooper, E. De Mulder, G. Goodwill, J. Jaffe, G. Kenworthy, T. Kouzminov, A. Leiserson, M. Marson, P. Rohatgi, et al. Test vector leakage assessment (TVLA) methodology in practice. In International Cryptographic Module Conference, volume 1001, page 13, 2013.
SLIDE 26

FAULT EVALUATION

  • No “standard” methods of verification
  • Adapt HDL with possibility to inject randomized faults (XOR)
  • Experiment: 50 000 iterations, 189 faulty ciphertexts not infected
    → experimental rate of detection/infection = 0.9962
  • Theoretical rate of detection/infection: 1 − 2^{-8} = 0.9961
  • Verification methodology extended and automated in VerFI (see poster session)

SLIDE 27

TAKE-AWAY

  • Cheaper than CAPA and stronger adversary than ParTI
  • Super versatile: use any existing or future(?) masking scheme
  • Infective computation can be combined with detection result (see paper)
  • Future work:
    • Provable security against combined attacks?
    • Verification tools for combined countermeasures?
    • Optimization: don’t update tags:  α x → α^{-1} y → ⋯ → α z

SLIDE 28

Thank You