Physical Defaults & the Robust Probing Model Sebastian Faust, - PowerPoint PPT Presentation

Composable Masking Schemes in the Presence of Physical Defaults & the Robust Probing Model Sebastian Faust, Vincent Grosso, Santos Merino Del Pozo, Clara Paglialonga, François-Xavier Standaert TU Darmstadt (Germany), Radbout University Nijmegen (The Netherlands), DarkMatter LLC (UAE), UCLouvain (Belgium) CHES 2018, Amsterdam, The Netherlands

Masking (e.g., Boolean 𝒚 = 𝒚 𝟐 + 𝒚 𝟑 + ⋯ + 𝒚 𝒆 ) 1 𝑑 Noisy leakages security: 𝑂 ∝ MI (𝑌;𝑴) MI 𝑌; 𝑴 < MI 𝑌 𝑗 ; 𝑀 𝑗 𝑒 Goal (ideally):

Masking (e.g., Boolean 𝒚 = 𝒚 𝟐 + 𝒚 𝟑 + ⋯ + 𝒚 𝒆 ) 1 Bounded moment security: 𝑀 𝑗 𝑌 𝑗 1 ,𝑗 2 ,…,𝑗 𝑒−1 ( 𝑒 -1)th order statistical moment (ideally) 𝑑 Noisy leakages security: 𝑂 ∝ MI (𝑌;𝑴) MI 𝑌; 𝑴 < MI 𝑌 𝑗 ; 𝑀 𝑗 𝑒 Goal (ideally):

Masking (e.g., Boolean 𝒚 = 𝒚 𝟐 + 𝒚 𝟑 + ⋯ + 𝒚 𝒆 ) 1 𝑦 = 𝑦 1 + 𝑦 2 + ⋯ + 𝑦 𝑒 Probing security: Sets of ( 𝑒 -1) probes are of 𝑌 (ideally) Bounded moment security: 𝑀 𝑗 𝑌 𝑗 1 ,𝑗 2 ,…,𝑗 𝑒−1 ( 𝑒 -1)th order statistical moment (ideally) 𝑑 Noisy leakages security: 𝑂 ∝ MI (𝑌;𝑴) MI 𝑌; 𝑴 < MI 𝑌 𝑗 ; 𝑀 𝑗 𝑒 Goal (ideally):

Security reductions 2 abstract-qualitative 𝑦 = 𝑦 1 + 𝑦 2 + ⋯ + 𝑦 𝑒 probing [Barthe et al., Eurocrypt 2017] bounded moment physical-qualitative [Duc et al., Eurocrypt 2014] physical-quantitative noisy leakages

What can go wrong? (e.g., when computing 𝒃. 𝒄 ) 3 Issue #1. Lack of randomness (can break the independence assumption) 𝑑 1 𝑏 1 𝑐 1 𝑏 1 𝑐 2 𝑏 1 𝑐 3 Example: probing 𝑑 1 = 𝑏 1 . 𝑐 1 + 𝑐 2 + 𝑐 3 𝑑 2 𝑏 2 𝑐 1 𝑏 2 𝑐 2 𝑏 2 𝑐 3 ⇒ reveals information on 𝑐 (when 𝑑 1 = 1) 𝑑 3 𝑏 3 𝑐 1 𝑏 3 𝑐 2 𝑏 3 𝑐 3

What can go wrong? (e.g., when computing 𝒃. 𝒄 ) 3 Issue #1. Lack of randomness (can break the independence assumption) • mitigated by adding 𝑑 1 𝑏 1 𝑐 1 𝑏 1 𝑐 2 𝑏 1 𝑐 3 0 𝑠 𝑠 1 2 «refreshing gadgets » 𝑑 2 𝑏 2 𝑐 1 𝑏 2 𝑐 2 𝑏 2 𝑐 3 𝑠 0 𝑠 + ⇒ 2 3 • can be analyzed in 𝑑 3 𝑠 𝑠 0 𝑏 3 𝑐 1 𝑏 3 𝑐 2 𝑏 3 𝑐 3 2 3 the probing model

What can go wrong? (e.g., when computing 𝒃. 𝒄 ) 3 Issue #1. Lack of randomness (can break the independence assumption) • mitigated by adding 𝑑 1 𝑏 1 𝑐 1 𝑏 1 𝑐 2 𝑏 1 𝑐 3 0 𝑠 𝑠 1 2 «refreshing gadgets » 𝑑 2 𝑏 2 𝑐 1 𝑏 2 𝑐 2 𝑏 2 𝑐 3 𝑠 0 𝑠 + ⇒ 2 3 • can be analyzed in 𝑑 3 𝑠 𝑠 0 𝑏 3 𝑐 1 𝑏 3 𝑐 2 𝑏 3 𝑐 3 2 3 the probing model Issue #2. Physical defaults (can break the independence assumption) Example: glitches (transcient values) « re-combine » the shares such that: 𝑀 𝑗 = 𝜀(𝑦 1 ∙ 𝑦 2 ∙ 𝑦 3 ) (detected in the bounded moment model)

What can go wrong? (e.g., when computing 𝒃. 𝒄 ) 3 Issue #1. Lack of randomness (can break the independence assumption) • mitigated by adding 𝑑 1 𝑏 1 𝑐 1 𝑏 1 𝑐 2 𝑏 1 𝑐 3 0 𝑠 𝑠 1 2 «refreshing gadgets » 𝑑 2 𝑏 2 𝑐 1 𝑏 2 𝑐 2 𝑏 2 𝑐 3 𝑠 0 𝑠 + ⇒ 2 3 • can be analyzed in 𝑑 3 𝑠 𝑠 0 𝑏 3 𝑐 1 𝑏 3 𝑐 2 𝑏 3 𝑐 3 2 3 the probing model Issue #2. Physical defaults (can break the independence assumption) • mitigated by adding a « non- completeness » property [ ≈ Theshold Implementations] • abstract property: can be analyzed in the probing model!

Security notions (and scalability) 4 𝒓 -probing security [ISW, 2004] : any 𝑟 -tuple of shares in the protected circuit is independent of any sensitive variable

Security notions (and scalability) 4 𝒓 -probing security [ISW, 2004] : any 𝑟 -tuple of shares in the protected circuit is independent of any sensitive variable Problem: the cost of testing probing security increases (very) fast with circuit size and the # of shares (since ∃ many tuples) [Barthe et al., Eurocrypt 2015]

Security notions (and scalability) 4 𝑟 1 + 𝑟 2 ≤ 𝑟 𝑟 1 internal probes 𝑟 2 output probes 𝒓 -probing security [ISW, 2004] : any 𝑟 -tuple of shares in the protected circuit is independent of any sensitive variable 𝒓 -(Strong) Non Interference [Barthe et al., CCS 2016] : a circuit gadget (e.g., f 1 ) is NI (SNI) if any set of 𝑟 1 + 𝑟 2 probes can be simulated with at most 𝑟 1 + 𝑟 2 (only 𝑟 1 ) shares of each input D(input shares||probes) ≈ D(input shares||simulation)

Security notions (and scalability) 4 𝑟 1 + 𝑟 2 ≤ 𝑟 𝑟 1 internal probes 𝑟 2 output probes 𝒓 -probing security [ISW, 2004] : any 𝑟 -tuple of shares in the protected circuit is independent of any sensitive variable 𝒓 -(Strong) Non Interference [Barthe et al., CCS 2016] : a circuit gadget (e.g., f 1 ) is NI (SNI) if any set of 𝑟 1 + 𝑟 2 probes can be simulated with at most 𝑟 1 + 𝑟 2 (only 𝑟 1 ) shares of each input D(input shares||probes) ≈ D(input shares||simulation)

Problem statement (simplified) 5 • Composable masking 𝑏 1 𝑐 1 𝑏 1 𝑐 2 𝑏 1 𝑐 3 0 𝑠 𝑠 1 2 schemes ignore physical 𝑏 2 𝑐 1 𝑏 2 𝑐 2 𝑏 2 𝑐 3 𝑠 0 𝑠 + 2 3 𝑏 3 𝑐 1 𝑏 3 𝑐 2 𝑏 3 𝑐 3 𝑠 𝑠 0 defaults such as glitches 2 3

Problem statement (simplified) 5 • Composable masking 𝑏 1 𝑐 1 𝑏 1 𝑐 2 𝑏 1 𝑐 3 0 𝑠 𝑠 1 2 schemes ignore physical 𝑏 2 𝑐 1 𝑏 2 𝑐 2 𝑏 2 𝑐 3 𝑠 0 𝑠 + 2 3 𝑏 3 𝑐 1 𝑏 3 𝑐 2 𝑏 3 𝑐 3 𝑠 𝑠 0 defaults such as glitches 2 3 • Treshold implementations y 1 x 1 f 1 mitigate glitches but are only proven “uniform” y 2 x 2 f 2 ( ≈ probing secure) y 3 x 3 f 3 ⇒ testing scales badly

Problem statement (simplified) 5 • Composable masking 𝑏 1 𝑐 1 𝑏 1 𝑐 2 𝑏 1 𝑐 3 0 𝑠 𝑠 1 2 schemes ignore physical 𝑏 2 𝑐 1 𝑏 2 𝑐 2 𝑏 2 𝑐 3 𝑠 0 𝑠 + 2 3 𝑏 3 𝑐 1 𝑏 3 𝑐 2 𝑏 3 𝑐 3 𝑠 𝑠 0 defaults such as glitches 2 3 • Treshold implementations y 1 x 1 f 1 mitigate glitches but are only proven “uniform” y 2 x 2 f 2 ( ≈ probing secure) y 3 x 3 f 3 ⇒ testing scales badly • Design & prove masked implementations that are ( jointly! ) robust against glitches and composable

(Refined) model and security definition 6 𝑞 1 Glitch-extended probes: probing any output of a combinatorial sub- circuit allows the adversary to observe all the sub-circuit inputs Example: 𝑞 1 gives 𝑏, 𝑐 and 𝑑

(Refined) model and security definition 6 𝑞 1 Glitch-extended probes: probing any output of a combinatorial sub- circuit allows the adversary to observe all the sub-circuit inputs Example: 𝑞 1 gives 𝑏, 𝑐 and 𝑑 𝑞 2 Technical clarification : non-extended probes on the stable registers’ values have to be considered in the simulation too

(Refined) model and security definition 6 𝑞 1 Glitch-extended probes: probing any output of a combinatorial sub- circuit allows the adversary to observe all the sub-circuit inputs Example: 𝑞 1 gives 𝑏, 𝑐 and 𝑑 𝑞 2 Technical clarification : non-extended probes on the stable registers’ values have to be considered in the simulation too Definition: a gadget is glitch-robust 𝒓 -SNI if it is 𝑟 - SNI in the “glitch - extended” probing model

(Refined) model and security definition 6 𝒒 𝟐 Glitch-extended probes: probing any output of a combinatorial sub- circuit allows the adversary to observe all the sub-circuit inputs Example: 𝑞 1 gives 𝑏, 𝑐 and 𝑑 𝑞 2 Technical clarification : non-extended probes on the stable registers’ values have to be considered in the simulation too Definition: a gadget is glitch-robust 𝒓 -SNI if it is 𝑟 - SNI in the “glitch - extended” probing model ⇒ Shares’ fan in of robust gadgets should be minimum

(Refined) model and security definition 6 𝒒 𝟐 Glitch-extended probes: probing any output of a combinatorial sub- circuit allows the adversary to observe all the sub-circuit inputs Example: 𝑞 1 gives 𝑏, 𝑐 and 𝑑 𝒒 𝟑 Technical clarification : non-extended probes on the stable registers’ values have to be considered in the simulation too Definition: a gadget is glitch-robust 𝒓 -SNI if it is 𝑟 - SNI in the “glitch - extended” probing model ⇒ Shares’ fan in of robust gadgets should be minimum ⇒ Outputs of SNI gadgets should be stored in registers

ISW mult. is glitch-robust 𝒓 -SNI in 2 cycles 7 Example with: • 𝑒 = 3 • 𝑟 = 2

ISW mult. is glitch-robust 𝒓 -SNI in 2 cycles 7 The adversary can observe: • 12 glitch-extended probes • 𝑣 𝑗,𝑘 ’s and 𝑑 𝑗 ’s • 3 stable (output) probes 𝑑 𝑗 ’s ⇒ We need to describe a simulator using 𝑟 1 shares/input

ISW mult. is glitch-robust 𝒓 -SNI in 2 cycles 7 • 1 st example: 2 extended probes • G( 𝑣 1,2 ) ≔ 𝑏 1 , 𝑐 2 , 𝑠 1,2 • G 𝑑 1 ≔ 𝑣 1,1 , 𝑣 2,1 , 𝑣 3,1 to simul. with 2 shares/input