Crypto. group SWORD Reducing a Masked Implementationβs Effective Security Order with Setup Manipulations And an Explanation Based on Externally-Amplified Couplings Itamar Levi, Davide Bellizia and FranΓ§ois-Xavier Standaert Aug. 2018
Moti otivatio ion 1 rand. Masking - a well understood SCA countermeasure π = π¦ 1 β¨π¦ 2 β¨ β¦ β¨ π¦ π β’ Split sensitive variables into d shares. L= W( x 1 )+ W( x 2 )+ N 0 β’ Compute on those shares only. x 1 x 2 Independence assumption β the shares induced leakages are Pr( L|x ) independent, and β’ they are merged linearly β¦ x =0 x =0 {x 1 ,x 2 }=11 {x 1 ,x 2 }=00 x =1 It forces the adversary to estimate a higher-order statistical {x 1 ,x 2 }=10,01 moment of the leakage β’ data complexity grows exponentially with d -> amplifies the noise in the leakages 0 1 2 L Β΅ 1 = Β΅ 2 The lowest key-dependent stat. moment - security order Ο 1 β Ο 2 Concretely though, it is hard to achieve it β¦ Motiva couplin Ext.- Test- Concl. tion gs amp. cases
Moti otivatio ion 2 Well understood non-idealities: β’ Glitches β’ Memory transitions x 2 x 1 Can recombine leakages (nonlinear manner) Can be kept under control at design (synthesis) time: β’ Threshold Implementations (TIs) - non-completeness [NRS11] β’ Transition-based leakages can be mitigated by doubling the number of shares [BGG+14] / adding registers or refreshing [CGP+12] => logical recombination , since they can be formulated as logical conditions which can then be verified and prevented [FGP+18] => recalling yesterdayβs Session 6 . Motiva couplin Ext.- Test- Concl. tion gs amp. cases
Moti otivatio ion 3 Well understood physical defaults: β’ Glitches β’ Memory transitions x 2 x 1 Can recombine leakages (nonlinear manner) Can be kept under control at design (synthesis) time: β’ Threshold Implementations (TIs) - non-completeness [NRS11] β’ Transition-based leakages can be mitigated by doubling the number of shares [BGG+14] / adding registers or refreshing [CGP+12] => logical recombinations , since they can be formulated as logical conditions which can then be verified and prevented [FGP+18]. This talk: another physical default, couplings , recently reported by De Cnudde et al. β’ Electrical dependency between the shares (e.g. capacitive, resistive) Motiva couplin Ext.- Test- Concl. tion gs amp. cases
Out utli line 4 Masking Scheme Glitches Transitions What are couplings What do we know of them Verification: How to externally amplify them MaskVerif , ELMO .. Logic level Different test cases (SW/HW) Phys. level β’ Moving from detection to exploitation Couplings Discussion/ how to advance ?? Motiva couplin Ext.- Test- Concl. tion gs amp. cases
Wha hat ar are e couplin ings 5 ⒠Electrical x 1 x 2 x 1 x 2 x 1 x 2 ⒠Capacitive ⒠Resistive In theory In practice: not so linear and not so nice⦠⒠Inductive (less local) ⒠Memri/Resistive-RAM (consider new devices M/RRAM etc.) ⒠Affected by ⒠Capacitive - proximity ⒠Resistive - power-grid / proximity ⒠All - Technology params ⒠Periodicity (L, RC) ⒠What can we control? ⒠Depend on the device (SW/FPGA/ASIC ⦠) but, ⒠Mainly on the power-grid and proximity Motiva couplin Ext.- Test- Concl. tion gs amp. cases
Motiva couplin Ext.- Test- Wha hat do do we e kno now of of the them Concl. tion gs amp. cases In n the the con ontext of of SC SCA β’ De Cnudde et al., [CBG+17, CEM18] put forward that even when implemented correctly (glitches, transitions), masking can suffer from re-combinations. β’ Tweaking shares proximity ( placement and routing ) β’ Iterating/parallelize the shares to increase their signal/re-combination x 1 x 2 β’ Typically not something an adversary can do .. (designers will aim to prevent) β’ Practically: β’ The amplitude of these lower-order leakages was usually lower than the one of the d th order leakages [CBG+17] β’ Were evaluated by detection-tests (T-tests) x 1 x 2 β’ Is there a real threat without internal-amplification? 6
Motiva couplin Ext.- Test- How to o ext xternall lly am ampli lify the them Concl. tion gs amp. cases β’ A simple example (resistive couplings): x 1 x 2 x 1 x 2 πβ² = π½ 1 π½ πβ1 + π½ 2 π½ πβ2 β πΎ(π½ πβ1 β π½ πβ2 ) π = π½ πβ1 + π½ πβ2 R on ~0.1- Pr( L|x ) Pr( L|x ) 1k π» 0 x =0 x =0 {x 1 ,x 2 }=00 {x 1 ,x 2 }=11 0 x =1 R gr <<R on {x 1 ,x 2 }=10,01 0 1 2 0 1 2 L L 7
Motiva couplin Ext.- Test- How to o ext xternall lly am ampli lify the them Concl. tion gs amp. cases β’ A simple example: β’ Devices in linear mode.. π½β² = π½ 1 π½ πβ1 + π½ 2 π½ πβ2 β πΎ(π½ πβ1 β π½ πβ2 ) β’ First order approx. 1 β’ No capacitive effects π½ π = β 1 1 + 2π ππ¦π’ π πΈπΈ,ππ¦π’ π ππ_π π ππ¦π’ π ππ¦π’ π ππ1 π ππ2 β 2π ππ¦π’ πΎ = + π 2π ππ¦π’ + π ππ1 2π ππ¦π’ + π ππ2 π ππ¦π’ βͺπ ππ1 ,π ππ2 π x 1 x 2 πΈπΈ,ππ¦π’ πΈπΈ,ππ¦π’ Pr( L|x ) β’ But, lowering V DD has a negative effect β¦ β’ Reduces the signal (typically, SNR β ) β’ At some point the device will not work 0 2 8 1 L
Motiva couplin Ext.- Test- How to o ext xternall lly am ampli lify the them Concl. tion gs amp. cases β’ A simple example: β’ Devices in linear mode.. π½β² = π½ 1 π½ πβ1 + π½ 2 π½ πβ2 β πΎ(π½ πβ1 β π½ πβ2 ) β’ First order 1 β’ No capacitive effects π½ π = β 1 1 + 2π ππ¦π’ π ππ_π π ππ¦π’ π ππ1 π ππ2 β 2π ππ¦π’ πΎ = + π 2π ππ¦π’ + π ππ1 2π ππ¦π’ + π ππ2 π ππ¦π’ βͺπ ππ1 ,π ππ2 π x 1 x 2 πΈπΈ,ππ¦π’ πΈπΈ,ππ¦π’ Pr( L|x ) β’ But, lowering V DD has a negative effect β¦ β’ Reduces the signal (typically, SNR β ) β’ At some point the device will not work β’ So, increasing R ext then, β’ Too much- the device will not work β’ 0 2 We might need to simult. Increase V DD 9 1 L β’ With R ext β the noise increase
Motiva couplin Ext.- Test- How to o ext xternall lly am ampli lify the them Concl. tion gs amp. cases π½β² = π½ 1 π½ πβ1 + π½ 2 π½ πβ2 β πΎ(π½ πβ1 β π½ πβ2 ) πΎ β 2π ππ¦π’ π πΈπΈ,ππ¦π’ β’ But, lowering V DD has a negative effect β¦ β’ Reduces the signal (typically, SNR β ) β’ At some point the device will not work β’ So, increasing R ext then, β’ Too much- the device will not work β’ We might need to simult. Increase V DD β’ With R ext β the noise increase β’ No trivial answer to what is the worst-case scenario, β’ Depends on the device, the noise, power regulator (if any). 10 β’ The exploration space for a certification lab is huge β¦
Motiva couplin Ext.- Test- How to o ext xternall lly am ampli lify the them Concl. tion gs amp. cases The simplified model can be generalized ( d ): β’ But, -------> d ---------> d /2 ??? β’ Expected: leakage at all stat.-moments/powers (solve MAXWELL β¦ ) ο¨ modeling is hard β’ So our goals were: β’ To examine weather setup-manipulations can reduce the effectively security-order β’ Our explanation is based on these externally amplified couplings β’ The approach we use: β’ To try and falsify β’ To understand if the amplitudes of lower orders leakages can be made significant with amplification 11
Motiva couplin Ext.- Test- How to o eval aluate? e? Concl. tion gs amp. cases Moving on from a: β’ β detection β based approach (T-test) β’ Hard to connect with actual SR β’ to actual exploitation (MCP-DPA): β’ Profiling moments ( d =2 use CM, d >2 use SM..) β’ Gives us the ability to check the contribution of different statistical orders β’ The asymptotic value gives an estimation of the informativeness /SR /#samples required [MS16] 12
Motiva couplin Ext.- Test- Tes est-cases Concl. tion gs amp. cases β’ We have investigated two designs / platforms: β’ HW: AES128 (8bit) 2-shares implementation adopting Domain Oriented Masking [GMK17] on Spartan6 LX75 FPGA (Sakura G board) β’ SW: 2-shares AES SBOX with the bitslice secure scheme in [JS17] implementation following Barthe et-al. [BDF+17] on an Atmel SAM4C16 (ARM Cortex-M4) SW HW β’ Lecroy WaveRunner (12bit), β’ Picoscope 5244B (quant. 12bit) + β’ Tektronix CT1 + res. (1 Ξ© to 39 Ξ© ), β’ Sakura G β s preamp benchtop PSU β’ low-noise res. (0 to 20 Ξ© ). β’ f clk = 100MHz β’ f clk = 4MHz β’ S R = 1GS/s β’ S R = 250MS/s (<- enough) β’ V DD from 1 to 1.55 V β’ V DD from 1 to 1.45 V β’ Removed - 2.2, 0.1 Β΅F Caps... β’ Commercial off-the-shelf devices β yet to be explored on ASICs/ specialized 13 devices
Motiva couplin Ext.- Test- Tes est-cases Concl. tion gs amp. cases HW SW β’ HW β S box-parallel design β’ SW - serial ο nicer to interprate ... β’ Conceptually SW will be more sensitive due to a shared power-grid 1 4
Motiva couplin Ext.- Test- Is Is the the pr proble lem concrete? Concl. tion gs amp. cases Software implementation ( u C) β ARM32 bit (ATMEGA) Model/Simulation Measurement ( u C) No ampl. 1ohm 1.4 | 1.2V 1 5
Recommend
More recommend
