side channel masking with pseudo random generator
play

Side-channel Masking with Pseudo-Random Generator Eurocrypt 2020 - PowerPoint PPT Presentation

Feb 04, 2024 •359 likes •848 views

Side-channel Masking with Pseudo-Random Generator Eurocrypt 2020 Jean-Sbastien Coron Aurlien Greuet Rina Zeitoun University of Luxembourg & IDEMIA 11/05/2020 Jean-Sbastien Coron, Aurlien Greuet, Rina Zeitoun Side-channel Masking

  1. Side-channel Masking with Pseudo-Random Generator Eurocrypt 2020 Jean-Sébastien Coron Aurélien Greuet Rina Zeitoun University of Luxembourg & IDEMIA 11/05/2020 Jean-Sébastien Coron, Aurélien Greuet, Rina Zeitoun Side-channel Masking with Pseudo-Random Generator

  2. Motivation: side-channel attacks High-order masking : randomness cost Number of randoms is high: can become a bottleneck Our goal: minimize number of calls to TRNG and remain secure in the probing model t = 2 t = 3 t = 4 t = 5 t = 6 Rivain-Prouff [RP10] 2880 5760 9600 14400 20160 Belaïd et. al [BBP16] 2560 5120 8000 13120 18240 Faust et. al [FPS17] 1415 2530 6082 6699 20712 This paper 48 108 192 300 432 Table: number of bytes of true randomness to get t -th order security for AES. Jean-Sébastien Coron, Aurélien Greuet, Rina Zeitoun Side-channel Masking with Pseudo-Random Generator

  3. Motivation: side-channel attacks High-order masking : randomness cost Number of randoms is high: can become a bottleneck Our goal: minimize number of calls to TRNG and remain secure in the probing model t = 2 t = 3 t = 4 t = 5 t = 6 Rivain-Prouff [RP10] 2880 5760 9600 14400 20160 Belaïd et. al [BBP16] 2560 5120 8000 13120 18240 Faust et. al [FPS17] 1415 2530 6082 6699 20712 This paper 48 108 192 300 432 Table: number of bytes of true randomness to get t -th order security for AES. Jean-Sébastien Coron, Aurélien Greuet, Rina Zeitoun Side-channel Masking with Pseudo-Random Generator

  4. Side-Channel attacks Jean-Sébastien Coron, Aurélien Greuet, Rina Zeitoun Side-channel Masking with Pseudo-Random Generator

  5. Differential Power Analysis [KJJ99] Group by predicted SBox output bit Average trace 111 Differential trace 000 Jean-Sébastien Coron, Aurélien Greuet, Rina Zeitoun Side-channel Masking with Pseudo-Random Generator

  6. Countermeasure Masking countermeasure Let x be a sensitive variable: Generate a random r (different for each execution) x ′ = x ⊕ r Mask x using r : Manipulate x ′ (instead of x ) and r independently r is random ⇒ x ′ is random ⇒ no information on x leaks True only in case of one leakage point ☞ Jean-Sébastien Coron, Aurélien Greuet, Rina Zeitoun Side-channel Masking with Pseudo-Random Generator

  7. Countermeasure Masking countermeasure Let x be a sensitive variable: Generate a random r (different for each execution) x ′ = x ⊕ r Mask x using r : Manipulate x ′ (instead of x ) and r independently r is random ⇒ x ′ is random ⇒ no information on x leaks True only in case of one leakage point ☞ Jean-Sébastien Coron, Aurélien Greuet, Rina Zeitoun Side-channel Masking with Pseudo-Random Generator

  8. Countermeasure Masking countermeasure Let x be a sensitive variable: Generate a random r (different for each execution) x ′ = x ⊕ r Mask x using r : Manipulate x ′ (instead of x ) and r independently r is random ⇒ x ′ is random ⇒ no information on x leaks True only in case of one leakage point ☞ Jean-Sébastien Coron, Aurélien Greuet, Rina Zeitoun Side-channel Masking with Pseudo-Random Generator

  9. Differential Power Analysis (second-order) Manipulation of x ′ = x ⊕ r E ( x ′ ) E ( r ) f ( E ( x ′ ) , E ( r )) correlated with x = x ′ ⊕ r Second-order attack requires more curves but can be practical Jean-Sébastien Coron, Aurélien Greuet, Rina Zeitoun Side-channel Masking with Pseudo-Random Generator

  10. Solution: Higher-Order Boolean Masking Basic principle Each sensitive variable x is shared into n variables: x = x 1 ⊕ x 2 ⊕ · · · ⊕ x n Generate n − 1 random variables x 1 , x 2 , . . ., x n − 1 Initially let x n = x ⊕ x 1 ⊕ x 2 ⊕ · · · ⊕ x n − 1 Security against DPA attack of order n − 1 Any subset of n − 1 shares is uniformly and independently distributed ⇒ If we probe at most n − 1 shares x i , we learn nothing about x Jean-Sébastien Coron, Aurélien Greuet, Rina Zeitoun Side-channel Masking with Pseudo-Random Generator

  11. Solution: Higher-Order Boolean Masking Basic principle Each sensitive variable x is shared into n variables: x = x 1 ⊕ x 2 ⊕ · · · ⊕ x n Generate n − 1 random variables x 1 , x 2 , . . ., x n − 1 Initially let x n = x ⊕ x 1 ⊕ x 2 ⊕ · · · ⊕ x n − 1 Security against DPA attack of order n − 1 Any subset of n − 1 shares is uniformly and independently distributed ⇒ If we probe at most n − 1 shares x i , we learn nothing about x Jean-Sébastien Coron, Aurélien Greuet, Rina Zeitoun Side-channel Masking with Pseudo-Random Generator

  12. ISW Security Model Proof of security in the Probing Model [ISW03]: ( x 1 , x 2 , . . ., x n ) m t probes Sim Block cipher c Show that any t < n probes can be perfectly simulated from at most n − 1 of the x i ’s. Those n − 1 shares x i are uniformly and independently distributed. ⇒ The adversary learns nothing from the t probes Jean-Sébastien Coron, Aurélien Greuet, Rina Zeitoun Side-channel Masking with Pseudo-Random Generator

  13. ISW Security Model Proof of security in the Probing Model [ISW03]: ( x 1 , x 2 , . . ., x n ) m t probes Sim Block cipher c Show that any t < n probes can be perfectly simulated from at most n − 1 of the x i ’s. Those n − 1 shares x i are uniformly and independently distributed. ⇒ The adversary learns nothing from the t probes Jean-Sébastien Coron, Aurélien Greuet, Rina Zeitoun Side-channel Masking with Pseudo-Random Generator

  14. Linear Operations Computation of a ⊕ b Inputs: ( a i ) i and ( b i ) i such that a 1 ⊕ a 2 ⊕ · · · ⊕ a n = a b 1 ⊕ b 2 ⊕ · · · ⊕ b n = b Output: ( c i ) i such that ( a 1 ⊕ b 1 ) ⊕ ( a 2 ⊕ b 2 ) ⊕ · · · ⊕ ( a n ⊕ b n ) = a ⊕ b ⇒ c 1 ⊕ c 2 ⊕ · · · ⊕ c n = a ⊕ b Computation of a 2 in F 2 k Inputs: ( a i ) i such that a 1 ⊕ a 2 ⊕ · · · ⊕ a n = a Output: ( c i ) i such that ( a 2 1 ) ⊕ ( a 2 2 ) ⊕ · · · ⊕ ( a 2 n ) = a 2 ⇒ c 1 ⊕ c 2 ⊕ · · · ⊕ c n = a 2 Jean-Sébastien Coron, Aurélien Greuet, Rina Zeitoun Side-channel Masking with Pseudo-Random Generator

  15. Linear Operations Computation of a ⊕ b Inputs: ( a i ) i and ( b i ) i such that a 1 ⊕ a 2 ⊕ · · · ⊕ a n = a b 1 ⊕ b 2 ⊕ · · · ⊕ b n = b Output: ( c i ) i such that ( a 1 ⊕ b 1 ) ⊕ ( a 2 ⊕ b 2 ) ⊕ · · · ⊕ ( a n ⊕ b n ) = a ⊕ b ⇒ c 1 ⊕ c 2 ⊕ · · · ⊕ c n = a ⊕ b Computation of a 2 in F 2 k Inputs: ( a i ) i such that a 1 ⊕ a 2 ⊕ · · · ⊕ a n = a Output: ( c i ) i such that ( a 2 1 ) ⊕ ( a 2 2 ) ⊕ · · · ⊕ ( a 2 n ) = a 2 ⇒ c 1 ⊕ c 2 ⊕ · · · ⊕ c n = a 2 Jean-Sébastien Coron, Aurélien Greuet, Rina Zeitoun Side-channel Masking with Pseudo-Random Generator

  16. Secure Multiplication in High-Order Masking Schemes Secure Computation of a × b Inputs: ( a i ) i and ( b i ) i such that a 1 ⊕ a 2 ⊕ · · · ⊕ a n = a b 1 ⊕ b 2 ⊕ · · · ⊕ b n = b Output: ( c i ) i such that c 1 ⊕ c 2 ⊕ c 2 ⊕ · · · ⊕ c n = a × b Ishai-Sahai-Wagner private circuit [ISW03] Secure against t probes for n = 2 t + 1 shares. Number of operations: O( t 2 ) Requires O( t 2 ) randoms per multiplication. Jean-Sébastien Coron, Aurélien Greuet, Rina Zeitoun Side-channel Masking with Pseudo-Random Generator

  17. Secure Multiplication in High-Order Masking Schemes Secure Computation of a × b Inputs: ( a i ) i and ( b i ) i such that a 1 ⊕ a 2 ⊕ · · · ⊕ a n = a b 1 ⊕ b 2 ⊕ · · · ⊕ b n = b Output: ( c i ) i such that c 1 ⊕ c 2 ⊕ c 2 ⊕ · · · ⊕ c n = a × b Ishai-Sahai-Wagner private circuit [ISW03] Secure against t probes for n = 2 t + 1 shares. Number of operations: O( t 2 ) Requires O( t 2 ) randoms per multiplication. Jean-Sébastien Coron, Aurélien Greuet, Rina Zeitoun Side-channel Masking with Pseudo-Random Generator

  18. Ishai-Sahai-Wagner (ISW) Scheme Decomposition of the c i �� � �� � � � c i = a i b i a i b j = i i i i , j Example for n = 3 ☞ For n shares: requires n ( n − 1 )/ 2 fresh random values Jean-Sébastien Coron, Aurélien Greuet, Rina Zeitoun Side-channel Masking with Pseudo-Random Generator

  19. Ishai-Sahai-Wagner (ISW) Scheme Decomposition of the c i �� � �� � � � c i = a i b i a i b j = i i i i , j Example for n = 3 � � a 1 b 1 a 1 b 2 a 1 b 3 � � � � a 2 b 1 a 2 b 2 a 2 b 3 � � a 3 b 1 a 3 b 2 a 3 b 3 ☞ For n shares: requires n ( n − 1 )/ 2 fresh random values Jean-Sébastien Coron, Aurélien Greuet, Rina Zeitoun Side-channel Masking with Pseudo-Random Generator

  20. Ishai-Sahai-Wagner (ISW) Scheme Decomposition of the c i �� � �� � � � c i = a i b i a i b j = i i i i , j Example for n = 3 � � a 1 b 1 a 1 b 2 a 1 b 3 → c 1 � � � � → c 2 a 2 b 1 a 2 b 2 a 2 b 3 → c 3 � � a 3 b 1 a 3 b 2 a 3 b 3 ☞ For n shares: requires n ( n − 1 )/ 2 fresh random values Jean-Sébastien Coron, Aurélien Greuet, Rina Zeitoun Side-channel Masking with Pseudo-Random Generator

  21. Ishai-Sahai-Wagner (ISW) Scheme Decomposition of the c i �� � �� � � � c i = a i b i a i b j = i i i i , j Example for n = 3 � � a 1 b 1 a 1 b 2 a 1 b 3 → c 1 � � � � → c 2 a 2 b 1 a 2 b 2 a 2 b 3 → c 3 � � a 3 b 1 a 3 b 2 a 3 b 3 ☞ For n shares: requires n ( n − 1 )/ 2 fresh random values Jean-Sébastien Coron, Aurélien Greuet, Rina Zeitoun Side-channel Masking with Pseudo-Random Generator

Recommend

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer FSE 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

635 views • 30 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer ESC 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

476 views • 33 slides
Cryptographic Secure Pseudo-Random Bits Generation : The Blum-Blum-Shub Generator Pascal Junod

Cryptographic Secure Pseudo-Random Bits Generation : The Blum-Blum-Shub Generator Pascal Junod

Cryptographic Secure Pseudo-Random Bits Generation : The Blum-Blum-Shub Generator Pascal Junod August 1999 Contents 1 Introduction 3 2 Concept of Pseudo-Random Bit Generator 4 3 The Blum-Blum-Shub Generator 7 3.1 Some number-theoretic

481 views • 21 slides
A Stochastic Approach in Side-Channel Analysis in the Presence of Masking W. Schindler Bundesamt

A Stochastic Approach in Side-Channel Analysis in the Presence of Masking W. Schindler Bundesamt

FIRST TALK A Stochastic Approach in Side-Channel Analysis in the Presence of Masking W. Schindler Bundesamt f r Sicherheit in der Informationstechnik (BSI), Bonn, Germany Barcelona, May 22, 2007 Power attacks on a block cipher

1.13k views • 13 slides
Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

8 + Introduction Higher Order Masking Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved Scheme Experimental Results J.-S. Coron 1 E. Prouff 2 M. Rivain 1 , 2 Conclusion 1 University of

555 views • 43 slides
Masking against Side-Channel Attacks: a Formal Security Proof Matthieu Rivain Joint work with

Masking against Side-Channel Attacks: a Formal Security Proof Matthieu Rivain Joint work with

Masking against Side-Channel Attacks: a Formal Security Proof Matthieu Rivain Joint work with Emmanuel Prouff EUROCRYPT 2013 May 27th Outline 1 Introduction and Previous Works 2 Our Contribution 3 Model of Leaking Computation 4

526 views • 36 slides
and an Application to Masking in Hardware Gatan Cassiers, Franois-Xavier Standaert UCLouvain

and an Application to Masking in Hardware Gatan Cassiers, Franois-Xavier Standaert UCLouvain

From Trivial Composition to Full Verification and an Application to Masking in Hardware Gatan Cassiers, Franois-Xavier Standaert UCLouvain (Belgium) VeriSiCC Seminar, Paris, France, September 2019 Side-Channel Analysis Side-Channel

1.48k views • 74 slides
How to mask S-Boxes of a block cipher against side channel attacks. Focus on the AES. Micha el

How to mask S-Boxes of a block cipher against side channel attacks. Focus on the AES. Micha el

Introduction Masking based on Look-up tables How to mask (additively) basic operations? Method based on multiplicative masking Method based on Square and Multiply and addition chains Method based on the tower field representation

824 views • 54 slides
Random Numbers RANDOM VS PSEUDO RANDOM Truly Random numbers From Wolfram: A random number

Random Numbers RANDOM VS PSEUDO RANDOM Truly Random numbers From Wolfram: A random number

Random Numbers RANDOM VS PSEUDO RANDOM Truly Random numbers From Wolfram: A random number is a number chosen as if by chance from some specified distribution such that selection of a large set of these numbers reproduces the underlying

720 views • 12 slides
Hardware Random Recoding Redundant Representations of Numbers, Side Channel Analysis, Elliptic

Hardware Random Recoding Redundant Representations of Numbers, Side Channel Analysis, Elliptic

Hardware Random Recoding Redundant Representations of Numbers, Side Channel Analysis, Elliptic Curve Cryptography Thomas Chabrier, Danuta Pamula, Arnaud Tisserand IRISA Laboratory, CAIRN Research Team 1/20 Plan Context Redundant

512 views • 20 slides
Pseudo-random Functions Debdeep Mukhopadhyay IIT Kharagpur We have seen the construction of

Pseudo-random Functions Debdeep Mukhopadhyay IIT Kharagpur We have seen the construction of

Pseudo-random Functions Debdeep Mukhopadhyay IIT Kharagpur We have seen the construction of PRG (pseudo-random generators) being constructed from any one-way functions. Now we shall consider a related concept: Pseudo-random

829 views • 15 slides
Practical Seed-Recovery for the PCG Pseudo-Random Number Generator Charles Bouillaguet, Florette

Practical Seed-Recovery for the PCG Pseudo-Random Number Generator Charles Bouillaguet, Florette

Practical Seed-Recovery for the PCG Pseudo-Random Number Generator Charles Bouillaguet, Florette Martinez and Julia Sauvage November 2, 2020 Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 1 / 31 Introduction

533 views • 52 slides
Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso,

Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso,

Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso, Franois-Xavier Standaert Radbout University Nijmegen (The Netherlands), UCL (Belgium) EUROCRYPT 2018, Tel Aviv, Israel Motivation (side-channel security

775 views • 52 slides
Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1 ebastien Coron 2

Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1 ebastien Coron 2

Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1 ebastien Coron 2 Rina Zeitoun 1 Jean-S 1 IDEMIA, France 2 University of Luxembourg CHES 2018 Side-channel Attacks Differential Power Analysis [KJJ99] Group by

620 views • 47 slides
BK4047B 20 MHz Dual Channel Function/Arbitrary Waveform Generator BK4047B 20 MHz Dual Channel

BK4047B 20 MHz Dual Channel Function/Arbitrary Waveform Generator BK4047B 20 MHz Dual Channel

BK4047B 20 MHz Dual Channel Function/Arbitrary Waveform Generator BK4047B 20 MHz Dual Channel Function/Arbitrary Waveform Generator Overview Dual-channel operation with each channel providing the rated amplitude (10 Vpp) Sine and square

469 views • 10 slides
Consolidating Security Notions in Hardware Masking CHES 2019 Lauren De Meyer, Begl Bilgin,

Consolidating Security Notions in Hardware Masking CHES 2019 Lauren De Meyer, Begl Bilgin,

Consolidating Security Notions in Hardware Masking CHES 2019 Lauren De Meyer, Begl Bilgin, Oscar Reparaz P ROBLEM : SIDE - CHANNEL ANALYSIS S OLUTION : M ASKING P ROBING MODEL [ISW03] Adversary can probe up to intermediate values

885 views • 34 slides
+ Side Channel and Covert Channel A1acks on Microkernel

+ Side Channel and Covert Channel A1acks on Microkernel

+ Side Channel and Covert Channel A1acks on Microkernel Architectures WAMOS 2015 Advanced Opera3ng Systems Hochschule RheinMain Alexander Baumgrtner and

539 views • 25 slides
Multiplicative Masking for AES in Hardware CHES 2018 Lauren De Meyer, Oscar Reparaz, Begl

Multiplicative Masking for AES in Hardware CHES 2018 Lauren De Meyer, Oscar Reparaz, Begl

Multiplicative Masking for AES in Hardware CHES 2018 Lauren De Meyer, Oscar Reparaz, Begl Bilgin P ROBLEM : SIDE - CHANNEL ANALYSIS 2 S OLUTION : M ASKING 3 E XTRA P ROBLEM : G LITCHES ! 4 B OOLEAN M ASKING ! = # $ , # &amp; , , # (

473 views • 43 slides
Introduction to Pseudo-Random Number Generators Nicola Gigante March 9, 2016 Why random

Introduction to Pseudo-Random Number Generators Nicola Gigante March 9, 2016 Why random

Introduction to Pseudo-Random Number Generators Nicola Gigante March 9, 2016 Why random numbers? Lifes most important questions are, for the most part, nothing but probability problems. Pierre-Simon de Laplace 2 Why random numbers?

684 views • 55 slides
Introduction to Pseudo-Random Number Generators Nicola Gigante December 21, 2016 Why random

Introduction to Pseudo-Random Number Generators Nicola Gigante December 21, 2016 Why random

Introduction to Pseudo-Random Number Generators Nicola Gigante December 21, 2016 Why random numbers? Lifes most important questions are, for the most part, nothing but probability problems. Pierre-Simon de Laplace 2 Why random numbers?

1.37k views • 63 slides
Analysis of the Linux Random Number Generator Patrick Lacharme, Andrea R ock, Vincent Stubel,

Analysis of the Linux Random Number Generator Patrick Lacharme, Andrea R ock, Vincent Stubel,

Analysis of the Linux Random Number Generator Patrick Lacharme, Andrea R ock, Vincent Stubel, Marion Videau October 23, 2009 - Rennes Outline Random Number Generators The Linux Random Number Generator Building Blocks Entropy Estimation

681 views • 55 slides
Random Numbers, Files, and Onwards Random Numbers Computers cannot produce truly random numbers.

Random Numbers, Files, and Onwards Random Numbers Computers cannot produce truly random numbers.

Random Numbers, Files, and Onwards Random Numbers Computers cannot produce truly random numbers. We make do with pseudo-random numbers, which are good enough. The pseudo-random generation algorithm is given a seed value. The same seed will always

331 views • 12 slides
FIDES: Lightweight Authentication Cipher with Side-Channel Resistance for Constrained Hardware

FIDES: Lightweight Authentication Cipher with Side-Channel Resistance for Constrained Hardware

FIDES: Lightweight Authentication Cipher with Side-Channel Resistance for Constrained Hardware Begl Bilgin, Andrey Bogdanov, Miroslav Kne evi , Florian Mendel, and Qingju Wang 1 DIAC 2013, Chicago Side Channel Resistance 2 Side

1.29k views • 76 slides
Pseudo-Random Generators Computer programming (e.g. randomized algorithm) Elementary and

Pseudo-Random Generators Computer programming (e.g. randomized algorithm) Elementary and

Why do we need random numbers? Simulation Sampling Numerical analysis Pseudo-Random Generators Computer programming (e.g. randomized algorithm) Elementary and critical element in many cryptographic protocols Usually:

157 views • 5 slides

More recommend