
Symbolic Approach for Side-Channel Resistance Analysis of Masked - PowerPoint PPT Presentation

Introduction / Motivation, Symbolic Method, Experiments, Conclusion. Symbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes. Workshop PROOFS. Inès Ben El Ouahma, Quentin Meunier, Karine Heydemann, Emmanuelle Encrenaz


  1. Symbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes. Workshop PROOFS. Inès Ben El Ouahma, Quentin Meunier, Karine Heydemann, Emmanuelle Encrenaz. Sorbonne Universités, UPMC Univ Paris 06, UMR 7606, LIP6, F-75005, Paris, France. September 29th, 2017, Taipei, Taiwan.

  2. (1) Introduction / Motivation, (2) Symbolic Method, (3) Experiments, (4) Conclusion

  3. Side-Channel Attacks
     [Figure: side channels for key recovery. Measurements of execution time, EM emission and power consumption feed a statistical analysis.]

  4. The Masking Countermeasure
     - Aim: observation of d intermediate computations cannot reveal the secret x ⇒ d-th order masking
     - Splits a secret x in d+1 shares using random uniform variables called masks
     - Operation-dependent, i.e. boolean masking: x ⊕ m
     - At software level, usually added in the source code (easy to identify secret variables)

     Problems
     - Need to ensure that a masked program is leakage free in practice
     - Compilation flow and optimizations (reordering, removal...) may affect masking effectiveness

  5. Masked Programs Security: Existing Formal Verifications
     - [Bayrak,CHES13] SAT verification of sensitivity: an operation on a secret must involve a random variable which is not a don't care variable (i.e. it affects the result)
       - ✓ Low level: LLVM programs
       - × Security property not sufficient
     - [Eldib,TACAS14] SMT verification of perfect masking, i.e. statistical independence of intermediate computations from secrets
       - ✓ Strong security property
       - × C level & bit-blasted programs (could be applied to low level)
       - × Lack of scalability (combinatorial blow-up of the enumeration)
     - [Barthe,Eurocrypt15] t-non-interference: joint probability distribution of any t intermediate expressions is independent from secrets
       - ✓ Strong security property
       - ✓ Good scalability
       - × Cannot conclude for some cases

  6. Our Goal
     To verify side channel resistance:
     - Of 1st order masked programs
     - At assembly level
     - In the value-based model: instruction result leaks
     - Considering that: leakage-free instruction ⇔ result is statistically independent from secrets
     - With a symbolic approach that infers the distribution type of instruction expressions

  7. Plan: (1) Introduction / Motivation, (2) Symbolic Method, (3) Experiments, (4) Conclusion

  8. Verification Scheme

     ```
     # r0 ← k ; r1 ← m1; r2 ← m2; r3 ← m3
     eor r4, r0, r1   # i1: k ⊕ m1
     eor r5, r0, r2   # i2: k ⊕ m2
     and r5, r5, r3   # i3: (k ⊕ m2) & m3
     and r5, r5, r4   # i4: (k ⊕ m1) & ((k ⊕ m2) & m3)
     ```

     Is the root distribution statistically independent from k?
     - Inputs tagged with a distribution type
     - Bottom-up combination of distribution types using defined inference rules

     [Figure: data dependency graph of the last instruction. Leaves: k (secret), m1, m2, m3 (masks); internal nodes: ⊕, ⊕, &, &.]

  9. Symbolic Approach
     4 distribution types for variables and expressions:
     - Random Uniform Distribution (RUD)
     - Unknown Distribution (UKD)
     - Constant (CST)
     - (Statistically) Independent from Secrets Distribution (ISD): not necessarily uniform but identical for all values of the secrets.

     Example with k: secret; m1, m2: masks; e = (k ⊕ m1) & m2; e' = (k ⊕ m1) & m1

     | k | m1 | m2 | e | e' |
     |---|----|----|---|----|
     | 0 | 0  | 0  | 0 | 0  |
     | 0 | 0  | 1  | 0 | 0  |
     | 0 | 1  | 0  | 0 | 1  |
     | 0 | 1  | 1  | 1 | 1  |
     | 1 | 0  | 0  | 0 | 0  |
     | 1 | 0  | 1  | 1 | 0  |
     | 1 | 1  | 0  | 0 | 0  |
     | 1 | 1  | 1  | 0 | 0  |

     - k = 0: P(e=0) = 3/4, P(e=1) = 1/4; P(e'=0) = 1/2, P(e'=1) = 1/2
     - k = 1: P(e=0) = 3/4, P(e=1) = 1/4; P(e'=0) = 1, P(e'=1) = 0

  10. Independence Notions
     Which distribution types assert that an expression is statistically independent from secrets?

     Dependence between expression e and variable v:
     - structural ⇒ v appears in e
     - statistical ⇒ the distribution of the result of e depends on v

     ⇒ Need to keep track of structural dependencies: (k ⊕ m) & m

     Safe types:
     - e ∼ RUD
     - e ∼ ISD
     - e ∼ UKD with no structural dependency on any secret

     Unsafe type:
     - e ∼ UKD{dep} with structural dependency on some secret variable: dep ∩ S ≠ ∅

  11. Dominant Masks
     Aim: to find a mask that randomizes the whole expression

     Dom Rule:
     - expression e = e' ⊕ m or e = e' + m mod 2^n
     - m ∼ RUD{m}
     - m ∉ dep(e')

     ⇒ e ∼ RUD and m is a dominant mask of e.

     2 sets of dominant masks:
     - dom⊕(e): the set of xor dominant masks of e
     - dom+(e): the set of additive dominant masks of e

     Examples:
     - dom⊕((k + m1) ⊕ (k ⊕ m1 ⊕ m2)) = m2
     - dom+((k + m1) ⊕ 0) = dom+(k + m1) = m1

  12. Other Inference Rules
     By distribution types:
     - Set of rules for ⊕, + mod 2^n
     - Set of rules for AND and OR

     Disjoint rule for binary operators:
     - u ∼ ISD{dep0} and v ∼ ISD{dep1}
     - No masks in common: dep0 ∩ dep1 ∩ M = ∅

     ⇒ (u op v) ∼ ISD{dep0 ∪ dep1} for every binary operation op

     More details in the paper.

  13. Running Example
     Type inference for the last instruction i4: (k ⊕ m1) & ((k ⊕ m2) & m3)

     Types inferred bottom-up on the data dependency graph:
     - Leaves: k ∼ UKD{k}, m1 ∼ RUD{m1}, m2 ∼ RUD{m2}, m3 ∼ RUD{m3}
     - k ⊕ m1 ∼ RUD{k, m1}
     - k ⊕ m2 ∼ RUD{k, m2}
     - (k ⊕ m2) & m3 ∼ ISD{k, m2, m3}
     - Root (k ⊕ m1) & ((k ⊕ m2) & m3) ∼ ISD{k, m1, m2, m3}

     ⇒ i4 is statistically independent from k

  14. Bit Level Analysis
     When no conclusion is possible at word level ⇒ split the expression e into several expressions e_n ... e_2 e_1 e_0 at bit level.
     - case 1: e_i ∼ RUD and different dominant mask for each e_i
     - case 2: Deduplicated ISD bit and concatenation with CST bits
     - case 3: Concatenation of an ISD bit with CST bits

     Example from mix columns in AES:
     - e = (LSR(mt1 ⊕ mp ⊕ sbox5, 7) ⊕ LSR(mt2 ⊕ mp ⊕ sbox10, 7)) + ((LSR(mt1 ⊕ mp ⊕ sbox5, 7) ⊕ LSR(mt2 ⊕ mp ⊕ sbox10, 7)) ≪ 1)
     - b_7 = mt1_7 ⊕ mp_7 ⊕ sbox5_7 ⊕ mt2_7 ⊕ mp_7 ⊕ sbox10_7
     - e ⇒ 0000 00 b_7 b_7 ⇒ ISD

  15. Plan: (1) Introduction / Motivation, (2) Symbolic Method, (3) Experiments, (4) Conclusion

  16. Comparison with Two Methods
     - Our method: distribution type inference implemented in Python
     - C-enumerative: generates a C program that computes the expression distribution by enumerating on all variable values
       - returns: RUD, ISD or vulnerable
     - SMT-enumerative: extends Eldib et al.'s approach for n-bit variables (generates an SMT problem that searches for two values of a secret for which the expression distribution is different)
       - returns: ISD or vulnerable

  17. Benchmarks

     | Program | # ASM inst | Size in bits | # masks | # secrets | Secure in literature |
     |---|---|---|---|---|---|
     | *Boolean programs for comparison with SMT* | | | | | |
     | P6 [Eldib,TACAS14] | 8 | 1 | 3 | 3 | × |
     | Masked Chi [Eldib,TACAS14] | 8 | 1 | 2 | 3 | ✓ |
     | *Algorithms for switching between boolean and arithmetic maskings* | | | | | |
     | Goubin Conversion [Goubin01] | 8 | 4 | 2 | 1 | ✓ |
     | Coron Conversion [Coron15] | 37 | 4 | 3 | 1 | ✓ |
     | *Cryptographic algorithms* | | | | | |
     | Masked AES 1st round [Herbst06] | 422 | 8 | 6 | 16 + 16 | ✓ |
     | Simon TI 1st round [Shahverdi17] | 15 | 32 | 5 | 3 + 2 | ✓ |

  18. Experimental Comparison

     | Program | Ref (enumeration) # RUD | Ref # ISD | Ref # Vuln | Symbolic # RUD | Symbolic # ISD | Symbolic # UKD | Symbolic # CST |
     |---|---|---|---|---|---|---|---|
     | P6 | 6 | 2 | 0 | 6 | 2 | 0 | 0 |
     | Masked Chi | 2 | 2 | 4 | 2 | 2 | 4 | 0 |
     | Goubin Conversion | 7 | 1 | 0 | 5 | 0 | 3 | 0 |
     | Coron Conversion | 19 | 11 | 7 | 14 | 10 | 13 | 0 |
     | Masked AES 1st round | - | - | - | 302 | 0 | 0 | 120 |
     | Simon TI 1st round | - | - | - | 7 | 4 | 3 | 1 |

     - Enumeration methods ⇒ sound, complete but not applicable on AES/Simon
     - Symbolic method ⇒ sound ({Vuln} ⊆ {UKD}) but not complete

  19. Verification Time

     | Program | Symbolic time | Enum C time | SMT time |
     |---|---|---|---|
     | P6 | < 1s | < 1s | < 1s |
     | Masked Chi | < 1s | < 1s | < 1s |
     | Goubin Conversion | < 1s | < 1s | 35mn |
     | Coron Conversion | 2s | 1s | 5,6h |
     | Masked AES 1st round | 22s | - | - |
     | Simon TI 1st round | 8.5s | - | - |

     - C-enumeration ⇒ fast but only for small programs
     - SMT-enumeration ⇒ can be long even for small programs
     - Symbolic method ⇒ better scalability
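
The type inference of slides 8 to 13 next to the enumerative reference check of slide 16, as an added example that is not the authors' tool. It assumes 1-bit variables, handles only ⊕ and & (no CST type, no additive rules), and treats RUD as a special case of ISD in the disjoint rule, as the running example does; all function and variable names are chosen for this sketch.

```python
from itertools import product

SECRETS, MASKS = {"k"}, {"m1", "m2", "m3"}  # assumed variable names

def V(n): return ("var", n)
def X(a, b): return ("xor", a, b)
def A(a, b): return ("and", a, b)

def infer(e):
    """Return (type, dep, dom): distribution type, structural deps, xor-dominant masks."""
    if e[0] == "var":
        n = e[1]
        return ("RUD", {n}, {n}) if n in MASKS else ("UKD", {n}, set())
    (ta, da, ma), (tb, db, mb) = infer(e[1]), infer(e[2])
    dep = da | db
    if e[0] == "xor":
        # Dom rule: a mask stays dominant if the other operand does not depend on it.
        dom = (ma - db) | (mb - da)
        if dom:
            return ("RUD", dep, dom)
    # Disjoint rule: both operands secret-independent and no mask in common.
    if {ta, tb} <= {"RUD", "ISD"} and not (da & db & MASKS):
        return ("ISD", dep, set())
    return ("UKD", dep, set())

def is_safe(e):
    """Safe types: RUD, ISD, or UKD without structural dependency on a secret."""
    t, dep, _ = infer(e)
    return t in ("RUD", "ISD") or not (dep & SECRETS)

def evaluate(e, env):
    if e[0] == "var":
        return env[e[1]]
    a, b = evaluate(e[1], env), evaluate(e[2], env)
    return a ^ b if e[0] == "xor" else a & b

def leaks_by_enumeration(e):
    """Reference check: does the output distribution change with the secret value?"""
    masks = sorted(infer(e)[1] & MASKS)
    dists = set()
    for k in (0, 1):
        counts = [0, 0]
        for vals in product((0, 1), repeat=len(masks)):
            counts[evaluate(e, {"k": k, **dict(zip(masks, vals))})] += 1
        dists.add(tuple(counts))
    return len(dists) > 1

k, m1, m2, m3 = V("k"), V("m1"), V("m2"), V("m3")
I4 = A(X(k, m1), A(X(k, m2), m3))  # running example, instruction i4
E = A(X(k, m1), m2)                # e  from slide 9
E_PRIME = A(X(k, m1), m1)          # e' from slide 9: shared mask, typed UKD
```

`E_PRIME` is the case where the symbolic result is only UKD{k, m1}; the enumeration confirms that this particular expression really does leak.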
