very high order masking efficient
play

Very High-Order Masking: Efficient Implementation and Security - PowerPoint PPT Presentation

Jul 03, 2023 •118 likes •614 views

Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and Franois-Xavier Standaert UCL (Louvain-la-Neuve, Belgium) CHES 2017, Taipei, Taiwan Outline Background Masking Barthe et al. masking

  1. Very High-Order Masking: Efficient Implementation and Security Evaluation Anthony Journault and François-Xavier Standaert UCL (Louvain-la-Neuve, Belgium) CHES 2017, Taipei, Taiwan

  2. Outline • Background  Masking  Barthe et al. masking scheme • How fast can be very high-order masking ?  Data representation  AES results and discussion • How can we evaluate security at very high order ?  Limitation of leakage detection strategy  Multi-model approach • Conclusion/Open problems

  3. Outline • Background  Masking  Barthe et al. masking scheme • How fast can be very high-order masking ?  Data representation  AES results and discussion • How can we evaluate security at very high order ?  Limitation of leakage detection strategy  Multi-model approach • Conclusion/Open problems

  4. Masking 1 • Masking (e.g. Boolean encoding) 𝑏 = 𝑏 1 ⨁𝑏 2 ⨁ ⋯ ⨁𝑏 𝑒 • With 𝑏 2 , ⋯ , 𝑏 𝑒 random

  5. Masking 1 • Masking (e.g. Boolean encoding) 𝑏 = 𝑏 1 ⨁𝑏 2 ⨁ ⋯ ⨁𝑏 𝑒 • With 𝑏 2 , ⋯ , 𝑏 𝑒 random • Abstract security  Probing model  Security order 𝑒 − 1 (at best)

  6. Masking 1 • Masking (e.g. Boolean encoding) 𝑏 = 𝑏 1 ⨁𝑏 2 ⨁ ⋯ ⨁𝑏 𝑒 • With 𝑏 2 , ⋯ , 𝑏 𝑒 random • Abstract security • Concrete security  Probing model  Noisy leakage  Security order model  𝑂 = (𝜏 2 ) 𝑒−1 𝑒 − 1 (at best) (under assumptions)

  7. Barthe et al. 2017 masking scheme 2 • Parallel masking scheme by design • All shares manipulated at once

  8. Barthe et al. 2017 masking scheme 2 • Parallel masking scheme by design • All shares manipulated at once • Example of mult. 𝑏 ∗ 𝑐 = 𝑑 for 𝑒 = 3 a b r a b a b r c 1 1 1 1 3 3 1 3 1      a b r a b a b r c 2 2 2 2 1 1 2 1 2 a b r a b a b r c 3 3 3 3 2 2 3 2 3

  9. Outline • Background  Masking  Barthe et al. masking scheme • How fast can be very high-order masking ?  Data representation  AES results and discussion • How can we evaluate security at very high order ?  Limitation of leakage detection strategy  Multi-model approach • Conclusion/Open problems

  10. Data representation and implementation 3 • 32-bit register ……… a30 a31 a32 a1 a2 a3 Secret bit + sum Random Random Random Random Random random bits bit bit bit bit bit

  11. Data representation and implementation 3 • 32-bit register ……… a30 a31 a32 a1 a2 a3 Secret bit + sum Random Random Random Random Random random bits bit bit bit bit bit • Use bitwise operators (XOR, AND, …)

  12. Data representation and implementation 3 • 32-bit register ……… a30 a31 a32 a1 a2 a3 Secret bit + sum Random Random Random Random Random random bits bit bit bit bit bit • Use bitwise operators (XOR, AND, …) • Implementation on 32-bit ARM • Optimal case: register size = nb of shares

  13. Data representation and implementation 3 • 32-bit register ……… a30 a31 a32 a1 a2 a3 Secret bit + sum Random Random Random Random Random random bits bit bit bit bit bit • Use bitwise operators (XOR, AND, …) • Implementation on 32-bit ARM • Optimal case: register size = nb of shares • Well suited for bitslice ciphers 

  14. Implementation Results: AES 4 • Application to AES • Gate level Time Spent (%) representation of AES S-box (Boyar, Randomness Peralta 2010) Non-linear op Linear op 10 cycles to generate 32-bit random value Total = 2 800 000 cycles

  15. Implementation Results: AES 4 • Application to AES • Gate level Time Spent (%) representation of AES S-box (Boyar, Randomness Peralta 2010) Non-linear op Linear op • SNI refreshing of one input of each multiplication 10 cycles to generate 32-bit random value (conservative) Total = 2 800 000 cycles

  16. Implementation Results: AES 4 • Application to AES • Gate level Time Spent (%) representation of AES S-box (Boyar, Randomness Peralta 2010) Non-linear op Linear op • SNI refreshing of one input of each multiplication 80 cycles to generate 32-bit random value (conservative) Total = 9 700 000 cycles

  17. Comparison with Goudarzi-Rivain 5 • Goudarzi-Rivain 2017: Generic ISW implementation and application to bitsliced AES Goudarzi-Rivain This paper 3,821,312 2,783,510

  18. Comparison with Goudarzi-Rivain 5 • Goudarzi-Rivain 2017: Generic ISW implementation and application to bitsliced AES Goudarzi-Rivain This paper 3,821,312 2,783,510 • Same order of magnitude of cycles • Very high-order masking is not out of reach !

  19. Outline • Background  Masking  Barthe et al. masking scheme • How fast can be very high-order masking ?  Data representation  AES results and discussion • How can we evaluate security at very high order ?  Limitation of leakage detection strategy  Multi-model approach • Conclusion/Open problems

  20. Limitations of leakage detection strategy 6 • Evaluator power = 2^30 • If security <= 2^30, security level • What if security > 2^30 ? • Security claims bounded by evaluator power

  21. Limitations of leakage detection strategy 6 • Evaluator power = 2^30 • If security <= 2^30, security level • What if security > 2^30 ? • Security claims bounded by evaluator power We expect 31th-security order (or 31/f-security order)

  22. Multi-Model Approach 7

  23. Multi-Model Approach 7 Probing model Abstract Qualitative Algorithmic security order d Risk captured: Lack of refreshing

  24. Multi-Model Approach 7 Bounded-Moment Probing model Model Abstract Physical Qualitative Qualitative Algorithmic security Physical security order order f d Risk captured: Risk captured: Lack of refreshing Share recombination

  25. Multi-Model Approach 7 Bounded-Moment Noisy Leakage Model Probing model Model Abstract Physical Physical Qualitative Qualitative Quantitative Algorithmic security Physical security Physical security order order order f MI , SNR d Risk captured: Risk captured: Risk captured: Lack of refreshing Share recombination Lack of noise

  26. Multi-Model Approach 7 Bounded-Moment Noisy Leakage Model Probing model Model Abstract Physical Physical Qualitative Qualitative Quantitative Algorithmic security Physical security Physical security order order order f MI , SNR d d + f + SNR + MI => Security level Risk captured: Risk captured: Risk captured: Lack of refreshing Share recombination Lack of noise

  27. Probing security (state of the art) 8 • 2 possible options:  Composable gadgets (SNI) o Simple to analyse o Implementation becomes expensive  Full code evaluation o Hard to analyse o Reduced implementation cost

  28. Bounded-Moment security 9

  29. Bounded-Moment security 9 • Leakage detection hard in practice with 32 shares

  30. Bounded-Moment security 9 • Leakage detection hard in practice with 32 shares • Idea similar to symmetric cryptanalysis: security based on reduced version • Leakage detection on small order (e.g. on 4 shares)

  31. Bounded-Moment security 9 • Leakage detection hard in practice with 32 shares • Idea similar to symmetric cryptanalysis: security based on reduced version • Leakage detection on small order (e.g. on 4 shares) • Extraction of a risk factor f from possible share recombination • Extrapolation of security

  32. Leakage detection results 10

  33. Leakage detection results 11

  34. Noisy Leakage Model 12 • SNR(=0,05) computed with linear regression • MI of the encoding • 31 / 15 / 7 -order security if flaw f = 1 / 2 / 4

  35. Noisy Leakage Model 12 • SNR(=0,05) computed with linear regression • MI of the encoding • 31 / 15 / 7 -order security if flaw f = 1 / 2 / 4

  36. Noisy Leakage Model 12 • SNR(=0,05) computed with linear regression • MI of the encoding • 31 / 15 / 7 -order security if flaw f = 1 / 2 / 4

  37. Noisy Leakage Model 12 • SNR(=0,05) computed with linear regression • MI of the encoding • 31 / 15 / 7 -order security if flaw f = 1 / 2 / 4 • Averaging: multiple apparition of sensitive values

  38. Putting things together 13

  39. Putting things together 13 Horizontal SCA

  40. Putting things together 13 Horizontal SCA Worst case

  41. Putting things together 13 Horizontal SCA Order reduction from flaw f Worst case Order reduction from noise

  42. Outline • Background  Masking  Barthe et al. masking scheme • How fast can be very high-order masking ?  Data representation  AES results and discussion • How can we evaluate security at very high order ?  Limitation of leakage detection strategy  Multi-model approach • Conclusion/Open problems

  43. Conclusion 14

  44. Conclusion 14 • Very high order (32 shares) implementation is not out of reach !

  45. Conclusion 14 • Very high order (32 shares) implementation is not out of reach ! • Multi-model approach proposed to evaluate very HO masked implementations ( security level )

  46. Conclusion 14 • Very high order (32 shares) implementation is not out of reach ! • Multi-model approach proposed to evaluate very HO masked implementations ( security level ) • Based on falsifiable assumptions

Recommend

High Order Masking of Look-up Tables with Common Shares J-S.Coron, F.Rondepierre, R.Zeitoun 12th

High Order Masking of Look-up Tables with Common Shares J-S.Coron, F.Rondepierre, R.Zeitoun 12th

High Order Masking of Look-up Tables with Common Shares J-S.Coron, F.Rondepierre, R.Zeitoun 12th September 2018 Outline Outline 1 Introduction 1st Order Solution Higher Order Masking of Look-Up Tables 2 Higher Order: Optimizations 12th

388 views • 35 slides
On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun Goudarzi and Matthieu Rivain CHES 2016, Santa-Barbara Higher-Order Masking x = x 1 + x 2 + + x d 2/28 Higher-Order Masking x = x 1 + x 2 +

855 views • 42 slides
Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1 ebastien Coron 2

Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1 ebastien Coron 2

Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1 ebastien Coron 2 Rina Zeitoun 1 Jean-S 1 IDEMIA, France 2 University of Luxembourg CHES 2018 Side-channel Attacks Differential Power Analysis [KJJ99] Group by

620 views • 47 slides
Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Introduction RSM: Rotating Sboxes Masking Information Theoretic Evaluation of RSM Security Evaluation of RSM against CPA and 2O-CPA Conclusions and Perspectives Formal Analysis of the Entropy / Security Trade-off in First-Order Masking

539 views • 38 slides
Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

8 + Introduction Higher Order Masking Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved Scheme Experimental Results J.-S. Coron 1 E. Prouff 2 M. Rivain 1 , 2 Conclusion 1 University of

555 views • 43 slides
Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts

Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts

Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts Oberthur CHES 2010, Santa Barbara, Aug. 20 th CHES 2010 Provably Secure Higher-Order Masking of AES Outline 1 Introduction Higher-Order

1.1k views • 77 slides
Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint work with C. Carlet, L. Goubin,

Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint work with C. Carlet, L. Goubin,

Higher-Order Masking Schemes for S-boxes Matthieu Rivain Joint work with C. Carlet, L. Goubin, E. Prouff and M. Quisquater FSE 2012 Washington DC, 21st March 2012 Higher-Order Masking Schemes for S-boxes Outline 1 Introduction 2

1.33k views • 98 slides
Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking Blandine

Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking Blandine

Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking Blandine Debraize Leuven, September 10th, 2012 I NTRODUCTION 1 K NOWN TABLE - BASED METHODS 2 C ORON -T CHULKINE METHOD N EISSE -P ULKUS METHOD 3 C

413 views • 28 slides
Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software

Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software

The signature The countermeasure and its proof Performances Future work Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software Institute) Sonia Belad (CryptoExperts) Thomas Espitau (UPMC) Pierre-Alain

1.04k views • 51 slides
Efficient high order and domain decomposition methods for the time-harmonic Maxwells equations

Efficient high order and domain decomposition methods for the time-harmonic Maxwells equations

Efficient high order and domain decomposition methods for the time-harmonic Maxwells equations Marcella Bonazzoli 1 , Victorita Dolean 1 , 4 , Ivan G. Graham 3 , Frdric Hecht 2 , Frdric Nataf 2 , Francesca Rapetti 1 , Euan A. Spence 3 ,

828 views • 44 slides
How Fast Can Higher-Order Masking Be in Software? Dahmun Goudarzi and Matthieu Rivain EUROCRYPT

How Fast Can Higher-Order Masking Be in Software? Dahmun Goudarzi and Matthieu Rivain EUROCRYPT

How Fast Can Higher-Order Masking Be in Software? Dahmun Goudarzi and Matthieu Rivain EUROCRYPT 2017, Paris 1 Introduction 2 Field Multiplications 3 Non-Linear Operations 4 Generic Polynomial Methods 5 Polynomial Methods for

873 views • 51 slides
Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on

Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on

Proposal to add masking function to GFM Proposal part 1 Adding a masking reference attribute on the spatial attribute type. Proposal part 2 Details of the masking attribute addition. Table 3-13 - S100_GF_SpatialAttributeType Role Name

558 views • 8 slides
Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan)

Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan)

Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan) 2017-09-29 1 quick intro to masking masking = countermeasure against DPA idea: secret sharing b = b 1 + b 2 individual shares tell you nothing

752 views • 45 slides
Low Randomness Masking and Shulfifgn: An Evaluation Using Mutual Information Kostas

Low Randomness Masking and Shulfifgn: An Evaluation Using Mutual Information Kostas

Low Randomness Masking and Shulfifgn: An Evaluation Using Mutual Information Kostas Papagiannopoulos kostaspap88@gmail.com kpcrypto.net Radboud University Nijmegen Digital Security Department The Netherlands 1 Overview Masking,

785 views • 46 slides
Energy-efficient &amp; High-performance Energy-efficient &amp; High-performance Instruction Fetch

Energy-efficient &amp; High-performance Energy-efficient &amp; High-performance Instruction Fetch

Energy-efficient &amp; High-performance Energy-efficient &amp; High-performance Instruction Fetch using a Block-aware ISA Instruction Fetch using a Block-aware ISA Ahmad Zmily and Christos Kozyrakis Electrical Engineering Department Stanford

250 views • 23 slides
Disclosures Masking and Breast Density Volpare Health Solutions (Wellington, New Zealand) Can we

Disclosures Masking and Breast Density Volpare Health Solutions (Wellington, New Zealand) Can we

6/8/2017 Disclosures Masking and Breast Density Volpare Health Solutions (Wellington, New Zealand) Can we Quantify Masking Risk? co-founder and shareholder Qview Medical (Los Altos, CA) Nico Karssemeijer consultant, co-founder and

883 views • 18 slides
Spectral and High-Order Methods Spectral and High-Order Methods for Shock-Induced Mixing for

Spectral and High-Order Methods Spectral and High-Order Methods for Shock-Induced Mixing for

Spectral and High-Order Methods Spectral and High-Order Methods for Shock-Induced Mixing for Shock-Induced Mixing Andrew W. Cook William Cabot Jeffrey A. Greenough Stephen V. Weber This work was performed under the auspices of the U.S.

338 views • 23 slides
A High- A High -Performance Area Performance Area- -Efficient Efficient AES Cipher on a Many

A High- A High -Performance Area Performance Area- -Efficient Efficient AES Cipher on a Many

A High- A High -Performance Area Performance Area- -Efficient Efficient AES Cipher on a Many AES Ci h AES Ci h AES Cipher on a Many- M M -Core Platform Core Platform C C Pl tf Pl tf Bin Liu and Bevan M. Baas VLSI Computation Lab

180 views • 15 slides
Towards Industrial Adoption of High-Order Methods Towards Industrial Adoption of High-Order

Towards Industrial Adoption of High-Order Methods Towards Industrial Adoption of High-Order

Towards Industrial Adoption of High-Order Methods Towards Industrial Adoption of High-Order Methods PyFR Symposium 19 th June 2020 Mark Allan 19 th June 2020 Presenter Mark Allan [ Product Lead ] Towards Industrial Adoption of High-Order

553 views • 32 slides
Understanding the Masking-Shadowing Function INRIA ; CNRS ; Univ. Grenoble Alpes in

Understanding the Masking-Shadowing Function INRIA ; CNRS ; Univ. Grenoble Alpes in

Understanding the Masking-Shadowing Function in Understanding the Masking-Shadowing Function in Microfacet-Based BRDFs 2014-09-01 Microfacet-Based BRDFs Eric Heitz Understanding the Masking-Shadowing Function INRIA ; CNRS ; Univ. Grenoble

808 views • 77 slides
Efficient, Parametrically-Robust Nonlinear Model Reduction using Local Reduced-Order Bases

Efficient, Parametrically-Robust Nonlinear Model Reduction using Local Reduced-Order Bases

Introduction Local Reduced-Order Models Application Conclusion Efficient, Parametrically-Robust Nonlinear Model Reduction using Local Reduced-Order Bases Matthew J. Zahr and Charbel Farhat Farhat Research Group Stanford University SIAM

545 views • 39 slides
Masking TablesAn Underestimated Security Risk Michael Tunstall Carolyn Whitnall Elisabeth

Masking TablesAn Underestimated Security Risk Michael Tunstall Carolyn Whitnall Elisabeth

Masking TablesAn Underestimated Security Risk Michael Tunstall Carolyn Whitnall Elisabeth Oswald March, 2013 Michael Tunstall (University of Bristol) Masking Tables March, 2013 1 / 21 Introduction Differential Power Analysis exploits

249 views • 21 slides
Weight two Masking in the McEliece system Violetta Weger University of Zurich The 13th

Weight two Masking in the McEliece system Violetta Weger University of Zurich The 13th

Weight two Masking in the McEliece system Violetta Weger University of Zurich The 13th International Conference on Finite Fields and their Applications June 5, 2017 Violetta Weger Weight two Masking in the McEliece system Outline 1

1.31k views • 34 slides
Unsteady CFD Optimization using High-Order Discontinuous Galerkin Finite Element Methods Matthew

Unsteady CFD Optimization using High-Order Discontinuous Galerkin Finite Element Methods Matthew

Introduction High-Order Numerical Scheme Fully-Discrete Adjoint Method Applications Conclusion Unsteady CFD Optimization using High-Order Discontinuous Galerkin Finite Element Methods Matthew J. Zahr and Per-Olof Persson Stanford University

780 views • 40 slides

More recommend