Parallel Implementations of Masking Schemes and the Bounded Moment Leakage Model

Size: px

Start display at page:

Download "Parallel Implementations of Masking Schemes and the Bounded Moment Leakage Model"

Logan Carr
5 years ago
Views:

Bochum (Germany), INRIA Sophia- Antipolis (France),

1 Parallel Implementations of Masking Schemes and the Bounded Moment Leakage Model G. Barthe, F. Dupressoir, S. Faust, B. Grégoire, F.-X. Standaert, P.-Y. Strub IMDEA (Spain), Univ. Surrey (UK), Univ. Bochum (Germany), INRIA Sophia- Antipolis (France), UCL (Belgium), Ecole Polytechnique (France) EUROCRYPT 2017, Paris, France

2 Outline Introduction / motivation Side-channel attacks and noise Masking and leakage models Bounded moment model Masking intuition & BMM definition Probing security BM security Parallel multiplication (& refreshing) BM security probing security Inner product masking (with non-mixing leakages) Continuous security & refreshing gadgets Conclusions

3 Outline Introduction / motivation Side-channel attacks and noise Masking and leakage models Bounded moment model Masking intuition & BMM definition Probing security BM security Parallel multiplication (& refreshing) BM security probing security Inner product masking (with non-mixing leakages) Continuous security & refreshing gadgets Conclusions

4 Side-channel attacks computation success probability # of measurements 128 physical attacks that decreases security exponentially in the # of measurements 96

5 Noise (hardware countermeasures) 2

6 Noise (hardware countermeasures) 2

7 Noise (hardware countermeasures) 2 Additive noise cost 2 security 2 not a good (crypto) security parameter

8 Outline Introduction / motivation Side-channel attacks and noise Masking and leakage models Bounded moment model Masking intuition & BMM definition Probing security BM security Parallel multiplication (& refreshing) BM security probing security Inner product masking (with non-mixing leakages) Continuous security & refreshing gadgets Conclusions

9 Masking ( noise amplification) 3 Example: Boolean encoding y = y 1 y 2 y d 1 y d With y 1, y 2,, y d 2, y d 1 {0,1} n

10 Masking (abstract view) 4 Probing security (Ishai, Sahai, Wagne003) y = y 1 y 2 y d 1 y d?

11 Masking (abstract view) 4 Probing security (Ishai, Sahai, Wagne003) y = y 1 y 2 y d 1 y d? d 1 probes do not reveal anything on y

12 Masking (abstract view) 4 Probing security (Ishai, Sahai, Wagne003) y = y 1 y 2 y d 1 y d y But d probes completely reveal y

13 Masking (concrete view) 5 Probing security (Ishai, Sahai, Wagne003) y = y 1 y 2 y d 1 y d? Bounded information leakage MI(Y i ; L) d

14 Masking (concrete view) 5 Probing security (Ishai, Sahai, Wagne003) y = y 1 y 2 y d 1 y d? Noisy leakage security (Prouff, Rivain 2013)

15 Masking (concrete view) 5 Probing security (Ishai, Sahai, Wagne003) y = y 1 y 2 y d 1 y d Noisy leakage security (Prouff, Rivain 2013) noise and independence (Duc, Dziembwski, Faust 2014)

16 Motivation / open questions 6 1. What happens with parallel implementations? For example: one probe reveals the shares sum

17 Motivation / open questions 6 1. What happens with parallel implementations? For example: one probe reveals the shares sum 2. How to test physical independence? (consolidating)??

18 Motivation / open questions 6 1. What happens with parallel implementations? For example: one probe reveals the shares sum 2. How to test physical independence? (consolidating)?? W/O directly working in the noisy leakage model

19 Outline Introduction / motivation Side-channel attacks and noise Masking and leakage models Bounded moment model Masking intuition & BMM definition Probing security BM security Parallel multiplication (& refreshing) BM security probing security Inner product masking (with non-mixing leakages) Continuous security & refreshing gadgets Conclusions

20 Masking statistical intuition 7 2-share / 1-bit example, serial implementation L 1 = y 1 + n 1 L 2 = y 2 + n 2

21 Masking statistical intuition 7 2-share / 1-bit example, parallel implementation L 1 = y 1 + n 1 L 2 = y 2 + n 2 L = y 1 + y 2 + n

22 Masking statistical intuition 7 2-share / 1-bit example, parallel implementation L 1 = y 1 + n 1 Definition (informal). An implementation is secure at order o in the bounded moment model if all mixed statistical moments of order up to o of its leakage vectors are independent of any sensitive variable manipulated L 2 = y 2 + n 2 L = y 1 + y 2 + n

23 Outline Introduction / motivation Side-channel attacks and noise Masking and leakage models Bounded moment model Masking intuition & BMM definition Probing security BM security Parallel multiplication (& refreshing) BM security probing security Inner product masking (with non-mixing leakages) Continuous security & refreshing gadgets Conclusions

24 Abstract reduction (answer to Q1) 8 Theorem (informal). A parallel implementation is secure at order o in the BMM if its serialization is secure at order o in the probing model where Adv pr can (typically) probe o = d 1 wires d Adv bm can observe any L = i=1 α i y i

25 Abstract reduction 8 Theorem (informal). A parallel implementation is secure at order o in the BMM if its serialization is secure at order o in the probing model where Adv pr can (typically) probe o = d 1 wires d Adv bm can observe any L = i=1 α i y i Intuition: summing the shares (in R) does not break the independent leakage assumption

26 Abstract reduction 8 Theorem (informal). A parallel implementation is secure at order o in the BMM if its serialization is secure at order o in the probing model where Adv pr can (typically) probe o = d 1 wires d Adv bm can observe any L = i=1 α i y i Intuition: summing the shares (in R) does not break the independent leakage assumption Main between probing and BM security Adv bm can sum over all the shares! BM security is weaker (moments vs. distributions)

27 Concrete consequence 9 If physically independent leakages, BM security extends to actual measurements (e.g., d = 3)

28 Concrete consequence (answer to Q2) 9 If physically independent leakages, BM security extends to actual measurements (e.g., d = 3) If not, leakages are not independent

29 Outline Introduction / motivation Side-channel attacks and noise Masking and leakage models Bounded moment model Masking intuition & BMM definition Probing security BM security Parallel multiplication (& refreshing) BM security probing security Inner product masking (with non-mixing leakages) Continuous security & refreshing gadgets Conclusions

30 Serial multiplication 10 ISW 2003: multiplication c = a b b 1 b 2 b 3 a 2 b 1 a 2 b 2 a 2 b 3 a 3 b 1 a 3 b 2 a 3 b 3 partial products refresh c 1 c 2 c 3 compress

31 Serial multiplication 10 ISW 2003: multiplication c = a b b 1 b 2 b 3 a 2 b 1 a 2 b 2 a 2 b 3 a 3 b 1 a 3 b 2 a 3 b 3 partial products refresh c 1 c 2 c 3 compress AES S-box (n = 8) implementation a = a 2 a d (e.g., d = 8) Each register stores an a i (i.e., a GF 2 8 element) Memory n d, Time: d 2 GF 2 8 mult. AES S-box 3 multiplications (& 4 squarings)

32 Parallel multiplication 11 Main tweak: interleave & regularize b 1 a 2 b 2 a 3 b 3 b 3 a 3 b 1 a 2 b 1 b 2 a 3 b 2 a 2 b 3 c 1 c 2 c 3 refresh

33 Parallel multiplication 11 Main tweak: interleave & regularize b 1 a 2 b 2 a 3 b 3 b 3 a 3 b 1 a 2 b 1 b 2 a 3 b 2 a 2 b 3 refresh AES S-box (n = 8) implementation a = a 2 a d (e.g., d = 8) Each register stores n a i s (i.e., GF 2 elements) Memory n d, Time: d GF 2 mult. (i.e., ANDs) AES bitslice S-box 32 AND gates (& 83 XORs) c 1 c 2 c 3

Parallel multiplication 11 Main tweak: interleave & regularize b 1 a 2 b 2 a 3 b 3 b 3 a 3 b 1 a 2 b 1 b 2 a 3 b 2 a 2 b 3 refresh AES S-box (n = 8) implementation a = a 2 a d (e.g., d = 8) Each register stores n a i s (i.

34 Parallel multiplication 11 Main tweak: interleave & regularize b 1 a 2 b 2 a 3 b 3 b 3 a 3 b 1 a 2 b 1 b 2 a 3 b 2 a 2 b 3 refresh AES S-box (n = 8) implementation a = a 2 a d (e.g., d = 8) Each register stores n a i s (i.e., GF 2 elements) Memory n d, Time: d GF 2 mult. (i.e., ANDs) AES bitslice S-box 32 AND gates (& 83 XORs) Performance gains with large d s (8, 16, 32) c 1 c 2 c 3

35 Security analysis 12 We analyzed the SNI security of the gadgets composable probing security (Barthe et al. 2016)

36 Security analysis 12 We analyzed the SNI security of the gadgets composable probing security (Barthe et al. 2016) Iterating (d 1)/3 refresh is SNI for d < 12

37 Security analysis 12 We analyzed the SNI security of the gadgets composable probing security (Barthe et al. 2016) Iterating (d 1)/3 refresh is SNI for d < 12 Multiplication is more tricky

38 Outline Introduction / motivation Side-channel attacks and noise Masking and leakage models Bounded moment model Masking intuition & BMM definition Probing security BM security Parallel multiplication (& refreshing) BM security probing security Inner product masking (with non-mixing leakages) Continuous security & refreshing gadgets Conclusions

39 Specialized encodings 13 Probing security is stronger than BM security (And also stronger than noisy leakage security) Is it sometimes too strong? i.e., breaks designs that are secure against DPA

40 Specialized encodings 13 Probing security is stronger than BM security (And also stronger than noisy leakage security) Is it sometimes too strong? i.e., breaks designs that are secure against DPA Example: Boolean encoding (2 shares) y = y 1 y 2

41 Specialized encodings 13 Probing security is stronger than BM security (And also stronger than noisy leakage security) Is it sometimes too strong? i.e., breaks designs that are secure against DPA Example: Boolean encoding (2 shares) IP masking in GF(2 8 ) with non-mixing leakages 2 y = p i s i i=1 y = y 1 y 2 p 2 = 1 p 2 = 5 p 2 = 7

42 Outline Introduction / motivation Side-channel attacks and noise Masking and leakage models Bounded moment model Masking intuition & BMM definition Probing security BM security Parallel multiplication (& refreshing) BM security probing security Inner product masking (with non-mixing leakages) Continuous security & refreshing gadgets Conclusions

43 Continuous security 14 So far we discussed one-shot probing attacks

44 Continuous security 14 So far we discussed one-shot probing attacks Yet, side-channel attacks are usually continuous i.e, accumulate information from multiple executions

45 Continuous security 14 So far we discussed one-shot probing attacks Yet, side-channel attacks are usually continuous i.e, accumulate information from multiple executions Typical issue: refreshing by add a share of 0 Frequently used in practice Yet insecure in the continuous probing model What does it mean concretely? i.e., can we (sometimes) use such a refreshing?

46 Continuous probing attack 15 Target: refresh(a) = a r rot(r) step 1 a 2 a 3 a 4 Accumulated knowledge:

47 Continuous probing attack 15 Target: refresh(a) = a r rot(r) step 1 a 2 a 3 a 4 Accumulated knowledge:

48 Continuous probing attack 15 Target: refresh(a) = a r rot(r) step 1 a 2 a 3 a 4 Accumulated knowledge:

49 Continuous probing attack 15 Target: refresh(a) = a r rot(r) step 1 step 2 a 2 a 2 a 3 a 3 a 4 a 4 Accumulated knowledge:

50 Continuous probing attack 15 Target: refresh(a) = a r rot(r) step 1 step 2 a 2 a 2 a 3 a 3 a 4 a 4 Accumulated knowledge:

51 Continuous probing attack 15 Target: refresh(a) = a r rot(r) step 1 step 2 a 2 a 2 a 3 a 3 a 4 a 4 Accumulated knowledge:

52 Continuous probing attack 15 Target: refresh(a) = a r rot(r) step 1 step 2 a 2 a 2 a 3 a 3 a 4 a 4 Accumulated knowledge: a2

53 Continuous probing attack 15 Target: refresh(a) = a r rot(r) step 1 step 2 step 3 a 2 a 2 a 2 a 3 a 3 a 3 a 4 a 4 a 4 Accumulated knowledge: a2

54 Continuous probing attack 15 Target: refresh(a) = a r rot(r) step 1 step 2 step 3 a 2 a 2 a 2 a 3 a 3 a 3 a 4 a 4 a 4 Accumulated knowledge: a2

55 Continuous probing attack 15 Target: refresh(a) = a r rot(r) step 1 step 2 step 3 a 2 a 2 a 2 a 3 a 3 a 3 a 4 a 4 a 4 Accumulated knowledge: a2

56 Continuous probing attack 15 Target: refresh(a) = a r rot(r) step 1 step 2 step 3 a 2 a 2 a 2 a 3 a 3 a 3 a 4 a 4 a 4 Accumulated knowledge: a2 a3

57 Continuous probing attack 15 Target: refresh(a) = a r rot(r) step 1 step 2 step 3 a 2 a 2 a 2 a 3 a 3 a 3 a 4 a 4 a 4 After d iterations, a is learned in full by Adv pr

58 Continuous probing attack 15 Target: refresh(a) = a r rot(r) step 1 step 2 step 3 a 2 a 2 a 2 a 3 a 3 a 3 a 4 a 4 a 4 After d iterations, a is learned in full by Adv pr Not possible in the BMM. Intuition: adaptation does not help since Adv bm can anyway sum over all shares!

59 Continuous probing attack 15 Target: refresh(a) = a r rot(r) step 1 step 2 step 3 a 2 a 2 a 2 a 3 a 3 a 3 a 4 a 4 a 4 After d iterations, a is learned in full by Adv pr Impact: refresh(. ) can be used to refresh the key of a key homomorphic primitive ( fully linear overheads)

60 Outline Introduction / motivation Side-channel attacks and noise Masking and leakage models Bounded moment model Masking intuition & BMM definition Probing security BM security Parallel multiplication (& refreshing) BM security probing security Inner product masking (with non-mixing leakages) Continuous security & refreshing gadgets Conclusions

61 Conclusions 16 Probing security is relevant to parallel implem.

62 Conclusions 16 Probing security is relevant to parallel implem. BMM suggests a principled path to security eval. probing security [DDF14] + noise, noisy leakages security bounded moment security

63 Conclusions 16 Probing security is relevant to parallel implem. BMM suggests a principled path to security eval. probing security [DDF14] + noise, noisy leakages security bounded moment security Parallel implem. are appealing for masking Leverage the memory needed to store shares

64 Conclusions 16 Probing security is relevant to parallel implem. BMM suggests a principled path to security eval. probing security [DDF14] + noise, noisy leakages security bounded moment security Parallel implem. are appealing for masking Leverage the memory needed to store shares Cont. probing security sometimes too strong

65 THANKS

Formal Verification of Masked Implementations

Formal Verification of Masked Implementations Sonia Belaïd Benjamin Grégoire CHES 2018 - Tutorial September 9th 2018 1 / 47 1 Side-Channel Attacks and Masking 2 Formal Tools for Verification at Fixed Order