Provable Security against Side-Channel Attacks

Size: px

Start display at page:

Download "Provable Security against Side-Channel Attacks"

Edgar Marsh
5 years ago
Views:

1 Provable Security against Side-Channel Attacks Matthieu Rivain MCrypt Seminar Aug. 11th 2014

2 Outline 1 Introduction 2 Modeling side-channel leakage 3 Achieving provable security against SCA

3 Outline 1 Introduction 2 Modeling side-channel leakage 3 Achieving provable security against SCA

4 Side-channel attacks

5 Side-channel attacks

6 Side-channel attacks

7 Side-channel attacks

8 Side-channel attacks

9 Side-channel attacks Sound and temperature Proofs of concept in idealized conditions Minor practical threats on embedded systems Running time Trivial solution: constant-time implementations Must be carefully addressed timing flaw still discovered in OpenSSL in 2011! timing flaws can be induced by the processor (cache, branch prediction,...)

10 Side-channel attacks Power consumption and EM emanations Close by nature (switching activity) Can be modeled as weighted sums of the transitions EM can be more informative (placing of the probe) but assume a raw access to the circuit Both are noisy i.e. non-deterministic Noise amplification by generating random switching activity

11 Side-channel attacks Power consumption and EM emanations Close by nature (switching activity) Can be modeled as weighted sums of the transitions EM can be more informative (placing of the probe) but assume a raw access to the circuit Both are noisy i.e. non-deterministic Noise amplification by generating random switching activity This talk: leakage = power consuption + EM emanations

12 Provable security Traditional approach define an adversarial model (e.g. chosen plaintext attacker) define a security goal (e.g. distinguish two ciphertexts)

13 Provable security Traditional approach define an adversarial model (e.g. chosen plaintext attacker) define a security goal (e.g. distinguish two ciphertexts) k k $ K b $ {0, 1} c E(k, m b ) ˆb? = b m 0, m 1 c ˆb A c m E(k, ) Challenger Adversary Oracle

14 Provable security Traditional approach define an adversarial model (e.g. chosen plaintext attacker) define a security goal (e.g. distinguish two ciphertexts) k k $ K b $ {0, 1} c E(k, m b ) ˆb? = b m 0, m 1 c ˆb A c m E(k, ) Challenger Adversary Oracle Security reduction: If A exists with non-negligible Pr[ˆb = b] 1/2 then I can use A to efficiently solve a hard problem.

15 Provable security... in the presence of leakage k k $ K b $ {0, 1} c E(k, m b ) ˆb? = b m 0, m 1 c ˆb A c m E(k, ) Challenger Adversary Oracle

16 Provable security... in the presence of leakage k k $ K b $ {0, 1} c E(k, m b ) ˆb? = b m 0, m 1 c, l ˆb A c,l m E(k, ) Challenger Adversary Oracle

17 Provable security... in the presence of leakage k k $ K b $ {0, 1} c E(k, m b ) ˆb? = b m 0, m 1 c, l 1,..., l q ˆb A c,l m E(k, ) Challenger Adversary Oracle

18 Provable security... in the presence of leakage k k $ K b $ {0, 1} c E(k, m b ) ˆb? = b m 0, m 1 c, l 1,..., l q ˆb A c,l m E(k, ) Challenger Adversary Oracle Issue: how to model the leakage?

19 Outline 1 Introduction 2 Modeling side-channel leakage 3 Achieving provable security against SCA

20 Modeling side-channel leakage The encryption oracle cannot be seen as a mathematical function E(k, ) : m c anymore, but as a computation. Two classical approaches to model computation: Turing machines (programs) Circuits How to model leaking computation?

21 Modeling side-channel leakage Chronology Probing model (circuits, 2003) Physically observable cryptography (Turing machines, 2004) Leakage resilient cryptography (2008) Further leakage models for circuits (2010) Noisy leakage model (2013) Presentation Leakage models for circuits Leakage models for programs

22 Modeling side-channel leakage Chronology Probing model (circuits, 2003) Physically observable cryptography (Turing machines, 2004) Leakage resilient cryptography (2008) Further leakage models for circuits (2010) Noisy leakage model (2013) Presentation Leakage models for circuits Leakage models for programs

23 Modeling side-channel leakage Chronology Probing model (circuits, 2003) Physically observable cryptography (Turing machines, 2004) Leakage resilient cryptography (2008) Further leakage models for circuits (2010) Noisy leakage model (2013) Presentation Leakage models for circuits Leakage models for programs

24 Leakage Models for Circuits [Ishai-Sahai-Wagner. CRYPTO 2003] Directed graph whose nodes are gates and edges are wires in 1 Op 1 in 2 Op 3 copy out 1 in 3 copy Op 4 out 2 $ Op 2 mem

25 Leakage Models for Circuits [Ishai-Sahai-Wagner. CRYPTO 2003] Directed graph whose nodes are gates and edges are wires in 1 w 1 in 2 w 2 Op 1 w 5 Op 3 w 9 copy w 12 out 1 w 6 w 3 copy w 11 in 3 w 7 Op 4 w 13 out 2 $ w 4 Op 2 w 8 mem w 10 At each cycles, the circuit leaks f(w 1, w 2,..., w n )

26 Leakage Models for Circuits Probing security model [Ishai-Sahai-Wagner. CRYPTO 2003] the adversary gets (w i ) i I for some chosen set I t AC 0 leakage model [Faust et al. EUROCRYPT 2010] the leakage function f belongs to the AC 0 complexity class i.e. f is computable by circuits of constant depth d Noisy circuit-leakage model [Faust et al. EUROCRYPT 2010] f : (w 1, w 2,..., w n ) (w 1 ε 1, w 2 ε 2,..., w n ε n ) { 1 with proba p < 1/2 with ε i = 0 with proba 1 p

27 Leakage Models for Circuits Probing security model [Ishai-Sahai-Wagner. CRYPTO 2003] the adversary gets (w i ) i I for some chosen set I t AC 0 leakage model [Faust et al. EUROCRYPT 2010] the leakage function f belongs to the AC 0 complexity class i.e. f is computable by circuits of constant depth d Noisy circuit-leakage model [Faust et al. EUROCRYPT 2010] f : (w 1, w 2,..., w n ) (w 1 ε 1, w 2 ε 2,..., w n ε n ) { 1 with proba p < 1/2 with ε i = 0 with proba 1 p These models fail in capturing EM and PC leakages!

28 Leakage Models for Circuits Probing security model [Ishai-Sahai-Wagner. CRYPTO 2003] the adversary gets (w i ) i I for some chosen set I t AC 0 leakage model [Faust et al. EUROCRYPT 2010] the leakage function f belongs to the AC 0 complexity class i.e. f is computable by circuits of constant depth d Noisy circuit-leakage model [Faust et al. EUROCRYPT 2010] f : (w 1, w 2,..., w n ) (w 1 ε 1, w 2 ε 2,..., w n ε n ) { 1 with proba p < 1/2 with ε i = 0 with proba 1 p These models fail in capturing EM and PC leakages! Circuits not convenient to model software implementations (or algorithms / protocols)

29 Physically Observable Cryptography [Micali-Reyzin. TCC 04] Framework for leaking computation Strong formalism using Turing machines Assumption: Only Computation Leaks (OCL) Computation divided into subcomputations y SC(x) Each SC accesses a part of the state x and leaks f(x) f adaptively chosen by the adversary No actual proposal for f

30 Leakage Resilient Cryptography Model introduced in [Dziembowski-Pietrzak. STOC 08] Specialization of the Micali-Reyzin framework Leakage functions follow the bounded retrieval model [Crescenzo et al. TCC 06] f : {0, 1} n {0, 1} λ for some constant λ < n

31 Leakage Resilient Cryptography Example: LR stream cipher [Pietrzak. EUROCRYPT 09] Many further LR crypto primitives published so far Generic LR compilers [Goldwasser-Rothblum. FOCS 12] [Dziembowski-Faust. TCC 12]

32 Leakage Resilient Cryptography Limitation: the leakage of a subcomputation is limited to λ-bit values for λ < n (the input size) Side-channel leakage far bigger than n bits although it may not remove all the entropy of x Figure: Power consumption of a DES computation.

33 Noisy Leakage Model [Prouff-Rivain. EUROCRYPT 2013] OCL assumption (Micali-Reyzin framework) New class of noisy leakage functions An observation f(x) introduces a bounded bias in Pr[x] very generic

34 Notion of bias Bias of X given Y = y: β(x Y = y) = Pr[X] Pr[X Y = y] with = Euclidean norm. Bias of X given Y : β(x Y ) = Pr[Y = y] β(x Y = y). y Y β(x Y ) [ 0; Related to MI by: 1 1 X ] (indep. / deterministic relation) 1 X β(x Y ) MI(X; Y ) ln 2 ln 2 β(x Y )

35 Noisy Leakage Model Every subcomputation leaks a noisy function f of its input noise modeled by a fresh random tape argument ψ is some noise parameter f N (1/ψ) β ( X f(x) ) < 1 ψ Capture any form of noisy leakage

36 Noisy Leakage Model In practice, the multivariate Gaussian model is widely admitted f(x) N ( m x, Σ) x X The bias can be efficiently computed: β(x f(x)) = y x ( ( p y px y 1/ X ) ) 2 1/2 with p y = x φ Σ ( y m x) z φ Σ( z m x) and p x y = φ Σ( y m x) where φ Σ : y exp ( 1 2 y Σ y ). v φ Σ( y m v)

37 Noisy Leakage Model Illustration: univariate Hamming weight model with Gaussian noise f(x) = HW(X) + N (0, σ 2 ) Figure: log 10 β(x f(x)) w.r.t. σ.

38 Noisy Leakage Model Illustration: univariate Hamming weight model with Gaussian noise f(x) = HW(X) + N (0, σ) Figure: ψ = 1 β(x f(x)) w.r.t. σ.

39 Outline 1 Introduction 2 Modeling side-channel leakage 3 Achieving provable security against SCA

40 Achieving provable security against SCA k k $ K b $ {0, 1} c E(k, m b ) ˆb? = b m 0, m 1 c, l 1,..., l q ˆb A c,l m E(k, ) Challenger Adversary Oracle Describe a (protected) implementation of E(k, ) Model the leakage Provide a security reduction

41 Achieving provable security against SCA k k $ K b $ {0, 1} c E(k, m b ) ˆb? = b m 0, m 1 c, l 1,..., l q ˆb A c,l m E(k, ) Challenger Adversary Oracle Describe a (protected) implementation of E(k, ) Model the leakage Provide a security reduction What about generic security against SCA? for any cryptosystem, security goal, adversarial model

42 General setting A Security Game (m i, k) l(m i, k) O Adversary 0/1 Leakage Oracle

43 General setting Distinguisher A Security Game (m i, k) l(m i, k) O 0/1 Leakage Oracle Security: Dist : Adv(Dist O( ) ) 2 κ

44 General setting Distinguisher A Security Game (m i, k) l($, $) O 0/1 Leakage Oracle Security: Dist : Adv(Dist O( ) ) 2 κ

45 General setting Distinguisher A Security Game (m i, k) l(m i, k) O Adversary 0/1 Leakage Oracle Security: Dist : Adv(Dist O( ) ) 2 κ A : Adv(A-SG O( ) ) Adv(A-SG O$ ( ) )

46 General setting Distinguisher A Security Game (m i, k) l(m i, k) O Adversary 0/1 Leakage Oracle Security: Dist : Adv(Dist O( ) ) 2 κ A : Adv(A-SG O( ) ) Adv(A-SG O$ ( ) ) Information theoretic security: MI((m, k); l(m, k)) 2 κ

47 General setting Distinguisher A Security Game (m i, k) l(m i, k) O Adversary 0/1 Leakage Oracle Security: Dist : Adv(Dist O( ) ) 2 κ A : Adv(A-SG O( ) ) Adv(A-SG O$ ( ) ) Information theoretic security: MI((m, k); l(m, k)) 2 κ IT Security Security

48 Using random sharing Principle Randomly share the internal state of the computation A d-sharing of x F is a tuple (x 1, x 2,..., x n ) s.t. x 1 + x x n = x with n 1 degrees of randomness Subcomputations y SC(x) are replaced by (y 1, y 2,..., y n ) SC (x 1, x 2,..., x n )

49 Using random sharing Soundness [Chari et al. CRYPTO 99] Univariate Gaussian leakage model: l i x i + N (µ, σ 2 ) Distinguishing ( (l i ) i x = 0 ) from ( (l i ) i x = 1 ) takes q samples: q cst σ n Limitations: univariate leakage model, Gaussian noise assumption static leakage of the shares (i.e. without computation) no scheme proposed to securely compute on a shared state

50 Ishai-Sahai-Wagner Scheme [Ishai-Sahai-Wagner. CRYPTO 2003] Binary circuit model Goal: security against t-probing attacks Every wire w is shared in n wires w 1, w 2,..., w n Issue: how to encode logic gates? NOT gates and AND gates NOT gates encoding: w = w 1 w 2 w n

51 Ishai-Sahai-Wagner Scheme AND gates encoding Input: (a i ) i, (b i ) i s.t. i a i = a, i b i = b Output: (c i ) i s.t. i c i = a b

52 Ishai-Sahai-Wagner Scheme AND gates encoding Input: (a i ) i, (b i ) i s.t. i a i = a, i b i = b Output: (c i ) i s.t. i c i = a b a b = ( i a )( i i b i ) = i,j a ib j

53 Ishai-Sahai-Wagner Scheme AND gates encoding Input: (a i ) i, (b i ) i s.t. i a i = a, i b i = b Output: (c i ) i s.t. i c i = a b a b = ( i a )( i i b i ) = i,j a ib j Example (n = 3): a 1 b 1 a 1 b 2 a 1 b 3 a 2 b 1 a 2 b 2 a 2 b 3 a 3 b 1 a 3 b 2 a 3 b 3

54 Ishai-Sahai-Wagner Scheme AND gates encoding Input: (a i ) i, (b i ) i s.t. i a i = a, i b i = b Output: (c i ) i s.t. i c i = a b a b = ( i a )( i i b i ) = i,j a ib j Example (n = 3): a 1 b 1 a 1 b 2 a 1 b a 2 b 2 a 2 b 3 a 2 b a 3 b 3 a 3 b 1 a 3 b 2 0

55 Ishai-Sahai-Wagner Scheme AND gates encoding Input: (a i ) i, (b i ) i s.t. i a i = a, i b i = b Output: (c i ) i s.t. i c i = a b a b = ( i a )( i i b i ) = i,j a ib j Example (n = 3): a 1 b 1 a 1 b 2 a 1 b 3 0 a 2 b 1 a 3 b 1 0 a 2 b 2 a 2 b a 3 b a 3 b

56 Ishai-Sahai-Wagner Scheme AND gates encoding Input: (a i ) i, (b i ) i s.t. i a i = a, i b i = b Output: (c i ) i s.t. i c i = a b a b = ( i a )( i i b i ) = i,j a ib j Example (n = 3): a 1 b 1 a 1 b 2 a 2 b 1 a 1 b 3 a 3 b 1 0 a 2 b 2 a 2 b 3 a 3 b a 3 b 3

57 Ishai-Sahai-Wagner Scheme AND gates encoding Input: (a i ) i, (b i ) i s.t. i a i = a, i b i = b Output: (c i ) i s.t. i c i = a b a b = ( i a )( i i b i ) = i,j a ib j Example (n = 3): a 1 b 1 a 1 b 2 a 2 b 1 a 1 b 3 a 3 b 1 0 a 2 b 2 a 2 b 3 a 3 b a 3 b 3

58 Ishai-Sahai-Wagner Scheme AND gates encoding Input: (a i ) i, (b i ) i s.t. i a i = a, i b i = b Output: (c i ) i s.t. i c i = a b a b = ( i a )( i i b i ) = i,j a ib j Example (n = 3): a 1 b 1 a 1 b 2 a 2 b 1 a 1 b 3 a 3 b 1 0 r 1,2 r 1,3 0 a 2 b 2 a 2 b 3 a 3 b r 2,3 0 0 a 3 b

59 Ishai-Sahai-Wagner Scheme AND gates encoding Input: (a i ) i, (b i ) i s.t. i a i = a, i b i = b Output: (c i ) i s.t. i c i = a b a b = ( i a )( i i b i ) = i,j a ib j Example (n = 3): a 1 b 1 a 1 b 2 a 2 b 1 a 1 b 3 a 3 b 1 0 r 1,2 r 1,3 0 a 2 b 2 a 2 b 3 a 3 b 2 r 1,2 0 r 2,3 0 0 a 3 b 3 r 1,3 r 2,3 0

60 Ishai-Sahai-Wagner Scheme AND gates encoding Input: (a i ) i, (b i ) i s.t. i a i = a, i b i = b Output: (c i ) i s.t. i c i = a b a b = ( i a )( i i b i ) = i,j a ib j Example (n = 3): a 1 b 1 (a 1 b 2 r 1,2 ) a 2 b 1 (a 1 b 3 r 1,3 ) a 3 b 1 r 1,2 a 2 b 2 (a 2 b 3 r 2,3 ) a 3 b 2 r 1,3 r 2,3 a 3 b 3

61 Ishai-Sahai-Wagner Scheme AND gates encoding Input: (a i ) i, (b i ) i s.t. i a i = a, i b i = b Output: (c i ) i s.t. i c i = a b a b = ( i a )( i i b i ) = i,j a ib j Example (n = 3): a 1 b 1 (a 1 b 2 r 1,2 ) a 2 b 1 (a 1 b 3 r 1,3 ) a 3 b 1 r 1,2 a 2 b 2 (a 2 b 3 r 2,3 ) a 3 b 2 r 1,3 r 2,3 a 3 b 3

62 Ishai-Sahai-Wagner Scheme AND gates encoding Input: (a i ) i, (b i ) i s.t. i a i = a, i b i = b Output: (c i ) i s.t. i c i = a b a b = ( i a )( i i b i ) = i,j a ib j Example (n = 3): a 1 b 1 (a 1 b 2 r 1,2 ) a 2 b 1 (a 1 b 3 r 1,3 ) a 3 b 1 r 1,2 a 2 b 2 (a 2 b 3 r 2,3 ) a 3 b 2 r 1,3 r 2,3 a 3 b 3 c 1 a 1 b 1 (a 1 b 2 r 1,2 ) a 2 b 1 (a 1 b 3 r 1,3 ) a 3 b 1

63 Ishai-Sahai-Wagner Scheme AND gates encoding Input: (a i ) i, (b i ) i s.t. i a i = a, i b i = b Output: (c i ) i s.t. i c i = a b a b = ( i a )( i i b i ) = i,j a ib j Example (n = 3): a 1 b 1 (a 1 b 2 r 1,2 ) a 2 b 1 (a 1 b 3 r 1,3 ) a 3 b 1 r 1,2 a 2 b 2 (a 2 b 3 r 2,3 ) a 3 b 2 r 1,3 r 2,3 a 3 b 3 c 1 c 2 a 1 b 1 (a 1 b 2 r 1,2 ) a 2 b 1 (a 1 b 3 r 1,3 ) a 3 b 1

64 Ishai-Sahai-Wagner Scheme AND gates encoding Input: (a i ) i, (b i ) i s.t. i a i = a, i b i = b Output: (c i ) i s.t. i c i = a b a b = ( i a )( i i b i ) = i,j a ib j Example (n = 3): a 1 b 1 (a 1 b 2 r 1,2 ) a 2 b 1 (a 1 b 3 r 1,3 ) a 3 b 1 r 1,2 a 2 b 2 (a 2 b 3 r 2,3 ) a 3 b 2 r 1,3 r 2,3 a 3 b 3 c 1 c 2 c 3 a 1 b 1 (a 1 b 2 r 1,2 ) a 2 b 1 (a 1 b 3 r 1,3 ) a 3 b 1

65 Ishai-Sahai-Wagner Scheme AND gates encoding Input: (a i ) i, (b i ) i s.t. i a i = a, i b i = b Output: (c i ) i s.t. i c i = a b a b = ( i a )( i i b i ) = i,j a ib j Example (n = 3): a 1 b 1 (a 1 b 2 r 1,2 ) a 2 b 1 (a 1 b 3 r 1,3 ) a 3 b 1 r 1,2 a 2 b 2 (a 2 b 3 r 2,3 ) a 3 b 2 r 1,3 r 2,3 a 3 b 3 c 1 c 2 c 3 a 1 b 1 (a 1 b 2 r 1,2 ) a 2 b 1 (a 1 b 3 r 1,3 ) a 3 b 1

66 Ishai-Sahai-Wagner Scheme Sketch of security proof t-probing adversary n = 2t + 1 shares probed wires: v 1, v 2,..., v t construct a set I = {raw and column indices of v k } (v 1, v 2,..., v t ) perfectly simulated from (a i ) i I and (b i ) i I I 2t < n (a i ) i I and (b i ) i I are random I -tuples

67 Ishai-Sahai-Wagner Scheme (a i ) i (b i ) i $ $ $ c 0 c 1 c 2 Figure: AND gate for n = 3

68 Ishai-Sahai-Wagner Scheme Can be transposed to the dth-order security model the adversary must combined the leakage of at least d subcomputations to recover information in presence of noise d is a relevant security parameter [Chari et al. CRYPTO 99] Many dth-order secure schemes based on ISW scheme Not fully satisfactory an relevant adversary should use all the leakage

69 Security in the noisy model [Prouff-Rivain. EUROCRYPT 2013] Every y SC(x) leaks f(x) where β ( X f(x) ) < 1 ψ Information theoretic security proof: MI ( (m, k); l(m, k)) < O(ω d ) Assumtpion: the noise parameter ψ can be linearly increased Need of a leak-free component for refreshing x = (x 0, x 1,..., x d ) x = (x }{{} 0, x 1,..., x d }{{} ) i x i=x i x i =x with (x x) and (x x) mutually independent.

70 Overview of the proof Consider a SPN computation Figure: Example of SPN round.

71 Overview of the proof Classical implementation protected with sharing Figure: Example of SPN round protected with sharing.

72 S-Box computation [Carlet et al. FSE 12] Polynomial evaluation over GF(2 n ) Two types of elementary calculations: linear functions (additions, squares, multiplication by coefficients) multiplications over GF(2 n )

73 Linear functions Given a sharing X = X 0 X 1 X d X 0 X 1 X d (X 0 ) (X 1 ) (X d )

74 Linear functions Given a sharing X = X 0 X 1 X d X 0 X 1 X d f 0 (X 0 ) (X 0 ) (X 1 ) (X d ) f 1 (X 1 ) f d (X d )

75 Linear functions Given a sharing X = X 0 X 1 X d X 0 X 1 X d f 0 (X 0 ) (X 0 ) (X 1 ) (X d ) f 1 (X 1 ) f d (X d ) For f i N (1/ψ) with ψ = O( X 1 2 ω), we show MI ( X; (f 0 (X 0 ), f 1 (X 1 ),..., f d (X d )) ) 1 ω d+1

76 Multiplications Inputs: sharings i A i = g(x) and i B i = g(x) where X = s-box input First step: cross-products A 0 B 0 A 0 B 1 A 0 B d A 1 B 0 A 1 B 1 A 1 B d A d B 0 A d B 1 A d B d

77 Multiplications Inputs: sharings i A i = g(x) and i B i = g(x) where X = s-box input First step: cross-products A 0 B 0 A 0 B 1 A 0 B d A 1 B 0 A 1 B 1 A 1 B d A d B 0 A d B 1 A d B d f 0,0 (A 0,B 0 ) f 0,1 (A 0,B 1 ) f 0,d (A 0,B d ) f 1,0 (A 1,B 0 ) f 1,1 (A 1,B 1 ) f 1,d (A 1,B d ) f d,0 (A d,b 0 ) f d,1 (A d,b 1 ) f d,d (A d,b d )

78 Multiplications Inputs: sharings i A i = g(x) and i B i = g(x) where X = s-box input First step: cross-products A 0 B 0 A 0 B 1 A 0 B d A 1 B 0 A 1 B 1 A 1 B d A d B 0 A d B 1 A d B d For f i,j N (1/ψ) with ψ = O( X 3 2 d ω) we show MI ( X; (f i,j (A i, B j )) i,j ) 1 ω d+1

79 Multiplications Second step: refreshing Apply on each column and one row of A 0 B 0 A 0 B 1 A 0 B d A 1 B 0 A 1 B 1 A 1 B d A d B 0 A d B 1 A d B d We get a fresh (d + 1) 2 -sharing of A B V 0,0 V 0,1 V 0,d V 1,0 V 1,1 V 1,d V d,0 V d,1 V d,d

80 Multiplications Third step: summing rows Takes d elementary calculations (XORs) per row: T i,1 V i,0 V i,1 T i,2 T i,1 V i,2. T i,d T i,d 1 V i,d

81 Multiplications Third step: summing rows Takes d elementary calculations (XORs) per row: T i,1 V i,0 V i,1 T i,2 T i,1 V i,2.. T i,d T i,d 1 V i,d f i,1 (V i,0,v i,1 ) f i,2 (T i,1,v i,2 ) f i,d (T i,d 1,V i,d )

82 Multiplications Third step: summing rows Takes d elementary calculations (XORs) per row: T i,1 V i,0 V i,1 T i,2 T i,1 V i,2.. T i,d T i,d 1 V i,d f i,1 (V i,0,v i,1 ) f i,2 (T i,1,v i,2 ) f i,d (T i,d 1,V i,d ) For f i,j N (1/ψ) with ψ = O( X 3 2 ω), we show MI ( X; (F 0, F 1,..., F d ) ) 1 ω d+1 where F i = ( f i,1(v i,0, V i,1), f i,2(t i,1, V i,2),..., f i,d (T i,d 1, V i,d ) )

83 Putting everything together Several sequences of subcomputations, each leaking L t with MI((m, k); L t ) 1 ω d+1 Use of share-refreshing between each sequence (L t ) t are mutually independent given (m, k) We hence have MI ( (m, k); (L 1, L 2,..., L T ) ) T MI((m, k); L t ) t=1 T ω d+1

84 Improved security proof [Duc-Dziembowski-Faust. EUROCRYPT 2014] Security reduction: probing model noisy model ISW scheme secure in the noisy model No need for leak-free component!

85 Improved security proof Consider y 1 SC 1 (x 1 ), y 2 SC 2 (x 2 ),..., y n SC n (x n ) t-probing model: l = (x i ) i I with I = t ε-random probing model: l = (ϕ 1 (x 1 ), ϕ 2 (x 2 ),..., ϕ n (x n )) where ϕ i is a ε-identity function i.e. { x with proba ε with ϕ i (x) = with proba 1 ε δ-noisy model: l = (f 1 (x 1 ), f 2 (x 2 ),..., f n (x n )) with β(x f i (X)) δ (here = L 1 )

86 Improved security proof Consider y 1 SC 1 (x 1 ), y 2 SC 2 (x 2 ),..., y n SC n (x n ) t-probing model: l = (x i ) i I with I = t ε-random probing model: l = (ϕ 1 (x 1 ), ϕ 2 (x 2 ),..., ϕ n (x n )) where ϕ i is a ε-identity function i.e. { x with proba ε with ϕ i (x) = with proba 1 ε δ-noisy model: l = (f 1 (x 1 ), f 2 (x 2 ),..., f n (x n )) with β(x f i (X)) δ (here = L 1 ) t-probing security ε-random probing security δ-noisy security

87 From probing to random probing ε-random probing adv. A rp t-probing adv. A p with t = 2nε 1 A p works as follows { 1 with proba ε sample (z 1, z 2,..., z n ) where z i = 0 with proba 1 ε set I = {i z i = 1}, if I > t return get (x i ) i I call A rp on (y 1, y 2,..., y n ) where y i = { xi if i I if i / I If I t : (y 1, y 2,..., y n ) (ϕ 1 (x 1 ), ϕ 2 (x 2 ),..., ϕ n (x n )) Chernoff bound: Pr[ I > t] exp( t/6) A rp A p : Adv(A p ) Adv(A rp ) exp( t/6)

88 From probing to random probing ε-random probing adv. A rp t-probing adv. A p with t = 2nε 1 A p works as follows { 1 with proba ε sample (z 1, z 2,..., z n ) where z i = 0 with proba 1 ε set I = {i z i = 1}, if I > t return get (x i ) i I call A rp on (y 1, y 2,..., y n ) where y i = { xi if i I if i / I If I t : (y 1, y 2,..., y n ) (ϕ 1 (x 1 ), ϕ 2 (x 2 ),..., ϕ n (x n )) Chernoff bound: Pr[ I > t] exp( t/6) A rp : Adv(A rp ) max Ap Adv(A p ) + exp( t/6)

89 From random probing to noisy leakage Main lemma: every f s.t. β(x f(x)) δ can be written: f = f ϕ where ϕ is an ε-identity function with ε δ X, and } f efficient to sample f efficient to sample Pr[f(x) = y] eff. computable δ-noisy adversary A n ε-random probing adv. A rp get (ϕ 1 (x 1 ), ϕ 2 (x 2 ),..., ϕ n (x n )) call A n on (f 1 ϕ 1 (x 1 ), f 2 ϕ 2 (x 1 ),..., f n ϕ n (x n )) A n A rp : Adv(A rp ) = Adv(A n )

90 From random probing to noisy leakage Main lemma: every f s.t. β(x f(x)) δ can be written: f = f ϕ where ϕ is an ε-identity function with ε δ X, and } f efficient to sample f efficient to sample Pr[f(x) = y] eff. computable δ-noisy adversary A n ε-random probing adv. A rp get (ϕ 1 (x 1 ), ϕ 2 (x 2 ),..., ϕ n (x n )) call A n on (f 1 ϕ 1 (x 1 ), f 2 ϕ 2 (x 1 ),..., f n ϕ n (x n )) A n : Adv(A n ) max Arp Adv(A rp )

91 Combining both reductions Security against t-probing security against δ-noisy where δ = t + 1 2n X exp( t/6) must be negligible t 8.65 κ ISW scheme with d-sharing is secure against δ-noisy attackers where δ = d (and d 17.5 κ) n X For ISW-multiplication n = O(d 2 ) and X = F F giving δ = O(1/d F 2 ) ψ = O(d F 2 ) Limitation: ψ is still in O(d)

92 Conclusion New practically relevant model for leaking computation: the noisy model Need for practical investigations for the bias estimation Only 2 works proposing formal proofs in this model Open issues: a scheme secure with constant noise secure implementations with different kind of randomization (e.g. exponent/message blinding for RSA/ECC)

Masking against Side-Channel Attacks: a Formal Security Proof

Masking against Side-Channel Attacks: a Formal Security Proof Emmanuel Prouff 1 and Matthieu Rivain 2 1 ANSSI emmanuel.prouff@ssi.gouv.fr 2 CryptoExperts matthieu.rivain@cryptoexperts.com Abstract. Masking