On the Use of Masking to Defeat Power-Analysis Attacks

Size: px

Start display at page:

Download "On the Use of Masking to Defeat Power-Analysis Attacks"

Kristian Bruce
5 years ago
Views:

1 1/32 On the Use of Masking to Defeat Power-Analysis Attacks ENS Paris Crypto Day February 16, 2016 Presented by Sonia Belaïd

2 Outline Power-Analysis Attacks Masking Countermeasure Leakage Models Security in the probing model Construction of Secure Masking Schemes - Composition 2/32

3 Ü Black-box cryptanalysis Ü Side-channel analysis Alice mi Bob k ENC ci ci k DEC mi 3/32

4 Ü Black-box cryptanalysis: A (mi, c i ) Ü Side-Channel Analysis Alice mi Bob k ENC ci ci k DEC mi 3/32

5 Ü Black-box cryptanalysis Ü Side-Channel Analysis: A (mi, c i, L i ) Alice mi Bob k ENC ci ci k DEC mi Li 3/32

6 Ü Black-box cryptanalysis Ü Side-Channel Analysis: A (mi, c i, L i ) Alice mi Bob k ENC ci ci k DEC mi Li 3/32

7 Ü Black-box cryptanalysis Ü Side-Channel Analysis: A (mi, c i, L i ) Alice mi Bob k ENC ci ci k DEC mi Li 3/32

8 Ü Black-box cryptanalysis Ü Side-Channel Analysis: A (mi, c i, L i ) Alice mi Bob k ENC ci ci k DEC mi Li 3/32

9 Ü Black-box cryptanalysis Ü Side-Channel Analysis: A (mi, c i, L i ) Alice mi Bob k ENC ci ci k DEC mi Li 3/32

10 A Power-Analysis Attack against AES-128 Figure : Consumption trace of a full AES-128 from the DPA Contest v2 4/32

11 A Power-Analysis Attack against AES-128 Figure : Consumption trace of a full AES-128 from the DPA Contest v2 4/32

12 A Power-Analysis Attack against AES bit input m k 0 8 bits S-box 8-bit v f (v) + ε 5/32

13 A Power-Analysis Attack against AES bit input m k 0 8 bits S-box 8-bit v f (v) + ε 5/32

14 A Power-Analysis Attack against AES bit input m k 0 8 bits S-box 8-bit v f (v) + ε Attack on 8 bits prediction of the outputs for the 256 possible 8-bit secret correlation between predictions and leakage selection of the best correlation to find the correct 8-bit secret Attack on 128 bits repetition of the attack on 8 bits on each S-box 5/32

15 Algorithmic Countermeasures Problem: leakage L is key-dependent k m c L Two main algorithmic solutions: Fresh Re-keying: regularly change k Masking: make leakage L random 6/32

16 Fresh Re-keying Idea: regularly change k master key k r R session key k m c 7/32

17 Masking Idea: make leakage L random sensitive value: v = f (m,k) ( ) v 0 v v i 1 i t v 1 $... v t $ each t-uple of (v i ) i is independent from v 8/32

18 Outline Power-Analysis Attacks Masking Countermeasure Leakage Models Security in the probing model Construction of Secure Masking Schemes - Composition 9/32

19 Current Research on Masking Masking 10/32

20 Current Research on Masking Masking Security Efficiency 10/32

21 Current Research on Masking Masking Security Efficiency Realism leakage models Proofs formal proofs of security 10/32

22 Current Research on Masking Masking Security Efficiency Realism leakage models Proofs formal proofs of security [EC:PR13] Masking against Side-Channel Attacks: A Formal Security Proof [EC:DDF14] Unifying Leakage Models: From Probing Attacks to Noisy Leakage [EC:DFS15] Making Masking Security Proofs Concrete - Or How to Evaluate the Security of Any Leaking Device... 10/32

23 Current Research on Masking Masking Security Efficiency Realism leakage models Proofs formal proofs of security [EC:PR13] Masking against Side-Channel [C:ISW03] Private Circuits: Securing Attacks: A Formal Security Proof Hardware against Probing Attacks [EC:DDF14] Unifying Leakage Models: From Probing Attacks to Noisy Leakage [EC:DFS15] Making Masking Security Proofs Concrete - Or How to Evaluate [CHES:RP10] Provably Secure Higher- Order Masking of AES [FSE:CPRR13] Higher-Order Side Channel Security and Mask Refreshing the Security of Any Leaking Device... 10/32

24 Current Research on Masking Masking Security Efficiency Realism leakage models Proofs formal proofs of security [EC:PR13] Masking against Side-Channel [C:ISW03] Private Circuits: Securing Attacks: A Formal Security Proof Hardware against Probing Attacks [EC:DDF14] Unifying Leakage Models: From Probing Attacks to Noisy Leakage [EC:DFS15] Making Masking Security Proofs Concrete - Or How to Evaluate the Security of Any Leaking Device... [CHES:RP10] Provably Secure Higher- Order Masking of AES [FSE:CPRR13] Higher-Order Side Channel Security and Mask Refreshing [EC:BBDFGS15] formal proofs of masking schemes 10/32

25 Current Research on Masking Masking Security Efficiency Realism leakage models Proofs formal proofs of security [EC:PR13] Masking against Side-Channel [C:ISW03] Private Circuits: Securing Attacks: A Formal Security Proof Hardware against Probing Attacks [EC:DDF14] Unifying Leakage Models: From Probing Attacks to Noisy Leakage [EC:DFS15] Making Masking Security Proofs Concrete - Or How to Evaluate the Security of Any Leaking Device... [CHES:RP10] Provably Secure Higher- Order Masking of AES [FSE:CPRR13] Higher-Order Side Channel Security and Mask Refreshing [EC:BBDFGS15] formal proofs of masking schemes [eprint:bbdfg15] generation of formally proven masking schemes at any order 10/32

26 Current Research on Masking Masking Security Efficiency Realism leakage models [EC:PR13] Masking against Side-Channel Attacks: A Formal Security Proof [EC:DDF14] Unifying Leakage Models: From Probing Attacks to Noisy Leakage [EC:DFS15] Making Masking Security Proofs Concrete - Or How to Evaluate the Security of Any Leaking Device... Proofs formal proofs of security [C:ISW03] Private Circuits: Securing Hardware against Probing Attacks [CHES:RP10] Provably Secure Higher- Order Masking of AES [FSE:CPRR13] Higher-Order Side Channel Security and Mask Refreshing [EC:BBDFGS15] formal proofs of masking schemes [eprint:bbdfg15] generation of formally proven masking schemes at any order [FSE:CPRR13] Higher-Order Side Channel Security and Mask Refreshing [EC:BBPPTV16] improvement of the randomness complexity for some multiplications 10/32

27 Outline Power-Analysis Attacks Masking Countermeasure Leakage Models Security in the probing model Construction of Secure Masking Schemes - Composition 11/32

28 Power-Analysis Attacks on Masking Schemes First-order masking compare C (L (v +m),l (m)) to the predictions on v 12/32

29 Power-Analysis Attacks on Masking Schemes 3 rd -order masking compare C (L (v +m 1 ),L (m 2 ),L (m 3 ),L (m 1 +m 2 +m 3 )) to the predictions on v 12/32

30 Security of Masked Programs: Leakage Model convenience for security proofs t-probing model Ishai, Sahai, Wagner Crypto 03 no leak-free gates leak-free gates noisy leakage model Prouff, Rivain Eurocrypt 13 realism 13/32

31 Security of Masked Programs: Leakage Model convenience for security proofs t-probing model Ishai, Sahai, Wagner Crypto 03 reduction Duc, Dziembowski, Faust Eurocrypt 14 no leak-free gates leak-free gates noisy leakage model Prouff, Rivain Eurocrypt 13 realism 13/32

32 Outline Power-Analysis Attacks Masking Countermeasure Leakage Models Security in the probing model Construction of Secure Masking Schemes - Composition 14/32

33 Security in the t-probing model t-probing model assumptions: only one variable is leaking at a time the attacker can get the exact value of at most t variables show that all the t-uples are independent from the secret 15/32

34 Security in the t-probing model v: randomly generated variable c: known constant x: secret variable function Ex-t3(x 1,x 2,x 3,x 4,c): (* x 1,x 2,x 3 = $ *) (* x 4 = x +x 1 +x 2 +x 3 *) r 1 $ r 2 $ y 1 x 1 +r 1 y 2 (x +x 1 +x 2 +x 3 ) +r 2 t 1 x 2 +r 1 t 2 (x 2 +r 1 ) +x 3 y 3 (x 2 +r 1 +x 3 ) +r 2 y 4 c +r 2 return(y 1,y 2,y 3,y 4 ) 16/32

35 Security in the t-probing model v: randomly generated variable c: known constant x: secret variable 1. independent from the secret? function Ex-t3(x 1,x 2,x 3,x 4,c): (* x 1,x 2,x 3 = $ *) (* x 4 = x +x 1 +x 2 +x 3 *) r 1 $ r 2 $ y 1 x 1 +r 1 y 2 (x +x 1 +x 2 +x 3 ) +r 2 t 1 x 2 +r 1 t 2 (x 2 +r 1 ) +x 3 y 3 (x 2 +r 1 +x 3 ) +r 2 y 4 c +r 2 return(y 1,y 2,y 3,y 4 ) 16/32

36 Security in the t-probing model v: randomly generated variable c: known constant x: secret variable 1. independent from the secret? function Ex-t3(x 1,x 2,x 3,x 4,c): (* x 1,x 2,x 3 = $ *) (* x 4 = x +x 1 +x 2 +x 3 *) r 1 $ r 2 $ y 1 x 1 +r 1 y 2 (x +x 1 +x 2 +x 3 ) +r 2 t 1 x 2 +r 1 t 2 (x 2 +r 1 ) +x 3 y 3 (x 2 +r 1 +x 3 ) +r 2 y 4 c +r 2 return(y 1,y 2,y 3,y 4 ) 16/32

37 Security in the t-probing model v: randomly generated variable c: known constant x: secret variable 1. independent from the secret?? function Ex-t3(x 1,x 2,x 3,x 4,c): (* x 1,x 2,x 3 = $ *) (* x 4 = x +x 1 +x 2 +x 3 *) r 1 $ r 2 $ y 1 x 1 +r 1 y 2 (x +x 1 +x 2 +x 3 ) +r 2 t 1 x 2 +r 1 t 2 (x 2 +r 1 ) +x 3 y 3 (x 2 +r 1 +x 3 ) +r 2 y 4 c +r 2 return(y 1,y 2,y 3,y 4 ) 16/32

38 Security in the t-probing model v: randomly generated variable c: known constant x: secret variable 1. independent from the secret? many mistakes function Ex-t3(x 1,x 2,x 3,x 4,c): (* x 1,x 2,x 3 = $ *) (* x 4 = x +x 1 +x 2 +x 3 *) r 1 $ r 2 $ y 1 x 1 +r 1 y 2 (x +x 1 +x 2 +x 3 ) +r 2 t 1 x 2 +r 1 t 2 (x 2 +r 1 ) +x 3 y 3 (x 2 +r 1 +x 3 ) +r 2 y 4 c +r 2 return(y 1,y 2,y 3,y 4 ) 16/32

39 Security in the t-probing model v: randomly generated variable c: known constant x: secret variable function Ex-t3(x 1,x 2,x 3,x 4,c): (* x 1,x 2,x 3 = $ *) (* x 4 = x +x 1 +x 2 +x 3 *) 1. independent from the secret? many mistakes r 1 $ r 2 $ y 1 x 1 +r 1 y 2 (x +x 1 +x 2 +x 3 ) +r 2 t 1 x 2 +r 1 t 2 (x 2 +r 1 ) +x 3 y 3 (x 2 +r 1 +x 3 ) +r 2 y 4 c +r 2 return(y 1,y 2,y 3,y 4 ) 2. test uples missing cases inefficient 16/32

40 Security in the t-probing model Contributions: 1. new algorithm to decide whether a t-uple is independent from the secret no false positive more efficient than existing works 2. new algorithm to enumerate all the t-uples more efficient than existing works Gilles Barthe, Sonia Belaïd, François Dupressoir, Pierre-Alain Fouque, Benjamin Grégoire, and Pierre-Yves Strub. Verified proofs of higher-order masking. EUROCRYPT /32

41 1. Show that a t-uple is independent from the secret Inputs: t intermediate variables, b true (Rule 1) secret variables? yes (Rule 2) no (Rule 2) an expression v is invertible in the only occurrence of a random r? yes v r; (Rule 1) no (Rule 3) (Rule 3) is flag b = true? yes simplify; b false; (Rule 1) no function Ex-t3(x 1,x 2,x 3,x 4,c): r 1 $ r 2 $ y 1 x 1 +r 1 y 2 (x +x 1 +x 2 +x 3 ) +r 2 t 1 x 2 +r 1 t 2 (x 2 +r 1 ) +x 3 y 3 (x 2 +r 1 +x 3 ) +r 2 y 4 c +r 2 return(y 1,y 2,y 3,y 4 ) distribution independent from the secret might be used for an attack 18/32

42 1. Show that a t-uple is independent from the secret Inputs: t intermediate variables, b true (Rule 1) secret variables? yes (Rule 2) no (Rule 2) an expression v is invertible in the only occurrence of a random r? yes v r; (Rule 1) no (Rule 3) (Rule 3) is flag b = true? yes simplify; b false; (Rule 1) no function Ex-t3(x 1,x 2,x 3,x 4,c): r 1 $ r 2 $ y 1 x 1 +r 1 y 2 (x +x 1 +x 2 +x 3 ) +r 2 t 1 x 2 +r 1 t 2 (x 2 +r 1 ) +x 3 y 3 (x 2 +r 1 +x 3 ) +r 2 y 4 c +r 2 return(y 1,y 2,y 3,y 4 ) distribution independent from the secret might be used for an attack 18/32

43 1. Show that a t-uple is independent from the secret Inputs: t intermediate variables, b true (Rule 1) secret variables? yes (Rule 2) no (Rule 2) an expression v is invertible in the only occurrence of a random r? yes v r; (Rule 1) no (Rule 3) (Rule 3) is flag b = true? yes simplify; b false; (Rule 1) no function Ex-t3(x 1,x 2,x 3,x 4,c): r 1 $ r 2 $ y 1 x 1 +r 1 y 2 (x +x 1 +x 2 +x 3 ) +r 2 t 1 x 2 +r 1 t 2 (x 2 +r 1 ) +x 3 y 3 (x 2 +r 1 +x 3 ) +r 2 y 4 c +r 2 return(y 1,y 2,y 3,y 4 ) distribution independent from the secret might be used for an attack 18/32

44 1. Show that a t-uple is independent from the secret Inputs: t intermediate variables, b true (Rule 1) secret variables? yes (Rule 2) no (Rule 2) an expression v is invertible in the only occurrence of a random r? yes v r; (Rule 1) no (Rule 3) (Rule 3) is flag b = true? yes simplify; b false; (Rule 1) no function Ex-t3(x 1,x 2,x 3,x 4,c): r 1 $ r 2 $ y 1 x 1 +r 1 y 2 x 3 t 1 x 2 +r 1 t 2 (x 2 +r 1 ) +x 3 y 3 (x 2 +r 1 +x 3 ) +r 2 y 4 c +r 2 return(y 1,y 2,y 3,y 4 ) distribution independent from the secret might be used for an attack 18/32

45 2. Extension to All Possible Sets Problem: n intermediate variables ( n t ) proofs 19/32

46 2. Extension to All Possible Sets Problem: n intermediate variables ( n t ) proofs New Idea: proofs for sets of more than t variables find larger sets which cover all the intermediate variables is a hard problem two algorithms efficient in practice 19/32

47 2. Extension to All Possible Sets Problem: n intermediate variables ( n t ) proofs New Idea: proofs for sets of more than t variables find larger sets which cover all the intermediate variables is a hard problem two algorithms efficient in practice Algorithm 1: 19/32

48 2. Extension to All Possible Sets Problem: n intermediate variables ( n t ) proofs New Idea: proofs for sets of more than t variables find larger sets which cover all the intermediate variables is a hard problem two algorithms efficient in practice X Algorithm 1: 1. select X = (t variables) and prove its independence 19/32

49 2. Extension to All Possible Sets Problem: n intermediate variables ( n t ) proofs New Idea: proofs for sets of more than t variables find larger sets which cover all the intermediate variables is a hard problem two algorithms efficient in practice X X Algorithm 1: 1. select X = (t variables) and prove its independence 2. extend X to X with more but still independence 19/32

50 2. Extension to All Possible Sets Problem: n intermediate variables ( n t ) proofs New Idea: proofs for sets of more than t variables find larger sets which cover all the intermediate variables is a hard problem two algorithms efficient in practice X X ( ) C X Algorithm 1: 1. select X = (t variables) and prove its independence 2. extend X to X with more but still independence ( ) 3. recursively descend in set C X 19/32

51 2. Extension to All Possible Sets Problem: n intermediate variables ( n t ) proofs New Idea: proofs for sets of more than t variables find larger sets which cover all the intermediate variables is a hard problem two algorithms efficient in practice X X ( ) C X Algorithm 1: 1. select X = (t variables) and prove its independence 2. extend X to X with more but still independence ( ) 3. recursively descend in set C X 4. merge X ( ) and C X once they are processed separately. 19/32

52 2. Extension to All Possible Sets: Example function Ex-t3(x 1,x 2,x 3,x 4,c): r 1 $ r 2 $ y 1 x 1 +r 1 y 2 (x +x 1 +x 2 +x 3 ) +r 2 t 1 x 2 +r 1 t 2 (x 2 +r 1 ) +x 3 y 3 (x 2 +r 1 +x 3 ) +r 2 y 4 c +r 2 return(y 1,y 2,y 3,y 4 ) 20/32

53 2. Extension to All Possible Sets: Example X: function Ex-t3(x 1,x 2,x 3,x 4,c): r 1 $ r 2 $ y 1 x 1 +r 1 y 2 (x +x 1 +x 2 +x 3 ) +r 2 t 1 x 2 +r 1 t 2 (x 2 +r 1 ) +x 3 y 3 (x 2 +r 1 +x 3 ) +r 2 y 4 c +r 2 return(y 1,y 2,y 3,y 4 ) 20/32

54 2. Extension to All Possible Sets: Example X: function Ex-t3(x 1,x 2,x 3,x 4,c): r 1 $ r 2 $ y 1 x 1 +r 1 y 2 (x +x 1 +x 2 +x 3 ) +r 2 t 1 x 2 +r 1 t 2 (x 2 +r 1 ) +x 3 y 3 (x 2 +r 1 +x 3 ) +r 2 y 4 c +r 2 return(y 1,y 2,y 3,y 4 ) 20/32

55 2. Extension to All Possible Sets: Example X: C ( X): function Ex-t3(x 1,x 2,x 3,x 4,c): r 1 $ r 2 $ y 1 x 1 +r 1 y 2 (x +x 1 +x 2 +x 3 ) +r 2 t 1 x 2 +r 1 t 2 (x 2 +r 1 ) +x 3 y 3 (x 2 +r 1 +x 3 ) +r 2 y 4 c +r 2 return(y 1,y 2,y 3,y 4 ) 20/32

56 2. Extension to All Possible Sets: Example X: function Ex-t3(x 1,x 2,x 3,x 4,c): r 1 $ r 2 $ y 1 x 1 +r 1 C ( X): merge X and C ( X): y 2 (x +x 1 +x 2 +x 3 ) +r 2 t 1 x 2 +r 1 t 2 (x 2 +r 1 ) +x 3 y 3 (x 2 +r 1 +x 3 ) +r 2 y 4 c +r 2 return(y 1,y 2,y 3,y 4 ) 20/32

57 2. Extension to All Possible Sets: Example X: C ( X): merge X and C ( X): function Ex-t3(x 1,x 2,x 3,x 4,c): r 1 $ r 2 $ y 1 x 1 +r 1 y 2 (x +x 1 +x 2 +x 3 ) +r 2 t 1 x 2 +r 1 t 2 (x 2 +r 1 ) +x 3 y 3 (x 2 +r 1 +x 3 ) +r 2 y 4 c +r 2 return(y 1,y 2,y 3,y 4 ) 207 proofs instead of /32

58 Application to the Sbox [CPRR13, Algorithm 4] Method # tuples Security Complexity # sets time* First-Order Masking naive s Alg s Alg s Second-Order Masking naive 12, s Alg. 1 12, s Alg s Third-Order Masking naive 4,499, s Alg. 1 4,499,950 68, s Alg. 2 33, s Fourth-Order Masking naive - unpractical Alg. 1 2,277,036,685 8,852, s Alg. 2 3,343, s *run on a headless VM with a dual core (only one core is used in the computation) 64-bit processor clocked at 2GHz 21/32

59 Benchmarks Reference Target # tuples Security Complexity # sets time (s) First-Order Masking FSE13 full AES 17,206 3, MAC-SHA3 full Keccak-f 13,466 5, Second-Order Masking RSA06 Sbox 1,188,111 4, CHES10 Sbox 7,140 1 st -order flaws (2) CHES10 AES KS 23,041, , ,745 FSE13 2 rnds AES 25,429, ,865 1,295 FSE13 4 rnds AES 109,571,806 2,317,593 40,169 Third-Order Masking RSA06 Sbox 2,057,067,320 3 rd -order flaws (98,176) 2,013, FSE13 Sbox(4) 4,499,950 33, FSE13 Sbox(5) 4,499,950 39, Fourth-Order Masking FSE13 Sbox (4) 2,277,036,685 3,343, Fifth-Order Masking CHES10 216,071, , /32

60 Outline Power-Analysis Attacks Masking Countermeasure Leakage Models Security in the probing model Construction of Secure Masking Schemes - Composition 23/32

61 Current Issues in Composition 24/32

62 Current Issues in Composition 24/32

63 Current Issues in Composition A refresh algorithm takes as input a sharing (x i ) i 0 of x and returns a new sharing (x i ) i 0 of x such that (x i ) i 1 and (x i ) i 1 are mutually independent. 24/32

64 Current Issues in Composition A refresh algorithm takes as input a sharing (x i ) i 0 of x and returns a new sharing (x i ) i 0 of x such that (x i ) i 1 and (x i ) i 1 are mutually independent. 24/32

65 Current Issues in Composition A refresh algorithm takes as input a sharing (x i ) i 0 of x and returns a new sharing (x i ) i 0 of x such that (x i ) i 1 and (x i ) i 1 are mutually independent. 24/32

66 Composition in the t-probing model Contributions: 1. new algorithm to verify the security of compositions formal security any order 2. compiler to build a higher-order secure scheme from any C implementation efficient any order Gilles Barthe, Sonia Belaïd, François Dupressoir, Pierre-Alain Fouque, and Benjamin Grégoire. Compositional Verification of Higher-Order Masking Application to a Verifying Masking Compiler. eprint /32

67 Security properties in the t-probing model if t is fixed: show that any set of t intermediate variables is independent from the secret 26/32

68 Security properties in the t-probing model if t is fixed: show that any set of t intermediate variables is independent from the secret if t is not fixed: show that any set of t intermediate variables can be simulated with at most t shares of each input a 0 a 1 a 2 a 3 (= a +a 0 +a 1 +a 2 ) c 0 c 1 c 2 c /32

69 Security properties in the t-probing model if t is fixed: show that any set of t intermediate variables is independent from the secret if t is not fixed: show that any set of t intermediate variables can be simulated with at most t shares of each input a 0 a 1 a 2 a 3 (= a +a 0 +a 1 +a 2 ) 3 function Linear-function-t(a 0,...,a i,...a t ): for i = 0 to t c i f (a i ) return (c 0,...,c i,...,c t ) c 0 c 1 c 2 c 3 straightforward for linear functions 26/32

70 Security properties in the t-probing model if t is fixed: show that any set of t intermediate variables is independent from the secret if t is not fixed: show that any set of t intermediate variables can be simulated with at most t shares of each input a 0 a 1 a 2 a 3 (= a +a 0 +a 1 +a 2 ) 3 function Linear-function-t(a 0,...,a i,...a t ): for i = 0 to t c i f (a i ) return (c 0,...,c i,...,c t ) c 0 c 1 c 2 c 3 straightforward for linear functions 26/32

71 Security properties in the t-probing model if t is fixed: show that any set of t intermediate variables is independent from the secret if t is not fixed: show that any set of t intermediate variables can be simulated with at most t shares of each input a 0 a 1 a 2 a 3 (= a +a 0 +a 1 +a 2 ) 3 function Linear-function-t(a 0,...,a i,...a t ): for i = 0 to t c i f (a i ) return (c 0,...,c i,...,c t ) c 0 c 1 c 2 c 3 straightforward for linear functions formal proofs with EasyCrypt and pen-and paper proofs for small non-linear functions 26/32

72 Current Issues t 0 A 0 Constraint: t 0 +t 1 +t 2 +t 3 t t 2 A 2 A 1 t 1 A 3 t 3 27/32

73 Current Issues t 0 A 0 Constraint: t 0 +t 1 +t 2 +t 3 t t 2 A 2 A 1 t 1 A 3 t 3 27/32

74 Current Issues t 0 A 0 Constraint: t 0 +t 1 +t 2 +t 3 t t 2 + t 3 A 2 A 1 t 1 + t 3 A 3 27/32

75 Current Issues t 0 A 0 Constraint: t 0 +t 1 +t 2 +t 3 t t 2 + t 3 A 2 A 1 t 1 + t 3 A 3 27/32

76 Current Issues t 0 A 0 Constraint: t 0 +t 1 +t 2 +t 3 t A 2 A 1 t 1 + t 3 + t 2 + t 3 A 3 27/32

77 Current Issues t 0 A 0 Constraint: t 0 +t 1 +t 2 +t 3 t A 2 A 1 t 1 + t 2 + 2t 3 t? A 3 27/32

78 Current Issues t 0 A 0 Constraint: t 0 +t 1 +t 2 +t 3 t A 2 A 1 t 1 + t 2 + 2t 3 t? A 3 27/32

79 Current Issues t 0 A 0 Constraint: t 0 +t 1 +t 2 +t 3 +t r t t 2 A 2 A 1 t 1 t r A 3 t 3 27/32

80 Current Issues t 0 A 0 Constraint: t 0 +t 1 +t 2 +t 3 +t r t t 2 A 2 A 1 t 1 t r A 3 t 3 27/32

81 Current Issues t 0 A 0 Constraint: t 0 +t 1 +t 2 +t 3 +t r t t 2 + t 3 A 2 A 1 t 1 t r + t 3 A 3 27/32

82 Current Issues t 0 A 0 Constraint: t 0 +t 1 +t 2 +t 3 +t r t t 2 + t 3 A 2 A 1 t 1 t r + t 3 A 3 27/32

83 Current Issues t 0 A 0 Constraint: t 0 +t 1 +t 2 +t 3 +t r t A 2 A 1 t 1 + t 2 + 2t 3 + t r t? A 3 27/32

84 Stronger security property for Refresh Strong Non-Interference in the t-probing model: if t is not fixed: show that any set of t intermediate variables with - t 1 on internal variables - t 2 = t t 1 on the outputs can be simulated with at most t 1 shares of each input a 0 a 1 a 2 a 3 2 internal c 0 c 1 c 2 c output observation 28/32

85 Secure Composition t 0 A 0 Constraint: t 0 +t 1 +t 2 +t 3 +t r t t 2 A 2 A 1 t 1 t r A 3 t 3 29/32

86 Secure Composition t 0 A 0 Constraint: t 0 +t 1 +t 2 +t 3 +t r t t 2 A 2 A 1 t 1 t r A 3 t 3 29/32

87 Secure Composition t 0 A 0 Constraint: t 0 +t 1 +t 2 +t 3 +t r t t 2 + t 3 A 2 A 1 t 1 t r internal +t 3 output A 3 29/32

88 Secure Composition t 0 A 0 Constraint: t 0 +t 1 +t 2 +t 3 +t r t t 2 + t 3 A 2 A 1 t 1 t r internal +t 3 output A 3 29/32

89 Secure Composition t 0 A 0 Constraint: t 0 +t 1 +t 2 +t 3 +t r t A 2 A 1 t 1 + t 2 + t 3 + t r t 3 output A 3 29/32

90 Secure Composition t 0 A 0 Constraint: t 0 +t 1 +t 2 +t 3 +t r t A 2 A 1 t 1 + t 2 + t 3 + t r t 3 output A 3 29/32

91 Secure Composition t 0 + t 1 + t 2 + t 3 + t r A 0 Constraint: t 0 +t 1 +t 2 +t 3 +t r t A 1 A 2 t 3 output A 3 29/32

92 Secure Composition t 0 + t 1 + t 2 + t 3 + t r t A 0 Constraint: t 0 +t 1 +t 2 +t 3 +t r t A 1 A 2 t 3 output A 3 29/32

93 Secure Composition Automatic tool for C-based algorithms unprotected algorithm higher-order masked algorithm example for AES S-box x 2 30/32

94 Secure Composition Automatic tool for C-based algorithms unprotected algorithm higher-order masked algorithm example for AES S-box x x /32

95 Secure Composition Automatic tool for C-based algorithms unprotected algorithm higher-order masked algorithm example for AES S-box x x /32

96 Secure Composition Automatic tool for C-based algorithms unprotected algorithm higher-order masked algorithm example for AES S-box x x x /32

97 Some Results Resource usage statistics for generating masked algorithms (at any order) from some unmasked implementations 1 Scheme # Refresh Time Memory AES ( ) 2/Sbox 0.09s 4Mo AES (x g(x)) s 4Mo Keccak with Refresh Mo Keccak s 22870Mo Simon s 15Mo Speck s 38Mo 1 On a Intel(R) Xeon(R) CPU E GHz with 64Go of memory running Linux (Fedora) 31/32

98 Some Results Resource usage statistics for generating masked algorithms (at any order) from some unmasked implementations 1 Scheme # Refresh Time Memory AES ( ) 2/Sbox 0.09s 4Mo AES (x g(x)) s 4Mo Keccak with Refresh s 456Mo Keccak s 22870Mo Simon s 15Mo Speck s 38Mo 1 On a Intel(R) Xeon(R) CPU E GHz with 64Go of memory running Linux (Fedora) 31/32

99 Conclusion Masking Realism models close enough to the reality Security Proofs formal proofs of security [EC15] formal proofs of masking schemes Efficiency [EC16] improvement of the randomness complexity for some multiplications [eprint15] generation of formally proven masking schemes at any order 32/32

100 Conclusion Masking Realism models close enough to the reality Security Proofs formal proofs of security [EC15] formal proofs of masking schemes Efficiency [EC16] improvement of the randomness complexity for some multiplications [eprint15] generation of formally proven masking schemes at any order extend the verification to higher orders using composition 32/32

101 Conclusion Masking Realism models close enough to the reality Security Proofs formal proofs of security [EC15] formal proofs of masking schemes Efficiency [EC16] improvement of the randomness complexity for some multiplications [eprint15] generation of formally proven masking schemes at any order extend the verification to higher orders using composition integrate transition/glitch-based model 32/32

102 Conclusion Masking Realism models close enough to the reality Security Proofs formal proofs of security [EC15] formal proofs of masking schemes Efficiency [EC16] improvement of the randomness complexity for some multiplications [eprint15] generation of formally proven masking schemes at any order extend the verification to higher orders using composition integrate transition/glitch-based model build practical experiments for both attacks and new countermeasures 32/32

103 Conclusion Masking Security Efficiency Realism models close enough to the reality Proofs formal proofs of security [EC15] formal proofs of masking schemes [EC16] improvement of the randomness complexity for some multiplications still reduce the randomness in multiplications [eprint15] generation of formally proven masking schemes at any order extend the verification to higher orders using composition integrate transition/glitch-based model build practical experiments for both attacks and new countermeasures 32/32

Formal Verification of Side-Channel Countermeasures

Formal Verification of Side-Channel Countermeasures Sonia Belaïd June 5th 2018 1 / 35 1 Side-Channel Attacks 2 Masking 3 Formal Tools Verification of Masked Implementations at Fixed Order Verification