Glitch-Resistant Masking Revisited, or Why Proofs in the Robust Probing Model are Needed
Thorben Moos¹, Amir Moradi¹, Tobias Schneider² and François-Xavier Standaert²
¹ Horst Görtz Institute for IT Security, Ruhr-Universität Bochum, Germany
² ICTEAM/ELEN/Crypto Group, Université catholique de Louvain, Belgium
August 27th, 2019
Section 1
Introduction
Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 1
Physical Attacks (Introduction)
[Figure: device F with input x = (x1, x2, ..., xn), key k = (k1, k2, ..., kn) and output y = (y1, y2, ..., yn); the device emits leakage while computing.]
• Physical characteristics used to extract secrets:
  • Timing
  • Power
  • EM
• Countermeasures to increase attack complexity:
  • Masking
  • Hiding
  • Re-keying
Concept of Masking (Introduction)
[Figure: masked device F′ operating on the shares x1, x2, ..., xn of x and k1, k2, ..., kn of k, and producing the shares y1, y2, ..., yn of y.]
• Encode sensitive variables into shares
• Compute securely on shares
• Decode at the end to recover the result
Masking, if implemented correctly, increases the attack complexity exponentially in the number of shares (assuming sufficient noise).
Security Notions (Introduction)
• Masked algorithms can be proven secure
• Common solution: probing model¹
Definition (t-Probing Security)
A circuit C is t-probing secure if and only if every t-tuple of its intermediate variables is independent of any sensitive variable.
[Figure: chain x → F1 → F2 → F3 → y with probes placed on intermediate wires.]
Example:
• 3rd-order masking
• Any possible combination of three probes should not reveal the secret
¹ Y. Ishai, A. Sahai and D. Wagner, Private Circuits: Securing Hardware against Probing Attacks, CRYPTO 2003
Security Notions (Introduction)
• Scales badly with the number of probes and the complexity of the algorithm
• Prove smaller sub-gadgets and compose securely
[Figure: gadgets F1, F2, F3 proven individually, then composed into chains F1 → F2 → F3.]
• Common solution: (Strong) Non-Interference²
Definition (t-(Strong) Non-Interference)
A circuit gadget G is t-(Strong) Non-Interfering (t-(S)NI) if and only if for any set of t1 probes on its intermediate values and every set of t2 probes on its output shares with t1 + t2 ≤ t, the totality of the probes can be simulated with t1 + t2 (only t1) shares of each input.
² G. Barthe, S. Belaïd, F. Dupressoir, P.-A. Fouque, B. Grégoire, P.-Y. Strub and R. Zucchini, Strong Non-Interference and Type-Directed Higher-Order Masking, CCS 2016
Potential Flaws (Introduction)
Local flaw: the probing security of a masked module is reduced.
[Figure: example with 2nd-order masking of a single module F1.]
Compositional flaw: the probing security of a composition of modules is reduced.
[Figure: example with 2nd-order masking of the composition F1 → F2.]
Robust Probing (Introduction)
• Physical defaults (glitches, transitions, coupling) reduce the masking order in practice
• Numerous higher-order hardware-oriented masking schemes:
  • CMS: Consolidated Masking Schemes
  • DOM: Domain-Oriented Masking
  • UMA: Unified Masking Approach
  • GLM: Generic Low-Latency Masking
• Due to the lack of a model: mostly focused on glitch-resistant (local) probing security
• Dedicated extension of the probing model to hardware masking: the robust probing model
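To make the difference between standard probes and glitch-extended probes concrete, here is an added example (not code from the paper or from any of the schemes it cites) that exhaustively checks a small masked AND gadget against the t-probing definition above. The netlist is an assumption: a 2-share DOM-style AND with one fresh random bit z, built once with and once without a register stage on the cross terms, so the effect of register placement shows up directly.

```python
"""Exhaustive probing-security check of a small masked AND gadget, comparing
standard probes with glitch-extended (robust probing model) probes.
Added example; the 2-share DOM-style netlist with one random bit z is an
assumption chosen to keep the state space tiny."""
import itertools
from collections import Counter
from functools import reduce
from operator import and_, xor

# Assumed sharing: a = a0 ^ a1, b = b0 ^ b1, with uniformly random shares.
SHARES = {'a': ('a0', 'a1'), 'b': ('b0', 'b1')}


def dom_and(with_register):
    """Netlist as wire -> (op, *operands); ops are 'in', 'xor', 'and', 'reg'.
    c0 = a0b0 ^ [a0b1 ^ z], c1 = a1b1 ^ [a1b0 ^ z]; the bracketed cross terms
    are registered before the final XOR when with_register is True."""
    c = {
        'a0': ('in',), 'a1': ('in',), 'b0': ('in',), 'b1': ('in',), 'z': ('in',),
        'a0b0': ('and', 'a0', 'b0'), 'a0b1': ('and', 'a0', 'b1'),
        'a1b0': ('and', 'a1', 'b0'), 'a1b1': ('and', 'a1', 'b1'),
        'x01': ('xor', 'a0b1', 'z'), 'x10': ('xor', 'a1b0', 'z'),
    }
    if with_register:
        c['r01'], c['r10'] = ('reg', 'x01'), ('reg', 'x10')
        c['c0'], c['c1'] = ('xor', 'a0b0', 'r01'), ('xor', 'a1b1', 'r10')
    else:
        c['c0'], c['c1'] = ('xor', 'a0b0', 'x01'), ('xor', 'a1b1', 'x10')
    return c


def evaluate(circuit, inputs):
    """Value of every wire for one assignment of the input wires."""
    vals = {}

    def ev(w):
        if w not in vals:
            op = circuit[w]
            if op[0] == 'in':
                vals[w] = inputs[w]
            elif op[0] == 'reg':  # same value, one clock cycle later
                vals[w] = ev(op[1])
            else:
                gate = xor if op[0] == 'xor' else and_
                vals[w] = gate(ev(op[1]), ev(op[2]))
        return vals[w]

    for w in circuit:
        ev(w)
    return vals


def extended_probe(circuit, wire):
    """Glitch-extended probe: a probe on a combinational wire may observe every
    stable signal (primary input or register output) in its fan-in cone.
    A register cuts the cone, which is why register placement matters."""
    op = circuit[wire]
    if op[0] in ('in', 'reg'):
        return {wire}
    return set().union(*(extended_probe(circuit, x) for x in op[1:]))


def is_probing_secure(circuit, t, shares_of, glitches):
    """(True, None) if every t-tuple of probes has a joint distribution that is
    independent of the secrets, else (False, offending_probes). Every input
    assignment is equally likely because shares and randomness are uniform."""
    inputs = [w for w, op in circuit.items() if op[0] == 'in']
    for probes in itertools.combinations(circuit, t):
        observed = set()
        for p in probes:
            observed |= extended_probe(circuit, p) if glitches else {p}
        observed = sorted(observed)
        by_secret = {}  # secret values -> Counter of observed tuples
        for bits in itertools.product((0, 1), repeat=len(inputs)):
            vals = evaluate(circuit, dict(zip(inputs, bits)))
            secret = tuple(reduce(xor, (vals[s] for s in sh))
                           for sh in shares_of.values())
            view = tuple(vals[w] for w in observed)
            by_secret.setdefault(secret, Counter())[view] += 1
        dists = list(by_secret.values())
        if any(d != dists[0] for d in dists[1:]):
            return False, probes
    return True, None


def is_correct(circuit, shares_of):
    """Unmasked output c0 ^ c1 must equal a AND b for every input."""
    inputs = [w for w, op in circuit.items() if op[0] == 'in']
    for bits in itertools.product((0, 1), repeat=len(inputs)):
        vals = evaluate(circuit, dict(zip(inputs, bits)))
        a, b = (reduce(xor, (vals[s] for s in sh)) for sh in shares_of.values())
        if vals['c0'] ^ vals['c1'] != a & b:
            return False
    return True


if __name__ == '__main__':
    for reg in (True, False):
        g = dom_and(reg)
        for glitch in (False, True):
            print('register', reg, 'glitches', glitch,
                  is_probing_secure(g, 1, SHARES, glitch))
```

Without the register, the variant passes the standard 1-probe check but fails under glitch-extended probes: a probe on c0 then sees a0, b0, b1 and z at once, and b0 ^ b1 is the secret b.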
Overview (Introduction)
In this paper:
• Analysis of higher-order HW masking schemes
  • CMS: local
  • DOM: local
  • UMA: compositional
  • GLM: local + compositional
• Experiments and evaluation of the practical impact of the flaws
• Conclusion: always verify local and compositional security in an adequate model
Strong case for a unified HW security notion (e.g., the robust probing model)
Disclaimer
Most of the flaws are in instantiations/compositions which are not explicitly given in the sources, and their specific instantiations at lower orders should not be affected by our flaws. The discussed flaws can still result in insecure designs when used by others.
Section 2
Local Flaws
Consolidated Masking Scheme (Local Flaws)
[Figure: CMS 2nd-order masking.]
• First proposed at CRYPTO 2015 as a d+1 masking scheme
• Then used at CHES 2016 to mask AES with d+1 shares for d=1 and d=2
• "Our construction is generic and can be extended to higher orders"
• "The ring structure of the refreshing in the general, higher-order case..."
Consolidated Masking Scheme (Local Flaws)
[Figures: CMS 2nd-order masking next to its 3rd-order extension.]
Consolidated Masking Scheme (Local Flaws)
• Local flaw: attack with 3 standard probes
• Authors already proposed a fix
• Compositional security is still an open issue
In paper: Domain-Oriented Masking
(⌈d/2⌉ + 1)th-order flaw with extended probes for the DOM-dep multiplication
[Figure: CMS 3rd-order masking.]
![Page 25: Glitch-Resistant Masking Revisited - or Why Proofs in the ... · Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert j Glitch-Resistant Masking Revisited j](https://reader033.fdocuments.in/reader033/viewer/2022050406/5f83a4cd318a57433c353284/html5/thumbnails/25.jpg)
Consolidated Masking SchemeLocal Flaws
• Local Flaw: Attack with 3 standard probes• Authors already proposed fix• Compositional security is still open issue
In Paper: Domain-Oriented Masking
(dd/2e+ 1)th-order flaw with extended probesfor DOM-dep multiplication
3rd-order maskingThorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 12
![Page 26: Glitch-Resistant Masking Revisited - or Why Proofs in the ... · Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert j Glitch-Resistant Masking Revisited j](https://reader033.fdocuments.in/reader033/viewer/2022050406/5f83a4cd318a57433c353284/html5/thumbnails/26.jpg)
Consolidated Masking SchemeLocal Flaws
• Local Flaw: Attack with 3 standard probes• Authors already proposed fix• Compositional security is still open issue
In Paper: Domain-Oriented Masking
(dd/2e+ 1)th-order flaw with extended probesfor DOM-dep multiplication
3rd-order maskingThorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert | Glitch-Resistant Masking Revisited | August 27th, 2019 12
![Page 27: Glitch-Resistant Masking Revisited - or Why Proofs in the ... · Thorben Moos, Amir Moradi, Tobias Schneider and François-Xavier Standaert j Glitch-Resistant Masking Revisited j](https://reader033.fdocuments.in/reader033/viewer/2022050406/5f83a4cd318a57433c353284/html5/thumbnails/27.jpg)
Section 3
Compositional Flaws
Generic Low-Latency Masking (Compositional Flaws)
In paper: Unified Masking Approach, a systematic composability flaw
• Introduced at CHES 2018
• Proposes to use the CMS refresh R
• Suffers from the same flaws
  • Local flaw
  • Compositional flaw
• Fix requires a secure refresh algorithm with low latency
On the Need of the Robust Probing Model (Compositional Flaws)
[Figures: a TI gadget computing c from inputs x, y, z, followed by an SNI refresh R and one register stage S1 that yield x′, y′, c′; the same construction with two register stages S1 and S2.]
• Security depends on combinatorial combinations, refreshes, register stages
• Not sufficient to solve glitch-resistance and composability separately
• Example: non-completeness and SNI
• Solution: unified model
• Note: TI can be composable, but hard to formally prove for higher orders
Section 4
Practical Impact
Experiments (Practical Impact)
• SAKURA-G (Spartan-6 FPGA), clock: 6 MHz, sampling: 500 MS/s
• Leakage detection with fixed-vs-random t-test
Results:
• All flaws are practically detectable / do not necessarily reduce practical security
• Biases caused by the flaws have low amplitude
• All order reductions are multivariate
[Plots of t-statistics over time samples: (a) 3rd-order multivariate (CMS), samples 0 to 400, t ranging from about −5 to 10; (b) 4th-order univariate (CMS), samples 0 to 1000, t ranging from about −10 to 20.]
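An added example of the fixed-vs-random t-test used in the evaluation above, written for this page rather than taken from the paper's measurement setup: it computes per-sample Welch t-statistics at first order and in the univariate higher-order variant (centred, and for d > 2 standardised, d-th powers per trace set), on traces constructed by hand so that the leaking sample and the customary 4.5 threshold can be checked exactly.

```python
"""Fixed-vs-random Welch t-test leakage detection on constructed traces.
Added example, not the paper's evaluation code. For order d > 1 each sample
column is centred per set (and standardised for d > 2) and raised to the d-th
power before the t-test, the usual univariate higher-order variant."""
import math

THRESHOLD = 4.5  # |t| above this is the customary 'leakage detected' line


def _moments(xs):
    """Sample mean and unbiased sample variance."""
    n = len(xs)
    mean = sum(xs) / n
    return mean, sum((x - mean) ** 2 for x in xs) / (n - 1)


def preprocess(column, d):
    """d-th order preprocessing of one sample column of one trace set."""
    if d == 1:
        return list(column)
    mean, var = _moments(column)
    if d == 2:
        return [(x - mean) ** 2 for x in column]
    sd = math.sqrt(var)
    return [((x - mean) / sd) ** d if sd else 0.0 for x in column]


def welch_t(fixed, random, d=1):
    """Per-sample Welch t-statistics between the two trace sets."""
    t = []
    for i in range(len(fixed[0])):
        mf, vf = _moments(preprocess([tr[i] for tr in fixed], d))
        mr, vr = _moments(preprocess([tr[i] for tr in random], d))
        denom = math.sqrt(vf / len(fixed) + vr / len(random))
        t.append((mf - mr) / denom if denom else 0.0)
    return t


def leaking_samples(fixed, random, d=1):
    """Indices whose |t| exceeds THRESHOLD at order d."""
    return [i for i, v in enumerate(welch_t(fixed, random, d)) if abs(v) > THRESHOLD]


def constructed_traces(leak_index, order, n=100):
    """n + n constructed traces of 8 samples. Both sets share a deterministic
    'noise' pattern, so t is exactly 0 everywhere except at leak_index, where
    order 1 gives the fixed set a mean offset and order 2 gives it the same
    mean but a wider spread (invisible to a first-order test)."""
    fixed, random = [], []
    for j in range(n):
        if order == 1:
            base = [10 + (1 if j % 2 == 0 else -1)] * 8
            f = list(base)
            f[leak_index] += 3
        else:
            base = [10 + (0, 1, 0, -1)[j % 4]] * 8
            f = list(base)
            f[leak_index] = 10 + (0, 2, 0, -2)[j % 4]
        random.append(base)
        fixed.append(f)
    return fixed, random


if __name__ == '__main__':
    for order in (1, 2):
        f, r = constructed_traces(5, order)
        for d in (1, 2):
            print(f'data order {order}, test order {d}:', leaking_samples(f, r, d))
```

The second-order data set passes the first-order test and only fails at second order, which is the sense in which a flaw can be present yet invisible to a lower-order test.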
Composability in Hardware - A Matter of Registers (Practical Impact)
[Figure: 3-share multiplier with partial products b1x1, b2x1, b3x1, b1x2, b2x2, b3x2, b1x3, b2x3, b3x3, fresh randomness r, register stages (marked X) and output shares c1, c2, c3; the output registers are highlighted in red.]
• Register placement is essential
• Used by TI: glitch propagation
• For DOM it was initially claimed that the DOM-indep multiplier does not require output registers
• Without output registers (red) the construction is not composable
• Pipeline registers can be important
Section 5
Conclusion
Summary (Conclusion)
• Extensive security proofs not yet established in HW masking
• Lack of an appropriate model for higher orders and composability
Our results show:
• No HW masking scheme provides local and compositional higher-order security
• Practical impact could be limited, but the flaws are still an undesirable source of risk
• Currently: only the adapted DOM-indep multiplication was robustly proven secure
In the future:
• Fix flaws and prove existing schemes
• Design new (improved) schemes
Thank you for your attention.
Any questions?
Section 6
Backup
Security Notions (Backup)

Example:

[Figure: a gadget F with input shares x1, x2, ..., xn and output shares y1, y2, ..., yn, with probes t1 and t2 placed on it.]

Simulate with
• NI: 2 + 1 = 3 input shares
• SNI: 2 = 2 input shares

• Enables reasoning about secure composition of modules
• Has been used to prove various SW-oriented masked algorithms/gadgets
• Alternative notions allow trade-offs, e.g., PINI [3]

[3] G. Cassiers, F.-X. Standaert, Trivially and Efficiently Composing Masked Gadgets with Probe Isolating Non-Interference, eprint 2018/438
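The NI/SNI counting rule above, applied to a first-order DOM-indep AND gadget in an added Python example (not the authors' code): it brute-forces how many input shares a probe set needs for perfect simulation, once with standard probes and once with glitch-extended probes as in the robust probing model. The gadget structure (four partial products, a register stage, combinational output XORs) and the fan-in map used for glitch extension are modelling assumptions made here.

```python
from itertools import product

# Constructed model of a first-order DOM-indep AND gadget: shares (a0, a1), (b0, b1), one random bit r.
INPUT_SHARES = ("a0", "a1", "b0", "b1")

def dom_wires(a0, a1, b0, b1, r):
    """All named wires of the gadget for one assignment of input shares and randomness."""
    t00, t11 = a0 & b0, a1 & b1                   # inner-domain terms
    t01, t10 = (a0 & b1) ^ r, (a1 & b0) ^ r       # cross-domain terms, refreshed by r
    regs = {"t00": t00, "t11": t11, "t01": t01, "t10": t10}  # register stage (assumed)
    return {**regs, "c0": t00 ^ t01, "c1": t11 ^ t10}         # combinational output XORs

def glitch_extend(probe):
    """Robust probing model: a probe on combinational logic leaks every register
    output in its fan-in; register outputs and raw inputs leak only themselves."""
    fanin = {"c0": ("t00", "t01"), "c1": ("t11", "t10")}     # assumed fan-in map
    return fanin.get(probe, (probe,))

def probe_distribution(wires, x):
    """Distribution of the probed tuple over uniform r, for fixed input shares x."""
    counts = {}
    for r in (0, 1):
        w = dom_wires(*x, r)
        w.update(zip(INPUT_SHARES, x))             # the inputs themselves can be probed
        tup = tuple(w[n] for n in wires)
        counts[tup] = counts.get(tup, 0) + 1
    return frozenset(counts.items())

def shares_needed(probes, glitches=False):
    """Smallest (#a-shares, #b-shares) from which the probes can be perfectly simulated,
    i.e. the probe distribution depends on those input shares only."""
    wires = tuple(n for p in probes for n in (glitch_extend(p) if glitches else (p,)))
    dist = {x: probe_distribution(wires, x) for x in product((0, 1), repeat=4)}
    best = None
    for mask in product((0, 1), repeat=4):         # candidate subsets S of input shares
        seen = {}
        proj = lambda x: tuple(v for v, m in zip(x, mask) if m)
        if all(seen.setdefault(proj(x), d) == d for x, d in dist.items()):
            cost = (mask[0] + mask[1], mask[2] + mask[3])
            if best is None or (max(cost), sum(cost)) < (max(best), sum(best)):
                best = cost
    return best

if __name__ == "__main__":
    # A single output probe on c0: the SNI bound allows 0 input shares (no internal probe).
    for glitches in (False, True):
        need = shares_needed(["c0"], glitches)
        verdict = "1-SNI holds" if max(need) == 0 else "1-NI only, SNI bound violated"
        print(f"probe c0, glitch-extended={glitches}: needs {need} shares -> {verdict}")
```

With standard probes the refreshed output c0 is uniform and needs no input share; the glitch-extended probe on the same wire also sees the register output t00 = a0·b0, so one share of each input is needed, which NI tolerates but SNI does not.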