
Fast Verification of Masking Schemes in Characteristic Two

  • Conference paper
Advances in Cryptology – EUROCRYPT 2021 (EUROCRYPT 2021)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12697)

Abstract

We revisit the matrix model for non-interference (NI) probing security of masking gadgets introduced by Belaïd et al. at CRYPTO 2017. This leads to two main results.

1) We generalise the theorems on which this model is based, so as to be able to apply them to masking schemes over any finite field—in particular \(\mathbb {F}_2\)—and to be able to analyse the strong non-interference (SNI) security notion. We also follow Faust et al. (TCHES 2018) to additionally consider a robust probing model that takes hardware defects such as glitches into account.

2) We exploit this improved model to implement a very efficient verification algorithm that improves the performance of state-of-the-art software by three orders of magnitude. We show applications to variants of NI and SNI multiplication gadgets from Barthe et al. (EUROCRYPT 2017) which we verify to be secure up to order 11 after a significant parallel computation effort, whereas the previous largest proven order was 7; SNI refreshing gadgets (ibid.); and NI multiplication gadgets from Groß et al. (TIS@CCS 2016) secure in presence of glitches. We also reduce the randomness cost of some existing gadgets, notably for the implementation-friendly case of 8 shares, improving here the previous best results by 17% (resp. 19%) for SNI multiplication (resp. refreshing).
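As an added illustration of the two security notions the abstract refers to (this is example code written for this page, not the paper's verifier nor any code from its authors), the script below checks t-NI and t-SNI directly from their definitions: for every set of at most t probes it enumerates all assignments of the input shares and of the randomness and computes the smallest set of input shares on which the joint distribution of the probed values depends. That is feasible only for tiny gadgets, but it is the ground truth that a fast matrix-model verifier such as the paper's must reproduce. Intermediate values are written as ANF polynomials over \(\mathbb {F}_2\); the script applies the check to a 3-share ISW multiplication, to a deliberately broken multiplication whose outputs are correct sharings but whose partial sums expose several shares of one input, and to a linear refresh that is 2-NI but not 2-SNI. All gadget and function names are hypothetical.

```python
"""Exhaustive t-NI / t-SNI check for tiny masked gadgets over F_2.  Added example,
not the paper's matrix-model verifier; all gadget and function names are hypothetical."""
from collections import Counter
from itertools import combinations, product

def poly(*monomials):
    """ANF over F_2: a frozenset of monomials, each a frozenset of variable names;
    poly("r01", "a0*b1") is r01 + a0*b1, and ^ (symmetric difference) adds ANFs."""
    return frozenset(frozenset(m.split("*")) for m in monomials)

class Gadget:
    def __init__(self, inputs, randoms, internal, outputs):
        self.inputs = inputs                            # {"a": ["a0", ...], ...}
        self.randoms = randoms                          # uniform random bits
        self.internal = list(dict.fromkeys(internal))   # deduplicated probes
        self.outputs = outputs
        self.shares = [s for names in inputs.values() for s in names]
        # Truth table of each probe over (shares, randoms); randoms vary fastest.
        env_vars = self.shares + self.randoms
        envs = [dict(zip(env_vars, bits)) for bits in product((0, 1), repeat=len(env_vars))]
        self.table = {p: [sum(all(e[v] for v in m) for m in p) & 1 for e in envs]
                      for p in self.internal + self.outputs}

def needed_shares(g, probes):
    """Smallest set of input shares the joint distribution of `probes` depends on:
    a share is needed iff flipping it (all else fixed) changes the distribution of the
    probed tuple over the randomness somewhere; the others can be fixed to 0 for free."""
    n_r = 2 ** len(g.randoms)
    dist = []
    for s in range(2 ** len(g.shares)):
        c = Counter(tuple(g.table[p][s * n_r + r] for p in probes) for r in range(n_r))
        dist.append(frozenset(c.items()))
    top = len(g.shares) - 1                   # product() puts shares[0] in the top bit
    return {name for k, name in enumerate(g.shares)
            if any(dist[s] != dist[s ^ (1 << (top - k))] for s in range(len(dist)))}

def find_attack(g, t, strong=False):
    """First violating probe set as (probes, needed shares), or None.
    t-NI: any l <= t probes need at most l shares of each input.  t-SNI: the
    budget is the number of *internal* probes, so output probes cost nothing."""
    universe = [(p, False) for p in g.internal] + [(p, True) for p in g.outputs]
    for l in range(1, t + 1):
        for chosen in combinations(universe, l):
            budget = sum(not is_out for _, is_out in chosen) if strong else l
            need = needed_shares(g, [p for p, _ in chosen])
            if any(len(need & set(names)) > budget for names in g.inputs.values()):
                return [p for p, _ in chosen], need
    return None

def is_ni(g, t, strong=False):
    return find_attack(g, t, strong) is None

def isw_mult(n):
    """ISW multiplication with n shares and its usual intermediate values:
    shares, products, r_ij, r_ij + a_i*b_j, r_ji and the partial sums of each c_i."""
    a, b = [f"a{i}" for i in range(n)], [f"b{i}" for i in range(n)]
    randoms, internal, outputs, cross = [], [], [], {}
    internal += [poly(x) for x in a + b]
    internal += [poly(f"{a[i]}*{b[j]}") for i in range(n) for j in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            r = f"r{i}{j}"
            randoms.append(r)
            cross[i, j] = poly(r)
            cross[j, i] = poly(r, f"{a[i]}*{b[j]}", f"{a[j]}*{b[i]}")  # (r_ij + a_i b_j) + a_j b_i
            internal += [cross[i, j], poly(r, f"{a[i]}*{b[j]}"), cross[j, i]]
    for i in range(n):
        acc = poly(f"{a[i]}*{b[i]}")
        for j in (j for j in range(n) if j != i):
            acc ^= cross[i, j]
            internal.append(acc)
        outputs.append(internal.pop())            # the last partial sum is c_i
    return Gadget({"a": a, "b": b}, randoms, internal, outputs)

def unmasked_cross_terms(n):
    """Broken 'multiplication' c_i = a_i * (b_0 + ... + b_{n-1}): correct sharing, leaky probes."""
    a, b = [f"a{i}" for i in range(n)], [f"b{i}" for i in range(n)]
    internal, outputs = [poly(x) for x in a + b], []
    for i in range(n):
        acc = poly()
        for j in range(n):
            acc ^= poly(f"{a[i]}*{b[j]}")
            internal.append(acc)
        outputs.append(internal.pop())
    return Gadget({"a": a, "b": b}, [], internal, outputs)

def simple_refresh():
    """c = (a0 + r, a1 + r, a2): a correct resharing that is 2-NI but not 2-SNI
    (the output probe c2 = a2 alone already costs one input share)."""
    a = ["a0", "a1", "a2"]
    outputs = [poly("a0", "r"), poly("a1", "r"), poly("a2")]
    return Gadget({"a": a}, ["r"], [poly(x) for x in a] + [poly("r")], outputs)

if __name__ == "__main__":
    for name, g, t in [("ISW n=3", isw_mult(3), 2), ("a_i*b", unmasked_cross_terms(3), 1),
                       ("refresh", simple_refresh(), 2)]:
        print(f"{name}: {t}-NI={is_ni(g, t)}  {t}-SNI={is_ni(g, t, strong=True)}")
        attack = find_attack(g, t, strong=True)
        if attack:
            print("  SNI counter-example:", len(attack[0]), "probe(s) needing", sorted(attack[1]))
```

The needed-share computation is exact rather than heuristic: if flipping a share never changes the distribution, that share can be fixed to 0 without changing the distribution, so the distribution is a function of the remaining shares alone, and conversely any share whose flip changes it must be given to the simulator. find_attack returns the first offending probe set together with the shares it needs, which is the artefact one actually wants when a check fails; the enumeration grows as the number of probes to the power t times 2 to the number of variables, which is exactly why verifying an 11th-order gadget needs a different algorithm.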


Notes

  1. Results for unary functions can then easily be obtained by e.g. fixing one input.

  2. As Condition 11 directly implies an attack, one could also formulate this corollary solely in terms of this condition.

  3. Recall that an \([n, k]\) linear code over a field \(\mathbb {K}\) is a k-dimensional linear subspace of \(\mathbb {K}^n\).

  4. This use of scalar matrices is only so that \(\boldsymbol{\varPi }\) is defined on the same base structure as \(\boldsymbol{\varDelta }\) below. As an example, taking \(\ell = d = 2\) and considering two probes in \(\mathcal {P}'\) as \(p_1' = p_1 + p_2\); \(p_2' = p_2\), then \(\boldsymbol{\varPi } = \begin{pmatrix} \boldsymbol{I}_4 & \boldsymbol{I}_4 \\ \boldsymbol{0}_4 & \boldsymbol{I}_4 \end{pmatrix}\).

  5. This use of diagonal matrices allows one to keep track of (the lack of) simplifications when combining several probes; for instance, if two probes depend on the same \(\boldsymbol{a}_i\) as \(\boldsymbol{a}_i\boldsymbol{b}_j\) and \(\boldsymbol{a}_i\boldsymbol{b}_{j'}\) with \(j\ne j'\), then the sum of those probes still depends on \(\boldsymbol{a}_i\). Continuing the previous example and taking \(p_1' = \boldsymbol{a}_0\boldsymbol{b}_0 + \boldsymbol{a}_0\boldsymbol{b}_1 + \boldsymbol{a}_1\boldsymbol{b}_2 + \boldsymbol{a}_2\), then the first row of \(\boldsymbol{\varDelta }\) (whose entries are \(4\times 4\) matrices) is \(\left( \begin{array}{llllllllllll} 1 & & & & 0 & & & & 0 & & & \\ & 1 & & & & 0 & & & & 0 & & \\ & & 0 & & & & 1 & & & & 0 & \\ & & & 0 & & & & 0 & & & & 1 \end{array}\right) \).

  6. It can also be trivially modified to check attacks against NI security.

  7. That is, the only non-trivial linear combination over \(\mathbb {F}_2\) that depends on all the elements of the set.

  8. One may remark that since information set decoding relies on Gaussian elimination, the cost of one step of this algorithm increases more than linearly in the size of \(\mathcal {P}\).

  9. Note that this means that one would not detect the existence of an attack that would use only elementary probes. However, it is easy to see from their definitions that \(\ell \) such probes functionally depend on at most \(\ell \) shares, and so can never lead to a non-trivial attack.

  10. This additional constraint is not in itself necessary, but it simplifies the overall algorithm.

  11. We ourselves used the latest version of maskVerif to do so up to order 8.

  12. This however still cannot theoretically justify the use of this masked multiplication at order 31 as is done in [JS17].

  13. Available at https://gitlab.com/benjgregoire/maskverif.

  14. This corresponds exactly to the probes made of an even number of \(\boldsymbol{a}_*\boldsymbol{b}_*\) terms.

  15. This is after filtering of the initial \(\approx 2^{59}\) (resp. \(\approx 2^{59.76}\)) sets.

  16. https://ciment.univ-grenoble-alpes.fr/wiki-pub/index.php/Hardware:Dahu.

  17. This is somewhat slow compared to performance on the similar ‘6126. The reason is currently unclear, but might involve the different build environment and overall setup.

References

  1. Barthe, G., Belaïd, S., Cassiers, G., Fouque, P.-A., Grégoire, B., Standaert, F.-X.: maskVerif: automated verification of higher-order masking in presence of physical defaults. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019. LNCS, vol. 11735, pp. 300–318. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-29959-0_15

  2. Barthe, G., Belaïd, S., Dupressoir, F., Fouque, P.-A., Grégoire, B.: Compositional verification of higher-order masking: application to a verifying masking compiler. IACR Cryptology ePrint Archive 2015, 506 (2015)

  3. Barthe, G., et al.: Strong non-interference and type-directed higher-order masking. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 2016, pp. 116–129. ACM (2016)

  4. Barthe, G., et al.: Improved parallel mask refreshing algorithms: generic solutions with parametrized non-interference & automated optimizations. IACR Cryptology ePrint Archive 2018, 505 (2018)

  5. Belaïd, S., Benhamouda, F., Passelègue, A., Prouff, E., Thillard, A., Vergnaud, D.: Randomness complexity of private circuits for multiplication. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 616–648. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_22

  6. Belaïd, S., Benhamouda, F., Passelègue, A., Prouff, E., Thillard, A., Vergnaud, D.: Private multiplication over finite fields. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 397–426. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_14

  7. Barthe, G., et al.: Parallel implementations of masking schemes and the bounded moment leakage model. In: Coron and Nielsen [CN17], pp. 535–566 (2017)

  8. Belaïd, S., Dagand, P.É., Mercadier, D., Rivain, M., Wintersdorff, R.: Tornado: automatic generation of probing-secure masked bitsliced implementations. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 311–341. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_11

  9. Bloem, R., Gross, H., Iusupov, R., Könighofer, B., Mangard, S., Winter, J.: Formal verification of masked hardware implementations in the presence of glitches. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 321–353. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_11

  10. Belaïd, S., Goudarzi, D., Rivain, M.: Tight private circuits: achieving probing security with the least refreshing. In: Peyrin and Galbraith [PG18], pp. 343–372

  11. Bordes, N., Karpman, P.: Fast verification of masking schemes in characteristic two. IACR Cryptol. ePrint Arch. 2019, 1165 (2019)

  12. Bronchain, O., Standaert, F.-X.: Side-channel countermeasures’ dissection and the limits of closed source security evaluations. IACR Cryptology ePrint Archive 2019, 1008 (2019)

  13. Coron, J.-S., Greuet, A., Prouff, E., Zeitoun, R.: Faster evaluation of SBoxes via common shares. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 498–514. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53140-2_24

  14. Coron, J.-S., Nielsen, J.B. (eds.): EUROCRYPT 2017. LNCS, vol. 10210. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7

  15. Duc, A., Faust, S., Standaert, F.-X.: Making masking security proofs concrete. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 401–429. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_16

  16. Fan, J., Gierlichs, B. (eds.): COSADE 2018. LNCS, vol. 10815. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89641-0

  17. Faust, S., Grosso, V., Pozo, S.M.D., Paglialonga, C., Standaert, F.-X.: Composable masking schemes in the presence of physical defaults & the robust probing model. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(3), 89–120 (2018)

  18. Goudarzi, D., Journault, A., Rivain, M., Standaert, F.-X.: Secure multiplication for bitslice higher-order masking: optimisation and comparison. In: Fan and Gierlichs [FG18], pp. 3–22

  19. Groß, H., Mangard, S., Korak, T.: Domain-oriented masking: compact masked hardware implementations with arbitrary protection order. In: Bilgin, B., Nikova, S., Rijmen, V. (eds.) ACM TIS@CCS 2016, p. 3. ACM (2016)

  20. Gao, S., Marshall, B., Page, D., Oswald, E.: Share-slicing: friend or foe? IACR Trans. Cryptogr. Hardw. Embed. Syst. 2020(1), 152–174 (2020)

  21. Grégoire, B., Papagiannopoulos, K., Schwabe, P., Stoffelen, K.: Vectorizing higher-order masking. In: Fan and Gierlichs [FG18], pp. 23–43

  22. Goudarzi, D., Rivain, M.: How fast can higher-order masking be in software? In: Coron and Nielsen [CN17], pp. 567–597

  23. Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_27

  24. Journault, A., Standaert, F.-X.: Very high order masking: efficient implementation and security evaluation. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 623–643. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_30

  25. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_25

  26. Knuth, D.E.: Combinatorial Algorithms, Part 1. The Art of Computer Programming, vol. 4A. Addison-Wesley (2011)

  27. Karpman, P., Roche, D.S.: New instantiations of the CRYPTO 2017 masking schemes. In: Peyrin and Galbraith [PG18], pp. 285–314

  28. Knichel, D., Sasdrich, P., Moradi, A.: SILVER – statistical independence and leakage verification. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12491, pp. 787–816. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_26

  29. Liu, C.N., Tang, D.T.: Enumerating combinations of m out of n objects [G6] (algorithm 452). Commun. ACM 16(8), 485 (1973)

  30. Moos, T., Moradi, A., Schneider, T., Standaert, F.-X.: Glitch-resistant masking revisited or why proofs in the robust probing model are needed. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2019(2), 256–292 (2019)

  31. Nijenhuis, A., Wilf, H.S.: Combinatorial Algorithms for Computers and Calculators, 2nd edn. Academic Press, New York (1978)

  32. Peyrin, T., Galbraith, S. (eds.): ASIACRYPT 2018. LNCS, vol. 11273. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03329-3

  33. Prange, E.: The use of information sets in decoding cyclic codes. IRE Trans. Inf. Theory 8(5), 5–9 (1962)

  34. Schwartz, J.T.: Fast probabilistic algorithms for verification of polynomial identities. J. ACM 27(4), 701–717 (1980)

  35. Walsh, T.R.: A simple sequencing and ranking method that works on almost all gray codes. Unpublished research report. https://www.labunix.uqam.ca/~walsh_t/papers/sequencing_and_ranking.pdf

  36. Wang, W., Guo, C., Standaert, F.-X., Yu, Y., Cassiers, G.: Packed multiplication: how to amortize the cost of side-channel masking? IACR Cryptol. ePrint Arch. 2020, 1103 (2020)


Acknowledgments

We thank Clément Pernet for his contribution to the proof of Lemma 14, Yann Rotella for an early discussion on the possibility of further filtering, the authors of [BBC+19] for providing us access to an up-to-date version of maskVerif, and finally all the reviewers for their constructive comments.

This work is partially supported by the French National Research Agency in the framework of the Investissements d’avenir programme (ANR-15-IDEX-02).

Some of the computations presented in this paper were performed using the GRICAD infrastructure (https://gricad.univ-grenoble-alpes.fr), which is partially supported by the Equip@Meso project (ANR-10-EQPX-29-01) of the Investissements d’Avenir programme.

Corresponding author

Correspondence to Nicolas Bordes.


Copyright information

© 2021 International Association for Cryptologic Research


Cite this paper

Bordes, N., Karpman, P. (2021). Fast Verification of Masking Schemes in Characteristic Two. In: Canteaut, A., Standaert, F.-X. (eds.) Advances in Cryptology – EUROCRYPT 2021. EUROCRYPT 2021. Lecture Notes in Computer Science, vol. 12697. Springer, Cham. https://doi.org/10.1007/978-3-030-77886-6_10

  • DOI: https://doi.org/10.1007/978-3-030-77886-6_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-77885-9

  • Online ISBN: 978-3-030-77886-6