Skip to main content
SpringerLink
Log in

Mind the Gap: Towards Secure 1st-Order Masking in Software

  • Conference paper
  • First Online:
Constructive Side-Channel Analysis and Secure Design (COSADE 2017)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10348))

Abstract

Cryptographic implementations are vulnerable to side-channel analysis. Implementors often opt for masking countermeasures to protect against these types of attacks. Masking countermeasures can ensure theoretical protection against value-based leakages. However, the practical effectiveness of masking is often halted by physical effects such as glitches and distance-based leakages, which violate the independent leakage assumption (ILA) and result in security order reductions. This paper aims to address this gap between masking theory and practice in the following threefold manner. First, we perform an in-depth investigation of the device-specific effects that invalidate ILA in the AVR microcontroller ATMega163. Second, we provide an automated tool, capable of detecting ILA violations in AVR assembly code. Last, we craft the first (to our knowledge) “hardened” 1st-order ISW-based, masked Sbox implementation, which is capable of resisting 1st-order, univariate side-channel attacks. Enforcing the ILA in the masked RECTANGLE Sbox requires 1319 clock cycles, i.e. a 15-fold increase compared to a naive 1st-order ISW-based implementation.

The work described in this paper has been supported by the Netherlands Organization for Scientific Research NWO under project ProFIL (628.001.007).

This work is the result of a short term scientific mission that has been supported by ICT COST Action IC1204: “Trustworthy Manufacturing and Utilization of Secure Devices”.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    http://www.atmel.com/images/doc1142.pdf.

  2. 2.

    https://www.riscure.com/security-tools/hardware/power-tracer.

  3. 3.

    http://www.atmel.com/images/Atmel-0856-AVR-Instruction-Set-Manual.pdf.

  4. 4.

    http://www.ulb.ac.be/di/dpalab/download/SILK_v0.1.zip.

  5. 5.

    We have contacted the author, there is intention to eventually publish the code.

  6. 6.

    https://github.com/nikita-veshchikov/ascold.

References

  1. Balasch, J., Gierlichs, B., Grosso, V., Reparaz, O., Standaert, F.-X.: On the cost of lazy engineering for masked software implementations. In: Joye, M., Moradi, A. (eds.) CARDIS 2014. LNCS, vol. 8968, pp. 64–81. Springer, Cham (2015). doi:10.1007/978-3-319-16763-3_5

    Google Scholar 

  2. Barthe, G., Belaïd, S., Dupressoir, F., Fouque, P.-A., Grégoire, B., Strub, P.-Y.: Verified proofs of higher-order masking. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 457–485. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46800-5_18

    Google Scholar 

  3. Batina, L., Gierlichs, B., Prouff, E., Rivain, M., Standaert, F.-X., Veyrat-Charvillon, N.: Mutual information analysis: a comprehensive study. J. Cryptol. 24(2), 269–291 (2011)

    Article  MathSciNet  MATH  Google Scholar 

  4. Battistello, A., Coron, J.-S., Prouff, E., Zeitoun, R.: Horizontal side-channel attacks and countermeasures on the ISW masking scheme. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 23–39. Springer, Heidelberg (2016). doi:10.1007/978-3-662-53140-2_2

    Google Scholar 

  5. Biham, E.: A fast new DES implementation in software. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 260–272. Springer, Heidelberg (1997). doi:10.1007/BFb0052352

    Chapter  Google Scholar 

  6. Bottinelli, P., Bos, J.W.: Computational aspects of correlation power analysis. IACR Cryptology ePrint Archive 260 (2015)

    Google Scholar 

  7. Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004). doi:10.1007/978-3-540-28632-5_2

    Chapter  Google Scholar 

  8. Canright, D., Batina, L.: A very compact “perfectly masked” s-box for AES (corrected). IACR Cryptology ePrint Archive 11 (2009)

    Google Scholar 

  9. Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks. In: Wiener [34], pp. 398–412

    Google Scholar 

  10. Cooper, J., DeMulder, E., Goodwill, G., Jaffe, J., Kenworthy, G., Rohatgi, P.: Test Vector Leakage Assessment (TVLA) methodology in practice (2013). http://icmc-2013.org/wp/wp-content/uploads/2013/09/goodwillkenworthtestvector.pdf

  11. Coron, J.-S.: Higher order masking of look-up tables. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 441–458. Springer, Heidelberg (2014). doi:10.1007/978-3-642-55220-5_25

    Chapter  Google Scholar 

  12. Coron, J.-S., Giraud, C., Prouff, E., Renner, S., Rivain, M., Vadnala, P.K.: Conversion of security proofs from one leakage model to another: a new issue. In: Schindler, W., Huss, S.A. (eds.) COSADE 2012. LNCS, vol. 7275, pp. 69–81. Springer, Heidelberg (2012). doi:10.1007/978-3-642-29912-4_6

    Chapter  Google Scholar 

  13. Daemen, J., Govaerts, R., Vandewalle, J.: A new approach to block cipher design. In: Anderson, R. (ed.) FSE 1993. LNCS, vol. 809, pp. 18–32. Springer, Heidelberg (1994). doi:10.1007/3-540-58108-1_2

    Chapter  Google Scholar 

  14. Groot, W., Papagiannopoulos, K., Piedra, A., Schneider, E., Batina, L.: Bitsliced masking and ARM: friends or foes? In: Bogdanov, A. (ed.) LightSec 2016. LNCS, vol. 10098, pp. 91–109. Springer, Cham (2017). doi:10.1007/978-3-319-55714-4_7

    Chapter  Google Scholar 

  15. Goubin, L., Patarin, J.: DES and differential power analysis the “Duplication” method. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 158–172. Springer, Heidelberg (1999). doi:10.1007/3-540-48059-5_15

    Chapter  Google Scholar 

  16. Goudarzi, D., Rivain, M.: How fast can higher-order masking be in software? Cryptology ePrint Archive, Report 2016/264 (2016). http://eprint.iacr.org/2016/264

  17. Grosso, V., Leurent, G., Standaert, F.-X., Varıcı, K.: LS-designs: bitslice encryption for efficient masked software implementations. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 18–37. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46706-0_2

    Google Scholar 

  18. Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003). doi:10.1007/978-3-540-45146-4_27

    Chapter  Google Scholar 

  19. Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener [34], pp. 388–397

    Google Scholar 

  20. Mangard, S., Schramm, K.: Pinpointing the side-channel leakage of masked AES hardware implementations. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 76–90. Springer, Heidelberg (2006). doi:10.1007/11894063_7

    Chapter  Google Scholar 

  21. Messerges, T.S.: Securing the AES finalists against power analysis attacks. In: Goos, G., Hartmanis, J., Leeuwen, J., Schneier, B. (eds.) FSE 2000. LNCS, vol. 1978, pp. 150–164. Springer, Heidelberg (2001). doi:10.1007/3-540-44706-7_11

    Chapter  Google Scholar 

  22. Nikova, S., Rechberger, C., Rijmen, V.: Threshold implementations against side-channel attacks and glitches. In: Ning, P., Qing, S., Li, N. (eds.) ICICS 2006. LNCS, vol. 4307, pp. 529–545. Springer, Heidelberg (2006). doi:10.1007/11935308_38

    Chapter  Google Scholar 

  23. Prouff, E., Rivain, M.: Masking against side-channel attacks: a formal security proof. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 142–159. Springer, Heidelberg (2013). doi:10.1007/978-3-642-38348-9_9

    Chapter  Google Scholar 

  24. Renauld, M., Standaert, F.-X., Veyrat-Charvillon, N., Kamel, D., Flandre, D.: A formal study of power variability issues and side-channel attacks for nanoscale devices. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 109–128. Springer, Heidelberg (2011). doi:10.1007/978-3-642-20465-4_8

    Chapter  Google Scholar 

  25. Reparaz, O.: Detecting flawed masking schemes with leakage detection tests. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 204–222. Springer, Heidelberg (2016). doi:10.1007/978-3-662-52993-5_11

    Chapter  Google Scholar 

  26. Rivain, M., Prouff, E.: Provably secure higher-order masking of AES. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 413–427. Springer, Heidelberg (2010). doi:10.1007/978-3-642-15031-9_28

    Chapter  Google Scholar 

  27. Schneider, T., Moradi, A.: Leakage assessment methodology. In: Güneysu, T., Handschuh, H. (eds.) CHES 2015. LNCS, vol. 9293, pp. 495–513. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48324-4_25

    Chapter  Google Scholar 

  28. Standaert, F.-X., Malkin, T.G., Yung, M.: A unified framework for the analysis of side-channel key recovery attacks. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 443–461. Springer, Heidelberg (2009). doi:10.1007/978-3-642-01001-9_26

    Chapter  Google Scholar 

  29. Stöttinger, M.: Mutating runtime architectures as a countermeasure against power analysis attacks. Ph.D. thesis, Darmstadt University of Technology, Germany (2012)

    Google Scholar 

  30. Keccak Team: Note on side-channel attacks and their countermeasures. http://keccak.noekeon.org/NoteSideChannelAttacks.pdf

  31. Veshchikov, N.: SILK: high level of abstraction leakage simulator for side channel analysis. In: Preda, M.D., McDonald, J.T. (eds.) Proceedings of the 4th Program Protection and Reverse Engineering Workshop, PPREW@ACSAC 2014, New Orleans, LA, USA, 9 December 2014, p. 3:1–3:11. ACM (2014)

    Google Scholar 

  32. Wang, J., Vadnala, P.K., Großschädl, J., Xu, Q.: Higher-order masking in practice: a vector implementation of masked AES for ARM NEON. In: Nyberg, K. (ed.) CT-RSA 2015. LNCS, vol. 9048, pp. 181–198. Springer, Cham (2015). doi:10.1007/978-3-319-16715-2_10

    Google Scholar 

  33. Whitnall, C., Oswald, E., Mather, L.: An exploration of the Kolmogorov-Smirnov test as a competitor to mutual information analysis. In: Prouff, E. (ed.) CARDIS 2011. LNCS, vol. 7079, pp. 234–251. Springer, Heidelberg (2011). doi:10.1007/978-3-642-27257-8_15

    Chapter  Google Scholar 

  34. Wiener, M. (ed.): CRYPTO 1999. LNCS, vol. 1666. Springer, Heidelberg (1999)

    MATH  Google Scholar 

  35. Zhang, W., Bao, Z., Lin, D., Rijmen, V., Yang, B., Verbauwhede, I.: RECTANGLE: a bit-slice lightweight block cipher suitable for multiple platforms. Sci. China Inf. Sci. 58(12), 1–15 (2015)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Radboud Universiteit, Nijmegen, Netherlands

    Kostas Papagiannopoulos

  2. Quality and Security of Information Systems, Département d’informatique, Université Libre de Bruxelles, Brussels, Belgium

    Nikita Veshchikov

Authors
  1. Kostas Papagiannopoulos
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Nikita Veshchikov
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Nikita Veshchikov .

Editor information

Editors and Affiliations

  1. Secure-IC S.A.S. and TELECOM-ParisTech, Paris, France

    Sylvain Guilley

A Appendix

A Appendix

Below, we include the 32\(\,\times \,\)32 matrix R that is generated experimentally, while investigating all possible neighbouring leakage effects in the ATMega163 register file (by performing 32 experiments similar to Listing 1.5). Value ‘1’ denotes the presence of leakage and ‘0’ the absence. The tool ASCOLD uses R in order to detect neighbour-based ILA violations.

Rights and permissions

Reprints and permissions

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Papagiannopoulos, K., Veshchikov, N. (2017). Mind the Gap: Towards Secure 1st-Order Masking in Software. In: Guilley, S. (eds) Constructive Side-Channel Analysis and Secure Design. COSADE 2017. Lecture Notes in Computer Science(), vol 10348. Springer, Cham. https://doi.org/10.1007/978-3-319-64647-3_17

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-64647-3_17

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-64646-6

  • Online ISBN: 978-3-319-64647-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation