Masking Proofs Are Tight and How to Exploit it in Security Evaluations

  • Vincent Grosso
  • François-Xavier Standaert
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10821)

Abstract

Evaluating the security level of a leaking implementation against side-channel attacks is a challenging task. This is especially true when countermeasures such as masking are implemented, since in this case: (i) the number of measurements needed for a key recovery may become prohibitive for certification laboratories, and (ii) applying optimal (multivariate) attacks may be computationally intensive and technically challenging. In this paper, we show that by taking advantage of the tightness of masking security proofs, we can significantly simplify this evaluation task in a very general manner. More precisely, we show that the evaluation of a masked implementation can essentially be reduced to that of an unprotected implementation. In addition, we show that although optimal attacks against masking schemes are computationally intensive for large numbers of shares, heuristic (soft analytical side-channel) attacks can approach optimality efficiently. As part of this second contribution, we also improve over the recent multivariate (aka horizontal) side-channel attacks proposed at CHES 2016 by Battistello et al.

Notes

Acknowledgments

François-Xavier Standaert is a senior associate researcher of the Belgian Fund for Scientific Research (FNRS-F.R.S.). This work has been funded in parts by the ERC project 724725 (acronym SWORD), the EU project REASSURE and the Brussels Region INNOVIRIS project SCAUT.

References

  1. Archambeau, C., Peeters, E., Standaert, F.-X., Quisquater, J.-J.: Template attacks in principal subspaces. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 1–14. Springer, Heidelberg (2006). https://doi.org/10.1007/11894063_1
  2. Balasch, J., Gierlichs, B., Grosso, V., Reparaz, O., Standaert, F.-X.: On the cost of lazy engineering for masked software implementations. In: Joye, M., Moradi, A. (eds.) CARDIS 2014. LNCS, vol. 8968, pp. 64–81. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16763-3_5
  3. Barthe, G., Belaïd, S., Dupressoir, F., Fouque, P.-A., Grégoire, B., Strub, P.-Y.: Verified proofs of higher-order masking. In: Oswald and Fischlin [47], pp. 457–485
  4. Barthe, G., Belaïd, S., Dupressoir, F., Fouque, P.-A., Grégoire, B., Strub, P.-Y., Zucchini, R.: Strong non-interference and type-directed higher-order masking. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24–28 October 2016, pp. 116–129. ACM (2016)
  5. Barthe, G., Dupressoir, F., Faust, S., Grégoire, B., Standaert, F.-X., Strub, P.-Y.: Parallel implementations of masking schemes and the bounded moment leakage model. In: Coron and Nielsen [15], pp. 535–566
  6. Batina, L., Robshaw, M. (eds.): CHES 2014. LNCS, vol. 8731. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44709-3
  7. Battistello, A., Coron, J.-S., Prouff, E., Zeitoun, R.: Horizontal side-channel attacks and countermeasures on the ISW masking scheme. In: Gierlichs and Poschmann [29], pp. 23–39
  8. Belaïd, S., Benhamouda, F., Passelègue, A., Prouff, E., Thillard, A., Vergnaud, D.: Randomness complexity of private circuits for multiplication. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 616–648. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_22
  9. Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28632-5_2
  10. Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 398–412. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_26
  11. Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Kaliski, B.S., Koç, K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 13–28. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36400-5_3
  12. Choudary, M.O.: Efficient multivariate statistical techniques for extracting secrets from electronic devices. Ph.D. thesis, University of Cambridge (2014)
  13. Cooper, J., De Mulder, E., Goodwill, G., Jaffe, J., Kenworthy, G., Rohatgi, P.: Test vector leakage assessment (TVLA) methodology in practice (extended abstract). In: ICMC 2013. http://icmc-2013.org/wp/wp-content/uploads/2013/09/goodwillkenworthtestvector.pdf
  14. Coron, J.-S., Giraud, C., Prouff, E., Renner, S., Rivain, M., Vadnala, P.K.: Conversion of security proofs from one leakage model to another: a new issue. In: Schindler, W., Huss, S.A. (eds.) COSADE 2012. LNCS, vol. 7275, pp. 69–81. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29912-4_6
  15. Coron, J.-S., Nielsen, J.B. (eds.): EUROCRYPT 2017. LNCS, vol. 10210. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7
  16. Coron, J.-S., Prouff, E., Rivain, M., Roche, T.: Higher-order side channel security and mask refreshing. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 410–424. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43933-3_21
  17. Daemen, J., Rijmen, V.: The wide trail design strategy. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 222–238. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45325-3_20
  18. Ding, A.A., Zhang, L., Fei, Y., Luo, P.: A statistical model for higher order DPA on masked devices. In: Batina and Robshaw [6], pp. 147–169
  19. Duc, A., Dziembowski, S., Faust, S.: Unifying leakage models: from probing attacks to noisy leakage. In: Nguyen and Oswald [45], pp. 423–440
  20. Duc, A., Faust, S., Standaert, F.-X.: Making masking security proofs concrete - or how to evaluate the security of any leaking device. In: Oswald and Fischlin [47], pp. 401–429
  21. Duc, A., Faust, S., Standaert, F.-X.: Making masking security proofs concrete or how to evaluate the security of any leaking device (extended version). IACR Cryptology ePrint Archive 2015, 119 (2015)
  22. Durvaux, F., Standaert, F.-X.: From improved leakage detection to the detection of points of interests in leakage traces. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 240–262. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_10
  23. Durvaux, F., Standaert, F.-X., Del Pozo, S.M.: Towards easy leakage certification. In: Gierlichs and Poschmann [29], pp. 40–60
  24. Durvaux, F., Standaert, F.-X., Veyrat-Charvillon, N.: How to certify the leakage of a chip? In: Nguyen and Oswald [45], pp. 459–476
  25. Dziembowski, S., Faust, S., Herold, G., Journault, A., Masny, D., Standaert, F.-X.: Towards sound fresh re-keying with hard (physical) learning problems. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 272–301. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_10
  26. Dziembowski, S., Faust, S., Skorski, M.: Noisy leakage revisited. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 159–188. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_6
  27. Fei, Y., Luo, Q., Ding, A.A.: A statistical model for DPA with novel algorithmic confusion analysis. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 233–250. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33027-8_14
  28. Gierlichs, B., Batina, L., Tuyls, P., Preneel, B.: Mutual information analysis. In: Oswald, E., Rohatgi, P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 426–442. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85053-3_27
  29. Gierlichs, B., Poschmann, A.Y. (eds.): CHES 2016. LNCS, vol. 9813. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53140-2
  30. Goodwill, G., Jun, B., Jaffe, J., Rohatgi, P.: A testing methodology for side channel resistance validation. In: NIST Non-invasive Attack Testing Workshop (2011). http://csrc.nist.gov/news_events/non-invasive-attack-testing-workshop/papers/08_Goodwill.pdf
  31. Goudarzi, D., Rivain, M.: How fast can higher-order masking be in software? In: Coron and Nielsen [15], pp. 567–597
  32. Grosso, V., Prouff, E., Standaert, F.-X.: Efficient masked S-boxes processing – a step forward. In: Pointcheval, D., Vergnaud, D. (eds.) AFRICACRYPT 2014. LNCS, vol. 8469, pp. 251–266. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-06734-6_16
  33. Grosso, V., Standaert, F.-X.: ASCA, SASCA and DPA with enumeration: which one beats the other and when? In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 291–312. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_12
  34. Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_27
  35. Journault, A., Standaert, F.-X.: Very high order masking: efficient implementation and security evaluation. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 623–643. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_30
  36. Lemke-Rust, K., Paar, C.: Gaussian mixture models for higher-order side channel analysis. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 14–27. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74735-2_2
  37. Lerman, L., Poussier, R., Bontempi, G., Markowitch, O., Standaert, F.-X.: Template attacks vs. machine learning revisited (and the curse of dimensionality in side-channel analysis). In: Mangard, S., Poschmann, A.Y. (eds.) COSADE 2014. LNCS, vol. 9064, pp. 20–33. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21476-4_2
  38. Lomné, V., Prouff, E., Rivain, M., Roche, T., Thillard, A.: How to estimate the success rate of higher-order side-channel attacks. In: Batina and Robshaw [6], pp. 35–54
  39. Mangard, S., Oswald, E., Standaert, F.-X.: One for all - all for one: unifying standard differential power analysis attacks. IET Inf. Secur. 5(2), 100–110 (2011)
  40. Mangard, S., Popp, T., Gammel, B.M.: Side-channel leakage of masked CMOS gates. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 351–365. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30574-3_24
  41. Martin, D.P., Mather, L., Oswald, E., Stam, M.: Characterisation and estimation of the key rank distribution in the context of side channel evaluations. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 548–572. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_20
  42. Mather, L., Oswald, E., Bandenburg, J., Wójcik, M.: Does my device leak information? An a priori statistical power analysis of leakage detection tests. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8269, pp. 486–505. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42033-7_25
  43. Mather, L., Oswald, E., Whitnall, C.: Multi-target DPA attacks: pushing DPA beyond the limits of a desktop computer. In: Sarkar and Iwata [53], pp. 243–261
  44. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_33
  45. Nguyen, P.Q., Oswald, E. (eds.): EUROCRYPT 2014. LNCS, vol. 8441. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5
  46. Nikova, S., Rijmen, V., Schläffer, M.: Secure hardware implementation of nonlinear functions in the presence of glitches. J. Cryptol. 24(2), 292–321 (2011)
  47. Oswald, E., Fischlin, M. (eds.): EUROCRYPT 2015. LNCS, vol. 9056. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5
  48. Poussier, R., Grosso, V., Standaert, F.-X.: Comparing approaches to rank estimation for side-channel security evaluations. In: Homma, N., Medwed, M. (eds.) CARDIS 2015. LNCS, vol. 9514, pp. 125–142. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31271-2_8
  49. Prouff, E.: DPA attacks and S-boxes. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 424–441. Springer, Heidelberg (2005). https://doi.org/10.1007/11502760_29
  50. Prouff, E., Rivain, M.: Masking against side-channel attacks: a formal security proof. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 142–159. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_9
  51. Rivain, M.: On the exact success rate of side channel analysis in the Gaussian model. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 165–183. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04159-4_11
  52. Rivain, M., Prouff, E.: Provably secure higher-order masking of AES. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 413–427. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15031-9_28
  53. Sarkar, P., Iwata, T. (eds.): ASIACRYPT 2014. LNCS, vol. 8874. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8
  54. Schindler, W., Lemke, K., Paar, C.: A stochastic model for differential side channel cryptanalysis. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 30–46. Springer, Heidelberg (2005). https://doi.org/10.1007/11545262_3
  55. Schneider, T., Moradi, A.: Leakage assessment methodology - extended version. J. Crypt. Eng. 6(2), 85–99 (2016)
  56. Standaert, F.-X.: How (not) to use Welch's t-test in side-channel security evaluations. IACR Cryptology ePrint Archive 2017, 138 (2017)
  57. Standaert, F.-X., Malkin, T.G., Yung, M.: A unified framework for the analysis of side-channel key recovery attacks. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 443–461. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_26
  58. Standaert, F.-X., Veyrat-Charvillon, N., Oswald, E., Gierlichs, B., Medwed, M., Kasper, M., Mangard, S.: The world is not enough: another look on second-order DPA. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 112–129. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_7
  59. Veyrat-Charvillon, N., Gérard, B., Standaert, F.-X.: Soft analytical side-channel attacks. In: Sarkar and Iwata [53], pp. 282–296

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. Digital Security Group, Radboud University Nijmegen, Nijmegen, The Netherlands
  2. ICTEAM - Crypto Group, Université catholique de Louvain, Louvain-la-Neuve, Belgium