Making Masking Security Proofs Concrete (Or How to Evaluate the Security of Any Leaking Device), Extended Version

Duc, Alexandre; Faust, Sebastian; Standaert, François‐Xavier

doi:10.1007/s00145-018-9277-0

Cited by 89 publications

(117 citation statements)

References 64 publications

Supporting

Mentioning

115

Contrasting

Order By: Relevance

“…More precisely, if an implementation obtained by applying the compiler in [ISW03] is secure at order n in the probing model, then [DFS15,Theorem 3] shows that the success probability of distinguishing the correct key among |K| candidates is bounded above by |K| · 2 −n/9 if the leakage L i on each intermediate variable X i satisfies:…”

Section: Introductionmentioning

confidence: 99%

Horizontal Side-Channel Attacks and Countermeasures on the ISW Masking Scheme

Battistello

Coron

Prouff

et al. 2016

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. A common countermeasure against side-channel attacks consists in using the masking scheme originally introduced by Ishai, Sahai and Wagner (ISW) at Crypto 2003, and further generalized by Rivain and Prouff at CHES 2010. The countermeasure is provably secure in the probing model, and it was showed by Duc, Dziembowski and Faust at Eurocrypt 2014 that the proof can be extended to the more realistic noisy leakage model. However the extension only applies if the leakage noise σ increases at least linearly with the masking order n, which is not necessarily possible in practice. In this paper we investigate the security of an implementation when the previous condition is not satisfied, for example when the masking order n increases for a constant noise σ. We exhibit two (template) horizontal side-channel attacks against the Rivain-Prouff's secure multiplication scheme and we analyze their efficiency thanks to several simulations and experiments. We also describe a variant of Rivain-Prouff's multiplication that is still provably secure in the original ISW model, and also heuristically secure against our new attacks. Finally, we describe a new mask refreshing algorithm with complexity O(n log n), instead of O(n 2 ) for the classical algorithm.

show abstract

Section: Introductionmentioning

confidence: 99%

Horizontal Side-Channel Attacks and Countermeasures on the ISW Masking Scheme

Battistello

Coron

Prouff

et al. 2016

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…In the previous section, we have shown with Theorems 9 and 10 that the two models (bit-level probing and bounded moments) are equivalent, which motivates to consider the probing model at bit level (as opposed to at word level, as done in many papers (to cite a few: [16,19]). We give hereafter some examples of masking with codes at bit-level.…”

Section: Illustration For Some Coding-based Masking Schemesmentioning

confidence: 94%

Codes for Side-Channel Attacks and Protections

Guilley

Heuser

Rioul

2017

Codes, Cryptology and Information Security

View full text Add to dashboard Cite

Abstract. This article revisits side-channel analysis from the standpoint of coding theory. On the one hand, the attacker is shown to apply an optimal decoding algorithm in order to recover the secret key from the analysis of the side-channel. On the other hand, the side-channel protections are presented as a coding problem where the information is mixed with randomness to weaken as much as possible the sensitive information leaked into the side-channel. Therefore, the field of side-channel analysis is viewed as a struggle between a coder and a decoder. In this paper, we focus on the main results obtained through this analysis. In terms of attacks, we discuss optimal strategy in various practical contexts, such as type of noise, dimensionality of the leakage and of the model, etc. Regarding countermeasures, we give a formal analysis of some masking schemes, including enhancements based on codes contributed via fruitful collaborations with Claude Carlet.

show abstract

“…Duc, Dziembowski and Faust [17] show that proving probing security allows one to estimate the practical (noisy leakage) security of a masked algorithm. While Duc, Faust and Standaert [18] empirically show that some of the factors of Duc et al's bound [17] are likely proof artefacts, the remainder of the bound, and in particular a factor that includes the size of the circuit, seems to be tight. Intuitively, Duc et al [18] essentially show that the probing security order gives an indication of the smallest order moment of the distribution over leakage traces that contains information about the secret, whereas the size of the circuit the adversary can probe is an indicator of how easy it is to evaluate higher-order moments.…”

Section: Adversary and Leakage Models For Maskingmentioning

confidence: 99%

Strong Non-Interference and Type-Directed Higher-Order Masking

Barthe

Belaïd

Dupressoir

et al. 2016

Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

123

132

View full text Add to dashboard Cite

Differential power analysis (DPA) is a side-channel attack in which an adversary retrieves cryptographic material by measuring and analyzing the power consumption of the device on which the cryptographic algorithm under attack executes. An effective countermeasure against DPA is to mask secrets by probabilistically encoding them over a set of shares, and to run masked algorithms that compute on these encodings. Masked algorithms are often expected to provide, at least, a certain level of probing security. Leveraging the deep connections between probabilistic information flow and probing security, we develop a precise, scalable, and fully automated methodology to verify the probing security of masked algorithms, and generate them from unprotected descriptions of the algorithm. Our methodology relies on several contributions of independent interest, including a stronger notion of probing security that supports compositional reasoning, and a type system for enforcing an expressive class of probing policies. Finally, we validate our methodology on examples that go significantly beyond the state-of-the-art

show abstract

Making Masking Security Proofs Concrete (Or How to Evaluate the Security of Any Leaking Device), Extended Version

Cited by 89 publications

References 64 publications

Horizontal Side-Channel Attacks and Countermeasures on the ISW Masking Scheme

Horizontal Side-Channel Attacks and Countermeasures on the ISW Masking Scheme

Codes for Side-Channel Attacks and Protections

Strong Non-Interference and Type-Directed Higher-Order Masking

Contact Info

Product

Resources

About