Rosita: Towards Automatic Elimination of Power-Analysis Leakage in Ciphers

Shelton, Madura A.; Samwel, Niels; Batina, Lejla; Regazzoni, Francesco; Wagner, Markus; Yarom, Yuval

doi:10.14722/ndss.2021.23137

Cited by 17 publications

(10 citation statements)

References 75 publications

(100 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The accuracy of such simulators depends on the set of experiments used to learn the model. Recently, ELMO has been extended into ELMO* in order to better model register or memory reuse as well as interaction between non consecutive instructions [23]. As for MAPS [14], it has been built using the RTL description of the Arm Cortex-M3.…”

Section: Related Workmentioning

confidence: 99%

“…In order to remove the micro-architectural leakage, the ROSITA tool [23] automates leaking pattern replacement detected by using ELMO* and non specific t-tests. The iterative process is able to remove most leakages from three implementations but fails for one implementation.…”

Section: Related Workmentioning

confidence: 99%

“…Some of the peaks can be explained, e.g. the two consecutive str instructions (lines 10-11) are likely to leak the transition of the data written to memory [17], [23], explaining partly the peak on the blue curve at samples 120 -128 in Fig. 1.…”

mentioning

confidence: 99%

See 2 more Smart Citations

ARMISTICE: Microarchitectural Leakage Modeling for Masked Software Formal Verification

Grandmaison¹,

Heydemann

Meunier

2022

IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst.

View full text Add to dashboard Cite

Side channel attacks are powerful attacks for retrieving secret data by exploiting physical measurements such as power consumption or electromagnetic emissions. Masking is a popular countermeasure as it can be proven secure against an attacker model. In practice, software masked implementations suffer from a security reduction due to a mismatch between the considered leakage sources in the security proof and the real ones, which depend on the micro-architecture. We propose ARMISTICE, a framework for formally verifying the absence of leakage in first-order masked implementations taking into account modelled micro-architectural sources of leakage. As a proof of concept, we present the modelling of an Arm Cortex-M3 core from its RTL description and leakage test vectors, as well as the modelling of the memory of a STM32F1 board, exclusively using leakage test vectors. We show that, with these models, ARMISTICE pinpoints vulnerable instructions in real world masked implementations and helps the design of masked software implementations which are practically secure.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

ARMISTICE: Microarchitectural Leakage Modeling for Masked Software Formal Verification

Grandmaison¹,

Heydemann

Meunier

2022

IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst.

View full text Add to dashboard Cite

show abstract

“…These phenomena can halve the security order, making the first order masking (with two shares or mask and masked intermediate value) vulnerable even to first-order attacks [3]. This is important since this is the most widely used scheme in practice, because of the complexities involved in higher-order masking [43].…”

Section: Masking Protected Implementationsmentioning

confidence: 99%

“…Nonetheless, as mentioned above, if masking is not properly implemented the implementation can be vulnerable to first-order attacks: It is important to ensure that the two parts of the same secret (mask and masked intermediate value) are not handled too closely [43]. For instance, authors in [54] claim that when the mask leakage is included in the observation time window, (first-order) TAs can relate the dependence between the mask and the masked variable leakage.…”

Section: Profiling Attacks On Maskingmentioning

confidence: 99%

Keep It Unbiased: A Comparison Between Estimation of Distribution Algorithms and Deep Learning for Human Interaction-Free Side-Channel Analysis

Rioja¹,

Batina²,

Armendariz³

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

Evaluating side-channel analysis (SCA) security is a complex process, involving applying several techniques whose success depends on human engineering. Therefore, it is crucial to avoid a false sense of confidence provided by non-optimal (failing) attacks. Different alternatives have emerged lately trying to mitigate human dependency, among which deep learning (DL) attacks are the most studied today. DL promise to simplify the procedure by e.g. evading the need for point of interest selection or the capability of bypassing noise and desynchronization, among other shortcuts. However, including DL in the equation comes at a price, since working with neural networks is not straightforward in this context. Recently, an alternative has appeared with the potential to mitigate this dependence without adding extra complexity: Estimation of Distribution Algorithm-based SCA. In this paper, we compare these two relevant methods, supporting our findings by experiments on various datasets.

show abstract

A Tale of Two Boards: On the Influence of Microarchitecture on Side-Channel Leakage

Arora

Buhan

Perin

et al. 2022

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Advances in cryptography have enabled the features of confidentiality, security, and integrity on small embedded devices such as IoT devices. While mathematically strong, the platform on which an algorithm is implemented plays a significant role in the security of the final product. Side-channel attacks exploit the variations in the system's physical characteristics to obtain information about the sensitive data. In our scenario, a software implementation of a cryptographic algorithm is flashed on devices from different manufactures with the same instruction set configured for identical execution. To analyze the influence of the microarchitecture on side-channel leakage, we acquire thirty-two sets of power traces from four physical devices. While we notice minor differences in the leakage behavior for different physical boards from the same manufacturer, our results confirm that the difference in microarchitecture implementations of the same core will leak different side-channel information. We also show that TVLA leakage prediction should be treated with caution as it is sensitive to both false positives and negatives.

show abstract

Rosita: Towards Automatic Elimination of Power-Analysis Leakage in Ciphers

Cited by 17 publications

References 75 publications

ARMISTICE: Microarchitectural Leakage Modeling for Masked Software Formal Verification

ARMISTICE: Microarchitectural Leakage Modeling for Masked Software Formal Verification

Keep It Unbiased: A Comparison Between Estimation of Distribution Algorithms and Deep Learning for Human Interaction-Free Side-Channel Analysis

A Tale of Two Boards: On the Influence of Microarchitecture on Side-Channel Leakage

Contact Info

Product

Resources

About