On the Practical Security of a Leakage Resilient Masking Scheme

Transcription

1 On the Practical Security of a Leakage Resilient Masking Scheme T. Roche thomas.roche@ssi.gouv.fr Joint work with E. Prouff and M. Rivain CT-RSA 2014 Feb. 2014

2 Side Channel Analysis Side Channel Attacks (SCA) appear 15 years ago 1996 : Timing Attacks 1998 : Power Analysis 2000 : Electromagnetic Analysis Numerous attacks 1998 : (single-bit) DPA KocherJaffeJune : (multi-bit) DPA Messerges : Higher-order SCA Messerges : Template SCA ChariRaoRohatgi : CPA BrierClavierOlivier : Stochastic SCA SchindlerLemkePaar : Mutual Information SCA GierlichsBatinaTuyls2008 etc.

3 Side Channel Analysis Side Channel Attacks (SCA) appear 15 years ago 1996 : Timing Attacks 1998 : Power Analysis 2000 : Electromagnetic Analysis Numerous attacks 1998 : (single-bit) DPA KocherJaffeJune : (multi-bit) DPA Messerges : Higher-order SCA Messerges : Template SCA ChariRaoRohatgi : CPA BrierClavierOlivier : Stochastic SCA SchindlerLemkePaar : Mutual Information SCA GierlichsBatinaTuyls2008 etc.

4 Side Channel Analysis Side Channel Attacks (SCA) appear 15 years ago 1996 : Timing Attacks 1998 : Power Analysis 2000 : Electromagnetic Analysis Numerous attacks 1998 : (single-bit) DPA KocherJaffeJune : (multi-bit) DPA Messerges : Higher-order SCA Messerges : Template SCA ChariRaoRohatgi : CPA BrierClavierOlivier : Stochastic SCA SchindlerLemkePaar : Mutual Information SCA GierlichsBatinaTuyls2008 etc.

5 Side Channel Analysis Side Channel Attacks (SCA) appear 15 years ago 1996 : Timing Attacks 1998 : Power Analysis 2000 : Electromagnetic Analysis Numerous attacks 1998 : (single-bit) DPA KocherJaffeJune : (multi-bit) DPA Messerges : Higher-order SCA Messerges : Template SCA ChariRaoRohatgi : CPA BrierClavierOlivier : Stochastic SCA SchindlerLemkePaar : Mutual Information SCA GierlichsBatinaTuyls2008 etc.

6 Masking/Sharing Coutermeasures Idea : consists in securing the implementation using secret sharing techniques. First Ideas in GoubinPatarin99 and ChariJutlaRaoRohatgi99. Soundness based on the following remark : [Chari-Jutla-Rao-Rohatgi CRYPTO 99] Bit x masked x 0, x 1,..., x d Leakage : Li x i + N (µ, σ 2 )( # of leakage samples to test (Li ) i x = 0 ) = ( (L i ) i x = 1 ) : q O(1)σ d

7 Masking/Sharing Coutermeasures Idea : consists in securing the implementation using secret sharing techniques. First Ideas in GoubinPatarin99 and ChariJutlaRaoRohatgi99. Soundness based on the following remark : [Chari-Jutla-Rao-Rohatgi CRYPTO 99] Bit x masked x 0, x 1,..., x d Leakage : Li x i + N (µ, σ 2 )( # of leakage samples to test (Li ) i x = 0 ) = ( (L i ) i x = 1 ) : q O(1)σ d

8 Masking/Sharing Coutermeasures Idea : consists in securing the implementation using secret sharing techniques. First Ideas in GoubinPatarin99 and ChariJutlaRaoRohatgi99. Soundness based on the following remark : [Chari-Jutla-Rao-Rohatgi CRYPTO 99] Bit x masked x 0, x 1,..., x d Leakage : Li x i + N (µ, σ 2 )( # of leakage samples to test (Li ) i x = 0 ) = ( (L i ) i x = 1 ) : q O(1)σ d

9 Probing Adversary Notion introduced in IshaiSahaiWagner, CRYPTO 2003 A d th -order probing adversary is allowed to observe at most d intermediate results during the overall algorithm processing. Hardware interpretation : d is the maximum of wires observed in the circuit. Software interpretation : d is the maximum of different timings during the processing. d th -order probing adversary = d th -order SCA as introduced in Messerges99. Countermeasures proved to be secure against a d th -order probing adv. : d = 1 : KocherJaffeJune99, BlömerGuajardoKrummel04, ProuffRivain07. d = 2 : RivainDottaxProuff08. d 1 : IshaiSahaiWagner03, ProuffRoche11, GenelleProuffQuisquater11, CarletGoubinProuffQuisquaterRivain12.

10 Probing Adversary Notion introduced in IshaiSahaiWagner, CRYPTO 2003 A d th -order probing adversary is allowed to observe at most d intermediate results during the overall algorithm processing. Hardware interpretation : d is the maximum of wires observed in the circuit. Software interpretation : d is the maximum of different timings during the processing. d th -order probing adversary = d th -order SCA as introduced in Messerges99. Countermeasures proved to be secure against a d th -order probing adv. : d = 1 : KocherJaffeJune99, BlömerGuajardoKrummel04, ProuffRivain07. d = 2 : RivainDottaxProuff08. d 1 : IshaiSahaiWagner03, ProuffRoche11, GenelleProuffQuisquater11, CarletGoubinProuffQuisquaterRivain12.

11 Higher-Order Masking Schemes Achieving security in the probing adversary model Definition A dth-order masking scheme for an encryption algorithm c E(m, k) is an algorithm (c 0, c 1,..., c d ) E ( (m 0, m 1,..., m d ), (k 0, k 1,..., k d ) ) Completeness : there exists R s.t. : R(c 0,, c d ) = E(m, k) Security : {iv 1, iv 2,..., iv d } {intermediate var. of E } : Pr ( k iv 1, iv 2,..., iv d ) = Pr ( k )

12 State Of The Art dth-order masking schemes Boolean Masking n = 2d + 1, O(d 2 ) [Ishai et al.03] (hardware oriented) [Rivain-Prouff 10] [Kim et al.11] Multiplicative Masking n = d + 1, O(d 2 ) [Genelle et al.11] (alternating Boolean and Multiplicative Masking) Polynomial Masking Õ(d 2 ) [Prouff-Roche 11] (n = 2d + 1, Glitches Resitance) Inner-Product Masking O(d 2 ) [Balasch et al.12] (n = 2(d + 1), Glitches Resistance)

13 State Of The Art dth-order masking schemes Boolean Masking n = 2d + 1, O(d 2 ) [Ishai et al.03] (hardware oriented) [Rivain-Prouff 10] [Kim et al.11] Multiplicative Masking n = d + 1, O(d 2 ) [Genelle et al.11] (alternating Boolean and Multiplicative Masking) Polynomial Masking Õ(d 2 ) [Prouff-Roche 11] (n = 2d + 1, Glitches Resitance) Inner-Product Masking O(d 2 ) [Balasch et al.12] (n = 2(d + 1), Glitches Resistance)

14 Mutual Information Analysis of Masking Schemes Mutual Information Evaluation Hamming Weight Model and Additive Gaussian Noise O(X ) = HW (X ) + B B N (0, σ) In this idealized model, the success rate of an optimal multi-query (HO-)SCA targeting (Z 0,, Z d ) is a monotonously increasing function of I(O(Z 0 ),, O(Z d ); Z) [Standaert et al. 09]

15 Mutual Information Analysis of Masking Schemes Boolean Sharing Manipulation of randomized variable z $ (z r 1 r d, r 1,, r d ), where r i are randomly generated in GF(2 l ).

16 Mutual Information Analysis of Masking Schemes Information Leaked by a d th -order Boolean Sharing 4 1O Bool.Mask. 2O Leak 2O Bool.Mask. 3O Leak 2 log10 (I(Z, O)) Noise Standard Deviation

17 Mutual Information Analysis of Masking Schemes Multiplicative Sharing Manipulation of randomized variable z $ (zxr 1 x xr d, r 1,, r d ), where r i are randomly generated in GF (2 l ).

18 Mutual Information Analysis of Masking Schemes Multiplicative Sharing Manipulation of randomized variable z $ (zxr 1 x xr d, r 1,, r d ), where r i are randomly generated in GF (2 l ). 1st-order Flaw Pr(zxr 1 x xr d = 0 z = 0) = 1

19 Mutual Information Analysis of Masking Schemes Information Leaked by a d th -order Multiplicative Sharing 4 2 1O Bool.Mask. 2O Leak 2O Bool.Mask. 3O Leak 1O Mult.Mask. 1O Leak log10 (I(Z, O)) Noise Standard Deviation

20 Mutual Information Analysis of Masking Schemes Shamir s Secret Sharing Manipulation of randomized variable $ z P z [X ] : z + a 1 X + + a d X d P z, α 1,, α n (P z (α 1 ),, P z (α n )) where a i are randomly generated in GF(2 l ) and α i are distinct public value of GF(2 l ).

21 Mutual Information Analysis of Masking Schemes Information Leaked by a d th -order Shamir s Secret Sharing log10 (I(Z, O)) O Bool.Mask. 2O Leak 2O Bool.Mask. 3O Leak 1O Mult.Mask. 1O Leak 1O Poly.Mask. 2O Leak 2O Poly.Mask. 3O Leak Noise Standard Deviation

22 Mutual Information Analysis of Masking Schemes IP-masking [Dziembowski-Faust TCC 2012] Manipulation of randomized variable z $ ( z n i=2 L ir i L 1, R 2,, R n, L 1,, L n ) where R i are randomly generated in GF(2 l ) and L i are randomly generated in GF(2 l ).

23 Mutual Information Analysis of Masking Schemes Information Leaked by a d th -order IP sharing log10 (MI) O Bool.Mask. 2O Leak 2O Bool.Mask. 3O Leak 1O Mult.Mask. 1O Leak 1O Poly.Mask. 2O Leak 2O Poly.Mask. 3O Leak 1O IP.Mask. 2O Leak 2O IP.Mask. 3O Leak Noise Standard Deviation

24 Analysis of Inner-Product Masking Scheme IP-masking Scheme BalaschFaustGierlichsVerbauwhede, ASIACRYPT n shares for (n 1) probing security (HO-)Glitches Attack resistant masking scheme Weak information leakage assuming standard Leakage Functions e.g. HW Complexity O(n 2 ) Proofs in the continuous bounded-range leakage model only if n 130 Practical Leakage Resilient Masking Scheme O() : {0, 1} l {0, 1} λ λ << l

25 Analysis of Inner-Product Masking Scheme IP-masking Scheme BalaschFaustGierlichsVerbauwhede, ASIACRYPT 2012 Inner-Product Sharing Scheme z $ ( z n i=2 L ir i L 1, R 2,, R n, L 1,, L n ) R i in GF(2 l ), L i in GF(2 l ). IP-Masking Scheme [Balasch et al. 12] inputs : {(L A, R A ), (L B, R B )} RefreshMasks(A) : O(n) A + B : O(n) xa + y : O(n) A B : O(n 2 )

26 Analysis of Inner-Product Masking Scheme IP-masking Scheme BalaschFaustGierlichsVerbauwhede, ASIACRYPT 2012 Inner-Product Sharing Scheme z $ ( z n i=2 L ir i L 1, R 2,, R n, L 1,, L n ) R i in GF(2 l ), L i in GF(2 l ). IP-Masking Scheme [Balasch et al. 12] inputs : {(L A, R A ), (L B, R B )} RefreshMasks(A) : O(n) A + B : O(n) xa + y : O(n) A B : O(n 2 )

27 Analysis of Inner-Product Masking Scheme Algorithm Refresh Mask description Input : the (2n, d)-sharing (L, R) of V. Output: the (2n, d)-sharing (L, R ) such that L, R = L, R. /* Refresh Masks */ 1 L (randnonzero()) n ; 2 for i = 1 to n do 3 A i L i L i ; 4 X A, R ; 5 B IPHalfMask(X, L ); 6 R R B; 7 return (L, R );

28 Analysis of Inner-Product Masking Scheme Algorithm Refresh Mask description Input : the (2n, d)-sharing (L, R) of V. Output: the (2n, d)-sharing (L, R ) such that L, R = L, R. /* Refresh Masks */ 1 L (randnonzero()) n ; 2 for i = 1 to n do 3 A i L i L i ; 4 X A, R ; 5 B IPHalfMask(X, L ); 6 R R B; 7 return (L, R );

29 Analysis of Inner-Product Masking Scheme Algorithm Refresh Mask description Input : the (2n, d)-sharing (L, R) of V. Output: the (2n, d)-sharing (L, R ) such that L, R = L, R. /* Refresh Masks */ 1 L (randnonzero()) n ; 2 for i = 1 to n do 3 A i L i L i ; 4 X A, R ; 5 B IPHalfMask(X, L ); 6 R R B; 7 return (L, R );

30 Analysis of Inner-Product Masking Scheme Algorithm Refresh Mask description Input : the (2n, d)-sharing (L, R) of V. Output: the (2n, d)-sharing (L, R ) such that L, R = L, R. /* Refresh Masks */ 1 L (randnonzero()) n ; 2 for i = 1 to n do 3 A i L i L i ; 4 X A, R ; 5 B IPHalfMask(X, L ); 6 R R B; 7 return (L, R ); For n = 2, V = L 1 R 1 L 2 R 2 X = (L 1 L 1 )R 1 (L 2 L 2 )R 2

31 Analysis of Inner-Product Masking Scheme Algorithm Refresh Mask description Input : the (2n, d)-sharing (L, R) of V. Output: the (2n, d)-sharing (L, R ) such that L, R = L, R. /* Refresh Masks */ 1 L (randnonzero()) n ; 2 for i = 1 to n do 3 A i L i L i ; 4 X A, R ; 5 B IPHalfMask(X, L ); 6 R R B; 7 return (L, R ); For n = 2, V = L 1 R 1 L 2 R 2 X = (L 1 L 1 )R 1 (L 2 L 2 )R 2

32 Analysis of Inner-Product Masking Scheme Algorithm Refresh Mask description Input : the (2n, d)-sharing (L, R) of V. Output: the (2n, d)-sharing (L, R ) such that L, R = L, R. /* Refresh Masks */ 1 L (randnonzero()) n ; 2 for i = 1 to n do 3 A i L i L i ; 4 X A, R ; 5 B IPHalfMask(X, L ); 6 R R B; 7 return (L, R ); For n = 2, V = L 1 R 1 L 2 R 2 X = (L 1 L 1 )R 1 (L 2 L 2 )R 2

33 Analysis of Inner-Product Masking Scheme A 1 st -order Flaw for any d for v = 0, and Pr[X = x V = v] = { if x = 0 2 l 2 l (2 l 1) n if x 0 2 l 2 l (2 l 1) n 1 Pr[X = x V = v] = { 1 1 if x = v 2 l 2 l (2 l 1) n if x v 2 l 2 l (2 l 1) n, otherwise.

34 Analysis of Inner-Product Masking Scheme A 1 st -order Flaw for any d for v = 0, and Pr[X = x V = v] = { if x = 0 2 l 2 l (2 l 1) n if x 0 2 l 2 l (2 l 1) n 1 Pr[X = x V = v] = { 1 1 if x = v 2 l 2 l (2 l 1) n if x v 2 l 2 l (2 l 1) n, otherwise. I(V ; O(X )) 0

35 Analysis of Inner-Product Masking Scheme Information Leaked by the 1 st -order Flaw Eq. (8) 1O IP.Mask. 2O Leak Eq. (9) 2O IP.Mask. 3O Leak Eq. (10) 1O IP.Mask. 1O Flaw Eq. (11) 2O IP.Mask. 1O Flaw log10 (MI) Noise Standard Deviation

36 Analysis of Inner-Product Masking Scheme Information Leaked by the 1 st -order Flaw on 4-bit variables log10 (MI) Eq. (11) 1O IP.Mask. 2O Leak Eq. (12) 2O IP.Mask. 3O Leak Eq. (13) 1O IP.Mask. 1O Flaw Eq. (14) 2O IP.Mask. 1O Flaw 10 x CPA exploiting the flaw X 2O-CPA exploiting the half IP-Masking R Noise Standard Deviation

37 Conclusion and Future works A security flaw in Blasch et al. scheme 1st-order flaw (exponential decay w.r.t. the mask order) in practice much easier to mount than a d-order attack. noise addition techniques won t help that much. proof in the continuous bounded-leakage model is still standing ways of improving the n 130 bound?

38 Conclusion and Future works A security flaw in Blasch et al. scheme 1st-order flaw (exponential decay w.r.t. the mask order) in practice much easier to mount than a d-order attack. noise addition techniques won t help that much. proof in the continuous bounded-leakage model is still standing ways of improving the n 130 bound?

39 Conclusion and Future works A security flaw in Blasch et al. scheme 1st-order flaw (exponential decay w.r.t. the mask order) in practice much easier to mount than a d-order attack. noise addition techniques won t help that much. proof in the continuous bounded-leakage model is still standing ways of improving the n 130 bound?

40 Conclusion and Future works IP-Masking Scheme w.r.t. to recent results in leakage resilience proofs ProufRivain, EUROCRYPT 2013 security proofs in continuous leakage model practical noisy leakage models additive masking (Ishai et al. scheme) improvements and link with probing security DucDziembowskiFaust, to appear EUROCRYPT 2014