On the Use of Masking to Defeat Power-Analysis Attacks
ENS Paris Crypto Day
February 16, 2016
Presented by Sonia Belaïd
1/32
2/32
Outline
Power-Analysis Attacks
Masking Countermeasure
Leakage Models
Security in the probing model
Construction of Secure Masking Schemes - Composition
3/32
• Black-box cryptanalysis: A ← (m_i, c_i)
• Side-channel analysis: A ← (m_i, c_i, L_i)
Diagram: Alice computes c_i = ENC_k(m_i) and sends c_i to Bob, who computes m_i = DEC_k(c_i); each computation emits a leakage L_i that the side-channel adversary observes in addition to (m_i, c_i).
4/32
A Power-Analysis Attack against AES-128
Figure: consumption trace of a full AES-128 from the DPA Contest v2
5/32
A Power-Analysis Attack against AES-128
Diagram: the 128-bit input m is XORed with the round key k0 and goes through the S-box; the S-box handles an 8-bit value v and leaks f(v) + ε, so the key is attacked 8 bits at a time.
Attack on 8 bits
• prediction of the outputs for the 256 possible 8-bit secrets
• correlation between predictions and leakage
• selection of the best correlation to find the correct 8-bit secret
Attack on 128 bits
• repetition of the attack on 8 bits on each S-box
6/32
Algorithmic Countermeasures
Problem: leakage L is key-dependent (diagram: inputs m and k, output c, leakage L)
Two main algorithmic solutions:
• Fresh re-keying: regularly change k
• Masking: make leakage L random
7/32
Fresh Re-keying
Idea: regularly change k
Diagram: the master key k and a fresh random r go through a re-keying function R to derive a session key k*, which is then used to encrypt m into c.
8/32
Masking
Idea: make leakage L random
sensitive value: v = f(m, k)
v_1 ← $, ..., v_t ← $
v_0 ← v ⊕ (⊕_{1 ≤ i ≤ t} v_i)
⇒ each t-uple of shares (v_i)_i is independent from v
10/32
Current Research on Masking
Masking research splits into Security (realism of the leakage models, and formal proofs of security) and Efficiency.
Realism / leakage models:
[EC:PR13] Masking against Side-Channel Attacks: A Formal Security Proof
[EC:DDF14] Unifying Leakage Models: From Probing Attacks to Noisy Leakage
[EC:DFS15] Making Masking Security Proofs Concrete - Or How to Evaluate the Security of Any Leaking Device
...
Proofs / formal proofs of security:
[C:ISW03] Private Circuits: Securing Hardware against Probing Attacks
[CHES:RP10] Provably Secure Higher-Order Masking of AES
[FSE:CPRR13] Higher-Order Side Channel Security and Mask Refreshing
[EC:BBDFGS15] formal proofs of masking schemes
[ePrint:BBDFG15] generation of formally proven masking schemes at any order
Efficiency:
[FSE:CPRR13] Higher-Order Side Channel Security and Mask Refreshing
[EC:BBPPTV16] improvement of the randomness complexity for some multiplications
12/32
Power-Analysis Attacks on Masking Schemes
First-order masking
⇒ compare C(L(v + m), L(m)) to the predictions on v
3rd-order masking
⇒ compare C(L(v + m1), L(m2), L(m3), L(m1 + m2 + m3)) to the predictions on v
13/32
Security of Masked Programs: Leakage Model
Figure: the leakage models placed along two axes, realism against convenience for security proofs.
• t-probing model (Ishai, Sahai, Wagner, Crypto 03)
• noisy leakage model (Prouff, Rivain, Eurocrypt 13), with leak-free gates
• reduction between the two models (Duc, Dziembowski, Faust, Eurocrypt 14), with no leak-free gates
15/32
Security in the t-probing model
t-probing model assumptions:
• only one variable is leaking at a time
• the attacker can get the exact value of at most t variables
⇒ show that all the t-uples are independent from the secret
16/32
Security in the t-probing model
Notation: v: randomly generated variable; c: known constant; x: secret variable
function Ex-t3(x1, x2, x3, x4, c):   (* x1, x2, x3 = $ *)   (* x4 = x + x1 + x2 + x3 *)
  r1 ← $
  r2 ← $
  y1 ← x1 + r1
  y2 ← (x + x1 + x2 + x3) + r2
  t1 ← x2 + r1
  t2 ← (x2 + r1) + x3
  y3 ← (x2 + r1 + x3) + r2
  y4 ← c + r2
  return (y1, y2, y3, y4)
1. independent from the secret? (✓, ✗, ?) ⇒ ✗ many mistakes
2. test 286 3-uples ⇒ ✗ missing cases, ✗ inefficient
17/32
Security in the t-probing model
Contributions:
1. new algorithm to decide whether a t-uple is independent from the secret
   • no false positive
   • more efficient than existing works
2. new algorithm to enumerate all the t-uples
   • more efficient than existing works
Gilles Barthe, Sonia Belaïd, François Dupressoir, Pierre-Alain Fouque, Benjamin Grégoire, and Pierre-Yves Strub. Verified proofs of higher-order masking. EUROCRYPT 2015.
18/32
1. Show that a t-uple is independent from the secret
Inputs: t intermediate variables, b ← true
(Rule 1) secret variables?
  yes ⇒ (Rule 2)
  no ⇒ ✓
(Rule 2) an expression v is invertible in the only occurrence of a random r?
  yes ⇒ v ← r; (Rule 1)
  no ⇒ (Rule 3)
(Rule 3) is flag b = true?
  yes ⇒ simplify; b ← false; (Rule 1)
  no ⇒ ✗
function Ex-t3(x1, x2, x3, x4, c):
  r1 ← $
  r2 ← $
  y1 ← x1 + r1
  y2 ← (x + x1 + x2 + x3) + r2      (the slide's worked step: Rule 2 rewrites this to y2 ← x3)
  t1 ← x2 + r1
  t2 ← (x2 + r1) + x3
  y3 ← (x2 + r1 + x3) + r2
  y4 ← c + r2
  return (y1, y2, y3, y4)
✓ ⇒ distribution independent from the secret
✗ ⇒ might be used for an attack
![Page 45: On the Use of Masking to Defeat Power-Analysis Attacks ... · Power-Analysis Attacks ENS Paris Crypto Day February 16, 2016 Presented by Sonia Belaïd 1/32. 2/32 Outline Power-Analysis](https://reader033.vdocuments.mx/reader033/viewer/2022050121/5f51770049f4b948da1f1292/html5/thumbnails/45.jpg)
19/32
2. Extension to All Possible Sets
Problem: n intermediate variables Ü(n
t)
proofs
New Idea: proofs for sets of more than t variablesÏ find larger sets which cover all the intermediate variables is a hard
problemÏ two algorithms efficient in practice
X X̂ C(X̂
)
Algorithm 1:
1. select X = (t variables) and prove itsindependence
2. extend X to X̂ with moreobservations but still independence
3. recursively descend in set C(X̂
)4. merge X̂ and C
(X̂
)once they are
processed separately.
![Page 52: On the Use of Masking to Defeat Power-Analysis Attacks ... · Power-Analysis Attacks ENS Paris Crypto Day February 16, 2016 Presented by Sonia Belaïd 1/32. 2/32 Outline Power-Analysis](https://reader033.vdocuments.mx/reader033/viewer/2022050121/5f51770049f4b948da1f1292/html5/thumbnails/52.jpg)
20/32
2. Extension to All Possible Sets: Example
function Ex-t3(x1, x2, x3, x4, c):
  r1 ← $
  r2 ← $
  y1 ← x1 + r1
  y2 ← (x + x1 + x2 + x3) + r2
  t1 ← x2 + r1
  t2 ← (x2 + r1) + x3
  y3 ← (x2 + r1 + x3) + r2
  y4 ← c + r2
  return (y1, y2, y3, y4)
X: 4
X̂: 4
C(X̂): 4
merge X̂ and C(X̂): 8
⇒ 207 proofs instead of 286
![Page 58: On the Use of Masking to Defeat Power-Analysis Attacks ... · Power-Analysis Attacks ENS Paris Crypto Day February 16, 2016 Presented by Sonia Belaïd 1/32. 2/32 Outline Power-Analysis](https://reader033.vdocuments.mx/reader033/viewer/2022050121/5f51770049f4b948da1f1292/html5/thumbnails/58.jpg)
21/32
Application to the Sbox [CPRR13, Algorithm 4]

| Order | Method | # tuples | Security | Complexity: # sets | time* |
|---|---|---|---|---|---|
| First-Order Masking | naive | 63 | ✓ | 63 | 0.001s |
| First-Order Masking | Alg. 1 | 63 | ✓ | 17 | 0.001s |
| First-Order Masking | Alg. 2 | 63 | ✓ | 17 | 0.001s |
| Second-Order Masking | naive | 12,561 | ✓ | 12,561 | 0.180s |
| Second-Order Masking | Alg. 1 | 12,561 | ✓ | 851 | 0.046s |
| Second-Order Masking | Alg. 2 | 12,561 | ✓ | 619 | 0.029s |
| Third-Order Masking | naive | 4,499,950 | ✓ | 4,499,950 | 140.642s |
| Third-Order Masking | Alg. 1 | 4,499,950 | ✓ | 68,492 | 9.923s |
| Third-Order Masking | Alg. 2 | 4,499,950 | ✓ | 33,075 | 3.894s |
| Fourth-Order Masking | naive | 2,277,036,685 | ✓ | - | unpractical |
| Fourth-Order Masking | Alg. 1 | 2,277,036,685 | ✓ | 8,852,144 | 2959.770s |
| Fourth-Order Masking | Alg. 2 | 2,277,036,685 | ✓ | 3,343,587 | 879.235s |

*run on a headless VM with a dual core (only one core is used in the computation) 64-bit processor clocked at 2GHz
![Page 59: On the Use of Masking to Defeat Power-Analysis Attacks ... · Power-Analysis Attacks ENS Paris Crypto Day February 16, 2016 Presented by Sonia Belaïd 1/32. 2/32 Outline Power-Analysis](https://reader033.vdocuments.mx/reader033/viewer/2022050121/5f51770049f4b948da1f1292/html5/thumbnails/59.jpg)
22/32
Benchmarks

| Order | Reference | Target | # tuples | Security | Complexity: # sets | time (s) |
|---|---|---|---|---|---|---|
| First-Order Masking | FSE13 | full AES | 17,206 | ✓ | 3,342 | 128 |
| First-Order Masking | MAC-SHA3 | full Keccak-f | 13,466 | ✓ | 5,421 | 405 |
| Second-Order Masking | RSA06 | Sbox | 1,188,111 | ✓ | 4,104 | 1.649 |
| Second-Order Masking | CHES10 | Sbox | 7,140 | 1st-order flaws (2) | 866 | 0.045 |
| Second-Order Masking | CHES10 | AES KS | 23,041,866 | ✓ | 771,263 | 340,745 |
| Second-Order Masking | FSE13 | 2 rnds AES | 25,429,146 | ✓ | 511,865 | 1,295 |
| Second-Order Masking | FSE13 | 4 rnds AES | 109,571,806 | ✓ | 2,317,593 | 40,169 |
| Third-Order Masking | RSA06 | Sbox | 2,057,067,320 | 3rd-order flaws (98,176) | 2,013,070 | 695 |
| Third-Order Masking | FSE13 | Sbox(4) | 4,499,950 | ✓ | 33,075 | 3.894 |
| Third-Order Masking | FSE13 | Sbox(5) | 4,499,950 | ✓ | 39,613 | 5.036 |
| Fourth-Order Masking | FSE13 | Sbox (4) | 2,277,036,685 | ✓ | 3,343,587 | 879 |
| Fifth-Order Masking | CHES10 | ⊗ | 216,071,394 | ✓ | 856,147 | 45 |
![Page 60: On the Use of Masking to Defeat Power-Analysis Attacks ... · Power-Analysis Attacks ENS Paris Crypto Day February 16, 2016 Presented by Sonia Belaïd 1/32. 2/32 Outline Power-Analysis](https://reader033.vdocuments.mx/reader033/viewer/2022050121/5f51770049f4b948da1f1292/html5/thumbnails/60.jpg)
23/32
Outline
Power-Analysis Attacks
Masking Countermeasure
Leakage Models
Security in the probing model
Construction of Secure Masking Schemes - Composition
![Page 61: On the Use of Masking to Defeat Power-Analysis Attacks ... · Power-Analysis Attacks ENS Paris Crypto Day February 16, 2016 Presented by Sonia Belaïd 1/32. 2/32 Outline Power-Analysis](https://reader033.vdocuments.mx/reader033/viewer/2022050121/5f51770049f4b948da1f1292/html5/thumbnails/61.jpg)
24/32
Current Issues in Composition
[Diagram marked ✘]
A refresh algorithm takes as input a sharing (x_i)_{i≥0} of x and returns a new sharing (x'_i)_{i≥0} of x such that (x_i)_{i≥1} and (x'_i)_{i≥1} are mutually independent.
![Page 66: On the Use of Masking to Defeat Power-Analysis Attacks ... · Power-Analysis Attacks ENS Paris Crypto Day February 16, 2016 Presented by Sonia Belaïd 1/32. 2/32 Outline Power-Analysis](https://reader033.vdocuments.mx/reader033/viewer/2022050121/5f51770049f4b948da1f1292/html5/thumbnails/66.jpg)
25/32
Composition in the t-probing model
Contributions:
1. new algorithm to verify the security of compositions
   ▸ formal security
   ▸ any order
2. compiler to build a higher-order secure scheme from any C implementation
   ▸ efficient
   ▸ any order
Gilles Barthe, Sonia Belaïd, François Dupressoir, Pierre-Alain Fouque, and Benjamin Grégoire. Compositional Verification of Higher-Order Masking: Application to a Verifying Masking Compiler. ePrint 2015.
![Page 67: On the Use of Masking to Defeat Power-Analysis Attacks ... · Power-Analysis Attacks ENS Paris Crypto Day February 16, 2016 Presented by Sonia Belaïd 1/32. 2/32 Outline Power-Analysis](https://reader033.vdocuments.mx/reader033/viewer/2022050121/5f51770049f4b948da1f1292/html5/thumbnails/67.jpg)
26/32
Security properties in the t-probing model
if t is fixed: show that any set of t intermediate variables is independent from the secret
if t is not fixed: show that any set of t intermediate variables can be simulated with at most t shares of each input
[Diagram: 3 observations on a gadget with input shares a0 a1 a2 a3 (a3 = a + a0 + a1 + a2) and output shares c0 c1 c2 c3]
function Linear-function-t(a0, ..., ai, ..., at):
  for i = 0 to t
    ci ← f(ai)
  return (c0, ..., ci, ..., ct)
⇒ straightforward for linear functions
⇒ formal proofs with EasyCrypt and pen-and-paper proofs for small non-linear functions
![Page 72: On the Use of Masking to Defeat Power-Analysis Attacks ... · Power-Analysis Attacks ENS Paris Crypto Day February 16, 2016 Presented by Sonia Belaïd 1/32. 2/32 Outline Power-Analysis](https://reader033.vdocuments.mx/reader033/viewer/2022050121/5f51770049f4b948da1f1292/html5/thumbnails/72.jpg)
27/32
Current Issues
Constraint: t0 + t1 + t2 + t3 ≤ t
[Diagram: gadgets A0, A1, A2, A3 and a Refresh, with t0, t1, t2, t3 and tr observations respectively; the labels below give the number of observations each gadget has to be simulated for]
- A3: t3 observations
- Refresh: tr + t3 observations
- A2: t2 + t3 observations
- A1: t1 + t3 + t2 + t3 = t1 + t2 + 2t3 observations ≤ t ?
Constraint: t0 + t1 + t2 + t3 + tr ≤ t
- A1: t1 + t2 + 2t3 + tr observations ≤ t ?
![Page 84: On the Use of Masking to Defeat Power-Analysis Attacks ... · Power-Analysis Attacks ENS Paris Crypto Day February 16, 2016 Presented by Sonia Belaïd 1/32. 2/32 Outline Power-Analysis](https://reader033.vdocuments.mx/reader033/viewer/2022050121/5f51770049f4b948da1f1292/html5/thumbnails/84.jpg)
28/32
Stronger security property for Refresh
Strong Non-Interference in the t-probing model: if t is not fixed, show that any set of t intermediate variables with
- t1 on internal variables
- t2 = t − t1 on the outputs
can be simulated with at most t1 shares of each input
[Diagram: 2 internal observations + 1 output observation on a refresh with input shares a0 a1 a2 a3 and output shares c0 c1 c2 c3]
![Page 85: On the Use of Masking to Defeat Power-Analysis Attacks ... · Power-Analysis Attacks ENS Paris Crypto Day February 16, 2016 Presented by Sonia Belaïd 1/32. 2/32 Outline Power-Analysis](https://reader033.vdocuments.mx/reader033/viewer/2022050121/5f51770049f4b948da1f1292/html5/thumbnails/85.jpg)
29/32
Secure Composition
Constraint: t0 + t1 + t2 + t3 + tr ≤ t
[Diagram: the same gadgets A0, A1, A2, A3 and Refresh with t0, t1, t2, t3 and tr observations; the Refresh now distinguishes internal from output observations]
- A3: t3 observations
- Refresh: tr internal observations + t3 output observations
- A2: t2 + t3 observations
- A1: t1 + t2 + t3 + tr observations
- A0: t0 + t1 + t2 + t3 + tr observations ≤ t ✓
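The bookkeeping behind the labels on slides 27 and 29, as an added example (my own code, not from the talk). It assumes my reading of the figure's wiring, stated in the code, and treats the observation counts t0, t1, t2, t3 and tr symbolically, so the expressions on the slides come out as computed values rather than being copied.

```python
from collections import Counter

# Constructed model of the gadget graph on slides 27 and 29, in my reading of the
# figure: A0 feeds A1; A1 feeds both A2 and the Refresh R; A2 and R both feed A3.
EDGES = [("A0", "A1"), ("A1", "A2"), ("A1", "R"), ("A2", "A3"), ("R", "A3")]
PROBES = {"A0": Counter(t0=1), "A1": Counter(t1=1), "A2": Counter(t2=1),
          "A3": Counter(t3=1), "R": Counter(tr=1)}   # symbolic probe count per gadget


def propagate(edges, probes, sni):
    """Shares of each gadget's input that a simulator must be given, as a Counter of
    symbolic probe counts.  A t-NI gadget needs (its own probes) + (the shares of its
    output that every consumer demands); a t-SNI gadget (slide 28) needs only its own
    internal probes, so demand arriving on its output stops there."""
    consumers = {}
    for producer, consumer in edges:
        consumers.setdefault(producer, []).append(consumer)
    demand = {}

    def need(g):
        if g not in demand:
            total = Counter(probes[g])
            if g not in sni:                       # output demand passes through t-NI gadgets
                for c in consumers.get(g, []):
                    total = total + need(c)
            demand[g] = total
        return demand[g]

    for g in probes:
        need(g)
    return demand


def render(counter):
    """Symbolic count as on the slides, e.g. 't1 + t2 + 2*t3 + tr'."""
    return " + ".join(f"{n}*{k}" if n > 1 else k for k, n in sorted(counter.items()))


def worst_case(counter, t):
    """Largest demand an adversary can force under the constraint
    t0 + t1 + t2 + t3 + tr <= t: spend all t probes on the gadget with the biggest weight."""
    return max(counter.values()) * t
```

With R treated as an ordinary t-NI gadget (`propagate(EDGES, PROBES, sni=set())`), A1 must be simulated with t1 + t2 + 2*t3 + tr shares of its input and A0 with t0 + t1 + t2 + 2*t3 + tr: an adversary that spends all t probes on A3 forces 2t, twice what the constraint promises. With R strongly non-interfering (`sni={"R"}`) the coefficient 2 disappears and A0's demand is exactly t0 + t1 + t2 + t3 + tr, which the constraint bounds by t.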
![Page 93: On the Use of Masking to Defeat Power-Analysis Attacks ... · Power-Analysis Attacks ENS Paris Crypto Day February 16, 2016 Presented by Sonia Belaïd 1/32. 2/32 Outline Power-Analysis](https://reader033.vdocuments.mx/reader033/viewer/2022050121/5f51770049f4b948da1f1292/html5/thumbnails/93.jpg)
30/32
Secure Composition
Automatic tool for C-based algorithms
▸ unprotected algorithm ⇒ higher-order masked algorithm
▸ example for AES S-box
[Diagram: three exponentiation chains built from the input x, squaring (·2) and multiplication (⊗) gadgets; the second chain is marked ✘, the third ✓]
![Page 97: On the Use of Masking to Defeat Power-Analysis Attacks ... · Power-Analysis Attacks ENS Paris Crypto Day February 16, 2016 Presented by Sonia Belaïd 1/32. 2/32 Outline Power-Analysis](https://reader033.vdocuments.mx/reader033/viewer/2022050121/5f51770049f4b948da1f1292/html5/thumbnails/97.jpg)
31/32
Some Results
Resource usage statistics for generating masked algorithms (at any order) from some unmasked implementations¹

| Scheme | # Refresh | Time | Memory |
|---|---|---|---|
| AES (⊗) | 2/Sbox | 0.09s | 4Mo |
| AES (x ⊗ g(x)) | 0 | 0.05s | 4Mo |
| Keccak with Refresh | 0 | 121.20s | 456Mo |
| Keccak | 600 | 2728.00s | 22870Mo |
| Simon | 67 | 0.38s | 15Mo |
| Speck | 61 | 6.22s | 38Mo |

¹ On an Intel(R) Xeon(R) CPU E5-2667 0 @ 2.90GHz with 64Go of memory running Linux (Fedora)
![Page 99: On the Use of Masking to Defeat Power-Analysis Attacks ... · Power-Analysis Attacks ENS Paris Crypto Day February 16, 2016 Presented by Sonia Belaïd 1/32. 2/32 Outline Power-Analysis](https://reader033.vdocuments.mx/reader033/viewer/2022050121/5f51770049f4b948da1f1292/html5/thumbnails/99.jpg)
32/32
Conclusion
Masking: Security, Realism (models close enough to the reality), Proofs (formal proofs of security), Efficiency
[EC15] formal proofs of masking schemes
[ePrint15] generation of formally proven masking schemes at any order
[EC16] improvement of the randomness complexity for some multiplications
⇒ extend the verification to higher orders using composition
⇒ integrate transition/glitch-based model
⇒ build practical experiments for both attacks and new countermeasures
⇒ still reduce the randomness in multiplications
using composition
Ü integrate transition/glitch-based model
Ü build practical experiments for both
attacks and new countermeasures
Ü still reduce the randomness in
multiplications
![Page 103: On the Use of Masking to Defeat Power-Analysis Attacks ... · Power-Analysis Attacks ENS Paris Crypto Day February 16, 2016 Presented by Sonia Belaïd 1/32. 2/32 Outline Power-Analysis](https://reader033.vdocuments.mx/reader033/viewer/2022050121/5f51770049f4b948da1f1292/html5/thumbnails/103.jpg)
32/32
ConclusionMasking
Security
Realismmodels close enough
to the reality
Proofsformal proofs of security
Efficiency
[EC15] formal proofs of masking
schemes
[ePrint15] generation of formally proven
masking schemes at any order
[EC16] improvement of the ran-
domness complexity for some
multiplications
Ü extend the verification to higher orders
using composition
Ü integrate transition/glitch-based model
Ü build practical experiments for both
attacks and new countermeasures
Ü still reduce the randomness in
multiplications