Hardware Masking, Revisited

MaskingHardware masking schemes have shown many advances in the past few years. Through a series of publications their implementation cost has dropped significantly and flaws have been fixed where present. Despite these advancements it seems that a limit has been reached when implementing masking schemes on FPGA platforms. Indeed, even with a correct transition from the masking scheme to the masking realization (i.e., when the implementation is not buggy) it has been shown that the implementation can still exhibit unexpected leakage, e.g., through variations in placement and routing. In this work, we show that the reason for such unexpected leakages is the violation of an underlying assumption made by all masking schemes, i.e., that the leakage of the circuit is a linear sum of leakages associated to each share. In addition to the theory of VLSI which supports our claim, we perform a wide range of experiments based on an FPGA) to find out under what circumstances this causes a masked hardware implementation to show undesirable leakage. We further illustrate case studies, where publicly-known secure designs exhibit first-order leakage when being operated at certain conditions.

[1]  Elena Trichina,et al.  Combinational Logic Design for AES SubByte Transformation on Masked Data , 2003, IACR Cryptol. ePrint Arch..

[2]  Lejla Batina,et al.  A Very Compact "Perfectly Masked" S-Box for AES , 2008, ACNS.

[3]  Vincent Rijmen,et al.  Secure Hardware Implementation of Nonlinear Functions in the Presence of Glitches , 2011, Journal of Cryptology.

[4]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[5]  Ingrid Verbauwhede,et al.  A logic level design methodology for a secure DPA resistant ASIC or FPGA implementation , 2004, Proceedings Design, Automation and Test in Europe Conference and Exhibition.

[6]  Kevin Skadron,et al.  Architecture implications of pads as a scarce resource , 2014, 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA).

[7]  Vincent Rijmen,et al.  Does Coupling Affect the Security of Masked Implementations? , 2017, COSADE.

[8]  P. Rohatgi,et al.  A testing methodology for side channel resistance , 2011 .

[9]  Christof Paar,et al.  The First Thorough Side-Channel Hardware Trojan , 2017, ASIACRYPT.

[10]  Einar Snekkenes,et al.  Security Implications of Crosstalk in Switching CMOS Gates , 2010, ISC.

[11]  Amir Moradi,et al.  Leakage Assessment Methodology - A Clear Roadmap for Side-Channel Evaluations , 2015, CHES.

[12]  Zhuyuan Liu,et al.  FPGA core PDN design optimization , 2011, 2011 IEEE International Symposium on Electromagnetic Compatibility.

[13]  Svetla Nikova,et al.  Securing the PRESENT Block Cipher Against Combined Side-Channel Analysis and Fault Attacks , 2017, IEEE Transactions on Very Large Scale Integration (VLSI) Systems.

[14]  Emmanuel Prouff,et al.  Masking against Side-Channel Attacks: A Formal Security Proof , 2013, EUROCRYPT.

[15]  Stefan Mangard,et al.  Reconciling d+1 Masking in Hardware and Software , 2017, CHES.

[16]  Thomas Eisenbarth,et al.  A Tale of Two Shares: Why Two-Share Threshold Implementation Seems Worthwhile-and Why it is Not , 2016, IACR Cryptol. ePrint Arch..

[17]  Denis Flandre,et al.  Scaling Trends for Dual-Rail Logic Styles Against Side-Channel Attacks: A Case-Study , 2017, COSADE.

[18]  Eby G. Friedman,et al.  Scaling trends of on-chip power distribution noise , 2002, IEEE Transactions on Very Large Scale Integration (VLSI) Systems.

[19]  Stefan Mangard,et al.  Power analysis attacks - revealing the secrets of smart cards , 2007 .

[20]  Oscar Reparaz,et al.  Detecting Flawed Masking Schemes with Leakage Detection Tests , 2016, FSE.

[21]  Francis Olivier,et al.  Electromagnetic Analysis: Concrete Results , 2001, CHES.

[22]  I. Verbauwhede,et al.  A dynamic and differential CMOS logic with signal independent power consumption to withstand differential power analysis on smart cards , 2002, Proceedings of the 28th European Solid-State Circuits Conference.

[23]  Einar Snekkenes,et al.  Layout Dependent Phenomena A New Side-channel Power Model , 2012, J. Comput..

[24]  Stefan Mangard,et al.  Domain-Oriented Masking: Compact Masked Hardware Implementations with Arbitrary Protection Order , 2016, IACR Cryptol. ePrint Arch..

[25]  Vincent Rijmen,et al.  The Design of Rijndael: AES - The Advanced Encryption Standard , 2002 .

[26]  Mehdi Baradaran Tahoori,et al.  Analysis of transient voltage fluctuations in FPGAs , 2016, 2016 International Conference on Field-Programmable Technology (FPT).

[27]  Matthieu Rivain,et al.  How Fast Can Higher-Order Masking Be in Software? , 2017, EUROCRYPT.

[28]  Stefan Mangard,et al.  An Efficient Side-Channel Protected AES Implementation with Arbitrary Protection Order , 2017, CT-RSA.

[29]  Jean-Max Dutertre,et al.  Evidence of an information leakage between logically independent blocks , 2015, CS2@HiPEAC.

[30]  Paul C. Kocher,et al.  Differential Power Analysis , 1999, CRYPTO.

[31]  Begül Bilgin,et al.  Threshold implementations : as countermeasure against higher-order differential power analysis , 2015 .

[32]  Jean-Jacques Quisquater,et al.  ElectroMagnetic Analysis (EMA): Measures and Counter-Measures for Smart Cards , 2001, E-smart.

[33]  Vincent Rijmen,et al.  A Side-Channel Analysis Resistant Description of the AES S-Box , 2005, FSE.

[34]  François-Xavier Standaert,et al.  Shuffling against Side-Channel Attacks: A Comprehensive Study with Cautionary Note , 2012, ASIACRYPT.

[35]  Begül Bilgin,et al.  Higher-Order Threshold Implementation of the AES S-Box , 2015, CARDIS.

[36]  Resve A. Saleh,et al.  Power Supply Noise in SoCs: Metrics, Management, and Measurement , 2007, IEEE Design & Test of Computers.

[37]  Thomas Eisenbarth,et al.  Correlation-Enhanced Power Analysis Collision Attack , 2010, CHES.

[38]  Ken Eguro,et al.  Information Leakage Between FPGA Long Wires , 2016, ArXiv.

[39]  Brent E. Nelson,et al.  RapidSmith 2: A Framework for BEL-level CAD Exploration on Xilinx FPGAs , 2015, FPGA.

[40]  Amir Moradi,et al.  Side-Channel Resistant Crypto for Less than 2,300 GE , 2011, Journal of Cryptology.

[41]  Amir Moradi,et al.  Assessment of Hiding the Higher-Order Leakages in Hardware - What Are the Achievements Versus Overheads? , 2015, CHES.

[42]  Ingrid Verbauwhede,et al.  Consolidating Masking Schemes , 2015, CRYPTO.

[43]  Vincent Rijmen,et al.  Higher-Order Threshold Implementations , 2014, ASIACRYPT.

[44]  Stefan Mangard,et al.  Successfully Attacking Masked AES Hardware Implementations , 2005, CHES.

[45]  Gang Wang,et al.  Moats and Drawbridges: An Isolation Primitive for Reconfigurable Hardware Based Systems , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[46]  Mehdi Baradaran Tahoori,et al.  An inside job: Remote power analysis attacks on FPGAs , 2018, 2018 Design, Automation & Test in Europe Conference & Exhibition (DATE).

[47]  Syed Kareem Uddin Trade-OFFS For Threshold Implementations Illustrated on AES , 2017 .

[48]  Shidhartha Das,et al.  Modeling and characterization of the system-level Power Delivery Network for a dual-core ARM Cortex-A57 cluster in 28nm CMOS , 2015, 2015 IEEE/ACM International Symposium on Low Power Electronics and Design (ISLPED).

[49]  Louis Goubin,et al.  DES and Differential Power Analysis (The "Duplication" Method) , 1999, CHES.

[50]  Yuval Ishai,et al.  Private Circuits: Securing Hardware against Probing Attacks , 2003, CRYPTO.

[51]  P. Rohatgi,et al.  Test Vector Leakage Assessment ( TVLA ) methodology in practice , 2013 .

[52]  G. Edward Suh,et al.  FPGA-Based Remote Power Side-Channel Attacks , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[53]  Tim Güneysu,et al.  Affine Equivalence and Its Application to Tightening Threshold Implementations , 2015, SAC.

[54]  Daniel E. Holcomb,et al.  FPGA Side Channel Attacks without Physical Access , 2018, 2018 IEEE 26th Annual International Symposium on Field-Programmable Custom Computing Machines (FCCM).

[55]  P. Larsson Power supply noise in future IC's: a crystal ball reading , 1999, Proceedings of the IEEE 1999 Custom Integrated Circuits Conference (Cat. No.99CH36327).

[56]  François-Xavier Standaert,et al.  A note on the security of threshold implementations with d+1 input shares , 2016, IACR Cryptol. ePrint Arch..

[57]  Meeta Sharma Gupta,et al.  Understanding Voltage Variations in Chip Multiprocessors using a Distributed Power-Delivery Network , 2007, 2007 Design, Automation & Test in Europe Conference & Exhibition.

[58]  Pankaj Rohatgi,et al.  Towards Sound Approaches to Counteract Power-Analysis Attacks , 1999, CRYPTO.

[59]  Adrian Thillard,et al.  Randomness Complexity of Private Circuits for Multiplication , 2016, EUROCRYPT.

[60]  John D. Corbett The Xilinx Isolation Design Flow for Fault-Tolerant Systems , 2013 .

[61]  Jim Tørresen,et al.  The Xilinx Design Language (XDL): Tutorial and use cases , 2011, 6th International Workshop on Reconfigurable Communication-Centric Systems-on-Chip (ReCoSoC).

[62]  François-Xavier Standaert,et al.  Making Masking Security Proofs Concrete - Or How to Evaluate the Security of Any Leaking Device , 2015, EUROCRYPT.

[63]  Amir Moradi,et al.  Moments-Correlating DPA , 2016, IACR Cryptol. ePrint Arch..

[64]  Stefan Mangard,et al.  Formal Verification of Masked Hardware Implementations in the Presence of Glitches , 2018, IACR Cryptol. ePrint Arch..