Masking in Fine-Grained Leakage Models: Construction, Implementation and Verification

We propose a new approach for building efficient, provably secure, and practically hardened implementations of masked algorithms. Our approach is based on a Domain Specific Language in which users can write efficient assembly implementations and fine-grained leakage models. The latter are then used as a basis for formal verification, allowing for the first time formal guarantees for a broad range of device-specific leakage effects not addressed by prior work. The practical benefits of our approach are demonstrated through a case study of the PRESENT S-Box: we develop a highly optimized and provably secure masked implementation, and show through practical evaluation based on TVLA that our implementation is practically resilient. Our approach significantly narrows the gap between formal verification of masking and practical security.
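The gap between value-based probing verification and device-specific leakage that the abstract refers to, as an added illustration that is not from the paper or its DSL: a toy first-order masked program on a 4-bit nibble is checked exhaustively under a classic value-only leakage model and under an assumed register-transition model (the overwritten register leaks the Hamming weight of old XOR new). The share schedule, the `zero` clearing write and both leakage functions are constructed for this example.

```python
from collections import Counter

NIBBLE = range(16)  # 4-bit values, so exhaustive enumeration over secret and mask is cheap

def hw(x):
    """Hamming weight of a nibble."""
    return bin(x & 0xF).count("1")

def masked_program(secret, r, schedule):
    """Toy first-order masked program: shares s0 = r and s1 = secret ^ r are
    moved through a single register in the given order; 'zero' clears it.
    Returns (new_value, old_value) for every register write."""
    shares = {"s0": r, "s1": secret ^ r, "zero": 0}
    reg, events = 0, []
    for name in schedule:
        events.append((shares[name], reg))
        reg = shares[name]
    return events

def leak(event, model):
    """One leakage sample per register write under two assumed device models."""
    new, old = event
    if model == "value":        # value-based model: only the value written leaks
        return hw(new)
    if model == "transition":   # register-overwrite model: old XOR new leaks
        return hw(new ^ old)
    raise ValueError(model)

def first_leaking_write(schedule, model):
    """Exhaustive first-order check: for every write position, the distribution of
    its leakage sample over the uniform mask r must be the same for every secret.
    Returns the index of the first write whose distribution depends on the secret,
    or None when the schedule is first-order secure in this model."""
    for i in range(len(schedule)):
        ref = None
        for secret in NIBBLE:
            dist = Counter(leak(masked_program(secret, r, schedule)[i], model)
                           for r in NIBBLE)
            if ref is None:
                ref = dist
            elif dist != ref:
                return i
    return None

if __name__ == "__main__":
    naive = ["s0", "s1"]             # s1 overwrites s0: old ^ new == secret
    cleared = ["s0", "zero", "s1"]   # clearing write breaks the share transition
    print(first_leaking_write(naive, "value"))         # None  (passes value model)
    print(first_leaking_write(naive, "transition"))    # 1     (second write leaks)
    print(first_leaking_write(cleared, "transition"))  # None  (passes both models)
```

The naive schedule is secure under the value-only model yet leaks the full secret through a single transition sample, which is exactly the kind of effect a verifier needs a finer-grained model to catch.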
