Formally proved security of assembly code against power analysis

In his keynote speech at CHES 2004, Kocher advocated that side-channel attacks were an illustration that formal cryptography was not as secure as it was believed because some assumptions (e.g., no auxiliary information is available during the computation) were not modeled. This failure is caused by formal methods’ focus on models rather than implementations. In this paper, we present formal methods and tools for designing protected code and proving its security against power analysis. These formal methods avoid the discrepancy between the model and the implementation by working on the latter rather than on a high-level model. Indeed, our methods allow us (a) to automatically insert a power balancing countermeasure directly at the assembly level, and to prove the correctness of the induced code transformation; and (b) to prove that the obtained code is balanced with regard to a reasonable leakage model. We also show how to characterize the hardware to use the resources which maximize the relevancy of the model. The tools implementing our methods are then demonstrated in a case study on an 8-bit AVR smartcard for which we generate a provably protected present implementation that reveals to be at least 250 times more resistant to CPA attacks.

[1]  Markus Dürmuth,et al.  A Provably Secure and Efficient Countermeasure against Timing Attacks , 2009, 2009 22nd IEEE Computer Security Foundations Symposium.

[2]  Michael Tunstall,et al.  Compiler Assisted Masking , 2012, CHES.

[3]  Aria Shahverdi,et al.  Balanced Encoding to Mitigate Power Analysis: A Case Study , 2014, CARDIS.

[4]  Michael K. Reiter,et al.  Cross-VM side channels and their use to extract private keys , 2012, CCS.

[5]  Cristina García Testal,et al.  Digital object identifier , 2001 .

[6]  François-Xavier Standaert,et al.  Algebraic Side-Channel Attacks , 2009, Inscrypt.

[7]  Jan Trobitius,et al.  Anwendung der "Common Criteria for Information Technology Security Evaluation" (CC) / ISO 15408 auf ein SOA Registry-Repository , 2007, Informatiktage.

[8]  Adrian Thillard,et al.  Success through Confidence: Evaluating the Effectiveness of a Side-Channel Attack , 2013, CHES.

[9]  George S. Taylor,et al.  Balanced self-checking asynchronous logic for smart card applications , 2003, Microprocess. Microsystems.

[10]  Claude Carlet,et al.  Analysis of the algebraic side channel attack , 2012, Journal of Cryptographic Engineering.

[11]  Tim Güneysu,et al.  Compact Implementation and Performance Evaluation of Block Ciphers in ATtiny Devices , 2012, AFRICACRYPT.

[12]  Stefan Mangard,et al.  Masked Dual-Rail Pre-charge Logic: DPA-Resistance Without Routing Constraints , 2005, CHES.

[13]  Yuval Ishai,et al.  Private Circuits: Securing Hardware against Probing Attacks , 2003, CRYPTO.

[14]  Stefan Mangard,et al.  Power analysis attacks - revealing the secrets of smart cards , 2007 .

[15]  Eli Biham,et al.  A Fast New DES Implementation in Software , 1997, FSE.

[16]  Claude Carlet,et al.  Higher-Order Masking Schemes for S-Boxes , 2012, FSE.

[17]  Jan Reineke,et al.  CacheAudit: A Tool for the Static Analysis of Cache Side Channels , 2013, TSEC.

[18]  Christof Paar,et al.  Higher Order Masking of the AES , 2006, CT-RSA.

[19]  Jean-Sébastien Coron,et al.  Side Channel Cryptanalysis of a Higher Order Masking Scheme , 2007, CHES.

[20]  Sylvain Guilley,et al.  Side-channel leakage and trace compression using normalized inter-class variance , 2014, IACR Cryptol. ePrint Arch..

[21]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[22]  David A. Basin,et al.  An information-theoretic model for adaptive side-channel attacks , 2007, CCS '07.

[23]  Patrick Schaumont,et al.  Using Virtual Secure Circuit to Protect Embedded Software from Side-Channel Attacks , 2013, IEEE Transactions on Computers.

[24]  Ingrid Verbauwhede,et al.  Place and Route for Secure Standard Cell Design , 2004, CARDIS.

[25]  François-Xavier Standaert,et al.  Fresh Re-keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices , 2010, AFRICACRYPT.

[26]  Patrick Schaumont,et al.  Formal Verification of Software Countermeasures against Side-Channel Attacks , 2014, ACM Trans. Softw. Eng. Methodol..

[27]  Emmanuel Prouff,et al.  Provably Secure Higher-Order Masking of AES , 2010, IACR Cryptol. ePrint Arch..

[28]  Ingrid Verbauwhede,et al.  A digital design flow for secure integrated circuits , 2006, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.

[29]  Andrey Bogdanov,et al.  PRESENT: An Ultra-Lightweight Block Cipher , 2007, CHES.

[30]  Sylvain Guilley,et al.  The "Backend Duplication" Method , 2005, CHES.

[31]  Sylvain Guilley,et al.  A Theoretical Study of Kolmogorov-Smirnov Distinguishers: Side-Channel Analysis vs. Differential Cryptanalysis , 2014, IACR Cryptol. ePrint Arch..

[32]  Stefan Mangard,et al.  One for All - All for One: Unifying Standard DPA Attacks , 2009, IACR Cryptol. ePrint Arch..

[33]  Siva Sai Yerubandi,et al.  Differential Power Analysis , 2002 .

[34]  Theodosis Mourouzis,et al.  Solving Circuit Optimisation Problems in Cryptography and Cryptanalysis , 2011, IACR Cryptol. ePrint Arch..

[35]  Yuval Ishai,et al.  Private Circuits II: Keeping Secrets in Tamperable Circuits , 2006, EUROCRYPT.

[36]  Philippe Hoogvorst Software Implementation of Dual-Rail Representation , 2011 .

[37]  Sylvain Guilley,et al.  WDDL is Protected against Setup Time Violation Attacks , 2009, 2009 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC).

[38]  Guido Bertoni,et al.  Security Evaluation of WDDL and SecLib Countermeasures against Power Attacks , 2008, IEEE Transactions on Computers.

[39]  Christophe Giraud,et al.  Fault Analysis of Infective AES Computations , 2013, 2013 Workshop on Fault Diagnosis and Tolerance in Cryptography.

[40]  Stefan Mangard,et al.  Pinpointing the Side-Channel Leakage of Masked AES Hardware Implementations , 2006, CHES.

[41]  Tim Güneysu,et al.  Generic Side-Channel Countermeasures for Reconfigurable Devices , 2011, CHES.

[42]  Sylvain Guilley,et al.  BCDL: A high speed balanced DPL for FPGA with global precharge and no early evaluation , 2010, 2010 Design, Automation & Test in Europe Conference & Exhibition (DATE 2010).

[43]  Mohamed I. Elmasry,et al.  Modeling and comparing CMOS implementations of the C-element , 1998, IEEE Trans. Very Large Scale Integr. Syst..

[44]  Julien Bringer,et al.  Study of a Novel Software Constant Weight Implementation , 2014, CARDIS.

[45]  Christophe Clavier,et al.  Correlation Power Analysis with a Leakage Model , 2004, CHES.

[46]  Stefan Mangard,et al.  One for all - all for one: unifying standard differential power analysis attacks , 2011, IET Inf. Secur..

[47]  Elisabeth Oswald,et al.  Pinpointing side-channel information leaks in web applications , 2012, Journal of Cryptographic Engineering.

[48]  François-Xavier Standaert,et al.  Algebraic Side-Channel Attacks on the AES: Why Time also Matters in DPA , 2009, CHES.

[49]  Sylvain Guilley,et al.  Differential Power Analysis Model and Some Results , 2004, CARDIS.

[50]  Sylvain Guilley,et al.  NICV: Normalized inter-class variance for detection of side-channel leakage , 2014, 2014 International Symposium on Electromagnetic Compatibility, Tokyo.

[51]  Ingrid Verbauwhede,et al.  A logic level design methodology for a secure DPA resistant ASIC or FPGA implementation , 2004, Proceedings Design, Automation and Test in Europe Conference and Exhibition.