On the Power of Expansion: More Efficient Constructions in the Random Probing Model

The random probing model is a leakage model in which each wire of a circuit leaks with a given probability p. This model enjoys practical relevance thanks to a reduction to the noisy leakage model, which is admitted as the right formalization for power and electromagnetic side-channel attacks. In addition, the random probing model is much more convenient than the noisy leakage model for proving the security of masking schemes. In a recent work, Ananth, Ishai, and Sahai (CRYPTO 2018) introduce a nice expansion strategy to construct random probing secure circuits. Their construction tolerates a leakage probability of 2^{-26}, which is the first quantified achievable leakage probability in the random probing model. In a follow-up work, Belaïd, Coron, Prouff, Rivain, and Taleb (CRYPTO 2020) generalize their idea and put forward a complete and practical framework to generate random probing secure circuits. The so-called expanding compiler can bootstrap simple base gadgets as long as they satisfy a new security notion called random probing expandability (RPE). They further provide an instantiation of the framework which tolerates a 2^{-8} leakage probability in complexity O(κ), where κ denotes the security parameter.

In this paper, we provide an in-depth analysis of the RPE security notion. We exhibit the first upper bounds for the main parameter of an RPE gadget, which is known as the amplification order. We further show that the RPE notion can be made tighter, and we exhibit strong connections between RPE and the strong non-interference (SNI) composition notion. We then introduce the first generic constructions of gadgets achieving RPE for any number of shares and with nearly optimal amplification orders, and provide an asymptotic analysis of such constructions. Last but not least, we introduce new concrete constructions of small gadgets achieving maximal amplification orders. This allows us to obtain much more efficient instantiations of the expanding compiler: we obtain a complexity of O(κ) for a slightly better leakage probability, as well as O(κ) for a slightly lower leakage probability.
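The abstract names three ideas without showing them on a concrete gadget: the random probing model itself (every wire leaks independently with probability p), the amplification order of a gadget (the exponent d such that its failure probability behaves like p^d), and the expansion strategy that drives the failure probability down by compiling repeatedly. The following Python script is an added illustration written for this page, not code from the paper or from the expanding-compiler framework it describes. It takes the smallest possible gadget, a secret bit encoded as an n-share XOR sharing, simulates random probing leakage on its share wires, checks the empirical failure rate against the analytic value p^n (amplification order n), and shows how iterating a failure function models expansion. The names `share`, `leak`, `recover`, `estimate_amplification_order` and `expand` are this example's own, and the expansion step is a simplified model of the idea, not the paper's compiler.

```python
"""Random probing model on an additive (XOR) sharing: an added example.

Illustration code written for this page, not code from the paper. It models
the smallest gadget there is: a secret bit x encoded as n shares with
x = x_1 ^ ... ^ x_n, under the random probing model of the abstract, where
every wire (here, every share) leaks independently with probability p. The
adversary learns x exactly when all n shares leak, so the failure
probability is p**n and the amplification order is n. The order estimator
and the expansion step are simplified illustrations (assumptions made for
this example), not results taken from the paper.
"""
import math
import random


def share(x, n, rng):
    """Split the bit x into n shares whose XOR is x."""
    shares = [rng.randint(0, 1) for _ in range(n - 1)]
    last = x
    for s in shares:
        last ^= s
    shares.append(last)
    return shares


def leak(shares, p, rng):
    """Random probing: each share wire leaks independently with probability p.
    Returns {wire index: leaked value} for the wires that leaked."""
    return {i: v for i, v in enumerate(shares) if rng.random() < p}


def recover(leaked, n):
    """The leaked view determines x only if every share leaked: any strict
    subset of an XOR sharing is uniformly distributed and says nothing."""
    if len(leaked) < n:
        return None
    x = 0
    for v in leaked.values():
        x ^= v
    return x


def analytic_failure(n, p):
    """Pr[all n share wires leak] = p**n, i.e. amplification order n."""
    return p ** n


def simulate_failure_rate(n, p, trials, seed=0):
    """Monte-Carlo estimate of Pr[adversary recovers x] under random probing."""
    rng = random.Random(seed)
    failures = 0
    for _ in range(trials):
        x = rng.randint(0, 1)
        shares = share(x, n, rng)
        got = recover(leak(shares, p, rng), n)
        if got is not None:
            assert got == x  # a full view always yields the right bit
            failures += 1
    return failures / trials


def estimate_amplification_order(f, p1=1e-2, p2=1e-3):
    """Read the exponent d off a failure function f(p) ~ c * p**d from two
    small leakage probabilities: d = log(f(p1)/f(p2)) / log(p1/p2)."""
    return math.log(f(p1) / f(p2)) / math.log(p1 / p2)


def expand(f, p, levels):
    """Simplified expansion model (assumption of this example): compiling a
    circuit k times through a gadget with failure function f maps the
    tolerated leakage probability p to f applied k times to p, which only
    shrinks while p stays below the threshold where f(p) < p."""
    for _ in range(levels):
        p = f(p)
    return p


if __name__ == "__main__":
    n, p = 3, 0.1
    print("analytic p**n   :", analytic_failure(n, p))
    print("simulated       :", simulate_failure_rate(n, p, 200_000))
    print("estimated order :", estimate_amplification_order(lambda q: analytic_failure(n, q)))
    print("after 3 levels  :", expand(lambda q: analytic_failure(n, q), p, 3))
```

Run it as a script to compare the analytic and simulated failure rates; the estimator returns the share count n for this gadget because its failure function is exactly p^n, and the expansion loop shows why only leakage probabilities below the fixed point of f shrink under repeated compilation, which is the role the tolerated leakage probability (2^{-26}, 2^{-8}) plays in the abstract.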
