Analysis and Design of Masking Schemes for Secure Cryptographic Implementations

Masking is the central topic of this thesis based on publications. Masking is a technique that allows the secure execution of cryptographic algorithms in untrusted environments. More concretely, masking provides security guarantees even if an adversary observes side-channel leakage. We first propose a methodology to attack masked implementations more quickly. Our method is relevant in practice since it allows attacks that previously took months to be carried out in days. The proposed method first locates the time samples relevant to an attack and then attacks only those. For this purpose we rely on versatile information-theoretic tools. The second selected paper in this thesis deals with Differential Power Analysis, masking and bit-slicing at very high clock speeds, such as those typically found in today’s smartphones and personal electronic devices. We present an attack on an ARM Cortex-A8 running at 1 GHz, and then apply the principles of gate-level masking to develop a DPA-resistant bit-sliced AES implementation. In our third selected paper, we propose a new masking strategy for a post-quantum public-key algorithm: ring-LWE. Our solution is essentially arithmetic masking with a bespoke probabilistic decoder. Our approach fits in a standard FPGA and incurs manageable performance overheads. In our fourth paper we explain similarities and differences between theoretical and practical instances of masking schemes. These observations allow us to break some masking schemes proposed in the literature and to transfer attractive features from one scheme to another. To conclude, in the fifth paper we describe a simple yet powerful tool to detect flaws in masking schemes. Sound masking schemes can be surprisingly difficult to design (especially if they provide higher-order security guarantees); our tool assists the design process by assessing the soundness of a masking scheme at the algorithmic level before it is implemented on an actual device.
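The fifth paper's idea of checking a masking scheme at the algorithmic level before it reaches silicon, as an added example that is not code from the thesis: a simulated fixed-vs-random Welch t-test (the statistic used by leakage detection tests) run over the Hamming weight of every intermediate of a 2-share ISW-style AND gate and of a flawed variant that XORs its cross terms before refreshing them. The gate definitions, the fixed-class inputs, the noise level and the |t| > 4.5 decision threshold are assumptions of this example.

```python
import random
import statistics

def hw(x):
    return bin(x & 0xFF).count("1")   # Hamming-weight leakage of one 8-bit bitsliced lane

def sound_and(a0, a1, b0, b1, r):
    """2-share ISW-style AND: r refreshes before cross terms meet, so each intermediate is uniform."""
    t0 = a0 & b0
    c0 = t0 ^ r
    t1 = a0 & b1
    t2 = r ^ t1
    t3 = a1 & b0
    t4 = t2 ^ t3
    t5 = a1 & b1
    c1 = t5 ^ t4
    return c0, c1, [t0, c0, t1, t2, t3, t4, t5, c1]

def flawed_and(a0, a1, b0, b1, r):
    """Same output, but u = a0 & (b0 ^ b1) = a0 & b is computed before refreshing and leaks b."""
    p0, p1 = a0 & b0, a0 & b1
    u = p0 ^ p1
    c0 = u ^ r
    p2, p3 = a1 & b0, a1 & b1
    v = p2 ^ p3
    c1 = v ^ r
    return c0, c1, [p0, p1, u, c0, p2, p3, v, c1]

def welch_t(x, y):
    vx, vy = statistics.variance(x), statistics.variance(y)
    return (statistics.mean(x) - statistics.mean(y)) / (vx / len(x) + vy / len(y)) ** 0.5

def leakage_assessment(gate, n_traces=2000, sigma=0.5, seed=1):
    """Fixed-vs-random t-test on simulated noisy HW leakage of each intermediate value."""
    rng = random.Random(seed)
    fixed_a, fixed_b = 0x3C, 0xFF      # constructed fixed-class inputs (assumption)
    traces = ([], [])                   # traces[0]: fixed class, traces[1]: random class
    for cls in (0, 1):
        for _ in range(n_traces):
            a, b = (fixed_a, fixed_b) if cls == 0 else (rng.getrandbits(8), rng.getrandbits(8))
            a0, b0, r = rng.getrandbits(8), rng.getrandbits(8), rng.getrandbits(8)
            c0, c1, inter = gate(a0, a ^ a0, b0, b ^ b0, r)
            assert c0 ^ c1 == a & b     # functional correctness of the masked gate
            traces[cls].append([hw(v) + rng.gauss(0, sigma) for v in inter])
    return [welch_t([t[i] for t in traces[0]], [t[i] for t in traces[1]])
            for i in range(len(traces[0][0]))]

def is_flawed(gate, threshold=4.5):
    return max(abs(t) for t in leakage_assessment(gate)) > threshold   # usual TVLA threshold
```

The sound gate stays below the threshold at every intermediate, while the flawed gate is flagged at u and v with |t| far above it.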
