Introduction to Masking
Leakage Squeezing
Conclusion
Leakage Squeezing of Order Two
Claude CARLET (1), Jean-Luc DANGER (2,3),
Sylvain GUILLEY (2,3) and Houssem MAGHREBI (2).
(1) LAGA, UMR 7539, CNRS, Department of Mathematics,
University of Paris XIII and University of Paris VIII,
2 rue de la liberté, 93 526 Saint-Denis Cedex, France.
(2) TELECOM-ParisTech, Crypto Group,
37/39 rue Dareau, 75 634 Paris Cedex 13, France.
(3) Secure-IC S.A.S., 80 avenue des Buttes de Coësmes,
35 700 Rennes, France.
C. Carlet, J.-L. Danger, S. Guilley & H. Maghrebi
Leakage Squeezing of Order Two
Outline
1 Introduction to Masking
    Side-Channel Analysis: Overview
    Definition of dth-Order Masking
    Leakage Function: Strategies for the Defender and the Attacker
    Attack Scenario: Distinguisher
2 Leakage Squeezing
    No Leakage Squeezing
    Leakage Squeezing of Order One
    Leakage Squeezing of Order Two
    Solutions when F1 and F2 are Linear
3 Conclusion
No protection... secrets are gone
Fact: manipulating a variable leaks.
[Figure: a manipulated variable Z leaks Z.]
Side-Channel Analysis: Spying Internals
[Figure: a variable Z inside the device and its measured leakage L.]
Protection... extracting secrets is harder
Masking: splitting Z (in 2, ... or more, e.g. d + 1)
Attacks: joint $(Z \oplus M, M)$ leaks on Z.
Modulo: leakage function, noise.
[Figure: the two shares Z ⊕ M and M are manipulated separately; together they produce a joint leakage L.]
Definition of dth-Order Masking
Sensitive Variables
A sensitive variable Z is hidden in d + 1 shares $S_i$, such that:
    Z is a deterministic function of all the $S_i$, but
    $Z \perp\!\!\!\perp (S_i)_{i \in I}$ if $|I| \le d$.
Examples
Additive Boolean Masking:
The sharing is done in the group $(\mathbb{F}_2^n, \oplus)$: $Z = \bigoplus_{i=0}^{d} S_i$.
Additive Arithmetic Masking:
The sharing is done in the group $(\mathbb{Z}_{2^n}, +)$: $Z = \sum_{i=0}^{d} S_i \bmod 2^n$.
Leakage Function
General Setup to Capture the Leakage Function
In the optimal case for the attacker, each share $S_i$ leaks independently through $L_i$:
$L_i(S_i) = (\text{attacker's function} \circ \text{device's function} \circ \text{defender's function})(S_i)$
Examples
Defender's function: bijection F for the leakage squeezing, Id otherwise
Device's function: Hamming Weight (HW) if no additional effort is done on the hardware
Attacker's function: assuming the "power" $x \mapsto x^{p_i}$
Side-Channel Attacks Prevention
“A setup similar to coding in digital communications, where the
goal is to make it hard for the receiver to decode the signal”.
[Figure: masking seen as a communication channel.
Defense (counter-measure): Masking = Sharing + Encoding. The sensitive variable Z is split into the shares S0, S1, S2, which are stored in the registers of the device under attack as S0, F1(S1), F2(S2).
(Side)-Channel: non-injective and noisy leakage function, with Hamming weight $w_H$, leakage L and noise $N(0, \sigma^2)$.
Attack: information retrieval, "decoding Z" (exhaustive search): 1) Measure L; 2) Compute $L^i$; 3) Test: $\mathrm{Var}[E[L^i \mid Z]] \neq 0$?]
Exploitation
Measured Combination (first result)
The attacker computes the optimal combination, i.e. the product $\prod_{i=0}^{d} L_i(S_i)$.
However, the attacker does not know the shares . . .
so, she simply checks whether there is a dependence, on average, with Z = z:
$E\left[\prod_{i=0}^{d} L_i(S_i) \mid Z = z\right] = 2^{-nd} \bigotimes_{i=0}^{d} L_i(z)$
General Theorem for Additive Masking
Boolean: the attack fails $\iff$ $\bigotimes_{i=0}^{d} L_i(z)$ is constant;
Arithmetic: the attack fails $\iff$ the arithmetic counterpart of this product, over $(\mathbb{Z}_{2^n}, +)$, evaluated at z, is constant.
Optimal combination?
The reason is that the $L_i$ are actually measured noisy;
$E[\text{general polynomial in } \mathbb{R}[L_0(S_0), \dots, L_d(S_d)] \mid Z = z] = \sum_{(\alpha_i) \in \mathbb{N}^{d+1}} \beta_{(\alpha_i)} E\left[\prod_{i=0}^{d} L_i(S_i)^{\alpha_i} \mid Z = z\right]$
$\sum_{(\alpha_i) \in (\mathbb{N}^*)^{d+1}} \beta_{(\alpha_i)} E\left[\prod_{i=0}^{d} L_i(S_i)^{\alpha_i} \mid Z = z\right]$ (i.e. $\forall i, \alpha_i > 0$).
The smallest noise happens when $\forall i, \alpha_i = 1$.
Order of the Optimal Attack (i.e. estimation with the least noise)
$\sum_i p_i \ge d + 1$.
Attack Feasibility Condition
Distinguishing Property
$E\left[\prod_{i=0}^{d} L_i(S_i) \mid Z = z\right] = 2^{-nd} \bigotimes_{i=0}^{d} L_i(z)$ ...
Actually, the attacker guesses mainly Z, depending on an exhaustive search on keys
For the correct key, there is a dependence, but not otherwise,
since we assume $Z(k) \perp\!\!\!\perp Z(k')$ for $k' \neq k$ (approximately)
Success Criteria
Characterization in Terms of Boolean Functions Fourier Transform
The attack fails
$\iff \bigotimes_{i=0}^{d} L_i(z)$ does not depend on z   (1)
$\iff \prod_{i=0}^{d} \hat{L}_i(a) = 0, \forall a \neq 0$   (2)
Recall that $L_i$ typically writes $L_i = G_i \circ \mathrm{HW} \circ F_i$;
W.l.o.g., when the $F_i$ are linear, we can take $F_0 = \mathrm{Id}$ in Eqn. (1),
simply by using $F_i' = F_i \circ F_0^{-1}$ instead
Goal: find $F_i$ such that $\sum_i d^{\circ}(G_i) = \sum_i p_i$ is maximal
Classical Result
No Leakage Squeezing ($X \oplus X_1 = Z$): $L_i = \mathrm{HW}^{p_i}$
Theorem: $\widehat{\mathrm{HW}^p}(a) = 0 \iff \mathrm{HW}(a) > p$
Results
If $\exists i$ such that $p_i = 0$, the attack fails (we need all the shares)
If $\forall i, p_i > 0$, the attack works.
Minimal degree of a successful attack:
$\sum_{i=0}^{d} p_i = \sum_{i=0}^{d} 1 = d + 1$
No Leakage Squeezing
[Figure: masked datapath without leakage squeezing. Initial values of the registers (n bits each): X ⊕ M and M; combinational glitch-free logic (e.g. memory) blocks C and R; final values of the registers: X′ ⊕ M′ and M′; the registers leak simultaneously (leakage L) across the algorithm iterations.]
Enhanced Results with Leakage Squeezing
Goal
We want a family of $L_i : \mathbb{F}_2^n \to \mathbb{Z}$ such that
$\forall a \neq 0, \prod_{i=0}^{d} \hat{L}_i(a) = 0$
If all the $L_i$ are identical (equal to L), this is equivalent to $\hat{L} = 0$ on $\mathbb{F}_2^n \setminus \{0\}$.
Strategy (second result)
Dispatch the constraint on the many $L_i$.
We use this property, for $a \neq 0$:
$\forall q' \le q, \widehat{\mathrm{HW}^{q'} \circ F}(a) = 0 \iff \forall b, \mathrm{HW}(b) \le q, \widehat{b \cdot F}(a) = 0$
First-Order Leakage Squeezing
[Figure: masked datapath with first-order leakage squeezing. Initial values of the registers (n bits each): X ⊕ M and F(M); the bijections F^{-1} and F surround the combinational glitch-free logic (e.g. memory) blocks C and R on the mask path; final values of the registers: X′ ⊕ M′ and F(M′); the registers leak simultaneously (leakage L) across the algorithm iterations.]
Example with d = 1 and F Linear
Condition on share 0 ($F_0 = \mathrm{Id}$)
$\forall a \neq 0, \hat{L}_0(a) = 0 \iff \mathrm{HW}(a) > 1$
Condition on share 1 ($F_1 = F$, $F(a) = \overline{\mathrm{Id}}\, a$)
$\forall a \neq 0, \hat{L}_1(a) = 0 \iff \forall b, \mathrm{HW}(b) \le 1, \widehat{b \cdot F}(a) = 0$
Now, $\widehat{b \cdot F}(a) \neq 0 \iff b = M a$,
where M is the inverse of the transpose of $\overline{\mathrm{Id}}$, i.e. $\overline{\mathrm{Id}}$
Altogether
Because of the condition on $\hat{L}_0$, we only need $\hat{L}_1(a) = 0$ for a such that $\mathrm{HW}(a) = 1$
But thus we must check that $\forall b, \mathrm{HW}(b) \le 1, b \neq M a$
This is correct, as $M a$ has Hamming weight $n - 1 > 1$
Theorem of AfricaCrypt’2012 [MCGD12]
Theorem
With one mask, the minimal order of the best attack is not 2,
but
it is equal to the dual distance of the graph of F , or
to the correlation-immunity of the indicator of F plus the
number one.
For F linear
It is equal to the maximal minimal distance of the graph of F .
E.g.: 4 for n = 4 or 5 for n = 8.
Second-Order Leakage Squeezing
[Figure: masked datapath with second-order leakage squeezing. Initial values of the registers (n bits each): X ⊕ M, F1(M1) and F2(M2); the bijections F1^{-1}, F2^{-1} and F1, F2 surround the combinational glitch-free logic (e.g. memory) blocks C, R1 and R2 on the mask paths; final values of the registers: X′ ⊕ M′, F1(M1′) and F2(M2′); the registers leak simultaneously (leakage L) across the algorithm iterations.]
Second-Order Leakage Squeezing
[Figure: on the device (defender) side, the sensitive variable goes through masking, leakage squeezing and a non-injective function; on the measures (attacker) side, the optimal combination is applied to get back to the sensitive variable.]
Hence the leakage:
$L = \mathrm{HW}(Z \oplus M_1'' \oplus M_2'',\ F_1(M_1) \oplus F_1(M_1 \oplus M_1''),\ F_2(M_2) \oplus F_2(M_2 \oplus M_2''))$
$= \mathrm{HW}(Z \oplus M_1'' \oplus M_2'',\ D_{M_1''} F_1(M_1),\ D_{M_2''} F_2(M_2))$.
No Leakage Squeezing
Leakage Squeezing of Order One
Leakage Squeezing of Order Two
Solutions when F1 and F2 are Linear
Introduction to Masking
Leakage Squeezing
Conclusion
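So attacks fail at order d if for all p, q and r such that $p + q + r \le d$, the function
$z \mapsto f(z) = \sum_{m_1'', m_2''} \sum_{m_1, m_2} \mathrm{HW}^p(z \oplus m_1'' \oplus m_2'')\, \mathrm{HW}^q(D_{m_1''} F_1(m_1))\, \mathrm{HW}^r(D_{m_2''} F_2(m_2))$
$= \sum_{m_1'', m_2''} \mathrm{HW}^p(z \oplus m_1'' \oplus m_2'') \sum_{m_1} \mathrm{HW}^q(D_{m_1''} F_1(m_1)) \sum_{m_2} \mathrm{HW}^r(D_{m_2''} F_2(m_2))$
$\propto \sum_{m_1'', m_2''} \mathrm{HW}^p(z \oplus m_1'' \oplus m_2'')\, E(\mathrm{HW}^q \circ D_{m_1''} F_1(M_1))\, E(\mathrm{HW}^r \circ D_{m_2''} F_2(M_2))$
$= \left(\mathrm{HW}^p \otimes E(\mathrm{HW}^q \circ D_{(\cdot)} F_1(M_1)) \otimes E(\mathrm{HW}^r \circ D_{(\cdot)} F_2(M_2))\right)(z)$   (3)
is constant.
Thus $\hat{f}$ is null everywhere except in zero:
$\hat{f} \propto \widehat{\mathrm{HW}^p} \cdot \widehat{E(\mathrm{HW}^q \circ D_{(\cdot)} F_1(M_1))} \cdot \widehat{E(\mathrm{HW}^r \circ D_{(\cdot)} F_2(M_2))}$.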
In summary, to resist at order d, we are attempting to find two
bijections F1 and F2 such that:
$\forall a \in \mathbb{F}_2^n \setminus \{0\}$, $\widehat{\mathrm{HW}^p}(a) = 0$ or $\widehat{E(\mathrm{HW}^q \circ D_{(\cdot)} F_1(M))}(a) = 0$ or $\widehat{E(\mathrm{HW}^r \circ D_{(\cdot)} F_2(M))}(a) = 0$   (4)
for every triple of integers p, q and r such that $p + q + r \le d$, d
being the targeted protection order.
Proposition
Let F1 be a bijection such that the security is reached at order d
with one mask. Then, by introducing a second mask processed
through whatever bijection F2 , the security is reached at order at
least d + 1.
F1 and F2 are assumed to be linear
Thus $d = \min\{\mathrm{HW}(a) + \mathrm{HW}(L_1(a)) + \mathrm{HW}(L_2(a)) - 1;\ a \neq 0\}$,
which is exactly the minimal distance of the code
$\{(x, L_1^t(x), L_2^t(x));\ x \in \mathbb{F}_2^n\}$ (of rate 1/3 and with three disjoint
information sets) minus the number 1.
New records in high-order attacks resistance
Old values:
n = 4 bit: [8, 4, 4] (linear)
n = 8 bit: [16, 8, 5] (linear) / (16, 256, 6) (non-linear)
New values:
n = 4 bit: [12, 4, 6] (linear)
n = 8 bit: [24, 8, 8] (linear)
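Added example (not from the slides or the authors' code): a brute-force check, for n = 4, of the one-mask theorem and of the linear two-mask code-distance result above. It finds the lowest order at which a noise-free Hamming-weight moment depends on z and compares it with the minimal distance of the associated code. Assumptions of this example: the column sets ID, C1, D1, D2 are constructed here, and each F_i is taken as the inverse of the linear map whose columns are listed, so that the code is generated by [I | C1] or [I | D1 | D2].

```python
from itertools import product

N = 4                                    # register width, n = 4 as on the slides
HW = [bin(x).count("1") for x in range(1 << N)]

def linear_map(columns):
    """Table of the F_2-linear map x -> XOR of columns[j] over the set bits j of x."""
    table = [0] * (1 << N)
    for x in range(1, 1 << N):
        low = x & -x                     # lowest set bit of x
        table[x] = table[x ^ low] ^ columns[low.bit_length() - 1]
    return table

def inverse(table):
    """Inverse permutation of a bijection given as a lookup table."""
    inv = [0] * len(table)
    for x, y in enumerate(table):
        inv[y] = x
    return inv

def code_distance(column_sets):
    """Minimum weight of (a, a.C1, a.C2, ...), where (a.C)_j = parity(a & C[j])."""
    return min(HW[a] + sum(HW[a & c] & 1 for cols in column_sets for c in cols)
               for a in range(1, 1 << N))

def first_attack_order(bijections):
    """Smallest p0+...+pd for which z -> sum over masks of HW(z^m1^...)**p0 *
    prod_i HW(F_i(m_i))**p_i depends on z (exact, noise-free HW leakage)."""
    d = len(bijections)
    for order in range(d + 1, (d + 1) * N + 1):
        for powers in product(range(1, order), repeat=d + 1):
            if sum(powers) != order:
                continue
            seen = set()
            for z in range(1 << N):
                total = 0
                for masks in product(range(1 << N), repeat=d):
                    share0, term = z, 1
                    for m, F, p in zip(masks, bijections, powers[1:]):
                        share0 ^= m      # masked share Z ^ m1 ^ ... ^ md
                        term *= HW[F[m]] ** p
                    total += HW[share0] ** powers[0] * term
                seen.add(total)
            if len(seen) > 1:            # the moment distinguishes values of z
                return order

# Constructed column sets (assumptions of this example, not taken from the slides).
ID = [1, 2, 4, 8]                        # identity: no leakage squeezing
C1 = [14, 13, 11, 7]                     # [I | C1] generates an [8, 4, 4] code
D1, D2 = [14, 13, 10, 5], [11, 7, 9, 6]  # [I | D1 | D2] generates a [12, 4, 6] code
```

With these choices `first_attack_order` agrees with `code_distance` in every case: 2 and 3 without squeezing (one and two masks), 4 for `[inverse(linear_map(C1))]`, and 6 for `[inverse(linear_map(D1)), inverse(linear_map(D2))]`.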
A high-order leakage squeezing countermeasure allows:
... to increase the security
n = 4 bit: from first successful HO-CPA of order 2 to order 6
n = 8 bit: from first successful HO-CPA of order 2 to order 8
Acknowledgments
Special thanks to Secure-IC S.A.S. for financing this mission:
Visit http://www.secure-ic.com; the company is hiring.
[MCGD12] Houssem Maghrebi, Claude Carlet, Sylvain Guilley, and Jean-Luc Danger.
Optimal First-Order Masking with Linear and Non-linear Bijections.
In Aikaterini Mitrokotsa and Serge Vaudenay, editors,
AFRICACRYPT, volume 7374 of Lecture Notes in Computer
Science, pages 360–377. Springer, 2012.