Parallel Implementations of Masking Schemes
and the Bounded Moment Leakage Model
G. Barthe, F. Dupressoir, S. Faust,
B. Grégoire, F.-X. Standaert, P.-Y. Strub
IMDEA (Spain), Univ. Surrey (UK), Univ. Bochum (Germany), INRIA SophiaAntipolis (France), UCL (Belgium), Ecole Polytechnique (France)
EUROCRYPT 2017, Paris, France
Outline
• Introduction / motivation
•
•
Side-channel attacks and noise
Masking and leakage models
• Bounded moment model
•
•
•
•
•
Masking intuition & BMM definition
Probing security ⇒ BM security
Parallel multiplication (& refreshing)
BM security ⇏ probing security
• Inner product masking (with “non-mixing” leakages)
• Continuous security & refreshing gadgets
Conclusions
Outline
• Introduction / motivation
•
•
Side-channel attacks and noise
Masking and leakage models
• Bounded moment model
•
•
•
•
•
Masking intuition & BMM definition
Probing security ⇒ BM security
Parallel multiplication (& refreshing)
BM security ⇏ probing security
• Inner product masking (with “non-mixing” leakages)
• Continuous security & refreshing gadgets
Conclusions
1
Side-channel attacks
success probability
computation
𝟐𝟏𝟐𝟖
264
20
32
64
96
𝟏𝟐𝟖
# of measurements
• ≈ physical attacks that decreases security
exponentially in the # of measurements
Noise (hardware countermeasures)
2
Noise (hardware countermeasures)
2
Noise (hardware countermeasures)
• Additive noise ≈ cost × 2 ⇒ security × 2
⇒ not a good (crypto) security parameter
2
Outline
• Introduction / motivation
•
•
Side-channel attacks and noise
Masking and leakage models
• Bounded moment model
•
•
•
•
•
Masking intuition & BMM definition
Probing security ⇒ BM security
Parallel multiplication (& refreshing)
BM security ⇏ probing security
• Inner product masking (with “non-mixing” leakages)
• Continuous security & refreshing gadgets
Conclusions
Masking (≈ noise amplification)
• Example: Boolean encoding
𝑦 = 𝑦1 ⊕ 𝑦2 ⊕ ⋯ ⊕ 𝑦𝑑−1 ⊕ 𝑦𝑑
• With 𝑦1 , 𝑦2 , … , 𝑦𝑑−2 , 𝑦𝑑−1 ← {0,1}𝑛
3
4
Masking (abstract view)
• Probing security (Ishai, Sahai, Wagner 2003)
𝑦 = 𝑦1 ⊕ 𝑦2 ⊕ ⋯ ⊕ 𝑦𝑑−1 ⊕ 𝑦𝑑
?
4
Masking (abstract view)
• Probing security (Ishai, Sahai, Wagner 2003)
𝑦 = 𝑦1 ⊕ 𝑦2 ⊕ ⋯ ⊕ 𝑦𝑑−1 ⊕ 𝑦𝑑
?
• 𝑑 − 1 probes do not reveal anything on 𝑦
4
Masking (abstract view)
• Probing security (Ishai, Sahai, Wagner 2003)
𝑦 = 𝑦1 ⊕ 𝑦2 ⊕ ⋯ ⊕ 𝑦𝑑−1 ⊕ 𝑦𝑑
y
• But 𝑑 probes completely reveal 𝑦
5
Masking (concrete view)
• Probing security (Ishai, Sahai, Wagner 2003)
𝑦 = 𝑦1 ⊕ 𝑦2 ⊕ ⋯ ⊕ 𝑦𝑑−1 ⊕ 𝑦𝑑
?
• Bounded information leakage MI(𝑌𝑖 ; 𝐿)𝑑
5
Masking (concrete view)
• Probing security (Ishai, Sahai, Wagner 2003)
𝑦 = 𝑦1 ⊕ 𝑦2 ⊕ ⋯ ⊕ 𝑦𝑑−1 ⊕ 𝑦𝑑
?
• Noisy leakage security (Prouff, Rivain 2013)
5
Masking (concrete view)
• Probing security (Ishai, Sahai, Wagner 2003)
noise and independence
• Noisy leakage security (Prouff, Rivain 2013)
(Duc, Dziembwski, Faust 2014)
𝑦 = 𝑦1 ⊕ 𝑦2 ⊕ ⋯ ⊕ 𝑦𝑑−1 ⊕ 𝑦𝑑
Motivation / open questions
1. What happens with parallel implementations?
•
For example: one probe reveals the shares’ sum
6
6
Motivation / open questions
1. What happens with parallel implementations?
•
For example: one probe reveals the shares’ sum
2. How to test physical independence? (consolidating)
?
?
6
Motivation / open questions
1. What happens with parallel implementations?
•
For example: one probe reveals the shares’ sum
2. How to test physical independence? (consolidating)
?
?
• W/O directly working in the noisy leakage model
Outline
• Introduction / motivation
•
•
Side-channel attacks and noise
Masking and leakage models
• Bounded moment model
•
•
•
•
•
Masking intuition & BMM definition
Probing security ⇒ BM security
Parallel multiplication (& refreshing)
BM security ⇏ probing security
• Inner product masking (with “non-mixing” leakages)
• Continuous security & refreshing gadgets
Conclusions
Masking statistical intuition
• 2-share / 1-bit example, serial implementation
𝐿1 = 𝑦1 + 𝑛1
𝐿2 = 𝑦2 + 𝑛2
7
Masking statistical intuition
7
• 2-share / 1-bit example, parallel implementation
𝐿1 = 𝑦1 + 𝑛1
𝐿2 = 𝑦2 + 𝑛2
𝐿 = 𝑦1 + 𝑦2 + 𝑛
Masking statistical intuition
7
• 2-share / 1-bit example, parallel implementation
𝐿1 = 𝑦1 + 𝑛1
(informal). An implementation is
𝐿2 =Definition
𝑦2 + 𝑛2
secure at order 𝑜 in the bounded moment
model if all mixed statistical moments of order
up to 𝑜 of its leakage vectors are independent
of any sensitive variable manipulated
𝐿 = 𝑦1 + 𝑦2 + n
Outline
• Introduction / motivation
•
•
Side-channel attacks and noise
Masking and leakage models
• Bounded moment model
•
•
•
•
•
Masking intuition & BMM definition
Probing security ⇒ BM security
Parallel multiplication (& refreshing)
BM security ⇏ probing security
• Inner product masking (with “non-mixing” leakages)
• Continuous security & refreshing gadgets
Conclusions
Abstract reduction (answer to Q1)
8
• Theorem (informal). A parallel implementation is
secure at order 𝑜 in the BMM if its serialization is
secure at order 𝑜 in the probing model where
•
•
Adv𝑝𝑟 can (typically) probe 𝑜 = 𝑑 − 1 wires
Adv𝑏𝑚 can observe any 𝐿 = 𝑑𝑖=1 𝛼𝑖 ∙ 𝑦𝑖
Abstract reduction
8
• Theorem (informal). A parallel implementation is
secure at order 𝑜 in the BMM if its serialization is
secure at order 𝑜 in the probing model where
•
•
Adv𝑝𝑟 can (typically) probe 𝑜 = 𝑑 − 1 wires
Adv𝑏𝑚 can observe any 𝐿 = 𝑑𝑖=1 𝛼𝑖 ∙ 𝑦𝑖
• Intuition: summing the shares (in ℝ) does not
break the independent leakage assumption
Abstract reduction
8
• Theorem (informal). A parallel implementation is
secure at order 𝑜 in the BMM if its serialization is
secure at order 𝑜 in the probing model where
•
•
Adv𝑝𝑟 can (typically) probe 𝑜 = 𝑑 − 1 wires
Adv𝑏𝑚 can observe any 𝐿 = 𝑑𝑖=1 𝛼𝑖 ∙ 𝑦𝑖
• Intuition: summing the shares (in ℝ) does not
break the independent leakage assumption
• Main ≠ between probing and BM security
•
•
Adv𝑏𝑚 can sum over all the shares!
BM security is weaker (moments vs. distributions)
Concrete consequence
• If physically independent leakages, BM security
extends to actual measurements (e.g., 𝑑 = 3)
9
Concrete consequence (answer to Q2)
• If physically independent leakages, BM security
extends to actual measurements (e.g., 𝑑 = 3)
• If not, leakages are not independent
9
Outline
• Introduction / motivation
•
•
Side-channel attacks and noise
Masking and leakage models
• Bounded moment model
•
•
•
•
•
Masking intuition & BMM definition
Probing security ⇒ BM security
Parallel multiplication (& refreshing)
BM security ⇏ probing security
• Inner product masking (with “non-mixing” leakages)
• Continuous security & refreshing gadgets
Conclusions
10
Serial multiplication
• ISW 2003: multiplication 𝑐 = 𝑎 × 𝑏
𝒂𝟏 𝒃𝟐
𝒂𝟐 𝒃𝟐
𝒂𝟑 𝒃𝟐
𝒂𝟏 𝒃𝟑
𝟎
𝒂𝟐 𝒃𝟑 ⊕ −𝒓𝟏
−𝒓𝟐
𝒂𝟑 𝒃𝟑
partial products
𝒓𝟏
𝟎
−𝒓𝟑
refresh
𝒄𝟏
𝒓𝟐
𝒓𝟑 ⇒ 𝒄𝟐
𝒄𝟑
𝟎
compress
𝒂𝟏 𝒃𝟏
𝒂𝟐 𝒃𝟏
𝒂𝟑 𝒃𝟏
10
Serial multiplication
• ISW 2003: multiplication 𝑐 = 𝑎 × 𝑏
𝒂𝟏 𝒃𝟐
𝒂𝟐 𝒃𝟐
𝒂𝟑 𝒃𝟐
𝒂𝟏 𝒃𝟑
𝟎
𝒂𝟐 𝒃𝟑 ⊕ −𝒓𝟏
−𝒓𝟐
𝒂𝟑 𝒃𝟑
partial products
𝒓𝟏
𝟎
−𝒓𝟑
𝒄𝟏
𝒓𝟐
𝒓𝟑 ⇒ 𝒄𝟐
𝒄𝟑
𝟎
compress
𝒂𝟏 𝒃𝟏
𝒂𝟐 𝒃𝟏
𝒂𝟑 𝒃𝟏
refresh
• AES S-box (𝑛 = 8) implementation
•
•
•
•
𝑎 = 𝑎1 ⊕ 𝑎2 ⊕ ⋯ ⊕ 𝑎𝑑 (e.g., 𝑑 = 8)
Each register stores an 𝑎𝑖 (i.e., a GF 28 element)
Memory ∝ 𝑛 ∙ 𝑑, Time: ∝ 𝒅𝟐 GF 28 mult.
AES S-box ≈ 3 multiplications (& 4 squarings)
11
Parallel multiplication
• Main tweak: interleave & regularize
𝒓𝟏
𝒂𝟏 𝒃𝟏
𝒂𝟏 𝒃𝟑
𝒂𝟐 𝒃𝟐 ⊕ 𝒓𝟐 ⊕ 𝒂𝟐 𝒃𝟏
𝒓𝟑
𝒂𝟑 𝒃𝟑
𝒂𝟑 𝒃𝟐
𝒓𝟑
𝒄𝟏
𝒂𝟑 𝒃𝟏
𝒂𝟏 𝒃𝟐 ⊕ 𝒓𝟏 ⇒ 𝒄𝟐
𝒓𝟐
𝒄𝟑
𝒂𝟐 𝒃𝟑
refresh
11
Parallel multiplication
• Main tweak: interleave & regularize
𝒓𝟏
𝒂𝟏 𝒃𝟏
𝒂𝟏 𝒃𝟑
𝒂𝟐 𝒃𝟐 ⊕ 𝒓𝟐 ⊕ 𝒂𝟐 𝒃𝟏
𝒓𝟑
𝒂𝟑 𝒃𝟑
𝒂𝟑 𝒃𝟐
𝒓𝟑
𝒄𝟏
𝒂𝟑 𝒃𝟏
𝒂𝟏 𝒃𝟐 ⊕ 𝒓𝟏 ⇒ 𝒄𝟐
𝒓𝟐
𝒄𝟑
𝒂𝟐 𝒃𝟑
refresh
• AES S-box (𝑛 = 8) implementation
•
•
•
•
𝑎 = 𝑎1 ⊕ 𝑎2 ⊕ ⋯ ⊕ 𝑎𝑑 (e.g., 𝑑 = 8)
Each register stores 𝑛 𝑎𝑖 ’s (i.e., GF 2 elements)
Memory ∝ 𝑛 ∙ 𝑑, Time: ∝ 𝒅 GF 2 mult. (i.e., ANDs)
AES bitslice S-box ≈ 32 AND gates (& 83 XORs)
11
Parallel multiplication
• Main tweak: interleave & regularize
𝒓𝟏
𝒂𝟏 𝒃𝟏
𝒂𝟏 𝒃𝟑
𝒂𝟐 𝒃𝟐 ⊕ 𝒓𝟐 ⊕ 𝒂𝟐 𝒃𝟏
𝒓𝟑
𝒂𝟑 𝒃𝟑
𝒂𝟑 𝒃𝟐
𝒓𝟑
𝒄𝟏
𝒂𝟑 𝒃𝟏
𝒂𝟏 𝒃𝟐 ⊕ 𝒓𝟏 ⇒ 𝒄𝟐
𝒓𝟐
𝒄𝟑
𝒂𝟐 𝒃𝟑
refresh
• AES S-box (𝑛 = 8) implementation
•
•
•
•
𝑎 = 𝑎1 ⊕ 𝑎2 ⊕ ⋯ ⊕ 𝑎𝑑 (e.g., 𝑑 = 8)
Each register stores 𝑛 𝑎𝑖 ’s (i.e., GF 2 elements)
Memory ∝ 𝑛 ∙ 𝑑, Time: ∝ 𝒅 GF 2 mult. (i.e., ANDs)
AES bitslice S-box ≈ 32 AND gates (& 83 XORs)
⇒ Performance gains with large 𝑑’s (8, 16, 32)
Security analysis
12
• We analyzed the SNI security of the gadgets
≈ composable probing security (Barthe et al. 2016)
Security analysis
12
• We analyzed the SNI security of the gadgets
≈ composable probing security (Barthe et al. 2016)
• Iterating (𝑑 − 1)/3 refresh is SNI for 𝑑 < 12
Security analysis
12
• We analyzed the SNI security of the gadgets
≈ composable probing security (Barthe et al. 2016)
• Iterating (𝑑 − 1)/3 refresh is SNI for 𝑑 < 12
• Multiplication is more tricky…
Outline
• Introduction / motivation
•
•
Side-channel attacks and noise
Masking and leakage models
• Bounded moment model
•
•
•
•
•
Masking intuition & BMM definition
Probing security ⇒ BM security
Parallel multiplication (& refreshing)
BM security ⇏ probing security
• Inner product masking (with “non-mixing” leakages)
• Continuous security & refreshing gadgets
Conclusions
Specialized encodings
• Probing security is stronger than BM security
•
(And also stronger than noisy leakage security)
• Is it sometimes “too strong”?
•
i.e., breaks designs that are secure against DPA
13
Specialized encodings
• Probing security is stronger than BM security
•
(And also stronger than noisy leakage security)
• Is it sometimes “too strong”?
•
i.e., breaks designs that are secure against DPA
• Example: Boolean encoding (2 shares)
𝑦 = 𝑦1 ⊕ 𝑦2
13
13
Specialized encodings
• Probing security is stronger than BM security
•
(And also stronger than noisy leakage security)
• Is it sometimes “too strong”?
•
i.e., breaks designs that are secure against DPA
• Example: Boolean encoding (2 shares)
𝑦 = 𝑦1 ⊕ 𝑦2
• IP masking in GF(28 ) with “non-mixing” leakages
2
𝑦=
𝑝𝑖 × 𝑠𝑖
𝑖=1
𝑝2 = 1
𝑝2 = 5
𝑝2 = 7
Outline
• Introduction / motivation
•
•
Side-channel attacks and noise
Masking and leakage models
• Bounded moment model
•
•
•
•
•
Masking intuition & BMM definition
Probing security ⇒ BM security
Parallel multiplication (& refreshing)
BM security ⇏ probing security
• Inner product masking (with “non-mixing” leakages)
• Continuous security & refreshing gadgets
Conclusions
Continuous security
14
• So far we discussed “one-shot” probing attacks
Continuous security
14
• So far we discussed “one-shot” probing attacks
• Yet, side-channel attacks are usually continuous
•
i.e, accumulate information
from multiple executions
Continuous security
14
• So far we discussed “one-shot” probing attacks
• Yet, side-channel attacks are usually continuous
•
i.e, accumulate information
from multiple executions
• Typical issue: refreshing by add a share of 0
•
•
•
•
Frequently used in practice
Yet insecure in the continuous probing model
What does it mean concretely?
i.e., can we (sometimes) use such a refreshing?
Continuous probing attack
• Target: refresh(𝑎) = 𝑎 ⊕ 𝑟 ⊕ rot(𝑟)
step 1
(1)
𝑎1
(1)
𝑎2
(1)
𝑎3
(1)
𝑎4
Accumulated knowledge: ∅
15
Continuous probing attack
• Target: refresh(𝑎) = a ⊕ 𝑟 ⊕ rot(𝑟)
step 1
(1)
𝑎1
(1)
𝑎2
(1)
𝑎3
(1)
𝑎4
Accumulated knowledge: ∅
15
Continuous probing attack
• Target: refresh(𝑎) = a ⊕ 𝑟 ⊕ rot(𝑟)
step 1
(1)
𝑎1
(1)
𝑎2
(1)
𝑎3
(1)
𝑎4
Accumulated knowledge:
(1)
𝑎1
15
Continuous probing attack
• Target: refresh(𝑎) = a ⊕ 𝑟 ⊕ rot(𝑟)
step 1
step 2
(1)
𝑟1
(1)
𝑟2
(1)
𝑟3
(1)
𝑟4
𝑎1
𝑎2
𝑎3
𝑎4
(2)
𝑟4
(2)
𝑎1
(2)
𝑟1
(2)
𝑟2
(2)
𝑟3
(2)
(2)
𝑎2
(2)
𝑎3
(2)
𝑎4
(2)
(2)
(2)
Accumulated knowledge:
(1)
𝑎1
15
Continuous probing attack
• Target: refresh(𝑎) = a ⊕ 𝑟 ⊕ rot(𝑟)
step 1
step 2
(1)
𝑟1
(1)
𝑟2
(1)
𝑟3
(1)
𝑟4
𝑎1
𝑎2
𝑎3
𝑎4
(2)
𝑟4
(2)
𝑎1
(2)
𝑟1
(2)
𝑟2
(2)
𝑟3
(2)
(2)
𝑎2
(2)
𝑎3
(2)
𝑎4
(2)
(2)
(2)
Accumulated knowledge:
(1)
𝑎1
15
Continuous probing attack
• Target: refresh(𝑎) = a ⊕ 𝑟 ⊕ rot(𝑟)
step 1
step 2
(1)
𝑟1
(1)
𝑟2
(1)
𝑟3
(1)
𝑟4
𝑎1
𝑎2
𝑎3
𝑎4
(2)
𝑟4
(2)
𝑎1
(2)
𝑟1
(2)
𝑟2
(2)
𝑟3
(2)
(2)
𝑎2
(2)
𝑎3
(2)
𝑎4
(2)
(2)
(2)
Accumulated knowledge:
(1)
𝑎1
15
15
Continuous probing attack
• Target: refresh(𝑎) = a ⊕ 𝑟 ⊕ rot(𝑟)
step 1
step 2
(1)
𝑟1
(1)
𝑟2
(1)
𝑟3
(1)
𝑟4
𝑎1
𝑎2
𝑎3
𝑎4
(2)
𝑟4
(2)
𝑎1
(2)
𝑟1
(2)
𝑟2
(2)
𝑟3
(2)
(2)
𝑎2
(2)
𝑎3
(2)
𝑎4
(2)
(2)
(2)
Accumulated knowledge:
(2)
𝑎1
⊕
(2)
𝑎2
15
Continuous probing attack
• Target: refresh(𝑎) = a ⊕ 𝑟 ⊕ rot(𝑟)
step 1
step 2
(1)
𝑟1
(1)
𝑟2
(1)
𝑟3
(1)
𝑟4
𝑎1
𝑎2
𝑎3
𝑎4
(2)
𝑟4
(2)
𝑟1
(2)
𝑟2
(2)
𝑟3
step 3
(2)
𝑎1
(2)
𝑟1
(2)
𝑎2
(2)
𝑎3
(2)
𝑎4
(2)
𝑟2
(2)
𝑟3
(2)
𝑟4
Accumulated knowledge:
(2)
𝑎1
⊕
(3)
𝑟4
(3)
𝑟1
(3)
𝑟2
(3)
𝑟3
(2)
𝑎2
(3)
𝑎1
(3)
(3)
𝑎2
(3)
𝑎3
(3)
𝑎4
(3)
(3)
(3)
15
Continuous probing attack
• Target: refresh(𝑎) = a ⊕ 𝑟 ⊕ rot(𝑟)
step 1
step 2
(1)
𝑟1
(1)
𝑟2
(1)
𝑟3
(1)
𝑟4
𝑎1
𝑎2
𝑎3
𝑎4
(2)
𝑟4
(2)
𝑟1
(2)
𝑟2
(2)
𝑟3
step 3
(2)
𝑎1
(2)
𝑟1
(2)
𝑎2
(2)
𝑎3
(2)
𝑎4
(2)
𝑟2
(2)
𝑟3
(2)
𝑟4
Accumulated knowledge:
(2)
𝑎1
⊕
(3)
𝑟4
(3)
𝑟1
(3)
𝑟2
(3)
𝑟3
(2)
𝑎2
(3)
𝑎1
(3)
(3)
𝑎2
(3)
𝑎3
(3)
𝑎4
(3)
(3)
(3)
15
Continuous probing attack
• Target: refresh(𝑎) = a ⊕ 𝑟 ⊕ rot(𝑟)
step 1
step 2
(1)
𝑟1
(1)
𝑟2
(1)
𝑟3
(1)
𝑟4
𝑎1
𝑎2
𝑎3
𝑎4
(2)
𝑟4
(2)
𝑟1
(2)
𝑟2
(2)
𝑟3
step 3
(2)
𝑎1
(2)
𝑟1
(2)
𝑎2
(2)
𝑎3
(2)
𝑎4
(2)
𝑟2
(2)
𝑟3
(2)
𝑟4
Accumulated knowledge:
(2)
𝑎1
⊕
(3)
𝑟4
(3)
𝑟1
(3)
𝑟2
(3)
𝑟3
(2)
𝑎2
(3)
𝑎1
(3)
(3)
𝑎2
(3)
𝑎3
(3)
𝑎4
(3)
(3)
(3)
15
Continuous probing attack
• Target: refresh(𝑎) = a ⊕ 𝑟 ⊕ rot(𝑟)
step 1
step 2
(1)
𝑟1
(1)
𝑟2
(1)
𝑟3
(1)
𝑟4
𝑎1
𝑎2
𝑎3
𝑎4
(2)
𝑟4
(2)
𝑟1
(2)
𝑟2
(2)
𝑟3
step 3
(2)
𝑎1
(2)
𝑟1
(2)
𝑎2
(2)
𝑎3
(2)
𝑎4
(2)
𝑟2
(2)
𝑟3
(2)
𝑟4
Accumulated knowledge:
(3)
𝑎1
⊕
(3)
𝑟4
(3)
𝑟1
(3)
𝑟2
(3)
𝑟3
(3)
𝑎2
(3)
𝑎1
(3)
𝑎2
(3)
𝑎3
(3)
𝑎4
⊕
(3)
(3)
(3)
(3)
(3)
𝑎3
15
Continuous probing attack
• Target: refresh(𝑎) = a ⊕ 𝑟 ⊕ rot(𝑟)
step 1
step 2
(1)
𝑟1
(1)
𝑟2
(1)
𝑟3
(1)
𝑟4
𝑎1
𝑎2
𝑎3
𝑎4
(2)
𝑟4
(2)
𝑟1
(2)
𝑟2
(2)
𝑟3
step 3
(2)
𝑎1
(2)
𝑟1
(2)
𝑎2
(2)
𝑎3
(2)
𝑎4
(3)
𝑟4
(2)
𝑟2
(2)
𝑟3
(2)
𝑟4
(3)
𝑎1
(3)
𝑟1
(3)
𝑟2
(3)
𝑟3
(3)
(3)
𝑎2
(3)
𝑎3
(3)
𝑎4
(3)
(3)
(3)
⇒ After 𝑑 iterations, 𝑎 is learned in full by Adv𝑝𝑟
…
15
Continuous probing attack
• Target: refresh(𝑎) = a ⊕ 𝑟 ⊕ rot(𝑟)
step 1
step 2
(1)
𝑟1
(1)
𝑟2
(1)
𝑟3
(1)
𝑟4
𝑎1
𝑎2
𝑎3
𝑎4
(2)
𝑟4
(2)
𝑟1
(2)
𝑟2
(2)
𝑟3
step 3
(2)
𝑎1
(2)
𝑟1
(2)
𝑎2
(2)
𝑎3
(2)
𝑎4
(3)
𝑟4
(2)
𝑟2
(2)
𝑟3
(2)
𝑟4
(3)
𝑎1
(3)
𝑟1
(3)
𝑟2
(3)
𝑟3
(3)
(3)
𝑎2
(3)
𝑎3
(3)
𝑎4
(3)
…
(3)
(3)
⇒ After 𝑑 iterations, 𝑎 is learned in full by Adv𝑝𝑟
•
Not possible in the BMM. Intuition: adaptation does
not help since Adv𝑏𝑚 can anyway sum over all shares!
15
Continuous probing attack
• Target: refresh(𝑎) = a ⊕ 𝑟 ⊕ rot(𝑟)
step 1
step 2
(1)
𝑟1
(1)
𝑟2
(1)
𝑟3
(1)
𝑟4
𝑎1
𝑎2
𝑎3
𝑎4
(2)
𝑟4
(2)
𝑟1
(2)
𝑟2
(2)
𝑟3
step 3
(2)
𝑎1
(2)
𝑟1
(2)
𝑎2
(2)
𝑎3
(2)
𝑎4
(3)
𝑟4
(2)
𝑟2
(2)
𝑟3
(2)
𝑟4
(3)
𝑎1
(3)
𝑟1
(3)
𝑟2
(3)
𝑟3
(3)
(3)
𝑎2
(3)
𝑎3
(3)
𝑎4
(3)
…
(3)
(3)
⇒ After 𝑑 iterations, 𝑎 is learned in full by Adv𝑝𝑟
•
Impact: refresh( . ) can be used to refresh the key of a
key homomorphic primitive (⇒ fully linear overheads)
Outline
• Introduction / motivation
•
•
Side-channel attacks and noise
Masking and leakage models
• Bounded moment model
•
•
•
•
•
Masking intuition & BMM definition
Probing security ⇒ BM security
Parallel multiplication (& refreshing)
BM security ⇏ probing security
• Inner product masking (with “non-mixing” leakages)
• Continuous security & refreshing gadgets
Conclusions
Conclusions
• Probing security is relevant to parallel implem.
16
16
Conclusions
• Probing security is relevant to parallel implem.
• BMM suggests a principled path to security eval.
probing security
[DDF14]
+ noise,
noisy leakages security
bounded moment security
16
Conclusions
• Probing security is relevant to parallel implem.
• BMM suggests a principled path to security eval.
probing security
[DDF14]
+ noise,
noisy leakages security
bounded moment security
• Parallel implem. are appealing for masking
•
Leverage the memory needed to store shares
16
Conclusions
• Probing security is relevant to parallel implem.
• BMM suggests a principled path to security eval.
probing security
[DDF14]
+ noise,
noisy leakages security
bounded moment security
• Parallel implem. are appealing for masking
•
Leverage the memory needed to store shares
• Cont. probing security sometimes “too strong”
THANKS
http://perso.uclouvain.be/fstandae/
© Copyright 2026 Paperzz