Oscar Reparaz

On the Cost of Lazy Engineering for Masked Software Implementations

Masking is one of the most popular countermeasures to mitigate side-channel analysis. Yet, its deployment in actual cryptographic devices is well known to be challenging, since designers have to ensure that the leakage corresponding to different shares is independent. Several works have shown that such an independent leakage assumption may be contradicted in practice, because of physical effects such as “glitches” or “transition-based” leakages. As a result, implementing masking securely can be a time-consuming engineering problem. This is in strong contrast with recent and promising approaches for the automatic insertion of countermeasures exploiting compilers, that aim to limit the development time of side-channel resistant software. Motivated by this contrast, we question what can be hoped for these approaches – or more generally for masked software implementations based on careless assembly generation. For this purpose, our first contribution is a simple reduction from security proofs obtained in a (usual but not always realistic) model where leakages depend on the intermediate variables manipulated by the target device, to security proofs in a (more realistic) model where the transitions between these intermediate variables are leaked. We show that the cost of moving from one context to the other implies a division of the security order by two for masking schemes. Next, our second and main contribution is to provide a comprehensive empirical validation of this reduction, based on two microcontrollers, several (handwritten and compiler-based) ways of generating assembly codes, with and without “recycling” the randomness used for sharing. These experiments confirm the relevance of our analysis, and therefore quantify the cost of lazy engineering for masking.

DPA, Bitslicing and Masking at 1 GHz

We present DPA attacks on an ARM Cortex-A8 processor running at 1 GHz. This high-end processor is typically found in portable devices such as phones and tablets. In our case, the processor sits in a single board computer and runs a full-fledged Linux operating system. The targeted AES implementation is bitsliced and runs in constant time and constant flow. We show that, despite the complex hardware and software, high clock frequencies and practical measurement issues, the implementation can be broken with DPA starting from a few thousand measurements of the electromagnetic emanation of a decoupling capacitor near the processor. To harden the bitsliced implementation against DPA attacks, we mask it using principles of hardware gate-level masking. We evaluate the security of our masked implementation against first-order and second-order attacks. Our experiments show that successful attacks require roughly two orders of magnitude more measurements.

Selecting time samples for multivariate DPA attacks

Masking on the algorithm level, i.e. concealing all sensitive intermediate values with random data, is a popular countermeasure against DPA attacks. A properly implemented masking scheme forces an attacker to apply a higher-order DPA attack. Such attacks are known to require a number of traces growing exponentially in the attack order, and computational power growing combinatorially in the number of time samples that have to be exploited jointly. We present a novel technique to identify such tuples of time samples before key recovery, in black-box conditions and using only known inputs (or outputs). Attempting key recovery only once the tuples have been identified can reduce the computational complexity of the overall attack substantially, e.g. from months to days. Experimental results based on power traces of a masked software implementation of the AES confirm the effectiveness of our method and show exemplary speed-ups.

Higher-Order Threshold Implementation of the AES S-Box

In this paper we present a threshold implementation of the Advanced Encryption Standards S-box which is secure against first- and second-order power analysis attacks. This security guarantee holds even in the presence of glitches, and includes resistance against bivariate attacks. The design requires an area of 7849 Gate Equivalents and 126 bits of randomness per S-box execution. The implementation is tested on an FPGA platform and its security claim is supported by practical leakage detection tests.

A Masked Ring-LWE Implementation

Lattice-based cryptography has been proposed as a postquantum public-key cryptosystem. In this paper, we present a masked ring-LWE decryption implementation resistant to first-order side-channel attacks. Our solution has the peculiarity that the entire computation is performed in the masked domain. This is achieved thanks to a new, bespoke masked decoder implementation. The output of the ring-LWE decryption are Boolean shares suitable for derivation of a symmetric key. We have implemented a hardware architecture of the masked ring-LWE processor on a Virtex-II FPGA, and have performed side channel analysis to confirm the soundness of our approach. The area of the protected architecture is around 2000 LUTs, a \(20\,\%\) increase with respect to the unprotected architecture. The protected implementation takes 7478 cycles to compute, which is only a factor \(\times 2.6\) larger than the unprotected implementation.

Additively Homomorphic Ring-LWE Masking

In this paper, we present a new masking scheme for ring-LWE decryption. Our scheme exploits the additively-homomorphic property of the existing ring-LWE encryption schemes and computes an additive-mask as an encryption of a random message. Our solution differs in several aspects from the recent masked ring-LWE implementation by Reparaz et al. presented at CHESi¾ź2015; most notably we do not require a masked decoder but work with a conventional, unmasked decoder. As such, we can secure a ring-LWE implementation using additive masking with minimal changes. Our masking scheme is also very generic in the sense that it can be applied to other additively-homomorphic encryption schemes.

Low-energy encryption for medical devices: security adds an extra design dimension

Smart medical devices will only be smart if they also include technology to provide security and privacy. In practice this means the inclusion of cryptographic algorithms of sufficient cryptographic strength. For battery operated devices or for passively powered devices, these cryptographic algorithms need highly efficient, low power, low energy realizations. Moreover, unique to cryptographic implementations is that they also need protection against physical tampering either active or passive. This means that countermeasures need to be included during the design process. Similar to design for low energy, design for physical protection needs to be addressed at all design abstraction levels. Differently, while skipping one optimization step in a design for low energy or low power, merely reduces the battery life time, skipping a countermeasure, means opening the door for a possible attack. Designing for security requires a thorough threat analysis and a balanced selection of countermeasures. This paper will discuss the different abstraction layers and design methods applied to obtain low power/low energy and at the same time side-channel and fault attack resistant cryptographic implementations. To provide a variety of security features, including location privacy, it is clear that medical devices need public key cryptography (PKC). It will be illustrated with the design of a low energy elliptic curve based public key programmable co-processor. It only needs 5.1μJ of energy in a 0.13 μm CMOS technology for one point multiplication and includes a selected set of countermeasures against physical attacks.

A Note on the Use of Margins to Compare Distinguishers

Relative distinguishing margins are becoming a popular measure for comparing distinguishers. This paper presents some examples that show that this measure, although informative and intuitively sound, should not be taken alone as benchmark of distinguishers.

Generic DPA Attacks: Curse or Blessing?

Generic DPA attacks, such as MIA, have been recently proposed as a method to mount DPA attacks without the need for possibly restrictive assumptions on the leakage behaviour. Previous work identified some shortcomings of generic DPA attacks when attacking injective targets (such as the AES Sbox output). In this paper, we focus on that particular property of generic DPA attacks and explain limitations, workarounds and advantages. Firstly we show that the original fix to address this issue (consisting of dropping bits on predictions to destroy the injectivity) works in practice. Secondly, we describe how a determined attacker can circumvent the issue of attacking injective targets and mount a generic attack on the AES using previously mentioned non-injective targets. Thirdly, we explain important and attractive properties of generic attacks, such as being effective under any leakage behaviour. Consequently, we are able to recover keys even if the attacker only observes an encrypted version of the leakage, for instance when a device is using bus encryption with a constant key. The same property also allows to mount attacks on later rounds of the AES with a reduced number of key hypotheses compared to classical DPA. All main observations are supported by experimental results, when possible on real measurements.

Masking AES With d+1 Shares in Hardware

Masking requires splitting sensitive variables into at least d+1 shares to provide security against DPA attacks at order d. To this date, this minimal number has only been deployed in software implementations of cryptographic algorithms and in the linear parts of their hardware counterparts. So far there is no hardware construction that achieves this lower bound if the function is nonlinear and the underlying logic gates can glitch. In this paper, we give practical implementations of the AES using d+1 shares aiming at first- and second-order security even in the presence of glitches. To achieve this, we follow the conditions presented by Reparaz et al. at CRYPTO 2015 to allow hardware masking schemes, like Threshold Implementations, to provide theoretical higher-order security with d+1 shares. The decrease in number of shares has a direct impact in the area requirements: our second-order DPA resistant core is the smallest in area so far, and its S-box is 50% smaller than the current smallest Threshold Implementation of the AES S-box with similar security and attacker model. We assess the security of our masked cores by practical side-channel evaluations. The security guarantees are met with 100 million traces.