SoK: Design Tools for Side-Channel-Aware Implementations

Side-channel attacks that leak sensitive information through a computing device's interaction with its physical environment have proven to be a severe threat to devices' security, particularly when adversaries have unfettered physical access to the device. Traditional approaches for leakage detection measure the physical properties of the device. Hence, they cannot be used during the design process and fail to provide root cause analysis. An alternative approach that is gaining traction is to automate leakage detection by modeling the device. The demand to understand the scope, benefits, and limitations of the proposed tools intensifies with the increase in the number of proposals. In this SoK, we classify approaches to automated leakage detection based on the model's source of truth. We classify the existing tools on two main parameters: whether the model includes measurements from a concrete device and the abstraction level of the device specification used for constructing the model. We survey the proposed tools to determine the current knowledge level across the domain and identify open problems. In particular, we highlight the absence of evaluation methodologies and metrics that would compare proposals' effectiveness from across the domain. We believe that our results help practitioners who want to use automated leakage detection and researchers interested in advancing the knowledge and improving automated leakage detection

Secure Context Switching of Masked Software Implementations

Cryptographic software running on embedded devices requires protection against physical side-channel attacks such as power analysis. Masking is a widely deployed countermeasure against these attacksand is directly implemented on algorithmic level. Many works study the security of masked cryptographic software on CPUs, pointing out potential problems on algorithmic/microarchitecture-level, as well as corresponding solutions, and even show masked software can be implemented efficiently and with strong (formal) security guarantees. However, these works also make the implicit assumption that software is executed directly on the CPU without any abstraction layers in-between, i.e., they focus exclusively on the bare-metal case. Many practical applications, including IoT and automotive/industrial environments, require multitasking embedded OSs on which masked software runs as one out of many concurrent tasks. For such applications, the potential impact of events like context switches on the secure execution of masked software has not been studied so far at all. In this paper, we provide the first security analysis of masked cryptographic software spanning all three layers (SW, OS, CPU). First, we apply a formal verification approach to identify leaks within the execution of masked software that are caused by the embedded OS itself, rather than on algorithmic or microarchitecture level. After showing that these leaks are primarily caused by context switching, we propose several different strategies to harden a context switching routine against such leakage, ultimately allowing masked software from previous works to remain secure when being executed on embedded OSs. Finally, we present a case study focusing on FreeRTOS, a popular embedded OS for embedded devices, running on a RISC-V core, allowing us to evaluate the practicality and ease of integration of each strategy

Classical leakage-resilient circuits from quantum fault-tolerant computation

Tese (doutorado)—Universidade de Brasília, Instituto de Ciências Exatas, Departamento de Ciência da Computação, 2015.Implementações físicas de algoritmos criptográficos vazam informação, o que os torna vulneráveis aos chamados ataques de canal lateral. Atualmente, criptografia é utilizada em uma variedade crescente de cenários, e frequentemente a suposição de que a execução de criptossistemas é fisicamente isolada não é realista. A área de resistência a vazamentos propõe mitigar ataques de canal lateral projetando protocolos que são seguros mesmo se a informação vaza durante a execução. Neste trabalho, estudamos computação resistente a vazamento, que estuda o problema de executar computação universal segura na presença de vazamento. Computação quântica tolerante a falhas se preocupa com o problema de ruído em computadores quânticos. Uma vez que é extremamente difícil isolar sistemas quânticos de ruído, a área de tolerância a falhas propões esquemas para executar computações corretamente mesmo se há algum ruído. Existe uma conexão entre resistência a vazamento e tolerância a falhas. Neste trabalho, mostramos que vazamento em um circuito clássico é uma forma de ruído, quando o circuito é interpretado como um circuito quântico. Posteriormente, provamos que para um modelo de vazamento arbitrário, existe um modelo de ruído correspondente para o qual um circuito que é tolerante a falhas de acordo com um modelo de ruído também é resistente a vazamento de acordo com o modelo de vazamento dado. Também mostramos como utilizar construções para tolerância a falhas para implementar circuitos clássicos que são seguros em modelos de vazamento específicos. Isto é feito estabelecendo critérios para os quais circuitos quânticos podem ser convertidos em circuitos clássicos de certa forma que a propriedade de resistência a vazamentos é preservada. Usando estes critérios, convertemos uma implementação de computação quântica tolerante a falhas em um compilador resistente a vazamentos clássicos, isto é, um esquema que compila um circuito arbitrário em um circuito de mesma funcionalidade que é resistente a vazamentos.Physical implementations of cryptographic algorithms leak information, which makes them vulnerable to so-called side-channel attacks. Cryptography is now used in an ever-increasing variety of scenarios, and the assumption that the execution of cryptosystems is physically insulated is often not realistic. The field of leakage resilience proposes to mitigate side-channel attacks by designing protocols that are secure even if information leaks during execution. In this work, we study leakage-resilient computation, which concerns the problem of performing secure universal computation in the presence of leakage. Fault-tolerant quantum computation is concerned with the problem of noise in quantum computers. Since it is very hard to insulate quantum systems from noise, fault tolerance proposes schemes for performing computations correctly even if some noise is present. It turns out that there exists a connection between leakage resilience and fault tolerance. In this work, we show that leakage in a classical circuit is a form of noise, when the circuit is interpreted as quantum. We then prove that for an arbitrary leakage model, there exists a corresponding noise model in which a circuit that is fault-tolerant against the noise model is also resilient against the given leakage model. We also show how to use constructions for fault tolerance to implement classical circuits that are secure in specific leakage models. This is done by establishing criteria in which quantum circuits can be converted into classical circuits in such a way that the leakage resilience property is preserved. Using these criteria, we convert an implementation of universal fault-tolerant quantum computation into a classical leakageresilient compiler, i.e., a scheme that compiles an arbitrary circuit into a circuit of the same functionality that is leakage-resilient

Bringing Theory Closer to Practice in Post-quantum and Leakage-resilient Cryptography

Modern cryptography pushed forward the need of having provable security. Whereas ancient cryptography was only relying on heuristic assumptions and the secrecy of the designs, nowadays researchers try to make the security of schemes to rely on mathematical problems which are believed hard to solve. When doing these proofs, the capabilities of potential adversaries are modeled formally. For instance, the black-box model assumes that an adversary does not learn anything from the inner-state of a construction. While this assumption makes sense in some practical scenarios, it was shown that one can sometimes learn some information by other means, e.g., by timing how long the computation take. In this thesis, we focus on two different areas of cryptography. In both parts, we take first a theoretical point of view to obtain a result. We try then to adapt our results so that they are easily usable for implementers and for researchers working in practical cryptography. In the first part of this thesis, we take a look at post-quantum cryptography, i.e., at cryptographic primitives that are believed secure even in the case (reasonably big) quantum computers are built. We introduce HELEN, a new public-key cryptosystem based on the hardness of the learning from parity with noise problem (LPN). To make our results more concrete, we suggest some practical instances which make the system easily implementable. As stated above, the design of cryptographic primitives usually relies on some well-studied hard problems. However, to suggest concrete parameters for these primitives, one needs to know the precise complexity of algorithms solving the underlying hard problem. In this thesis, we focus on two recent hard-problems that became very popular in post-quantum cryptography: the learning with error (LWE) and the learning with rounding problem (LWR). We introduce a new algorithm that solves both problems and provide a careful complexity analysis so that these problems can be used to construct practical cryptographic primitives. In the second part, we look at leakage-resilient cryptography which studies adversaries able to get some side-channel information from a cryptographic primitive. In the past, two main disjoint models were considered. The first one, the threshold probing model, assumes that the adversary can put a limited number of probes in a circuit. He then learns all the values going through these probes. This model was used mostly by theoreticians as it allows very elegant and convenient proofs. The second model, the noisy-leakage model, assumes that every component of the circuit leaks but that the observed signal is noisy. Typically, some Gaussian noise is added to it. According to experiments, this model depicts closely the real behaviour of circuits. Hence, this model is cherished by the practical cryptographic community. In this thesis, we show that making a proof in the first model implies a proof in the second model which unifies the two models and reconciles both communities. We then look at this result with a more practical point-of-view. We show how it can help in the process of evaluating the security of a chip based solely on the more standard mutual information metric

Why Cryptography Should Not Rely on Physical Attack Complexity

This book presents two practical physical attacks. It shows how attackers can reveal the secret key of symmetric as well as asymmetric cryptographic algorithms based on these attacks, and presents countermeasures on the software and the hardware level that can help to prevent them in the future. Though their theory has been known for several years now, since neither attack has yet been successfully implemented in practice, they have generally not been considered a serious threat. In short, their physical attack complexity has been overestimated and the implied security threat has been underestimated. First, the book introduces the photonic side channel, which offers not only temporal resolution, but also the highest possible spatial resolution. Due to the high cost of its initial implementation, it has not been taken seriously. The work shows both simple and differential photonic side channel analyses. Then, it presents a fault attack against pairing-based cryptography. Due to the need for at least two independent precise faults in a single pairing computation, it has not been taken seriously either. Based on these two attacks, the book demonstrates that the assessment of physical attack complexity is error-prone, and as such cryptography should not rely on it. Cryptographic technologies have to be protected against all physical attacks, whether they have already been successfully implemented or not. The development of countermeasures does not require the successful execution of an attack but can already be carried out as soon as the principle of a side channel or a fault attack is sufficiently understood

Theory and Practice of a Leakage Resilient Masking Scheme

A recent trend in cryptography is to formally prove the leakage resilience of cryptographic implementations - that is, one formally shows that a scheme remains provably secure even in the presence of side channel leakage. Although many of the proposed schemes are secure in a surprisingly strong model, most of them are unfortunately rather inefficient and come without practical security evaluations nor implementation attempts. In this work, we take a further step towards closing the gap between theoretical leakage resilient cryptography and more practice-oriented research. In particular, we show that masking countermeasures based on the inner product do not only exhibit strong theoretical leakage resilience, but moreover provide better practical security or efficiency than earlier masking countermeasures. We demonstrate the feasibility of inner product masking by giving a secured implementation of the AES for an 8-bit processor. © International Association for Cryptologic Research 2012.status: publishe