17 research outputs found

    Random Probing Security: Verification, Composition, Expansion and New Constructions

    The masking countermeasure is among the most powerful countermeasures against side-channel attacks. Leakage models have been introduced to reason theoretically about the security of such masked implementations. So far, the most widely used leakage model is the probing model defined by Ishai, Sahai, and Wagner (CRYPTO 2003). While it is convenient for security proofs, it does not capture an adversary exploiting full leakage traces as, e.g., in horizontal attacks. Those attacks target the multiple manipulations of the same share to reduce noise and recover the corresponding value. To capture a wider class of attacks, another model was introduced, referred to as the random probing model: given a leakage parameter p, each wire of the circuit leaks its value with probability p. While this model reflects the physical reality of side channels much better, it requires more complex security proofs and does not yet come with practical constructions. In this paper, we define the first framework dedicated to the random probing model. We provide an automatic tool, called VRAPS, to quantify the random probing security of a circuit from its leakage probability. We also formalize a composition property for secure random probing gadgets and exhibit its relation to the strong non-interference (SNI) notion used in the context of probing security. We then revisit the expansion idea proposed by Ananth, Ishai, and Sahai (CRYPTO 2018) and introduce a compiler that builds a random probing secure circuit from small base gadgets achieving a random probing expandability property. We instantiate this compiler with small gadgets for which we verify the expected properties directly with our automatic tool. Our construction can tolerate a leakage probability up to 2^-8, against 2^-25 for the previous construction, with a better asymptotic complexity.
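    As an added illustration of what "quantifying the random probing security of a circuit from its leakage probability" means in practice (this is example code written for this page, not the VRAPS tool or any code from the paper): in the random probing model every wire leaks independently with probability p, so the probability that the adversary's leaked set reveals the secret is f(p) = sum over subsets S of p^|S| (1-p)^(n-|S|) [S failing] = sum_i c_i p^i (1-p)^(n-i), where c_i counts the failing wire sets of size i. The script below computes the c_i exhaustively for a 2-share ISW multiplication gadget (wire names such as p00, t1, c0 are this example's own labels) and evaluates f(p). It uses a simplified, information-theoretic failing criterion, "the joint distribution of the leaked values depends on the secret inputs", rather than the paper's simulation-based definition, and it brute-forces all subsets, which is only feasible for tiny gadgets.

```python
"""Random probing failure function f(p) for a small masked gadget (example)."""
from collections import Counter
from itertools import combinations, product

# Hypothetical 2-share ISW multiplication over GF(2), one wire per gate.
# Inputs: a = a0 ^ a1, b = b0 ^ b1, fresh random bit r.
# Outputs: c0 = a0b0 ^ r, c1 = a1b1 ^ ((a0b1 ^ r) ^ a1b0).
GADGET = [
    ("a0", "in", ()), ("a1", "in", ()),
    ("b0", "in", ()), ("b1", "in", ()),
    ("r", "in", ()),
    ("p00", "and", ("a0", "b0")),
    ("p01", "and", ("a0", "b1")),
    ("p10", "and", ("a1", "b0")),
    ("p11", "and", ("a1", "b1")),
    ("c0", "xor", ("p00", "r")),
    ("t1", "xor", ("p01", "r")),
    ("t2", "xor", ("t1", "p10")),
    ("c1", "xor", ("p11", "t2")),
]
SHARES = {"a": ("a0", "a1"), "b": ("b0", "b1")}  # secret -> its shares
WIRES = [name for name, _, _ in GADGET]
INPUT_WIRES = [name for name, op, _ in GADGET if op == "in"]


def evaluate(inputs):
    """Evaluate every wire of GADGET for one assignment of the input wires."""
    vals = dict(inputs)
    for name, op, args in GADGET:
        if op == "in":
            continue
        x, y = (vals[w] for w in args)
        vals[name] = (x & y) if op == "and" else (x ^ y)
    return vals


def _truth_table():
    """All 2^k input assignments, each tagged with the secret it encodes."""
    rows = []
    for bits in product((0, 1), repeat=len(INPUT_WIRES)):
        inputs = dict(zip(INPUT_WIRES, bits))
        secret = tuple(sum(inputs[s] for s in SHARES[v]) % 2 for v in sorted(SHARES))
        rows.append((secret, evaluate(inputs)))
    return rows


TABLE = _truth_table()


def is_failing(leaked):
    """True if the joint distribution of the leaked wires depends on the secret.

    Shares and randomness are uniform, and every secret value has the same
    number of encodings, so comparing raw counts compares distributions.
    """
    leaked = tuple(sorted(leaked))
    dists = {}
    for secret, vals in TABLE:
        dists.setdefault(secret, Counter())[tuple(vals[w] for w in leaked)] += 1
    reference = next(iter(dists.values()))
    return any(d != reference for d in dists.values())


def failing_counts():
    """c_i = number of failing wire subsets of size i, by exhaustive search."""
    counts = [0] * (len(WIRES) + 1)
    for k in range(len(WIRES) + 1):
        for subset in combinations(WIRES, k):
            if is_failing(subset):
                counts[k] += 1
    return counts


def failure_probability(p, counts=None):
    """f(p) = sum_i c_i * p^i * (1-p)^(n-i): probability the leak reveals a secret."""
    if counts is None:
        counts = failing_counts()
    n = len(WIRES)
    return sum(c * p ** i * (1 - p) ** (n - i) for i, c in enumerate(counts))


if __name__ == "__main__":
    counts = failing_counts()
    print("failing subsets by size:", counts)
    for p in (2 ** -4, 2 ** -8, 2 ** -12):
        print(f"p = {p:.2e}  f(p) = {failure_probability(p, counts):.3e}")
```

    Every single wire of this gadget is either uniform or independent of the secret, so c_1 = 0, while pairs such as {a0, a1} or {c0, t1} (whose XOR equals a0 * b) are failing; f(p) therefore starts at order p^2, which is the quantity a designer compares against the target leakage rate and feeds into the expansion argument described in the abstract.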

    Complexity of configurators relative to integrations and field of application

    Configurators are widely applied to automate specification processes at companies. The literature describes industrial applications of configurators supporting both sales and engineering processes, with configurators supporting engineering processes described as the more challenging. Moreover, configurators are commonly integrated with various IT systems within companies. The complexity of configurators is an important factor in the performance, development and maintenance of these systems. Yet a direct comparison of complexity across different applications and IT integrations has not been addressed to any great extent in the literature. This paper therefore analyses the relationship between the complexity of configurators, measured by their parameters (rules and attributes), and, first, the different applications of configurators (sales and engineering) and, second, their integrations with other IT systems. The research method adopted in the paper is a survey followed by interviews, where the unit of analysis is an operating configurator within a company.

    Targeting A3 and A2A adenosine receptors in the fight against cancer

    Introduction: There is a vicious cycle of tumor hypoxia, high adenosine levels, immune suppression and cancer growth that involves adenosine receptor signaling in tumors. After several years of research, the candidates emerging as promising new anticancer drugs are A3 adenosine receptor agonists and A2A receptor antagonists. Areas covered: The authors give an updated overview of the field of A3 receptor agonists and A2A receptor antagonists in cancer and offer their perspective on the status of these compounds in oncology. The rationale for modulating adenosine receptors in cancer is addressed, from the first in vitro evidence of their efficacy up to animal and clinical studies. Expert opinion: A3 and A2A receptors are attractive targets in oncologic therapy due to their involvement in cancer progression and immune resistance. Of relevance, the A3 subtype is also a tumor marker that can be used in a personalized drug treatment program, while the A2A receptor, which plays a non-redundant role in immunomodulation, may be blocked in combination with checkpoint inhibitors to improve their efficacy. The future will reveal how successful this approach is in the fight against cancer.

    Amortizing Randomness Complexity in Private Circuits

    Cryptographic implementations are vulnerable to Side Channel Analysis (SCA), where an adversary exploits physical phenomena such as power consumption to reveal sensitive information. One of the most widely studied countermeasures against SCA is masking. A masking scheme randomizes intermediate values, thereby making physical leakage from the device harder to exploit. Central to any masking scheme is the use of randomness, on which the security of any masked algorithm heavily relies. But since randomness is very costly to produce in practice, it is an important question whether the amount of randomness needed can be reduced while still guaranteeing standard security properties such as t-probing security, introduced by Ishai, Sahai and Wagner (CRYPTO 2003). In this work we study whether internal randomness can be re-used by several gadgets, thereby reducing the total amount of randomness needed. We provide new techniques for masking algorithms that significantly reduce the amount of randomness and achieve better overall efficiency than known constructions for the values of t that are most relevant in practical settings.

    Security Evaluation Against Side-Channel Analysis at Compilation Time

    The masking countermeasure is implemented to thwart side-channel attacks. The maturity of high-order masking schemes has reached the level where the concepts are sound and proven. For instance, Rivain and Prouff proposed a full-fledged masked AES at CHES 2010, although some non-trivial fixes regarding refresh functions were needed afterwards. Now industry is adopting such solutions, and for the sake of both quality and certification requirements, masked cryptographic code must be checked for correctness using the same model as the theoretical protection rationale (for instance, the probing leakage model). Seminal work on automated verification at higher orders on concrete implementations was initiated by Barthe et al. at EUROCRYPT 2015. In this paper, we build on this work to perform the verification from within a compiler, so as to give timely feedback to the developer. Precisely, our methodology provides the actual security order of the code at the intermediate representation (IR) level, thereby identifying possible flaws (owing either to source code errors or to compiler optimizations). Second, our methodology allows an exploitability analysis of the analysed IR code: we formally handle all the symbolic expressions in the static single assignment (SSA) representation to build the optimal distinguisher function. This makes it possible to evaluate the most powerful attack, which is a function not only of the masking order d but also of the number of leaking samples and of the form of the expressions (e.g., linear vs. non-linear leakages). This scheme allows one to evaluate both the correctness of a masked cryptographic code and its actual security in terms of the number of traces in a given deployment context.