
    Private Circuits: A Modular Approach

    We consider the problem of protecting general computations against constant-rate random leakage. That is, the computation is performed by a randomized boolean circuit that maps a randomly encoded input to a randomly encoded output, such that even if the value of every wire is independently leaked with some constant probability $p > 0$, the leakage reveals essentially nothing about the input. In this work we provide a conceptually simple, modular approach for solving the above problem, providing a simpler and self-contained alternative to previous constructions of Ajtai (STOC 2011) and Andrychowicz et al. (Eurocrypt 2016). We also obtain several extensions and generalizations of this result. In particular, we show that for every leakage probability $p < 1$, there is a finite basis $\mathbb{B}$ such that leakage-resilient computation with leakage probability $p$ can be realized using circuits over the basis $\mathbb{B}$. We obtain similar positive results for the stronger notion of leakage tolerance, where the input is not encoded, but the leakage from the entire computation can be simulated given random $p'$-leakage of input values alone, for any $p < p' < 1$. Finally, we complement this by a negative result, showing that for every basis $\mathbb{B}$ there is some leakage probability $p < 1$ such that for any $p' < 1$, leakage tolerance as above cannot be achieved in general.

    Random Probing Security: Verification, Composition, Expansion and New Constructions

    The masking countermeasure is among the most powerful countermeasures to counteract side-channel attacks. Leakage models have been exhibited to theoretically reason on the security of such masked implementations. So far, the most widely used leakage model is the probing model defined by Ishai, Sahai, and Wagner at CRYPTO 2003. While it is advantageously convenient for security proofs, it does not capture an adversary exploiting full leakage traces as, e.g., in horizontal attacks. Those attacks target the multiple manipulations of the same share to reduce noise and recover the corresponding value. To capture a wider class of attacks another model was introduced and is referred to as the random probing model. From a leakage parameter p, each wire of the circuit leaks its value with probability p. While this model much better reflects the physical reality of side channels, it requires more complex security proofs and does not yet come with practical constructions. In this paper, we define the first framework dedicated to the random probing model. We provide an automatic tool, called VRAPS, to quantify the random probing security of a circuit from its leakage probability. We also formalize a composition property for secure random probing gadgets and exhibit its relation to the strong non-interference (SNI) notion used in the context of probing security. We then revisit the expansion idea proposed by Ananth, Ishai, and Sahai (CRYPTO 2018) and introduce a compiler that builds a random probing secure circuit from small base gadgets achieving a random probing expandability property. We instantiate this compiler with small gadgets for which we verify the expected properties directly from our automatic tool. Our construction can tolerate a leakage probability up to $2^{-8}$, against $2^{-25}$ for the previous construction, with a better asymptotic complexity.

    Synthesis, characterization and antifungal activity of a series of manganese(II) and copper(II) complexes with ligands derived from reduced N,N′-O-phenylenebis(salicylideneimine)

    A series of manganese(II) and copper(II) complexes with reduced Schiff bases derived from o-phenylenediamine has been prepared and characterized by elemental analysis, TG measurements, ESR, magnetic measurements, FTIR, UV–Visible spectra and conductivity. These complexes were found to be [MnL(H2O)n] and [CuL](H2O)n species with n = 0–2. Their antifungal activity was evaluated on different human fungi, including yeasts of the Candida genus (C. albicans, C. glabrata, C. tropicalis and C. parapsilosis), some opportunistic moulds belonging to the Aspergillus genus (A. fumigatus, A. terreus and A. flavus) and the Scedosporium genus (S. apiospermum and S. prolificans), and some dermatophytes (M. gypseum, M. persicolor, T. mentagrophytes, M. canis and T. tonsurans). The manganese complexes showed a significant growth inhibition of the dermatophytes tested and of fungi of the genus Scedosporium. This is very interesting, as these fungi are usually poorly susceptible to current antifungals, including Amphotericin B and Itraconazole, chosen as references in this study.

    Synthesis, characterisation and antifungal activity of a series of Cobalt(II) and Nickel(II) complexes with ligands derived from reduced N, N′-o-Phenylenebis(Salicylideneimine)

    The synthesis and characterisation by elemental analysis, conductivity, FTIR, UV–Visible, ESR and magnetic measurements are described for a series of complexes of nickel(II) and cobalt(II) with three ligands (H2L1–3) derived from reduced N,N′-o-phenylenebis(salicylideneimine). The complexes formed are identified as neutral species, where the ligands are coordinated through N and O donor atoms. The formulae obtained for the complexes are [CoL(H2O)2] with octahedral geometry and [NiL] with tetrahedral geometry. Their antifungal activity is evaluated towards human pathogenic fungi, including yeasts of the Candida genus, some opportunistic moulds belonging to the Aspergillus and Scedosporium genera, and some dermatophytes. The cobalt complexes show a significant growth inhibition of the yeasts tested and also of fungi of the genus Scedosporium, which is of interest because these fungi are usually poorly susceptible to current antifungals, including Amphotericin B and Itraconazole, chosen as references in this study. The activity data show that the metal complexes are more potent than the parent ligand.

    Reconciling d+1 Masking in Hardware and Software

    The continually growing number of security-related autonomous devices requires efficient mechanisms to counteract low-cost side-channel analysis (SCA) attacks like differential power analysis. Masking provides high resistance against SCA at an adjustable level of security. A high level of security, however, goes hand in hand with an increasing demand for fresh randomness, which also affects other implementation costs. Since software-based masking has different security requirements than masked hardware implementations, research in these two fields has been quite separated over the last ten years. One important practical difference is that recently published software-based masking schemes show a lower randomness footprint than hardware masking schemes. In this work we combine existing software- and hardware-based masking schemes into a unified masking approach (UMA). We demonstrate how UMA can be used to protect software and hardware implementations alike, and at lower randomness cost, especially for hardware implementations. Theoretical considerations as well as practical implementation results are then used to compare this unified masking approach to other schemes from different perspectives and at different levels of security.

    Formal Verification of Masked Hardware Implementations in the Presence of Glitches

    Masking provides a high level of resistance against side-channel analysis. However, in practice there are many possible pitfalls when masking schemes are applied, and implementation flaws are easily overlooked. Over recent years, the formal verification of masked software implementations has made substantial progress. In contrast to software implementations, hardware implementations are inherently susceptible to glitches. Therefore, the same methods tailored for software implementations are not readily applicable. In this work, we introduce a method to formally verify the security of masked hardware implementations that takes glitches into account. Our approach does not require any intermediate modeling steps of the targeted implementation and is not bound to a certain leakage model. The verification is performed directly on the circuit’s netlist, and also covers higher-order and multivariate flaws. To this end, a sound but conservative estimation of the Fourier coefficients of each gate in the netlist is calculated; these coefficients characterize the statistical dependence of the gates on the inputs and thus allow possible leakages to be predicted. In contrast to existing practical evaluations, like t-tests, this formal verification approach makes security statements beyond specific measurement methods, the number of evaluated leakage traces, and the evaluated devices. Furthermore, flaws detected by the verifier are automatically localized. We have implemented our method on the basis of an SMT solver and demonstrate its suitability on a range of correctly and incorrectly protected circuits of different masking schemes and for different protection orders. Our verifier is efficient enough to prove the security of a full masked AES S-box, and of the Keccak S-box up to the third protection order.

    Appropriate referral and selection of patients with chronic pain for spinal cord stimulation: European consensus recommendations and e-health tool

    Background: Spinal cord stimulation (SCS) is an established treatment for chronic neuropathic, neuropathic-like and ischaemic pain. However, the heterogeneity of patients in daily clinical practice often makes it challenging to determine which patients are eligible for this treatment, resulting in undesirable practice variations. This study aimed to establish patient-specific recommendations for referral and selection of SCS in chronic pain. Methods: A multidisciplinary European panel used the RAND/UCLA Appropriateness Method (RUAM) to assess the appropriateness of (referral for) SCS for 386 clinical scenarios in four pain areas: chronic low back pain and/or leg pain, complex regional pain syndrome, neuropathic pain syndromes and ischaemic pain syndromes. In addition, the panel identified a set of psychosocial factors that are relevant to the decision for SCS treatment. Results: Appropriateness of SCS was strongly determined by the neuropathic or neuropathic-like pain component, location and spread of pain, anatomic abnormalities and previous response to therapies targeting pain processing (e.g. nerve block). Psychosocial factors considered relevant for SCS selection were as follows: lack of engagement, dysfunctional coping, unrealistic expectations, inadequate daily activity level, problematic social support, secondary gain, psychological distress and unwillingness to reduce high-dose opioids. An educational e-health tool was developed that combines clinical and psychosocial factors into an advice on referral/selection for SCS. Conclusions: The RUAM was useful to establish a consensus on patient-specific criteria for referral/selection for SCS in chronic pain. The e-health tool may help physicians learn to apply an integrated approach of clinical and psychosocial factors. Significance: Determining the eligibility of SCS in patients with chronic pain requires careful consideration of a variety of clinical and psychosocial factors. Using a systematic approach to combine evidence from clinical studies and expert opinion, a multidisciplinary European expert panel developed detailed recommendations to support appropriate referral and selection for SCS in chronic pain. These recommendations are available as an educational e-health tool (https://www.scstool.org/).

    Secure Multiplication for Bitslice Higher-Order Masking: Optimisation and Comparison

    In this paper, we optimize the performance of, and compare, several recent masking schemes in bitslice on 32-bit ARM devices, with a focus on multiplication. Our main conclusion is that efficiency (or randomness) gains always come at a cost, either in terms of composability or in terms of resistance against horizontal attacks. Our evaluations should therefore allow a designer to select a masking scheme based on implementation constraints and security requirements. They also highlight the increasing feasibility of (very) high-order masking offered by increasingly powerful embedded devices, with new opportunities for high-security devices in various contexts.

    Tight Private Circuits: Achieving Probing Security with the Least Refreshing

    Masking is a common countermeasure to secure implementations against side-channel attacks. In 2003, Ishai, Sahai, and Wagner introduced a formal security model, named the t-probing model, which is now widely used to theoretically reason on the security of masked implementations. While many works have provided security proofs for small masked components, called gadgets, within this model, until recently no formal method allowed gadgets to be securely composed with a tight number of shares (namely, t + 1). In 2016, Barthe et al. filled this gap with maskComp, a tool checking the security of masking schemes composed of several gadgets. This tool can achieve provable security with a tight number of shares by inserting mask-refreshing gadgets at carefully selected locations. However, the method is not tight in the sense that there exist some compositions of gadgets for which it can neither exhibit a flaw nor prove the security. As a result, it is overconservative and might insert more refresh gadgets than actually needed to ensure t-probing security. In this paper, we exhibit the first tool, referred to as tightPROVE, able to clearly state whether a shared circuit composed of standard gadgets (addition, multiplication, and refresh) is t-probing secure or not. Given such a composition, our tool either produces a probing-security proof (valid at any order) or exhibits a security flaw that directly implies a probing attack at a given order. Compared to maskComp, tightPROVE can drastically reduce the number of required refresh gadgets to get a probing-security proof, and thus the randomness requirement for some secure shared circuits. We apply our method to a recent AES implementation secured with higher-order masking in bitslice and we show that we can save all the refresh gadgets involved in the S-box layer, which results in a significant performance gain.