5 research outputs found

    IronMask: Versatile Verification of Masking Security

    This paper introduces IronMask, a new versatile verification tool for masking security. IronMask is the first to offer the verification of standard simulation-based security notions in the probing model as well as recent composition and expandability notions in the random probing model. It supports any masking gadgets with linear randomness (e.g. addition, copy and refresh gadgets) as well as quadratic gadgets (e.g. multiplication gadgets) that might include non-linear randomness (e.g. by refreshing their inputs), while providing complete verification results for both types of gadgets. We achieve this complete verifiability by introducing a new algebraic characterization for such quadratic gadgets and exhibiting a complete method to determine the sets of input shares which are necessary and sufficient to perform a perfect simulation of any set of probes. We report various benchmarks which show that IronMask is competitive with state-of-the-art verification tools in the probing model (maskVerif, scVerif, SILVER, matverif). IronMask is also several orders of magnitude faster than VRAPS (the only previous tool verifying random probing composability and expandability) as well as SILVER (the only previous tool providing complete verification for quadratic gadgets with non-linear randomness). Thanks to this completeness and increased performance, we obtain better bounds for the tolerated leakage probability of state-of-the-art random probing secure compilers.

    Custom Instruction Support for Modular Defense against Side-channel and Fault Attacks

    The design of software countermeasures against active and passive adversaries is a challenging problem that has been addressed by many authors in recent years. The proposed solutions adopt a theoretical foundation (such as a leakage model) but often do not offer concrete reference implementations to validate the foundation. Contributing to the experimental dimension of this body of work, we propose a customized processor called SKIVA that supports experiments with the design of countermeasures against a broad range of implementation attacks. Based on bitslice programming and recent advances in the literature, SKIVA offers a flexible and modular combination of countermeasures against power-based and timing-based side-channel leakage and fault injection. Multiple configurations of side-channel protection and fault protection enable the programmer to select the desired number of shares and the desired redundancy level for each slice. Recurring and security-sensitive operations are supported in hardware through custom instruction-set extensions. The new instructions support bitslicing, secret-share generation, redundant logic computation, and fault detection. We demonstrate and analyze multiple versions of AES from a side-channel analysis and a fault-injection perspective, in addition to providing a detailed performance evaluation of the protected designs. To our knowledge, this is the first validated end-to-end implementation of a modular bitslice-oriented countermeasure.

    Usuba, compilateur bitslicing optimisant

    Bitslicing is a technique commonly used in cryptography to implement high-throughput parallel and constant-time symmetric primitives. However, writing, optimizing and protecting bitsliced implementations by hand are tedious tasks, requiring knowledge in cryptography, CPU microarchitectures and side-channel attacks. The resulting programs tend to be hard to maintain due to their high complexity. To overcome those issues, we propose Usuba, a high-level domain-specific language to write symmetric cryptographic primitives. Usuba allows developers to write high-level specifications of ciphers without worrying about the actual parallelization: a Usuba program is a scalar description of a cipher, from which the Usuba compiler (Usubac) automatically produces vectorized bitsliced code. When targeting high-end Intel CPUs, Usubac applies several domain-specific optimizations, such as interleaving and custom instruction-scheduling algorithms. We are thus able to match the throughputs of hand-tuned assembly and C implementations of several widely used ciphers. Furthermore, in order to protect cryptographic implementations on embedded devices against side-channel attacks, we extend our compiler in two ways. First, we integrate into Usubac state-of-the-art techniques in higher-order masking to generate implementations that are provably secure against power-analysis attacks. Second, we implement a backend for SKIVA, a custom 32-bit CPU enabling the combination of countermeasures against power-based and timing-based leakage, as well as fault injection.

    Bitslicing is a technique used to implement efficient cryptographic primitives that run in constant time. However, manually writing, optimizing and securing bitsliced programs is a tedious task, requiring knowledge of cryptography, processor microarchitecture and side-channel attacks. To address these difficulties, we propose Usuba, a domain-specific language for implementing symmetric cryptographic algorithms. Usuba lets developers write high-level specifications without worrying about their parallelization: a Usuba program is a scalar description of a primitive, from which the Usuba compiler, Usubac, automatically produces bitsliced and vectorized code. To produce efficient code for high-end processors, Usubac applies several optimizations designed specifically for cryptographic primitives, such as interleaving and instruction scheduling. The code produced by our compiler thus offers performance comparable to hand-optimized assembly or C code. Furthermore, to generate implementations secured against side-channel attacks, we propose two extensions of Usubac. When power-analysis attacks are a risk to consider, Usubac can protect the implementations it produces using Boolean masking. If, additionally, fault-injection attacks must be prevented, Usubac can generate code for SKIVA, a 32-bit processor offering instructions for combining countermeasures in bitsliced code.

    Usuba, Optimizing & Trustworthy Bitslicing Compiler

    Bitslicing is a programming technique commonly used in cryptography that consists in (efficiently) implementing a combinatorial circuit in software. It results in a massively parallel program, immune to cache-timing attacks by design. However, writing a program in bitsliced form requires extreme minutia. This paper introduces Usuba, a synchronous dataflow language producing bitsliced C code. Usuba is both a domain-specific language (providing syntactic support for the implementation of cryptographic algorithms) and a domain-specific compiler (taking advantage of well-defined semantic invariants to perform various optimizations before handing the generated code to an optimizing C compiler). On the Data Encryption Standard (DES) algorithm, we show that Usuba outperforms a reference, hand-tuned implementation by 15% (using Intel's 64-bit general-purpose registers and depending on the underlying C compiler), whilst our implementation also transparently supports modern SIMD extensions (SSE, AVX, AVX-512), other architectures (ARM Neon, IBM Altivec) as well as multiple processors through an OpenMP backend.