On Secure Embedded Token Design

Hoerder, Simon; Järvinen, Kimmo; Page, Daniel

doi:10.1007/978-3-642-38530-8_8

Cited by 1 publication

(1 citation statement)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, with the technology outbreak, platforms such as advanced Systems-On-a Chip (SoCs), smartphones, Automotive, IoTs and standard desktops are powerful enough to execute efficiently such schemes. Specifically, with the growing popularity of applications that require dedicated hardware or use such platforms, which can benefit from garbling schemes and secure computation, designing and executing special purpose GC-hardware is inevitable [JKSS10,HJP13]. For some examples we can consider one-time programs and obfuscation [GKR08, JKSS10, KSNO17, ZCD + 19], post-quantum signature schemes [JKO13, AHIV17, CDG + 17, KKW18] and verifiable computation [GGP10,LMR22].…”

Section: Introductionmentioning

confidence: 99%

Garbled Circuits from an SCA Perspective

Levi

Hazay²

2023

TCHES

View full text Add to dashboard Cite

Garbling schemes, invented in the 80’s by Yao (FOCS’86), have been a versatile and fundamental tool in modern cryptography. A prominent application of garbled circuits is constant round secure two-party computation, which led to a long line of study of this object, where one of the most influential optimizations is Free-XOR (Kolesnikov and Schneider ICALP’08), introducing a global offset Δ for all garbled wire values where XOR gates are computed locally without garbling them. To date, garbling schemes were not studied per their side-channel attacks (SCA) security characteristics, even though SCA pose a significant security threat to cryptographic devices. In this research we, demonstrate that adversaries utilizing advanced SCA tools such as horizontal attacks, mixed with advanced hypothesis building and standard (vertical) SCA tools, can jeopardize garbling implementations.Our main observation is that garbling schemes utilizing a global secret Δ open a door to quite trivial side-channel attacks. We model our side-channel attacks on the garbler’s device and discuss the asymmetric setting where various computations are not performed on the evaluator side. This enables dangerous leakage extraction on the garbler and renders our attack impossible on the evaluator’s side.Theoretically, we first demonstrate on a simulated environment, that such attacks are quite devastating. Concretely, our attack is capable of extracting Δ when the circuit embeds only 8 input non-linear gates with fifth/first-order attack Success-Rates of 0.65/0.7. With as little as 3 such gates, our attack reduces the first-order Guessing Entropy of Δ from 128 to ∼ 48-bits. We further demonstrate our attack via an implementation and power measurements data over an STM 32-bit processor software implementing circuit garbling, and discuss their limitations and mitigation tactics on logical, protocol and implementation layers.

show abstract

Section: Introductionmentioning

confidence: 99%