Optimal Amplification of Noisy Leakages

Dziembowski, Stefan; Faust, Sebastian; Skorski, Maciej

doi:10.1007/978-3-662-49099-0_11

Cited by 12 publications

(10 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It can be checked that the parity of Hw(x⊕R, R) equals the parity of Hw(x) which reveals one full bit of information on x (hence the hiddenness assumption collapses). Those considerations are reminiscent to recent works proposing to use additive masking in prime fields for low-noise applications [DFS16,MMMS22].…”

Section: Simple Definition and Examplesmentioning

confidence: 84%

High Order Side-Channel Security for Elliptic-Curve Implementations

Belaïd

Rivain

2022

TCHES

View full text Add to dashboard Cite

Elliptic-curve implementations protected with state-of-the-art countermeasures against side-channel attacks might still be vulnerable to advanced attacks that recover secret information from a single leakage trace. The effectiveness of these attacks is boosted by the emergence of deep learning techniques for side-channel analysis which relax the control or knowledge an adversary must have on the target implementation. In this paper, we provide generic countermeasures to withstand these attacks for a wide range of regular elliptic-curve implementations. We first introduce a framework to formally model a regular algebraic program which consists of a sequence of algebraic operations indexed by key-dependent values. We then introduce a generic countermeasure to protect these types of programs against advanced single-trace side-channel attacks. Our scheme achieves provable security in the noisy leakage model under a formal assumption on the leakage of randomized variables. To demonstrate the applicability of our solution, we provide concrete examples on several widely deployed scalar multiplication algorithms and report some benchmarks for a protected implementation on a smart card.

show abstract

Section: Simple Definition and Examplesmentioning

confidence: 84%

High Order Side-Channel Security for Elliptic-Curve Implementations

Belaïd

Rivain

2022

TCHES

View full text Add to dashboard Cite

show abstract

“…This is especially true in the context of low-end embedded devices [BS21] and in the context of hardware implementations when static leakage is exploitable (see the following subsection). Interestingly, this issue has also been considered from the theoretical viewpoint by Dziembowski et al, who studied the amplification of noisy leakages and conclude that prime-order fields are better suited for low-noise masking [DFS16]. A recent report confirms the practical impact of this observation by providing first information theoretic evaluations of a concrete cryptographic primitive additively masked with a prime-field encoding [MMMS22].…”

Section: Masking With Insufficient Noisementioning

confidence: 99%

“…We insist that, as illustrated by Figure 6, these benefits are not caused by a reduced Signal-to-Noise Ratio (SNR) in the prime-field case, but indeed by the algebraic incompatibility of leakage function and prime-field operations (since the SNRs per share are similar for both encodings). We also note that the theoretical security analysis of prime masking in [DFS16] only requires the leakage function to be non-injective (which then leads to trivial attacks anyway) for security amplification. So the interest of prime masking should be quite technology-independent.…”

Section: Dynamic Power Attacksmentioning

confidence: 99%

“…Since prime fields contribute to security in the context of fresh re-keying, by making the cipher operations and their leakage less compatible [DMMS21], it appears natural to investigate whether such a tweak can help in the context of additive masking as well. Interestingly, this idea also benefits from strong theoretical support, as Dziembowski et al showed that masking in prime fields can be used to amplify arbitrarily low noise levels, while masking in fields of composite order always carries the risk that no noise amplification takes place [DFS16].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Prime-Field Masking in Hardware and its Soundness against Low-Noise SCA Attacks

Cassiers

Masure²,

Momin³

et al. 2023

TCHES

View full text Add to dashboard Cite

A recent study suggests that arithmetic masking in prime fields leads to stronger security guarantees against passive physical adversaries than Boolean masking. Indeed, it is a common observation that the desired security amplification of Boolean masking collapses when the noise level in the measurements is too low. Arithmetic encodings in prime fields can help to maintain an exponential increase of the attack complexity in the number of shares even in such a challenging context. In this work, we contribute to this emerging topic in two main directions. First, we propose novel masked hardware gadgets for secure squaring in prime fields (since squaring is non-linear in non-binary fields) which prove to be significantly more resource-friendly than corresponding masked multiplications. We then formally show their local and compositional security for arbitrary orders. Second, we attempt to >experimentally evaluate the performance vs. security tradeoff of prime-field masking. In order to enable a first comparative case study in this regard, we exemplarily consider masked implementations of the AES as well as the recently proposed AESprime. AES-prime is a block cipher partially resembling the standard AES, but based on arithmetic operations modulo a small Mersenne prime. We present cost and performance figures for masked AES and AES-prime implementations, and experimentally evaluate their susceptibility to low-noise side-channel attacks. We consider both the dynamic and the static power consumption for our low-noise analyses and emulate strong adversaries. Static power attacks are indeed known as a threat for side-channel countermeasures that require a certain noise level to be effective because of the adversary’s ability to reduce the noise through intra-trace averaging. Our results show consistently that for the noise levels in our practical experiments, the masked prime-field implementations provide much higher security for the same number of shares. This compensates for the overheads prime computations lead to and remains true even if / despite leaking each share with a similar Signal-to-Noise Ratio (SNR) as their binary equivalents. We hope our results open the way towards new cipher designs tailored to best exploit the advantages of prime-field masking.

show abstract

“…In order to circumvent this issue, Dziembowski et al showed that the finite group in which the masking operates should not have any non-trivial subgroup, which characterizes prime fields [20]. This seed result has recently triggered an interest for prime-field masking in symmetric cryptography.…”

Section: Introductionmentioning

confidence: 99%

Connecting Leakage-Resilient Secret Sharing to Practice: Scaling Trends and Physical Dependencies of Prime Field Masking

Faust,

Masure,

Micheli

et al. 2024

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Symmetric ciphers operating in (small or mid-size) prime fields have been shown to be promising candidates to maintain security against low-noise (or even noise-free) side-channel leakage. In order to design prime ciphers that best trade physical security and implementation efficiency, it is essential to understand how side-channel security evolves with the field size (i.e., scaling trends). Unfortunately, it has also been shown that such scaling trends depend on the leakage functions and cannot be explained by the standard metrics used to analyze Boolean masking with noise. In this work, we therefore initiate a formal study of prime field masking for two canonical leakage functions: bit leakages and Hamming weight leakages. By leveraging theoretical results from the leakage-resilient secret sharing literature, we explain formally why (1) bit leakages correspond to a worst-case and do not encourage operating in larger fields, and (2) an opposite conclusion holds for Hamming weight leakages, where increasing the prime field modulus p can contribute to a security amplification that is exponential in the number of shares, with log(p) seen as security parameter like the noise variance in Boolean masking. We combine these theoretical results with simulated experiments and show that the interest masking in larger prime fields can degrade gracefully when leakage functions slightly deviate from the Hamming weight abstraction, motivating further research towards characterizing (ideally wide) classes of leakage functions offering such guarantees.

show abstract

Optimal Amplification of Noisy Leakages

Cited by 12 publications

References 22 publications

High Order Side-Channel Security for Elliptic-Curve Implementations

High Order Side-Channel Security for Elliptic-Curve Implementations

Prime-Field Masking in Hardware and its Soundness against Low-Noise SCA Attacks

Connecting Leakage-Resilient Secret Sharing to Practice: Scaling Trends and Physical Dependencies of Prime Field Masking

Contact Info

Product

Resources

About