Proceedings 2021 Network and Distributed System Security Symposium 2021
DOI: 10.14722/ndss.2021.23137
|View full text |Cite
|
Sign up to set email alerts
|

Rosita: Towards Automatic Elimination of Power-Analysis Leakage in Ciphers

Abstract: Since their introduction over two decades ago, physical side-channel attacks have presented a serious security threat. While many ciphers' implementations employ masking techniques to protect against such attacks, they often leak secret information due to unintended interactions in the hardware. We present ROSITA, a code rewrite engine that uses a leakage emulator which we amended to correctly emulate the microarchitecture of a target system. We use ROSITA to automatically protect a masked implementation of AE… Show more

Help me understand this report
View preprint versions

Search citation statements

Order By: Relevance

Paper Sections

Select...
2
1
1

Citation Types

0
8
0

Year Published

2021
2021
2024
2024

Publication Types

Select...
5
1
1

Relationship

1
6

Authors

Journals

citations
Cited by 18 publications
(10 citation statements)
references
References 75 publications
(100 reference statements)
0
8
0
Order By: Relevance
“…The accuracy of such simulators depends on the set of experiments used to learn the model. Recently, ELMO has been extended into ELMO* in order to better model register or memory reuse as well as interaction between non consecutive instructions [23]. As for MAPS [14], it has been built using the RTL description of the Arm Cortex-M3.…”
Section: Related Workmentioning
confidence: 99%
See 2 more Smart Citations
“…The accuracy of such simulators depends on the set of experiments used to learn the model. Recently, ELMO has been extended into ELMO* in order to better model register or memory reuse as well as interaction between non consecutive instructions [23]. As for MAPS [14], it has been built using the RTL description of the Arm Cortex-M3.…”
Section: Related Workmentioning
confidence: 99%
“…In order to remove the micro-architectural leakage, the ROSITA tool [23] automates leaking pattern replacement detected by using ELMO* and non specific t-tests. The iterative process is able to remove most leakages from three implementations but fails for one implementation.…”
Section: Related Workmentioning
confidence: 99%
See 1 more Smart Citation
“…These phenomena can halve the security order, making the first order masking (with two shares or mask and masked intermediate value) vulnerable even to first-order attacks [3]. This is important since this is the most widely used scheme in practice, because of the complexities involved in higher-order masking [43].…”
Section: Masking Protected Implementationsmentioning
confidence: 99%
“…Nonetheless, as mentioned above, if masking is not properly implemented the implementation can be vulnerable to first-order attacks: It is important to ensure that the two parts of the same secret (mask and masked intermediate value) are not handled too closely [43]. For instance, authors in [54] claim that when the mask leakage is included in the observation time window, (first-order) TAs can relate the dependence between the mask and the masked variable leakage.…”
Section: Profiling Attacks On Maskingmentioning
confidence: 99%