Share-slicing: Friend or Foe?

Gao, Si; Marshall, Ben; Page, Daniel; Oswald, Elisabeth

doi:10.46586/tches.v2020.i1.152-174

Cited by 17 publications

(15 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Second, the parallel nature of the sharesliced implementations makes their evaluation significantly easier in terms of statistical modeling, since removing the need to characterize multivariate distributions as in the bitslice case. Finally, shareslicing has been shown to be a more risky solution (than bitslicing) in terms of security order reductions due to glitches when implemented in an ARM Cortex device [GMPO20]. So while not precluding the possibility that sharesliced implementations can lead to secure and efficient designs in other contexts, bitslicing seems to be a more conservative approach for the devices that we investigate in the current state-of-the-art.…”

Section: Related Workmentioning

confidence: 99%

“…Then, the same bitwise operation on native words can again be applied. For a masked implementation, a similar approach can be taken by additionally ensuring that each share of a given encoding is placed in a different slice (in order to avoid the shareslicing glitch issue observed in [GMPO20]). Additionally, the bitwise operations are replaced by masked gadgets from such as the ones of Appendix A.…”

Section: Goudarzi and Rivain's Bitslice Masked Implementationsmentioning

confidence: 99%

See 1 more Smart Citation

Breaking Masked Implementations with Many Shares on 32-bit Software Platforms

Bronchain

Standaert

2021

TCHES

View full text Add to dashboard Cite

We explore the concrete side-channel security provided by state-of-theart higher-order masked software implementations of the AES and the (candidate to the NIST Lightweight Cryptography competition) Clyde, in ARM Cortex-M0 and M3 devices. Rather than looking for possibly reduced security orders (as frequently considered in the literature), we directly target these implementations by assuming their maximum security order and aim at reducing their noise level thanks to multivariate, horizontal and analytical attacks. Our investigations point out that the Cortex-M0 device has so limited physical noise that masking is close to ineffective. The Cortex-M3 shows a better trend but still requires a large number of shares to provide strong security guarantees. Practically, we first exhibit a full 128-bit key recovery in less than 10 traces for a 6-share masked AES implementation running on the Cortex-M0 requiring 232 enumeration power. A similar attack performed against the Cortex-M3 with 5 shares require 1,000 measurements with 244 enumeration power. We then show the positive impact of lightweight block ciphers with limited number of AND gates for side-channel security, and compare our attacks against a masked Clyde with the best reported attacks of the CHES 2020 CTF. We complement these experiments with a careful information theoretic analysis, which allows interpreting our results. We also discuss our conclusions under the umbrella of “backwards security evaluations” recently put forwards by Azouaoui et al. We finally extrapolate the evolution of the proposed attack complexities in the presence of additional countermeasures using the local random probing model proposed at CHES 2020.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Goudarzi and Rivain's Bitslice Masked Implementationsmentioning

confidence: 99%

Breaking Masked Implementations with Many Shares on 32-bit Software Platforms

Bronchain

Standaert

2021

TCHES

View full text Add to dashboard Cite

show abstract

“…For non-bitsliced designs, accidental unmasking has been demonstrated when a mask m overwrites a masked variable m ⊕ v [1,36] For bitsliced designs, the risk is lower because each share resides at a different bit-index. Still, bitslices may interfere with each other in unexpected manners [19]. In SKIVA, the SUBROT instruction shifts shares over bit-positions using a dedicated data-path.…”

Section: Hardware Support For Aggregated Bitslice Operationsmentioning

confidence: 99%

Custom Instruction Support for Modular Defense Against Side-Channel and Fault Attacks

Kiaei

Mercadier

Dagand

et al. 2021

Constructive Side-Channel Analysis and Secure Design

View full text Add to dashboard Cite

The design of software countermeasures against active and passive adversaries is a challenging problem that has been addressed by many authors in recent years. The proposed solutions adopt a theoretical foundation (such as a leakage model) but often do not offer concrete reference implementations to validate the foundation. Contributing to the experimental dimension of this body of work, we propose a customized processor called SKIVA that supports experiments with the design of countermeasures against a broad range of implementation attacks. Based on bitslice programming and recent advances in the literature, SKIVA offers a flexible and modular combination of countermeasures against power-based and timing-based side-channel leakage and fault injection. Multiple configurations of side-channel protection and fault protection enable the programmer to select the desired number of shares and the desired redundancy level for each slice. Recurring and security-sensitive operations are supported in hardware through custom instruction-set extensions. The new instructions support bitslicing, secret-share generation, redundant logic computation, and fault detection. We demonstrate and analyze multiple versions of AES from a side-channel analysis and a fault-injection perspective, in addition to providing a detailed performance evaluation of the protected designs. To our knowledge, this is the first validated end-to-end implementation of a modular bitslice-oriented countermeasure.

show abstract

“…However, as mentioned above, algorithms that use high-order masking are significantly more complex in terms of resources they require, than simple firstorder masking. Moreover, Gao et al [42] demonstrate that glitches may further reduce the security level of masked implementations.…”

Section: A Side-channel Attacksmentioning

confidence: 99%

Rosita: Towards Automatic Elimination of Power-Analysis Leakage in Ciphers

Shelton¹,

Samwel²,

Batina³

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Since their introduction over two decades ago, physical side-channel attacks have presented a serious security threat. While many ciphers' implementations employ masking techniques to protect against such attacks, they often leak secret information due to unintended interactions in the hardware. We present ROSITA, a code rewrite engine that uses a leakage emulator which we amended to correctly emulate the microarchitecture of a target system. We use ROSITA to automatically protect a masked implementation of AES and show the absence of exploitable leakage at only a 11% penalty to the performance.

show abstract

Share-slicing: Friend or Foe?

Cited by 17 publications

References 15 publications

Breaking Masked Implementations with Many Shares on 32-bit Software Platforms

Breaking Masked Implementations with Many Shares on 32-bit Software Platforms

Custom Instruction Support for Modular Defense Against Side-Channel and Fault Attacks

Rosita: Towards Automatic Elimination of Power-Analysis Leakage in Ciphers

Contact Info

Product

Resources

About