Tornado: Automatic Generation of Probing-Secure Masked Bitsliced Implementations

Belaïd, Sonia; Dagand, Pierre-Évariste; Mercadier, Darius; Rivain, Matthieu; Wintersdorff, Raphaël

doi:10.1007/978-3-030-45727-3_11

Cited by 21 publications

(11 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…when J is a given set with |J| t 2 and W is the output of LeakingWires(G, p) satisfies (10), which concludes the proof.…”

Section: A Proof Of Propositionsupporting

confidence: 52%

“…Namely, verification tools are now able to produce a security proof or identify potential attacks from the description of a masked implementation at up to some masking orders (i.e., < 5) [4,14,11]. In the same vein, compilers have been built to automatically generate masked implementations at any order given the high level description of a primitive [5,11,10]. Nevertheless, no equivalent framework has yet been proposed to verify the security of implementations in the random probing model.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Random Probing Security: Verification, Composition, Expansion and New Constructions

Belaïd

Coron

Prouff

et al. 2020

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

The masking countermeasure is among the most powerful countermeasures to counteract side-channel attacks. Leakage models have been exhibited to theoretically reason on the security of such masked implementations. So far, the most widely used leakage model is the probing model defined by Ishai, Sahai, and Wagner at (CRYPTO 2003). While it is advantageously convenient for security proofs, it does not capture an adversary exploiting full leakage traces as, e.g., in horizontal attacks. Those attacks target the multiple manipulations of the same share to reduce noise and recover the corresponding value. To capture a wider class of attacks another model was introduced and is referred to as the random probing model. From a leakage parameter p, each wire of the circuit leaks its value with probability p. While this model much better reflects the physical reality of side channels, it requires more complex security proofs and does not yet come with practical constructions. In this paper, we define the first framework dedicated to the random probing model. We provide an automatic tool, called VRAPS, to quantify the random probing security of a circuit from its leakage probability. We also formalize a composition property for secure random probing gadgets and exhibit its relation to the strong non-interference (SNI) notion used in the context of probing security. We then revisit the expansion idea proposed by Ananth, Ishai, and Sahai (CRYPTO 2018) and introduce a compiler that builds a random probing secure circuit from small base gadgets achieving a random probing expandability property. We instantiate this compiler with small gadgets for which we verify the expected properties directly from our automatic tool. Our construction can tolerate a leakage probability up to 2 −8 , against 2 −25 for the previous construction, with a better asymptotic complexity.

show abstract

“…when J is a given set with |J| t 2 and W is the output of LeakingWires(G, p) satisfies (10), which concludes the proof.…”

Section: A Proof Of Propositionsupporting

confidence: 52%

Section: Introductionmentioning

confidence: 99%

Random Probing Security: Verification, Composition, Expansion and New Constructions

Belaïd

Coron

Prouff

et al. 2020

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…The fullVerif tool we propose is the first one that can verify the composability of concrete hardware implementations including glitches. The most similar tool is Tornado [31], which works for software implementations on micro-controllers. Some other works are less directly comparable, either because they span multiple table cells or because they aim at different goals.…”

Section: Related Workmentioning

confidence: 99%

Hardware Private Circuits: From Trivial Composition to Full Verification

Cassiers

Grégoire

Levi

et al. 2021

IEEE Trans. Comput.

View full text Add to dashboard Cite

The design of glitch-resistant higher-order masking schemes is an important challenge in cryptographic engineering. A recent work by Moos et al. (CHES 2019) showed that most published schemes (and all efficient ones) exhibit local or composability flaws at high security orders, leaving a critical gap in the literature on hardware masking. In this paper, we first extend the simulatability framework of Belaïd et al. (EUROCRYPT 2016) and prove that a compositional strategy that is correct without glitches remains valid with glitches. We then use this extended framework to prove the first masked gadgets that enable trivial composition with glitches at arbitrary orders. We show that the resulting "Hardware Private Circuits" approach the implementation efficiency of previous (flawed) schemes. We finally investigate how trivial composition can serve as a basis for a tool that allows verifying full masked hardware implementations (e.g., of complete block ciphers) at any security order from their HDL code. As side products, we improve the randomness complexity of the best published refreshing gadgets, show that some S-box representations allow latency reductions and confirm practical claims based on implementation results.

show abstract

“…Next, we give a list of papers that either evaluate the side-channel and fault resistance of Ascon or elaborate protection mechanisms against side-channel and fault attacks [4,7,12,[28][29][30]50,51,55,60,68,[77][78][79]83].…”

Section: Implementation Security and Robustnessmentioning

confidence: 99%

Ascon v1.2: Lightweight Authenticated Encryption and Hashing

et al. 2021

View full text Add to dashboard Cite

Authenticated encryption satisfies the basic need for authenticity and confidentiality in our information infrastructure. In this paper, we provide the specification of Ascon-128 and Ascon-128a. Both authenticated encryption algorithms provide efficient authenticated encryption on resource-constrained devices and on high-end CPUs. Furthermore, they have been selected as the “primary choice” for lightweight authenticated encryption in the final portfolio of the CAESAR competition. In addition, we specify the hash function Ascon-Hash, and the extendable output function Ascon-Xof. Moreover, we complement the specification by providing a detailed overview of existing cryptanalysis and implementation results.

show abstract

Tornado: Automatic Generation of Probing-Secure Masked Bitsliced Implementations

Cited by 21 publications

References 27 publications

Random Probing Security: Verification, Composition, Expansion and New Constructions

Random Probing Security: Verification, Composition, Expansion and New Constructions

Hardware Private Circuits: From Trivial Composition to Full Verification

Ascon v1.2: Lightweight Authenticated Encryption and Hashing

Contact Info

Product

Resources

About