Masking Proofs Are Tight and How to Exploit it in Security Evaluations
[chapter]
2018
Lecture Notes in Computer Science
In this paper, we show that by taking advantage of the tightness of masking security proofs, we can significantly simplify this evaluation task in a very general manner. ...
This is especially true when countermeasures such as masking are implemented since in this case: (i) the amount of measurements to perform a key recovery may become prohibitive for certification laboratories ...
This work has been funded in parts by the ERC project 724725 (acronym SWORD). ...
doi:10.1007/978-3-319-78375-8_13
fatcat:7nfrs7mc2jh35ovsjw7m6suqay
On the Cost of Lazy Engineering for Masked Software Implementations
[chapter]
2015
Lecture Notes in Computer Science
by the target device, to security proofs in a (more realistic) model where the transitions between these intermediate variables are leaked. ...
Yet, its deployment in actual cryptographic devices is well known to be challenging, since designers have to ensure that the leakage corresponding to different shares is independent. ...
In practice though, security proofs for masking heavily rely on an independence assumption. ...
doi:10.1007/978-3-319-16763-3_5
fatcat:xqkkai7b2bclppjvwzmdpvkv2y
Making Masking Security Proofs Concrete (Or How to Evaluate the Security of Any Leaking Device), Extended Version
2018
Journal of Cryptology
In particular, we re-state their main proof for the masking countermeasure based on a mutual information metric, which is frequently used in concrete physical security evaluations. ...
Thanks to these tools, we argue that masking with non-independent leakages may provide improved security levels in certain scenarios. ...
This work has been funded in parts by the ERC project 280141 (CRASH). ...
doi:10.1007/s00145-018-9277-0
fatcat:plkoujkigbgebbbjtqdtfhihqe
Making Masking Security Proofs Concrete
[chapter]
2015
Lecture Notes in Computer Science
In particular, we re-state their main proof for the masking countermeasure based on a mutual information metric, which is frequently used in concrete physical security evaluations. ...
Thanks to these tools, we argue that masking with non-independent leakages may provide improved security levels in certain scenarios. ...
This work has been funded in parts by the ERC project 280141 (CRASH). ...
doi:10.1007/978-3-662-46800-5_16
fatcat:6osh7j6upveutezcycxko3cs7y
Compiling Sandboxes: Formally Verified Software Fault Isolation
[chapter]
2019
Lecture Notes in Computer Science
This eliminates the need for a binary verifier and, instead, leverages the soundness proof of the compiler to prove the security of the sandboxing transformation. ...
To ensure that the untrusted module cannot escape its sandbox, existing approaches such as Google's Native Client rely on a binary verifier to check that all memory accesses are within the sandbox. ...
Section 7 presents the design of our runtime library and how it exploits compiler support. Experimental results are detailed in Sect. 8. Section 9 presents related work and Sect. 10 concludes. ...
doi:10.1007/978-3-030-17184-1_18
fatcat:hoqmb4tyazdkfp42ejkavs3oya
Very High Order Masking: Efficient Implementation and Security Evaluation
[chapter]
2017
Lecture Notes in Computer Science
In this paper, we study the performances and security of recent masking algorithms specialized to parallel implementations in a 32-bit embedded software platform, for the standard AES Rijndael and the ...
This methodology allows us to both bound the security level of our implementations in a principled manner and to assess the risks of overstated security based on well understood parameters. ...
This work has been funded in parts by the INNOVIRIS project SCAUT and by the European Commission through the ERC project 724725 and the H2020 project REASSURE. ...
doi:10.1007/978-3-319-66787-4_30
fatcat:k5jft5vp6jheje3cg7a3yq7qay
Secure Transmission With Multiple Antennas I: The MISOME Wiretap Channel
2010
IEEE Transactions on Information Theory
In addition, we study a masked beamforming scheme that radiates power isotropically in all directions and show that it attains near-optimal performance in the high SNR regime. ...
Insights into the scaling behavior of the capacity in the large antenna regime as well as extensions to ergodic fading channels are also provided. ...
ACKNOWLEDGMENT The authors would like to thank Y. C. Eldar and A. ...
doi:10.1109/tit.2010.2048445
fatcat:mszojjr2cbhprd26hdc5hktbni
Tight Private Circuits: Achieving Probing Security with the Least Refreshing
[chapter]
2018
Advances in Industrial Control
While many works have provided security proofs for small masked components, called gadgets, within this model, no formal method allowed to securely compose gadgets with a tight number of shares (namely ...
As a result, it is overconservative and might insert more refresh gadgets than actually needed to ensure t-probing security. ...
Acknowledgments We would like to thank François-Xavier Standaert and Gaëtan Cassiers for their in-depth review and helpful comments. ...
doi:10.1007/978-3-030-03329-3_12
fatcat:k7bcv6xmcrdhzar2gal5tq5s4e
Towards Globally Optimized Masking: From Low Randomness to Low Noise Rate
2019
Transactions on Cryptographic Hardware and Embedded Systems
We then use it to propose new improved algorithms, leading to better tradeoffs between randomness complexity and noise rate, and suggesting the possibility to design efficient masked multiplication algorithms ...
It captures a sufficient requirement for designing masked implementations in a trivial way, by combining PINI multiplications and linear operations performed share by share. ...
This conclusion is based on quantitative but heuristic evaluations in the LRPM. Obtaining tight proofs in the RPM is an interesting open problem. ...
doi:10.13154/tches.v2019.i2.162-198
dblp:journals/tches/CassiersS19
fatcat:ggngfqbbgfgxvk67fh5kzdztwa
There Is Wisdom in Harnessing the Strengths of Your Enemy: Customized Encoding to Thwart Side-Channel Attacks
[chapter]
2016
Lecture Notes in Computer Science
Our solution has been evaluated within several security metrics, proving its efficiency against side-channel attacks in realistic scenarios. ...
Side-channel attacks are an important concern for the security of cryptographic algorithms. ...
We thank anonymous reviewers of FSE 2016 for the various constructive comments and suggestions. ...
doi:10.1007/978-3-662-52993-5_12
fatcat:zc3ojhwtezhgpnawj3frlxiaji
On the Resilience of Even-Mansour to Invariant Permutations
2021
Designs, Codes and Cryptography
In this work, we investigate how to thwart invariance exploitation at the mode level, namely by assuring that a mode never evaluates its underlying primitive under any invariance. ...
We further demonstrate how the model composes, and apply it to the keyed sponge construction. ...
The security model is outlined in Sect. 3.1, and Even-Mansour and its security in the invariant permutation model are stated in Sect. 3.2. The security proof is given in Sect. 3.3. ...
doi:10.1007/s10623-021-00850-2
fatcat:g7gxepprufbkdgxlhsruvia45y
Towards Sound Fresh Re-keying with Hard (Physical) Learning Problems
[chapter]
2016
Lecture Notes in Computer Science
Both constructions are efficient and easy to mask, since they are key homomorphic or almost key homomorphic. ...
In the case of symmetric algorithms, it is rather key evolution that is exploited. ...
More importantly, it is the starting point of most of the (e.g. template and regression-based) attacks that are usually considered in side-channel security evaluations [20, 56]. ...
doi:10.1007/978-3-662-53008-5_10
fatcat:xy63yuhrf5ajpexha2bdjhlkru
Symmetric Cryptography (Dagstuhl Seminar 16021)
2016
Dagstuhl Reports
It was the fifth in the series of the Dagstuhl seminars "Symmetric Cryptography" held in 2007, 2009, 2012, and 2014. ...
The first section describes the seminar topics and goals in general. ...
We show in particular how recent advancements in computing discrete logarithms over finite fields of characteristic 2 can be exploited in a constructive way to realize highly efficient, constant-time masking ...
doi:10.4230/dagrep.6.1.34
dblp:journals/dagstuhl-reports/ArmknechtINP16
fatcat:3p4woms76ncrdm5hkd2iempk74
Oblivious Polynomial Evaluation and Secure Set-Intersection from Algebraic PRFs
2017
Journal of Cryptology
In this paper we study the two fundamental functionalities oblivious polynomial evaluation in the exponent and set-intersection, and introduce a new technique for designing efficient secure protocols for ...
Our protocols are secure under full simulation-based definitions in the presence of malicious adversaries. ...
Proof: We prove security for each corruption case separately. We assume that the simulator is given $m_X$ and $m_Y$ as part of its auxiliary input. ...
doi:10.1007/s00145-017-9263-y
fatcat:6ozcdk355zdd5l4yb5pvbuahhu
Oblivious Polynomial Evaluation and Secure Set-Intersection from Algebraic PRFs
[chapter]
2015
Lecture Notes in Computer Science
In this paper we study the two fundamental functionalities oblivious polynomial evaluation in the exponent and set-intersection, and introduce a new technique for designing efficient secure protocols for ...
Our protocols are secure under full simulation-based definitions in the presence of malicious adversaries. ...
Proof: We prove security for each corruption case separately. We assume that the simulator is given $m_X$ and $m_Y$ as part of its auxiliary input. ...
doi:10.1007/978-3-662-46497-7_4
fatcat:qxra4n7m25hf7kkklepqsce3ua