Abstract

Composability and robustness against physical defaults (e.g., glitches) are two highly desirable properties for secure implementations of masking schemes. While tools exist to guarantee them separately, no current formalism enables their joint investigation. In this paper, we solve this issue by introducing a new model, the robust probing model, that is naturally suited to capture the combination of these properties. We first motivate this formalism by analyzing the excellent robustness and low randomness requirements of first-order threshold implementations, and by highlighting the difficulty of extending them to higher orders. Next, and most importantly, we use our theory to design and prove the first higher-order secure, robust and composable multiplication gadgets. While admittedly inspired by existing approaches to masking (e.g., Ishai-Sahai-Wagner-like, threshold, domain-oriented), these gadgets exhibit subtle implementation differences from these state-of-the-art solutions (none of which is provably composable and robust). Hence, our results illustrate how sound theoretical models can guide practically relevant implementations.

Highlights

  • While tools exist to guarantee composability and robustness against physical defaults separately, no current formalism enables their joint investigation. We solve this issue by introducing a new model, the robust probing model, that is naturally suited to capture the combination of these properties. We first motivate this formalism by analyzing the excellent robustness and low randomness requirements of first-order threshold implementations, and by highlighting the difficulty of extending them to higher orders.

  • In order to motivate our new model, we argue that higher-order secure gadgets combining resistance against physical defaults and composability are not straightforward to design with existing tools.

  • While usually based on similar patterns, higher-order masked multiplications can differ in the way they deal with composability and robustness, thanks to refreshings and memory elements.


Summary

Introduction

We follow with our main contribution, which is to provide a formal tool to analyze such higher-order masked implementations. For this purpose, we introduce a new robust probing model which tweaks the original probing model in order to capture a wide class of physical defaults and can naturally be combined with existing notions of composability. We note that, besides the interesting consolidating nature of the designs and proofs we provide, a recent follow-up work [MMSS18] showed that the lack of probing security proofs in previous hardware-oriented glitch-resistant masking schemes (e.g., [RBN+15a, CRB+16, GMK16, GMK17, GM17]) leads to probing security flaws as the number of shares in these schemes increases. This shows the necessity of the robust probing model by exhibiting that satisfying glitch-resistance (thanks to the non-completeness property of threshold implementations) and composability (thanks to SNI) separately is not enough to be glitch-robust and composable.

Circuit model
The ISW multiplication algorithm
The special case of 1st-order TIs
Generic decomposition for unbalanced Feistel networks
Robust and composable probing security
Modeling physical defaults
Worst-case generic bound
Physical defaults combination
Experimental validation
Concrete constructions
Glitch locality principle
Practical security evaluation
Related work
Composition rules
Conclusions
A Additional figures
D Proof of Proposition 3