Abstract

Power side-channel attacks, which can deduce secret data via statistical analysis, have become a serious threat. Masking is an effective countermeasure for reducing the statistical dependence between secret data and side-channel information. However, designing masking algorithms is an error-prone process. In this paper, we propose a hybrid approach combining type inference and model-counting to verify masked arithmetic programs against side-channel attacks. The type inference allows an efficient, lightweight procedure to determine most observable variables, whereas model-counting accounts for completeness. If the program is not perfectly masked, we also provide a method to quantify the security level of the program. We implement our methods in a tool, QMVerif, and evaluate it on cryptographic benchmarks. The experimental results show the effectiveness and efficiency of our approach.

Highlights

  • Side-channel attacks aim to infer secret data by exploiting statistical dependence between secret data and non-functional observations such as execution time [33], power consumption [34], and electromagnetic radiation [46]

  • The power consumption of a device executing the instruction c = p ⊕ k usually depends on the secret k, and this can be exploited via differential power analysis (DPA) [37] to deduce k

  • We have proposed a hybrid approach combining type inference and model-counting to verify masked arithmetic programs against first-order side-channel attacks

Summary

Introduction

Side-channel attacks aim to infer secret data (e.g. cryptographic keys) by exploiting statistical dependence between secret data and non-functional observations such as execution time [33], power consumption [34], and electromagnetic radiation [46]. Type systems have been widely used in the verification of side-channel attacks, with early work [9,38] providing masking compilers which can transform an input program into a functionally equivalent program that is resistant to first-order DPA. These systems are either limited to certain operations (i.e., ⊕ and table look-up), or suffer from unsoundness and incompleteness under the threshold probing model. The main differences are, first of all, that QIF targets fully-fledged programs (including branching and loops), so program analysis techniques (e.g. symbolic execution) are needed, while we deal with more specialized (transformed) masked programs in straight-line form; second, to measure the information leakage quantitatively, our measure is based on the notion of QMS, which is correlated with the number of power traces needed to successfully infer the secret, while QIF is based on a more general sense of information theory; third, for calculating such a measure, both works rely on model-counting. This was briefly mentioned in, e.g., [36], but without implementation.
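As an added illustration of the model-counting side of the approach described in the abstract and above (this is not the paper's code or the QMVerif tool), the following Python checks whether each observable variable of a toy masked program is statistically independent of the secret by counting, for every secret and public input, how many mask values produce each output value, and derives a masking-strength score from those counts. The QMS definition used here, 1 minus the largest difference between conditional output probabilities for two secret values, is an assumption (the page does not state the paper's definition), and the toy program's variables are constructed for the example.

```python
"""Model-counting check of first-order masking (added example, not the paper's code).

An observable intermediate variable is a function f(k, p, r1, ..., rn) of the
secret k, the public input p and uniformly random mask words r_i. It is
perfectly masked (first order) if, for every fixed p, the distribution of
its value over the masks does not depend on k. Model counting decides this
exactly: for each (k, p, v) count the masks r with f(k, p, r) == v.
"""
from collections import Counter
from itertools import product

BITS = 2                     # word size of the toy program (constructed)
DOMAIN = range(1 << BITS)    # all values a word can take


def dist_over_masks(f, k, p, n_rand):
    """Model count: dict v -> number of mask tuples r with f(k, p, *r) == v."""
    counts = Counter()
    for r in product(DOMAIN, repeat=n_rand):
        counts[f(k, p, *r)] += 1
    return counts


def qms(f, n_rand):
    """Assumed QMS: 1 - max over p, v, k1, k2 of
    |Pr[f = v | k1, p] - Pr[f = v | k2, p]|, probabilities taken over the masks."""
    total = len(DOMAIN) ** n_rand          # number of mask assignments
    worst = 0.0
    for p in DOMAIN:
        dists = {k: dist_over_masks(f, k, p, n_rand) for k in DOMAIN}
        for k1, k2 in product(DOMAIN, repeat=2):
            for v in DOMAIN:
                diff = abs(dists[k1][v] - dists[k2][v]) / total
                worst = max(worst, diff)
    return 1.0 - worst


def perfectly_masked(f, n_rand):
    """True iff the observable's distribution is identical for every secret."""
    return qms(f, n_rand) == 1.0


# Observable variables of a constructed toy program (one per masking case):
#   unmasked:   c = p ^ k             value fixes k once p is known (QMS 0)
#   masked_xor: c' = (p ^ r) ^ k      uniform for every k (QMS 1, perfect)
#   faulty_and: u = (p ^ r) & k       k = 0 gives always 0, k = 3 is uniform,
#                                     so the distribution depends on k (QMS 0.25)
def unmasked(k, p):        return p ^ k
def masked_xor(k, p, r):   return (p ^ r) ^ k
def faulty_and(k, p, r):   return (p ^ r) & k
```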

Preliminaries
Cryptographic Programs
Quantitative Masking Strength
Type System
Reduction Heuristics
Perfect Masking Verification
QMS Computing
Practical Evaluation
Experimental Results on Boolean Programs
Experimental Results on Arithmetic Programs
Conclusion