Paper 2021/1521

Security evaluation against side-channel analysis at compilation time

Nicolas Bruneau, Charles Christen, Jean-Luc Danger, Adrien Facon, and Sylvain Guilley

Abstract

Masking countermeasure is implemented to thwart side-channel attacks. The maturity of high-order masking schemes has reached the level where the concepts are sound and proven. For instance, Rivain and Prouff proposed a full-fledged AES at CHES 2010. Some non-trivial fixes regarding refresh functions were needed though. Now, industry is adopting such solutions, and for the sake of both quality and certification requirements, masked cryptographic code shall be checked for correctness using the same model as that of the the theoretical protection rationale (for instance the probing leakage model). Seminal work has been initiated by Barthe et al. at EUROCRYPT 2015 for automated verification at higher orders on concrete implementations. In this paper, we build on this work to actually perform verification from within a compiler, so as to enable timely feedback to the developer. Precisely, our methodology enables to provide the actual security order of the code at the intermediate representation (IR) level, thereby identifying possible flaws (owing either to source code errors or to compiler optimizations). Second, our methodology allows for an exploitability analysis of the analysed IR code. In this respect, we formally handle all the symbolic expressions in the static single assignment (SSA) representation to build the optimal distinguisher function. This enables to evaluate the most powerful attack, which is not only function of the masking order $d$, but also on the number of leaking samples and of the expressions (e.g., linear vs non-linear leakages). This scheme allows to evaluate the correctness of a masked cryptographic code, and also its actual security in terms of number of traces in a given deployment context (characterized by a leakage model of the target CPU and the signal-to-noise ratio of the platform).

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Published elsewhere. Minor revision. A2C 2019: Algebra, Codes and Cryptology
DOI
10.1007/978-3-030-36237-9_8
Keywords
Cryptographic codecompilationintermediate representation (IR)static single assignment (SSA)side-channel analysismasking protectioncompositional countermeasureformal analysisoptimal side-channel attacksTaylor expansion of distinguishers.
Contact author(s)
sylvain guilley @ secure-ic com
History
2021-11-22: received
Short URL
https://ia.cr/2021/1521
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2021/1521,
      author = {Nicolas Bruneau and Charles Christen and Jean-Luc Danger and Adrien Facon and Sylvain Guilley},
      title = {Security evaluation against side-channel analysis at compilation time},
      howpublished = {Cryptology {ePrint} Archive, Paper 2021/1521},
      year = {2021},
      doi = {10.1007/978-3-030-36237-9_8},
      url = {https://eprint.iacr.org/2021/1521}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.