Cryptology ePrint Archive: Report 2021/1671

IronMask: Versatile Verification of Masking Security

Sonia Belaïd and Darius Mercadier and Matthieu Rivain and Abdul Rahman Taleb

Abstract: This paper introduces IronMask, a new versatile verification tool for masking security. IronMask is the first to offer the verification of standard simulation-based security notions in the probing model as well as recent composition and expandability notions in the random probing model. It supports any masking gadgets with linear randomness (e.g. addition, copy and refresh gadgets) as well as quadratic gadgets (e.g. multiplication gadgets) that might include non-linear randomness (e.g. by refreshing their inputs), while providing complete verification results for both types of gadgets. We achieve this complete verifiability by introducing a new algebraic characterization for such quadratic gadgets and exhibiting a complete method to determine the sets of input shares which are necessary and sufficient to perform a perfect simulation of any set of probes. We report various benchmarks which show that IronMask is competitive with state-of-the-art verification tools in the probing model (maskVerif, scVerif, SILVER, matverif). IronMask is also several orders of magnitude faster than VRAPS --the only previous tool verifying random probing composability and expandability-- as well as SILVER --the only previous tool providing complete verification for quadratic gadgets with non-linear randomness. Thanks to this completeness and increased performance, we obtain better bounds for the tolerated leakage probability of state-of-the-art random probing secure compilers.

Category / Keywords: Side-channel security, masking, physical defaults, automatic verification, complete verification, composition, probing model, random probing model, IronMask

Original Publication (with minor differences): 43rd IEEE Symposium on Security and Privacy 2022

Date: received 20 Dec 2021

Contact author: abdul taleb at cryptoexperts com

Available format(s): PDF | BibTeX Citation

Version: 20211221:122806 (All versions of this report)

Short URL: ia.cr/2021/1671


[ Cryptology ePrint archive ]