Formal Verification of Masking Countermeasures for Arithmetic Programs

Cryptographic algorithms are widely used to protect data privacy in many aspects of daily life. Unfortunately, programs implementing cryptographic algorithms may be vulnerable to practical power side-channel attacks, which infer private data via statistical analysis of power traces. To thwart these attacks, several masking schemes have been proposed, giving rise to effective countermeasures that reduce the statistical correlation between private data and power consumption. However, programs that rely on secure masking schemes are not secure a priori. Indeed, designing effective masked programs is a labor-intensive and error-prone task. Although some techniques have been proposed for formally verifying masking countermeasures and for quantifying masking strength, they are currently limited to Boolean programs and suffer from low accuracy. In this work, we propose an approach for formally verifying masking countermeasures of arithmetic programs. Our approach is more accurate for arithmetic programs and more scalable for Boolean programs compared to the existing approaches. It is essentially a synergistic integration of type inference and model-counting based methods, armed with domain-specific heuristics. The type inference system allows a fast deduction of leakage-freeness for most intermediate computations; the model-counting based methods account for completeness, namely eliminating spurious flaws; and the heuristics facilitate both type inference and model-counting based reasoning, which improves scalability and efficiency in practice. In case the program does contain leakage, we provide a method to quantify its masking strength. A distinguished feature of our type system is its support for compositional reasoning when verifying programs with procedure calls, so the need to inline procedures is significantly reduced.
We have implemented our methods in a verification tool, QMVERIF, which has been extensively evaluated on cryptographic benchmarks including full AES, DES and MAC-Keccak. The experimental results demonstrate the effectiveness and efficiency of our approach, especially for compositional reasoning. In particular, our tool is able to automatically prove leakage-freeness of arithmetic programs for which only manual proofs existed so far; it is also significantly faster than the state-of-the-art tools: EasyCrypt on common arithmetic programs, and QMSINFER, SC Sniffer and maskVerif on Boolean programs.
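The two-stage idea in the abstract (a cheap type-inference pass that settles most intermediates, with exact model counting reserved for the ones it cannot) can be seen on a small scale in the following toy verifier. It is an added example written for this page, not QMVERIF's code or the paper's definitions: the typing rules (RUD/SID/NPM/UKD), the disjoint-randomness rule, and the leakage measure (largest gap between the conditional distributions of an intermediate under two secret values) are simplifications assumed here, model counting is plain exhaustive enumeration over 3-bit words rather than an SMT-backed counter, and procedure calls are inlined rather than reasoned about compositionally. The program it checks is Goubin's first-order Boolean-to-arithmetic conversion (CHES 2001), an arithmetic program of exactly the kind the abstract mentions, beside the naive conversion `(x ^ r) - r` that is functionally correct but unmasked.

```python
# Added example, not QMVERIF's code: a toy first-order masking verifier for
# small arithmetic programs on W-bit words.  Typing rules and the leakage
# measure are simplified assumptions made here, not the paper's definitions.
from itertools import product

W = 3                       # word width; small so exhaustive counting is cheap
MASK = (1 << W) - 1
OPS = {
    "xor": lambda a, b: a ^ b,
    "and": lambda a, b: a & b,
    "add": lambda a, b: (a + b) & MASK,
    "sub": lambda a, b: (a - b) & MASK,
}

def evaluate(expr, env):
    """Expressions are variable names or nested tuples (op, e1, e2)."""
    if isinstance(expr, str):
        return env[expr]
    op, e1, e2 = expr
    return OPS[op](evaluate(e1, env), evaluate(e2, env))

def inline(expr, defs):
    """Substitute earlier program lines so every leaf is an input variable."""
    if isinstance(expr, str):
        return inline(defs[expr], defs) if expr in defs else expr
    return (expr[0], inline(expr[1], defs), inline(expr[2], defs))

def randoms_in(expr, randoms):
    if isinstance(expr, str):
        return {expr} if expr in randoms else set()
    return randoms_in(expr[1], randoms) | randoms_in(expr[2], randoms)

def infer_type(expr, randoms):
    """Assumed types: RUD = uniform and secret independent, SID = secret
    independent, NPM = unmasked secret, UKD = unknown (needs counting)."""
    if isinstance(expr, str):
        return "RUD" if expr in randoms else "NPM"
    op, e1, e2 = expr
    r1, r2 = randoms_in(e1, randoms), randoms_in(e2, randoms)
    # A mask r occurring nowhere else makes e ^ r, e + r, e - r (mod 2^W)
    # uniform whatever e is; the same is not true of e & r.
    if op in ("xor", "add", "sub"):
        for bare, other in ((e2, r1), (e1, r2)):
            if isinstance(bare, str) and bare in randoms and bare not in other:
                return "RUD"
    t1, t2 = infer_type(e1, randoms), infer_type(e2, randoms)
    # Two secret-independent operands built from disjoint randomness are
    # jointly independent of the secrets, so any function of them is SID.
    if t1 in ("RUD", "SID") and t2 in ("RUD", "SID") and not (r1 & r2):
        return "SID"
    return "UKD"            # shared masks, or a secret used without a mask

def leakage(expr, secrets, randoms):
    """Model counting: for each secret assignment, count how often each value
    of expr occurs over all random assignments; return the largest gap
    max |Pr[expr=v | k] - Pr[expr=v | k']| over v, k, k'.  0.0 means the
    intermediate is perfectly masked at first order (assumed measure)."""
    secrets, randoms = sorted(secrets), sorted(randoms)
    total = (1 << W) ** len(randoms)
    counts = {}
    for ks in product(range(1 << W), repeat=len(secrets)):
        hist = [0] * (1 << W)
        for rs in product(range(1 << W), repeat=len(randoms)):
            env = dict(zip(secrets, ks), **dict(zip(randoms, rs)))
            hist[evaluate(expr, env)] += 1
        counts[ks] = hist
    worst = 0.0
    for v in range(1 << W):
        probs = [h[v] / total for h in counts.values()]
        worst = max(worst, max(probs) - min(probs))
    return worst

def verify(program, secrets, randoms):
    """program: list of (name, expr).  Returns {name: (type, leakage)}; the
    leakage is None when the type system alone proved the line leakage free."""
    defs, report = {}, {}
    for name, expr in program:
        full = inline(expr, defs)
        t = infer_type(full, randoms)
        leak = None if t in ("RUD", "SID") else leakage(full, secrets, randoms)
        report[name] = (t, leak)
        defs[name] = expr
    return report

def run(program, env):
    """Concrete execution, used to check functional correctness."""
    env = dict(env)
    for name, expr in program:
        env[name] = evaluate(expr, env)
    return env

# Goubin's first-order Boolean-to-arithmetic conversion (CHES 2001): from
# x' = x ^ r compute A with x = A + r mod 2^W, using one fresh random g.
GOUBIN = [
    ("xp", ("xor", "x", "r")), ("t1", ("xor", "xp", "g")),
    ("t2", ("sub", "t1", "g")), ("t3", ("xor", "t2", "xp")),
    ("g2", ("xor", "g", "r")), ("a1", ("xor", "xp", "g2")),
    ("a2", ("sub", "a1", "g2")), ("A", ("xor", "a2", "t3")),
]
# The shortcut A = (x ^ r) - r is functionally correct but unmasked: its
# distribution over r depends on x (for x = 0 it is always 0).
NAIVE = [("xp", ("xor", "x", "r")), ("A", ("sub", "xp", "r"))]

if __name__ == "__main__":
    for label, prog, rnd in (("goubin", GOUBIN, {"r", "g"}), ("naive", NAIVE, {"r"})):
        for name, (t, leak) in verify(prog, {"x"}, rnd).items():
            print(f"{label:6} {name:3} type={t:3} leakage={leak}")
```

Running it shows the division of labour the abstract describes: the type rules dispose of `xp`, `t1` and `g2` immediately, while the six intermediates that reuse a mask (`t2`, `t3`, `a1`, `a2`, `A`) come back as UKD and are only proved leakage free by counting, which finds identical value histograms for every secret. The naive conversion is typed UKD too, but counting reports a gap of 1.0 for `A`, the quantified "masking strength" of a fully leaking intermediate under this measure. Enumeration is exponential in the number of inputs times the word width, which is exactly why the paper replaces it with SMT-based model counting and heuristics for realistic programs.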
