TY - GEN
T1 - Verified proofs of higher-order masking
AU - Barthe, Gilles
AU - Belaïd, Sonia
AU - Dupressoir, François
AU - Fouque, Pierre Alain
AU - Grégoire, Benjamin
AU - Strub, Pierre Yves
N1 - Publisher Copyright:
© International Association for Cryptologic Research 2015.
PY - 2015/1/1
Y1 - 2015/1/1
N2 - In this paper, we study the problem of automatically verifying higher-order masking countermeasures. This problem is important in practice, since weaknesses have been discovered in schemes that were thought secure, but is inherently exponential: for t-order masking, it involves proving that every subset of t intermediate variables is distributed independently of the secrets. Some tools have been proposed to help cryptographers check their proofs, but are often limited in scope. We propose a new method, based on program verification techniques, to check the independence of sets of intermediate variables from some secrets. Our new language-based characterization of the problem also allows us to design and implement several algorithms that greatly reduce the number of sets of variables that need to be considered to prove this independence property on all valid adversary observations. The result of these algorithms is either a proof of security or a set of observations on which the independence property cannot be proved. We focus on AES implementations to check the validity of our algorithms. We also confirm the tool’s ability to give useful information when proofs fail, by rediscovering existing attacks and discovering new ones.
AB - In this paper, we study the problem of automatically verifying higher-order masking countermeasures. This problem is important in practice, since weaknesses have been discovered in schemes that were thought secure, but is inherently exponential: for t-order masking, it involves proving that every subset of t intermediate variables is distributed independently of the secrets. Some tools have been proposed to help cryptographers check their proofs, but are often limited in scope. We propose a new method, based on program verification techniques, to check the independence of sets of intermediate variables from some secrets. Our new language-based characterization of the problem also allows us to design and implement several algorithms that greatly reduce the number of sets of variables that need to be considered to prove this independence property on all valid adversary observations. The result of these algorithms is either a proof of security or a set of observations on which the independence property cannot be proved. We focus on AES implementations to check the validity of our algorithms. We also confirm the tool’s ability to give useful information when proofs fail, by rediscovering existing attacks and discovering new ones.
KW - Automatic tools
KW - EasyCrypt
KW - Higher-order masking
U2 - 10.1007/978-3-662-46800-5_18
DO - 10.1007/978-3-662-46800-5_18
M3 - Conference contribution
AN - SCOPUS:84942576221
SN - 9783662467992
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 457
EP - 485
BT - Advances in Cryptology – EUROCRYPT 2015 - 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings
A2 - Fischlin, Marc
A2 - Oswald, Elisabeth
PB - Springer Verlag
T2 - 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Eurocrypt 2015
Y2 - 26 April 2015 through 30 April 2015
ER -