
Share-slicing: Friend or Foe?

Research output: Contribution to journal › Article

Standard

Share-slicing: Friend or Foe? / Gao, Si; Marshall, Ben; Page, Daniel; Oswald, M E.

In: IACR Transactions on Cryptographic Hardware and Embedded Systems (TCHES), Vol. 2020, No. 1, 19.11.2019, p. 152-174.


Harvard

Gao, S, Marshall, B, Page, D & Oswald, ME 2019, 'Share-slicing: Friend or Foe?', IACR Transactions on Cryptographic Hardware and Embedded Systems (TCHES), vol. 2020, no. 1, pp. 152-174. https://doi.org/10.13154/tches.v2020.i1.152-174

APA

Gao, S., Marshall, B., Page, D., & Oswald, M. E. (2019). Share-slicing: Friend or Foe? IACR Transactions on Cryptographic Hardware and Embedded Systems (TCHES), 2020(1), 152-174. https://doi.org/10.13154/tches.v2020.i1.152-174

Vancouver

Gao S, Marshall B, Page D, Oswald ME. Share-slicing: Friend or Foe? IACR Transactions on Cryptographic Hardware and Embedded Systems (TCHES). 2019 Nov 19;2020(1):152-174. https://doi.org/10.13154/tches.v2020.i1.152-174

Author

Gao, Si ; Marshall, Ben ; Page, Daniel ; Oswald, M E. / Share-slicing: Friend or Foe? In: IACR Transactions on Cryptographic Hardware and Embedded Systems (TCHES). 2019 ; Vol. 2020, No. 1. pp. 152-174.

Bibtex

@article{759dc2b353554b06a06a16da5661f2ea,
title = "Share-slicing: Friend or Foe?",
abstract = "Masking is a well-loved and widely deployed countermeasure against side channel attacks, in particular in software. Under certain assumptions (w.r.t. independence and noise level), masking provably prevents attacks up to a certain security order and leads to a predictable increase in the number of required leakages for successful attacks beyond this order. The noise level in typical processors where software masking is used may not be very high, thus low masking orders are not sufficient for real world security. Higher order masking however comes at a great cost, and therefore a number of techniques have been published over the years that make such implementations more efficient via parallelisation in the form of bit or share slicing. We take two highly regarded schemes (ISW and Barthe et al.), and some corresponding open source implementations that make use of share slicing, and discuss their true security on an ARM Cortex-M0 and an ARM Cortex-M3 processor (both from the LPC series). We show that micro-architectural features of the M0 and M3 undermine the independence assumptions made in masking proofs and thus their theoretical guarantees do not translate into practice (even worse, it seems unpredictable at which order leaks can be expected). Our results demonstrate how difficult it is to link theoretical security proofs to practical real-world security guarantees.",
author = "Si Gao and Ben Marshall and Daniel Page and Oswald, {M E}",
note = "The acceptance date for this record is provisional and based upon the month of publication for the article.",
year = "2019",
month = "11",
day = "19",
doi = "10.13154/tches.v2020.i1.152-174",
language = "English",
volume = "2020",
pages = "152--174",
journal = "IACR Transactions on Cryptographic Hardware and Embedded Systems (TCHES)",
issn = "2569-2925",
number = "1",
}

RIS - suitable for import to EndNote

TY - JOUR

T1 - Share-slicing: Friend or Foe?

AU - Gao, Si

AU - Marshall, Ben

AU - Page, Daniel

AU - Oswald, M E

N1 - The acceptance date for this record is provisional and based upon the month of publication for the article.

PY - 2019/11/19

Y1 - 2019/11/19

N2 - Masking is a well-loved and widely deployed countermeasure against side channel attacks, in particular in software. Under certain assumptions (w.r.t. independence and noise level), masking provably prevents attacks up to a certain security order and leads to a predictable increase in the number of required leakages for successful attacks beyond this order. The noise level in typical processors where software masking is used may not be very high, thus low masking orders are not sufficient for real world security. Higher order masking however comes at a great cost, and therefore a number of techniques have been published over the years that make such implementations more efficient via parallelisation in the form of bit or share slicing. We take two highly regarded schemes (ISW and Barthe et al.), and some corresponding open source implementations that make use of share slicing, and discuss their true security on an ARM Cortex-M0 and an ARM Cortex-M3 processor (both from the LPC series). We show that micro-architectural features of the M0 and M3 undermine the independence assumptions made in masking proofs and thus their theoretical guarantees do not translate into practice (even worse, it seems unpredictable at which order leaks can be expected). Our results demonstrate how difficult it is to link theoretical security proofs to practical real-world security guarantees.

AB - Masking is a well-loved and widely deployed countermeasure against side channel attacks, in particular in software. Under certain assumptions (w.r.t. independence and noise level), masking provably prevents attacks up to a certain security order and leads to a predictable increase in the number of required leakages for successful attacks beyond this order. The noise level in typical processors where software masking is used may not be very high, thus low masking orders are not sufficient for real world security. Higher order masking however comes at a great cost, and therefore a number of techniques have been published over the years that make such implementations more efficient via parallelisation in the form of bit or share slicing. We take two highly regarded schemes (ISW and Barthe et al.), and some corresponding open source implementations that make use of share slicing, and discuss their true security on an ARM Cortex-M0 and an ARM Cortex-M3 processor (both from the LPC series). We show that micro-architectural features of the M0 and M3 undermine the independence assumptions made in masking proofs and thus their theoretical guarantees do not translate into practice (even worse, it seems unpredictable at which order leaks can be expected). Our results demonstrate how difficult it is to link theoretical security proofs to practical real-world security guarantees.

U2 - 10.13154/tches.v2020.i1.152-174

DO - 10.13154/tches.v2020.i1.152-174

M3 - Article

VL - 2020

SP - 152

EP - 174

JO - IACR Transactions on Cryptographic Hardware and Embedded Systems (TCHES)

JF - IACR Transactions on Cryptographic Hardware and Embedded Systems (TCHES)

SN - 2569-2925

IS - 1

ER -