Side-channel masking countermeasures must be constant time to be secure
Side-Channel Attacks (SCAs) are known to be one of the main physical threats to devices. Although cryptographic algorithms are theoretically proven to resist algebraic cryptanalysis, their actual implementations may leak information about secret parameters when they are executed on an end-user device. Such leakage appears when someone exploits the device's physical behavior, such as its power consumption, electromagnetic (EM) emanations or the execution time of targeted computations. Measurements require equipment like a probe or an oscilloscope, but a divide-and-conquer strategy reduces the strength of the cryptosystem by attacking small parts of the secret separately. In such a context, a properly configured SCA can be carried out within a few moments.
Fortunately, many countermeasures exist to mitigate these threats, such as noise addition, constant-time operations, shuffling or masking schemes. Since each of them targets specific attacks, developers and designers commonly implement a combination of protections to secure devices against as many attacks as possible.
The effect of masking schemes against vertical Side-Channel Attacks
Vertical SCAs aim at recovering a secret parameter, such as a key or a plaintext, by exploiting statistical dependencies between observable physical activity and the secret itself. They require a target node, i.e., an intermediate value of the targeted algorithm, whose processing defines the clock period of interest for the attack. Vertical SCAs such as Power/EM correlation attacks require the activity traces to be synchronized on this clock period of interest; in other words, the algorithmic operation being processed at that instant must be the same for every computation.
The purpose of a masking scheme is to protect implementations by removing these statistical dependencies. To do so, sensitive values are randomized (e.g., Boolean masking XORs each sensitive value with a random value, called a mask) and thus become masked values. When a sensitive value is split using a single random value, the scheme is called first-order masking.
In practice, while vertical SCAs are very effective against unprotected algorithms, desynchronization at the clock period of interest makes such an attack harder, and a first-order (or higher-order) masking scheme causes correlation power analysis (CPA) to fail.
Desynchronizations may ruin a masking scheme
To cover as many threats as possible, other countermeasures may be combined with the masking scheme. A common idea is to make the algorithm's execution asynchronous, which effectively protects against Timing Attacks and, again, makes a successful vertical SCA harder to achieve.
Nevertheless, developers and designers must pay close attention to how this desynchronization is produced. A perfect end-to-end masking scheme can be ruined by it, and the secrets broken as a result. By identifying and exploiting the real leakage model of their use case, Secure-IC's experts have shown that such side-channel leakage is a real threat that can be used to improve an attack's efficiency.
Recommendations
We would like to remind developers and designers of the importance of a constant execution time: a non-constant execution time can be exploited not only by timing- or cache-based attacks, but can also make a vertical SCA possible. Such side-channel leakage can, however, be detected at the pre-silicon stage; we therefore recommend always performing a pre-silicon security evaluation of both secure software and hardware designs. In particular, Secure-IC's tool Catalyzr™ performs dynamic analyses of software at the register level. The data it generates identifies leakages at the earliest stage and attributes them to the assembly operations that need to be corrected.
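The following simulation is an added example, not Secure-IC code and not related to Catalyzr™. It ties together the two points made above: a first-order Boolean mask removes the statistical dependency between the traces and the sensitive value, and a desynchronization whose delay is derived from the mask reintroduces that dependency. The check is the usual pre-silicon leakage assessment a practitioner would run on simulated traces: a fixed-versus-random Welch t-test (TVLA style) over each clock cycle. Everything here is constructed: the secret byte, the leakage model (Hamming weight of the value processed in each cycle plus Gaussian noise), the three delay policies, and the 4.5 decision threshold conventionally used for this test.

```python
"""Constructed leakage simulation of an XOR key-whitening step, with and
without first-order Boolean masking, evaluated with a fixed-vs-random
Welch t-test. Assumptions: one sample per clock cycle, each sample leaks the
Hamming weight of the value processed in that cycle plus Gaussian noise,
and idle cycles leak nothing but noise."""
import math
import random
import statistics

SECRET = 0x2B        # constructed secret byte
FIXED_PT = 0x2A      # chosen so SECRET ^ FIXED_PT == 0x01 (Hamming weight 1)
NOISE_SIGMA = 1.0    # constructed noise level
TRACE_LEN = 3        # cycles recorded per execution
T_THRESHOLD = 4.5    # conventional TVLA pass/fail threshold


def hw(x):
    """Hamming weight of a byte: the assumed leakage of processing it."""
    return bin(x & 0xFF).count("1")


# Three ways the desynchronization could be produced (constructed policies).
def no_delay(mask, rng):
    return 0


def independent_delay(mask, rng):
    # Random delay drawn from a source independent of any sensitive value.
    return rng.randrange(2)


def mask_dependent_delay(mask, rng):
    # Flawed policy: the delay depends on the mask, so timing leaks the mask.
    return mask & 1


def simulate_trace(rng, plaintext, masked, delay_policy):
    """One execution: returns TRACE_LEN leakage samples (one per cycle)."""
    v = SECRET ^ plaintext                      # sensitive intermediate value
    m = rng.randrange(256) if masked else 0     # fresh first-order mask
    delay = delay_policy(m, rng)
    ops = [v ^ m, m] if masked else [v]         # share 0, share 1 (or raw v)
    schedule = ([0] * delay + ops + [0] * TRACE_LEN)[:TRACE_LEN]
    return [hw(x) + rng.gauss(0.0, NOISE_SIGMA) for x in schedule]


def welch_t(a, b):
    """Welch's t-statistic between two sample groups."""
    ma, mb = statistics.fmean(a), statistics.fmean(b)
    va, vb = statistics.variance(a), statistics.variance(b)
    return (ma - mb) / math.sqrt(va / len(a) + vb / len(b))


def tvla(masked, delay_policy, n_per_group=20000, seed=1):
    """Fixed-vs-random t-test: returns |t| for each recorded cycle."""
    rng = random.Random(seed)
    fixed = [simulate_trace(rng, FIXED_PT, masked, delay_policy)
             for _ in range(n_per_group)]
    rand = [simulate_trace(rng, rng.randrange(256), masked, delay_policy)
            for _ in range(n_per_group)]
    return [abs(welch_t([t[i] for t in fixed], [t[i] for t in rand]))
            for i in range(TRACE_LEN)]


def leaks(t_values):
    """First-order leakage is flagged when any cycle exceeds the threshold."""
    return max(t_values) > T_THRESHOLD


def run_all():
    """Evaluate the four configurations; True means first-order leakage found."""
    return {
        "unmasked": leaks(tvla(False, no_delay)),
        "masked, constant time": leaks(tvla(True, no_delay)),
        "masked, independent random delay": leaks(tvla(True, independent_delay)),
        "masked, mask-dependent delay": leaks(tvla(True, mask_dependent_delay)),
    }


if __name__ == "__main__":
    for name, found in run_all().items():
        print(f"{name:35s} leakage detected: {found}")
```

The unmasked implementation and the masked one with a mask-dependent delay both fail the test, while the masked implementation fails it neither with constant timing nor with a delay drawn from an independent random source. In the flawed policy, the cycle at which a share is processed is correlated with the mask's low bit, so the mean of the samples at that cycle depends on the corresponding bit of the sensitive value again; this is exactly the kind of timing-induced leakage that a register-level pre-silicon analysis is meant to catch before tape-out.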
Do you have questions on this topic and on our protection solutions? We are here to help.