Quantile: Quantifying Information Leakage

Vedad Hadzic; Gaëtan Cassiers; Robert Primas; Stefan Mangard; Roderick Bloem

doi:10.46586/tches.v2024.i1.433-456

Quantile: Quantifying Information Leakage

Vedad Hadzic, Gaëtan Cassiers, Robert Primas, Stefan Mangard, Roderick Bloem

Research output: Contribution to journal › Article › peer-review

Abstract

The masking countermeasure is very effective against side-channel attacks such as differential power analysis. However, the design of masked circuits is a challenging problem since one has to ensure security while minimizing performance overheads. The security of masking is often studied in the t-probing model, and multiple formal verification tools can verify this notion. However, these tools generally cannot verify large masked computations due to computational complexity.
We introduce a new verification tool named Quantile, which performs randomized simulations of the masked circuit in order to bound the mutual information between the leakage and the secret variables. Our approach ensures good scalability with the circuit size and results in proven statistical security bounds. Further, our bounds are quantitative and, therefore, more nuanced than t-probing security claims: by bounding the amount of information contained in the lower-order leakage, Quantile can evaluate the security provided by masking even when they are not 1-probing secure, i.e., when they are classically considered as insecure. As an example, we apply Quantile to masked circuits of Prince and AES, where randomness is aggressively reused.

Original language	English
Pages (from-to)	433-456
Number of pages	24
Journal	IACR Transactions on Cryptographic Hardware and Embedded Systems
Volume	2024
Issue number	1
DOIs	https://doi.org/10.46586/tches.v2024.i1.433-456
Publication status	Published - 4 Dec 2023

Keywords

side-channel analysis
simulation
Side-channel attacks
Masking
Verification

ASJC Scopus subject areas

Software
Artificial Intelligence
Signal Processing
Hardware and Architecture
Computer Networks and Communications
Computer Graphics and Computer-Aided Design

Access to Document

10.46586/tches.v2024.i1.433-456Licence: CC BY 4.0

Cite this

@article{22bc714d48c044b2b45915f91af7d52d,

title = "Quantile: Quantifying Information Leakage",

abstract = "The masking countermeasure is very effective against side-channel attacks such as differential power analysis. However, the design of masked circuits is a challenging problem since one has to ensure security while minimizing performance overheads. The security of masking is often studied in the t-probing model, and multiple formal verification tools can verify this notion. However, these tools generally cannot verify large masked computations due to computational complexity.We introduce a new verification tool named Quantile, which performs randomized simulations of the masked circuit in order to bound the mutual information between the leakage and the secret variables. Our approach ensures good scalability with the circuit size and results in proven statistical security bounds. Further, our bounds are quantitative and, therefore, more nuanced than t-probing security claims: by bounding the amount of information contained in the lower-order leakage, Quantile can evaluate the security provided by masking even when they are not 1-probing secure, i.e., when they are classically considered as insecure. As an example, we apply Quantile to masked circuits of Prince and AES, where randomness is aggressively reused.",

keywords = "side-channel analysis, simulation, Side-channel attacks, Masking, Verification",

author = "Vedad Hadzic and Ga{\"e}tan Cassiers and Robert Primas and Stefan Mangard and Roderick Bloem",

year = "2023",

month = dec,

day = "4",

doi = "10.46586/tches.v2024.i1.433-456",

language = "English",

volume = "2024",

pages = "433--456",

journal = "IACR Transactions on Cryptographic Hardware and Embedded Systems",

issn = "2569-2925",

publisher = "Ruhr-University of Bochum",

number = "1",

}

TY - JOUR

T1 - Quantile: Quantifying Information Leakage

AU - Hadzic, Vedad

AU - Cassiers, Gaëtan

AU - Primas, Robert

AU - Mangard, Stefan

AU - Bloem, Roderick

PY - 2023/12/4

Y1 - 2023/12/4

N2 - The masking countermeasure is very effective against side-channel attacks such as differential power analysis. However, the design of masked circuits is a challenging problem since one has to ensure security while minimizing performance overheads. The security of masking is often studied in the t-probing model, and multiple formal verification tools can verify this notion. However, these tools generally cannot verify large masked computations due to computational complexity.We introduce a new verification tool named Quantile, which performs randomized simulations of the masked circuit in order to bound the mutual information between the leakage and the secret variables. Our approach ensures good scalability with the circuit size and results in proven statistical security bounds. Further, our bounds are quantitative and, therefore, more nuanced than t-probing security claims: by bounding the amount of information contained in the lower-order leakage, Quantile can evaluate the security provided by masking even when they are not 1-probing secure, i.e., when they are classically considered as insecure. As an example, we apply Quantile to masked circuits of Prince and AES, where randomness is aggressively reused.

AB - The masking countermeasure is very effective against side-channel attacks such as differential power analysis. However, the design of masked circuits is a challenging problem since one has to ensure security while minimizing performance overheads. The security of masking is often studied in the t-probing model, and multiple formal verification tools can verify this notion. However, these tools generally cannot verify large masked computations due to computational complexity.We introduce a new verification tool named Quantile, which performs randomized simulations of the masked circuit in order to bound the mutual information between the leakage and the secret variables. Our approach ensures good scalability with the circuit size and results in proven statistical security bounds. Further, our bounds are quantitative and, therefore, more nuanced than t-probing security claims: by bounding the amount of information contained in the lower-order leakage, Quantile can evaluate the security provided by masking even when they are not 1-probing secure, i.e., when they are classically considered as insecure. As an example, we apply Quantile to masked circuits of Prince and AES, where randomness is aggressively reused.

KW - side-channel analysis

KW - simulation

KW - Side-channel attacks

KW - Masking

KW - Verification

UR - http://www.scopus.com/inward/record.url?scp=85178870949&partnerID=8YFLogxK

U2 - 10.46586/tches.v2024.i1.433-456

DO - 10.46586/tches.v2024.i1.433-456

M3 - Article

SN - 2569-2925

VL - 2024

SP - 433

EP - 456

JO - IACR Transactions on Cryptographic Hardware and Embedded Systems

JF - IACR Transactions on Cryptographic Hardware and Embedded Systems

IS - 1

ER -

Quantile: Quantifying Information Leakage

Abstract

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

AWARE - Hardware-Ensured Software Security