International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Share-slicing: Friend or Foe?

Authors:
Si Gao , University of Bristol, Bristol
Ben Marshall , University of Bristol, Bristol
Daniel Page , University of Bristol, Bristol
Elisabeth Oswald , University of Bristol, Bristol, UK; University of Klagenfurt, Klagenfurt
Download:
DOI: 10.13154/tches.v2020.i1.152-174
URL: https://tches.iacr.org/index.php/TCHES/article/view/8396
Search ePrint
Search Google
Presentation: Slides
Abstract: Masking is a well loved and widely deployed countermeasure against side channel attacks, in particular in software. Under certain assumptions (w.r.t. independence and noise level), masking provably prevents attacks up to a certain security order and leads to a predictable increase in the number of required leakages for successful attacks beyond this order. The noise level in typical processors where software masking is used may not be very high, thus low masking orders are not sufficient for real world security. Higher order masking however comes at a great cost, and therefore a number techniques have been published over the years that make such implementations more efficient via parallelisation in the form of bit or share slicing. We take two highly regarded schemes (ISW and Barthe et al.), and some corresponding open source implementations that make use of share slicing, and discuss their true security on an ARM Cortex-M0 and an ARM Cortex-M3 processor (both from the LPC series). We show that micro-architectural features of the M0 and M3 undermine the independence assumptions made in masking proofs and thus their theoretical guarantees do not translate into practice (even worse it seems unpredictable at which order leaks can be expected). Our results demonstrate how difficult it is to link theoretical security proofs to practical real-world security guarantees.
Video from TCHES 2019
BibTeX
@article{tches-2019-29958,
  title={Share-slicing: Friend or Foe?},
  journal={IACR Transactions on Cryptographic Hardware and Embedded Systems},
  publisher={Ruhr-Universität Bochum},
  volume={2020, Issue 1},
  pages={152-174},
  url={https://tches.iacr.org/index.php/TCHES/article/view/8396},
  doi={10.13154/tches.v2020.i1.152-174},
  author={Si Gao and Ben Marshall and Daniel Page and Elisabeth Oswald},
  year=2019
}