International Association for Cryptologic Research

CryptoDB

Quantile: Quantifying Information Leakage

Authors:
Vedad Hadžić, Graz University of Technology, Graz, Austria
Gaëtan Cassiers, Graz University of Technology, Graz, Austria
Robert Primas, Intel Labs, Hillsboro, USA
Stefan Mangard, Graz University of Technology, Graz, Austria
Roderick Bloem, Graz University of Technology, Graz, Austria
DOI: 10.46586/tches.v2024.i1.433-456
URL: https://tches.iacr.org/index.php/TCHES/article/view/11258
Abstract: The masking countermeasure is very effective against side-channel attacks such as differential power analysis. However, designing masked circuits is a challenging problem, since one has to ensure security while minimizing performance overheads. The security of masking is often studied in the t-probing model, and multiple formal verification tools can verify this notion. However, these tools generally cannot verify large masked computations due to computational complexity. We introduce a new verification tool named Quantile, which performs randomized simulations of the masked circuit in order to bound the mutual information between the leakage and the secret variables. Our approach ensures good scalability with the circuit size and results in proven statistical security bounds. Further, our bounds are quantitative and therefore more nuanced than t-probing security claims: by bounding the amount of information contained in the lower-order leakage, Quantile can evaluate the security provided by masking even for circuits that are not 1-probing secure, i.e., circuits that are classically considered insecure. As an example, we apply Quantile to masked circuits of Prince and AES in which randomness is aggressively reused.
BibTeX
@article{tches-2023-33674,
  title={Quantile: Quantifying Information Leakage},
  journal={IACR Transactions on Cryptographic Hardware and Embedded Systems},
  publisher={Ruhr-Universität Bochum},
  volume={2024, No. 1},
  pages={433-456},
  url={https://tches.iacr.org/index.php/TCHES/article/view/11258},
  doi={10.46586/tches.v2024.i1.433-456},
  author={Vedad Hadžić and Gaëtan Cassiers and Robert Primas and Stefan Mangard and Roderick Bloem},
  year=2023
}