# Emmanuel Prouff

French Network and Information Security Agency · Hardware Security Lab

## About

- Publications: 112
- Reads: 24,531


- Citations: 5,184

**Additional affiliations**

- March 2012 - present: **French Network and Information Security Agency**, Embedded Security Expert
- September 2002 - September 2003

## Publications (112)

In the context of side-channel countermeasures, threshold implementations (TI) have been introduced in 2006 by Nikova et al. to defeat attacks which exploit hardware effects called glitches. On several aspects, TI may be seen as an extension of another classical side-channel countermeasure, called masking, which is essentially based on the sharing...

The masking countermeasure is among the most powerful countermeasures against side-channel attacks. Leakage models have been exhibited to reason theoretically on the security of such masked implementations. So far, the most widely used leakage model is the probing model defined by Ishai, Sahai, and Wagner (CRYPTO 2003). While it is advanta...

Recent works have demonstrated that deep learning algorithms are efficient for conducting security evaluations of embedded systems and have many advantages compared to other methods. Unfortunately, their hyper-parametrization has often been kept secret by the authors, who only discussed the main design principles and the attack efficiencies in...

In the context of side-channel countermeasures, threshold implementations (TI) have been introduced in 2006 by Nikova et al. to defeat attacks in presence of hardware effects called glitches. On several aspects, TI may be seen as an extension of another classical side-channel countermeasure, called masking, which is essentially based on the sharing...

We consider multi-party information-theoretic private protocols, and specifically their randomness complexity. The randomness complexity of private protocols is of interest both because random bits are considered a scarce resource, and because of the relation between that complexity measure and other complexity measures of boolean functions such as...

Recently, several studies have been published on the application of deep learning to enhance Side-Channel Attacks (SCA). These seminal works have practically validated the soundness of the approach, especially against implementations protected by masking or by jittering. Concurrently, important open issues have emerged. Among them, the relevance of...

In Side-Channel Analysis (SCA), several papers have shown that neural networks can be trained to efficiently extract sensitive information from implementations running on embedded devices. This paper introduces a new tool called Gradient Visualization that aims to perform a post-mortem information leakage characterization after the successful tra...

This paper presents the results of several successful profiled side-channel attacks against a secure implementation of the RSA algorithm. The implementation was running on an ARM Core SC 100 completed with a certified EAL4+ arithmetic co-processor. The analyses were conducted by three expert teams, each working on a specific attack path and e...

Neural Networks (NN) are today increasingly used in Machine Learning, where they have become deeper and deeper to accurately model or classify high-level abstractions of data. Their development, however, also gives rise to important data privacy risks. This observation motivated Microsoft researchers to propose a framework called Cryptonets. The core i...

We describe an industrial case study of the application of zero-knowledge Succinct Non-interactive Argument of Knowledge techniques to enable a client to securely outsource the signature of a confidential document he owns to a digital signature provider. On the one hand, the client gets a valid standard signature of his confidential document while...

Masking is a well-known class of countermeasures against side-channel analyses (SCAs) that employs the idea of secret sharing. The theoretical security proof model of higher-order masking was initiated by Ishai, Sahai and Wagner (ISW), and Barthe et al. pushed it forward by proposing a more refined security definition named t-SNI security. In CHES...

To strengthen the resistance of countermeasures based on secret sharing, several works have suggested using the scheme introduced by Shamir in 1978, which proposes evaluating a random d-degree polynomial at n ≥ d + 1 public points to share the sensitive data. Applying the same principles used against the classical Boolean sharing, a...

In the context of the security evaluation of cryptographic implementations, profiling attacks (aka Template Attacks) play a fundamental role. Nowadays the most popular Template Attack strategy consists in approximating the information leakages by Gaussian distributions. Nevertheless, this approach suffers from the difficulty of dealing with both the tr...

The notion of privacy in the probing model, introduced by Ishai, Sahai, and Wagner in 2003, is nowadays frequently invoked to assess the security of circuits manipulating sensitive information. However, provable security in this model still comes at the cost of a significant overhead both in terms of arithmetic complexity and randomness complexity...

On the one hand, collision attacks have been introduced in the context of side-channel analysis for attackers who exploit repeated code with the same data without having any knowledge of the leakage model. On the other hand, stochastic attacks have been introduced to recover leakage models of internally processed intermediate secret variables. Both tech...

To reduce the memory and timing complexity of the Side-Channel Attacks (SCA), dimensionality reduction techniques are usually applied to the measurements. They aim to detect the so-called Points of Interest (PoIs), which are time samples which (jointly) depend on some sensitive information (e.g. secret key sub-parts), and exploit them to extract in...

In this paper, we consider the multi-bit Differential Power Analysis (DPA) in the Hamming weight model. In this regard, we revisit the definition of Transparency Order (\(\mathsf {TO}\)) from the work of Prouff (FSE 2005) and find that the definition has certain limitations. Although this work has been widely referred to in the literature, surpris...

The template attack is the most common and powerful profiled side-channel attack. It relies on a realistic assumption regarding the noise of the device under attack: the probability density function of the data is a multivariate Gaussian distribution. To relax this assumption, a recent line of research has investigated new profiling approaches mainly b...

A common countermeasure against side-channel attacks consists in using the masking scheme originally introduced by Ishai, Sahai and Wagner (ISW) at Crypto 2003, and further generalized by Rivain and Prouff at CHES 2010. The countermeasure is provably secure in the probing model, and it was shown by Duc, Dziembowski and Faust at Eurocrypt 2014 that...

We describe a new technique for improving the efficiency of the masking countermeasure against side-channel attacks. Our technique is based on using common shares between secret variables, in order to reduce the number of finite field multiplications. Our algorithms are proven secure in the ISW probing model with \(n \geqslant t+1\) shares against...

Recent studies have shown high interest in statistical methods dedicated to the prediction of the maximum confidence levels in simulations and measurements for risk assessment in electromagnetic compatibility. In particular, it has been shown that one of the main issues remains the access to a number of samples allowing the assessment of the risks...

Many cryptographic algorithms are vulnerable to side-channel analysis, and several leakage models have been introduced to better understand these flaws. In 2003, Ishai, Sahai and Wagner introduced the d-probing security model, in which an attacker can observe at most d intermediate values during a computation. They also proposed an algorithm that sec...

Side Channel Analysis (SCA) is a class of attacks that exploits leakage of information from a cryptographic implementation during execution. To thwart it, masking is a common countermeasure. The principle is to randomly split every sensitive intermediate variable occurring in the computation into several shares and the number of shares, called the...

Advanced Side-Channel Analyses make use of dimensionality reduction techniques to reduce both the memory and timing complexity of the attacks. The most popular methods to perform such a reduction are Principal Component Analysis (PCA) and Linear Discriminant Analysis (LDA). They indeed lead to remarkable efficiency gains, but their use in...

A side-channel analysis of multiplication in \(\mathsf {GF}(2^{128})\) has recently been published by Belaïd, Fouque and Gérard at Asiacrypt 2014, with an application to AES-GCM. Using the least significant bit of the Hamming weight of the multiplication result, the authors have shown how to recover the secret multiplier efficiently. However such l...

Recent studies have shown a high interest in statistical methods dedicated to the prediction of the maximum confidence in simulation and measurements for Electromagnetic Compatibility. In particular, it has been shown that one of the main issues remains the access to a number of samples allowing the estimation of the risks with regard to the test set-up r...

The probing security model is very popular to prove the side-channel security of cryptographic implementations protected by masking. A common approach to secure nonlinear functions in this model is to represent them as polynomials over a binary field and to secure their nonlinear multiplications thanks to a method introduced by Ishai, Sahai and Wagn...

Elliptic curve cryptography is today widely spread in embedded systems and the protection of their implementation against side-channel attacks has been largely investigated. At CHES 2012, a countermeasure has been proposed which adapts Montgomery’s arithmetic to randomize the intermediate results during scalar point multiplications. The approach tu...

Recent studies have shown a high interest in statistical methods dedicated to the prediction of worst case scenarios in Electromagnetic Compatibility. In particular, it has been shown that the extremal types theorem allows for avoiding the use of the statistical terminal points and safe margins in the design of protective devices. Nevertheless, its...

The resistance of a cryptographic implementation with regards to side-channel analysis is often quantified by measuring the success rate of a given attack. This approach cannot always be followed in practice, especially when the implementation includes some countermeasures that may render the attack too costly for an evaluation purpose, but not cos...

Many applications of embedded devices require the generation of cryptographic secret parameters during the life cycle of the product. In such an unsafe context, several papers have shown that key generation algorithms are vulnerable to side-channel attacks. This is in particular the case of the generation of the secret prime factors in RSA. Until n...

A method for evaluating a function of a finite field of characteristic p into itself, for an element x of the field, uses an evaluation, for the element x, of a polynomial formed by a plurality of monomials. The evaluation of the polynomial includes the following steps: determining monomials the degree of which is an integer power of the characteri...

Low Entropy Masking Schemes (LEMS) are a recent countermeasure against side-channel attacks. They aim at reducing the randomness requirements of masking schemes under certain (adversarial and implementation) conditions. Previous works have put forward the interest of this approach when such conditions are met. We complement these investigations by...

To defeat side-channel attacks, the implementation of block cipher algorithms in embedded devices must include dedicated countermeasures. To this end, security designers usually apply secret sharing techniques and build masking schemes to securely operate on shared data. The popularity of this approach can be explained by the fact that it enables f...

Electromagnetic intelligence and attacks pose unacceptable risks for the security and safety of critical networks and more specifically the power network. In this paper, it is pointed out how the use of the excess model allows extrapolating the very high level of spurious compromising emanations induced by an information system in realistic power...

In recent years, side channel analysis has received a lot of attention, and attack techniques have been improved. Second-order side channel analysis is now successful in breaking implementations of block ciphers supposed to be effectively protected. This progress shows not only the practicability of second order attacks, but also the need fo...

Implementations of cryptographic algorithms are vulnerable to Side-Channel Analyses extracting information from the device behaviour. When such an attack targets the manipulation of several, say d, intermediate variables then it is said to be a d-th order one. A privileged way to circumvent this type of attacks is to split any key-dependent variabl...

A method for creating a group signature of a message to be implemented by a member of a group in a system, the system including a trust authority, the group including at least the member provided with a secure portable electronic entity including storage elements and computing elements in which a cryptographic algorithm is implanted. The method inc...

This article deeply analyses high-order (HO) Boolean masking countermeasures against side-channel attacks in contexts where the shares are manipulated simultaneously and the correlation coefficient is used as a statistical distinguisher. The latter attacks are sometimes referred to as zero-offset High-Order Correlation Power Analysis (HO-CPA). In p...

Since the introduction of side channel attacks in the nineties, a large amount of work has been devoted to their effectiveness and efficiency improvements. On the one hand, general results and conclusions are drawn in theoretical frameworks, but the latter are often set in too ideal a context to capture the full complexity of an attack perform...

A method of executing an algorithm includes protecting an electronic device by affine masking. The electronic device executes operations on secret variables x, the secret variables x being binary vectors of a given size N other than zero. The method further includes replacing the secret variables x using an affine masking operation, by the followin...

Side-channel attacks usually apply a divide-and-conquer strategy, separately recovering different parts of the secret. Their efficiency in practice relies on the adversary's ability to precisely assess the success or failure of each of these recoveries. This makes the study of the attack success rate a central problem in side channel analysis. In t...

Elliptic curves based algorithms are nowadays widely spread among embedded systems. They indeed have the double advantage of providing efficient implementations with short certificates and of being relatively easy to secure against side-channel attacks. As a matter of fact, when an algorithm with constant execution flow is implemented together with...

Since the preliminary works of Kocher et al. in the nineties, studying and enforcing the resistance of cryptographic implementations against side channel analysis (SCA) has become a dynamic and prolific area of embedded security. Stochastic attacks, introduced by Schindler et al., form one of the main families of SCA and they offer a valuable altern...

Safety and security of critical infrastructures rely on the robustness of the involved systems to electromagnetic interferences from the electromagnetic compatibility point of view. In recent years, documented electromagnetic interferences attacks have demonstrated the susceptibility of devices (F. Sabath, European Electromagnetics EUROEM 2012, pp....

Modelling the power-grid network is of fundamental interest to analyse the conducted propagation of unintentional and intentional electromagnetic interferences. The propagation is indeed highly influenced by the channel behaviour. In this paper, we investigate the effects of appliances and the position of cables in a low voltage network. First, the...

A method for data cryptographic processing, that is implemented by an electronic entity and includes the conversion of input data (M′i−1), masked by an input mask (X), into output data, the conversion using a conversion table (S), and the method including the following steps: for at least one plurality of possible values (A) for the input mask (X),...

Masking is a well-known countermeasure to protect block cipher implementations against side-channel attacks. The principle is to randomly split every sensitive intermediate variable occurring in the computation into d+1 shares, where d is called the masking order and plays the role of a security parameter. Although widely used in practice, masking...

We are interested here in the Electromagnetic Compatibility of complex structures. The study of such systems a priori requires running simulations or performing measurements for the totality of possible configurations. Such exhaustiveness is rarely feasible in practice, so a Monte-Carlo analysis is then preferred in order to...

Modelling the distribution network is of fundamental interest to analyse the conducted propagation of unintentional and intentional electromagnetic interferences in the power-grid. The propagation is indeed highly influenced by channel behaviour. In this paper we investigate the effects of appliances and the position of cables in the network. First...

Within critical infrastructures, the immunity and emissivity of electronic equipment, in the sense of Electromagnetic Compatibility (EMC), are two major issues for security and operational safety. Civil and military EMC standards define tolerance levels guaranteeing the operation of this equipment with a...

Masking is a widely used countermeasure to protect block cipher implementations against side-channel attacks. The principle is to split every sensitive intermediate variable occurring in the computation into \(d+1\) shares, where \(d\) is called the masking order and plays the role of a security parameter. A masked implementation is then said to ac...

Statistical studies involved in risk management mainly focus on general tendencies which are considered as sufficient for non-critical applications. This implies laying aside extreme events which may nonetheless be crucial to the security of critical facilities. In light of this observation, it is proposed here to follow the opposite approach and t...

Since the introduction of side-channel attacks in the nineties, RSA implementations have been a privileged target. A wide variety of countermeasures have been proposed and most practical attacks are nowadays efficiently defeated by them. However, in a recent work published at ICICS 2010, Clavier et al. have pointed out that almost all the existin...

At CHES 2011 Goubin and Martinelli described a new countermeasure against side-channel analysis for AES based on Shamir's secret-sharing scheme. In the present paper, we exhibit a flaw in this scheme and we show that it is always theoretically broken by a first-order side-channel analysis. As a consequence of this attack, only a slight adaptation o...

Since their introduction in 1996, the effectiveness of side channel attacks has been highly improved and many countermeasures have been invalidated. A very common countermeasure consists in randomizing sensitive variables of algorithms by masking techniques. In this paper, we propose a new way to apply this strategy to secure hardware implementatio...

To guarantee the security of a cryptographic implementation against Side Channel Attacks, a common approach is to formally prove the security of the corresponding scheme in a model as pertinent as possible. Nowadays, security proofs for masking schemes in the literature are usually conducted for models where only the manipulated data are assumed to...

Differential power analysis is a powerful cryptanalytic technique that exploits information leaking from physical implementations of cryptographic algorithms. During the last two decades, numerous variations of the original principle have been published. In particular, the univariate case, where a single instantaneous leakage is exploited, has attr...

Masking is a common countermeasure against side-channel attacks. The principle is to randomly split every sensitive intermediate variable occurring in the computation into d+1 shares, where d is called the masking order and plays the role of a security parameter. The main issue while applying masking to protect a block cipher implementation is to d...

One protection of cryptographic implementations against side-channel attacks is the masking of the sensitive variables. In this article, we present a first-order masking that does not leak information when the registers change values according to some specific (and realistic) rules. This countermeasure applies to all devices that leak a function of...

Higher-order side channel attacks are a class of powerful techniques against cryptographic implementations. Their complexity grows exponentially with the order, but for small orders (e.g. 2 and 3) recent studies have demonstrated that they pose a serious threat in practice. In this context, it is today of great importance to design software counterm...

Side Channel Analysis (SCA) is a class of attacks that exploit leakage of information from a cryptographic implementation during execution. To thwart it, masking is a common strategy that aims at hiding the correlation between the manipulated secret key and the physical measurements. Even though the soundness of masking has often been argued, its applicati...

Mutual Information Analysis is a generic side-channel distinguisher that was introduced at CHES 2008. It aims to allow successful attacks requiring minimum assumptions and knowledge of the target device by the adversary. In this paper, we compile recent contributions and applications of MIA in a comprehensive study. From a theoretical point of...