Tornado is a compiler producing masked bitsliced implementations proven secure in the bit/register probing model. It was introduced in the following publication
Tornado: Automatic Generation of Probing-Secure Masked Bitsliced Implementations
by
- Sonia Belaïd
- Pierre-Evariste Dagand
- Darius Mercadier
- Matthieu Rivain
- Raphaël Wintersdorff
Tornado is composed of (a modified version of) usuba and tightPROVE+ (an extension of tightPROVE).
Respective documentation for each tools separately can be found in
src/usuba/Readme.md and src/tightPROVEp/manual.txt.
What follows is the documentation for their combination. If you just
want to use the tool, we recommand that you first read
src/usuba/Readme.md, which explains how to use Usuba. To then use
Tornado, just add the flags -tp -ua-masked (and optionally
-light-inline) to your usubac compile lines.
-
Our artefact (the Tornado compiler & supporting benchmarks) is distributed through a Docker container. The first step is thus to install Docker on your machine:
On Debian & Ubuntu:
sudo apt-get install docker.ioorsudo apt-get install docker-ceOn Arch:sudo pacman -S dockerOn other platforms, please refer to:https://docs.docker.com/install/ -
To make our container, run:
make -
To interact with the toolchain, run:
docker run -ti --hostname dadaubuntu tornado /bin/bashwhich will give you a shell inside the container
You need to install SageMath 8.9 or later. This can be done either via your distribution's packages, or from source (or precompiled binaries) on www.sagemath.org.
src/usuba/Readme.md explains how to install Usuba. In a nutshell:
cd src/usuba
./install_deps.pl
./configure.pl # See bellow
Note that before running configure.pl, you should edit
src/usuba/config.json with the path of you sage binary. See
src/usuba/config.json.help for more details.
Once you have installed SageMath as well as Usuba's dependencies, you
can run src/make. This will compile Usuba with the correct paths for
sage and tightPROVE+.
This will create a binary named tornado in the current folder. This
binary can be used like usubac.
Once you have installed TightPROVE+, Usuba, and Tornado, you can test that your tornado build works by running:
./simple_test/run.pl
This will run tornado on simple_test/ace_f.ua, which an Usuba
implementation of the f function from the cipher ACE. run.pl will
try to compile this Usuba code using Tornado, and will make sure that
the result contains a refresh, as it should.
If this script prints Tornado seems to work., then you are good to
go, and you may start using Tornado.
tornado can be used in the same fashion as usubac, with a few more
flags. Mainly:
-
-tp: calls tightPROVE+ to insert refreshes as needed. -
-ua-masked: masks the code generated byusubacwithinusubac. Loop fusion is performed, as well as constant-propagation within multiplications. -
-masked: masks the code generated byusubacwhen emittingCcode. No optmizations related to masking are performed. We recommand using this flag rather than-ua-maskedfor debugging, but you should switch to-ua-maskedin production for better performances. -
-light-inline: Usuba's previous behaviour was to perform very aggressive inlining, as it was targetting high-end intel CPUs, with large amount of RAM. However, in our setting, it is better to keep binary size low and avoid inlining too many functions. Using this flag, only functions explicitely marked with_inlineare inlined.
Furthermore, we highly recommand that you pass on either -B or -V
to tornado, depending on whether you compile your source to
respectively bitsliced or nsliced code.
The C codes generated will use a macro called MASKING_ORDER that
will not be be defined. In order to compile them at a given order,
you'll need of either #define MASKING_ORDER <n> or to pass
-DMASKING_ORDER=<n> to your C compiler.
For more examples on how to use tornado, we refer to the files
src/usuba/gen_nist_benchs.sh, and src/usuba/gen_nist_benchs_masked.sh.
Be aware that compiling a cipher with -tp will take some time in all
likelyhood. However, since there is a cache, subsequent compilation
should be faster. If you are in a hurry, you can always omit the
-tp flag, which means that tornado will not call tightPROVE+ to
insert additional refreshes. Be careful however, since the resulting
code might be vulnerable.
You will find a lot of cipher implementations in src/usuba/samples/usuba.
Take for instance the cipher Ace, whose usuba implementation is to
be found in src/usuba/samples/usuba/ace.ua. As it is, it's currently
vulnerable due to a lack of refreshing of x inside its function f.
You can compile it to bitslice and vslice masked code using:
./tornado -B -light-inline -tp -ua-masked -o ace_bitslice.c usuba/samples/usuba/ace.ua
./tornado -V -light-inline -tp -ua-masked -o ace_nslice.c usuba/samples/usuba/ace.ua
This will produce two C files. Inspecting them will reveal that the
f function of the nsliced implementation contains an refresh, which
wasn't in the original source. (the bitsliced implementation doesn't
need this refresh)
You can find a lot of ciphers in Usuba inside src/usuba/samples/usuba.
More details can be found about the ciphers from the NIST lightweight
cipher competition in src/usuba/nist/. The structure of this directory
is as follows:
-
src/usuba/nist/<cipher>/usuba/uacontains basic correctness-checking for Usuba generated code: themain.crun usuba-generated versions of the ciphers as well as reference implementations, and make sure the results are the same. (foldersua_maskedserve the same purposes but for masked implementations) -
src/usuba/nist/<cipher>/usuba/benchcontains C codes generated from Usuba implementations as well as reference implementations, destined to be benchmarked. On an Intel CPU, you can use the scriptssrc/usuba/bench_nist.plandsrc/usuba/bench_nist_masked.plto benchmark those implementations.
- Usuba is under MIT license
- tightPROVE+ is under GPLv3