## **FINE-GRAINED**

# LEAKAGE MODELS

# & VERIFICATION OF SOFTWARE MASKING

Marc Gourjon VERISICC Seminar 2022 SEPTEMBER 2022



PUBLIC

NXP, THE NXP LOGO AND NXP SECURE CONNECTIONS FOR A SMARTER WORLD ARE TRADEMARKS OF NXP B.V. ALL OTHER PRODUCT OR SERVICE NAMES ARE THE PROPERTY OF THEIR RESPECTIVE OWNERS. © 2022 NXP B.V.



## Masking in Fine-Grained Leakage Models: Construction, Implementation and Verification

Gilles Barthe<sup>1,2</sup>, Marc Gourjon<sup>3,4</sup>, Benjamin Grégoire<sup>5</sup>, Maximilian Orlt<sup>6</sup>, Clara Paglialonga<sup>6</sup> and Lars Porth<sup>6</sup>

<sup>1</sup> MPI-SP, Germany
 <sup>2</sup> IMDEA Software Institute, Spain gjbarthe@gmail.com
 <sup>3</sup> Hamburg University of Technology, Germany, firstname.lastname@tuhh.de
 <sup>4</sup> NXP Semiconductors, Germany
 <sup>5</sup> Inria, France, firstname.lastname@inria.fr
 <sup>6</sup> TU Darmstadt, Germany, firstname.lastname@tu-darmstadt.de

scVerif: <u>https://github.com/scverif/scverif</u> Gadgets: <u>https://github.com/scverif/gadgets</u> Contract: <u>https://eprint.iacr.org/2022/565.pdf</u> Kyber: <u>https://eprint.iacr.org/2021/483.pdf</u>

#### Power Contracts: Provably Complete Power Leakage Models for Processors

Roderick Bloem\* Graz University of Technology Graz, Austria Barbara Gigerl Graz University of Technology Graz, Austria Marc Gourjon Hamburg University of Technology Hamburg, Germany NXP Semiconductors Hamburg, Germany

Robert Primas Graz University of Technology Graz, Austria

These works received funding from the Federal Ministry of Education and Research (BMBF) as part of the VE-Jupiter project (grant number 16ME0231K).

Vedad Hadžić Graz University of Technology Graz, Austria Stefan Mangard Graz University of Technology Graz, Austria



masked\_program.s







In this talk

-

-



NC 5 PUBLIC

- Physical computation on CPU
  - Electrical charge flowing
  - Charge = State = bit =  $\{1,0\}$  = key?



- Physical computation on CPU
  - Electrical charge flowing
  - Charge = State = bit =  $\{1,0\}$  = key?



- Physical computation on CPU
  - Electrical charge flowing
  - Charge = State = bit =  $\{1,0\}$  = key?





- Physical computation on CPU
  - Electrical charge flowing
  - Charge = State = bit =  $\{1,0\}$  = key?





#### MASKING

- Split all secret (dependent) data
  - $-k = k_0 \oplus k_1 \oplus \dots \oplus k_{n-1}$
  - Information theoretical security guarantee
    - Prove no information on any secret key can be retrieved under certain assumption
    - $\rightarrow$  Adversaries must recover at least d < n shares



#### MASKING

- Split all secret (dependent) data
  - $-k = k_0 \oplus k_1 \oplus \dots \oplus k_{n-1}$
  - Information theoretical security guarantee
    - Prove no information on any secret key can be retrieved under certain assumption
    - $\rightarrow$  Adversaries must recover at least d < n shares



```
masked AND z = x \land y

Inputs: (x_0, x_1, ..., x_{n-1}), (y_0, y_1, ..., y_{n-1})

For i = 0 to n - 1

z_i \leftarrow x_i \land y_i

For i = 0 to n - 1

For j = i + 1 to n - 1

r \leftarrow \{0, 1\}

r' \leftarrow (r \oplus (x_i \land y_j)) \oplus (x_j \land y_i)

z_i \leftarrow z_i \oplus r

z_j \leftarrow z_j \oplus r'

Return (z_0, z_1, ..., z_{n-1})
```

Proven secure!

## <u>*d*th</u> -Order probing security



Proven secure!

## <u>*d*th</u> -Order probing security



Proven secure!

## <u>*d*th</u> -Order probing security



Proven secure!

## <u>*d*th</u> -Order probing security





Leakage model := What is observable via side-channel

- Computational / value leakage
- Different & more observations possible in practice

• Application to entire ciphers (e.g., Kyber)



• Application to entire ciphers (e.g., Kyber)



• Application to entire ciphers (e.g., Kyber)



- Application to entire ciphers (e.g., Kyber)
- Hand-crafted compositions, specialized algorithms for efficient gadgets



- Compilers will break security
  - → Assembly programming

- Compilers will break security
  - → Assembly programming

- Compilers will break security
  - → Assembly programming

- Functional correctness
- Adhere to observables intermediates in security proof
- Adhere to proven composition
- Randomness (re-use)

- Compilers will break security
   → Assembly programming
- Functional correctness
- Adhere to observables intermediates in security proof
- Adhere to proven composition
- Randomness (re-use)

$$r' \leftarrow r \oplus ((x_i \wedge y_j) \oplus (x_j \wedge y_i))$$
?

- Compilers will break security
   → Assembly programming
- Functional correctness
- Adhere to observables intermediates in security proof
- Adhere to proven composition
- Randomness (re-use)
- Device-specific leakage



$$r' \leftarrow r \oplus ((x_i \wedge y_j) \oplus (x_j \wedge y_i))$$
?

#### MORE REALISTIC POWER LEAKAGE





- Side-Channel = physical phenomenon
  - Not just computation leakage
  - Much more observations
- Gap in provable security
  - Any leakage observable in practice which is not captured by a proof of security













Problem: Same program has differen *t* microarchitecture



Cause: Processor's implementation → microarchitecture

#### DEVICE-SPECIFIC LEAKAGE (2) MICROARCHITECTURE









Composable Masking Schemes in the Presence of Physical Defaults & the Robust Probing Model. Sebastian Faust, Vincent Grosso, Santos Merino Del Pozo, Clara Paglialonga, François-Xavier Standaert. CHES 2018.

#### DEVICE-SPECIFIC LEAKAGE (2) MICROARCHITECTURE









Composable Masking Schemes in the Presence of Physical Defaults & the Robust Probing Model. Sebastian Faust, Vincent Grosso, Santos Merino Del Pozo, Clara Paglialonga, François-Xavier Standaert. CHES 2018.


















































¢

xor rD, rN, rM leak HD(rN, rM)

and rD, rN, rM leak HD(rN, rM)











xor rD, rN, rM
 leak HD(rN, previous(rN))
 leak HD(rM, previous(rM))

```
and rD, rN, rM
    leak HD(rN, previous(rN))
    leak HD(rM, previous(rM))
```



xor rD, rN, rM leak HD(rN, rM)







- Remainder of DSL does not expose leakage
- May effect efficiency of hardened implementations





- Remainder of DSL does not expose leakage
- May effect efficiency of hardened implementations





- Remainder of DSL does not expose leakage
- May effect efficiency of hardened implementations

• leak( HD(value\_1, value\_2) );





HD(value\_1, value\_2) HW(value\_1)

- Remainder of DSL does not expose leakage
- May effect efficiency of hardened implementations





- Remainder of DSL does not expose leakage
- May effect efficiency of hardened implementations



- Remainder of DSL does not expose leakage
- May effect efficiency of hardened implementations

# Formal leakage model in GENOA := SAIL DSL [1] + leak [2]



[2]: Masking in Fine-Grained Leakage Models: Construction, Implementation and Verification. Gilles Barthe, Marc Gourjon, Benjamin Grégoire, Maximilian Orlt, Clara Paglialonga, Lars Porth. CHES 2021.

# Formal leakage model in GENOA := SAIL DSL [1] + leak [2]



[2]: Masking in Fine-Grained Leakage Models: Construction, Implementation and Verification. Gilles Barthe, Marc Gourjon, Benjamin Grégoire, Maximilian Orlt, Clara Paglialonga, Lars Porth. CHES 2021.

# Formal leakage model in GENOA := SAIL DSL [1] + leak [2]



[2]: Masking in Fine-Grained Leakage Models: Construction, Implementation and Verification. Gilles Barthe, Marc Gourjon, Benjamin Grégoire, Maximilian Orlt, Clara Paglialonga, Lars Porth. CHES 2021.

# Formal leakage model in GENOA := SAIL DSL [1] + leak [2]

```
// see license in Listing L
// execute a XOR instruction
execute (XOR(rs2, rs1, rd)) = {
  let rs1 val = X(rs1);
                          // read register rs1
 let rs2 val = X(rs2);
                                 // read register rs2
  let result = rs1_val ^ rs2_val;
                                  // compute XOR operation
  leak(HD(X(rs1), X(rs2)));
                                  // leakage between operands
  leak( X(rs1), X(rs2) );
                          // leakage between operands
  leak( X(rd), result );
                                  // transition leakage, e.g., HD
 X(rd) = result;
                                  // write result to rd
 return RETIRE SUCCESS
```

[2]: Masking in Fine-Grained Leakage Models: Construction, Implementation and Verification. Gilles Barthe, Marc Gourjon, Benjamin Grégoire, Maximilian Orlt, Clara Paglialonga, Lars Porth. CHES 2021.

# Formal leakage model in GENOA := SAIL DSL [1] + leak [2]

```
// see license in Listing L
// execute a XOR instruction
execute (XOR(rs2, rs1, rd)) = {
  let rs1 val = X(rs1);
                                  // read register rs1
 let rs2 val = X(rs2);
                                   // read register rs2
  let result = rs1_val ^ rs2_val;
                                   // compute XOR operation
  leak(HD(X(rs1), X(rs2)));
                                   // leakage between operands
                           // leakage between operands
  leak( X(rs1), X(rs2) );
  leak( X(rd), result );
                                   // transition leakage, e.g., HD
 X(rd) = result;
                                    // write result to rd
  return RETIRE SUCCESS
```



[2]: Masking in Fine-Grained Leakage Models: Construction, Implementation and Verification. Gilles Barthe, Marc Gourjon, Benjamin Grégoire, Maximilian Orlt, Clara Paglialonga, Lars Porth. CHES 2021.

... xor x1, x2, x3 and x4, x5, x6











```
...
xor x1, x2, x3
    rf_pA = x2
and x4, x5, x6
    leak (x5, rf_pA)
```

```
...
// see license in Listing L
                                                   // execute a XOR instruction, similar for AND
execute (XOR(rs2, rs1, rd)) = {
  let rs1_val = X(rs1);
  let rs2_val = X(rs2);
  let result = rs1_val ^ rs2_val;
  leak( X(rs1), rf_pA); // leak of rs1 & previous rs1
  rf_pA = rs1_val; // leakage state to remember operand 1
  X(rd) = result;
  return RETIRE_SUCCESS
}
```





PUBLIC 57







One contract for many processors

```
// see license in Listing L
                                        // execute a XOR instruction
                                             -
execute (XOR(rs2, rs1, rd)) = {
 let rs1_val = X(rs1);
                                        .....
 let rs2_val = X(rs2);
  let result = rs1_val ^ rs2_val;
 leak( X(rs1), rf_pA,
         X(rs2), rf_pB);
  rf_pA = rs1_val;
  rf pB = rs2 val;
 X(rd) = result;
 return RETIRE_SUCCESS
}
```

One contract for many processors





# One contract for many processors





| ••• |     |     |    |
|-----|-----|-----|----|
| xor | x1, | x2, | x3 |
| xor | x0, | x0, | x0 |
| and | x4, | x5, | x6 |

•••

PUBLIC 61

One contract for many processors







•••

One contract for many processors







•••

- Contract enables to execute entire programs symbolically
- See License in Listing L

```
// execute a decoded instruction
function clause execute (RTYPE(rs2, rs1, rd, op)) = {
  let rs1_val = X(rs1); // read register rs1
 let rs2 val = X(rs2);
  common_leakage(rs1_val, rs2_val);
  let result = match op { // match-case
   RISCV_ADD => rs1_val + rs2_val, // compute ADD operation
         . . .
   RISCV AND => rs1 val & rs2 val,
 };
  overwrite leakage(rd, result);
 X(rd) = result;
                                   // write result to rd
 return RETIRE SUCCESS
}
```

- Contract enables to execute entire programs symbolically
- See License in Listing L

```
// decode or encode an ADD instruction
// add rd rs1 rs2 ==> RTYPE(rs2, rs1, rd, RISCV_ADD)
mapping clause encdec = RTYPE(rs2, rs1, rd, RISCV_ADD)
<-> 0b0000000 @ rs2 @ rs1 @ 0b000 @ rd @ 0b0110011
```

```
// execute a decoded instruction
function clause execute (RTYPE(rs2, rs1, rd, op)) = {
  let rs1 val = X(rs1); // read register rs1
  let rs2 val = X(rs2);
  common leakage(rs1 val, rs2 val);
  let result = match op { // match-case
   RISCV ADD => rs1 val + rs2 val, // compute ADD operation
         . . .
   RISCV AND => rs1 val & rs2 val,
  };
  overwrite leakage(rd, result);
 X(rd) = result;
                                   // write result to rd
 return RETIRE SUCCESS
```

- Contract enables to execute entire programs symbolically
- See License in Listing L

```
function common_leakage(rs1_val, rs2_val) = {
    leak(rs1_val, rs2_val, rf_pA, rf_pB,
    mem_last_addr, mem_last_read);
    rf_pA = rs1_val;
    rf_pB = rs2_val; /* update read ports */
    mem_last_read = 0; /* clear data memory port */
```

```
// decode or encode an ADD instruction
// add rd rs1 rs2 ==> RTYPE(rs2, rs1, rd, RISCV_ADD)
mapping clause encdec = RTYPE(rs2, rs1, rd, RISCV_ADD)
<-> 0b0000000 @ rs2 @ rs1 @ 0b000 @ rd @ 0b0110011
```

```
// execute a decoded instruction
function clause execute (RTYPE(rs2, rs1, rd, op)) = {
  let rs1 val = X(rs1); // read register rs1
  let rs2 val = X(rs2);
  common leakage(rs1 val, rs2 val);
 let result = match op { // match-case
   RISCV ADD => rs1 val + rs2 val, // compute ADD operation
         . . .
   RISCV AND => rs1 val & rs2 val,
  };
  overwrite leakage(rd, result);
 X(rd) = result;
                                   // write result to rd
 return RETIRE SUCCESS
}
```

NP

- Contract enables to execute entire programs symbolically
- See License in Listing L

```
function step_ibex (op : bits(32)) -> bool = {
    nextPC = PC + 4;
```

```
let instruction = encdec(op);
let ret = execute(instruction);
```

```
let success : bool =
    match ret {
        RETIRE_SUCCESS => true,
        RETIRE_FAIL => false
    };
    tick_pc();
    return success
}
```

```
function common_leakage(rs1_val, rs2_val) = {
    leak(rs1_val, rs2_val, rf_pA, rf_pB,
    mem_last_addr, mem_last_read);
    rf_pA = rs1_val;
    rf_pB = rs2_val; /* update read ports */
    mem_last_read = 0; /* clear data memory port */
```

```
// decode or encode an ADD instruction
// add rd rs1 rs2 ==> RTYPE(rs2, rs1, rd, RISCV_ADD)
mapping clause encdec = RTYPE(rs2, rs1, rd, RISCV_ADD)
<-> 0b000000 @ rs2 @ rs1 @ 0b000 @ rd @ 0b0110011
```

```
// execute a decoded instruction
function clause execute (RTYPE(rs2, rs1, rd, op)) = {
   let rs1_val = X(rs1); // read register rs1
   let rs2_val = X(rs2);
```

```
common_leakage(rs1_val, rs2_val);
```

```
overwrite_leakage(rd, result);
```

```
X(rd) = result;
return RETIRE_SUCCESS
```

// write result to rd

# GENOA VS. IL

Models for scVerif written in IL
 scVerif does not (yet) support Genoa

- Important differences
  - No bitvectors
  - Hardcoded assembly frontend
    - No decoding of opcodes
    - No step function
    - Symbolic addresses

| Algorithm 3 Simplified power side-channel leakage me | odel for $CM0+$ instructions.             |
|------------------------------------------------------|-------------------------------------------|
| 1: var R0; var R1; var R12; var PC;                  | ▷ Global registers                        |
| 2: var opA; var opB; var opR; var opW;               | $\triangleright$ Global leakage state     |
| 3: macro XOR (rd, rn) {                              |                                           |
| 4: leak $\{opA, rd, opB, rn\};$                      | $\triangleright$ combination of revenants |
| 5: EMITTRANSITIONLEAK( $rd, rd \oplus rn$ );         |                                           |
| 6: EMITREVENANTLEAK(opA, rd);                        |                                           |
| 7: EMITREVENANTLEAK(opB, rn);                        |                                           |
| 8: $rd \leftarrow rd \oplus rn;$                     |                                           |
| 9: }                                                 |                                           |

# MODEL-BASED SECURITY ASSESSMENT



masked\_program.s



## MODEL-BASED SECURITY ASSESSMENT



PUBLIC 72

### MODEL-BASED SECURITY ASSESSMENT


• Write test, measure, eat, sleep, repeat



| ••• |     |     |    |
|-----|-----|-----|----|
| xor | x1, | x2, | x3 |
| and | x4, | x5, | x6 |

•••

























## **PROVABLY COMPLETE LEAKAGE MODELS**

#### Power Contracts: Provably Complete Power Leakage Models for Processors

program.s Roderick Bloem\* Barbara Gigerl Marc Gourjon Graz University of Technology Graz University of Technology Hamburg University of Technology Hamburg, Germany Graz, Austria Graz, Austria NXP Semiconductors Hamburg, Germany Vedad Hadžić Robert Primas Stefan Mangard Graz University of Technology Graz University of Technology Graz University of Technology Graz, Austria Graz, Austria Graz, Austria Contract = Model Leakage + Instruction Semantic tool to check modelcompleteness 

# **PROVABLY COMPLETE LEAKAGE MODELS**

#### Power Contracts: Provably Complete Power Leakage Models for Processors

Roderick Bloem\* Graz University of Technology Graz, Austria Barbara Gigerl Graz University of Technology Graz, Austria Marc Gourjon Hamburg University of Technology Hamburg, Germany NXP Semiconductors Hamburg, Germany

Vedad Hadžić Graz University of Technology Graz, Austria Stefan Mangard Graz University of Technology Graz, Austria Robert Primas Graz University of Technology Graz, Austria



 E2E security reduction based on ability to model any HW probe from modeled leakage in the contract

$$\boxed{[P]}^{c} \left(\sigma_{0}^{c}\right)$$



 E2E security reduction based on ability to model any HW probe from modeled leakage in the contract

$$\begin{bmatrix} \mathbf{P} \end{bmatrix}^{c} \left( \sigma_{0}^{c} \right) : \qquad \sigma_{0}^{c} \xrightarrow{\mathcal{L}_{0}^{c}} \sigma_{1}^{c} \xrightarrow{\mathcal{L}_{1}^{c}} \dots \xrightarrow{\mathcal{L}_{n-1}^{c}} \sigma_{n}^{c}$$

$$\begin{bmatrix} \mathbf{P} \end{bmatrix}^{h} \left( \sigma_{0}^{h} \right) : \qquad \sigma_{0}^{h} \xrightarrow{\mathcal{L}_{0}^{h}} \sigma_{1}^{h} \xrightarrow{\mathcal{L}_{1}^{h}} \dots \xrightarrow{\mathcal{L}_{m-1}^{h}} \sigma_{m}^{h}$$

$$f$$
starting state

 E2E security reduction based on ability to model any HW probe from modeled leakage in the contract

$$\begin{bmatrix} \mathbf{P} \end{bmatrix}^{c} \left( \sigma_{0}^{c} \right) : \qquad \sigma_{0}^{c} \xrightarrow{\mathcal{L}_{0}^{c}} \sigma_{1}^{c} \xrightarrow{\mathcal{L}_{1}^{c}} \dots \xrightarrow{\mathcal{L}_{n-1}^{c}} \sigma_{n}^{c}$$

$$\begin{bmatrix} \mathbf{P} \end{bmatrix}^{h} \left( \sigma_{0}^{h} \right) : \qquad \sigma_{0}^{h} \xrightarrow{\mathcal{L}_{0}^{h}} \sigma_{1}^{h} \xrightarrow{\mathcal{L}_{1}^{h}} \dots \xrightarrow{\mathcal{L}_{m-1}^{h}} \sigma_{m}^{h}$$

$$\begin{bmatrix} \mathbf{P} \end{bmatrix}^{c} \left( \sigma_{0}^{h} \right) : \qquad \sigma_{0}^{h} \xrightarrow{\mathcal{L}_{0}^{h}} \sigma_{1}^{h} \xrightarrow{\mathcal{L}_{1}^{h}} \dots \xrightarrow{\mathcal{L}_{m-1}^{h}} \sigma_{m}^{h}$$

$$\begin{bmatrix} \mathbf{P} \end{bmatrix}^{c} \left( \sigma_{0}^{h} \right) : \qquad \mathbf{P} \end{bmatrix} \xrightarrow{\mathbf{P}} \left( \sigma_{0}^{h} \right) : \qquad \mathbf{P} \end{bmatrix} \xrightarrow{\mathbf{P}} \left( \sigma_{0}^{h} \right) : \qquad \mathbf{P}$$

NKP

 E2E security reduction based on ability to model any HW probe from modeled leakage in the contract

Definition 6 (Compliance:  $\llbracket \cdot \rrbracket^h \vdash_{\mathcal{M}} \llbracket \cdot \rrbracket^c$ ).

NKP

 E2E security reduction based on ability to model any HW probe from modeled leakage in the contract



Definition 6 (Compliance:  $\llbracket \cdot \rrbracket^h \vdash_{\mathcal{M}} \llbracket \cdot \rrbracket^c$ ).

 E2E security reduction based on ability to model any HW probe from modeled leakage in the contract
 Modeled leakage



Definition 6 (Compliance:  $\llbracket \cdot \rrbracket^h \vdash_{\mathcal{M}} \llbracket \cdot \rrbracket^c$ ).

PUBLIC 92

 E2E security reduction based on ability to model any HW probe from modeled leakage in the contract
 Modeled leakage



DEFINITION 6 (COMPLIANCE:  $\llbracket \cdot \rrbracket^h \vdash_{\mathcal{M}} \llbracket \cdot \rrbracket^c$ ).

PUBLIC 93

# VERIFYING COMPLETENESS IN A NUTSHELL (2) CHECKING THE ABILITY TO MODEL HW LEAKAGE FROM CONTRACT LEAKS

• Is there a function f(e1, e2) = y such that  $y = \lambda_g$  for all executions of a program?

$$= \mathcal{L}_{i}^{c} := \{ \dots, \text{ leak}(\text{ e1, e2}), \dots \}$$

- Rationale for model reduction:
  - If I know e1, e2 which are exposed in the contract, then
  - I can simulate the observation of leakage  $\lambda_g$  of gate g in HW which an adversary could make

THEOREM 2 (MODEL REDUCTION).

# VERIFYING COMPLETENESS IN A NUTSHELL (2) CHECKING THE ABILITY TO MODEL HW LEAKAGE FROM CONTRACT LEAKS

• Is there a function  $f(e_1, e_2) = y$  such that  $y = \lambda_a$  for all executions of a program?

$$\begin{array}{c} \blacksquare & \mathcal{L}_{i}^{c} := \{ \dots, 1 \text{eak}(\text{e1, e2}), \dots \} \\ & \exists f(e1, e2) = \lambda_{g} ? \\ & \blacksquare & \mathcal{L}_{j}^{h} := \{ \dots, \lambda_{g}(\sigma_{j-1}^{h}, \sigma_{j}^{h}), \dots \} \end{array}$$

- Rationale for model reduction:
  - If I know e1, e2 which are exposed in the contract, then
  - I can simulate the observation of leakage  $\lambda_g$  of gate g in HW which an adversary could make

Theorem 2 (Model Reduction).

# VERIFYING COMPLETENESS IN A NUTSHELL (2) CHECKING THE ABILITY TO MODEL HW LEAKAGE FROM CONTRACT LEAKS

• Is there a function f(e1, e2) = y such that  $y = \lambda_a$  for all executions of a program?

$$\begin{array}{c} \blacksquare & \mathcal{L}_{i}^{c} := \{ ..., 1 \text{eak}(\text{e1, e2}), ... \} \\ & \exists f(e1, e2) = \lambda_{g} ? \\ & \blacksquare & \mathcal{L}_{j}^{h} := \{ ..., \lambda_{g}(\sigma_{j-1}^{h}, \sigma_{j}^{h}), ... \} \end{array}$$

- Rationale for model reduction:
  - If I know e1, e2 which are exposed in the contract, then
  - I can simulate the observation of leakage  $\lambda_g$  of gate g in HW which an adversary could make

Theorem 2 (Model Reduction).

Provably complete leakage models for processors

#### LEAKAGE MODELS FOR SECURITY RESEARCH

More use-cases for fine-grained leakage model

- Foundation for power leakage emulators
- Statistical evaluation
- Masking centric
- Automated leakage mitigation
- Automated application of countermeasures



masked\_program.s

# LEAKAGE MODELS FOR SECURITY RESEARCH



More use-cases for fine-grained leakage model

- Foundation for power leakage emulators
- Statistical evaluation
- Masking centric
- Automated leakage mitigation
- Automated application of countermeasures

## LEAKAGE MODELS FOR SECURITY RESEARCH

More use-cases for fine-grained leakage model

- Foundation for power leakage emulators
- Statistical evaluation
- Masking centric
- Automated leakage mitigation
- Automated application of countermeasures



resilience against physical adversary

# Verification of Resilience in Fine-Grained Models



PUBLIC

NXP, THE NXP LOGO AND NXP SECURE CONNECTIONS FOR A SMARTER WORLD ARE TRADEMARKS OF NXP B.V. ALL OTHER PRODUCT OR SERVICE NAMES ARE THE PROPERTY OF THEIR RESPECTIVE OWNERS. © 2022 NXP B.V.

101

# MODEL-BASED SECURITY ASSESSMENT



masked\_program.s



#### MODEL-BASED SECURITY ASSESSMENT



PUBLIC 103

#### MODEL-BASED SECURITY ASSESSMENT







 Prove security w.r.t. all device specific leakage at fixed security order



- Prove security w.r.t. all device specific leakage at fixed security order
- Executable Arm / RISC-V assembly implementations



- Prove security w.r.t. all device specific leakage at fixed security order
- Executable Arm / RISC-V assembly implementations
- Stateful non-interference



- Prove security w.r.t. all device specific leakage at fixed security order
- Executable Arm / RISC-V assembly implementations
- Stateful non-interference
- PINI + probing security


# STATEFUL NON-INTERFERENCE

- Gadget
  - Masked secret inputs x<sub>in</sub>
  - Randomness r
  - Public input state  $s_{in}$  (indep. of  $x_{in}$  and r)
  - Secret outputs yout
  - Public output state sout
  - Exposes internal observable leakage L
- Stateful *t*-Strong Non-Interference
  - 1. Any set of  $t_{int}$  observations on internal leakage *L* in combination with  $t_{out}$  observations on outputs  $s_{out}$  s.t.  $t_{int} + t_{out} \le t$ , combined with any number of observations on public output state  $s_{out}$  can be simulated from just *t* input shares and the input state  $s_{in}$ .
  - 2. The output state  $s_{out}$  can be simulated from only the input state  $s_{in}$ .

# Stateful (Strong) Non-Interference

- Ensure removal of residue
  - Registers
  - Stack
  - Leakage state

# SECURE COMPOSITION WITH STATEFUL (S)NI

- Well known
  - Secure + insecure code  $\Rightarrow$  secure
- Side-Channel
  - Resilient + Resilient ⇒ Resilient
  - Observed knowledge propagates
  - Especially residue



# SECURE COMPOSITION WITH STATEFUL (S)NI

- Well known
  - Secure + insecure code ⇒ secure
- Side-Channel
  - Resilient + Resilient ⇒ Resilient
  - Observed knowledge propagates
  - Especially residue



Stateful notions ensure removal of residue

 $\rightarrow$  Standard (S)NI composition rules restored in stateful setting

# SECURE COMPOSITION WITH STATEFUL (S)NI

- Well known
  - Secure + insecure code ⇒ secure
- Side-Channel
  - Resilient + Resilient ⇒ Resilient
  - Observed knowledge propagates
  - Especially residue

```
annotate andOrder1
...
output public r0
...
output public r7
output public stack
```



Stateful notions ensure removal of residue

→ Standard (S)NI composition rules restored in stateful setting





annotate andOrder1
 region mem w32 a[0:1]



```
Pointers to
                     uint32_t* andOrder1( uint32_t* entropy
                                                                            •
                                                                                      r
                                              uint32 t output[2],
                                                                                      y<sub>0</sub>, y<sub>1</sub>
                                                                                      x_0^{(0)}, x_1^{(0)}
x_0^{(1)}, x_1^{(1)}
                                               const uint32_t input1[2] ,
                                               const uint32 t input2[2] );
annotate andOrder1
  region mem w32 a[0:1]
  region mem w32 b[0:1]
  region mem w32 c[0:1]
  region mem w32 rnd[0:0]
  init r0 [rnd 0]
  init r1 [c 0]
  init r2 [a 0]
  init r3 [b 0]
```

```
Pointers to
                     uint32_t* andOrder1( uint32_t* entropy
                                                                                     r
                                                                            .
                                              uint32 t output[2],
                                                                                     y<sub>0</sub>, y<sub>1</sub>
                                              const uint32_t input1[2] ,
                                                                                     x_0^{(0)}, x_1^{(0)}
x_0^{(1)}, x_1^{(1)}
                                              const uint32 t input2[2] );
annotate andOrder1
  region mem w32 a[0:1]
  region mem w32 b[0:1]
  region mem w32 c[0:1]
  region mem w32 rnd[0:0]
  region mem w32 stack[-2:-1]
  init r0 [rnd 0]
  init r1 [c 0]
  init r2 [a 0]
  init r3 [b 0]
  init sp [stack 0]
  init lr exit
```

- MaskVerif
  - Provides verification algorithms for high-level algorithms
  - No addressable memory  $\rightarrow$  just arrays with static indices
  - No control-flow

- MaskVerif
  - Provides verification algorithms for high-level algorithms
  - No addressable memory  $\rightarrow$  just arrays with static indices
  - No control-flow
- Partial evaluation
  - Evaluate control flow
  - Resolve memory accesses

- MaskVerif
  - Provides verification algorithms for high-level algorithms
  - No addressable memory  $\rightarrow$  just arrays with static indices
  - No control-flow
- Partial evaluation
  - Evaluate control flow
  - Resolve memory accesses

Annotate andOrder1:

```
region mem w32 rnd[0:2]
init r0 [rnd 0]
```

- MaskVerif
  - Provides verification algorithms for high-level algorithms
  - No addressable memory  $\rightarrow$  just arrays with static indices
  - No control-flow
- Partial evaluation
  - Evaluate control flow
  - Resolve memory accesses

```
Annotate andOrder1:
```

```
region mem w32 rnd[0:2]
init r0 [rnd 0]
```

```
...
LDR r4, 0x04(r0)
```

- MaskVerif
  - Provides verification algorithms for high-level algorithms
  - No addressable memory  $\rightarrow$  just arrays with static indices
  - No control-flow
- Partial evaluation
  - Evaluate control flow
  - Resolve memory accesses

```
Annotate andOrder1 rnd[1]
  region mem w32 rnd[0:2]
  init r0 [rnd 0]
```

```
LDR r4, 0x04(r0)
```

•••

...

```
evaluates to: r4 \leftarrow rnd[1]
```

- MaskVerif
  - Provides verification algorithms for high-level algorithms
  - No addressable memory  $\rightarrow$  just arrays with static indices
  - No control-flow
- Partial evaluation
  - Evaluate control flow
  - Resolve memory accesses

Annotate andOrder*1* rnd[1] region mem w32 rnd[0:2] init r0 [rnd 0]

LDR r4, 0x04(r0)

•••

...

```
evaluates to: r4 \leftarrow rnd[1]
```

$$\begin{split} & \frac{\llbracket e_i \rrbracket_{\mu}^{\rho} = (\vartheta_i, e'_i)}{\llbracket o(e_1, \dots, e_n) \rrbracket_{\mu}^{\rho} = (\tilde{o}(\vartheta_1, \dots, \vartheta_n), o(e'_1, \dots, e'_n))} \quad \overline{\llbracket x \rrbracket_{\mu}^{\rho} = (\mu(x), x)} \\ & \frac{\llbracket e \rrbracket_{\mu}^{\rho} = (n, e')}{\llbracket x[e] \rrbracket_{\mu}^{\rho} = (\mu(x)[n], x[n])} \quad \frac{\llbracket e \rrbracket_{\mu}^{\rho} = (\langle x, \text{ofs} \rangle, e')}{\llbracket \langle e \rangle \rrbracket_{\mu}^{\rho} = (\rho(x)[\text{ofs}], x[\text{ofs}])} \\ & \frac{i = \chi \leftarrow e \quad i' = \chi' \leftarrow e' \quad \llbracket \chi \rrbracket_{\mu}^{\rho} = (\vartheta', \chi') \quad \llbracket e \rrbracket_{\mu}^{\rho} = (\vartheta, e') \quad (\mu, \rho) \{\chi' \leftarrow \vartheta\} = (\mu', \rho')}{\langle p, i; c, \mu, \rho, ec \rangle \rightsquigarrow \langle p, c, \mu', \rho', ec; i' \rangle} \\ & \frac{\llbracket e_i \rrbracket_{\mu}^{\rho} = (\vartheta_i, e'_i)}{[\text{leak} \{e_1, \dots, e_j\} \rightarrowtail \text{leak} \{e'_1, \dots, e'_j\}} \quad \frac{i = \text{goto } e \quad \llbracket e \rrbracket_{\mu}^{\rho} = (l, e') \quad p_l = c'}{\langle p, i; c, \mu, \rho, ec \rangle \leadsto \langle p, c_b; c, \mu, \rho, ec \rangle} \\ & \frac{i = \text{if } e \ c_t \ c_f \quad \llbracket e \rrbracket_{\mu}^{\rho} = (b, e')}{\langle p, i; c, \mu, \rho, ec \rangle \rightsquigarrow \langle p, c_b; c, \mu, \rho, ec \rangle} \quad \frac{i = \text{while } e \ c_w \quad i' = (\text{if } e \ c_w; i); c}{\langle p, i; c, \mu, \rho, ec \rangle \leadsto \langle p, i', \mu, \rho, ec \rangle} \end{split}$$

# VERIFICATION FLOW OF SCVERIF

- Represent program code using modeled instruction semantics
- 2. Partially evaluate using annotations
- 3. Verify resulting symbolic trace (representing the executed program) with maskVerif
- 4. Report verification result to user



#### TOOL ASSISTED OPTIMIZATION STRATEGIES FOR EFFICIENT MASKING

- Applied to masked Present S-box
  - speedup in dev time, speedup in exec time & program size
  - + fine-tuning to device-specific leakage
  - scVerif + gadgets publicly available
- Also applied to Kyber modules
  - Very large
  - still phy. leakage free without conservative choices
- Linear compositions share-wise

$$\hat{\mathcal{F}}(a, b, c) = \left( \left( \hat{\mathcal{F}}_i(a_i, b_i, c_i), \text{CLEAR}_i \right)_{i \in [d]}, \text{FCLEAR} \right)$$

- Merging of non-linear gadgets
  - Reduce memory access at increased complexity





#### MASKING IN REAL APPLICATIONS

- Application to entire ciphers (e.g., Kyber)
- Hand-crafted composition, specialized algorithms for efficient gadgets







**Figure 6:** Results of TVLA assessment: the top row shows decompressed comparison for (a)  $1^{\text{st}}$  order without randomness, (b)  $1^{\text{st}}$  order with randomness, and (c)  $2^{\text{nd}}$  order with randomness, while the bottom row shows 1-bit compression for (d)  $1^{\text{st}}$  order without randomness, (e)  $1^{\text{st}}$  order with randomness, and (f)  $2^{\text{nd}}$  order with randomness. The x axis represents sample point index  $\times 10^6$ .

- Partial evaluation
  - memcpy with symbolic size
- Generic order

- Partial evaluation
  - memcpy with symbolic size
- Generic order
- Secret dependent memory accesses
  - Masked table lookup ?!

- Partial evaluation
  - memcpy with symbolic size
- Generic order
- Secret dependent memory accesses
  - Masked table lookup ?!

```
void A2B(boolean_share_t x, arith_share_t a) {
    uint16_t R, a0;
    rng(&R, KYBER_Q_BITSIZE);
    a0 = csubq(a[0] + KYBER_Q - r_a);
    a0 = csubq(a0 + a[1]);
    x[0] = L[a0] ^ R;
    x[1] = r_b R;
}
```

Figure 5: LUT-based arithmetic to Boolean version based on [Deb12].

- Partial evaluation
  - memcpy with symbolic size
- Generic order
- Secret dependent memory accesses



Figure 5: LUT-based arithmetic to Boolean version based on [Deb12].

# VERIFYING LOOK-UP-TABLES WITH SECRET DEPENDENT MEMORY ACCESS

- Replace LDR by virtual LUT instruction
  - Express semantic of lookup table without memory access

LDR rD, rIDX val ← mem[rIDX] LUT rD, rIDX val ← f[rIDX]

### VERIFYING LOOK-UP-TABLES WITH SECRET DEPENDENT MEMORY ACCESS

- Replace LDR by virtual LUT instruction
  - Express semantic of lookup table without memory access

LDR rD, rIDX val ← mem[rIDX] LUT rD, rIDX val ← f[rIDX]

Algorithm 3 Simplified scVerif code to represent table lookups for formal verification.



# SUMMARY

- Fine-grained models for software masking
  - Reliable & accurate
  - User-defined arbitrary leakage behavior
  - Not sacrificing efficiency

Verification time Gadget # Instr. # Clear. t Netlist Contract AND 2 62 10< 1 s 🗸 284.63 s 🗸 Refresh 32.85 s 🗸 2 19 0 < 1 s 🗸 50.79 s 🗸 XOR 2 16 1 < 1 s 🗸 NOT 2 5 < 1 s 🗸 63.32 s 🗸 0

- scVerif
  - Fast verification
  - Accurate error reports
  - Support specialized constructions
  - Support highly-efficient masking

#### LISTING L LICENSE OF SHOWN CODE-SNIPPETS

RISCV Sail Model

This Sail RISC-V architecture model, comprising all files and directories except for the snapshots of the Lem and Sail libraries in the prover\_snapshots directory (which include copies of their licences), is subject to the BSD two-clause licence below.

Copyright (c) 2017-2021 Prashanth Mundkur, Rishiyur S. Nikhil and Bluespec Inc., Jon French, Brian Campbell, Robert Norton-Wright, Alasdair Armstrong, Thomas Bauereiss, Shaked Flur, Christopher Pulte, Peter Sewell, Alexander Richardson, Hesham Almatary, Jessica Clarke, Microsoft, for contributions by Robert Norton-Wright and Nathaniel Wesley Filardo, Peter Rugg and Aril Computer Corp., for contributions by Scott Johnson.

Copyright 2020-2022 - TUHH, TU Graz

All rights reserved.

This software was developed by the above within the Rigorous Engineering of Mainstream Systems (REMS) project, partly funded by EPSRC grant EP/K008528/1, at the Universities of Cambridge and Edinburgh.

This software was developed by SRI International and the University of Cambridge Computer Laboratory (Department of Computer Science and Technology) under DARPA/AFRL contract FA8650-18-C-7809 ("CIFV"), and under DARPA contract HR0011-18-C-0016 ("ECATS") as part of the DARPA SSITH research programme.

This project has received funding from the European Research Council (ERC) under the European Union's Horizon 2020 research and innovation programme (grant agreement 789108, ELVER).

This software has received funding from the Federal Ministry of Education and Research (BMBF) as part of the VE-Jupiter project grant 16ME0231K.

This work was supported by the Austrian Research Promotion Agency (FFG) through the FERMION project (grant number 867542).

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.



# SECURE CONNECTIONS FOR A SMARTER WORLD

NXP, THE NXP LOGO AND NXP SECURE CONNECTIONS FOR A SMARTER WORLD ARE TRADEMARKS OF NXP B.V. ALL OTHER PRODUCT OR SERVICE NAMES ARE THE PROPERTY OF THEIR RESPECTIVE OWNERS. © 2022 NXP B.V.