# A TALE OF RESILIENCE

# On the Practical Security of Masked Software Implementations

SCAN **READ** 





- 1 Univ. Grenoble Alpes, CEA, List, F-38000 Grenoble, France
- 2 Thales DIS, France
- 3 Sorbonne Université, CNRS, LIP6, F-75005 Paris, France









#### MICRO-ARCHITECTURE-INDUCED LEAKAGE



- Micro-architecture designs rely on memory elements, invisible from the
- Memory transitions potentially recombine share values, jeopardizing the proven security of masking [1, 2]
- Parallel manipulation of shares might induce exploitable leakage.
  - No work considered its impact on masking.

# PARALLEL PROCESSING OF SHARES (PPS)

Pipelined micro-architectures might process several shares in parallel.



- At cycle # K + 3, the microarchitecture reads X0 from the memory.
- In the meanwhile, the XOR's inputs are read from the Register File.
- The micro-architecture handles X0 and X1 at the same time (red square).
- One observation gets both X0 and X1.

PPS leakage model: SHW(X0, X1) = HW(X0) + HW(X1)

We designed several software benchmarks to characterize the impact of PPS. We observe a correlation between the PPS leakage model and the side-channel measurements.



- Left plot: correlation analysis on above instruction sequence.
- Test: inputs are the shares X0 and X1.
- Control: inputs are random variables.

#### DIFFERENT TYPES OF MASKING

The practical security of masking relies on the chosen masking scheme.



- Left picture: Mutual Information of 1<sup>st</sup> order encodings
- Transitions: HD(X0, X1) = $HW(X0, \bigoplus X1)$
- PPS: SHW(X0, X1) = HW(X0) +HW(X1)
- For IPM, transitions (HD) do not leak information (MI = 0).

Boolean (BM) Arithmetic-Sum (ASM) Inner-Product (IPM)  $X = X_0 \oplus (L_1 * X_1)$  $X = X_0 \oplus X_1$  $X = X_0 \coprod X_1$ 

#### THE PRACTICAL SECURITY OF ENCODINGS

Memory transitions and PPS can leak information on multiple shares. But in practice, what security provide the different masking encodings?

#### SIMPLE 1<sup>st</sup> ORDER CORRELATION ANALYSIS





According to the theoretical results, a 1st order analysis can't exploit PPS leakage.

Memory transitions easily leak the BMed value. On the other hand, ASM leaks less whereas IPM does not.

#### 1<sup>st</sup> ORDER CORRELATION WITH PRE-PROCESSING



- We can pre-process the power trace to detect 1st order leakage when PPS takes place.
- For each sample s, keep the traces for which s' value is under (or above) a given threshold k.
- Hence, we convert higher-order leakages into lower-order ones [4].

#### **EXPLOITING MOMENT-BASED LEAKAGE MODELS**





- Previous analyses relied on the *Hamming* Weight model.
- Such model better suits the structure of BM.
- We can use the first-order moment of ASM and IPM's leakage distribution to build better leakage models.

#### **EXPLOITING PPS vs IPM**



- We combine trace pre-processing and first-order moment leakage models to exploit PPS-based leakage.
- Left figure: improved correlation with respect to using Hamming Weight model, both for ASM and IPM

# THE PRACTICAL SECURITY OF MASKED AES-128 4.





The ASM implementation shows low resilience to transition-based leakages.

IPM can be broken via PPS-based leakage exploitation, although resilient to transitionbased leakages by design.

The log/alog-based

multiplication applies log function to shares. Transitions of log(share) leaks in IPM implementation.

#### **CONTRIBUTIONS SUMMARY**



Our work provides new insights concerning the impact of the micro-architecture on the practical security of masked software implementations.

- PPS-based leakage is observable in the software context.
- PPS leakage can be exploited against all the considered masking schemes by slightly adapting [4].
- We exhibit two attacks against IPM: one via PPS leakages, one via the transitionbased leakage from the logarithm representation of masking encodings in the finite field multiplication.

### REFERENCES

[1] B. Marshall et al., "MIRACLE: micro-architectural leakage evaluation A study of micro-architectural power leakage

across many devices," TCHES, 2022.

[2] B. Gigerl et al. "Secure and efficient software masking on superscalar pipelined processors,", ASIACRYPT, 2021. [3] O. Bronchain et. al, "Leakage certification revisited: Bounding model errors in side-channel security evaluations," in CRYPTO, 2019.

[4] T. Moos and A. Moradi, "On the easiness of turning higher-order leakages into first-order,", COSADE, 2017.