

On the modelling of the processor microarchitecture for masked software verification

Karine HEYDEMANN, Thales/Sorbonne University Journées du GDR Sécurité Informatique, 24th June 2025

### Plan

- 1. Background on Side-Channel Attacks
- 2. Masked Implementation Verification
- 3. Microarchitecture modelling for masked software verification

THALES 2/2

### **Introduction: Side-Channel Attacks**



THALES 3/29

#### The power consumption of a CPU-based device differs with the executed instructions

> Example of a naive fast exponentiation



<sup>1.</sup> also used for synchronizing a fault injection



#### The power consumption of a CPU-based device differs with the executed instructions

Example of a naive fast exponentiation



<sup>1.</sup> also used for synchronizing a fault injection



#### The power consumption of a CPU-based device differs with the executed instructions

> Example of a naive fast exponentiation



<sup>1.</sup> also used for synchronizing a fault injection

#### The power consumption of a CPU-based device differs with the executed instructions

> Example of a naive fast exponentiation



> Typical exploitation example: Simple Power Analysis (SPA) [Mangard et al., 2010] 1

<sup>1.</sup> also used for synchronizing a fault injection

### **Power Consumption of Data**

#### The power comsumption of an instruction depends on its data

> Simple leakage model: Hamming Weight of data

DPA Book [Mangard et al., 2010] extract



### **Power Consumption of Data**

#### The power comsumption of an instruction depends on its data

> Simple leakage model: Hamming Weight of data

DPA Book [Mangard et al., 2010] extract



- > Simple but works in practice!
- Typical exploitation examples: Differential Power Analysis [Kocher et al., 1999] and Correlation Power Analysis [Brier et al., 2004]

### **Counter-measure Against SCA**

#### **Hiding**

- > Add noise to reduce the signal to noise ratio
- > Examples: dummy instruction, instruction or loop shuffling, semantic variants (function or instruction)
- > Does not remove leakage but makes it harder to exploit (more traces are needed)

### **Masking**

- Make the manipulated data statistically independent from the secret values
- > Can be formally proven
- > Power measurements are theoretically independent of the secret

# Masking

#### At order d

- > Split a secret s into d+1 parts (a.k.a shares)  $s_0, s_1, ..., s_d$  such than  $s=s_0 \star s_1 \star ... \star s_d$ 
  - $\gt{s}_0, ..., s_{d-1}$  are d uniform randoms (a.k.a "masks")
  - $> S_d = S \star S_0 \star S_1 \star ... \star S_{d_1}$
- > Any combination of less than d shares is statistically independant from the secret
- > First-order boolean masking:
  - > s<sub>0</sub> is a uniform random
  - $> s_1 = s_0 \oplus s$

- > Consider 2 boolean shared values a = (a0, a1) and b = (b0,b1) at order 1
- > How to securely compute c, also shared, such that c = a.b?



- > Consider 2 boolean shared values a = (a0, a1) and b = (b0,b1) at order 1
- > How to securely compute c, also shared, such that c = a.b?
  - > We want c0 and c1 such that c0  $\oplus$  c1 = (a0  $\oplus$  a1).(b0  $\oplus$  b1) without computing a and b

- Consider 2 boolean shared values a = (a0, a1) and b = (b0,b1) at order 1
- > How to securely compute c, also shared, such that c = a.b?
  - > We want c0 and c1 such that c0  $\oplus$  c1 = (a0  $\oplus$  a1).(b0  $\oplus$  b1) without computing a and b
  - > NB: c0  $\oplus$  c1 = (a0  $\oplus$  a1).(b0  $\oplus$  b1) = (a0.b0  $\oplus$  a0.b1  $\oplus$  a1.b0  $\oplus$  a1.b1)

- Consider 2 boolean shared values a = (a0, a1) and b = (b0,b1) at order 1
- How to securely compute c, also shared, such that c = a.b?
  - > We want c0 and c1 such that c0  $\oplus$  c1 = (a0  $\oplus$  a1).(b0  $\oplus$  b1) without computing a and b
  - > NB: c0  $\oplus$  c1 = (a0  $\oplus$  a1).(b0  $\oplus$  b1) = (a0.b0  $\oplus$  a0.b1  $\oplus$  a1.b0  $\oplus$  a1.b1)
    - $\Rightarrow$  need to compute all the products (.) and reduce the computation (+)

- Consider 2 boolean shared values a = (a0, a1) and b = (b0,b1) at order 1
- How to securely compute c, also shared, such that c = a.b?
  - > We want c0 and c1 such that c0  $\oplus$  c1 = (a0  $\oplus$  a1).(b0  $\oplus$  b1) without computing a and b
  - > NB: c0  $\oplus$  c1 = (a0  $\oplus$  a1).(b0  $\oplus$  b1) = (a0.b0  $\oplus$  a0.b1  $\oplus$  a1.b0  $\oplus$  a1.b1)
    - $\Rightarrow$  need to compute all the products (.) and reduce the computation (+)
    - $\Rightarrow$  any reduction of two terms leads to a leakage of a or b

- Consider 2 boolean shared values a = (a0, a1) and b = (b0,b1) at order 1
- > How to securely compute c, also shared, such that c = a.b?
  - > We want c0 and c1 such that c0  $\oplus$  c1 = (a0  $\oplus$  a1).(b0  $\oplus$  b1) without computing a and b
  - > NB: c0  $\oplus$  c1 = (a0  $\oplus$  a1).(b0  $\oplus$  b1) = (a0.b0  $\oplus$  a0.b1  $\oplus$  a1.b0  $\oplus$  a1.b1)
    - $\Rightarrow$  need to compute all the products (.) and reduce the computation (+)
    - $\Rightarrow$  any reduction of two terms leads to a leakage of a or b
    - e.g c0 = a0.b0  $\oplus$  a0.b1, c1 = a1.b0  $\oplus$  a1.b1 leaks b

- Consider 2 boolean shared values a = (a0, a1) and b = (b0,b1) at order 1
- How to securely compute c, also shared, such that c = a.b?
  - > We want c0 and c1 such that c0  $\oplus$  c1 = (a0  $\oplus$  a1).(b0  $\oplus$  b1) without computing a and b
  - > NB: c0  $\oplus$  c1 = (a0  $\oplus$  a1).(b0  $\oplus$  b1) = (a0.b0  $\oplus$  a0.b1  $\oplus$  a1.b0  $\oplus$  a1.b1)
    - $\Rightarrow$  need to compute all the products (.) and reduce the computation (+)
    - ⇒ any reduction of two terms leads to a leakage of a or b
    - e.g c0 = a0.b0  $\oplus$  a0.b1, c1 = a1.b0  $\oplus$  a1.b1 leaks b
    - e.g c0 = a0.b0  $\oplus$  a1.b1, c1 = a1.b0  $\oplus$  a0.b1 leaks a and b

- Consider 2 boolean shared values a = (a0, a1) and b = (b0,b1) at order 1
- How to securely compute c, also shared, such that c = a.b?
  - > We want c0 and c1 such that c0  $\oplus$  c1 = (a0  $\oplus$  a1).(b0  $\oplus$  b1) without computing a and b
  - > NB: c0  $\oplus$  c1 = (a0  $\oplus$  a1).(b0  $\oplus$  b1) = (a0.b0  $\oplus$  a0.b1  $\oplus$  a1.b0  $\oplus$  a1.b1)
    - $\Rightarrow$  need to compute all the products (.) and reduce the computation (+)
    - $\Rightarrow$  any reduction of two terms leads to a leakage of a or b
    - e.g c0 = a0.b0  $\oplus$  a0.b1, c1 = a1.b0  $\oplus$  a1.b1 leaks b
    - e.g c0 = a0.b0  $\oplus$  a1.b1, c1 = a1.b0  $\oplus$  a0.b1 leaks a and b
    - ⇒ additionnal randoms are necessary to make the computation secure

- Consider 2 boolean shared values a = (a0, a1) and b = (b0,b1) at order 1
- How to securely compute c, also shared, such that c = a.b?
  - > We want c0 and c1 such that c0  $\oplus$  c1 = (a0  $\oplus$  a1).(b0  $\oplus$  b1) without computing a and b

```
> NB: c0 \oplus c1 = (a0 \oplus a1).(b0 \oplus b1)
= (a0.b0 \oplus a0.b1 \oplus a1.b0 \oplus a1.b1)
```

- $\Rightarrow$  need to compute all the products (.) and reduce the computation (+)
- ⇒ any reduction of two terms leads to a leakage of a or b

```
e.g c0 = a0.b0 \oplus a0.b1, c1 = a1.b0 \oplus a1.b1 leaks b
```

e.g c0 = a0.b0 
$$\oplus$$
 a1.b1, c1 = a1.b0  $\oplus$  a0.b1 leaks a and b

- $\Rightarrow$  additionnal randoms are necessary to make the computation secure
- Different masking schemes have been proposed ISW-AND [Ishai et al., 2003], DOM-AND [Gross et al., 2016], TI-AND [Nikova et al., 2006]

## **Example: Masked AND at Order 1**



9 / 29

### **Example: Masked AND at Order 1**



## **Example: Masked AND at Order 1**



```
;r0:a0, r1:b0, r2:a1, r3:b1, r6:c[] r7:r

and.w r4, r0, r3; a0 & b1
eors r4, r7; t0 = (a0 & b1) ^ r
and.w r5, r2, r1; a1 & b0
ands r0, r1; a0 & b0
ands r3, r2; b1 & a1
eors r4, r5; t1 = t0 ^ (a1 & b0)
eors r0, r7; c0 = (a0 & b0) ^ r
eors r4, r3; c1 = t1 ^ (a1 & b1)
str r0, [r6, #0]
str r4, [r6, #4]
```

### Plan

- 1. Background on Side-Channel Attacks
- 2. Masked Implementation Verification
- 3. Microarchitecture modelling for masked software verification

THALES 12/2

### **Empirically**

> Perform power simulations or acquisitions then use statistical metrics, such as the t-test



### **Empirically**

> Perform power simulations or acquisitions then use statistical metrics, such as the t-test



Pros: Complex circuits/software analysis

Cons: No guarantee, leakages are difficult to

locate

MAPS [Corre et al., 2018], PROLEAD [Müller and Moradi, 2022], ELMO [McCann et al., 2017] or ROSITA [Shelton et al., 2021]

### **Formally**

> Label input values as secret, mask or public, and prove the absence of leakage for a chosen attacker model and a leakage model

#### d-probing model [Ishai et al., 2003]

- > The attacker has d probes that can capture d intermediate values during the execution
- > Assume a value leakage model

THALES 14/2

#### **Formally**

Label input values as secret, mask or public, and prove the absence of leakage for a chosen attacker model and a leakage model

#### d-probing model [Ishai et al., 2003]

- > The attacker has d probes that can capture d intermediate values during the execution
- > Assume a value leakage model

#### Example with a method based on symbolic expression

Masked Implementation

```
tmp = (a0 & b1) ^ rnd;
*c0 = tmp ^ (a1 & b0);
tmp = (a0 & b0) ^ rnd;
*c1 = tmp ^ (a1 & b1);
```

#### **Formally**

Label input values as secret, mask or public, and prove the absence of leakage for a chosen attacker model and a leakage model

#### d-probing model [Ishai et al., 2003]

- > The attacker has d probes that can capture d intermediate values during the execution
- > Assume a value leakage model

#### Example with a method based on symbolic expression



14 / 29

#### **Formally**

Label input values as secret, mask or public, and prove the absence of leakage for a chosen attacker model and a leakage model

#### d-probing model [Ishai et al., 2003]

- > The attacker has d probes that can capture d intermediate values during the execution
- > Assume a value leakage model

#### Example with a method based on symbolic expression



#### **Formally**

Label input values as secret, mask or public, and prove the absence of leakage for a chosen attacker model and a leakage model

#### d-probing model [Ishai et al., 2003]

- > The attacker has d probes that can capture d intermediate values during the execution
- > Assume a value leakage model

#### Example with a method based on symbolic expression



#### **Formally**

Label input values as secret, mask or public, and prove the absence of leakage for a chosen attacker model and a leakage model

#### d-probing model [Ishai et al., 2003]

- > The attacker has d probes that can capture d intermediate values during the execution
- > Assume a value leakage model

#### Example with a method based on symbolic expression



#### **Formally**

Label input values as secret, mask or public, and prove the absence of leakage for a chosen attacker model and a leakage model

#### d-probing model [Ishai et al., 2003]

- > The attacker has d probes that can capture d intermediate values during the execution
- > Assume a value leakage model

#### Example with a method based on symbolic expression



#### **Formally**

Label input values as secret, mask or public, and prove the absence of leakage for a chosen attacker model and a leakage model

#### d-probing model [Ishai et al., 2003]

- > The attacker has d probes that can capture d intermediate values during the execution
- > Assume a value leakage model

Pros: Absence of secret leakage is guaranteed for the chosen model, easier to locate and undestand leakages

Cons: Scalability issues, potential false positive, proven-secure implementations in the *d*-probing model can leak

MaskVerif [Barthe et al., 2019], ARISTI [Ben El Ouahma et al., 2019], LeakageVerif [Meunier et al., 2023], VerifMSI [Meunier and Taleb, 2023]

### **Formally**

> Label input values as secret, mask or public, and prove the absence of leakage for a chosen attacker model and a leakage model

#### d-probing model with transition

- > The attacker has d probes that can capture **transitions** during the execution
- Assume a transition leakage model

THALES 15/2

#### **Formally**

Label input values as secret, mask or public, and prove the absence of leakage for a chosen attacker model and a leakage model

#### d-probing model with transition

- > The attacker has d probes that can capture **transitions** during the execution
- > Assume a transition leakage model

#### Example with a method based on symbolic expression



THALES 15/29

### **How To Verify a Masked Implementation?**

#### **Formally**

Label input values as secret, mask or public, and prove the absence of leakage for a chosen attacker model and a leakage model

#### d-probing model with transition

- > The attacker has d probes that can capture **transitions** during the execution
- > Assume a transition leakage model

#### Example with a method based on symbolic expression



THALES 15/29

### **How To Verify a Masked Implementation?**

#### **Formally**

Label input values as secret, mask or public, and prove the absence of leakage for a chosen attacker model and a leakage model

#### d-probing model with transition

- > The attacker has d probes that can capture **transitions** during the execution
- > Assume a transition leakage model

#### Example with a method based on symbolic expression



15 / 29

> Perform verification at the assembly level to detect vulnerabilities post-compilation

### **Proven Leakage-Free Implementation in Practice**

Software "ISW And" proven leakage-free at the ISA level in the value leakage model and transition leakage model (GPRs).

```
1; r0:a0, r1:b0, r2:a1, r3:b1, r6:c[] r7:m
2 and.w r4, r0, r3; a0 & b1
3 eors r4, r7; t0 = (a0 & b1) ^ m
4 and.w r5, r2, r1; a1 & b0
5 ands r0, r1; a0 & b0
6 ands r3, r2; b1 & a1
7 eors r4, r5; t1 = t0 ^ (a1 & b0)
8 eors r0, r7; c0 = (a0 & b0) ^ m
9 eors r4, r3; c1 = t1 ^ (a1 & b1)
10 str r0, [r6, #0]
11
12
```

THALES 16/29

### **Proven Leakage-Free Implementation in Practice**

> Software "ISW And" proven leakage-free at the ISA level in the value leakage model and transition

leakage model (GPRs).

```
; r0:a0, r1:b0, r2:a1, r3:b1, r6:c[] r7:m
and.w r4, r0, r3; a0 & b1
3 eors r4, r7; t0 = (a0 & b1) ^ m
and.w r5, r2, r1; a1 & b0
ands r0, r1; a0 & b0
ands r3, r2; b1 & a1
eors r4, r5; t1 = t0 ^ (a1 & b0)
eors r0, r7; c0 = (a0 & b0) ^ m
eors r4, r3; c1 = t1 ^ (a1 & b1)
str r0, [r6, #0]

12
```



### **Proven Leakage-Free Implementation in Practice**

> Software "ISW And" proven leakage-free at the ISA level in the value leakage model and transition

leakage model (GPRs).

```
1 ;r0:a0, r1:b0, r2:a1, r3:b1, r6:c[] r7:m
2 and.w r4, r0, r3; a0 & b1
3 eors r4, r7 ; t0 = (a0 & b1) ^ m
4 and.w r5, r2, r1; a1 & b0
5 ands r0, r1 ; a0 & b0
6 ands r3, r2 ; b1 & a1
7 eors r4, r5 ; t1 = t0 ^ (a1 & b0)
8 eors r0, r7 ; c0 = (a0 & b0) ^ m
9 eors r4, r5 ; t1 = t1 ^ (a1 & b1)
10 str r0, [r6, #0]
11 str r4, [r6, #4]
```



Need for modelling leakage happening in the circuit at the micro-architectural level while software is executed to capture leakage that can not be modeled at ISA level

#### Plan

- 1. Background on Side-Channel Attacks
- 2. Masked Implementation Verification
- 3. Microarchitecture modelling for masked software verification

THALES 17/2

# ARMISTICE: Micro-Architectural Leakage Modelling for Masked Software Formal Verification

Arnaud de Grandmaison<sup>2</sup>, Karine Heydemann, Quentin L. Meunier<sup>3</sup> published in IEEE Transaction Computer-Aided Design 2022 and presented at the conference CASES 2022

<sup>3.</sup> Sorbonne Université/LIP6



<sup>2.</sup> Arm

Arm Cortex-M3: modeled from the Verilog source code

Arm Cortex-M3: modeled from the Verilog source code



- Arm Cortex-M3: modeled from the Verilog source code
- Memoire: black-box approach (no HDL description available)



- Arm Cortex-M3: modeled from the Verilog source code
- Memoire: black-box approach (no HDL description available)
- Design of several micro-benchmarks a.k.a. "leakage test vectors":
  - Detection of leakage sources (black-box)



- Arm Cortex-M3: modeled from the Verilog source code
- Memoire: black-box approach (no HDL description available)
- Design of several micro-benchmarks a.k.a. "leakage test vectors":
  - Detection of leakage sources (black-box)





- Arm Cortex-M3: modeled from the Verilog source code
- Memoire: black-box approach (no HDL description available)
- Design of several micro-benchmarks a.k.a. "leakage test vectors":
  - Detection of leakage sources (black-box)
  - Validation (white-box)





- Arm Cortex-M3: modeled from the Verilog source code
- Memoire: black-box approach (no HDL description available)
- Design of several micro-benchmarks a.k.a. "leakage test vectors":
  - Detection of leakage sources (black-box)
  - Validation (white-box)
  - Ranking





#### **Leakage Test Vectors**

- > 77 carefully designed test vectors
  - 31 for the data path components involved in each instruction
  - > 5 for forwarding mechanisms
  - 7 for the writing back into the register file
  - 34 for analysis of the LSU and the modelling of the memory.
- > Description and results online: https: //www-soc.lip6.fr/armistice



# **Findings Using Leakage Vectors**

- Leakage without any link to the data manipulated by instructions!
  - Instruction encodings (16-bit versus 32-bit) can impact leakage
  - Part of immediate in the encoding can be used to read the register bank
  - > Forwarding mechanism
- > Intra-word leakage in the LSU
- The required number of traces varies with the source of leakage
- > ...
- We did not have the RTL version corresponding to the CPU of our target!













 PortA:
 m1
 0

 PortB
 m0
 k ⊕ m0

 MuxRegA / RegA:
 m1
 m1 ⊕ m0

 MuxRegB / RegB:
 m0
 k ⊕ m0

 ALUQUI
 m1 ⊕ m0
 k ⊕ m1



 PortA:
 m1
 0
 m1

 PortB
 m0
 k ⊕ m0
 k

 MuxRegA / RegA:
 m1
 m1 ⊕ m0
 m0

 MuxRegB / RegB:
 m0
 k ⊕ m0
 k

 ALUOut
 m1 ⊕ m0
 k ⊕ m1
 k ⊕ m0

#### **ARMISTICE Framework**



THALES 23/29

### Back on the Leaking "ISW And"

|    | Instructions     | Leaks: expr. name      |  |
|----|------------------|------------------------|--|
| I1 | and.wr5, r2, r1  | MuxRegA, RegA: e0      |  |
|    |                  | RegB: <i>e</i> 1       |  |
| 12 | ands r0, r1      | PortA, RegA: e2        |  |
|    |                  | AluOut: e3             |  |
| 13 | ands r3, r2      | AluOut: e4             |  |
| 14 | eors r4, r5      | RegB: <i>e</i> 5       |  |
| 15 | eors r0, r7      | AluOut: e6             |  |
| 16 | eors r4, r3      | AluOut: <i>e</i> 7     |  |
| 17 | str r0, [r6, #0] | -                      |  |
| 18 | str r4, [r6, #4] | PortB, RegB, DataReg,  |  |
|    |                  | DataOut, BufferMem: e7 |  |

| Nom        | Expression                                                             | Fuites  |
|------------|------------------------------------------------------------------------|---------|
| <i>e</i> 0 | a0 · b1 ⊕ a1                                                           | a, c    |
| e1         | a0 · b1 ⊕ b0                                                           | b, c    |
| e2         | a0 ⊕ a1                                                                | a, c    |
| <i>e</i> 3 | <i>a</i> 0 · <i>b</i> 0 ⊕ <i>a</i> 1 · <i>b</i> 0                      | a, c    |
| e4         | a0 · b0 ⊕ a1 · b1                                                      | a, b, c |
| <i>e</i> 5 | a1 · b0 ⊕ b1                                                           | b, c    |
| <i>e</i> 6 | $a0 \cdot b0 \oplus a0 \cdot b1 \oplus a1 \cdot b0$                    | a, b, c |
| e7         | $a0 \cdot b0 \oplus a0 \cdot b1 \oplus a1 \cdot b0 \oplus a1 \cdot b1$ | a, b, c |



#### **ARMISTICE Results Validation**

#### 8 masked applications from the litterature

#### **Results summary**

- > Absence of leakage in the value based model for correct masking schemes
- At least one secret leakage due to micro-architecture in all programs, even those designed to be secured w.r.t. the Arm Cortex-M3 micro-architecture (Dilithium AND and A2B)
- > At least one leakage for 22 out of 27 modeled components

THALES 25/3

# Accuracy and Exploitability (1/2)

- > Manual analysis of the leakage resulting from the first round of the Key Schedule
- > 8 considered expressions (simplest ones)
- > Experimental leakage assessment using specific t-test with 500,000 traces

# Accuracy and Exploitability (1/2)

- > Manual analysis of the leakage resulting from the first round of the Key Schedule
- > 8 considered expressions (simplest ones)
- > Experimental leakage assessment using specific t-test with 500,000 traces



### Accuracy and Exploitability (2/2)

#### Leakages found but not observed

- > 8-bit transition in a GPR, not observable
- > 8-bit transition on Bus B, not observable
- > Stall cycle from the memory, could be removed with a better memory model

# Accuracy and Exploitability (2/2)

#### **Leakages found but not observed**

- > 8-bit transition in a GPR, not observable
- > 8-bit transition on Bus B, not observable
- > Stall cycle from the memory, could be removed with a better memory model

#### Leveraging ARMISTICE output

Addition of carefully designed instructions to clean the part of the data path involved in the leaking transition



#### **Conclusion and Future Work**

#### ARMISTICE

- > A framework for formally proving the absence of secret leakage in a masked code
- > Based on the micro-architectural details of a Arm Cortex-M3 core and a memory model
- > Model close to reality, good match between found leakages and observed leakages
- Locates secret leakages in time and space along with the corresponding expressions, which in turn can help remove them

#### **Future work**

- > Avoid the manual generation of the micro-architecture model
  - ⇒ Automate the verification from a RTL description, a binary code and information on shares (secrets and masks) and sources of randoms
- > Consider glitches
- ⇒ Noé Amiot, current PhD on this topic at LIP6, stay tuned!

# Thank you

and many thanks to Quentin Meunier<sup>4</sup>, Noé Amiot <sup>4</sup> and Simon Tollec <sup>5</sup> for their slides!

4. LIP6/Sorbonne University

5. Thales



#### References I



Ben El Ouahma, I., Meunier, Q. L., Heydemann, K., and Encrenaz, E. (2019). Side-channel robustness analysis of masked assembly codes using a symbolic approach. Journal of Cryptographic Engineering, 9:231–242.

Brier, E., Clavier, C., and Olivier, F. (2004).
Correlation power analysis with a leakage model.

In Joye, M. and Quisquater, J.-J., editors, <u>CHES 2004</u>, volume 3156 of <u>LNCS</u>, pages 16–29. Springer, Berlin, Heidelberg.

#### **References II**



Corre, Y. L., Großschädl, J., and Dinu, D. (2018).

Micro-architectural power simulator for leakage assessment of cryptographic software on ARM Cortex-M3 processors.

In Fan, J. and Gierlichs, B., editors, <u>COSADE 2018</u>, volume 10815 of <u>LNCS</u>, pages 82–98. Springer, Cham.



De Grandmaison, A., Heydemann, K., and Meunier, Q. L. (2022).

Armistice: Microarchitectural leakage modeling for masked software formal verification.

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 41(11):3733–3744.



Gross, H., Mangard, S., and Korak, T. (2016).

Domain-oriented masking: Compact masked hardware implementations with arbitrary protection order. In Proceedings of the 2016 ACM Workshop on Theory of Implementation Security, TIS '16, page 3, New York, NY, USA. Association for Computing Machinery.



Ishai, Y., Sahai, A., and Wagner, D. (2003).

Private circuits: Securing hardware against probing attacks.

In Annual International Cryptology Conference, pages 463–481. Springer.

#### References III

Kocher, P. C., Jaffe, J., and Jun, B. (1999).

Differential power analysis.

In Wiener, M. J., editor, <u>CRYPTO'99</u>, volume 1666 of <u>LNCS</u>, pages 388–397. Springer, Berlin, Heidelberg.

Mangard, S., Oswald, E., and Popp, T. (2010).

Power Analysis Attacks: Revealing the Secrets of Smart Cards.

Springer Publishing Company. Incorporated, 1st edition.

McCann, D., Oswald, E., and Whitnall, C. (2017).

Towards practical tools for side channel aware software engineering: 'grey box' modelling for instruction leakages.

In Kirda, E. and Ristenpart, T., editors, <u>USENIX Security 2017</u>, pages 199–216. USENIX Association.

Meunier, Q. and Taleb, A. (2023).

Verifmsi: Practical verification of hardware and software masking schemes implementations.

In 20th International Conference on Security and Cryptography, volume 1, pages 520–527. SciTePress.

#### **References IV**



Meunier, Q. L., Pons, E., and Heydemann, K. (2023). Leakageverif: Efficient and scalable formal verification of leakage in symbolic expressions. volume 49, page 3359,Äi3375. IEEE Press.



Müller, N. and Moradi, A. (2022).
PROLEAD A probing-based hardware leakage detection tool.
IACR TCHES, 2022(4):311–348.



Nikova, S., Rechberger, C., and Rijmen, V. (2006).

Threshold implementations against side-channel attacks and glitches.

In Ning, P., Qing, S., and Li, N., editors, Information and Communications Security, pages 529–545, Berlin, Heidelberg. Springer Berlin Heidelberg.



Shelton, M. A., Samwel, N., Batina, L., Regazzoni, F., Wagner, M., and Yarom, Y. (2021). Rosita: Towards automatic elimination of power-analysis leakage in ciphers. In NDSS 2021. The Internet Society.