Cryptology ePrint Archive: Report 2021/1110
Secure and Efficient Software Masking on Superscalar Pipelined Processors
Barbara Gigerl and Robert Primas and Stefan Mangard
Abstract: Physical side-channel attacks like power analysis pose a serious threat to cryptographic devices in real-world applications. Consequently, devices implement algorithmic countermeasures like masking.
In the past, works on the design and verification of masked software implementations have mostly focused on simple microprocessors that find usage on smart cards. However, many other applications such as in the automotive industry require side-channel protected cryptographic computations on much more powerful CPUs. In such situations, the security loss due to complex architectural side-effects, the corresponding performance degradation, as well as discussions of suitable probing models and verification techniques are still vastly unexplored research questions.
We answer these questions and perform a comprehensive analysis of more complex processor architectures in the context of masking-related side effects. First, we analyze the RISC-V SweRV core — featuring a 9-stage pipeline, two execution units, and load/store buffers — and point out a significant gap between security in a simple software probing model and practical security on such CPUs. More concretely, we show that architectural side effects of complex CPU architectures can significantly reduce the protection order of masked software, both via formal analysis in the hardware probing model, as well as empirically via gate-level timing simulations. We then discuss the options of fixing these problems in hardware or leaving them as constraints to software. Based on these software constraints, we formulate general rules for the design of masked software on more complex CPUs. Finally, we compare several implementation strategies for masking schemes and present in a case study that designing secure masked software for complex CPUs is still possible with overhead as low as 13%.
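The gap between the software probing model and architectural reality that the abstract describes can be made concrete with a small model. The following Python is an added illustration, not code from the paper or its authors: it masks an 8-bit secret into two Boolean shares and compares a value-based leakage model (each share leaks its own Hamming weight) with a transition model in which a single hypothetical register first holds one share and is then overwritten by the other, so the leak is the Hamming distance of the two shares. Averaging over all 256 masks shows that the first model is independent of the secret while the second reveals its Hamming weight outright. The "clear the register between shares" step stands in for one kind of software constraint; the register width, the HW/HD leakage models and that mitigation are simplifying assumptions made here, not details taken from the paper.

```python
# Added illustration (not the paper's code): first-order Boolean masking under
# a value-based probing model versus a register-transition (Hamming-distance)
# model. The 8-bit register, the HW/HD leakage assumptions and the
# "clear between shares" mitigation are simplifications for this example.


def hw(x: int) -> int:
    """Hamming weight of an 8-bit value (assumed leakage of a stored value)."""
    return bin(x & 0xFF).count("1")


def split(secret: int, r: int) -> tuple:
    """First-order Boolean masking: secret == s0 ^ s1 with r uniformly random."""
    return (secret ^ r) & 0xFF, r & 0xFF


def value_leakage(secret: int, r: int) -> tuple:
    """Software probing model: a probe on one share observes only that share."""
    s0, s1 = split(secret, r)
    return hw(s0), hw(s1)


def transition_leakage(secret: int, r: int) -> int:
    """Architectural side effect: the same (hypothetical) register holds s0 and
    is then overwritten by s1, so the toggling bits leak HW(s0 ^ s1)."""
    s0, s1 = split(secret, r)
    return hw(s0 ^ s1)


def cleared_transition_leakage(secret: int, r: int) -> tuple:
    """Software constraint: write zero between the shares so that no single
    register transition ever combines both shares (sequence 0 -> s0 -> 0 -> s1).
    Returns the Hamming distance of each consecutive pair of writes."""
    s0, s1 = split(secret, r)
    writes = [0, s0, 0, s1]
    return tuple(hw(a ^ b) for a, b in zip(writes, writes[1:]))


def mean_over_masks(secret: int, leak):
    """Average a leakage function over every value of the mask r.
    A leakage whose mean does not depend on the secret carries no
    first-order information about it."""
    samples = [leak(secret, r) for r in range(256)]
    if isinstance(samples[0], tuple):
        return tuple(sum(col) / len(col) for col in zip(*samples))
    return sum(samples) / len(samples)


def first_order_leaks(secret_a: int, secret_b: int, leak) -> bool:
    """True if the mean leakage distinguishes two secrets, i.e. first-order
    protection is lost under this leakage model."""
    return mean_over_masks(secret_a, leak) != mean_over_masks(secret_b, leak)


if __name__ == "__main__":
    models = [("value", value_leakage),
              ("transition", transition_leakage),
              ("cleared transition", cleared_transition_leakage)]
    for name, leak in models:
        print(f"{name:>20}: secret 0x00 -> {mean_over_masks(0x00, leak)}, "
              f"secret 0xFF -> {mean_over_masks(0xFF, leak)}, "
              f"first-order leak: {first_order_leaks(0x00, 0xFF, leak)}")
```

Under the value model both shares average a Hamming weight of 4 for every secret, so a single probe learns nothing; under the transition model the averaged leak equals the secret's own Hamming weight, which is exactly the kind of order reduction the abstract attributes to pipeline registers and buffers on a superscalar core. Inserting the clearing write restores secret-independent means, at the cost of extra instructions, which is the trade-off between hardware fixes and software constraints the paper discusses.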
Category / Keywords: applications / masking, verification, side-channel analysis, swerv, glitches, application-level processors, coco, probing model
Original Publication (in the same form): IACR-ASIACRYPT-2021
Date: received 31 Aug 2021
Contact author: barbara gigerl at iaik tugraz at, robert primas at iaik tugraz at, stefan mangard at iaik tugraz at
Available format(s): PDF | BibTeX Citation
Version: 20210831:132623 (All versions of this report)
Short URL: ia.cr/2021/1110