Cryptology ePrint Archive: Report 2021/1181

Rosita++: Automatic Higher-Order Leakage Elimination from Cryptographic Code

Madura A. Shelton;Łukasz Chmielewski;Niels Samwel;Markus Wagner;Lejla Batina;Yuval Yarom

Abstract: Side-channel attacks are a major threat to the security of cryptographic implementations, particularly for small devices that are under the physical control of the adversary. While several strategies for protecting against side-channel attacks exist, these often fail in practice due to unintended interactions between values deep within the CPU. To detect and protect from side-channel attacks, several automated tools have recently been proposed; one of their common limitations is that they only support first-order leakage.

In this work, we present , the first automated tool for detecting and eliminating higher-order leakage from cryptographic implementations. Rosita++ proposes statistical and software-based tools to allow high-performance higher-order leakage detection. It then uses the code rewrite engine of Rosita (Shelton et al. NDSS 2021) to eliminate detected leakage. For the sake of practicality we evaluate Rosita++ against second and third order leakage, but our framework is not restricted to only these orders.

We evaluate Rosita++ against second-order leakage with three-share implementations of two ciphers, PRESENT and Xoodoo, and with the second-order Boolean-to-arithmetic masking, a core building block of masked implementations of many cryptographic primitives, including SHA-2, ChaCha and Blake. We show effective second-order leakage elimination at a performance cost of 36% for Xoodoo, 189% for PRESENT, and 29% for the Boolean-to-arithmetic masking. For third-order analysis, we evaluate Rosita++ against the third-order leakage using a four-share synthetic example that corresponds to typical four-share processing. Rosita++ correctly identified this leakage and applied code fixes.

Category / Keywords: applications / Power analysis leakage, multivariate leakage, automatic countermeasures

Original Publication (in the same form): 2021 ACM SIGSAC Conference on Computer and Communications Security (CCS 2021)
DOI:
10.1145/3460120.3485380

Date: received 14 Sep 2021

Contact author: madura shelton at adelaide edu au, lukaszc at cs ru nl, nsamwel at cs ru nl, markus wagner at adelaide edu au, lejla at cs ru nl, yval at cs adelaide edu au

Available format(s): PDF | BibTeX Citation

Version: 20210914:180543 (All versions of this report)

Short URL: ia.cr/2021/1181


[ Cryptology ePrint archive ]