We lost some data between April 12 and April 14, but we expect to be able to recover most of it. If you submitted a paper between April 12 and April 14, you may have to resubmit it.

Paper 2021/1181

Rosita++: Automatic Higher-Order Leakage Elimination from Cryptographic Code

Madura A. Shelton, Łukasz Chmielewski, Niels Samwel, Markus Wagner, Lejla Batina, and Yuval Yarom


Side-channel attacks are a major threat to the security of cryptographic implementations, particularly for small devices that are under the physical control of the adversary. While several strategies for protecting against side-channel attacks exist, these often fail in practice due to unintended interactions between values deep within the CPU. To detect and protect from side-channel attacks, several automated tools have recently been proposed; one of their common limitations is that they only support first-order leakage. In this work, we present , the first automated tool for detecting and eliminating higher-order leakage from cryptographic implementations. Rosita++ proposes statistical and software-based tools to allow high-performance higher-order leakage detection. It then uses the code rewrite engine of Rosita (Shelton et al. NDSS 2021) to eliminate detected leakage. For the sake of practicality we evaluate Rosita++ against second and third order leakage, but our framework is not restricted to only these orders. We evaluate Rosita++ against second-order leakage with three-share implementations of two ciphers, PRESENT and Xoodoo, and with the second-order Boolean-to-arithmetic masking, a core building block of masked implementations of many cryptographic primitives, including SHA-2, ChaCha and Blake. We show effective second-order leakage elimination at a performance cost of 36% for Xoodoo, 189% for PRESENT, and 29% for the Boolean-to-arithmetic masking. For third-order analysis, we evaluate Rosita++ against the third-order leakage using a four-share synthetic example that corresponds to typical four-share processing. Rosita++ correctly identified this leakage and applied code fixes.

Available format(s)
Publication info
Published elsewhere. 2021 ACM SIGSAC Conference on Computer and Communications Security (CCS 2021)
Power analysis leakagemultivariate leakageautomatic countermeasures
Contact author(s)
madura shelton @ adelaide edu au
lukaszc @ cs ru nl
nsamwel @ cs ru nl
markus wagner @ adelaide edu au
lejla @ cs ru nl
yval @ cs adelaide edu au
2021-09-14: received
Short URL
Creative Commons Attribution


      author = {Madura A.  Shelton and Łukasz Chmielewski and Niels Samwel and Markus Wagner and Lejla Batina and Yuval Yarom},
      title = {Rosita++: Automatic Higher-Order Leakage Elimination from Cryptographic Code},
      howpublished = {Cryptology ePrint Archive, Paper 2021/1181},
      year = {2021},
      doi = {10.1145/3460120.3485380},
      note = {\url{https://eprint.iacr.org/2021/1181}},
      url = {https://eprint.iacr.org/2021/1181}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.