Paper 2023/1713

High-assurance zeroization

Santiago Arranz Olmos, Max Planck Institute for Security and Privacy
Gilles Barthe, Max Planck Institute for Security and Privacy, IMDEA Software
Ruben Gonzalez, Max Planck Institute for Security and Privacy, Neodyme AG
Benjamin Grégoire, Inria Sophia Antipolis - Méditerranée
Vincent Laporte, Inria Nancy - Grand-Est research centre
Jean-Christophe Léchenet, Inria Sophia Antipolis - Méditerranée
Tiago Oliveira, Max Planck Institute for Security and Privacy
Peter Schwabe, Max Planck Institute for Security and Privacy, Radboud University

In this paper we revisit the problem of erasing sensitive data from memory and registers during return from a cryptographic routine. While the problem and related attacker model is fairly easy to phrase, it turns out to be surprisingly hard to guarantee security in this model when implementing cryptography in common languages such as C/C++ or Rust. We revisit the issues surrounding zeroization and then present a principled solution in the sense that it guarantees that sensitive data is erased and it clearly defines when this happens. We implement our solution as extension to the formally verified Jasmin compiler and extend the correctness proof of the compiler to cover zeroization. We show that the approach seamlessly integrates with state-of-the-art protections against microarchitectural attacks by integrating zeroization into Libjade, a cryptographic library written in Jasmin with systematic protections against timing and Spectre-v1 attacks. We present benchmarks showing that in many cases the overhead of zeroization is barely measurable and that it stays below 2% except for highly optimized symmetric crypto routines on short inputs.

Available format(s)
Publication info
Published by the IACR in TCHES 2024
Secret erasureclear stack memorydefense in depthhigh-assurance cryptography
Contact author(s)
santiago arranz-olmos @ mpi-sp org
gilles barthe @ mpi-sp org
mail @ ruben-gonzalez de
benjamin gregoire @ inria fr
Vincent Laporte @ inria fr
jean-christophe lechenet @ inria fr
tiago oliveira @ mpi-sp org
2023-12-11: last of 2 revisions
2023-11-05: received
See all versions
Short URL
No rights reserved


      author = {Santiago Arranz Olmos and Gilles Barthe and Ruben Gonzalez and Benjamin Grégoire and Vincent Laporte and Jean-Christophe Léchenet and Tiago Oliveira and Peter Schwabe},
      title = {High-assurance zeroization},
      howpublished = {Cryptology ePrint Archive, Paper 2023/1713},
      year = {2023},
      doi = {10.46586/tches.v2024.i1.375-397},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.