Information Classification: General
CONTRIBUTE.
COLLABORATE.
COMMERCIALIZE.
December 8-10 | Virtual Event
Coco: Co-Design and Co-Verification of Masked Software Implementations on CPUs
Barbara Gigerl
PhD Student
Technical University of Graz
#RISCVSUMMIT
About this presentation
Outline: Introduction, Co-Verification, Co-Design
Barbara Gigerl¹, Vedad Hadzic¹, Robert Primas¹, Stefan Mangard¹ and Roderick Bloem¹: Co-Design and Co-Verification of Masked Software Implementations on CPUs
¹Graz University of Technology
https://eprint.iacr.org/2020/1294
Introduction to Power Analysis
Side-channel attacks
• Exploit side-channel information
• Information leaked by a device unintentionally
• Examples: execution time, power consumption, electromagnetic radiation, temperature, sound, photon emission
Power Analysis Attacks
[Figure: an attacker uses an oscilloscope to record power traces of a cryptographic device] [Kocher, 1999]
The Masking countermeasure
• Power consumption depends on:
• What is done?
• Which data is involved?
• Masking [Chari, 1999]: Conceal secret $s$ by a random mask $m$:
$v_m = s \oplus m \Leftrightarrow s = v_m \oplus m$
• Cryptographic algorithm $f$ processes $v_m$ and $m$ individually
Break the dependency!
Co-Verification
The HW/SW Gap
• Formal security proofs are only done for SW
• Assumption: underlying HW is secure
• Goal: Co-Verification of Software and Hardware
[Figure: a masking scheme running on a CPU, split into SW (RISC-V assembly) and HW (Ibex core)]
Co-Verification with Coco
• Coco
• Verify the execution of masked assembly implementations directly on a processor’s netlist
• Check separation between shares
• Execution-aware verification: SW as a sequence of control signals
• SW must have constant control flow
Verification Flow
[Figure: verification flow diagram with the following stages]
• Masking scheme: SW (RISC-V assembly) and HW (Ibex core, as CPU netlist)
• Simulation: produces the execution trace
• Annotation:
x21: share 1
x4: share 1
mem[0x16]: share 2
mem[0x24]: mask
x17: unimportant
• Verification: either "Yes, secure." or "No, not secure. Leak in cycle 8, gate “mux_regread”."
Verification Flow
• Propagate labels through processor
• For each gate/register: construct correlation set (stable/transient)
[Figure: register and comb. logic; AND gate with inputs a, b and output x]

| | Cycle $n$ | Cycle $n+1$ | Cycle $n+2$ |
|---|---|---|---|
| Execution trace: $b$ | 1 | 0 | 0 |
| Execution trace: $x$ | $a$ | 0 | 0 |
| Stable correlation sets: $S_x^t$ | $S_a^n$ | $\{1\}$ | $\{1\}$ |
| Transient correlation sets: $T_x^t$ | $T_a^n$ | $T_a^{n+1}$ | $\{1\}$ |
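The masking relation and the verification flow described above, as an added example (not code from the slides and not Coco's implementation): a first-order check that annotates registers with shares, executes a masked AND, and reports the first step whose value or register transition depends on the secrets. It swaps Coco's correlation sets on the Ibex netlist for exhaustive enumeration over 1-bit registers; the two-instruction ISA, the register assignment and the modelling of "transient" as the (old, new) pair of the overwritten register are assumptions made here.

```python
from collections import Counter
from itertools import product

# Annotation step (assumed register assignment): which register initially holds
# which share or mask. a = a0 ^ a1 and b = b0 ^ b1 are the secrets, z is fresh
# randomness.
ANNOTATION = {"x1": "a0", "x2": "a1", "x3": "b0", "x4": "b1", "x5": "z"}
OPS = {"and": lambda x, y: x & y, "xor": lambda x, y: x ^ y}

# First-order DOM AND with every intermediate in its own register.
SECURE = """
and x6, x1, x4    # a0 & b1
xor x6, x6, x5    # ... ^ z  (remask before combining)
and x7, x1, x3    # a0 & b0
xor x6, x6, x7    # q0
and x8, x2, x3    # a1 & b0
xor x8, x8, x5    # ... ^ z
and x9, x2, x4    # a1 & b1
xor x8, x8, x9    # q1
"""

# Same arithmetic, but the second half reuses x7: a1 & b0 overwrites a0 & b0.
REUSE = SECURE.replace("x8", "x7")

# Same registers as SECURE, but both products are combined before z is added.
REORDERED = """
and x6, x1, x3    # a0 & b0
and x7, x1, x4    # a0 & b1
xor x6, x6, x7    # a0 & (b0 ^ b1) = a0 & b, unmasked dependence on b
xor x6, x6, x5    # z arrives too late
and x8, x2, x3
xor x8, x8, x5
and x9, x2, x4
xor x8, x8, x9
"""


def parse(asm):
    """Turn 'op rd, rs1, rs2  # comment' lines into (op, rd, rs1, rs2) tuples."""
    lines = (line.split("#")[0].replace(",", " ").split() for line in asm.splitlines())
    return [tuple(fields) for fields in lines if fields]


def simulate(program, a, b, a0, b0, z):
    """Run the program on 1-bit registers; return per-step probes and final registers."""
    values = {"a0": a0, "a1": a ^ a0, "b0": b0, "b1": b ^ b0, "z": z}
    regs = {f"x{i}": 0 for i in range(10)}
    regs.update({reg: values[label] for reg, label in ANNOTATION.items()})
    probes = []
    for op, rd, rs1, rs2 in program:
        old, new = regs[rd], OPS[op](regs[rs1], regs[rs2])
        regs[rd] = new
        # stable: the value written; transient: what the overwrite exposes
        probes.append({"stable": new, "transient": (old, new)})
    return probes, regs


def verify(program):
    """Return None if no probe depends on the secrets, else (step, register, kind)."""
    dist = {}  # dist[(a, b)][step][kind] -> Counter of observed probe values
    for a, b in product((0, 1), repeat=2):
        counters = [{"stable": Counter(), "transient": Counter()} for _ in program]
        for a0, b0, z in product((0, 1), repeat=3):
            probes, _ = simulate(program, a, b, a0, b0, z)
            for counter, probe in zip(counters, probes):
                for kind, value in probe.items():
                    counter[kind][value] += 1
        dist[(a, b)] = counters
    reference = dist[(0, 0)]
    for step, (_, rd, _, _) in enumerate(program):
        for kind in ("stable", "transient"):
            # A probe is safe only if its distribution is identical for all secrets.
            if any(d[step][kind] != reference[step][kind] for d in dist.values()):
                return step, rd, kind
    return None


def computes_and(program, out0, out1):
    """Functional check: the two output shares must recombine to a & b."""
    for a, b, a0, b0, z in product((0, 1), repeat=5):
        _, regs = simulate(program, a, b, a0, b0, z)
        if regs[out0] ^ regs[out1] != a & b:
            return False
    return True


if __name__ == "__main__":
    for name, asm in (("SECURE", SECURE), ("REUSE", REUSE), ("REORDERED", REORDERED)):
        leak = verify(parse(asm))
        if leak is None:
            print(f"{name}: Yes, secure.")
        else:
            print(f"{name}: No, not secure. Leak in step {leak[0]}, register {leak[1]} ({leak[2]}).")
```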
Co-Design
Target processor: Ibex
• RISC-V Ibex core
• 32-bit CPU with two-stage in-order single-issue pipeline
• Simple microarchitecture but still contains most important components of every processor
• Part of the PULP Platform and the OpenTitan project [ETH, 2017]
Co-Design of Ibex using Coco
• Securing Ibex with Coco:
1. Construct set of masked SW
2. Execute them with Ibex to get execution trace
3. Run verification with Coco
4. Fix problems, goto 1
• First: Coco confirms known problems¹ → Software Constraints
• Second: Further problems, (almost) impossible to fix in software → Hardware Fixes
¹[Balasch, 2014], [Barthe, 2015], [Kostas, 2017], [Shelton, 2019]
Register File
• Problems:
1. Switching wires in the multiplexer tree
2. Glitchy address signals
3. Unintended Reads
• Solution: Register Gating
[Figure: register file. Original: Read Port A built from a MUX tree over x1, x2, x3, … selected by the Read Addr bits; Write x1 selects the Data input via a MUX. With register gating: Read Addr and Write Addr are one-hot encoded (5 → 32), each register is gated with an AND, and the gated outputs are ORed into Read Port A.]
Computation Units
• Problem: Computation units (ALU, MD, CSR) are always-active
• Instruction mul x5, x1, x2: Ibex will also compute x1 ⊕ x2 in ALU, …
• Problematic when using parallel implementations of masking schemes [Barthe, 2017]
• Solution: Computation unit gating
• AND gates at the input of each unit connected to enable bit
Load/Store Operations
• Problem: Hidden LSU State
• Internal register for misaligned memory access
• Overwrite with counterpart causes leak
• Solution: Clear hidden LSU State
• Clear hidden register after memory access
Evaluation
• Area overhead: 9.9% (20.2 kGE vs 22.2 kGE)

| Name | Runtime (cycles) | Leaking Cycle | Input Shares | Fresh Randomness | Verification Runtime (Stable) | Verification Runtime (Transient) |
|---|---|---|---|---|---|---|
| Trichina AND reg. [Trichina, 2003] | 19 | - | 4 x 32 bit | 32 bit | 5 s | 19 s |
| DOM AND reg. | 13 | 12 | 4 x 32 bit | 32 bit | 2 s | 12 s |
| DOM AES S-box [Boyar, 2012] | 1900 | - | 16 x 16 bit | 34 x 16 bit | 18 m | 4.75 h |
| DOM Keccak S-box 2nd order [Groß, 2017] | 474 | - | 15 x 32 bit | 15 x 32 bit | 3 m | 1.3 h |
| DOM AND reg 3rd order [Groß, 2016] | 65 | - | 8 x 32 bit | 6 x 32 bit | 44 s | 2.5 m |
Evaluation
T-test scores during the execution of a first-order DOM Keccak S-box using 100 000 power traces.
[Figure: two t-test plots, "Original register file" and "Secured register file"]
References
[Chari, 1999] Suresh Chari, Charanjit S. Jutla, Josyula R. Rao, and Pankaj Rohatgi. Towards sound approaches to counteract power-analysis attacks. In Advances in Cryptology - CRYPTO ’99, 19th Annual International Cryptology Conference, Santa Barbara, California, USA, August 15-19, 1999, Proceedings, volume 1666 of Lecture Notes in Computer Science, pages 398–412. Springer, 1999.
[Kocher, 1999] Paul C. Kocher, Joshua Jaffe, and Benjamin Jun. Differential power analysis. In CRYPTO, volume 1666 of Lecture Notes in Computer Science, pages 388–397. Springer, 1999.
[Barthe, 2017] Gilles Barthe, François Dupressoir, Sebastian Faust, Benjamin Grégoire, François-Xavier Standaert, and Pierre-Yves Strub. Parallel implementations of masking schemes and the bounded moment leakage model. In Advances in Cryptology - EUROCRYPT 2017 - 36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Paris, France, April 30 - May 4, 2017, Proceedings, Part I, volume 10210 of Lecture Notes in Computer Science, pages 535–566, 2017.
[Balasch, 2014] Josep Balasch, Benedikt Gierlichs, Vincent Grosso, Oscar Reparaz, and François-Xavier Standaert. On the cost of lazy engineering for masked software implementations. In Smart Card Research and Advanced Applications - 13th International Conference, CARDIS 2014, Paris, France, November 5-7, 2014. Revised Selected Papers, volume 8968 of Lecture Notes in Computer Science, pages 64–81. Springer, 2014.
[Barthe, 2015] Gilles Barthe, Sonia Belaïd, François Dupressoir, Pierre-Alain Fouque, Benjamin Grégoire, and Pierre-Yves Strub. Verified proofs of higher-order masking. In Advances in Cryptology - EUROCRYPT 2015 - 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, April 26-30, 2015, Proceedings, Part I, volume 9056 of Lecture Notes in Computer Science, pages 457–485. Springer, 2015.
[Kostas, 2017] Kostas Papagiannopoulos and Nikita Veshchikov. Mind the gap: Towards secure 1st-order masking in software. In Constructive Side-Channel Analysis and Secure Design - 8th International Workshop, COSADE 2017, Paris, France, April 13-14, 2017, Revised Selected Papers, volume 10348 of Lecture Notes in Computer Science, pages 282–297. Springer, 2017.
[Shelton, 2019] Madura A. Shelton, Niels Samwel, Lejla Batina, Francesco Regazzoni, Markus Wagner, and Yuval Yarom. Rosita: Towards automatic elimination of power-analysis leakage in ciphers. abs/1912.05183, 2019.
[ETH, 2017] ETH Zurich and University of Bologna. Ibex Documentation. https://ibex-core.readthedocs.io/en/latest/index.html, accessed on Nov 11, 2020.
[Groß, 2016] Hannes Groß, Stefan Mangard, and Thomas Korak. Domain-oriented masking: Compact masked hardware implementations with arbitrary protection order. In Proceedings of the ACM Workshop on Theory of Implementation Security, TIS@CCS 2016 Vienna, Austria, October, 2016, page 3. ACM, 2016.
[Boyar, 2012] Joan Boyar and René Peralta. A small depth-16 circuit for the AES s-box. In Information Security and Privacy Research - 27th IFIP TC 11 Information Security and Privacy Conference, SEC 2012, Heraklion, Crete, Greece, June 4-6, 2012. Proceedings, volume 376 of IFIP Advances in Information and Communication Technology, pages 287–298. Springer, 2012.
[Groß, 2017] Hannes Groß, David Schaffenrath, and Stefan Mangard. Higher-order side-channel protected implementations of KECCAK. In Euromicro Conference on Digital System Design, DSD 2017, Vienna, Austria, August 30 - Sept. 1, 2017, pages 205–212. IEEE Computer Society, 2017.
[Trichina, 2003] Elena Trichina. Combinational logic design for AES subbyte transformation on masked data. IACR Cryptol. ePrint Arch., 2003:236, 2003.
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 

Recently uploaded (20)

UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 

Coco: Co-Design and Co-Verification of Masked Software Implementations on CPUs

  • 2. Coco: Co-Design and Co-Verification of Masked Software Implementations on CPUs
    Barbara Gigerl, PhD Student, Technical University of Graz
    December 8-10 | Virtual Event | #RISCVSUMMIT
  • 3. About this presentation
    Introduction | Co-Verification | Co-Design
    Barbara Gigerl¹, Vedad Hadzic¹, Robert Primas¹, Stefan Mangard¹ and Roderick Bloem¹: Co-Design and Co-Verification of Masked Software Implementations on CPUs
    ¹Graz University of Technology
    https://eprint.iacr.org/2020/1294
  • 5. Side-channel attacks
    • Exploit side-channel information
    • Information leaked by a device unintentionally
    • Channels shown: execution time, power consumption, electromagnetic radiation, temperature, sound, photon emission
  • 6. Power Analysis Attacks
    [Figure: attacker, cryptographic device, oscilloscope, power traces] [Kocher, 1999]
  • 7. The Masking countermeasure
    • Power consumption depends on:
      • What is done?
      • Which data is involved?
    • Masking [Chari, 1999]: Conceal secret s by a random mask m:
      v_m = s ⊕ m ⇔ s = v_m ⊕ m
    • Cryptographic algorithm f processes v_m and m individually
    Break the dependency!
  • 9. The HW/SW Gap
    • Formal security proofs are only done for SW
    • Assumption: underlying HW is secure
    • Goal: Co-Verification of Software and Hardware
    [Figure: masking scheme as SW (RISC-V assembly) on a CPU as HW (Ibex core)]
  • 10. Co-Verification with Coco
    • Coco
      • Verify the execution of masked assembly implementations directly on a processor’s netlist
      • Check separation between shares
      • Execution-aware verification: SW as a sequence of control signals
      • SW must have constant control flow
  • 11. Verification Flow
    • Inputs: masking scheme as SW (RISC-V assembly) and CPU netlist as HW (Ibex core)
    • Simulation produces an execution trace
    • Annotation: x21: share 1; x4: share 1; mem[0x16]: share 2; mem[0x24]: mask; x17: unimportant
    • Verification result: "Yes, secure." or "No, not secure. Leak in cycle 8, gate “mux_regread”."
  • 12. Verification Flow
    • Propagate labels through processor
    • For each gate/register: construct correlation set (stable/transient)
    [Figure: register and combinational logic; AND gate with inputs a, b and output x]

    |                                | Cycle n | Cycle n+1 | Cycle n+2 |
    |--------------------------------|---------|-----------|-----------|
    | Execution trace: b             | 1       | 0         | 0         |
    | Execution trace: x             | a       | 0         | 0         |
    | Stable correlation sets S_x^t  | S_a^n   | {1}       | {1}       |
    | Transient correlation sets T_x^t | T_a^n | T_a^(n+1) | {1}       |
  • 14. Target processor: Ibex
    • RISC-V Ibex core
    • 32-bit CPU with two-stage in-order single-issue pipeline
    • Simple microarchitecture but still contains most important components of every processor
    • Part of the PULP Platform and the OpenTitan project [ETH, 2017]
  • 15. Co-Design of Ibex using Coco
    • Securing Ibex with Coco:
      1. Construct set of masked SW
      2. Execute them with Ibex to get execution trace
      3. Run verification with Coco
      4. Fix problems, goto 1
    • First: Coco confirms known problems¹ → Software Constraints
    • Second: Further problems, (almost) impossible to fix in software → Hardware Fixes
    ¹[Balasch, 2014], [Barthe, 2015], [Kostas, 2017], [Shelton, 2019]
  • 16. Register File
    • Problems:
      1. Switching wires in the multiplexer tree
      2. Glitchy address signals
      3. Unintended Reads
    • Solution: Register Gating
    [Figure: Read Port A as a multiplexer tree over registers x1, x2, x3 selected by Read Addr bits, and the gated version with one-hot read/write addresses and AND/OR gates]
  • 17. Computation Units
    • Problem: Computation units (ALU, MD, CSR) are always-active
      • Instruction mul x5, x1, x2: Ibex will also compute x1 ⊕ x2 in ALU, …
      • Problematic when using parallel implementations of masking schemes [Barthe, 2017]
    • Solution: Computation unit gating
      • AND gates at the input of each unit connected to enable bit
  • 18. Load/Store Operations
    • Problem: Hidden LSU State
      • Internal register for misaligned memory access
      • Overwrite with counterpart causes leak
    • Solution: Clear hidden LSU State
      • Clear hidden register after memory access
  • 19. Evaluation
    • Area overhead: 9.9% (20.2 kGE vs 22.2 kGE)

    | Name | Runtime (cycles) | Leaking cycle | Input shares | Fresh randomness | Verification runtime (stable) | Verification runtime (transient) |
    |------|------------------|---------------|--------------|------------------|-------------------------------|----------------------------------|
    | Trichina AND reg. [Trichina, 2003] | 19 | - | 4 x 32 bit | 32 bit | 5 s | 19 s |
    | DOM AND reg. | 13 | 12 | 4 x 32 bit | 32 bit | 2 s | 12 s |
    | DOM AES S-box [Boyar, 2012] | 1900 | - | 16 x 16 bit | 34 x 16 bit | 18 m | 4.75 h |
    | DOM Keccak S-box 2nd order [Groß, 2017] | 474 | - | 15 x 32 bit | 15 x 32 bit | 3 m | 1.3 h |
    | DOM AND reg 3rd order [Groß, 2016] | 65 | - | 8 x 32 bit | 6 x 32 bit | 44 s | 2.5 m |
  • 20. Evaluation
    T-test scores during the execution of a first-order DOM Keccak S-box using 100 000 power traces.
    [Figure panels: Original register file; Secured register file]
  • 21. References
    [Chari, 1999] Suresh Chari, Charanjit S. Jutla, Josyula R. Rao, and Pankaj Rohatgi. Towards sound approaches to counteract power-analysis attacks. In Advances in Cryptology - CRYPTO ’99, 19th Annual International Cryptology Conference, Santa Barbara, California, USA, August 15-19, 1999, Proceedings, volume 1666 of Lecture Notes in Computer Science, pages 398–412. Springer, 1999.
    [Kocher, 1999] Paul C. Kocher, Joshua Jaffe, and Benjamin Jun. Differential power analysis. In CRYPTO, volume 1666 of Lecture Notes in Computer Science, pages 388–397. Springer, 1999.
    [Barthe, 2017] Gilles Barthe, François Dupressoir, Sebastian Faust, Benjamin Grégoire, François-Xavier Standaert, and Pierre-Yves Strub. Parallel implementations of masking schemes and the bounded moment leakage model. In Advances in Cryptology - EUROCRYPT 2017 - 36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Paris, France, April 30 - May 4, 2017, Proceedings, Part I, volume 10210 of Lecture Notes in Computer Science, pages 535–566, 2017.
    [Balasch, 2014] Josep Balasch, Benedikt Gierlichs, Vincent Grosso, Oscar Reparaz, and François-Xavier Standaert. On the cost of lazy engineering for masked software implementations. In Smart Card Research and Advanced Applications - 13th International Conference, CARDIS 2014, Paris, France, November 5-7, 2014. Revised Selected Papers, volume 8968 of Lecture Notes in Computer Science, pages 64–81. Springer, 2014.
    [Barthe, 2015] Gilles Barthe, Sonia Belaïd, François Dupressoir, Pierre-Alain Fouque, Benjamin Grégoire, and Pierre-Yves Strub. Verified proofs of higher-order masking. In Advances in Cryptology - EUROCRYPT 2015 - 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, April 26-30, 2015, Proceedings, Part I, volume 9056 of Lecture Notes in Computer Science, pages 457–485. Springer, 2015.
    [Kostas, 2017] Kostas Papagiannopoulos and Nikita Veshchikov. Mind the gap: Towards secure 1st-order masking in software. In Constructive Side-Channel Analysis and Secure Design - 8th International Workshop, COSADE 2017, Paris, France, April 13-14, 2017, Revised Selected Papers, volume 10348 of Lecture Notes in Computer Science, pages 282–297. Springer, 2017.
    [Shelton, 2019] Madura A. Shelton, Niels Samwel, Lejla Batina, Francesco Regazzoni, Markus Wagner, and Yuval Yarom. Rosita: Towards automatic elimination of power-analysis leakage in ciphers. abs/1912.05183, 2019.
  • 22. References
    [ETH, 2017] ETH Zurich and University of Bologna. Ibex Documentation. https://ibex-core.readthedocs.io/en/latest/index.html, accessed on Nov 11, 2020.
    [Groß, 2016] Hannes Groß, Stefan Mangard, and Thomas Korak. Domain-oriented masking: Compact masked hardware implementations with arbitrary protection order. In Proceedings of the ACM Workshop on Theory of Implementation Security, TIS@CCS 2016 Vienna, Austria, October, 2016, page 3. ACM, 2016.
    [Boyar, 2012] Joan Boyar and René Peralta. A small depth-16 circuit for the AES s-box. In Information Security and Privacy Research - 27th IFIP TC 11 Information Security and Privacy Conference, SEC 2012, Heraklion, Crete, Greece, June 4-6, 2012. Proceedings, volume 376 of IFIP Advances in Information and Communication Technology, pages 287–298. Springer, 2012.
    [Groß, 2017] Hannes Groß, David Schaffenrath, and Stefan Mangard. Higher-order side-channel protected implementations of KECCAK. In Euromicro Conference on Digital System Design, DSD 2017, Vienna, Austria, August 30 - Sept. 1, 2017, pages 205–212. IEEE Computer Society, 2017.
    [Trichina, 2003] Elena Trichina. Combinational logic design for AES subbyte transformation on masked data. IACR Cryptol. ePrint Arch., 2003:236, 2003.

Editor's Notes

  1. Stable correlations refer to the final values of the signals, whereas transient correlations refer to all intermediate signal values before the circuit stabilizes.
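
The stable/transient distinction in the note above, and the role of the register in the verification-flow slide, shown on a toy gate-level netlist. This is an added example, not code from the slides or from Coco: it replaces Coco's correlation sets with exhaustive enumeration, and models transients conservatively by letting a probe on a wire see every stable signal (primary input or register output) feeding its combinational logic. The netlist format, the function names and the one-bit first-order DOM AND circuit are assumptions constructed for illustration.

```python
from collections import Counter
from itertools import product

def evaluate(netlist, inputs):
    """Settled value of every wire; netlist entries are in topological order."""
    val = dict(inputs)
    for wire, (op, *args) in netlist.items():
        a = [val[x] for x in args]
        val[wire] = a[0] if op == "reg" else a[0] & a[1] if op == "and" else a[0] ^ a[1]
    return val

def cone(netlist, wire):
    """Stable signals (primary inputs, register outputs) feeding wire's combinational logic."""
    if wire not in netlist or netlist[wire][0] == "reg":
        return {wire}
    return set().union(*(cone(netlist, x) for x in netlist[wire][1:]))

def leaking_wires(netlist, secrets, fresh, mode):
    """Wires whose observation distribution changes with the unshared secrets."""
    names, bad = list(secrets), []
    for wire in netlist:
        # stable: final value only; transient: a glitch may expose the whole cone
        probe = [wire] if mode == "stable" else sorted(cone(netlist, wire))
        dists = set()
        for sv in product((0, 1), repeat=len(names)):          # every secret assignment
            seen = Counter()
            for rnd in product((0, 1), repeat=len(names) + len(fresh)):
                inputs = dict(zip(fresh, rnd[len(names):]))    # fresh randomness
                for n, s, m in zip(names, sv, rnd):            # share 0 = s ^ m, share 1 = m
                    inputs[secrets[n][0]], inputs[secrets[n][1]] = s ^ m, m
                val = evaluate(netlist, inputs)
                seen[tuple(val[p] for p in probe)] += 1
            dists.add(frozenset(seen.items()))
        if len(dists) > 1:                                     # distribution depends on a secret
            bad.append(wire)
    return bad

# Constructed toy netlist: first-order DOM AND of a = a0^a1 and b = b0^b1, fresh mask r.
def dom_and(registered):
    n = {"p00": ("and", "a0", "b0"), "p01": ("and", "a0", "b1"),
         "p10": ("and", "a1", "b0"), "p11": ("and", "a1", "b1"),
         "x01": ("xor", "p01", "r"), "x10": ("xor", "p10", "r")}
    if registered:
        n["x01q"], n["x10q"] = ("reg", "x01"), ("reg", "x10")
    suffix = "q" if registered else ""
    n["q0"] = ("xor", "p00", "x01" + suffix)
    n["q1"] = ("xor", "p11", "x10" + suffix)
    return n

SECRETS = {"a": ("a0", "a1"), "b": ("b0", "b1")}

if __name__ == "__main__":
    for registered in (False, True):
        for mode in ("stable", "transient"):
            print(registered, mode, leaking_wires(dom_and(registered), SECRETS, ["r"], mode))
```

Without the registers every wire passes the stable check, yet `q0` and `q1` are flagged in transient mode because their combinational cones contain both shares of `b`; registering the remasked cross-domain terms clears both modes.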