2. Information Classification: General
December 8-10 | Virtual Event
Coco: Co-Design and Co-Verification of Masked Software Implementations on CPUs
Barbara Gigerl
PhD Student
Technical University of Graz
#RISCVSUMMIT
About this presentation
Introduction Co-Verification Co-Design
Barbara Gigerl¹, Vedad Hadzic¹, Robert Primas¹, Stefan Mangard¹ and Roderick Bloem¹: Co-Design and Co-Verification of Masked Software Implementations on CPUs
¹Graz University of Technology
https://eprint.iacr.org/2020/1294
Side-channel attacks
• Exploit side-channel information
• Information leaked by a device unintentionally
• Examples: execution time, power consumption, electromagnetic radiation, temperature, sound, photon emission
The Masking countermeasure
• Power consumption depends on:
  • What is done?
  • Which data is involved?
• Masking [Chari, 1999]: conceal a secret s by a random mask m:
  v_m = s ⊕ m ⇔ s = v_m ⊕ m
• The cryptographic algorithm f processes v_m and m individually
• Break the dependency!
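The masking idea above, as an added example (not code from the slides or from the Coco project): first-order Boolean masking of 32-bit words, the share-wise XOR, and a DOM-style masked AND [Groß, 2016] that spends one fresh random word per AND. The helper first_order_leaks exhaustively checks, for 1-bit inputs, whether the distribution of any intermediate value depends on the secrets. The function names, the "lazy" variant that applies the fresh randomness too late, and the sample words are assumptions made for this illustration.

```python
# Added example: first-order Boolean masking with a DOM-style AND and an
# exhaustive first-order leakage check. Illustration only, not code from
# the slides or from the Coco project.
from itertools import product
import secrets

MASK32 = 0xFFFFFFFF


def mask(s, m=None):
    """Split a 32-bit secret s into shares (v_m, m) with v_m ^ m == s.
    m defaults to a fresh random mask (assumption: 32-bit words)."""
    if m is None:
        m = secrets.randbits(32)
    return (s ^ m) & MASK32, m & MASK32


def unmask(shares):
    v_m, m = shares
    return v_m ^ m


def masked_xor(a, b):
    """XOR is linear: operate on each share separately, no randomness needed."""
    return a[0] ^ b[0], a[1] ^ b[1]


def masked_and(a, b, z):
    """DOM AND [Groß, 2016]: z is a fresh 32-bit random word. Each cross-domain
    term (a0&b1, a1&b0) is remasked with z before it is added to a share, so
    no intermediate depends on both shares of a or both shares of b."""
    a0, a1 = a
    b0, b1 = b
    c0 = (a0 & b0) ^ ((a0 & b1) ^ z)
    c1 = (a1 & b1) ^ ((a1 & b0) ^ z)
    return c0 & MASK32, c1 & MASK32


# 1-bit versions that expose every intermediate value, for the exhaustive check.

def dom_and_bits(a, b, z):
    a0, a1 = a
    b0, b1 = b
    t = {"a0&b0": a0 & b0, "(a0&b1)^z": (a0 & b1) ^ z,
         "a1&b1": a1 & b1, "(a1&b0)^z": (a1 & b0) ^ z}
    t["c0"] = t["a0&b0"] ^ t["(a0&b1)^z"]
    t["c1"] = t["a1&b1"] ^ t["(a1&b0)^z"]
    return t


def lazy_and_bits(a, b, z):
    """Functionally identical, but z is applied only at the end (assumed
    'lazy' variant): the intermediate (a0&b0)^(a0&b1) equals a0 & b, which
    depends on the unmasked secret b."""
    a0, a1 = a
    b0, b1 = b
    t = {"a0&b0": a0 & b0, "a0&b1": a0 & b1}
    t["(a0&b0)^(a0&b1)"] = t["a0&b0"] ^ t["a0&b1"]
    t["c0"] = t["(a0&b0)^(a0&b1)"] ^ z
    t["c1"] = (a1 & b1) ^ (a1 & b0) ^ z
    return t


def first_order_leaks(gadget):
    """Enumerate secrets a, b and masks ma, mb, z (all 1 bit). An intermediate
    is first-order secure if its distribution is the same for every (a, b);
    return the names of the intermediates whose distribution differs."""
    hist = {}
    for a, b in product((0, 1), repeat=2):
        for ma, mb, z in product((0, 1), repeat=3):
            vals = gadget((a ^ ma, ma), (b ^ mb, mb), z)
            for name, v in vals.items():
                hist.setdefault(name, {}).setdefault((a, b), 0)
                hist[name][(a, b)] += v
    return sorted(name for name, d in hist.items() if len(set(d.values())) > 1)


if __name__ == "__main__":
    a, b, z = 0xDEADBEEF, 0x0F0F1234, 0x13579BDF  # constructed sample words
    assert unmask(masked_and(mask(a), mask(b), z)) == a & b
    print("DOM AND leaks:", first_order_leaks(dom_and_bits))    # []
    print("lazy AND leaks:", first_order_leaks(lazy_and_bits))  # ['(a0&b0)^(a0&b1)']
```

Both gadgets compute the same function on the recombined values; the difference is only where the fresh randomness enters, which is exactly what the "fresh randomness" column of the evaluation table accounts for. The exhaustive check is the software-level view; Coco's point is that the same kind of check has to be applied to what the CPU's gates actually compute.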
The HW/SW Gap
• Formal security proofs are only done for SW
• Assumption: the underlying HW is secure
• Goal: Co-Verification of Software and Hardware
Figure: the masking scheme is implemented in SW (RISC-V assembly) and executed on HW (the CPU, here the Ibex core); the gap lies between the two.
Co-Verification with Coco
• Coco
  • Verifies the execution of masked assembly implementations directly on a processor's netlist
  • Checks the separation between shares
• Execution-aware verification: SW as a sequence of control signals
• SW must have constant control flow
Verification Flow
1. Inputs: the masking scheme as SW (RISC-V assembly) and the CPU netlist as HW (Ibex core)
2. Simulation: execute the SW on the netlist to obtain an execution trace
3. Annotation of the trace, e.g. x21: share 1, x4: share 1, mem[0x16]: share 2, mem[0x24]: mask, x17: unimportant
4. Verification result: "Yes, secure." or "No, not secure. Leak in cycle 8, gate 'mux_regread'."
Verification Flow
• Propagate labels through the processor
• For each gate/register: construct a correlation set (stable/transient)

Example (figure): a register feeding combinational logic; an AND gate with inputs a and b and output x. Execution trace and correlation sets of x per cycle:

                            Cycle n    Cycle n+1    Cycle n+2
  b                         1          0            0
  x                         a          0            0
  Stable set S_x^t          S_a^n      {1}          {1}
  Transient set T_x^t       T_a^n      T_a^{n+1}    {1}
Target processor: Ibex
• RISC-V Ibex core
• 32-bit CPU with a two-stage in-order single-issue pipeline
• Simple microarchitecture, but still contains the most important components of every processor
• Part of the PULP Platform and the OpenTitan project [ETH, 2017]
Co-Design of Ibex using Coco
• Securing Ibex with Coco:
  1. Construct a set of masked SW implementations
  2. Execute them on Ibex to get the execution traces
  3. Run the verification with Coco
  4. Fix the problems, goto 1
• First: Coco confirms known problems¹ → software constraints
• Second: further problems that are (almost) impossible to fix in software → hardware fixes
¹[Balasch, 2014], [Barthe, 2015], [Kostas, 2017], [Shelton, 2019]
Register File
• Problems:
  1. Switching wires in the multiplexer tree
  2. Glitchy address signals
  3. Unintended reads
• Solution: register gating
Figure: left, the original read port of the Ibex register file: a multiplexer tree over x1, x2, x3, ... selected by the read address bits (Read Addr[5], Read Addr[4], ...), plus a write-data multiplexer in front of each register. Right, the gated version: the 5-bit read address is decoded one-hot, each 32-bit register is ANDed with its select bit, and the results are ORed onto Read Port A; the write address is decoded one-hot in the same way.
Computation Units
• Problem: computation units (ALU, MD, CSR) are always active
  • Instruction mul x5, x1, x2: Ibex will also compute x1 ⊕ x2 in the ALU, ...
  • Problematic when using parallel implementations of masking schemes [Barthe, 2017]
• Solution: computation unit gating
  • AND gates at the input of each unit, connected to an enable bit
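The label propagation from the Verification Flow slide, the "switching wires in the multiplexer tree" problem of the register file, and the computation-unit gating above, as one added example (not Coco's code): a toy execution-aware correlation-set check over a small gate-level netlist. Control signals take concrete 0/1 values from the trace, data signals carry correlation sets, and the check flags any signal with a term that contains both shares. The gate rules, the glitch model used for the transient sets, the labels s1/s2, the netlists and the traces are simplifying assumptions made for this illustration; only the gate name "mux_regread" is taken from the slides.

```python
# Added example: a toy execution-aware correlation-set check over a small
# gate-level netlist, in the spirit of the Coco verification flow. Not Coco's
# code; the gate rules and the glitch model are simplifying assumptions.
# A correlation set is a set of label products: frozenset() is the constant 1,
# frozenset({"s1", "s2"}) is the product s1*s2 (s1 XOR s2 in the Fourier view).
# Control signals with values known from the trace are plain 0/1 ints.

ONE = frozenset()


def is_const(v):
    return isinstance(v, int)


def as_set(v):
    return {ONE} if is_const(v) else v


def xor_rule(sa, sb):
    """XOR: every product of a term of a with a term of b (symmetric difference)."""
    return {p ^ q for p in sa for q in sb}


def nonlinear_rule(sa, sb):
    """AND/OR: the output may correlate with 1, each input term, and the products."""
    return {ONE} | sa | sb | xor_rule(sa, sb)


def eval_gate(kind, ins):
    """Evaluate one gate, folding constants so that known control values simplify."""
    if kind == "not":
        return 1 - ins[0] if is_const(ins[0]) else ins[0]
    a, b = ins
    if is_const(a) and is_const(b):
        return {"and": a & b, "or": a | b, "xor": a ^ b}[kind]
    if is_const(a) or is_const(b):
        c, s = (a, b) if is_const(a) else (b, a)
        if kind == "and":
            return 0 if c == 0 else s
        if kind == "or":
            return 1 if c == 1 else s
        return s  # XOR with a constant keeps the same correlation terms
    return xor_rule(a, b) if kind == "xor" else nonlinear_rule(a, b)


def run(netlist, inputs):
    vals = dict(inputs)
    for kind, out, ins in netlist:  # netlist is in topological order
        vals[out] = eval_gate(kind, [vals[i] for i in ins])
    return vals


def stable(netlist, trace):
    """Stable model: only the settled value of every signal in each cycle."""
    return [run(netlist, cycle) for cycle in trace]


def transient(netlist, trace):
    """Transient model (assumed glitch semantics): during cycle t a gate may still
    see a primary input's old value from t-1, so every input is widened to the
    union of old and new; a control bit that toggles is no longer a foldable constant."""
    results = []
    for t in range(1, len(trace)):
        widened = {}
        for name, new in trace[t].items():
            old = trace[t - 1][name]
            same_const = is_const(old) and is_const(new) and old == new
            widened[name] = new if same_const else as_set(old) | as_set(new)
        results.append(run(netlist, widened))
    return results


def leaks(vals, shares=("s1", "s2")):
    """First-order check: a signal leaks if one of its terms contains every share."""
    need = frozenset(shares)
    return sorted(n for n, v in vals.items()
                  if not is_const(v) and any(need <= term for term in v))


S1, S2 = {frozenset({"s1"})}, {frozenset({"s2"})}  # share labels (assumed)

# Read-port multiplexer out = sel ? x2 : x1, built from AND/OR gates.
MUX_READ_PORT = [
    ("not", "nsel", ("sel",)),
    ("and", "g_x2", ("sel", "x2")),
    ("and", "g_x1", ("nsel", "x1")),
    ("or", "mux_regread", ("g_x2", "g_x1")),
]
# Constructed trace: the program reads share 1 (in x1) and then share 2 (in x2)
# over the same read port in consecutive cycles.
READ_TRACE = [{"sel": 0, "x1": S1, "x2": S2},
              {"sel": 1, "x1": S1, "x2": S2}]

# Always-active ALU XOR next to a gated copy whose inputs are ANDed with an
# enable bit that is 0 when the current instruction does not use the ALU.
ALU_XOR = [
    ("xor", "alu_xor_free", ("x1", "x2")),
    ("and", "x1_gated", ("en", "x1")),
    ("and", "x2_gated", ("en", "x2")),
    ("xor", "alu_xor_gated", ("x1_gated", "x2_gated")),
]
ALU_TRACE = [{"en": 0, "x1": S1, "x2": S2}]


def report():
    return {
        "mux stable": [leaks(v) for v in stable(MUX_READ_PORT, READ_TRACE)],
        "mux transient": [leaks(v) for v in transient(MUX_READ_PORT, READ_TRACE)],
        "alu stable": [leaks(v) for v in stable(ALU_XOR, ALU_TRACE)],
    }
```

Calling report() gives {'mux stable': [[], []], 'mux transient': [['mux_regread']], 'alu stable': [['alu_xor_free']]}: in the stable model each cycle puts only one share on the OR gate, so the read port looks fine, but once the select bit is allowed to glitch both shares reach the OR gate in the same cycle and the product term s1*s2 appears. The always-active XOR leaks even in the stable model, while the gated copy folds to the constant 0 because the enable bit is known from the trace.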
Load/Store Operations
• Problem: hidden LSU state
  • Internal register used for misaligned memory accesses
  • Overwriting it with the counterpart share causes a leak
• Solution: clear the hidden LSU state
  • Clear the hidden register after every memory access
Evaluation
• Area overhead: 9.9% (20.2 kGE vs 22.2 kGE)

Name                                       Runtime (cycles)   Leaking cycle   Input shares   Fresh randomness   Verification runtime (stable / transient)
Trichina AND reg. [Trichina, 2003]         19                 -               4 x 32 bit     32 bit             5 s / 19 s
DOM AND reg.                               13                 12              4 x 32 bit     32 bit             2 s / 12 s
DOM AES S-box [Boyar, 2012]                1900               -               16 x 16 bit    34 x 16 bit        18 m / 4.75 h
DOM Keccak S-box, 2nd order [Groß, 2017]   474                -               15 x 32 bit    15 x 32 bit        3 m / 1.3 h
DOM AND reg., 3rd order [Groß, 2016]       65                 -               8 x 32 bit     6 x 32 bit         44 s / 2.5 m
References
[Chari, 1999] Suresh Chari, Charanjit S. Jutla, Josyula R. Rao, and Pankaj Rohatgi. Towards sound approaches to counteract power-analysis attacks. In Advances in Cryptology - CRYPTO '99, 19th Annual International Cryptology Conference, Santa Barbara, California, USA, August 15-19, 1999, Proceedings, volume 1666 of Lecture Notes in Computer Science, pages 398–412. Springer, 1999.
[Kocher, 1999] Paul C. Kocher, Joshua Jaffe, and Benjamin Jun. Differential power analysis. In CRYPTO, volume 1666 of Lecture Notes in Computer Science, pages 388–397. Springer, 1999.
[Barthe, 2017] Gilles Barthe, François Dupressoir, Sebastian Faust, Benjamin Grégoire, François-Xavier Standaert, and Pierre-Yves Strub. Parallel implementations of masking schemes and the bounded moment leakage model. In Advances in Cryptology - EUROCRYPT 2017 - 36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Paris, France, April 30 - May 4, 2017, Proceedings, Part I, volume 10210 of Lecture Notes in Computer Science, pages 535–566, 2017.
[Balasch, 2014] Josep Balasch, Benedikt Gierlichs, Vincent Grosso, Oscar Reparaz, and François-Xavier Standaert. On the cost of lazy engineering for masked software implementations. In Smart Card Research and Advanced Applications - 13th International Conference, CARDIS 2014, Paris, France, November 5-7, 2014, Revised Selected Papers, volume 8968 of Lecture Notes in Computer Science, pages 64–81. Springer, 2014.
[Barthe, 2015] Gilles Barthe, Sonia Belaïd, François Dupressoir, Pierre-Alain Fouque, Benjamin Grégoire, and Pierre-Yves Strub. Verified proofs of higher-order masking. In Advances in Cryptology - EUROCRYPT 2015 - 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, April 26-30, 2015, Proceedings, Part I, volume 9056 of Lecture Notes in Computer Science, pages 457–485. Springer, 2015.
[Kostas, 2017] Kostas Papagiannopoulos and Nikita Veshchikov. Mind the gap: Towards secure 1st-order masking in software. In Constructive Side-Channel Analysis and Secure Design - 8th International Workshop, COSADE 2017, Paris, France, April 13-14, 2017, Revised Selected Papers, volume 10348 of Lecture Notes in Computer Science, pages 282–297. Springer, 2017.
[Shelton, 2019] Madura A. Shelton, Niels Samwel, Lejla Batina, Francesco Regazzoni, Markus Wagner, and Yuval Yarom. Rosita: Towards automatic elimination of power-analysis leakage in ciphers. abs/1912.05183, 2019.
[ETH, 2017] ETH Zurich and University of Bologna. Ibex Documentation. https://ibex-core.readthedocs.io/en/latest/index.html, accessed on Nov 11, 2020.
[Groß, 2016] Hannes Groß, Stefan Mangard, and Thomas Korak. Domain-oriented masking: Compact masked hardware implementations with arbitrary protection order. In Proceedings of the ACM Workshop on Theory of Implementation Security, TIS@CCS 2016, Vienna, Austria, October 2016, page 3. ACM, 2016.
[Boyar, 2012] Joan Boyar and René Peralta. A small depth-16 circuit for the AES S-box. In Information Security and Privacy Research - 27th IFIP TC 11 Information Security and Privacy Conference, SEC 2012, Heraklion, Crete, Greece, June 4-6, 2012, Proceedings, volume 376 of IFIP Advances in Information and Communication Technology, pages 287–298. Springer, 2012.
[Groß, 2017] Hannes Groß, David Schaffenrath, and Stefan Mangard. Higher-order side-channel protected implementations of KECCAK. In Euromicro Conference on Digital System Design, DSD 2017, Vienna, Austria, August 30 - Sept. 1, 2017, pages 205–212. IEEE Computer Society, 2017.
[Trichina, 2003] Elena Trichina. Combinational logic design for AES subbyte transformation on masked data. IACR Cryptol. ePrint Arch., 2003:236, 2003.
Stable correlations refer to the final values of the signals, whereas transient correlations refer to all intermediate signal values before the circuit stabilizes.