Formal Verification of Arithmetic Masking in Hardware and Software

Abstract

Masking is a popular countermeasure to protect cryptographic implementations against physical attacks like differential power analysis. So far, research focused on Boolean masking for symmetric algorithms like AES and Keccak. With the advent of post-quantum cryptography (PQC), arithmetic masking has received increasing attention because many PQC algorithms require a combination of arithmetic and Boolean masking and respective conversion algorithms (A2B/B2A), which represent an interesting but very challenging research topic. While there already exist formal verification concepts for Boolean masked implementations, the same cannot be said about arithmetic masking and accompanying mask conversion algorithms.

In this work, we demonstrate the first formal verification approach for (any-order) Boolean and arithmetic masking which can be applied to both hardware and software, while considering side-effects such as glitches and transitions. First, we show how a formal verification approach for Boolean masking can be used in the context of arithmetic masking such that we can verify A2B/B2A conversions for arbitrary masking orders. We investigate various conversion algorithms in hardware and software, and point out several new findings such as glitch-based issues for straightforward implementations of Coron et al.-A2B in hardware, transition-based leakage in Goubin-A2B in software, and more general implementation pitfalls when utilizing common optimization techniques in PQC. We provide the first formal analysis of table-based A2Bs from a probing security perspective and point out that they might not be easy to implement securely on processors that use of memory buffers or caches.

Appendices

A Iterative and Unrolled Circuits

Fig. 3.

Iterative circuit [12]

Fig. 4.

Unrolled circuit [12]

B Fourier Expansion of the Arithmetic Addition

Recall the Fourier expansion of the AND, OR and XOR functions:

$$\begin{aligned} \textsc {And}\quad W(a \wedge b)&= \frac{1}{2} + \frac{1}{2}a + \frac{1}{2}b - \frac{1}{2}ab \\ \textsc {Or}\quad W(a \vee b)&= -\frac{1}{2} + \frac{1}{2}a + \frac{1}{2}b + \frac{1}{2}ab \\ \textsc {Xor}\quad W(a \oplus b)&= ab \end{aligned}$$

Additionally, note that Fourier expansions represent Boolean functions as a polynomial over the real domain \(\{1,-1\}\), where 1 represents False and −1 represents True. Consequently, monomials \(x^c\) with even exponents c evaluate to 1 in Fourier expansions. The Fourier expansion of the carry and sum can hence be expressed as:

$$\begin{aligned} \textsc {Carry} &W(c^{(j)}) = W((u^{(j)} \oplus u^{(j)}) \wedge c^{(j-1)}) \vee (u^{(j)} \wedge u^{(j)})) \\&= -(0.25u^{(j)})^2 (u^{(j)})^2 c^{(j-1)} - 0.25 (u^{(j)})^2 (u^{(j)})^2 - 0.25 (u^{(j)})^2 u^{(j)} c^{(j-1)}\\&- 0.25 u^{(j)} (u^{(j)}) ^2 c^{(j-1)} + (0.25 u^{(j)})^2 u^{(j)} + 0.25 u^{(j)} (u^{(j)}) ^2\\&- 0.5 u^{(j)} u^{(j)} c^{(j-1)} + 0.25 u^{(j)} c^{(j-1)} + 0.25 u^{(j)} c^{(j-1)} \\&+ 0.25 u^{(j)} + 0.25 u^{(j)} + 0.25 c^{(j-1)} + 0.25 \\&= 0.25 c^{(j-1)} - 0.25 - 0.25 u^{(j)} c^{(j-1)} - 0.25 u^{(j)} c^{(j-1)} + 0.25 u^{(j)}\\&+ 0.25 u^{(j)} - 0.5 u^{(j)} u^{(j)} c^{(j-1)} + 0.25 u^{(j)} c^{(j-1)} + 0.25 u^{(j)} c^{(j-1)} \\&+ 0.25 u^{(j)} + 0.25 u^{(j)} + 0.25 c^{(j-1)} + 0.25 \\&= 0.5 c^{(j-1)} + 0.5 u^{(j)} + 0.5 u^{(j)} - 0.5 u^{(j)} u^{(j)} c^{(j-1)} \\&W(c[0]) = 1 \\ \textsc {Sum} \quad&W(sum^{(j)}) = W(W(u^{(j)} \oplus u^{(j)}) \oplus c^{(j)}) \\&= W(u^{(j)}u^{(j)} \oplus c^{(j)} ) \\&= u^{(j)}u^{(j)} W(c^{(j)} ) \\&= 0.5u^{(j)} u^{(j)} c^{(j)} + 0.5 u^{(j)} + 0.5 u^{(j)} - 0.5 c^{(j)} \end{aligned}$$

Fig. 5.

Schematic image of Coron et al.-A2B [23] when implemented in hardware. The arithmetic input shares \(a_0, a_1\) are transformed into Boolean shares \(b_0, b_1\). The carry computation happens in the SecAdd module, from which we draw the first part responsible for bits 0 of the final result.

C Coron et al.-A2B

D Sanity Check Measurement Setup (RNG Off)

Fig. 6.

T-test statistics of the fixed version of Coron et al.-A2B with 400 000 traces and RNG off.

E Schneider et al.-B2A [60]

F Debraize-A2B

G Goubin [39]

Overwrite Leakages. In line 9 of the algorithm, the attacker probes the re-assignment of Y:

$$\begin{aligned} Y_\text {old}&= Y_{\text {line }6} \wedge a_1 \\&= (Y_{\text {line }1} \oplus b_{0\text {line }5}) \wedge a_1 \\&= (Y_{\text {line }1} \oplus (T \oplus a_0)) \wedge a_1 \\ Y_\text {new}&= T \wedge a_0 \\ Y_\text {old} \oplus Y_\text {new}&= ((Y_{\text {line }1} \oplus (T \oplus a_0)) \wedge a_1) \oplus (T \wedge a_0) \\&= (a_0 \wedge a_1) \oplus (a_0 \wedge T) \oplus (a_1 \wedge Y) \end{aligned}$$

Hence, for every bit \(>= 0\), this expression will correlate with native value a.

False Positive in Goubin-A2B. Assume the attacker probes the expression \(\varOmega \oplus Y_\text {line 9}\) in line 10, which is \((Y^{(0)} \wedge (Y^{(0)} \oplus {a}_1^{(0)})) \oplus ({a}_1^{(0)} \wedge (Y^{(0)} \oplus a_0^{(0)})) \). For reasons of readability, we omit to indicate that we always refer to the LSB, i.e., skip \(^{(0)}\).

Exact Fourier Expansion

$$\begin{aligned} W((Y \wedge (Y \oplus a_1)) \oplus ((Y \oplus a_0) \wedge a_1))&= ? \\ W(Y \oplus a_0)&= Y a_0 \\ W(Y \oplus a_1)&= Y a_1 \\ W(Y \wedge (Y \oplus a_1))&= -0.5 \, Y^{2} a_{1} + 0.5 \, Y a_{1} + 0.5 \, Y + 0.5\\&= -0.5 \, a_{1} + 0.5 \, Y a_{1} + 0.5 \, Y + 0.5\\ W((Y \oplus a_0) \wedge a_1))&= -0.5 \, Y a_{0} a_{1} + 0.5 \, Y a_{0} + 0.5 \, a_{1} + 0.5 \\ W((Y \wedge (Y \oplus a_1)) \oplus ((Y \oplus a_0) \wedge a_1))&= -0.25 \, Y^{2} a_{0} a_{1}^{2} + 0.25 \, Y a_{0} a_{1}^{2} + 0.25 \, Y^{2} a_{0} - 0.5 \, Y a_{0} a_{1}\\&+ 0.25 \, Y a_{1}^{2} + 0.25 \, Y a_{0} + 0.50 \, Y a_{1} - 0.25 \, a_{1}^{2} + 0.25 \, Y\\&+ 0.25 \\&= -0.25 \, a_{0} + 0.25 \, Y a_{0} + 0.25 \, a_{0} - 0.5 \, Y a_{0} a_{1}\\&+ 0.25 \, Y + 0.25 \, Y a_{0} + 0.50 \, Y a_{1} - 0.25 + 0.25 \, Y + 0.25 \end{aligned}$$

Approximated Fourier Expansion

Note: \(Y^2 = 1\) because in Fourier expression each element is either 1 (False) or −1 (True).

H Table Lookup on Gate-Level

Fig. 7.

Example of table lookup including equality comparator on gate-level with 4-bit addresses and 8-bit data words. The address addr is compared to the constant address of the SRAM cell (\((0110)_b\)). If both values are equal, the resulting 1-bit signal eq is 1, and 0 otherwise. eq is further used to decide whether the respective data word should be read or not.