Security Evaluation Against Side-Channel Analysis at Compilation Time

  • Nicolas Bruneau
  • Charles Christen
  • Jean-Luc Danger
  • Adrien Facon
  • Sylvain Guilley (corresponding author)
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 1133)


The masking countermeasure is implemented to thwart side-channel attacks. The maturity of high-order masking schemes has reached the level where the concepts are sound and proven. For instance, Rivain and Prouff proposed a full-fledged masked AES at CHES 2010, although some non-trivial fixes regarding refresh functions were needed afterwards. Industry is now adopting such solutions, and for the sake of both quality and certification requirements, masked cryptographic code shall be checked for correctness using the same model as that of the theoretical protection rationale (for instance the probing leakage model).

Seminal work has been initiated by Barthe et al. at EUROCRYPT 2015 for automated verification at higher orders on concrete implementations.

In this paper, we build on this work to actually perform verification from within a compiler, so as to give timely feedback to the developer. Precisely, our methodology first provides the actual security order of the code at the intermediate representation (IR) level, thereby identifying possible flaws (owing either to source code errors or to compiler optimizations). Second, our methodology allows for an exploitability analysis of the analysed IR code. In this respect, we formally handle all the symbolic expressions in the static single assignment (SSA) representation to build the optimal distinguisher function. This makes it possible to evaluate the most powerful attack, which is a function not only of the masking order d, but also of the number of leaking samples and of the leaking expressions (e.g., linear vs non-linear leakages).

This scheme makes it possible to evaluate the correctness of a masked cryptographic code, and also its actual security in terms of the number of traces needed in a given deployment context.
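The IR-level probing check described above, as an added example that is not the paper's own tool: a toy SSA interpreter over single bits that enumerates every mask value and flags any d-tuple of intermediates whose joint distribution depends on the secrets. The programs, variable names and the two 2-share AND gadgets are constructed for illustration; the reassociated variant shows the kind of flaw a source slip or an optimizer could introduce while leaving the final result correct.

```python
from collections import Counter
from itertools import combinations, product
# Constructed toy: a 2-share (first-order) masked AND written in SSA form as
# (dest, op, src1, src2) tuples over single bits. Secrets x, y are split into
# shares x0^x1 and y0^y1; mx, my, r are masks drawn uniformly at random.
SECRETS = ("x", "y")
RANDOMS = ("mx", "my", "r")
SHARING = [("x0", "copy", "mx", None), ("x1", "xor", "x", "mx"),
           ("y0", "copy", "my", None), ("y1", "xor", "y", "my")]
PRODUCTS = [("t00", "and", "x0", "y0"), ("t01", "and", "x0", "y1"),
            ("t10", "and", "x1", "y0"), ("t11", "and", "x1", "y1")]
# ISW ordering: the fresh mask r is XORed in before the two cross terms meet.
ISW_AND = SHARING + PRODUCTS + [
    ("z0", "xor", "t00", "r"), ("u", "xor", "r", "t01"),
    ("v", "xor", "u", "t10"), ("z1", "xor", "t11", "v")]
# Same algebra, reassociated (a source slip or an optimizer could do this):
# w = x0y1 ^ x1y0 is formed before r is added in and depends on x and y.
BAD_AND = SHARING + PRODUCTS + [
    ("z0", "xor", "t00", "r"), ("w", "xor", "t01", "t10"),
    ("v", "xor", "w", "r"), ("z1", "xor", "t11", "v")]

def run(prog, env):
    """Interpret the SSA program; the returned env holds every intermediate."""
    env = dict(env)
    for dst, op, a, b in prog:
        if op == "copy": env[dst] = env[a]
        elif op == "xor": env[dst] = env[a] ^ env[b]
        elif op == "and": env[dst] = env[a] & env[b]
    return env

def all_runs(prog):
    """Yield (secret assignment, env) for every secret and every mask value."""
    for sec in product((0, 1), repeat=len(SECRETS)):
        for rnd in product((0, 1), repeat=len(RANDOMS)):
            yield sec, run(prog, dict(zip(SECRETS + RANDOMS, sec + rnd)))

def computes_and(prog):
    """Functional check: the recombined output equals x & y on all inputs."""
    return all(e["z0"] ^ e["z1"] == (s[0] & s[1]) for s, e in all_runs(prog))

def leaking_probe_sets(prog, order):
    """Sets of `order` intermediates whose joint distribution over the masks
    depends on the secrets, i.e. the d-probing flaws (exhaustive: toy sizes only)."""
    names = [dst for dst, *_ in prog]
    dists = {}  # probe set -> {secret assignment -> Counter of observed tuples}
    for sec, env in all_runs(prog):
        for probes in combinations(names, order):
            obs = tuple(env[p] for p in probes)
            dists.setdefault(probes, {}).setdefault(sec, Counter())[obs] += 1
    return [probes for probes, by_sec in dists.items()
            if len({frozenset(c.items()) for c in by_sec.values()}) > 1]
```

Both gadgets pass the functional check, yet only the ISW ordering is first-order probing secure; at order 2 the share pair (x0, x1) is reported, as expected for a 2-share scheme.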


Keywords: Cryptographic code, Compilation, Intermediate representation (IR), Static single assignment (SSA), Side-channel analysis, Masking protection, Compositional countermeasure, Formal analysis, Optimal side-channel attacks, Taylor expansion of distinguishers



This work has been partly financed via TeamPlay, a project from the European Union's Horizon 2020 research and innovation programme, under grant agreement No. 779882.

  1. Balasch, J., Gierlichs, B., Reparaz, O., Verbauwhede, I.: DPA, bitslicing and masking at 1 GHz. In: Güneysu, T., Handschuh, H. (eds.) CHES 2015. LNCS, vol. 9293, pp. 599–619. Springer, Heidelberg (2015)
  2. Barthe, G., Belaïd, S., Dupressoir, F., Fouque, P.-A., Grégoire, B., Strub, P.-Y.: Verified proofs of higher-order masking. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 457–485. Springer, Heidelberg (2015)
  3. Barthe, G., Dupressoir, F., Faust, S., Grégoire, B., Standaert, F.-X., Strub, P.-Y.: Parallel implementations of masking schemes and the bounded moment leakage model. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 535–566. Springer, Cham (2017)
  4. Battistello, A., Coron, J.-S., Prouff, E., Zeitoun, R.: Horizontal side-channel attacks and countermeasures on the ISW masking scheme. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 23–39. Springer, Heidelberg (2016)
  5. Bayrak, A.G., Regazzoni, F., Novo, D., Brisk, P., Standaert, F.-X., Ienne, P.: Automatic application of power analysis countermeasures. IEEE Trans. Comput. 64(2), 329–341 (2015)
  6. Bayrak, A.G., Regazzoni, F., Novo, D., Ienne, P.: Sleuth: automated verification of software power analysis countermeasures. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 293–310. Springer, Heidelberg (2013)
  7. Belgarric, P., et al.: Time-frequency analysis for second-order attacks. In: Francillon, A., Rohatgi, P. (eds.) CARDIS 2013. LNCS, vol. 8419, pp. 108–122. Springer, Cham (2014)
  8. El Ouahma, I.B., Meunier, Q., Heydemann, K., Encrenaz, E.: Side-channel robustness analysis of masked assembly codes using a symbolic approach. J. Cryptogr. Eng. 1–12 (2019)
  9. Bhasin, S., Danger, J.-L., Guilley, S., Najm, Z.: A low-entropy first-degree secure provable masking scheme for resource-constrained devices. In: Proceedings of the Workshop on Embedded Systems Security, WESS 2013, Montreal, Quebec, Canada, 29 September–4 October 2013, pp. 7:1–7:10. ACM (2013)
  10. Billet, O., Gilbert, H., Ech-Chatbi, C.: Cryptanalysis of a white box AES implementation. In: Selected Areas in Cryptography, pp. 227–240 (2004)
  11. Blömer, J., Guajardo, J., Krummel, V.: Provably secure masking of AES. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 69–83. Springer, Heidelberg (2004)
  12. Bogdanov, A., et al.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007)
  13. Bruneau, N., Danger, J.-L., Guilley, S., Heuser, A., Teglia, Y.: Boosting higher-order correlation attacks by dimensionality reduction. In: Chakraborty, R.S., Matyas, V., Schaumont, P. (eds.) SPACE 2014. LNCS, vol. 8804, pp. 183–200. Springer, Cham (2014)
  14. Bruneau, N., Guilley, S., Heuser, A., Rioul, O.: Masks will fall off. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 344–365. Springer, Heidelberg (2014)
  15. Bruneau, N., Guilley, S., Heuser, A., Rioul, O., Standaert, F.-X., Teglia, Y.: Taylor expansion of maximum likelihood attacks for masked and shuffled implementations. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 573–601. Springer, Heidelberg (2016)
  16. Bruneau, N., Guilley, S., Najm, Z., Teglia, Y.: Multivariate high-order attacks of shuffled tables recomputation. J. Cryptol. 31(2), 351–393 (2018)
  17. Carré, S., Facon, A., Guilley, S., Takarabt, S., Schaub, A., Souissi, Y.: Cache-timing attack detection and prevention. In: Polian, I., Stöttinger, M. (eds.) COSADE 2019. LNCS, vol. 11421, pp. 13–21. Springer, Cham (2019)
  18. Coron, J.-S., Prouff, E., Rivain, M.: Side channel cryptanalysis of a higher order masking scheme. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 28–44. Springer, Heidelberg (2007)
  19. Danger, J.-L., et al.: On the performance and security of multiplication in GF(2^N). Cryptography 2(3), 25 (2018)
  20. Eldib, H., Wang, C., Schaumont, P.: Formal verification of software countermeasures against side-channel attacks. ACM Trans. Softw. Eng. Methodol. 24(2), 11:1–11:24 (2014)
  21. ETSI/TC CYBER: Security techniques for protecting software in a white box model. ETSI TR 103 642 V1.1.1, October 2018
  22. Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003)
  23. ISO/IEC JTC 1/SC 27/WG 3: ISO/IEC CD 20085-1:2017 (E). Information technology – Security techniques – Test tool requirements and test tool calibration methods for use in testing non-invasive attack mitigation techniques in cryptographic modules – Part 1: Test tools and techniques, 25 January 2017
  24. Nassar, M., Souissi, Y., Guilley, S., Danger, J.-L.: RSM: a small and fast countermeasure for AES, secure against first- and second-order zero-offset SCAs. In: DATE, pp. 1173–1178. IEEE Computer Society, Dresden, Germany, 12–16 March 2012 (Track A: "Application Design", Topic A5: "Secure Systems")
  25. Oren, Y., Weisse, O., Wool, A.: A new framework for constraint-based probabilistic template side channel attacks. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 17–34. Springer, Heidelberg (2014)
  26. Rauzy, P., Guilley, S., Najm, Z.: Formally proved security of assembly code against power analysis: a case study on balanced logic. J. Cryptogr. Eng. 6(3), 201–216 (2016)
  27. Rivain, M., Prouff, E.: Provably secure higher-order masking of AES. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 413–427. Springer, Heidelberg (2010)
  28. Roy, D.B., Bhasin, S., Guilley, S., Danger, J.-L., Mukhopadhyay, D.: From theory to practice of private circuit: a cautionary note. In: 33rd IEEE International Conference on Computer Design, ICCD 2015, New York City, NY, USA, 18–21 October 2015, pp. 296–303. IEEE Computer Society (2015)
  29. Schramm, K., Paar, C.: Higher order masking of the AES. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 208–225. Springer, Heidelberg (2006)
  30. Tunstall, M., Whitnall, C., Oswald, E.: Masking tables: an underestimated security risk. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 425–444. Springer, Heidelberg (2014)
  31. University of Sydney (Australia): Magma Computational Algebra System. Accessed 22 Aug 2014
  32. Veyrat-Charvillon, N., Gérard, B., Standaert, F.-X.: Soft analytical side-channel attacks. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 282–296. Springer, Heidelberg (2014)

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Nicolas Bruneau (1, 2)
  • Charles Christen (3)
  • Jean-Luc Danger (1, 4)
  • Adrien Facon (1, 5)
  • Sylvain Guilley (1, 4, 5), corresponding author

  1. Secure-IC S.A.S, Cesson-Sévigné, France
  2. STMicroelectronics, Rousset, France
  3. Direction Générale de l’Armement, Bruz, France
  4. Télécom-Paris, Institut Polytechnique de Paris, Saclay, France
  5. Département d’informatique de l’ENS, CNRS, PSL University, Paris, France
