Parallel Implementations of Masking Schemes and the Bounded Moment Leakage Model
Abstract
In this paper, we provide a necessary clarification of the good security properties that can be obtained from parallel implementations of masking schemes. For this purpose, we first argue that (i) the probing model is not straightforward to interpret, since it more naturally captures the intuitions of serial implementations, and (ii) the noisy leakage model is not always convenient, e.g. when combined with formal methods for the verification of cryptographic implementations. Therefore we introduce a new model, the bounded moment model, that formalizes a weaker notion of security order frequently used in the side-channel literature. Interestingly, we prove that probing security for a serial implementation implies bounded moment security for its parallel counterpart. This result therefore enables an accurate understanding of the links between formal security analyses of masking schemes and experimental security evaluations based on the estimation of statistical moments. Besides its consolidating nature, our work also brings useful technical contributions. First, we describe and analyze refreshing and multiplication algorithms that are well suited for parallel implementations and improve security against multivariate side-channel attacks. Second, we show that simple refreshing algorithms (with linear complexity) that are not secure in the continuous probing model are secure in the continuous bounded moment model. Finally, we discuss the independent leakage assumption required for masking to deliver its security promises, and its specificities related to the serial or parallel nature of an implementation.
Keywords
Parallel Implementation · Leakage Model · Serial Implementation · Randomness Requirement · Leakage Function
1 Introduction
The masking countermeasure is currently the most investigated solution to improve security against power-analysis attacks [26]. It has been analyzed theoretically in the so-called probing and noisy leakage models [42, 53], and based on a large number of case studies, with various statistical tools (e.g. [16, 60] for non-profiled and profiled attacks, respectively). Very briefly summarized, state-of-the-art masking schemes are currently divided in two main trends: on the one hand, software-oriented masking, following the initial work of Prouff and Rivain [56]; on the other hand, hardware-oriented masking (or threshold implementations), following the initial work of Nikova, Rijmen and Schläffer [50].
At CRYPTO 2015, Reparaz et al. highlighted interesting connections between the circuit constructions in these two lines of work [55]. Despite these links, a concrete difference remains between software- and hardware-oriented masking schemes. Namely, the (analyses of the) first ones usually assume a serial manipulation of the shares, while the (implementations of the) second ones encourage their parallel manipulation.^{1} Unfortunately, the probing leakage model, which has led to an accurate understanding of the security guarantees of software-oriented masking schemes [31], is not directly interpretable in the parallel setting. Intuitively, this is because the parallel manipulation of the shares reveals information on all of them, e.g. via their sum, but observing sums of wires is not permitted in the probing model. As will be clear in the following, this does not limit the concrete relevance of the probing model. Yet, it reveals a gap between the level of theoretical understanding of serial and parallel masked implementations.
1.1 Our Contribution

First, we exhibit a natural connection between the probing model and the bounded moment model. More precisely, we prove that security in the probing model for a serial implementation implies security in the bounded moment model for the corresponding parallel implementation.

Next, we propose regular refreshing and multiplication algorithms suitable for parallel implementations. Thanks to parallelism, these algorithms can be implemented in linear time, with the same memory requirements as a serial implementation (since masking requires storing all the shares anyway). Note that the refreshing algorithm is particularly appealing in combination with key-homomorphic primitives (e.g. inner product based [36]), since it allows them to be masked with linear (time and randomness) complexity. As for the multiplication algorithm, its linear execution time also provides improved security against multivariate (aka horizontal) side-channel attacks [17].

Third, we exhibit the concrete separation between the probing model and the bounded moment model. For this purpose, we provide simple examples from the literature on leakage squeezing and low-entropy masking schemes showing that (for linear leakage functions) it is possible to have a larger security order in the bounded moment model than in the probing model [25, 41]. More importantly, we show that our simple refreshing algorithm is insecure in the probing model against adversaries taking advantage of continuous leakage, while it remains secure against such (practically relevant) adversaries in the bounded moment model. This brings a theoretical foundation to the useful observation that simple refreshing schemes that are sometimes considered in practice (e.g. adding shares that sum to zero) do not lead to devastating attacks when used to refresh an immutable secret state (e.g. a block cipher key), despite their lack of security in the continuous probing model. Note that the latter result is also of interest for serial implementations.

Finally, we illustrate our results with selected case studies, and take advantage of them to discuss the assumption of independent leakages in side-channel attacks (together with its underlying physical intuitions).
1.2 Related Work
Serial Masking and Formal Methods. The conceptual simplicity of the probing model makes it an attractive target for automated verification. Recognizing the close similarities between information-flow policies and security in the probing model, Moss, Oswald, Page and Tunstall [49] build a masking compiler that takes as input an unprotected program and outputs an equivalent program that resists first-order DPA. Their compiler performs a type-based analysis of the input program and iteratively transforms the program when encountering a typing error. Aiming for increased generality, Bayrak, Regazzoni, Novo and Ienne [18] propose an SMT-based method for analyzing statistical independence between secret inputs and intermediate computations, still in the context of first-order DPA. In a series of papers starting with [38], Eldib, Wang and Schaumont develop more powerful SMT-based methods for synthesizing masked implementations or analyzing the security of existing masked implementations. Their approach is based on a logical characterization of security at arbitrary orders in the probing model. In order to avoid the “state explosion” problem, which results from looking at higher orders and from the logical encoding of security in the probing model, they exploit elaborate methods that support incremental verification, even for relatively small orders. A follow-up by Eldib and Wang [37] extends this idea to synthesize masked implementations fully automatically. Leveraging the connection between probabilistic information-flow policies and relational program logics, Barthe, Belaïd, Dupressoir, Fouque, Grégoire and Strub [13] introduce another approach based on a domain-specific logic for proving security in the probing model. Like Eldib, Wang and Schaumont's, their method applies to higher orders. Interestingly, it achieves practicality at orders up to four for multiplications and S-boxes.
In a complementary line of work, Belaïd, Benhamouda, Passelegue, Prouff, Thillard and Vergnaud [19] develop an automated tool for finding probing attacks on implementations and use it to discover optimal (in randomness complexity) implementations of multiplication at order 2, 3, and 4 (with 2, 4, and 5 random bits). They also propose a multiplication for arbitrary orders, requiring \(\frac{d^2}{4}+d\) bits of randomness to achieve security at order d.
All these works focus on the usual definition of security in the probing model. In contrast, Barthe, Belaïd, Dupressoir, Fouque and Grégoire introduce a stronger notion of security, called strong non-interference (or SNI), which enables compositional verification of higher-order masking schemes [14], and leads to much improved capabilities to analyze large circuits (i.e. full algorithms, typically). Similar to several other security notions for the probing model, strong non-interference is qualitative, in the sense that a program is either secure or insecure. Leaving the realm of qualitative notions, Eldib, Wang, Taha, and Schaumont [39] consider a quantitative relaxation of the usual definition of (probing) security, and adapt their tools to measure the quantitative masking strength of an implementation. Their definition is specialized to first-order moments, but the connections with the bounded moment model are evident, and it would be interesting to explore generalizations of their work to our new model.
Threshold and Parallel Implementations. The initial motivation of Nikova, Rijmen and Schläffer was the observation that secure implementations of masking in hardware are challenging, due to the risk of glitches recombining the shares [45]. Their main idea to prevent this issue is to add a condition of non-completeness to the masked computations (i.e. to ensure that no combinatorial circuit ever takes all shares as input). Many different works have confirmed the practical relevance of this additional requirement, making it the de facto standard for hardware masking (see [20, 21, 22, 48, 52] for a few examples). Our following results are particularly relevant to threshold implementations since (i) in view of their hardware specialization, they encourage a parallel manipulation of the shares, (ii) most of their security evaluations so far were based on the estimation of the statistical moments that we formalize with the bounded moment model, and (iii) their higher-order implementations suggested in [55] and recently analyzed in [28] exploit the simple refreshing scheme that we study in Sect. 8.2.
Noisy Leakage Model. Note that the noisy leakage model in [53] also provides a natural way to capture parallel implementations (and in fact a more general one: see Fig. 7 in the conclusions). Yet, this model is not always convenient when exploiting the aforementioned formal methods. Indeed, these tools benefit greatly from the simplicity of the probing model in order to analyze complex implementations, and hardly allow the manipulation of noisy leakages. In this respect, the bounded moment model can be seen as a useful intermediate (i.e. bounded moment security can be efficiently verified with formal methods, although its verification naturally remains slower than probing security).
Finally, we believe it is fundamentally interesting to clarify the connections between the mainstream (probing and) noisy leakage model(s) and concrete evaluation strategies based on the estimation of statistical moments. In this respect, it is the fact that bounded moment security requires a weaker independence condition than probing security that enables us to prove the security of the simple refreshing of Sect. 8.2, which is particularly useful in practice, especially compared to previous solutions for efficient refreshing algorithms such as [9]. Here as well, directly dealing with noisy leakages would be more complex.
2 Background
In this section, we introduce our leakage setting for serial and parallel implementations. Note that for readability, we keep the description of our serial and parallel computing models informal, and defer their definition to Sect. 5.
2.1 Serial Implementations
2.2 Parallel Implementations
3 Security Models
3.1 Probing Security and Noisy Leakage
We first recall two important models for analyzing masking countermeasures.
First, the conceptually simple t-probing and \(\epsilon \)-probing (or random probing) models were introduced in [42]. In the former, the adversary obtains t intermediate values of the computation (e.g. can probe t wires if we compute in binary fields). In the latter, he rather obtains each of these intermediate values with probability \(\epsilon \), and gets \(\bot \) with probability \(1-\epsilon \) (where \(\bot \) means no knowledge). Using a Chernoff bound, it is easy to show that security in the t-probing model reduces to security in the \(\epsilon \)-probing model for certain values of \(\epsilon \).
Second, the noisy leakage model describes many realistic side-channel attacks where an adversary obtains each intermediate value perturbed with a “\(\delta \)-noisy” leakage function [53]. A leakage function \({\mathsf {L}}\) is called \(\delta \)-noisy if for a uniformly random variable Y we have \(\mathrm {SD}(Y;Y|\varvec{L}_Y) \le \delta \), with \(\mathrm {SD}\) the statistical distance. It was shown in [32] that an equivalent condition is that the leakage is not too informative, where informativeness is measured with the standard notion of mutual information \(\mathrm {MI}(Y;\varvec{L}_Y)\). In contrast with the \(\epsilon \)-probing model, the adversary obtains noisy leakage for each intermediate variable. For example, in the context of masking, he obtains \({\mathsf {L}}(Y_i,\varvec{R}_i)\) for all the shares \(Y_i\), which reflects actual implementations, where the adversary can potentially observe the leakage of all these shares since they are all present in the leakage traces (as in Fig. 1).
Recently, Duc et al. showed that security against probing attacks implies security against noisy leakages [31]. This result leads to the natural strategy of proving security in the (simpler) probing model while stating security levels based on the concrete information leakage evaluations (as discussed in [32]).
3.2 The Bounded Moment Model
Motivation. In practice, the probing model is perfectly suited to proving the security of the serial implementations from Sect. 2.1. This is because it ensures that an adversary needs to observe d shares with his probes to recover secret information. Since in a serial implementation, every share is manipulated in a different clock cycle, it leads to a simple analogy between the number of probes and the number of cycles exploited in the leakage traces. By contrast, this simple analogy no longer holds for parallel implementations, where all the shares manipulated during a given cycle can leak concurrently. Typically, assuming that an adversary can only observe a single share with each probe is counterintuitive in this case. For example, it would be natural to allow that he can observe the output of Eq. (2) with one probe, which corresponds to a single cycle in Fig. 1(b) and already contains information about all the shares (if \(n_c=d\)).
As mentioned in the introduction, the noisy leakage model provides a natural solution to deal with the leakages of parallel implementations. Indeed, nothing prevents the output of Eq. (2) from leaking only a limited amount of information if a large enough noise is considered. Yet, directly dealing with noisy leakages is sometimes inconvenient for the analysis of masked implementations, e.g. when it comes to verification with the formal methods listed in Sect. 1.2. In view of their increasing popularity in embedded security evaluation, this creates a strong incentive to come up with an alternative model allowing both the construction of proofs for parallel implementations and their efficient evaluation with formal methods. Interestingly, we will show in Sect. 5 that security in this alternative model is implied by probing security. This confirms the relevance of the aforementioned strategy of first proving security in the probing model, and then stating security levels based on concrete information leakage evaluations.
In order to define our security model, we therefore need the following definition.
Definition 1
This directly leads to our definition of security in the bounded moment model.
Definition 2
(Security in the bounded moment model). Let \(\{\varvec{L}_c\}_{c=1}^N\) be the leakage vectors corresponding to an N-cycle cryptographic implementation manipulating a secret variable Y. This implementation is secure at order o if all the mixed moments of order up to o of \(\{\varvec{L}_c\}_{c=1}^N\) are independent of Y.^{2}
Say for example that we have a sensitive value Y that is split in \(d=3\) shares, for which we leak the same noisy Hamming weights as in Fig. 2. In the case of a (fully) parallel implementation, we have only one leakage sample \(L_1\) and security at order 2 requires that \({\mathsf {E}}(L_1)\) and \({\mathsf {E}}(L_1^2)\) are independent of Y. In the case of a serial implementation, we have three samples \(L_1,L_2,L_3\) and must show that \({\mathsf {E}}(L_1)\), \({\mathsf {E}}(L_2)\), \({\mathsf {E}}(L_3)\), \({\mathsf {E}}(L_1^2)\), \({\mathsf {E}}(L_2^2)\), \({\mathsf {E}}(L_3^2)\), \({\mathsf {E}}(L_1\times L_2)\), \({\mathsf {E}}(L_1\times L_3)\) and \({\mathsf {E}}(L_2\times L_3)\) are independent of Y. Note that the only difference between this example and concrete implementations is that in the latter case, each cycle would correspond to a leakage vector \(\varvec{L}_c\) rather than a single (univariate) sample \(L_c\).
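As a sanity check, the moment conditions of this example can be estimated empirically. The sketch below is our own illustration (the noise level, sample count, and thresholds are arbitrary choices): it simulates the serial 3-share case with noisy Hamming-weight leakages and estimates mixed moments for \(Y=0\) and \(Y=1\). All moments of order up to 2 are independent of Y, while the order-3 mixed moment \({\mathsf {E}}(L_1\times L_2\times L_3)\) is not.

```python
import math
import random

def leak(share, sigma=0.3):
    # noisy Hamming-weight leakage of a 1-bit share
    return share + random.gauss(0.0, sigma)

def sample_serial_leakages(y, n):
    """n leakage triples (L1, L2, L3) for a 3-share Boolean masking of bit y."""
    samples = []
    for _ in range(n):
        y1, y2 = random.randrange(2), random.randrange(2)
        y3 = y ^ y1 ^ y2  # the shares XOR to y
        samples.append((leak(y1), leak(y2), leak(y3)))
    return samples

def mixed_moment(samples, idx):
    """Empirical mixed moment E[prod of L_i for i in idx] (idx may repeat indices)."""
    return sum(math.prod(s[i] for i in idx) for s in samples) / len(samples)

random.seed(0)
s0 = sample_serial_leakages(0, 200_000)
s1 = sample_serial_leakages(1, 200_000)
# orders 1 and 2: independent of Y (differences vanish up to sampling noise)
print(abs(mixed_moment(s0, (0,)) - mixed_moment(s1, (0,))))            # ~0
print(abs(mixed_moment(s0, (0, 1)) - mixed_moment(s1, (0, 1))))        # ~0
# order 3: E[L1*L2*L3] is 0 for y=0 but 1/4 for y=1
print(abs(mixed_moment(s0, (0, 1, 2)) - mixed_moment(s1, (0, 1, 2))))  # ~0.25
```

This matches the claimed second-order security of a 3-share masking: the lowest key-dependent moment has order 3.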
Note also that this definition allows us to clarify a long-standing discussion within the cryptographic hardware community about the right definition of security order. That is, the first definitions for secure masking (namely “perfect masking at order o” in [24] and “masking at order o” in [30]) were specialized to serial implementations, and required that any tuple of o intermediate variables in an implementation is independent of any sensitive variable. For clarity, we will now call this (strong) independence condition “security at order o in the probing model”. However, due to its specialization to serial implementations, this definition leaves a confusion about whether its generalization to parallel implementations should relate to the smallest dimensionality of a key-dependent leakage distribution (i.e. m in our definition) or the smallest order of a key-dependent moment in these distributions (i.e. o in our definition). Concretely, \(m\ge o\) in the case of a serial implementation, but only the second option generalizes to parallel implementations, since for such implementations the dimensionality can be as low as 1 independently of the number of shares. Hence, we adopt this option in the rest of the paper and will call this (weaker) independence condition “security at order o in the bounded moment model”.
4 Additional Features and Discussions
4.1 Experimental Model Validation
Quite naturally, the introduction of a new leakage model should come with empirical validation that it reasonably matches the peculiarities of actual implementations and their evaluation. Conveniently, in the case of the bounded moment model, we do nothing else than formalizing evaluation approaches that are already deployed in the literature. This is witnessed by attacks based on the estimation of statistical moments, e.g. exploiting the popular difference-of-means and correlation distinguishers [33, 47, 57]. Such tools have been applied to various protected implementations, including threshold ones [21, 22, 48, 52] and other masking schemes or designs running in recent high-frequency devices [11, 12, 44]. In all these cases, security at order o was claimed if the lowest key-dependent statistical moment of the leakage distribution was found to be of order \(o+1\).
4.2 Dimensionality Reduction
One important property of Definition 2 is that it captures security based on the statistical order of the key-dependent moments of a leakage distribution. This means that the dimensionality of the leakage vectors does not affect the security order in the bounded moment model. Therefore, it also implies that such a security definition is not affected by linear dimensionality reductions. This simple observation is formalized by the following definition and lemma.
Definition 3
(Linear dimensionality reduction). Let \(\varvec{L}=[L_1,L_2,\ldots ,L_{M}]\) denote an M-sample leakage vector and \(\{\varvec{\alpha }_i\}_{i=1}^{m}\) denote M-element vectors in \({\mathbb {R}}\). We say that \(\varvec{L'}=[L'_1,L'_2,\ldots ,L'_{m}]\) is a linearly reduced leakage vector if each of its (projected) samples \(L'_i\) corresponds to a scalar product \(\left\langle \varvec{L};\varvec{\alpha }_i \right\rangle \).
Lemma 1
Let \(\{\varvec{L}_c\}_{c=1}^N\) be the leakage vectors corresponding to an N-cycle cryptographic implementation manipulating a secret variable Y. If this implementation is secure at order o in the bounded moment model, then any implementation with linearly reduced leakages of \(\{\varvec{L}_c\}_{c=1}^N\) is secure at order o.
Proof
Since the samples of \(\varvec{L}'\) are linear combinations of the samples of \(\varvec{L}\), we need the expectation of any polynomial of degree up to o of the samples of \(\varvec{L}'\) to be independent of Y. This directly derives from Definition 2 which guarantees that the expectation of any monomial of degree up to o is independent of Y. \(\square \)
Typical examples of linear dimensionality reductions are PCA [10] and LDA [58]. Note that while linearly combining leakage samples does not affect bounded moment security, it can be used to reduce the noise of the samples involved in a higher-order moment computation, and can therefore impact security in the noisy leakage model. This is in fact exactly the goal of the bounded moment model. Namely, it aims at simplifying security evaluations by splitting the tasks of evaluating the leakages' deterministic part (captured by their moments) and their probabilistic part (aka noise). Concrete security against side-channel attacks is ensured by two ingredients: a high security order and sufficient noise.
4.3 Abstract Implementation Settings
5 Serial Security Implies Parallel Security
We now provide our first result in the bounded moment model. Namely, we establish an intuitive reduction between security of parallel implementations in the bounded moment model and security of serial implementations in the probing model. For this purpose, we also formalize our serial and parallel computation models. One useful and practical consequence of the reduction is that one can adapt existing tools for proving security in the bounded moment model, either by implementing a program transformation that turns parallel implementations into serial ones, or by adapting these tools to parallel implementations.

If the i-th instruction is a parallel assignment \(\langle a_1,\ldots ,a_n \rangle := \langle e_1, \ldots , e_n\rangle \), by evaluating the expressions \(e_1\ldots e_n\) in state \(s_i\), leading to values \(v_1\ldots v_n\), and updating the state \(s_i\) by assigning the values \(v_1\ldots v_n\) to the variables \(a_1\ldots a_n\);

if the i-th instruction is a parallel sampling \(\langle a_1,\ldots ,a_n \rangle \leftarrow \langle \mu _1, \ldots , \mu _n\rangle \), by sampling values \(v_1\ldots v_n\) from the distributions \(\mu _1\ldots \mu _n\), and updating the state \(s_i\) by assigning the values \(v_1\ldots v_n\) to the variables \(a_1\ldots a_n\).
By assigning to each execution a probability (formally, this is the product of the probabilities of each random sampling), one obtains for every program c of length \(\ell \) a sequence of distributions over states \(\sigma _0\sigma _1\ldots \sigma _\ell \), where \(\sigma _0\) is the distribution \({\mathbb {1}}_{s_0}\). The leakage of a program is then a sequence \(L_1~\ldots ~L_\ell \), defined by computing for each i the sum of the values held by the variables assigned by the i-th instruction, that is \(a_1+\ldots + a_n\) for parallel assignments (or samplings). The mixed moments at order o then simply follow Definition 1. As for the serial programming language, instructions are either assignments \(a:=e\) or samplings \(a\leftarrow \mu \). The semantics of a program is defined similarly to the parallel case. Order o security of a serial program in the probing model amounts to showing that each o-tuple of intermediate values is independent of the secret.
Without loss of generality, we can assume that parallel programs are written in static single assignment form, meaning that variables: (i) appear on the left-hand side of an assignment or a sampling only once in the text of a program; (ii) are defined before use (i.e. they occur on the left of an assignment or a sampling before they are used on the right of an assignment); (iii) do not occur simultaneously on the left- and right-hand sides of an assignment. Under this assumption, any serialization that transforms parallel assignments or parallel samplings into sequences of assignments or samplings preserves the semantics of programs. For instance, the left-to-right serialization transforms the parallel instructions \(\langle a_1,\ldots ,a_n \rangle := \langle e_1, \ldots , e_n\rangle \) and \(\langle a_1,\ldots ,a_n \rangle \leftarrow \langle \mu _1, \ldots , \mu _n\rangle \) into \(a_1:= e_1; \ldots ; a_n:= e_n\) and \(a_1\leftarrow \mu _1; \ldots ; a_n \leftarrow \mu _n\), respectively.
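The left-to-right serialization can be sketched in a few lines; the tuple-based instruction representation below is our own choice, made only for illustration:

```python
def serialize(parallel_program):
    """Left-to-right serialization of an SSA-form parallel program.

    Instructions are tuples (kind, targets, sources) where kind is
    'assign' or 'sample'; each parallel instruction is split into a
    sequence of scalar ones, preserving left-to-right order.
    """
    serial = []
    for kind, targets, sources in parallel_program:
        for target, source in zip(targets, sources):
            serial.append((kind, target, source))
    return serial

# <a1, a2> <- <U, U>;  <b1, b2> := <x ^ a1, y ^ a2>
parallel = [
    ("sample", ["a1", "a2"], ["U", "U"]),
    ("assign", ["b1", "b2"], ["x ^ a1", "y ^ a2"]),
]
print(serialize(parallel))
```

Because the program is in SSA form, no serialized instruction can overwrite a value still needed by a later one, which is why this transformation preserves the semantics.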
Reduction Theorem. We can now state the reduction formally:
Theorem 1
A parallel implementation is secure at order o in the bounded moment model if its serialization is secure at order o in the probing model.
Proof
Note that concretely, this theorem suggests the possibility of efficient “combined security evaluations”, starting with the use of the formal verification tools to test probing security, and following with additional tests in the (weaker) bounded moment model in case of negative results (see the examples in Sect. 8).
Interestingly, it also backs up a result already used in [21] (Theorem 1), where the parallel nature of the implementations was not specifically discussed but typically corresponds to the experimental case study in this paper.
6 Parallel Algorithms
In this section, we describe regular and parallelizable algorithms for secure (additively) masked computations. For this purpose, we denote a vector of d shares as \(\varvec{a}=[a_1,a_2,\ldots ,a_d]\), the rotation of this vector by q positions as \(\mathsf {rot}(\varvec{a},q)\), and the bitwise addition (XOR) and multiplication (AND) operations between two vectors as \(\varvec{a}\oplus \varvec{b}\) and \(\varvec{a}\cdot \varvec{b}\). For concreteness, our analyses focus on computations in \({{\mathsf {G}}}{{\mathsf {F}}}(2)\), but their generalization to larger fields is straightforward.
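In code, these share-vector operations are straightforward. The sketch below fixes one possible convention for \(\mathsf {rot}\) (rotation towards lower indices), which is an arbitrary choice of ours:

```python
def rot(a, q):
    """Rotate the share vector a by q positions."""
    q %= len(a)
    return a[q:] + a[:q]

def xor_vec(a, b):
    """Share-wise XOR (bitwise addition in GF(2))."""
    return [x ^ y for x, y in zip(a, b)]

def and_vec(a, b):
    """Share-wise AND (bitwise multiplication in GF(2))."""
    return [x & y for x, y in zip(a, b)]

a = [1, 0, 1, 1]
print(rot(a, 1))             # [0, 1, 1, 1]
print(xor_vec(a, rot(a, 1)))
```

These three primitives are all that the parallel algorithms of this section manipulate, besides fresh random vectors.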
6.1 Parallel Refreshing
6.2 Parallel Multiplication
Next, we consider the more challenging case of parallel multiplication, with the similar goal of producing a simple and systematic way to manipulate the shares and fresh randomness used in the masked computations. For this purpose, our starting observation is that existing secure (serial) multiplications such as [42] (which we will mimic) essentially work in two steps: first a product phase that computes a \(d^2\)-element matrix containing the pairwise products of all the shares, then a compression phase that reduces this \(d^2\)-element matrix to a d-element one (using fresh randomness). As a result, and given the share vectors \(\varvec{a}\) and \(\varvec{b}\) of two sensitive values a and b, it is at least possible to perform each pair of cross products \(a_i\cdot b_j\) and \(a_j\cdot b_i\) with XOR and rotation operations, and without refreshing. By contrast, the direct products \(a_i\cdot b_i\) have to be separated by fresh randomness (since otherwise the compression phase could lead to the manipulation of sensitive values, e.g. \((a_i\cdot b_i) \oplus (a_i\cdot b_j) = a_i \cdot (b_i\oplus b_j)\)). A similar reasoning holds for the uniform randomness used between the XORs of the compression phase. Namely, every fresh vector can be used twice (in its original form and rotated by one) without leaking additional information.
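The product phase can be sketched with rotations. The code below is only a structural illustration of this phase (not the paper's Algorithm 3, which is not reproduced in this excerpt), and it omits the compression phase together with its fresh randomness:

```python
def rot(a, q):
    """Rotate the share vector a by q positions."""
    q %= len(a)
    return a[q:] + a[:q]

def and_vec(a, b):
    """Share-wise AND (bitwise multiplication in GF(2))."""
    return [x & y for x, y in zip(a, b)]

def product_phase(a, b):
    """d partial vectors: the j-th one holds the products a_i * b_{(i+j) mod d},
    so together they cover all d^2 pairwise products a_i * b_j."""
    d = len(a)
    return [and_vec(a, rot(b, j)) for j in range(d)]

a, b = [1, 0, 1], [0, 1, 1]
partials = product_phase(a, b)
# XORing all partial products gives the product of the unmasked values,
# since XOR_{i,j} a_i*b_j = (XOR_i a_i) * (XOR_j b_j) over GF(2):
xor_all = 0
for p in partials:
    for bit in p:
        xor_all ^= bit
print(xor_all)  # (1^0^1) * (0^1^1) = 0 * 0 = 0
```

Note that the j-th partial vector is obtained from \(\varvec{a}\) and a single rotation of \(\varvec{b}\), so each cycle manipulates every input share exactly once, in line with the regularity goal stated above.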
Impact for Multivariate (Aka Horizontal) Attacks. In simplified terms, the security proofs for masked implementations in [31, 32] state that the data complexity of a side-channel attack can be bounded by \(\frac{1}{\mathrm {MI}(Y_i,\varvec{L}_{Y_i})^{d}}\), with d the number of shares and \(\mathrm {MI}(Y_i,\varvec{L}_{Y_i})\) the information leakage of each share \(Y_i\) (assumed identical for all i for simplicity – we take the worst case otherwise), provided that \(\mathrm {MI}(Y_i,\varvec{L}_{Y_i})\le \frac{1}{d}\) (where the d factor is due to the computation of the partial products in the multiplication algorithm of [42]). In a recent work, Batistello et al. [17] showed that the manipulation of the shares in masked implementations can be exploited concretely thanks to efficient multivariate/horizontal attacks (either via combination of share tuples corresponding to the same sensitive variable, or via averaging of shares appearing multiple times). Interestingly, while multivariate/horizontal attacks are also possible in our parallel case, the number of leakage samples that parallel implementations provide to the side-channel adversary is reduced (roughly by a factor d), which also mitigates the impact of such attacks.
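For intuition, the bound can be evaluated numerically. The helper below is our own transcription of the formula from the text (the example leakage values are arbitrary):

```python
def data_complexity_bound(mi, d):
    """Bound on the attack data complexity: 1 / MI(Y_i; L_{Y_i})^d,
    valid under the condition MI(Y_i; L_{Y_i}) <= 1/d stated in the text."""
    if mi > 1.0 / d:
        raise ValueError("the bound requires MI <= 1/d")
    return 1.0 / mi ** d

# e.g. with 0.01 bit of leakage per share, going from d = 2 to d = 4
# shares squares the data complexity bound:
print(data_complexity_bound(0.01, 2))
print(data_complexity_bound(0.01, 4))
```

This exponential amplification in d is what makes masking effective once the per-share leakage is small enough, and it is exactly what horizontal attacks try to erode by exploiting many samples per share.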
7 Case Studies
By Theorem 1, security in the bounded moment model of a parallel implementation can be established from security of its serialization in the probing model. Therefore, it is possible to use existing formal methods to test the security of parallel implementations, by first preprocessing them into serial ones, and feeding the resulting serial programs into a verification tool. In this section, we report on the successful automated analysis of several parallel implementations, including the parallel refreshing and multiplication presented in the previous section, and serial compositions of parallel S-boxes. Note that, due to the algorithmic complexity of the verification task, we only establish security at small orders. However, we also note that, although our main design constraint was for our algorithms to be easily implementable in parallel, the use of automated tools – as opposed to manual analyses – to verify their security has yielded algorithms that match or improve on the state-of-the-art in their randomness requirements at these orders. All experiments reported in this section are based on the current version of the tool of [13]. This version supports automated verification of two properties: the usual notion of probing security, and a strictly stronger notion, recently introduced in [14] under the name strong non-interference (SNI), which is better suited to the compositional verification of large circuits.
7.1 Parallel Refreshing
We first consider the parallel refreshing algorithm from the previous section.
Theorem 2
(Security of Algorithm 1). The refreshing in Algorithm 1 is secure at order \(d-1\) in the bounded moment model for all \(d \le 7\).
Probing and bounded moment security of Algorithm 1.
d  \((d-1)\)-b.m.  Time (s)

3  ✓  1 
4  ✓  1 
5  ✓  2 
6  ✓  20 
7  ✓  420 
SNI secure variants of Algorithm 1.
Alg.  d  \((d-1)\)-SNI  # rand. bits (our alg. / [42])  Time (s)
\(R_d\)  3  ✓  3  3  1 
\(R_d\)  4  ✓  4  6  1 
\(R_d\)  5  ✗  5  10  1 
\(R_d^2\)  5  ✓  10  10  1 
\(R_d^2\)  6  ✓  12  15  1 
\(R_d^2\)  7  ✓  14  21  1 
\(R_d^2\)  8  ✗  16  28  1 
\(R_d^3\)  8  ✓  24  28  4 
\(R_d^3\)  9  ✓  27  36  36 
\(R_d^3\)  10  ✓  30  45  288 
\(R_d^4\)  11  ✓  40  55  3045 
These experiments show that, for small masking orders, there exist regular mask refreshing gadgets that are easily parallelizable, suitable for the construction of secure circuits by composition, and that have small randomness requirements. This fact is particularly useful when viewed through the lens of Theorem 1. Indeed, SNI gadgets are instrumental in easily proving probing security for large circuits [14], which Theorem 1 then lifts to the bounded moment model and parallel implementations. We conjecture that iterating the simple mask refreshing gadget from Algorithm 1 \(\lceil {(d-1)/3}\rceil \) times always yields a \((d-1)\)-SNI mask refreshing algorithm over d shares. The resulting algorithm is easily parallelizable and requires \(\lceil {(d-1)/3}\rceil \cdot d\) bits of randomness (marginally improving on the \(d \cdot (d-1) / 2\) bits of randomness of the ISW-based mask refreshing). We leave a proof of strong non-interference for all d as future work.
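Under the conjecture above, the two randomness counts compare as follows; the code is a direct transcription of the formulas given in the text:

```python
from math import ceil

def iterated_refresh_bits(d):
    """Randomness of iterating Algorithm 1 ceil((d-1)/3) times:
    ceil((d-1)/3) * d bits, per the conjectured formula in the text."""
    return ceil((d - 1) / 3) * d

def isw_refresh_bits(d):
    """Randomness of the ISW-based refreshing: d*(d-1)/2 bits."""
    return d * (d - 1) // 2

for d in (8, 9, 10):
    print(d, iterated_refresh_bits(d), isw_refresh_bits(d))
```

For \(d=8,9,10\) this reproduces the 24/28, 27/36 and 30/45 randomness columns of the table above, and the gap grows with d (roughly \(d^2/3\) versus \(d^2/2\)).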
7.2 Parallel Multiplication
We now consider the parallel multiplication algorithm from the previous section (specified in Algorithm 3 in [15]), and prove its security for small orders.
Theorem 3
(Security of Algorithm 3 in [15]). The multiplication in Algorithm 3 in [15] is secure at order \(d-1\) in the bounded moment model for all \(d \le 7\).
We also show a comparison of the randomness requirements of our algorithm and those of Belaïd et al. [19]. Note that we sometimes need one additional random bit compared to the algorithm of Belaïd et al. [19]. This is due to our parallelization constraint: instead of sampling uniform sharings of 0, we only allow ourselves to sample uniformly random vectors and to rotate them.
SNI security for variants of Algorithm 3 in [15].

Algorithm                d              \((d-1)\)-SNI    # rand. bits (ours / [42])       Time (s)
\(\odot _d\)             3              ✓                3 / 3                            1
\(\odot _d\)             \(d \ge 4\)    ✗                \(d(d-1)/4\) / \(d(d-1)/2\)      –
\(R_d \circ \odot _d\)   4              ✓                8 / 6                            1
\(R_d \circ \odot _d\)   5              ✓                10 / 10                          1
\(R_d \circ \odot _d\)   6              ✓                18 / 15                          39
\(R_d \circ \odot _d\)   7              ✓                21 / 21                          2647
\(R_d \circ \odot _d\)   8              ✓                24 / 28                          166535
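Algorithm 3 itself is specified in [15]; as a reference point for the randomness figures above, here is the textbook ISW multiplication [42] that serves as the comparison baseline (our Python sketch). The parallel algorithm replaces the \(d(d-1)/2\) independent correction bits by rotated uniform vectors, which we do not attempt to reproduce here:

```python
import secrets

def encode(bit, d):
    """d-sharing of a bit (XOR masking)."""
    s = [secrets.randbelow(2) for _ in range(d - 1)]
    acc = bit
    for x in s:
        acc ^= x
    return s + [acc]

def decode(shares):
    acc = 0
    for x in shares:
        acc ^= x
    return acc

def isw_mult(a, b):
    """Textbook ISW multiplication on XOR shares, using d(d-1)/2 fresh
    random bits r[i][j] (i < j). Both this serial version and the parallel
    Algorithm 3 of [15] preserve the same invariant: the output shares
    XOR to the product of the encoded bits."""
    d = len(a)
    r = [[0] * d for _ in range(d)]
    for i in range(d):
        for j in range(i + 1, d):
            r[i][j] = secrets.randbelow(2)
            r[j][i] = r[i][j] ^ (a[i] & b[j]) ^ (a[j] & b[i])
    c = []
    for i in range(d):
        ci = a[i] & b[i]
        for j in range(d):
            if j != i:
                ci ^= r[i][j]
        c.append(ci)
    return c
```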
7.3 S-Boxes and Feistel Networks
In order to better investigate how reducing the randomness requirements of the multiplication and refreshing algorithms affects the security of larger circuits, we now consider small S-boxes, shown in Fig. 5, and their iterations.
Probing and bounded moment security of small S-boxes.
We note that, although there is no evidence that iterating \(\textsf {sbox}_4\) further yields insecure circuits, obtaining convincing security results for more than 3 iterations using automated tools seems infeasible without relying on compositional principles. In particular, inserting a single mask refreshing operation per Feistel round greatly speeds up the verification of large iterations of the 4-bit S-box from Fig. 5(b). This highlights possible interactions between tools oriented towards the verification of small optimized circuits for particular values of d [13, 18, 38] and tools geared towards the more efficient but less precise verification of large circuits [14]. The ability to make our algorithms SNI allows us to directly take advantage of this “randomness complexity vs. verification time” trade-off.
8 Separation Results
The previous sections illustrated that the reduction from security in the bounded moment model for parallel implementations to security in the probing model for their corresponding serialized implementations gives solutions to a number of technical challenges in the design of secure masking schemes. We now question whether the weaker condition required for security in the bounded moment model allows some implementations to be secure in this model and not in the probing model. We answer this question positively, starting with somewhat specialized but illustrative examples, and then putting forward a practically relevant separation between these models in the context of continuous leakages.
8.1 Specialized Encodings and Masking Schemes
Starting Example. Let us imagine a 2-cycle parallel implementation manipulating two shares in each cycle. In the first cycle, the same random bit r is loaded twice, giving rise to a state (r, r). In the second cycle, a shared sensitive value a is loaded twice, giving rise to a state \((a\oplus r,{\overline{a}}\oplus r)\). Clearly, in the probing model two probes (on r and \(a\oplus r\)) are sufficient to learn a. But for an adversary observing the abstract leakages of this parallel implementation (i.e. the arithmetic sum for each cycle), and for a particular type of leakage function such that \(\alpha _i^j=1\) and \({\mathsf {G}}_i^j={{\mathsf {I}}}{{\mathsf {d}}}\) in Eq. (2), the first cycle will only reveal \(r+r\) while the second cycle will reveal a constant 1. So no combination of these leakages can be used to recover a. An even simpler example would be the parallel manipulation of a and \({\overline{a}}\), which trivially does not leak any information if their values are just summed. Such implementations are known under the name “dual-rail precharged” implementations in the literature [61]. Their main problem is that they require much stronger physical assumptions than masked implementations. That is, the leakages of the shares a and \({\overline{a}}\) must not only be independent but identical, which turns out to be much harder to achieve in practice [27].
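The starting example can be checked mechanically. The sketch below is our model of the abstract parallel leakage (arithmetic sum of the bits manipulated in each cycle, assuming unit \(\alpha \) coefficients and identity \({\mathsf {G}}\) functions as in the text); the second cycle's sum is constant whatever a:

```python
import secrets

def cycle_sums(a):
    """Per-cycle arithmetic sums for the two-cycle example: cycle 1
    manipulates (r, r), cycle 2 manipulates (a xor r, not(a) xor r)."""
    r = secrets.randbelow(2)
    cycle1 = r + r                      # sum is 0 or 2, independent of a
    cycle2 = (a ^ r) + ((1 - a) ^ r)    # always 1: the complements cancel
    return cycle1, cycle2
```

In the probing model, by contrast, the two individual values r and a xor r would be directly available, so two probes recover a.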
Leakage Squeezing and Low Entropy Masking Schemes. Interestingly, the literature provides additional examples of countermeasures where the security order is larger in the bounded moment model than in the probing model. In particular, leakage squeezing and low entropy masking schemes exploit special types of encodings such that the lowest key-dependent statistical moment of their leakage distributions is larger than the number of shares, if the leakage function’s deterministic part is linear [25, 41], i.e. if \({\mathsf {G}}_i^j={{\mathsf {I}}}{{\mathsf {d}}}\) in Eq. (2). Note that this requirement should not be confused with the global linearity requirement of Eq. (2). That is, what masking generally requires to be secure is that the different shares are combined linearly (i.e. that Eq. (2) is a first-degree polynomial of the \({\mathsf {G}}_i^j({\mathcal {Y}}_i(j))\)’s). Leakage squeezing and low entropy masking schemes additionally require that the (local) \({\mathsf {G}}_i^j\) functions are linear.
The previous examples show that, in theory, there exist leakage functions such that the security order in the bounded moment model is higher than the security order in the probing model, which is sufficient to prove separation. Yet, as previously mentioned, in practice the identical (resp. linear) leakage assumption required for dual-rail precharged implementations (resp. leakage squeezing and low entropy masking schemes) is extremely hard to fulfill (resp. has not been thoroughly studied yet). So this is not a general separation holding for any implementation. We next present such a more general separation.
8.2 The Continuous Leakage Separation
A Continuous Probing Attack Against the Refreshing of Algorithm 1. Up to this point of the paper, our analyses have considered “one-shot” attacks and security. Yet, in practice, the most realistic leakage models consider adversaries who can continuously observe several executions of the target algorithms. Indeed, this typically corresponds to the standard DPA setting, where sensitive information is extracted by combining observations from many successive runs [43]. Such a setting is reflected in the continuous t-probing model of Ishai, Sahai and Wagner [42], where the adversary can learn t intermediate values produced during each execution of the algorithm. It implies that over time the adversary may learn much more information than just t values – and in particular more than d, the number of shares. Concretely, in a continuous attack that runs for q executions, the adversary can learn up to tq intermediate values, evenly distributed between the executions of the algorithm.
Lemma 2
Let a be a uniformly chosen secret bit, \(d \in {\mathbb {N}}\) a number of shares and consider Algorithm 2. In each iteration of the for loop there exists a set of 3 probes such that after d iterations the secret a can be learned.
Proof
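The attack can also be simulated directly. The sketch below is our reconstruction of the telescoping argument behind Lemma 2: one refreshing pass changes the XOR of the first t shares by exactly \(R_t \oplus R_d\), so probing the share \(A_t\) plus these two randomness bits in round t lets the adversary accumulate the XOR of all d shares after d rounds:

```python
import secrets

def refresh_with_probes(shares):
    """One pass of the simple rotation-based refreshing; also returns the
    randomness vector so that probes on it can be simulated."""
    d = len(shares)
    r = [secrets.randbelow(2) for _ in range(d)]
    return [shares[i] ^ r[i] ^ r[i - 1] for i in range(d)], r

def continuous_probing_attack(d):
    """Runs d refreshing rounds on a d-sharing of a random secret bit a.
    Round t uses exactly 3 probes: the share A_t before the refreshing,
    and the randomness bits R_t and R_d consumed by it. Since the pass
    shifts the XOR of the first t shares by R_t xor R_d (telescoping sum
    of r[i] xor r[i-1]), the attacker carries this partial XOR across
    rounds and ends with the full secret."""
    a = secrets.randbelow(2)
    shares = [secrets.randbelow(2) for _ in range(d - 1)]
    acc = a
    for s in shares:
        acc ^= s
    shares.append(acc)                 # valid d-sharing of a

    known = 0                          # XOR of shares[0..t] at current time
    for t in range(d):
        known ^= shares[t]             # probe 1: share t, before refreshing
        shares, r = refresh_with_probes(shares)
        known ^= r[t] ^ r[d - 1]       # probes 2 and 3: R_t and R_d
    return a, known                    # known equals a after d rounds
```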
Theorem 4
The implementation of a stateless primitive where the secret key is refreshed using Algorithm 1 is secure at order o in the continuous bounded moment model if it is secure at order o in the oneshot probing model.
Proof
(sketch). We consider an algorithm for which a single execution takes N cycles and which is repeated q times. We can view the q-times execution of the algorithm as a computation running for qN cycles. Since we are only interested in protecting stateless primitives, individual executions are only connected via their refreshed key. Hence, the q-times execution of the N-cycle implementation can be viewed as a circuit consisting of q refreshings of the secret key using Algorithm 1, where each refreshed key is used as input for the stateless masked implementation. If we show that this “inflated” circuit is secure against an adversary placing up to o probes in these qN cycles (in total, and not per execution as in the continuous probing model), the result follows by Theorem 1.
For this purpose, we first observe that o probes placed only in the part belonging to the q-times refreshing do not allow the adversary to learn the masked secret key. This follows from the fact that probing o values in a one-shot execution of the refreshing (Algorithm 1) does not allow the adversary to learn this masked secret key. More precisely, any such probes in the refreshing can be directly translated into probes on the initial encoding (giving the appropriate randomness of the refreshing to the adversary for free). This means that any probe in the refreshing part allows learning at most a single share of the masked secret key going into the stateless masked implementation. Moreover, we know by assumption that a single-shot execution of the implementation is o-probing secure. This implies that even after o probes inside the masked implementation there still must exist one share of the masked state of which these probes are independent. More generally, placing \(o-i\) probes in the masked implementation must imply that these probes are independent of at least \(i+1\) shares of the masked state, since otherwise the remaining i probes can be placed at the unknown input shares to get a correlation with the masked secret key. As a result, we can also reveal all of the shares of the input encoding except for these \(i+1\) independent shares. Therefore, by simply adding up the probes, we get that even placing o probes inside the inflated circuit maintains security. \(\square \)
Note that the above argument with the inflated circuit and the special use of the refreshing fails to work when we consider stateful primitives. In such a setting, the refreshing may interact with other parts of the circuit. Hence, we would need a stronger (composable) refreshing to achieve security in this case, in order to deal with the fact that Algorithm 1 could then appear at arbitrary positions in the computation. As already mentioned, the security condition of the bounded moment model is significantly weaker than in the probing model, which is what allows us to reach this positive result. Intuitively, security in the probing model requires that, given a certain number of probes, no information is leaked. By contrast, security in the bounded moment model only requires that this information is hard to exploit, which is captured by the fact that the lowest informative statistical moment in the leakage distribution observed by the adversary is bounded. This model nicely captures the reality of concrete side-channel attacks, where all the points of a leakage trace (as in Fig. 1) are available to the adversary, and we want to ensure that he will at least have to estimate a higher-order moment of this leakage distribution in order to extract sensitive information (a task that is exponentially hard in o if the distribution is sufficiently noisy). We believe this last result is particularly relevant for cryptographic engineers, since it clarifies a long-standing gap between the theory and practice of masking schemes regarding the need for complex refreshing schemes. Namely, we are able to show that simple refreshing schemes such as in Sect. 6.1 indeed bring sufficient security against concrete higher-order side-channel attacks.
Note also that it is an interesting open problem to investigate the security of our simple refreshing scheme in the continuous noisy leakage model. Intuitively, extending the attack of Lemma 2 to this setting seems difficult. Take the second step for example: we have learned \(A_1^1\) and want to learn \(A_1^2\) with three noisy probes. If the noise is such that we do not learn \(A_1^2\) exactly, then observing again three probes with an independent noise will not help much (since we cannot easily combine the information on the fresh \(A_1^2\), and would need to collect information on all d shares to accumulate information on the constant secret). As for Theorem 1 in Sect. 5, we can anyway note that the bounded moment model allows obtaining much easier connections to the (more theoretical) probing model than to the (more general but more involved) noisy leakage model.
9 Independence Issues
Before concluding, we discuss one important advantage of threshold implementations for hardware (parallel) implementations, namely their better resistance against glitches. We take advantage of and generalize this discussion to clarify the different independence issues that can affect leaking implementations, and detail how they can be addressed in order to obtain actual implementations that deliver the security levels guaranteed by masking security proofs.
 1.
Computational recombining (or glitches). In this first case, transient intermediate computations are such that the combinatorial part of the circuit recombines the shares. This effect has been frequently observed in the literature under the name “glitches”, and has been exploited to break (i.e. reduce the security order of) many hardware implementations (e.g. [46]).
 2.
Memory recombining (or transitions). In this second case, non-independence comes from register reuse and the fact that actual leakage may be proportional to the transition between the register states. For example, this would happen in Fig. 6(a) if registers \(x_1\) and \(y_1\) (which depends on \(x_2,x_3\)) are the same. This effect has been frequently observed in the literature too, under the name “distance-based” or “transition-based” leakages, and has been exploited to break software implementations (e.g. [11, 29]).
 3.
Routing recombining (or coupling). In this final case, the recombining is based on the physical proximity of the wires. The leakage function would then be proportional to some function of these wires. Such effects, known under the name “coupling”, could break the additive model of Eq. (2) in case of complex (e.g. quadratic) functions. To the best of our knowledge, they have not yet been exploited in a concrete (published) attack.
Transition-Based Leakage. Various design solutions exist against transition-based leakage. The straightforward one is simply to ensure that all the registers in the implementation are different, or to double the order of the masking scheme [11]. But this is of course suboptimal (since not all transitions leak sensitive information). So a better solution is to include transition-based leakages in the evaluation of masked implementations, a task which also benefits from the tools in [13].
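A minimal sketch of why register reuse is dangerous (our hypothetical scenario, for a 2-share masking of a bit a): if a register first holds the mask r and is then overwritten by a xor r, a transition-based leakage proportional to old xor new reveals a exactly:

```python
import secrets

def transition_leakage(a):
    """Register reuse: the register first holds the mask r, then the
    masked value a xor r. Distance-based leakage of the transition
    (old xor new) equals a, collapsing the first-order security."""
    r = secrets.randbelow(2)
    old, new = r, a ^ r
    return old ^ new

def value_leakages(a):
    """With two distinct registers, each write leaks only its own value;
    r and a xor r are individually uniform, independent of a."""
    r = secrets.randbelow(2)
    return r, a ^ r
```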
Couplings. This last effect being essentially physical, there are no algorithmic/software methods to prevent it. Couplings are especially critical in the context of parallel implementations, since the non-linearity they imply may break the independent leakage assumption. (By contrast, in serial implementations this assumption is rather fulfilled by manipulating the shares at different cycles.) So the fact that routing-based recombinations do not occur in parallel masked implementations is essentially an assumption that all designers have to make. In this respect, we note that experimental results of attacks against threshold implementations where several shares are manipulated in parallel (e.g. the ones listed in Sect. 4.1) suggest that this assumption is indeed well respected for current technologies. Yet, we also note that the risk of couplings increases with technology scaling [51]. Hence, as technologies scale down, it is anyway a good design strategy to manipulate shares in larger fields, or to ensure a sufficient physical distance between them if masking is implemented in a bitslice fashion.
10 Open Problems
These results lead to two important tracks for further research.
Second, whenever discovering a bias in a masked implementation, our tools not only output the computation leading to this bias, but also its (possibly small) amplitude. Hence, the bounded moment model has great potential to extend the quantitative analysis in [39] (so far limited to first-order leakages) to the higher-order case. Relying on the fact that the biases may be quantitatively hard to exploit could lead to further reductions of the randomness requirements in masked implementations, e.g. by combining the evaluation of these biases with the tools to analyze non-independent leakages introduced in [32] (Sect. 4.2).
Footnotes
 1.
This division between hardware and software is admittedly oversimplifying in view of the improved capabilities of modern microprocessors to take advantage of parallelism. So the following results in fact also apply to parallel software computing.
 2.
This definition justifies why we use raw moments rather than central or standardized ones. Indeed, to establish security at order o, we require moments of orders less than o to be independent of Y. Thus centralization (i.e. removing the mean) or normalization by the standard deviation only add terms known to be independent of Y.
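This footnote's claim follows from the binomial expansion of a central moment into raw moments:

```latex
\mathbb{E}\big[(L-\mu)^o\big]
  \;=\; \sum_{k=0}^{o} \binom{o}{k}\,(-\mu)^{o-k}\,\mathbb{E}\big[L^k\big],
  \qquad \mu = \mathbb{E}[L].
```

If all raw moments \(\mathbb{E}[L^k]\) with \(k < o\) are independent of Y, then so are \(\mu \) and every term with \(k < o\); hence centralization (and likewise normalization by a Y-independent standard deviation) does not change the order of the first Y-dependent moment.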
Acknowledgements
Sebastian Faust is funded by the Emmy Noether Program FA 1320/11 of the German Research Foundation (DFG). FrançoisXavier Standaert is a research associate of the Belgian Fund for Scientific Research (F.R.S.FNRS). This work has been funded in parts by projects S2013/ICE2731 NGREENS SoftwareCM, ONR Grants N000141210914 and N000141512750, FP7 Marie Curie ActionsCOFUND 291803 and ERC project 280141.
References
 1. Francillon, A., Rohatgi, P. (eds.): CARDIS 2013. LNCS, vol. 8419. Springer, Heidelberg (2014)
 2. Prouff, E., Schaumont, P. (eds.): CHES 2012. LNCS, vol. 7428. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-33027-8
 3. Güneysu, T., Handschuh, H. (eds.): CHES 2015. LNCS, vol. 9293. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-48324-4
 4. Gierlichs, B., Poschmann, A.Y. (eds.): CHES 2016. LNCS, vol. 9813. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-53140-2
 5. Wiener, M. (ed.): CRYPTO 1999. LNCS, vol. 1666. Springer, Heidelberg (1999). doi: 10.1007/3-540-48405-1
 6. Oswald, E., Fischlin, M. (eds.): EUROCRYPT 2015. LNCS, vol. 9056. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46800-5
 7. Fischlin, M., Coron, J.-S. (eds.): EUROCRYPT 2016. LNCS, vol. 9666. Springer, Heidelberg (2016)
 8. Joye, M., Moradi, A. (eds.): CARDIS 2014. LNCS, vol. 8968. Springer, Heidelberg (2015). doi: 10.1007/978-3-319-16763-3
 9. Andrychowicz, M., Dziembowski, S., Faust, S.: Circuit compilers with O(1/log(n)) leakage rate. In: EUROCRYPT 2016, Part II [7], pp. 586–615 (2016)
 10. Archambeau, C., Peeters, E., Standaert, F.-X., Quisquater, J.-J.: Template attacks in principal subspaces. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 1–14. Springer, Heidelberg (2006). doi: 10.1007/11894063_1
 11. Balasch, J., Gierlichs, B., Grosso, V., Reparaz, O., Standaert, F.-X.: On the cost of lazy engineering for masked software implementations. In: Joye, M., Moradi, A. (eds.) CARDIS 2014. LNCS, vol. 8968, pp. 64–81. Springer, Heidelberg (2015). doi: 10.1007/978-3-319-16763-3_5
 12. Balasch, J., Gierlichs, B., Reparaz, O., Verbauwhede, I.: DPA, bitslicing and masking at 1 GHz. In: Güneysu, T., Handschuh, H. (eds.) CHES 2015. LNCS, vol. 9293, pp. 599–619. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-48324-4_30
 13. Barthe, G., Belaïd, S., Dupressoir, F., Fouque, P.-A., Grégoire, B., Strub, P.-Y.: Verified proofs of higher-order masking. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 457–485. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46800-5_18
 14. Barthe, G., Belaïd, S., Dupressoir, F., Fouque, P.-A., Grégoire, B., Strub, P.-Y., Zucchini, R.: Strong non-interference and type-directed higher-order masking. In: Proceedings of ACM CCS (2016, to appear)
 15. Barthe, G., Dupressoir, F., Faust, S., Grégoire, B., Standaert, F.-X., Strub, P.-Y.: Parallel implementations of masking schemes and the bounded moment leakage model. IACR Cryptol. ePrint Arch. 2016, 912 (2016)
 16. Batina, L., Gierlichs, B., Prouff, E., Rivain, M., Standaert, F.-X., Veyrat-Charvillon, N.: Mutual information analysis: a comprehensive study. J. Cryptol. 24(2), 269–291 (2011)
 17. Battistello, A., Coron, J.-S., Prouff, E., Zeitoun, R.: Horizontal side-channel attacks and countermeasures on the ISW masking scheme. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 23–39. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-53140-2_2
 18. Bayrak, A.G., Regazzoni, F., Novo, D., Ienne, P.: Sleuth: automated verification of software power analysis countermeasures. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 293–310. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-40349-1_17
 19. Belaïd, S., Benhamouda, F., Passelègue, A., Prouff, E., Thillard, A., Vergnaud, D.: Randomness complexity of private circuits for multiplication. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 616–648. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49896-5_22
 20. Bilgin, B., Daemen, J., Nikov, V., Nikova, S., Rijmen, V., Assche, G.: Efficient and first-order DPA resistant implementations of Keccak. In: Francillon, A., Rohatgi, P. (eds.) CARDIS 2013. LNCS, vol. 8419, pp. 187–199. Springer, Heidelberg (2014). doi: 10.1007/978-3-319-08302-5_13
 21. Bilgin, B., Gierlichs, B., Nikova, S., Nikov, V., Rijmen, V.: Higher-order threshold implementations. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 326–343. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-45608-8_18
 22. Bilgin, B., Gierlichs, B., Nikova, S., Nikov, V., Rijmen, V.: A more efficient AES threshold implementation. In: Pointcheval, D., Vergnaud, D. (eds.) AFRICACRYPT 2014. LNCS, vol. 8469, pp. 267–284. Springer, Heidelberg (2014). doi: 10.1007/978-3-319-06734-6_17
 23. Bilgin, B., Nikova, S., Nikov, V., Rijmen, V., Stütz, G.: Threshold implementations of all 3 \(\times \) 3 and 4 \(\times \) 4 S-boxes. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 76–91. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-33027-8_5
 24. Blömer, J., Guajardo, J., Krummel, V.: Provably secure masking of AES. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 69–83. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-30564-4_5
 25. Carlet, C., Danger, J., Guilley, S., Maghrebi, H., Prouff, E.: Achieving side-channel high-order correlation immunity with leakage squeezing. J. Cryptogr. Eng. 4(2), 107–121 (2014)
 26. Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 398–412. Springer, Heidelberg (1999). doi: 10.1007/3-540-48405-1_26
 27. Chen, C., Eisenbarth, T., Shahverdi, A., Ye, X.: Balanced encoding to mitigate power analysis: a case study. In: Joye, M., Moradi, A. (eds.) CARDIS 2014. LNCS, vol. 8968, pp. 49–63. Springer, Heidelberg (2015). doi: 10.1007/978-3-319-16763-3_4
 28. De Cnudde, T., Reparaz, O., Bilgin, B., Nikova, S., Nikov, V., Rijmen, V.: Masking AES with \(d+1\) shares in hardware. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 194–212. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-53140-2_10
 29. Coron, J.-S., Giraud, C., Prouff, E., Renner, S., Rivain, M., Vadnala, P.K.: Conversion of security proofs from one leakage model to another: a new issue. In: Schindler, W., Huss, S.A. (eds.) COSADE 2012. LNCS, vol. 7275, pp. 69–81. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-29912-4_6
 30. Coron, J.-S., Prouff, E., Rivain, M.: Side channel cryptanalysis of a higher order masking scheme. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 28–44. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-74735-2_3
 31. Duc, A., Dziembowski, S., Faust, S.: Unifying leakage models: from probing attacks to noisy leakage. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 423–440. Springer, Heidelberg (2014). doi: 10.1007/978-3-642-55220-5_24
 32. Duc, A., Faust, S., Standaert, F.-X.: Making masking security proofs concrete. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 401–429. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46800-5_16
 33. Durvaux, F., Standaert, F.-X.: From improved leakage detection to the detection of points of interests in leakage traces. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 240–262. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49890-3_10
 34. Durvaux, F., Standaert, F.-X., Pozo, S.M.: Towards easy leakage certification. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 40–60. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-53140-2_3
 35. Dziembowski, S., Faust, S.: Leakage-resilient cryptography from the inner-product extractor. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 702–721. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-25385-0_38
 36. Dziembowski, S., Faust, S., Herold, G., Journault, A., Masny, D., Standaert, F.-X.: Towards sound fresh re-keying with hard (physical) learning problems. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 272–301. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-53008-5_10
 37. Eldib, H., Wang, C.: Synthesis of masking countermeasures against side channel attacks. In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp. 114–130. Springer, Heidelberg (2014). doi: 10.1007/978-3-319-08867-9_8
 38. Eldib, H., Wang, C., Schaumont, P.: Formal verification of software countermeasures against side-channel attacks. ACM Trans. Softw. Eng. Methodol. 24(2), 11:1–11:24 (2014)
 39. Eldib, H., Wang, C., Taha, M.M.I., Schaumont, P.: Quantitative masking strength: quantifying the power side-channel resistance of software code. IEEE Trans. CAD Integr. Circuits Syst. 34(10), 1558–1568 (2015)
 40. Grosso, V., Leurent, G., Standaert, F.-X., Varıcı, K.: LS-designs: bitslice encryption for efficient masked software implementations. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 18–37. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46706-0_2
 41. Grosso, V., Standaert, F.-X., Prouff, E.: Low entropy masking schemes, revisited. In: Francillon, A., Rohatgi, P. (eds.) CARDIS 2013. LNCS, vol. 8419, pp. 33–43. Springer, Heidelberg (2014). doi: 10.1007/978-3-319-08302-5_3
 42. Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003). doi: 10.1007/978-3-540-45146-4_27
 43. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). doi: 10.1007/3-540-48405-1_25
 44. Longo, J., Mulder, E., Page, D., Tunstall, M.: SoC it to EM: electromagnetic side-channel attacks on a complex system-on-chip. In: Güneysu, T., Handschuh, H. (eds.) CHES 2015. LNCS, vol. 9293, pp. 620–640. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-48324-4_31
 45. Mangard, S., Popp, T., Gammel, B.M.: Side-channel leakage of masked CMOS gates. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 351–365. Springer, Heidelberg (2005). doi: 10.1007/978-3-540-30574-3_24
 46. Mangard, S., Pramstaller, N., Oswald, E.: Successfully attacking masked AES hardware implementations. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 157–171. Springer, Heidelberg (2005). doi: 10.1007/11545262_12
 47. Moradi, A.: Statistical tools flavor side-channel collision attacks. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 428–445. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-29011-4_26
 48. Moradi, A., Poschmann, A., Ling, S., Paar, C., Wang, H.: Pushing the limits: a very compact and a threshold implementation of AES. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 69–88. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-20465-4_6
 49. Moss, A., Oswald, E., Page, D., Tunstall, M.: Compiler assisted masking. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 58–75. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-33027-8_4
 50. Nikova, S., Rijmen, V., Schläffer, M.: Secure hardware implementation of nonlinear functions in the presence of glitches. J. Cryptol. 24(2), 292–321 (2011)
 51. Paul, C.R.: Introduction to Electromagnetic Compatibility. Wiley, Hoboken (2006)
 52. Poschmann, A., Moradi, A., Khoo, K., Lim, C., Wang, H., Ling, S.: Side-channel resistant crypto for less than 2,300 GE. J. Cryptol. 24(2), 322–345 (2011)
 53. Prouff, E., Rivain, M.: Masking against side-channel attacks: a formal security proof. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 142–159. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-38348-9_9
 54. Prouff, E., Rivain, M., Bevan, R.: Statistical analysis of second order differential power analysis. IEEE Trans. Comput. 58(6), 799–811 (2009)
 55. Reparaz, O., Bilgin, B., Nikova, S., Gierlichs, B., Verbauwhede, I.: Consolidating masking schemes. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 764–783. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-47989-6_37
 56. Rivain, M., Prouff, E.: Provably secure higher-order masking of AES. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 413–427. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-15031-9_28
 57. Schneider, T., Moradi, A.: Leakage assessment methodology. In: Güneysu, T., Handschuh, H. (eds.) CHES 2015. LNCS, vol. 9293, pp. 495–513. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-48324-4_25
 58. Standaert, F.-X., Archambeau, C.: Using subspace-based template attacks to compare and combine power and electromagnetic information leakages. In: Oswald, E., Rohatgi, P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 411–425. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-85053-3_26
 59. Standaert, F.-X., Malkin, T.G., Yung, M.: A unified framework for the analysis of side-channel key recovery attacks. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 443–461. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-01001-9_26
 60. Standaert, F.-X., Veyrat-Charvillon, N., Oswald, E., Gierlichs, B., Medwed, M., Kasper, M., Mangard, S.: The world is not enough: another look on second-order DPA. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 112–129. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-17373-8_7
 61. Tiri, K., Verbauwhede, I.: Securing encryption algorithms against DPA at the logic level: next generation smart card technology. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 125–136. Springer, Heidelberg (2003). doi: 10.1007/978-3-540-45238-6_11
 62. Ullrich, M., De Cannière, C., Indesteege, S., Küçük, Ö., Mouha, N., Preneel, B.: Finding optimal bit-sliced implementations of 4 \(\times \) 4-bit S-boxes. In: Symmetric Key Encryption Workshop 2011 (2011)
 63. Waddle, J., Wagner, D.: Towards efficient second-order power analysis. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 1–15. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-28632-5_1