Gilles Barthe
MPI-SP, Germany; IMDEA Software Institute, Spain

Marc Gourjon
Hamburg University of Technology, Germany; NXP Semiconductors, Germany

Benjamin Grégoire
Inria, France

Maximilian Orlt
TU Darmstadt, Germany

Clara Paglialonga
TU Darmstadt, Germany

Lars Porth
TU Darmstadt, Germany

Keywords: Side-channel resilience, Higher-order masking, Probing security, Verification, Domain Specific Language

Abstract

We propose a new approach for building efficient, provably secure, and practically hardened implementations of masked algorithms. Our approach is based on a Domain Specific Language in which users can write efficient assembly implementations and fine-grained leakage models. The latter are then used as a basis for formal verification, allowing for the first time formal guarantees for a broad range of device-specific leakage effects not addressed by prior work. The practical benefits of our approach are demonstrated through a case study of the PRESENT S-Box: we develop a highly optimized and provably secure masked implementation, and show through practical evaluation based on TVLA that our implementation is practically resilient. Our approach significantly narrows the gap between formal verification of masking and practical security.