aLEAKator: HDL Mixed-Domain Simulation for Masked Hardware & Software Formal Verification
Noé Amiot, Quentin Meunier, Karine Heydemann, Emmanuelle Encrenaz

aLEAKator: HDL Mixed-Domain Simulation for Masked Hardware & Software Formal Verification


Introduction

aLEAKator is a framework for the formal verification of masked hardware and of masked software running on CPUs. It uses HDL mixed-domain simulation to verify cryptographic implementations against advanced leakage models.


Abstract

Verifying the security of masked hardware and software implementations, under advanced leakage models, remains a significant challenge, especially when accounting for glitches, transitions and CPU micro-architectural specifics. Existing verification approaches are either restricted to small hardware gadgets, small programs on CPUs such as Sboxes, limited leakage models, or require hardware-specific prior knowledge.

In this work, we present aLEAKator, an open-source framework for the automated formal verification of masked cryptographic accelerators and software running on CPUs from their HDL descriptions. Our method introduces mixed-domain simulation, enabling precise modeling and verification under various (including robust and relaxed) 1-probing leakage models, and supports variable signal granularity without being restricted to 1-bit wires. aLEAKator also supports verification in the presence of lookup tables, and does not require prior knowledge of the target CPU architecture. Our approach is validated against existing tools and real-world measurements while providing innovative results such as the verification of a full, first-order masked AES on various CPUs.


Review

The paper introduces "aLEAKator," a novel open-source framework tackling the critical and complex challenge of formally verifying the security of masked hardware and software implementations. Acknowledging the limitations of current methods, which struggle with advanced leakage models incorporating glitches, transitions, and intricate CPU micro-architectural specifics, the authors highlight that existing approaches are typically confined to small hardware components, simple programs, restricted leakage models, or demand extensive prior hardware knowledge. This clearly sets the stage for a significant contribution addressing a pressing need in the field of side-channel security verification.

aLEAKator distinguishes itself through its innovative approach: "mixed-domain simulation" for automated formal verification directly from Hardware Description Language (HDL) descriptions. This methodology offers several key advancements. It enables precise modeling and verification under a broad spectrum of 1-probing leakage models, including robust and relaxed variants, while uniquely supporting variable signal granularity beyond typical 1-bit wires. Furthermore, the framework accommodates the verification of designs incorporating lookup tables and, crucially, does not necessitate prior architectural knowledge of the target CPU, thereby significantly broadening its applicability and ease of use.

The practical utility and robustness of aLEAKator are underscored by its thorough validation. The authors demonstrate its effectiveness through comparisons against established tools and real-world measurements, providing a strong empirical basis for its claims. A particularly noteworthy achievement is its ability to verify a full, first-order masked AES implementation across various CPUs, a task that has historically proven challenging for existing verification methods.

This work represents a significant step forward in automated formal verification for side-channel security, offering a more comprehensive and accessible solution for securing cryptographic implementations.


Full Text

The full text of "aLEAKator: HDL Mixed-Domain Simulation for Masked Hardware & Software Formal Verification" is published in IACR Transactions on Cryptographic Hardware and Embedded Systems.

