English

Rosita++: Automatic Higher-Order Leakage Elimination from Cryptographic Code

Cryptography and Security 2021-09-27 v1

Abstract

Side-channel attacks are a major threat to the security of cryptographic implementations, particularly for small devices that are under the physical control of the adversary. While several strategies for protecting against side-channel attacks exist, these often fail in practice due to unintended interactions between values deep within the CPU. To detect and protect from side-channel attacks, several automated tools have recently been proposed; one of their common limitations is that they only support first-order leakage. In this work, we present the first automated tool for detecting and eliminating higher-order leakage from cryptographic implementations. Rosita++ proposes statistical and software-based tools to allow high-performance higher-order leakage detection. It then uses the code rewrite engine of Rosita (Shelton et al. NDSS 2021) to eliminate detected leakage. For the sake of practicality we evaluate Rosita++ against second and third order leakage, but our framework is not restricted to only these orders. We evaluate Rosita++ against second-order leakage with three-share implementations of two ciphers, PRESENT and Xoodoo, and with the second-order Boolean-to-arithmetic masking, a core building block of masked implementations of many cryptographic primitives, including SHA-2, ChaCha and Blake. We show effective second-order leakage elimination at a performance cost of 36% for Xoodoo, 189% for PRESENT, and 29% for the Boolean-to-arithmetic masking. For third-order analysis, we evaluate Rosita++ against the third-order leakage using a four-share synthetic example that corresponds to typical four-share processing. Rosita++ correctly identified this leakage and applied code fixes.

Keywords

Cite

@article{arxiv.2109.11741,
  title  = {Rosita++: Automatic Higher-Order Leakage Elimination from Cryptographic Code},
  author = {Madura A. Shelton and Łukasz Chmielewski and Niels Samwel and Markus Wagner and Lejla Batina and Yuval Yarom},
  journal= {arXiv preprint arXiv:2109.11741},
  year   = {2021}
}
R2 v1 2026-06-24T06:17:01.075Z