Glitch Propagation through Flip-Flops Endangers Masking Schemes: Why Time Separation Is Required

Abstract

Glitches are hardware-level hazards that are capable of compromising secure implementations. Even dominant protections against side-channel attacks must demonstrate immunity in the potential presence of glitches. In this paper, we study two hardware masking schemes rationales, namely Ishai-ShaiWagner (ISW) and its Enhanced version (E-ISW), as well as Domain-Oriented Masking (DOM). While other glitch-aware masking schemes have been proposed, our focus is specifically on the differences between E-ISW and DOM. Those two styles rely respectively on combinational and on sequential separation of shares. It is known that sequential separation, realized through pipelining stages, does impact the latency of the hardware masking scheme. Additionally, in this paper, we show another drawback: pipelining does not provide full independence between manipulated shares. Indeed, we show that pipelining elements (DFFs in practice) can propagate upstream activity downstream. This results in first-order leakage in real-world systems, especially when parasitic effects are considered. In this respect, we show that DOM is leaking at first-order, and that this leakage increases with both the complexity of the netlist (in terms of number of DOM gadgets) and with the extent to which the operational environment can be worsened by an attacker (e.g., lowering the voltage to increase the leakage). These findings provide valuable insights for advancing secure hardware design.