# Power Contracts: Provably Complete Power Leakage Models for Processors

Roderick Bloem Graz University of Technology Barbara Gigerl Graz University of Technology Marc Gourjon
Hamburg University of Technology
and NXP Semiconductors

Vedad Hadžić Graz University of Technology Stefan Mangard Graz University of Technology Robert Primas Graz University of Technology

#### **ABSTRACT**

The protection of cryptographic software implementations against power-analysis attacks is critical for applications in embedded systems. A commonly used algorithmic countermeasure against these attacks is masking, a secret-sharing scheme that splits a sensitive computation into computation on multiple random shares. In practice, the security of masking schemes relies on several assumptions that are often violated by microarchitectural side-effects of CPUs. Many past works address this problem by studying these leakage effects and building corresponding leakage models that can then be integrated into a software verification workflow. However, these models have only been derived empirically, putting the otherwise rigorous security statements made with verification in question.

We solve this problem in two steps. First, we introduce a *contract* layer between the (CPU) hardware and the software that allows the specification of microarchitectural side-effects on masked software in an intuitive language. Second, we present a method for proving the correspondence between contracts and CPU netlists to ensure the completeness of the specified leakage models. Then, any further security proofs only need to happen between software and contract, which brings benefits such as reduced verification runtime, improved user experience, and the possibility of working with vendor-supplied contracts of CPUs whose design is not available on netlist-level due to IP restrictions. We apply our approach to the popular RISC-V IBEX core, provide a corresponding formally verified contract, and describe how this contract could be used to verify masked software implementations.

## **KEYWORDS**

Power Side-Channel, Leakage Model, Verification, Contract, Domain-Specific Language, Masking, Probing Security

Author Email: first.last@iaik.tugraz.at and first.last@tuhh.de

## 1 INTRODUCTION

Physical side-channel attacks such as power or EM analysis allow attackers within proximity of a device to learn sensitive information like cryptographic keys [31, 45]. One of the most widely used algorithmic countermeasures for protecting a cryptographic implementation against these kinds of attacks is masking [14, 27, 30]. Masking is a secret-sharing technique that splits input and intermediate variables of cryptographic computations into  $d \ge t+1$  random shares such that the observation of up to t shares does not reveal any information about their corresponding unmasked value. Masking schemes typically rely on certain assumptions, such as independent computations producing independent side-channel leakage. However, the structure of a CPU architecture can violate these assumptions and introduce additional leakage effects [16, 18, 25, 39, 43]. Such leakage is often also referred to as order-reducing leakage because it induces a security loss and thus a gap between formal security assurance and practical resilience. The physical characteristics of gates are relatively well understood and give rise to extended leakage models, which allow constructing hardware implementations that reliably mitigate order-reducing leakage [17, 20, 33, 34]. Similarly, when designing masked software implementations of cryptographic algorithms, knowing the concrete power side-effects of different instruction types is indispensable. It allows developers to optimize the performance of masked implementations by simplifying the otherwise trial-and-error hardening process [9].

**State of the Art.** Many works address the problem of characterizing and understanding the leakage behavior of instructions. These can be divided into two categories: works that use empirical methods to determine side-channel leakage, and works that use formal verification approaches to verify side-channel resilience.

On the empirical side, the measurement of a CPU's power consumption combined with a subsequent analysis using statistical methods, is a straightforward approach to determine whether cryptographic software is correctly masked. Any observed leakage effects can be reverse-engineered and taken into account in hardened versions of the respective masked software implementations [1, 23, 24, 36, 38, 43, 48]. Based on these observations, subsequent works derive leakage models that describe the leakage behavior of assembly instructions that are commonly used for masking implementations on CPUs [9, 10, 37]. All existing empirical approaches require high practical effort and cannot guarantee completeness, thereby reducing the confidence in security assessments [5, 39].

On the formal verification side, several works verify the security of masked software implementations under specific masking-related security notions. MaskVerif performs algorithmic software

masking verification using generic leakage models [7]. Barthe *et al.* [9] improve upon this by verifying the absence of order-reducing leakage with the tool ScVerif which combines user-provided leakage models for assembly instructions with verification routines for the more practice-oriented stateful extensions of the commonly accepted security notions t-NI and t-SNI [7, 8]. However, the security assurance still relies on the completeness of the used leakage models, as it is the case for pure empirical approaches.

An entirely different take on masked software verification was presented with the Coco tool by Gigerl et al., which avoids modeling leakage entirely and instead simulates the execution of masked software directly on the processor netlist [25, 26, 29]. Their approach considers the leakage of every single gate in an extended hardware leakage model and captures a wide range of microarchitectural side-effects. However, their method requires the processor's netlist, which may not be available, e.g., for most Arm-based embedded devices. All other tools operate in fixed software leakage models and are inadequate to protect software against device-specific leakage.

**Our Contribution.** We answer to the question of leakage model completeness and establish end-to-end (E2E) security for software executing on a processor. First, we introduce a contract between the hardware and the software that defines precise semantics and models side-channel behavior of assembly instructions. We then establish a technique to verify *compliance* of a processor with a contract. A processor is compliant when the leakage of each of its gates and the semantic of instruction is correctly specified in the contract. Put vice-versa, we prove the contract's model of instructions correct and its model of leakages complete. We pave the way for provable E2E security by defining software compliance for threshold probing security notions so that the approach of Barthe et al. [9] can be easily mapped to our slightly different language for contracts. We combine hardware compliance and software compliance to prove E2E security: any compliant software is secure w.r.t. all microarchitectural power side-channel leakage of any compliant CPU. Compared to related work, our approach comes with benefits such as more rigorous (practical) security statements, simplified software verification workflows, and the possibility of working with vendor-supplied contracts of CPUs whose design is not available on netlist-level due to IP restrictions. Our contributions also enable the construction of reliable hardened processors, as users can specify the desired leakage model in a contract and modify the CPU implementation to achieve compliance for fixed contracts. We emphasize that the intermediate contract layer enables for the first time portability of secure implementations across processors and improves the separation of secure hardware and software development in general.

1. Contracts. We introduce an intuitive and industry-grade domain-specific language (DSL) called Genoa. Genoa allows specifying Instruction Set Architecture (ISA) semantics and device-specific leakages in contracts. Genoa extends the long-standing Sail language to support leakage specifications. The RISC-V foundation recently picked Sail as the official tool to specify the reference RISC-V ISA and all standard extensions [40, 47]. Models for multiple architectures (e.g., Arm) exist, which can be freely adopted and compiled to software emulators [4]. We reuse existing models as the basis for contracts, augmenting them with leakage specifications and providing an interface for our verification tool. We show that

whenever a program is secure with respect to a contract, its concrete execution on a compliant processor is also secure, i.e., no order-reducing leakage can occur. We emphasize that our contracts also support higher-order masking, branching, and secret-dependent memory accesses needed for masked table lookups [15].

**2. Hardware Compliance.** We present a method to automatically verify the compliance of a processor with a contract. Verification ensures that the leakage of every gate is captured by a leakage specification in the contract and that the contract specifies correct instruction semantics. Our methodology is based on the intuition that if the contract properly models the hardware, then any leakage arising in the hardware can be computed from leakage produced during an execution in the contract. The verification encodes both hardware and contract execution, respectively leakage, as SMT formulas and checks for model gaps using the SMT solver Z3 [6, 19]. If the solver finds no cases where a hardware leakage is not modeled from the contract leakage, we have proven hardware compliance. 3. Case Study. We implement our methods in a tool and apply them to the popular RISC-V IBEX core [32], resulting in a verifiably complete contract for a wide range of instructions that are commonly used for cryptographic implementations. An approach for the verification of masked software implementations from Barthe et al. [9] can then easily be adopted to prove the absence of order-reducing leakage of masked software that is executed on a compliant CPU hardware. The contract, which is based on the official RISC-V reference models, is provided as an artifact.

# 2 SIDE-CHANNEL RESILIENCE

We introduce preliminaries for side-channel security. Hardware circuits and their power side-channel leakage are modeled in Section 2.1. In Section 2.2, we recall the masking countermeasure and the formal notions of provable side-channel resilience.

# 2.1 Hardware Model and Gate-level Leakage

Processors are digital hardware circuits which can be modeled using labeled directed graphs. For any given circuit (G, W, L), we say that *G* is the set of gates,  $W \subseteq G \times G$  is the set of wires connecting the gates, and  $L: G \to T$  is a labeling defining the type  $\tau \in T$  of each gate  $q \in G$ . The types T depend on the technology that realizes the circuit. In addition to combinatorial gates we only require that the technology contains an input type  $\tau_{\rm in}$  and a register type  $\tau_{\rm reg}$ . Input gates only have outgoing wires, and register gates only have one incoming wire. Additionally, every cyclic path in the circuit contains at least one register gate. The state of a circuit is completely defined by the values of its inputs and registers, referred to as locations, denoted with  $V^h = \{g \in G \mid L(g) \in \{\tau_{\text{in}}, \tau_{\text{reg}}\}\}$ . Hardware states are denoted with  $\sigma^h \in \mathbb{B}^{|V^h|}$ , with optional subscripts. Any location  $v^h \in V^h$  just returns the appropriate bit of the state. Any gate gis a function of a state, i.e.,  $q: \mathbb{B}^{|V^h|} \to \mathbb{B}$  where gate  $q \in G \setminus V$ combines state bits according to its type  $\tau$ .

The execution of a circuit happens in clock cycles. For a state  $\sigma_j^h$ , we denote the next state as  $\sigma_{j+1}^h$ . The registers of the next state have values reflecting the values of their inputs in the previous cycle, *i.e.*,  $g(\sigma_{j+1}^h) := g'(\sigma_j^h)$  with  $(g',g) \in W$ , whereas the next state of circuit inputs is determined by the environment.

We now proceed to define the power side-channel leakage that is exposed to an adversary. The root cause of power side-channels is that CMOS logic draws power, or emits electromagnetic radiation, mainly if a transistor switches its state. Thus, CMOS gates have a data-dependent power consumption. The leakage behavior of CMOS gates themselves is relatively well understood and can be modeled by a few simple leakage effects which allow an (idealized) probing adversary to observe the (intermediate) values of gates and wires without any loss due to measurement noise [5, 20, 30]. The seminal work of Ishai et al. [30] introduced value leakage which allows an idealized adversary to observe the value of any wire connected to a gate at the beginning or end of a cycle, i.e., its stable signal. The value leakage  $\lambda_q$  exposed by the gate is its value  $\lambda_g(\sigma_j^h) = g(\sigma_j^h)$  in the state  $\sigma_j^h$ . Besides value leakage, additional leakage effects are also observable in hardware. We define our extended probing model in close relation to the robust probing model of Faust et al. [20]. Transition leakage refers to the phenomeneon that the power consumption of CMOS gates depends on the charges (state) of the gate before computation. As such transition leakage allows observing whether the value of a gate changed during a clock cycle but also whether the value changed from zero to one or viceversa. Formally, our idealized adversary is able to observe the initial value and the resulting value of each gate. The observable gate leakage is then the concatenation of the old and new gate values, i.e.,  $\lambda_g(\sigma_{j-1}^h, \sigma_j^h) = g(\sigma_{j-1}^h)||g(\sigma_j^h)$ . This sufficiently captures any real-world transition leakage function computable from the old and new gate values. In addition to these main phenomena, there are glitches caused by propagation delay in the temporary logic states of combinatorial circuits within one clock cycle (and thus rather ephemeral) [35] and couplings caused by inductive coupling of adjacent wires [17]. These can be modeled by defining  $\lambda_g(\sigma_{j-1}^h,\sigma_j^h)$  for non-register gates as the concatenation of all possible values the gate g could take on due to these effects. We use  $\mathcal{L}^h_{0,m}$  to denote the observable gate-level leakage throughout the execution starting in state  $\sigma_0^h$  and ending in state  $\sigma_m^h$ . While the techniques described in the following apply to all effects, for the purpose of this paper, we focus on value leakage and transition leakage. Hence, we define  $\mathcal{L}^h_{0,m} = \{\lambda^h_g(\sigma^h_{i-1},\sigma^h_i) \mid g \in G, 1 \leq j < m\}.$ 

## 2.2 Provable Security and Simulatability

Applying masking to a cryptographic algorithm requires to replace the primitive operations (e.g., logical conjunction, exclusive or, addition) by masked computations, often called gadgets, which compute the same operation securely on shares [28, 30, 41, 46]. The challenge in the design and implementation of gadgets is to maintain the security of the secret-sharing: it must remain information theoretically impossible to learn the secrets or intermediate values by observing up to t leakages caused by the circuit. In sufficiently noisy environments this leads to an exponential gain of security in the order of t [13, 44]. However, many works do not take the full gate-level leakages into account, resulting in nominally secure implementations which are exploitable at an lower-than-advertised security order. Especially for masked software, the resulting gap in the security assurance allows to break the implementation by observing, e.g., transition leakage of the processor executing the program [5, 33, 42]. The focus of this work is to reduce the gap by

enabling software security assessments to include the *complete* set of gate-level leakages.

We give an overview of the notation associated with masking, and formalize gadgets and their security. Masking heavily relies on random variables. We write the names of random variables in lowercase, e.g.,  $x_i$ , and use lowercase boldface names for sets of variables, e.g.,  $\mathbf{x} = \{x_0, \dots, x_n\}$ . Each random variable  $x_i$ , respectively set  $x_i$  is associated with a probability distribution  $\Pr[x_i]$ , respectively  $\Pr[x]$ . Each secret  $x_i$  is encoded (masked) using  $d \ge t + 1$  shares and we write  $\overline{x_i} = \{x_i^0, \dots, x_i^d\}$  for the shares which encode  $x_i$ , where  $x_i^j$  denotes for  $0 \le i < n$  and  $0 \le j < d$  the  $j^{\text{th}}$  share of the  $i^{\text{th}}$  secret. The set of all shares is denoted by  $\overline{x} = \{\overline{x_0}, \dots, \overline{x_{n-1}}\}$ .

A gadget operates on input tuple  $(\overline{x}, r, p)$  returning tuple  $(\overline{y}, o, \mathcal{L})$ , each consisting of random variables. The input shares  $\overline{x}$  are a set of t-wise independent encodings  $\overline{x_i}$ , each encoding a secret variable  $x_i$ . r represents a set of independent and uniformly random variables, p are public inputs independent of secrets. The output of a gadget consist of output shares  $\overline{y}$ , public outputs o, and observable leakage  $\mathcal{L}$ . Each individual output is a random variable  $y_i^j$  (respectively  $o_i$ ) and computed as a function of the gadget's inputs, i.e.,  $y_i^j = f_i^{\ j}(\overline{x}, r, p)$ . During its execution a gadget produces observable leakage  $\mathcal{L} = \{\lambda_0(\overline{x}, r, p), \ldots, \lambda_m(\overline{x}, r, p)\}$ , which an attacker can observe, e.g., through power measurements. The attacker's goal is to learn information about the unshared secret inputs x.

Threshold non-interference (t-NI) and strong threshold non-interference (t-SNI) are two prominent security notions for proving the security of gadgets against idealized adversaries [7, 8]. These have been extended in [9] into Stateful t-(S)NI to incorporate that physical execution involves state and public in- and outputs. Security of gadgets in these notions is shown by proving that the observations an attacker makes can be *simulated* without knowing the secret values, thereby proving that no information can be gained from t observations. In the following, we formalize what it means to simulate random variables, and restate t-NI and t-SNI.

DEFINITION 1 (SIMULATION PROCEDURE). Let c and h be sets of possibly related random variables and r be a set of independent and uniformly distributed variables. The simulation procedure S:  $Dom(c \cup r) \rightarrow Dom(h)$  (simulator for short) samples the random variables r to simulate the distribution of h from c. We say that simulator S simulates h from c and r if Pr[S(c,r)] = Pr[h].

Importantly, the variables c and h are not necessarily independent, meaning  $\Pr[h \mid c]$  could be different from  $\Pr[h]$ , *i.e.*, their distributions are somehow related. This is central in the definitions of Stateful t-NI and t-SNI, however, we introduce a non-probabilistic way of *modeling* (instead of simulating) the outcome of a computation from a related but different value.

Definition 2 (Modeling Function). Let  $f_H: H \to V$  and  $f_C: C \to U$  be deterministic functions. We say that a deterministic function  $f_S: U \to V$  is a modeling function which models  $f_H$  from  $f_C$  under deterministic  $\Psi: H \times C \to \mathbb{B}$  whenever

$$\forall h \in H, c \in C : \Psi(h, c) \Rightarrow f_S \circ f_C(c) = f_H(h). \tag{1}$$

Definition 2 is strong: whenever modeling function  $f_S$  models  $f_H$  then it also simulates it, captured by Lemma 1.

LEMMA 1 (MODELING FUNCTIONS SIMULATE). Let h and c be sets of possibly dependent random variables with deterministic function  $f_H$  computing a set of dependent random variables v and function  $f_C$  computing dependent random variables v. If function  $f_S$  models  $f_H$  from  $f_C$  whenever  $\Psi(h,c)$  then it also simulates v:

$$Pr[f_S \circ f_C(c) \mid \Psi(h,c) = \top] = Pr[h \mid \Psi(h,c) = \top].$$
 (2)

Stateful t–(S)NI requires a probabilistic simulator to simulate observations on leakage or outputs shares independently of secrets and a function modeling public outputs from public inputs.

DEFINITION 3 (STATEFUL t-(S)NI [7-9]). Gadget  $G(\overline{x}, r, p) = (\overline{y}, o, \mathcal{L})$  is Stateful t-(S)NI if for every set  $\mathbf{e} \subseteq \mathcal{L} \cup \overline{y}$ , with  $|\mathbf{e}| \leq t$ , there exists a subset of input shares  $\mathbf{s} \subseteq \overline{x}$ , with  $\forall i: |\mathbf{s} \cap \overline{x_i}| \leq t' \leq t$ , a set of uniformly random variables  $\mathbf{r}'$ , a modeling function  $F: Dom(p) \to Dom(o)$  modeling public outputs  $\mathbf{o}$  from public inputs  $\mathbf{p}$  and a simulator  $S: Dom(\mathbf{s}, \mathbf{r}', \mathbf{p}) \to Dom(\mathbf{e})$  simulating observations  $\mathbf{e}$  from a subset of shares  $\mathbf{s}$ , random  $\mathbf{r}'$  and public inputs  $\mathbf{p}$  such that  $Pr[S(\mathbf{s}, \mathbf{r}', \mathbf{p}), F(\mathbf{p})] = Pr[\mathbf{e}, \mathbf{o}]$  and  $\mathbf{o} = F(\mathbf{p})$ . For t-NI  $t'=|\mathbf{e}|$  while the stricter t-SNI notion requires  $t'=|\mathbf{e}\setminus\overline{y}|$ .

The tool scVerif allows proving software gadgets secure under these notions for custom definitions of the observable leakage behavior  $\mathcal{L}$  [9]. However, to prove security with respect to gatelevel leakage, the provided model of  $\mathcal{L}$  must capture absolutely all gate-level leakages of the CPU executing a gadget. In case a gatelevel leakage is modeled incorrectly, the tool could assert security although the gadget can be broken with less than t observations at the gate-level. As analyzed by Balasch et al. [5], such leakage may halve the security order, i.e.,  $t' = \frac{t}{2}$ . Even worse, Gigerl et al. report protection losses that scale with the number of processor pipeline stages [26]. Our work mitigates such losses by verifying that all gate-level leakages are modeled.

#### 3 HARDWARE-SOFTWARE CONTRACTS

In Sections 3.1 and 3.2, we describe how to build a contract which completely captures the leakage exposed by every single gate of a processor. We introduce our DSL called Genoa and demonstrate it by describing our contract for IBEX. In Section 3.3 we define how to verify the security of masked software against the model specified in a contract.

We then turn towards the question of model completeness: In Section 3.4 we define *compliance*, a property which connects gate-level leakage of a processor to the leakage model specified in a contract. Finally, we prove E2E security by showing that if a processor's hardware complies with a contract, the contract models all gate-level leakages. This allows to reduce security assessments to the model specified in the contract and allows to show that whenever a specific masked software implementation is secure in the contract, then, the security order of the software is not reduced when executed on real, compliant hardware. In Section 4 we derive an automated verification tool to check compliance w.r.t. gate-level transition leakage of realistic processors.

## 3.1 Expressing Contracts in Genoa

A contract defines the instruction semantics and exposed sidechannel information of a processor from the perspective of a software developer, *i.e.*, which data is leaked via power side-channels

Listing 1: Contract model of state defined in Genoa.

```
// adopted from RISCV Sail Model, see license in Listing 6
register PC : bits(32)
register nextPC : bits(32)
register x1 : bits(32) ...
// shadow registers
register rf_pA : bits(32) // register file read port A
register rf_pB : bits(32) // register file read port B
register mem_last_addr : bits(32) // address of last access
register mem_last_read : bits(32) // value of last access
```

when an instruction is executed in conjunction with the semantic of the instruction. Contracts must specify correct instruction semantics to be able to express accurate data leakage. Besides the instruction perspective contracts allow to execute and thereby model entire programs. In practice, a contract is a user-supplied text file containing specifications of instructions written in Genoa, which is an extension of the industry-grade Sail DSL [4]. In a nutshell, Sail is designed to model the semantic of instructions of arbitrary ISAs and we add the ability to specify leakage.

Genoa extends Sail by a dedicated leak statement to express that specific values are observable through a side-channel. For example, a statement of the form leak(val1, val2) indicates that the processor may leak any combination of the source operands, *i.e.*, any value that can be computed using these operands. Users are free to specify more fine-grained leakage using concrete functions, e.g., the Hamming-Distance. Barthe *et al.* applied this concept in [9] to a custom DSL but require users to develop complex models from scratch, involving considerable effort. As we will show, modeling leakage in a contract becomes as easy as adding few leak statements to one of the many existing Sail models for RISC-V, Arm, etc. (Genoa supports all Sail models), providing an interface to our tool and applying it to check for modeling gaps (more on this in Section 5) Our contract for IBEX is shown in Listings 1 to 6.

The SAIL manual [2] and the work of Armstrong et al. [4] provide in-depth explanations of the syntax, we give a brief overview. In Listing 1 we define the architectural state of a processor, consisting of 32-bit registers which are declared as global variables. Additional shadow registers are introduced to model leakage which arises from microarchitectural state in hardware. For example, rf\_pA is used to remember the value last read from the register file but is not used in the specification of instruction semantics. Its value is maintained in the model and later on leaked in leak statements to model leakage of instructions accessing the register file since such leakage involves the value of the register read last [43]. Every contract must specify a step function defining how a single instruction is executed. For IBEX, step\_ibex shown in Listing 2 decodes the machine code instruction (encdec) provided as parameter op and returns whether the instruction executes (execute) successfully. Both encdec and execute are scattered into multiple clauses which describe the decoding, respectively execution, for a few instructions loosely belonging to a category (see Listing 6). Each category is represented by a datatype ast, e.g., RTYPE for instructions operating on three ISA registers, represented by three indices for destination and two operands, as well as another datatype rop for different operations. Listing 3 shows the model of RTYPE instructions; encdec maps between instruction bits and ast representations using conditional

## Listing 2: Model of instruction-step $\chi$ defined in Genoa.

```
// adopted from RISCV Sail Model, see license in Listing 6
function step_ibex (op : bits(32)) -> bool = {
    nextPC = PC + 4;
    let instruction = encdec(op);
    let ret = execute(instruction);
    tick_pc();
    match ret {
        RETIRE_SUCCESS => return true,
        RETIRE_FAIL => return false}}
```

# Listing 3: Contract model of R-type instructions in Genoa.

```
// adopted from RISCV Sail Model, see license in Listing 6
   type regidx = bits(5) // index of register 0b00001 = x1
   enum rop = {RISCV_ADD, RISCV_SUB, RISCV_SLL, RISCV_SLT,
        ← RISCV_SLTU, RISCV_XOR, RISCV_SRL, RISCV_SRA,
        union clause ast = RTYPE : (regidx, regidx, regidx, rop),
   mapping clause encdec = RTYPE(rs2, rs1, rd, RISCV_ADD)
     <-> 0b0000000 @ rs2 @ rs1 @ 0b000 @ rd @ 0b0110011
     if (rs1[4] == bitzero) & (rs2[4] == bitzero) & (rd[4] ==
          → bitzero)
   mapping clause encdec = RTYPE(rs2, rs1, rd, RISCV_SLT)
     <-> 0b0000000 @ rs2 @ rs1 @ 0b010 @ rd @ 0b0110011
     if (rs1[4] == bitzero) & (rs2[4] == bitzero) & (rd[4] ==
10
11
   function clause execute (RTYPE(rs2, rs1, rd, op)) = {
12
     let rs1_val = X(rs1);
13
     let rs2_val = X(rs2);
14
     common_leakage(rs1_val, rs2_val);
15
     let result : bits(32) = match op {
16
       RISCV_ADD => rs1_val + rs2_val,
17
       RISCV_SLT => EXTZ(bool_to_bits(rs1_val <_s rs2_val)),
18
     overwrite_leakage(rd, result);
20
     X(rd) = result:
21
     return RETIRE_SUCCESS}
```

pattern matching. In line 6 rs1 represents the index bits of the first source register. The instruction semantic and leakage is specified in execute, X(rs1) returns the value of the register addressed by rs1. Leakage which is common across multiple instruction categories is exposed with a call to function common\_leakage (we defer the descriptions to Section 5.2, Listing 4). The semantics of the different operations (add, signed less than, etc.) is defined in the match statement. Additional leakage is specified by overwrite\_leakage (Listing 6) before writing the result to the destination register. In summary, Genoa allows designers to quickly construct and adjust contracts, while the human-readable specification supports the systematic development of side-channel protected software.

## 3.2 Contract Formalization

In the previous section we explained how to express contracts in the Genoa DSL. We now describe Genoa's profound formal semantics which is the basis for security verification and compliance checking. The small-steps semantics of Genoa are defined as a reduction:

$$(\delta, s, \mathcal{L}) \mapsto (\delta', s', \mathcal{L}').$$
 (3)

 $\delta$  is the context containing the definition of functions and the values of local and global variables, s is a sequence of statements and  $\mathcal{L}$  is the leakage exposed during execution. After the execution of one Genoa statement (not to be confused with an instruction)  $\delta'$  is the resulting context, s' are the remaining statements and  $\mathcal{L}' \supseteq \mathcal{L}$  is the resulting leakage. Leakage cannot be erased. All statements except leak do not add leakage and their transformation rules stay the same as in Sail [3]. A leak statement appends its operands  $v_1, \ldots, v_n$  to the execution leakage  $(\cdot; \cdot)$  is a sequence of statements).

$$(\delta, \mathsf{leak}(v_1, \dots, v_n); s, \mathcal{L}) \mapsto (\delta, s, \mathcal{L} \cup \{v_1(\sigma^c) || \dots || v_n(\sigma^c)\}).$$
(4)

A leak statement may expose multiple values, which allows abstracting away from particular assumptions such as Hamming-Distance leakage, as processors are allowed to leak any combination of the values exposed by a leak. While Genoa does not feature a construct to sample random values, sampling can be mimicked by reading from a dedicated state region containing randomness.

The behavior of a program is defined by user-supplied executions semantics which are specified in the contract. The contract specification written in Genoa thus defines the context  $\delta$  for small-step execution and, as for hardware, the contract state  $\sigma^c \in \mathbb{B}^{|V^c|}$  denotes the values of variables  $v^c \in V^c$ , further on referred to as locations. Based on these definitions, we can now define the semantics for the execution of an entire instruction, denoted by the step function  $\chi$ , starting in state  $\sigma^c_i$  and returning the state  $\sigma^c_{i+1}$  and a set of side-channel leakages  $\mathcal{L}^c_i$  of executing the  $i^{\text{th}}$  instruction:

$$\chi\left(\sigma_{i}^{c}\right) = \left(\sigma_{i+1}^{c}, \mathcal{L}_{i}^{c}\right) \tag{5}$$

The instruction to be executed is determined by the state  $\sigma_i^c$  itself, e.g., by the value of the program counter. The execution of an instruction corresponds to the many-steps evaluation of the instruction-steps function  $\chi$  using the small-steps semantics described before.  $\chi$  is part of the contract (for IBEX step\_ibex) and supplied by the user; to simplify our tool state  $\sigma_i^c$  is implicitly passed while the instruction to be executed is passed explicitly. A step can either fail or succeed, indicated by a Boolean flag, the criteria for failing the execution is governed by user-defined assumptions. For IBEX these prohibit illegal instructions, accesses of non-existent registers or unaligned memory accesses. In the following, we depict execution of an entire instruction in the contract with:

$$\sigma_i^c \xrightarrow{\mathcal{L}_i^c} \sigma_{i+1}^c$$
 (6)

Finally, we define the execution of programs in a contract. Contract  $[\![\cdot]\!]^c$  models the execution of program P starting in initial state  $\sigma_0^c$  and resulting in state  $\sigma_n^c$  while producing the accumulated observable side-channel information  $\mathcal{L}_{0,n}^c = \bigcup_{i=0}^{n-1} \mathcal{L}_i^c$ , i.e.,

$$[\![P]\!]^c \left(\sigma_0^c\right) = \left(\sigma_n^c, \mathcal{L}_{0,n}^c\right). \tag{7}$$

## 3.3 Software Security

In this section we link security of abstract gadgets to the execution in a contract or on hardware, *i.e.*, we define security w.r.t. the leakages specified in a contract or gate-level leakage of a processor.

Gadgets have as inputs and outputs either shares, random or public values, which are linked to the definition of Stateful t–(S)NI (Definition 3). However, when the implementation of a gadget is

executed within a contract or hardware then the gadget's inputs are located in the state  $\sigma$  with an implementation-specific placement, e.g., shares could be in registers or memory. We introduce policies  $\pi$  to translate between the structured in- and outputs of a gadget and the states in a contract, respectively hardware. Input policy  $\pi_{\text{in}}: (\overline{x}, r, p) \leftrightarrow \sigma_0$  constructs a state given values of variables for input shares, random and public variables but also the converse; extracting the values of gadget inputs given a state. In practice, such a policy is an annotation which defines where shares, random and public (initial) values are located w.r.t. locations of the state. Similar, output policy  $\pi_{\mathrm{out}}: (\overline{\pmb{y}}, \pmb{o}) \leftrightarrow \sigma_n$  maps between the values of public outputs and output shares of a gadget and state  $\sigma_n$  resulting from an execution. Since Stateful t–(S)NI is defined for random variables let  $\sigma$  denote the random variable for states. Using policies we can link Stateful t–(S)NI security of gadgets to the execution of their concrete implementation P within big-steps semantics [.] representing either the contract or hardware:

DEFINITION 4  $(t-(S)NI \text{ of } \llbracket P \rrbracket \text{ UNDER } \pi_{in}, \pi_{out})$ . An implementation P of gadget G  $(\overline{x}, r, p)$  is t-(S)NI secure w.r.t. semantic  $\llbracket \cdot \rrbracket$  and placement policies  $\pi_{in}, \pi_{out}$  if the gadget G'  $(\overline{x}, r, p) = (\overline{y}, o, \mathcal{L}_{0,n})$  is t-(S)NI according to Definition 3, where the inputs of the gadget correspond to the starting states  $\sigma_0 = \pi_{in}(\overline{x}, r, p)$  while leakages and gadget outputs correspond to the random variables  $\pi_{out}(\overline{y}, o) = \sigma_n$  resulting from execution  $\llbracket P \rrbracket (\sigma_0) = (\sigma_n, \mathcal{L}_{0,n})$ .

The actual verification of security for software implementations follows the same principles as outlined by Barthe  $et\ al.$  [9], which also describes representation of policies. However, the dependent type system of Genoa enables new approaches to verification of masked conversion functions and arithmetic masking in rings with prime moduli for security orders t>1. We leave the development of verification tools to dedicated future work.

# 3.4 Hardware Compliance With a Contract

We now turn towards the question of model completeness and define *compliance with a contract*, a formal property expressing that the results and leakages from execution on a CPU can be modeled by a contract according to Definition 2. This property is verified in Section 4 and ensures, as we prove in Section 3.5, that any implementation that is Stateful t-(S)NI secure in a contract mitigates any order-reducing leakage caused by the gate-level leakage of a processor.

A program P executed in initial hardware state  $\sigma_0^h$  leads to leakages  $\mathcal{L}_{0,m}^h$  and final state  $\sigma_m^h$  when executed on processor  $[\![\cdot]\!]^h$ :

$$[\![P]\!]^h \left(\sigma_0^h\right) = \left(\sigma_m^h, \mathcal{L}_{0,m}^h\right) \tag{8}$$

In contrast to contracts the execution proceeds in clock-cycles instead of instruction-steps, *i.e.*, one step in hardware corresponds to one clock cycle as defined in Section 2.1:

$$\sigma_i^h \xrightarrow{\mathcal{L}_j^h} \sigma_{i+1}^h. \tag{9}$$

Compliance expresses the property that all leakage and all outputs of hardware execution  $[\![\cdot]\!]^h$  can be modeled (according to Definition 2) from execution in a contract  $[\![\cdot]\!]^c$  as long as the starting states are similar, *i.e.*, execute the same program under equivalent inputs, depicted in Figure 1.

$$\begin{split} \llbracket \mathbf{P} \rrbracket^c \left( \sigma_0^c \right) : & \sigma_0^c \overset{\mathcal{L}_0^c}{\longrightarrow} \sigma_1^c \overset{\mathcal{L}_1^c}{\longrightarrow} \dots \overset{\mathcal{L}_{n-1}^c}{\longrightarrow} \sigma_n^c \\ & \Vert \mathcal{M} & \Vert \mathcal{N} \\ & \Vert \mathbf{P} \rrbracket^h \left( \sigma_0^h \right) : & \sigma_0^h \overset{\mathcal{L}_0^h}{\longrightarrow} \sigma_1^h \overset{\mathcal{L}_1^h}{\longrightarrow} \dots \overset{\mathcal{L}_{m-1}^h}{\longrightarrow} \sigma_m^h \end{split}$$

Figure 1: Compliance for a full program execution

In Definition 5 we introduce a Boolean relation between hardware state  $\sigma^h$  and contract state  $\sigma^c$  expressing that the values contained at a specific location  $v^h$  in the hardware can be modeled from a location  $v^c$  in the contract, e.g., register x1 models its counterpart in hardware. Which contract locations model some hardware location is defined in the simulation mapping  $\mathcal M$  provided by users alongside every contract and checked by our tool. The mapping specifies for all registers in the hardware (including finite state machines, decode stages, etc.) a location in the contract modeling the hardware location. To ease notation assume there are contract locations  $v_0^c$ ,  $v_1^c \in V^c$  which are constant zero, respectively one, and are later on used to express constraints on hardware execution.

Definition 5 (Similar states:  $\sigma^h \simeq_{\mathcal{M}} \sigma^c$ ). Two states  $\sigma^h$  and  $\sigma^c$ , with respective locations  $V^h$  and  $V^c$  are similar under simulation mapping  $\mathcal{M} \subseteq V^h \times V^c$ , written as  $\sigma^h \simeq_{\mathcal{M}} \sigma^c$ , if and only if

$$\bigwedge_{(v^h, v^c) \in \mathcal{M}} v^h(\sigma^h) = v^c(\sigma^c) \tag{10}$$

Simulation mapping  $\mathcal{M}$  is said to be complete if for all hardware locations  $V^h$  a mapping is defined.

We now give the definition of compliance, ensuring that semantic and leakage of execution of hardware is correctly modeled:

DEFINITION 6 (COMPLIANCE:  $[\![\cdot]\!]^h \vdash_{\mathcal{M}} [\![\cdot]\!]^c$ ). A hardware implementation is compliant with a contract under simulation mapping  $\mathcal{M}$  if for every program P and starting hardware and contract states  $\sigma_0^h$  and  $\sigma_0^c$ , the program executions

$$\llbracket \mathbf{P} \rrbracket^c \left( \sigma_0^c \right) = \left( \sigma_n^c, \mathcal{L}_{0,n}^c \right) \quad and \quad \llbracket \mathbf{P} \rrbracket^h \left( \sigma_0^h \right) = \left( \sigma_m^h, \mathcal{L}_{0,m}^h \right)$$

fulfill the following conditions:

(1) **States remain similar:** Whenever  $\sigma_0^h$  and  $\sigma_0^c$  are similar under  $\mathcal{M}$ , so are  $\sigma_m^h$  and  $\sigma_n^c$ :

$$\forall \sigma_0^h, \sigma_0^c : \sigma_0^h \simeq_{\mathcal{M}} \sigma_0^c \Rightarrow \sigma_m^h \simeq_{\mathcal{M}} \sigma_n^c. \tag{11}$$

(2) **Leaks are modeled:** For every leak  $\lambda_g(\sigma_{j-1}^h, \sigma_j^h) \in \mathcal{L}_{0,m}^h$  observable in hardware, there exists a leak  $\lambda(\sigma_i^c) \in \mathcal{L}_{0,n}^c$  in the contract and a function  $f_{\lambda} : Dom(\lambda) \to Dom(\lambda_g)$  that models  $\lambda_g$  from  $\lambda$  under relation  $\sigma_0^h \simeq_{\mathcal{M}} \sigma_0^c$  according to Definition 2:

$$\forall \sigma_0^h, \sigma_0^c : \sigma_0^h \simeq_{\mathcal{M}} \sigma_0^c \Rightarrow f_\lambda \circ \lambda \left(\sigma_i^c\right) = \lambda_g \left(\sigma_{j-1}^h, \sigma_j^h\right). \tag{12}$$

The notion of similar states allows to express a key ingredient for the relational definition of compliance: if execution in a contract and hardware start in a similar state, then execution must end in similar states such that the hardware execution's results can be modeled according to the simulation mapping (Clause 1 of Definition 6). Further, the second part of compliance expresses that every gatelevel leak observable during execution in hardware must be modeled by a single, fixed leak observable during execution in the contract (Clause 2 of Definition 6). Combined, this guarantees that software which is Stateful t–(S)NI secure when executed in the contract, is necessarily Stateful t–(S)NI when executed on compliant hardware.

## 3.5 End-to-end security

It remains to prove our E2E security claim: any implementation P of gadget G that is Stateful t–(S)NI w.r.t. the leakages of a contract must be Stateful t–(S)NI w.r.t. all gate-level leakage when executed on any compliant hardware and as such its security order cannot be decreased by leakage of the processor.

However, E2E security is claimed for the execution of the same gadget implementation in hardware and contract, i.e., both executions use the same structured inputs and outputs. Since the states in hardware and contract may have different structures we introduce a definition to ensure that the placement of inputs in hardware  $\pi_{\text{in}}^h$ ,  $\pi_{\text{out}}^h$  is similar to the ones  $\pi_{\text{in}}^c$ ,  $\pi_{\text{out}}^c$  for which t-(S)NI was shown in the contract. A hardware policy can be derived from a contract policy by substituting the locations which define where a value resides in the state according to the simulation mapping.

DEFINITION 7 (SIMILAR POLICY  $(\pi^h \triangleq_{\mathcal{M}} \pi^c)$ ). Let contract policy  $\pi^c: (d_1, \ldots, d_n) \leftrightarrow \sigma^c$  link sets of values  $d_1, \ldots, d_n$  to contract state  $\sigma^c$ . Hardware policy  $\pi^h: (d_1, \ldots, d_n) \leftrightarrow \sigma^h$  is similar to  $\pi^c$ , denoted  $\pi^h \triangleq_{\mathcal{M}} \pi^c$  if any pair of contract and hardware states constructed from the same sets of values are similar under mapping  $\mathcal{M}$ :

$$\forall \sigma^h = \pi^h \left( d_1, \dots, d_n \right), \sigma^c = \pi^c \left( d_1, \dots, d_n \right) : \sigma^h \simeq_{\mathcal{M}} \sigma^c. \quad (13)$$

Instead of proving the security reduction for t–(S)NI directly we prove a general *model reduction*: any observations made by an adversary interacting with hardware may be *modeled* with a contract the hardware complies with instead. We emphasize the difference: t–(S)NI requires the existence of a *simulation procedure* whereas compliance guarantees the existence of a (stronger) *modeling function* easing the subsequent security reduction.

Theorem 2 (Model Reduction). Let P be a program, and the gadgets  $G^c(\overline{x},r,p) = (\overline{y}^c,o^c,\mathcal{L}_{0,n}^c)$  and  $G^h(\overline{x},r,p) = (\overline{y}^h,o^h,\mathcal{L}_{0,m}^h)$  correspond to the program executions  $[\![P]\!]^c(\sigma_0^c) = (\sigma_n^c,\mathcal{L}_{0,n}^c)$ , respectively  $[\![P]\!]^h(\sigma_0^h) = (\sigma_m^h,\mathcal{L}_{0,m}^h)$ , under policies  $\pi_{in}^h$  and  $\pi_{out}^h$ , respectively  $\pi_{in}^c$  and  $\pi_{out}^c$ , with  $\sigma_0^c = \pi_{in}^c(\overline{x},r,p)$ ,  $\sigma_0^h = \pi_{in}^h(\overline{x},r,p)$ ,  $\sigma_n^c = \pi_{out}^c(\overline{y}^c,o^c)$ , and  $\sigma_m^h = \pi_{out}^h(\overline{y}^h,o^h)$ . Furthermore, let  $[\![\cdot]\!]^h \vdash_{\mathcal{M}}$   $[\![\cdot]\!]^c$ ,  $\pi_{in}^h \triangleq_{\mathcal{M}} \pi_{in}^c$  and  $\pi_{out}^h \triangleq_{\mathcal{M}} \pi_{out}^c$  under complete mapping  $\mathcal{M}$ . For every set of observations in hardware on  $\overline{y}^h$  or  $o^h$  there is an equally sized set of observations in the contract on  $\overline{y}^c$  or  $o^c$  which allows to model the observations under the identity function:

$$\forall \mathbf{e}_{\overline{\boldsymbol{y}}}^{h} \subseteq \overline{\boldsymbol{y}}^{h} \; \exists \; \mathbf{e}_{\overline{\boldsymbol{y}}}^{c} \subseteq \overline{\boldsymbol{y}}^{c} \; : \; \mathbf{e}_{\overline{\boldsymbol{y}}}^{h} = \mathbf{e}_{\overline{\boldsymbol{y}}}^{c}, \tag{14}$$

$$\forall \mathbf{e}_{o}^{h} \subseteq o^{h} \exists \mathbf{e}_{o}^{c} \subseteq o^{c} : \mathbf{e}_{o}^{h} = \mathbf{e}_{o}^{c}. \tag{15}$$

In addition, for every set of observations in hardware on  $\mathcal{L}_{0,m}^h$ , a modeling function  $T^{\mathcal{L}}$  and a (potentially smaller) set of observations in the contract on  $\mathcal{L}_{0,n}^c$  allow to model the observations in hardware:

$$\forall \mathbf{e}_{\mathcal{L}}^{h} \subseteq \mathcal{L}_{0,m}^{h} \, \exists \, \mathbf{e}_{\mathcal{L}}^{c} \subseteq \mathcal{L}_{0,n}^{c} : \, \left| \mathbf{e}_{\mathcal{L}}^{c} \right| \leq \left| \mathbf{e}_{\mathcal{L}}^{h} \right| \wedge \mathbf{e}_{\mathcal{L}}^{h} = T^{\mathcal{L}} \left( \mathbf{e}_{\mathcal{L}}^{c} \right). \tag{16}$$

PROOF. The gadgets  $G^c$  and  $G^h$  operate on equally distributed inputs and the policies for hardware are similar, thus for every initial state  $\sigma_0^h$  there must be a starting state  $\sigma_0^c$  similar under mapping  $\mathcal{M}$ , i.e.,  $\sigma_0^h \simeq_{\mathcal{M}} \sigma_0^c$ . Since hardware is compliant with the contract, the resulting states are similar as well, i.e.,  $\sigma_m^h \simeq_{\mathcal{M}} \sigma_n^c$  and since every observation in  $\mathbf{e}_0^h$ , respectively  $\mathbf{e}_{\overline{y}}^h$ , is an observation on the value of a location in  $\sigma_m^h$  it follows directly that there exists a single location in the contract  $\mathbf{e}_0^c$ , respectively  $\mathbf{e}_{\overline{y}}^h$ , according to the mapping  $\mathcal{M}$  which models the observation, fulfilling (14) and (15). From Lemma 1 and the second compliance clause (12) it follows that every observation  $\lambda_g(\sigma_{j-1}^h,\sigma_j^h)\in\mathbf{e}_{\mathcal{L}}^h$  can be modeled from some contract leak  $\lambda(\sigma_i^c)\in\mathcal{L}_{0,n}^c$  using  $f_\lambda$  as modeling function. Grouping the necessary  $\lambda(\sigma_i^c)$  as the set of random variables  $\mathbf{e}_{\mathcal{L}}^c$ , results in  $\left|\mathbf{e}_{\mathcal{L}}^c\right|\leq\left|\mathbf{e}_{\mathcal{L}}^h\right|$ , and defining  $T^{\mathcal{L}}$  as the set of respective  $f_\lambda$  implies (16), completing the proof.

From Theorem 3, we derive simulatability of mixed observations in Corollary 3. Furthermore, the reduction from Stateful t–(S)NI in hardware to Stateful t–(S)NI in contract stated in Corollary 4 is a direct consequence of Theorem 3 and Corollary 3.

COROLLARY 3 (MIXED OBSERVATIONS). Let the setting be as in Theorem 2. Every set of mixed observations on leakage and shared outputs  $\mathbf{e}^h_{\mathcal{L},\overline{y}} \subseteq \mathcal{L}^h \cup \overline{y}^h$ , can be modeled from some an equally sized set  $\mathbf{e}^c_{\mathcal{L},\overline{y}} \subseteq \mathcal{L}^c \cup \overline{y}^c$  by some modeling function  $T^{\mathcal{L},\overline{y}}$ .

COROLLARY 4 (END-TO-END SECURITY). Let the setting be as in Theorem 2. If gadget  $G^c$  is t-(S)NI then gadget  $G^h$  is also t-(S)NI since there exist simulators  $T^{\mathcal{L},\overline{\mathcal{Y}}}\circ S$  and F which simulate the outputs of  $G^h$  according to Definition 3.

This proof is valid for higher-order masking, *i.e.*,  $t \ge 1$ , as *each* of the t hardware observations in  $\mathbf{e}^h$  can be simulated from *one* observation in  $\mathbf{e}^c$  in the contract. The presented model reduction can be of help in proving the preservation of other security notions like PINI [12] or Threshold Implementations [41].

#### 4 VERIFYING HARDWARE COMPLIANCE

Whereas Section 3 introduces contracts and what it means for hardware to be compliant, this section presents a method to actually check hardware compliance for a given processor. The method is broken down into verification steps. Each step checks if the processor satisfies some part of Definition 6. First, we check whether similar hardware and contract states stay similar after executing an instruction according to Clause 1. Then, we check that each hardware leak can be modeled from a single leak emitted in the contract, according to Clause 2.

#### 4.1 Verification Concept

In this section, we first suggest that it is possible to prove a processor compliant without looking at full program executions. We argue that looking at all possible single instruction executions is sufficient to form an inductive argument of compliance. Next, we give an overview of the individual verification steps needed to verify that a processor is compliant with a given contract. Finally, we present a method for indirectly proving the existence of modeling functions.



Figure 2: Compliance for single instruction execution

This method is the backbone of the verification procedure and relies on encoding constraints into SMT formulas and checking their satisfiability with an SMT solver.

Single instructions. Checking compliance for all programs and pairs of processors and contracts using SMT solvers is computationally intractable. Instead we prove compliance inductively by showing that Definition 6 holds for all possible executions of a single instruction. Consequently, we require compliant processors to fulfill the outlined properties at the start and end of each instruction, as shown in Figure 2. Starting with similar states  $\sigma_j^h$  and  $\sigma_i^c$ , the hardware executes k clock cycles and the contract executes one instruction step. The executions produce leaks  $\mathcal{L}_{j,j+k}^h$ , respectively  $\mathcal{L}_i^c$ , and state  $\sigma_{j+k}^h$ , respectively  $\sigma_{i+1}^c$ , for which we need to show:

- (a) States remain similar: The states  $\sigma_{j+k}^h$  and  $\sigma_{i+1}^c$  are similar under  $\mathcal{M}$  (marked red), i.e., every location in  $\sigma_{j+k}^h$  is equal to the corresponding location in  $\sigma_{i+1}^c$ .
- (b) Leaks are modeled: Every leak  $\lambda_g(\sigma_{j+l-1}^h, \sigma_{j+l}^h) \in \mathcal{L}_{j,j+k}^h$  produced by the processor (marked red) must be modeled by a single leak  $\lambda(\sigma_i^c) \in \mathcal{L}_i^c$  emitted in the contract execution.

These conditions are inductive and much stricter than the corresponding clauses in Definition 6, *i.e.*, if the execution of a single instruction in an arbitrary valid starting state maintains the compliance properties, the processor complies with the contract for all possible program executions.

Unfortunately, as seen in Figure 2, the hardware might require multiple clock cycles to execute an instruction, and we do not have a lock-step execution with the contract. For the purposes of this paper, we define the starting point of an instruction as the moment it becomes in-flight, *i.e.*, it reaches the decode stage, and its end point when it retires, *i.e.*, the writeback completes. Therefore, we look at every possible instruction duration k on that particular processor. Concurrent execution of instructions in the pipeline complicates this approach. For simple pipelines, contracts can easily model the produced leakage because the fetch stage does not operate with security-critical data, and the writeback stage can be made the synchronisation point for the induction, instead of its full retirement. In more complex pipelines, the methods described in this paper require checking leakage produced by hardware components directly influenced by the instruction bits.

Verifying that states remain similar. As the very first step in the verification procedure, we show that the hardware and contract states are similar throughout the whole execution. That is, we show that if the relation  $\sigma_j^h \simeq_{\mathcal{M}} \sigma_i^c$  holds, the relation  $\sigma_{j+k}^h \simeq_{\mathcal{M}} \sigma_{i+1}^c$  must hold after the execution of a k-cycle instruction i.e.,  $\sigma_{j+k}^h = \chi^k(\sigma_j^h)$  and  $\sigma_{i+i}^c = \chi(\sigma_i^c)$ , no matter what the starting states were. This is essentially a full-fledged functional equivalence proof between the hardware and the contract. If this check succeeds, we have

shown that the processor satisfies Clause 1 of Definition 6 because  $\simeq_{\mathcal{M}}$  is conserved over the execution of an instruction. Section 4.3 formalizes the verification step and gives a verification method.

Finding modeling functions for gates. Before verifying that leaks are modeled, we require an intermediate verification step that provides information about the old values of gates. This constrains the old values of each gate g, therefore implicitly constraining the possible values of the corresponding leak  $\lambda_g$ . Otherwise, the old value could directly leak secrets, trivially breaking leakage modeling. For every gate  $g \in G$  in the hardware, we show that g can be modeled by some function  $f_g: \mathbb{B}^n \to \mathbb{B}$  that only uses a (small) subset of contract state bits  $\theta_g: \mathbb{B}^{|V^c|} \to \mathbb{B}^n$ , i.e.,

$$\exists f_g: \forall \sigma_i^h, \sigma_i^c: \sigma_i^h \simeq_{\mathcal{M}} \sigma_i^c \Rightarrow f_g \circ \theta_g \circ \chi\left(\sigma_i^c\right) = g \circ \chi^{k-1}\left(\sigma_i^h\right). \tag{17}$$

Ideally, we want to prove the existence of a modeling function that uses as little contract state information  $\theta_g$  as possible. Section 4.4 gives exact definitions of the verification checks and the greedy minimization procedure for  $\theta_g$ .

Verifying that leaks are modeled. In this verification step, we check whether the hardware leakage is properly modeled from contract leakage for any possible instruction execution, starting in any pair of similar states  $\sigma_j^h \simeq_{\mathcal{M}} \sigma_i^c$ . If the check succeeds, the proper modeling throughout any program execution is implied by composition of single instructions. Because we consider transition leakage, we constrain the possible values of gates at the end of the previous instruction. As mentioned before, we use the existence of a modeling function  $f_g$  according to (17) from the previous step.

The hardware leak  $\lambda_g(\sigma_{j+l-1}^h,\sigma_{j+l}^h)=g(\sigma_{j+l-1}^h)||g(\sigma_{j+l}^h)$  contains information about both the old, and the new values of gate g for any clock cycle l of the executed instruction. We analyze each hardware leak function  $\lambda_g$  separately by going through all leakage functions  $\lambda:\mathbb{B}^{|V^c|}\to\mathbb{B}^m$  and checking if there is a function  $f_\lambda:\mathbb{B}^m\to\mathbb{B}^2$  that models  $\lambda_g$  from  $\lambda$ , whenever states  $\sigma_j^h$  and  $\sigma_i^c$  are similar, the contract leak is emmitted, i.e.,  $\lambda(\sigma_i^c)\in\mathcal{L}_i^c$ , and  $f_g$  models the previous value of the gate g from  $\theta_g$ . Written formally:

$$\forall \sigma_{j}^{h}, \sigma_{i}^{c} : \sigma_{j}^{h} \simeq_{\mathcal{M}} \sigma_{i}^{c} \wedge f_{g} \circ \theta_{g} \circ \chi \left(\sigma_{i}^{c}\right) = g \circ \chi^{k-1} \left(\sigma_{j}^{h}\right) \wedge \lambda \left(\sigma_{i}^{c}\right) \in \mathcal{L}_{i}^{c} \Rightarrow f_{\lambda} \circ \lambda \left(\sigma_{i}^{c}\right) = \lambda_{g} \left(\sigma_{j+l-1}^{h}, \sigma_{j+l}^{h}\right).$$

$$(18)$$

Additionally, we require that for any possible state  $\sigma_i^c$  at least one leak  $\lambda$  fulfills (18), guaranteeing that Caluse 2 of the compliance definition is fulfilled. Section 4.5 gives a more detailed description.

Existence of modeling functions. Within the last two verification steps, we check that functions over the hardware state  $\sigma^h$  can be modeled from functions over the contract state  $\sigma^c$  whenever  $\sigma^h \simeq_{\mathcal{M}} \sigma^c$ . This involves proving the existence of modeling functions from Definition 2. However, automatically finding modeling functions is intractable in general [21]. We circumvent this issue by proving the existence of modeling functions without finding their definitions. Theorem 5 presents the condition we need to check.

THEOREM 5 (EXISTENCE OF MODELING FUNCTION). There exists a modeling function  $f: U \rightarrow V$  according to Def. 2 if and only if

$$\forall h, h' \in H, c, c' \in C:$$

$$\Psi(h, c) \land \Psi(h', c') \land f_{C}(c) = f_{C}(c') \Rightarrow f_{H}(h) = f_{H}(h').$$
(19)

PROOF. We prove the equality of the two statements by showing an implication in both directions. First, we prove that (19) follows from (1). From the functional congruence of f, we have:

$$\forall c, c' \in C : (f_C(c) = f_C(c')) \Rightarrow (f \circ f_C(c) = f \circ f_C(c')).$$

After instantiating the statement (1) separately for the primed and non-primed versions of  $h \in H$  and  $c \in C$ , we get:

$$\forall h \in H, c \in C : \Psi (h, c) \Rightarrow f \circ f_C (c) = f_H (h),$$
  
$$\forall h' \in H, c' \in C : \Psi (h', c') \Rightarrow f \circ f_C (c') = f_H (h').$$

We see that if all three premises are fulfilled simultaneously, then also all consequences of the implication must be fulfilled simultaneously. Therefore, we consolidate the left- and right-hand sides. Afterwards, we simplify the right-hand side by substituting  $f \circ f_C(c)$  with  $f_H(h)$ , and respectively  $f \circ f_C(c')$  with  $f_H(h')$ , to get (19).

For the second direction of the proof, we assume (19) and construct f so that it fulfills (1) and is well defined for all  $u \in U$ . First, we define the subset  $\widehat{U} \subseteq U$  of function inputs as

$$\widehat{U} := \{ u \mid \exists h \in H, c \in C : u = f_C(c) \land \Psi(h, c) \}. \tag{20}$$

For inputs  $u \in U \setminus \widehat{U}$ , we define f(u) as an arbitrary result  $v \in V$ . This partial definition trivially fulfills (1). For all other  $u \in \widehat{U}$ , we define  $f(u) := f_H(h)$ , for an arbitrary qualified h and c as in (20). We now argue that this portion of f is well defined, because  $f_H(h)$  is fixed for u. Consider the case where we can pick two such pairs:

$$\exists h, h' \in H, c, c' \in C : u = f_C(c) \land \Psi(h, c) \land$$
$$u = f_C(c') \land \Psi(h', c').$$

Because  $f_C(c) = f_C(c') = u$ , the assumption (19) implies that  $f_H(h)$  is unique since we always get  $f_H(h') = f_H(h)$ .

The underlying principle behind Theorem 5 can be thought of as partial functional congruence. Plainly speaking, if equal *inputs*  $f_C(c)$  and  $f_C(c')$  always result in equal *outputs*  $f_H(h)$  and  $f_H(h')$ , then there must also be a function mapping between them. Moreover, Theorem 5 can be translated into the quantifier-free SMT fragment and efficiently checked for satisfiability with modern SMT solvers.

#### 4.2 Verification Prerequisites

Real program execution within a processor is subject to many internal assumptions and restrictions that need to be considered when checking the compliance properties. In particular, we define *normal operating conditions* for the execution of an instruction, as well as constraints related to the mapping  $\mathcal M$  from Section 3.4.

Normal operating conditions. The hardware of a processor has many input ports and internal registers that are invisible to a software developer and are subject to hidden assumptions under normal operating conditions. In this section, we introduce predicates  $\phi_-$  to explicitly represent these assumptions. We use the predicate  $\phi_{\rm dev}(\sigma^h)$  to represent the usual assumptions a software developer might have, such as the processor not getting reset, triggering an interrupt, going into debug mode, or getting memory access errors. Similarly, there are several internal conditions for the processor to fetch, start the execution of, and retire an instruction. We formalize these conditions as  $\phi^l_{\rm instr}(\sigma^h)$ ,  $0 \le l < k$  for the l-th cycle in k-cycle instructions and apply them for the intermediate states

 $\sigma_{j+l}^h = \chi^l(\sigma_j^h)$ . Sometimes, the contract is not able to execute an instruction because it violates some sanity conditions such as the instruction not being implemented or triggering a fault. We formalize the condition of the contract successfully retiring an instruction as  $\phi_{\rm ret}(\sigma^c)$ . We aggregate these conditions into  $\phi_{\rm noc}$  as

$$\phi_{\mathrm{noc}}\left(\sigma_{j}^{h},\sigma_{i}^{c}\right)\coloneqq\phi_{\mathrm{ret}}\left(\sigma_{i}^{c}\right)\wedge\bigwedge_{l=0}^{k-1}\phi_{\mathrm{dev}}\left(\sigma_{j+l}^{h}\right)\wedge\phi_{\mathrm{instr}}^{l}\left(\sigma_{j+l}^{h}\right).$$

There are also some constraints that concern multiple executions of the hardware and contract. For such predicates we write  $\phi^*_-$  instead. We define  $\phi^*_{\rm ports}(\sigma^h,\sigma^{h'})$  as the constraint that certain processor input ports only contain public values. More concretely, for two executions of the hardware, these input ports are required to produce identical values. There are also similar execution-spanning conditions for the contract. For instance, the contract should forbid the program counter from becoming secret dependent. The predicate  $\phi^*_{\rm ret}(\sigma^c,\sigma^{c'})$  expresses these constraints, and is stricter than both  $\phi_{\rm ret}(\sigma^c)$  and  $\phi_{\rm ret}(\sigma^{c'})$  separately. Finally, we extend  $\phi_{\rm noc}$  to  $\phi^*_{\rm noc}$  over several executions as

$$\begin{split} \phi_{\text{noc}}^* \left( \sigma_j^h, \sigma_j^{h'}, \sigma_i^c, \sigma_i^{c'} \right) &:= \phi_{\text{ret}}^* \left( \sigma_i^c, \sigma_i^{c'} \right) \wedge \bigwedge_{l=0}^{k-1} \phi_{\text{ports}}^* \left( \sigma_{j+l}^h, \sigma_{j+l}^{h'} \right) \\ \bigwedge_{l=0}^{k-1} \phi_{\text{dev}} \left( \sigma_{j+l}^h \right) \wedge \phi_{\text{dev}} \left( \sigma_{j+l}^{h'} \right) \wedge \phi_{\text{instr}}^l \left( \sigma_{j+l}^h \right) \wedge \phi_{\text{instr}}^l \left( \sigma_{j+l}^{h'} \right). \end{split}$$

Breaking any of the conditions from  $\phi_{\rm noc}^*$  breaks the guarantees provided in this work. Because these assumptions are instrumental for correct execution, we make sure that the restrictions imposed on the hardware still permit the execution of all instructions defined in the contract. This sanity check confirms that software can still execute within both the hardware and the contract, allowing the implementation of a sensible software verifier.

Applying mappings. As introduced in Section 3.4, hardware and contract states can be similar under a mapping. For expressing that two states  $\sigma^h$  and  $\sigma^c$  are similar under mapping  $\mathcal{M}$ , i.e.,  $\sigma^h \simeq_{\mathcal{M}} \sigma^c$ , we use the predicate  $\phi^{\mathcal{M}}_{\mathrm{rel}}(\sigma^h, \sigma^c)$  as defined in (10). Conversely, we also require a predicate expressing that all registers, which are not in the mapping  $\mathcal{M}$ , are equivalent across hardware executions of the same program. We specify this property of two hardware states  $\sigma^h$  and  $\sigma^{h'}$  for the mapping  $\mathcal{M}$  and hardware locations  $V^h$  as

$$\phi_{\mathrm{pub}}^{\mathcal{M}*}\left(\sigma^{h},\sigma^{h'}\right):=\bigwedge_{v^{h}\in V^{h},\nexists\left(v^{h},v^{c}\right)\in\mathcal{M}}v^{h}\left(\sigma^{h}\right)=v^{h}\left(\sigma^{h'}\right).$$

#### 4.3 Verifying that States Remain Similar

As introduced in Section 4.1, we verify that the hardware and contract states resulting from the execution of a program are similar by showing similarity after every instruction. Our inductive argument assumes that the states  $\sigma_j^h$  and  $\sigma_i^c$  are similar at the start of an instruction, and proves that the states  $\sigma_{j+k}^h$  and  $\sigma_{i+1}^h$  are also similar after the k-cycle instruction terminates. This is a straightforward functional equivalence check under the assumption that  $\phi_{\rm noc}$  holds.

Proposition 1. Let  $\sigma_j^h$  be a hardware state and  $\sigma_i^c$  the corresponding contract state under mapping  $\mathcal{M}$ . Furthermore, let  $\sigma_{i+k}^h$ 

 $\chi^k(\sigma_j^h)$  and  $\sigma_{i+1}^c = \chi(\sigma_i^c)$  be the hardware and contract state after the execution of an instruction. Inductively,

$$\nexists \ \sigma_{j}^{h}, \sigma_{i}^{c}: \phi_{noc}\left(\sigma_{j}^{h}, \sigma_{i}^{c}\right) \wedge \phi_{rel}^{\mathcal{M}}\left(\sigma_{j}^{h}, \sigma_{i}^{c}\right) \wedge \neg \phi_{rel}^{\mathcal{M}}\left(\sigma_{j+k}^{h}, \sigma_{i+1}^{c}\right) \ \ (21)$$

implies the first hardware compliance condition (11) from Definition 6 under normal operating conditions.

Proposition 1 specifies how exactly this check is performed. We use an SMT solver to check for states that satisfy both  $\phi_{\rm noc}$  and  $\phi_{\rm rel}^{\mathcal{M}}$ , but their successors break  $\phi_{\rm rel}^{\mathcal{M}}$ . Any such case is a counterexample to the state similarity property of Definition 6. Otherwise the property is inductive, and we can use it as an assumption in all further verification checks.

We also check that  $\phi_{\text{pub}}^{\mathcal{M}*}(\cdot)$  is inductive because all of the further verification targets require this as an assumption. We check the inductiveness by asking an SMT solver

$$\exists \sigma_{j}^{h}, \sigma_{j}^{h'}, \sigma_{i}^{c}, \sigma_{i}^{c'} : \phi_{\text{noc}}^{*}\left(\sigma_{j}^{h}, \sigma_{j}^{h'}, \sigma_{i}^{c}, \sigma_{i}^{c'}\right) \wedge \phi_{\text{rel}}^{\mathcal{M}}\left(\sigma_{j}^{h}, \sigma_{i}^{c}\right) \wedge \phi_{\text{pub}}^{\mathcal{M}}\left(\sigma_{j}^{h}, \sigma_{i}^{c'}\right) \wedge \phi_{\text{pub}}^{\mathcal{M}*}\left(\sigma_{j}^{h}, \sigma_{j}^{h'}\right) \wedge \neg \phi_{\text{pub}}^{\mathcal{M}*}\left(\sigma_{j+k}^{h}, \sigma_{j+k}^{h'}\right).$$
(22)

If the solver is not able to find a solution,  $\phi_{\mathrm{pub}}^{\mathcal{M}*}$  is inductive and we assume  $\phi_{\mathrm{pub}}^{\mathcal{M}*}$  in addition to  $\phi_{\mathrm{rel}}^{\mathcal{M}}$  whenever we check properties under normal operating conditions over multiple executions.

## 4.4 Finding Modeling Functions for Gates

In this section, we introduce a method that finds a small number of contract registers from which the value of a hardware gate is modeled. We require this as an intermediate step whose aim it is to restrict the values a gate can have at the end of the previous instruction. Corollary 6 instantiates the general statements from Theorem 5 under normal operating conditions and presents a method for checking whether the value of a hardware g can be modeled by contract state bits  $\theta_g$ .

COROLLARY 6. Let  $\sigma_j^h$  be a hardware state and  $\sigma_i^c$  the corresponding contract state under mapping  $\mathcal M$  that fulfill both (21) and (22). Furthermore, let  $\sigma_{j+k-1}^h = \chi^{k-1}(\sigma_j^h)$  be the last hardware state before the instruction terminates, and  $\sigma_{i+1}^c = \chi(\sigma_i^c)$  be the contract state after the instruction terminates. Under normal operating conditions, the value of gate g in cycle k-1 can be modeled from contract function  $\theta_q$  if and only if

$$\exists \sigma_{j}^{h}, \sigma_{j}^{h'}, \sigma_{i}^{c}, \sigma_{i}^{c'} : \phi_{noc}^{*}\left(\sigma_{j}^{h}, \sigma_{j}^{h'}, \sigma_{i}^{c}, \sigma_{i}^{c'}\right) \land 
\phi_{pub}^{\mathcal{M}*}\left(\sigma_{j}^{h}, \sigma_{j}^{h'}\right) \land \phi_{rel}^{\mathcal{M}}\left(\sigma_{j}^{h}, \sigma_{i}^{c}\right) \land \phi_{rel}^{\mathcal{M}}\left(\sigma_{j}^{h'}, \sigma_{i}^{c'}\right) \land 
\theta_{g}\left(\sigma_{i+1}^{c}\right) = \theta_{g}\left(\sigma_{i+1}^{c'}\right) \land g\left(\sigma_{j+k-1}^{h}\right) \neq g\left(\sigma_{j+k-1}^{h'}\right).$$
(23)

Corollary 6 instantiates Theorem 5 under assumption of  $\phi_{\mathrm{noc}}$  and  $\phi_{\mathrm{pub}}^{\mathcal{M}*}$ . Here, g is the function  $f_H$  to be modeled,  $\theta_g$  is the function  $f_C$  whose results are used as inputs for the modeling function, and  $\phi_{\mathrm{rel}}^{\mathcal{M}}$  is the relation  $\Psi$  between the hardware and contract states.

However, not all functions  $\theta_g$  are useful, so a function like  $\theta_g(\sigma^c) = \sigma^c$  would not really restrict the initial values of g. Instead, we propose the greedy minimization procedure shown in Algorithm 1. Here, we first check whether the hardware gate g

## Algorithm 1 Greedy minimization of required state bits.

```
1: procedure FIND_THETA(gate g)
          \Theta \leftarrow V^c; \theta_q \leftarrow \text{concat}(\Theta);
3:
          if formula (23) is SAT then
4:
               error("gate g cannot be modeled");
          for v^c \in V^c do
5:
               \theta_q \leftarrow \operatorname{concat}(\Theta \setminus \{v^c\});
6:
               if formula (23) is UNSAT then
7:
                     \Theta \leftarrow \Theta \setminus \{v^c\};
8:
9:
          return \theta_q;
```

can be modeled from the complete contract state. If this fails the contract does not model the hardware properly and the verification fails because there is no way of telling the value of g when starting the execution of an instruction. Algorithm 1 iterates over all locations  $v^c$  in the contract state and checks whether they are needed for modeling g. In case they are not, *i.e.*, formula (23) is unsatisfirable, they are removed from  $\theta_g$ . At the end, we have a (locally) minimal  $\theta_g$ , where removing even one of its component locations would not allow to model gate g.

# 4.5 Verifying that Leaks are Modeled

Lastly, we verify that the hardware leakage produced during the execution of an instruction can be modeled by the contract leakage emitted during the execution of the same instruction. The set of transition leaks produced in the hardware, starting in state  $\sigma_j^h$  and executing a k-cycle instruction is given by

$$\mathcal{L}_{i,j+k}^{h} = \left\{ \lambda_g \left( \sigma_{i+l-1}^{h}, \sigma_{i+l}^{h} \right) \mid g \in G, 0 \le l < k \right\}.$$

As established in Section 4.1, we analyze every hardware leak  $\lambda_g(\sigma_{j+q-1}^h,\sigma_{j+q}^h)$  separately and show that there is a set of leak statements  $\mathcal{L}^g\subseteq\mathcal{L}_i^c$  such that every  $\lambda_g$  can be modeled by  $\lambda(\sigma_i^c)\in\mathcal{L}^g$  whenever the corresponding leak statement is reached in the contract, written as  $\phi_{\mathrm{emit}}(\sigma_i^c,\lambda)$ . Here, we use the intermediate proof of  $g(\sigma_{j-1}^h)$  being modeled by  $\theta_g(\sigma_i^c)$ , which we have shown through Corollary 6.

PROPOSITION 2. Let  $\sigma_{j-1}^h$  be the predecessor of hardware state  $\sigma_j^h = \chi(\sigma_{j-1}^h)$ , and  $\sigma_j^h$  be similar to contract state  $\sigma_i^c$  under mapping  $\mathcal{M}$ , fulfilling both (21) and (22). Furthermore, let  $\sigma_{j+1}^h = \chi^l(\sigma_j^h)$  with  $0 \le l < k$  be the hardware states reached throughout the execution of a k-cycle instruction. Let  $\lambda_g$  be the leakage function of a hardware gate g, and  $\theta_g$  be a contract function such that (23) holds. Crutially, let  $\mathcal{L}^g \subseteq \mathcal{L}_j^c$  be a set of contract leaks, such that for every  $\lambda(\sigma_i^c) \in \mathcal{L}^g$ :

$$\begin{split} \nexists \sigma_{j-}^{h}, \sigma_{j-1}^{h'}, \sigma_{i}^{c}, \sigma_{i}^{c'} &: \phi_{noc}^{*}\left(\sigma_{j}^{h}, \sigma_{j}^{h'}, \sigma_{i}^{c}, \sigma_{i}^{c'}\right) \wedge \phi_{emit}\left(\sigma_{i}^{c}, \lambda\right) \wedge \\ \phi_{pub}^{\mathcal{M}*}\left(\sigma_{j}^{h}, \sigma_{j}^{h'}\right) \wedge \phi_{rel}^{\mathcal{M}}\left(\sigma_{j}^{h}, \sigma_{i}^{c}\right) \wedge \phi_{rel}^{\mathcal{M}}\left(\sigma_{j}^{h'}, \sigma_{i}^{c'}\right) \wedge \\ \left(\theta_{g}\left(\sigma_{i}^{c}\right) = \theta_{g}\left(\sigma_{i}^{c'}\right) \Rightarrow g\left(\sigma_{j-1}^{h}\right) = g\left(\sigma_{j-1}^{h'}\right)\right) \wedge \\ \lambda(\sigma_{i}^{c}) = \lambda(\sigma_{i}^{c'}) \wedge \lambda_{g}\left(\sigma_{j+l-1}^{h}, \sigma_{j+l}^{h}\right) \neq \lambda_{g}\left(\sigma_{j+l-1}^{h'}, \sigma_{j+l}^{h'}\right). \end{split}$$

The leak function  $\lambda_g$  in cycle l of a k-cycle instruction is modeled by a single contract leak function  $\lambda$  under relation  $\phi_{rel}^{\mathcal{M}}$  and normal

operating conditions  $\phi_{noc}$ , according Definition 6 if

$$\forall \sigma_{j}^{h}, \sigma_{i}^{c}: \phi_{noc}\left(\sigma_{j}^{h}, \sigma_{i}^{c}\right) \wedge \phi_{rel}^{\mathcal{M}}\left(\sigma_{j}^{h}, \sigma_{i}^{c}\right) \Rightarrow \bigvee_{\lambda\left(\sigma_{i}^{c}\right) \in \mathcal{L}^{g}} \phi_{emit}\left(\sigma_{i}^{c}, \lambda\right).$$

Again, the method outlined in Proposition 2 uses an SMT solver to show that the hardware cannot leak more information than the contract. If the solver is able to find a pair of states  $\sigma_j^h$ ,  $\sigma_i^c$  for which the check fails, it has found a counterexample and the hardware does not comply with the leakage specified in the contract.

# 4.6 Modeling and Implementation

In this section, we briefly discuss the implementation and modeling details enabling our verification method. In particular, we discuss how all the formulas given to the SMT solver are constructed.

Unfolding circuits into SMT. Our verification method works with the processor netlist, and uses it to build the SMT formulas previously shown in Section 4. For the most part, this is standard procedure and has been elaborated in the model checking community. In short, the hardware state  $\sigma_j^h$  is represented symbolically using propositional variables. Each gate g in the processor is a symbolic expression of the variables representing hardware locations  $V^h$ . The expressions are generated by topologically iterating through the circuit and building the representation of each gate g from its inputs and gate type. With regard to clock cycles, the registers of the very first state  $\sigma_j^h$ , repsectively  $\sigma_{j-1}^h$ , are variables. In successor states  $\sigma_{j+l}^h$ , the registers are determined by their writebacks from the previous cycle. In a sense, we unfold the processor circuit symbolically k times for our verification.

Genoa to SMT translation. The translation of a contract to a SMT formula is based on an existing SAIL back-end which allows to generate SMT formulas for custom predicates. However, the back-end cannot handle leak statements. We perform two coderewriting passes from Genoa to Genoa. The first adds global state for each value in a leak statement and replaces the leak by an assignment to the respective global state. This reduces the Genoa DSL to the Sail subset supported by the SMT back-end. The second pass duplicates the variables representing contract state  $\sigma^c$  and leakages into prime and non-primed variants and duplicates the instruction-step function  $\chi$  by rewriting it to operate on either  $\sigma^c_i$  or  $\sigma^{c'}_i$  and resulting in  $\sigma^c_{i+1}$ , respectively  $\sigma^{c'}_{i+1}$ . Finally, a predicate is defined to ensure the initial and final states, including global leakages are preserved by the SMT back-end and that the predicates  $\phi_{\rm ret}$ ,  $\phi^*_{\rm ret}$  and  $\phi_{\rm emit}$  hold. Our tool receives the SMT as input.

Gluing it all together. Configuration files play a central role in the generation of formulas. In particular, our verification procedure expects an input where all of the hardware locations are declared, and either mapped onto contract registers with  $\phi_{\rm rel}^{\mathcal{M}}$ , subjected to developer assumptions  $\phi_{\rm dev}$ , port restrictions  $\phi_{\rm ports}^*$ , or instruction execution constraints  $\phi_{\rm instr}^l$ . As previously mentioned, everything specified in the configuration is heavily sanity-checked, making sure that execution still works properly, public signals  $\phi_{\rm pub}^{\mathcal{M}*}$  remain public, and every hardware location is declared. Similarly, intermediate results such as  $\theta_g$  are cached in configuration files and checked upon loading a configuration.

#### 5 VERIFICATION PROCESS

We apply the verification method presented to the IBEX processor and detail the process and results. IBEX is an open source RISC-V processor that supports the Integer, Embedded, Multiplication, Compressed and Bit manipulation ISA extensions [32]. For the purpose of our paper, we mainly target the E extension, although adding support for the others is possible. The IBEX pipeline consists of two stages, Instruction Fetch (IF) and Instruction Decode/Execute (ID/EX). Computations take place in the ID/EX stage, which consists of a decoder, a controller, and the register file, which forward the data into the arithmetic-logic unit (ALU), and the load-store unit (LSU). In the same pipeline stage, and hence in the same clock cycle, the result is written back into the register file.

The verification requires two manual and four automated steps:

- (1) Configuration of the processor by defining constraints
- (2) Definition of a mapping between hardware and contract
- (3) Automated sanity-check to ensure instructions defined in the contract can still execute in the processor under constraints
- (4) Automated check of similarity for resulting states (Section 4.3)
- (5) Automated check for gate modeling functions (Section 4.4)
- (6) Automated check for leakage modeling functions (Section 4.5)

In case any of the steps fail, the verification framework produces a detailed counterexample explaining the verification failure. The developer must then adjust the configuration, the annotation, the contract, or even the processor in order to fix the problem and restart verification. Therefore, development and verification form a refinement loop producing improved contracts.

## 5.1 IBEX Configuration

We align the contract and the hardware by restricting the state of the processor throughout the execution of an instruction. In the configuration files, provided in Listing 7, we precisely constrain the values of all registers with regard to the current instruction length and analyzed cycle. For the verification, we look at instructions when they reach the ID stage. At this point, signal instr\_rdata\_id carries the instruction bits and must be set equivalent to the argument of step\_ibex in the contract.

Additionally, we need to make sure that instructions are only retired in the last cycle k-1 of a k-cycle instruction by constraining instr\_id\_done to be  $\top$  in the last cycle and  $\bot$  otherwise. Similarly, we enforce that the next instruction is fetched exactly in cycle k-1 by constraining fetch\_valid and id\_in\_ready. We assert that there are no outstanding errors caused by the previous instruction by constraining registers lsu\_err\_q, pmp\_err\_q, branch\_set\_raw, and data\_err\_i to be  $\bot$ . To make sure that the state machines in the LSU and control unit start off in a valid state when the instruction starts executing, we add several further constraints. Finally, we also assert that there is no reset through rst\_ni and no interrupt signals irq\_\*, debug\_req\_i are triggered to match the developers expected behavior.

One of the main challenges in modeling the processor environment is the memory interface. Whenever the processor requests data by setting data\_req\_o to  $\top$ , the next cycle provides a grant with data\_rvalid\_i set to  $\top$  and the corresponding read data being available at data\_rdata\_i. Here, we additionally require memory to only provide acknowledgement through data\_rvalid\_i

#### Listing 4: Common leakage occurring in every instruction.

```
function common_leakage(rs1_val, rs2_val) = {
    leak(rs1_val, rs2_val, rf_pA, rf_pB,
        mem_last_addr, mem_last_read);
    rf_pA = rs1_val; rf_pB = rs2_val; /* read port */}
```

#### Listing 5: Specialized leakage occurring during loads.

if there was a request, and not provide any data on the input data\_rdata\_i otherwise. This is due to an oversight in IBEX, which causes the data\_rvalid\_i signal to overrule all other signals in the processor and ultimately issue an erroneous write-back.

# 5.2 Complete Power Contract for IBEX

We have proven that IBEX is compliant with the contract shown in Listings 1 to 6. In this section, we discuss the observed behavior and compare the findings to existing models for other architectures.

Most instructions have a common leakage pattern modeled in common\_leakage in Listing 4. The IBEX processor combines the previous outputs of the register file (modeled in leakage states rf\_pA, rf\_pB) with the current outputs rs1\_val and rs2\_val, as well as the address and value of the last memory access mem\_last\_addr and mem\_last\_read. This leak statement models all transition leakage and value leakage produced in the ALU and the writeback logic. None of the operands in the leak statement can be removed without breaking compliance since distinct parts of IBEX cause these combinations The writeback logic causes additional combinations: ALU or branch instructions following a LOAD cause a transition between data from memory access and the current ALU result.

This common leakage covers leak effects previously discussed in related works. It models transition leakage produced in the ALU, whose source are the two read ports of the register file. Transitions in the first, respectively second, operand of instructions are well-known [36, 37]. Furthermore, the leakage is even caused by instructions which have no register operands like LUI (load unsigned immediate) (line 88 in Listing 6). The root cause of this effect is that the register file is always active, decoding specific instruction bits as register addresses. In the case of LUI, these bits are actually part of the immediate value. This effect was observed by Gigerl *et al.* [25] but we model it precisely.

The leakage of load instructions modeled by <code>load\_leakage</code> (Listing 5) differs from all other instructions. Here, the leak statement in <code>common\_leakage</code> can be broken down into smaller leak statements. First off, because the ALU is always active and performs its computations even when not necessary, the current and previous values of the register file outputs are combined in line 6. Similarly, the last register file outputs are combined with the loaded data and the load address within the writeback logic, as shown in line 7. Papagiannopoulos <code>et al.</code> [43] already observe leakage across the value

read in two load instructions separated by an arbitrary number of unrelated instructions. We see this effect as well, as shown in line 9.

Surprisingly, IBEX does not expose transition leakages in subsequent memory writes separated by arbitrary other instructions, which was observed for several Arm architectures [9, 36]. Likely, this is related to IBEX not having additional registers in the memory path which many other processors have.

We emphasize that our model is provably complete for branching instructions as well (see Listing 6). The side-channel behavior of these ubiquitous instructions was not characterized so far.

#### 5.3 Discussion

While we demonstrate our approach on the RISC-V IBEX core we emphasize that it is neither limited to RISC-V processors, nor the IBEX core. Verifying contract compliance for similar architectures and processors requires adapting the tool to their pipeline and properly configuring the verification procedure.

Our tool focuses on value leakage and transition leakage, while our theoretical framework supports arbitrary gate-level leakage. Extending our verification tool to include further effects such as glitches makes an interesting future research question, and could be achieved by extending the encoding of leakage from Section 4.5.

Our verification methodology and the contracts themselves support bitsliced and n-sliced masking [11], which are among the most popular implementation techniques for masked software. More exotic concepts like share-slicing require a bit-granular verification. However, since we confirm the empirical results of Gao  $et\ al.$  [22] and show the existence of bit-combinations within one 32-bit register, any share-sliced implementation is insecure on IBEX.

# 6 CONCLUSION

We introduced a methodology for creating software leakage models and proving their completeness based on the netlist of a CPU. Our rigorous approach allows us to treat the model as contract between the software and the hardware which provably guarantees end-to-end security: any implementation secure w.r.t. a contract is also secure on any compliant processor for all leakages exposed at gate-level. Overall the result significantly improve the secure construction of hardened software implementations.

Besides providing strong guarantees of side-channel resistance, easing the safe porting of programs to different CPUs and the most extensive modeling of different instructions's side-channel leakage, we think our approach could be beneficial for other applications as well. In particular, we believe it could be used for leakage emulators or statistical security evaluations that can be derived from the executable Genoa contracts.

# **ACKNOWLEDGMENTS**

This work received funding from the Federal Ministry of Education and Research (BMBF) as part of the VE-Jupiter project (grant number 16ME0231K). This work was supported by the Austrian Research Promotion Agency (FFG) through the FERMION project (grant number 867542).

#### REFERENCES

- [1] Arnold Abromeit, Florian Bache, Leon A. Becker, Marc Gourjon, Tim Güneysu, Sabrina Jorn, Amir Moradi, Maximilian Orlt, and Falk Schellenberg. Automated masking of software implementations on industrial microcontrollers. In Design, Automation & Test in Europe Conference & Exhibition, DATE 2021, Grenoble, France, February 1-5, 2021, pages 1006–1011. IEEE, 2021.
- [2] Alasdair Armstrong, Thomas Bauereiss, Brian Campbell, Kathryn E. Gray, Robert Norton-Wright, Christopher Pulte, Shaked Flur, and Peter Sewell, July 2021 (accessed January 12, 2022). https://raw.githubusercontent.com/rems-project/sail/sail/manual.pdf.
- [3] Alasdair Armstrong, Thomas Bauereiss, Brian Campbell, Alastair Reid, Kathryn E. Gray, Robert M. Norton, Prashanth Mundkur, Mark Wassell, Jon French, Christopher Pulte, Shaked Flur, Ian Stark, Neel Krishnaswami, and Peter Sewell. Minisail: A core calculus for sail, 2018 (accessed January 12, 2022). https://www.cl.cam.ac.uk/~mpew2/papers/minisail\_anf.pdf.
- [4] Alasdair Armstrong, Thomas Bauereiss, Brian Campbell, Alastair Reid, Kathryn E. Gray, Robert M. Norton, Prashanth Mundkur, Mark Wassell, Jon French, Christopher Pulte, Shaked Flur, Ian Stark, Neel Krishnaswami, and Peter Sewell. ISA semantics for ARMv8-A, RISC-V, and CHERI-MIPS. In Proc. 46th ACM SIGPLAN Symposium on Principles of Programming Languages, January 2019. Proc. ACM Program. Lang. 3, POPL, Article 71.
- [5] Josep Balasch, Benedikt Gierlichs, Vincent Grosso, Oscar Reparaz, and François-Xavier Standaert. On the cost of lazy engineering for masked software implementations. In Marc Joye and Amir Moradi, editors, Smart Card Research and Advanced Applications - 13th International Conference, CARDIS 2014, Paris, France, November 5-7, 2014. Revised Selected Papers, volume 8968 of Lecture Notes in Computer Science, pages 64–81. Springer, 2014.
- [6] Clark Barrett, Aaron Stump, and Cesare Tinelli. The SMT-LIB Standard: Version 2.0. Technical report, Department of Computer Science, The University of Iowa, 2010. Available at www.SMT-LIB.org.
- [7] Gilles Barthe, Sonia Belaïd, François Dupressoir, Pierre-Alain Fouque, Benjamin Grégoire, and Pierre-Yves Strub. Verified proofs of higher-order masking. In Elisabeth Oswald and Marc Fischlin, editors, EUROCRYPT 2015, Part I, volume 9056 of LNCS, pages 457–485. Springer, Heidelberg, April 2015.
- [8] Gilles Barthe, Sonia Belaïd, François Dupressoir, Pierre-Alain Fouque, Benjamin Grégoire, Pierre-Yves Strub, and Rébecca Zucchini. Strong non-interference and type-directed higher-order masking. In Edgar R. Weippl, Stefan Katzenbeisser, Christopher Kruegel, Andrew C. Myers, and Shai Halevi, editors, ACM CCS 2016, pages 116–129. ACM Press, October 2016.
   [9] Gilles Barthe, Marc Gourjon, Benjamin Grégoire, Maximilian Orlt, Clara Paglia-
- [9] Gilles Barthe, Marc Gourjon, Benjamin Grégoire, Maximilian Orlt, Clara Paglialonga, and Lars Porth. Masking in fine-grained leakage models: Construction, implementation and verification. *IACR TCHES*, 2021(2):189–228, 2021. https://tches.iacr.org/index.php/TCHES/article/view/8792.
- [10] Omid Bazangani, Alexandre Iooss, Ileana Buhan, and Lejla Batina. Abby: Automating the creation of fine-grained leakage models. Cryptology ePrint Archive, Report 2021/1569, 2021. https://ia.cr/2021/1569.
- [11] Sonia Belaïd, Pierre-Évariste Dagand, Darius Mercadier, Matthieu Rivain, and Raphaël Wintersdorff. Tornado: Automatic generation of probing-secure masked bitsliced implementations. In Anne Canteaut and Yuval Ishai, editors, EURO-CRYPT 2020, Part III, volume 12107 of LNCS, pages 311–341. Springer, Heidelberg, May 2020.
- [12] Gaëtan Cassiers and François-Xavier Standaert. Trivially and efficiently composing masked gadgets with probe isolating non-interference. IEEE Trans. Inf. Forensics Secur., 15:2542–2555, 2020.
- [13] Suresh Chari, Charanjit S. Jutla, Josyula R. Rao, and Pankaj Rohatgi. Towards sound approaches to counteract power-analysis attacks. In Michael J. Wiener, editor, CRYPTO'99, volume 1666 of LNCS, pages 398–412. Springer, Heidelberg, August 1999.
- [14] Thomas De Cnudde, Oscar Reparaz, Begül Bilgin, Svetla Nikova, Ventzislav Nikov, and Vincent Rijmen. Masking AES with d+1 shares in hardware. In Cryptographic Hardware and Embedded Systems CHES 2016 18th International Conference, Santa Barbara, CA, USA, August 17-19, 2016, Proceedings, volume 9813 of Lecture Notes in Computer Science, pages 194–212. Springer, 2016.
- [15] Jean-Sébastien Coron. Higher order masking of look-up tables. In Phong Q. Nguyen and Elisabeth Oswald, editors, EUROCRYPT 2014, volume 8441 of LNCS, pages 441–458. Springer, Heidelberg, May 2014.
- [16] Jean-Sébastien Coron, Christophe Giraud, Emmanuel Prouff, Soline Renner, Matthieu Rivain, and Praveen Kumar Vadnala. Conversion of security proofs from one leakage model to another: A new issue. In Constructive Side-Channel Analysis and Secure Design - Third International Workshop, COSADE 2012, Darmstadt, Germany, May 3-4, 2012. Proceedings, volume 7275 of Lecture Notes in Computer Science, pages 69–81. Springer, 2012.
- [17] Thomas De Cnudde, Begül Bilgin, Benedikt Gierlichs, Ventzislav Nikov, Svetla Nikova, and Vincent Rijmen. Does coupling affect the security of masked implementations? In Sylvain Guilley, editor, COSADE 2017, volume 10348 of LNCS, pages 1–18. Springer, Heidelberg, April 2017.

- [18] Wouter de Groot, Kostas Papagiannopoulos, Antonio de la Piedra, Erik Schneider, and Lejla Batina. Bitsliced masking and ARM: friends or foes? In Lightweight Cryptography for Security and Privacy 5th International Workshop, LightSec 2016, Aksaray, Turkey, September 21-22, 2016, Revised Selected Papers, volume 10098 of Lecture Notes in Computer Science, pages 91-109. Springer, 2016.
- [19] Leonardo Mendonça de Moura and Nikolaj S. Bjørner. Z3: an efficient SMT solver. In C. R. Ramakrishnan and Jakob Rehof, editors, Tools and Algorithms for the Construction and Analysis of Systems, 14th International Conference, TACAS 2008, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2008, Budapest, Hungary, March 29-April 6, 2008. Proceedings, volume 4963 of Lecture Notes in Computer Science, pages 337-340. Springer, 2008.
- [20] Sebastian Faust, Vincent Grosso, Santos Merino Del Pozo, Clara Paglialonga, and François-Xavier Standaert. Composable masking schemes in the presence of physical defaults & the robust probing model. *IACR TCHES*, 2018(3):89–120, 2018. https://tches.iacr.org/index.php/TCHES/article/view/7270.
- [21] Andreas Fröhlich, Gergely Kovásznai, and Armin Biere. More on the complexity of quantifier-free fixed-size bit-vector logics with binary encoding. In Andrei A. Bulatov and Arseny M. Shur, editors, Computer Science - Theory and Applications - 8th International Computer Science Symposium in Russia, CSR 2013, Ekaterinburg, Russia, June 25-29, 2013. Proceedings, volume 7913 of Lecture Notes in Computer Science, pages 378–390. Springer, 2013.
- [22] Si Gao, Ben Marshall, Dan Page, and Elisabeth Oswald. Share-slicing: Friend or foe? IACR TCHES, 2020(1):152–174, 2019. https://tches.iacr.org/index.php/ TCHES/article/view/8396.
- [23] Si Gao and Elisabeth Oswald. A novel completeness test and its application to side channel attacks and simulators. Cryptology ePrint Archive, Report 2021/756, 2021. https://ia.cr/2021/756.
- [24] Si Gao, Elisabeth Oswald, and Dan Page. Reverse engineering the microarchitectural leakage features of a commercial processor. Cryptology ePrint Archive, Report 2021/794, 2021. https://ia.cr/2021/794.
- [25] Barbara Gigerl, Vedad Hadzic, Robert Primas, Stefan Mangard, and Roderick Bloem. Coco: Co-design and co-verification of masked software implementations on cpus. In Michael Bailey and Rachel Greenstadt, editors, 30th USENIX Security Symposium, USENIX Security 2021, August 11-13, 2021, pages 1469–1468. USENIX Association. 2021.
- [26] Barbara Gigerl, Robert Primas, and Stefan Mangard. Secure and efficient software masking on superscalar pipelined processors. In Mehdi Tibouchi and Huaxiong Wang, editors, Advances in Cryptology - ASIACRYPT 2021 - 27th International Conference on the Theory and Application of Cryptology and Information Security, Singapore, December 6-10, 2021, Proceedings, Part II, volume 13091 of Lecture Notes in Computer Science, pages 3-32. Springer, 2021.
- [27] Hannes Gross, Stefan Mangard, and Thomas Korak. Domain-Oriented Masking: Compact Masked Hardware Implementations with Arbitrary Protection Order. In Proceedings of the 2016 ACM Workshop on Theory of Implementation Security, TIS '16, pages 3-3, New York, NY, USA, 2016. ACM.
- [28] Hannes Gross, Stefan Mangard, and Thomas Korak. An Efficient Side-Channel Protected AES Implementation with Arbitrary Protection Order. In Helena Handschuh, editor, CT-RSA 2017, San Francisco, CA, USA, February 14–17, 2017, Proceedings, pages 95–112, Cham, 2017. Springer International Publishing.
- [29] Vedad Hadzic and Roderick Bloem. COCOALMA: A versatile masking verifier. In Formal Methods in Computer Aided Design, FMCAD 2021, New Haven, CT, USA, October 19-22, 2021, pages 1–10. IEEE, 2021.
- [30] Yuval Ishai, Amit Sahai, and David Wagner. Private circuits: Securing hardware against probing attacks. In Dan Boneh, editor, CRYPTO 2003, volume 2729 of LNCS, pages 463–481. Springer, Heidelberg, August 2003.
- [31] Paul C. Kocher, Joshua Jaffe, and Benjamin Jun. Differential power analysis. In Michael J. Wiener, editor, Advances in Cryptology - CRYPTO '99, 19th Annual International Cryptology Conference, Santa Barbara, California, USA, August 15-19, 1999, Proceedings, volume 1666 of Lecture Notes in Computer Science, pages 388–397. Springer, 1999.
- [32] lowRISC. Ibex RISC-V Core. https://github.com/lowRISC/ibex.
- [33] Stefan Mangard, Thomas Popp, and Berndt M. Gammel. Side-channel leakage of masked CMOS gates. In Alfred Menezes, editor, CT-RSA 2005, volume 3376 of LNCS, pages 351–365. Springer, Heidelberg, February 2005.
- [34] Stefan Mangard, Norbert Pramstaller, and Elisabeth Oswald. Successfully attacking masked AES hardware implementations. In Josyula R. Rao and Berk Sunar, editors, CHES 2005, volume 3659 of LNCS, pages 157–171. Springer, Heidelberg, August / September 2005.
- [35] Stefan Mangard, Norbert Pramstaller, and Elisabeth Oswald. Successfully attacking masked AES hardware implementations. In CHES, volume 3659 of Lecture Notes in Computer Science, pages 157–171. Springer, 2005.
- [36] Ben Marshall, Dan Page, and James Webb. Miracle: Micro-architectural leakage evaluation: A study of micro-architectural power leakage across many devices. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2022(1):175–220. Nov. 2021.
- [37] David McCann, Elisabeth Oswald, and Carolyn Whitnall. Towards practical tools for side channel aware software engineering: 'grey box' modelling for instruction leakages. In Engin Kirda and Thomas Ristenpart, editors, USENIX Security 2017,

- pages 199-216. USENIX Association, August 2017.
- [38] David McCann, Carolyn Whitnall, and Elisabeth Oswald. ELMO: emulating leaks for the ARM cortex-m0 without access to a side channel lab. IACR Cryptol. ePrint Arch., page 517, 2016.
- [39] Lauren De Meyer, Elke De Mulder, and Michael Tunstall. On the effect of the (micro)architecture on the development of side-channel resistant software. IACR Cryptol. ePrint Arch., 2020:1297, 2020.
- [40] Prashanth Mundkur, Rishiyur S. Nikhil, Bluespec Inc, Jon French, Brian Campbell, Robert Norton-Wright, Alasdair Armstrong, Thomas Bauereiss, Shaked Flur, Christopher Pulte, Peter Sewell, Alexander Richardson, Hesham Almatary, Jessica Clarke, Microsoft, Nathaniel Wesley Filardo, Peter Rugg, and Aril Computer Corp. Riscv sail model, August 2021 (accessed January 17, 2022). https://github.com/ riscv/sail-riscv.
- [41] Svetla Nikova, Christian Rechberger, and Vincent Rijmen. Threshold implementations against side-channel attacks and glitches. In Peng Ning, Sihan Qing, and Ninghui Li, editors, *ICICS 06*, volume 4307 of *LNCS*, pages 529–545. Springer, Heidelberg, December 2006.
- [42] Svetla Nikova, Vincent Rijmen, and Martin Schläffer. Secure hardware implementation of nonlinear functions in the presence of glitches. *Journal of Cryptology*, 24(2):292–321, April 2011.
- [43] Kostas Papagiannopoulos and Nikita Veshchikov. Mind the gap: Towards secure 1st-order masking in software. In Sylvain Guilley, editor, COSADE 2017, volume 10348 of LNCS, pages 282–297. Springer, Heidelberg, April 2017.
- [44] Emmanuel Prouff and Matthieu Rivain. Masking against side-channel attacks: A formal security proof. In Thomas Johansson and Phong Q. Nguyen, editors, EUROCRYPT 2013, volume 7881 of LNCS, pages 142–159. Springer, Heidelberg, May 2013.
- [45] Jean-Jacques Quisquater and David Samyde. Electromagnetic analysis (EMA): measures and counter-measures for smart cards. In Isabelle Attali and Thomas P. Jensen, editors, Smart Card Programming and Security, International Conference on Research in Smart Cards, E-smart 2001, Cannes, France, September 19-21, 2001, Proceedings, volume 2140 of Lecture Notes in Computer Science, pages 200-210. Springer, 2001.
- [46] Oscar Reparaz, Begül Bilgin, Svetla Nikova, Benedikt Gierlichs, and Ingrid Verbauwhede. Consolidating Masking Schemes. In CRYPTO 2015, 2015.
- [47] Peter Sewell. Isa formal spec public review, June 2020 (accessed January 14, 2022). https://github.com/riscvarchive/ISA\_Formal\_Spec\_Public\_Review.
- [48] Madura A. Shelton, Niels Samwel, Lejla Batina, Francesco Regazzoni, Markus Wagner, and Yuval Yarom. Rosita: Towards automatic elimination of poweranalysis leakage in ciphers. In NDSS. The Internet Society, 2021.

## **APPENDIX**

## 6.1 RISC-V Model for IBEX

The missing parts of our contract for IBEX are depicted in Listing 6. Comment for reviewers: The non-blinded copyright holders do not deanonymize the authors of this paper.

# Listing 6: Contract model of remaining instructions for IBEX.

```
/*======*/
/* RISCV Sail Model */
/* This Sail RISC-V architecture model, comprising all files
     \hookrightarrow and directories except for the snapshots of the
     \hookrightarrow Lem and Sail libraries in the prover_snapshots

    directory (which include copies of their licences),
     \hookrightarrow is subject to the BSD two-clause licence below. */
/* Copyright (c) 2017-2021 Prashanth Mundkur, Rishiyur S.
     \hookrightarrow Nikhil and Bluespec Inc., Jon French, Brian
     ← Peter Sewell, Alexander Richardson, Hesham Almatary,
     \hookrightarrow Jessica Clarke, Microsoft, for contributions by
     \hookrightarrow Robert Norton-Wright and Nathaniel Wesley Filardo,
     \hookrightarrow Peter Rugg and Aril Computer Corp., for
     \hookrightarrow contributions by Scott Johnson */
/* Copyright 2020-2022 - TUHH, TU Graz */
/* All rights reserved. */
```

```
/* This software was developed by the above within the

    ⇔ Rigorous Engineering of Mainstream Systems (REMS)

         \hookrightarrow at the Universities of Cambridge and Edinburgh. */
   /* This software was developed by SRI International and the
         → Department of Computer Science and Technology)
         \hookrightarrow under DARPA/AFRL contract FA8650-18-C-7809 ("CIFV"),

    and under DARPA contract HR0011-18-C-0016 ("ECATS")

         \hookrightarrow as part of the DARPA SSITH research programme. */
    /* This project has received funding from the European

    ⇔ Research Council (ERC) under the European Union's

         /* This software has received funding from the Federal
         Ministry of Education and Research
         (BMBF) as part of the VE-Jupiter project grant
         16ME0231K. */
    /* This work was supported by the Austrian Research
         Promotion Agency (FFG) through the FERMION project
         (grant number 867542). */
    /* Redistribution and use in source and binary forms, with
         \hookrightarrow or without modification, are permitted provided
         \hookrightarrow that the following conditions are met: */
   \slash * 1. Redistributions of source code must retain the above
         \hookrightarrow copyright notice, this list of conditions and the
         \hookrightarrow following disclaimer. */
   /* 2. Redistributions in binary form must reproduce the
         \hookrightarrow above copyright notice, this list of conditions and
         \,\hookrightarrow\, the following disclaimer in the documentation and/
         \hookrightarrow or other materials provided with the distribution.
   /* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS

→ ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
         \hookrightarrow INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
         \hookrightarrow WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
         ← PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
         \hookrightarrow SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY
         ← DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
         \hookrightarrow OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
         \hookrightarrow LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
         \hookrightarrow SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
         \hookrightarrow BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
         \hookrightarrow THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
         \hookrightarrow LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
         \hookrightarrow OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
         \hookrightarrow THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
         \hookrightarrow OF SUCH DAMAGE. */
    /*=======*/
38
39
    val overwrite_leakage : (regidx, xlenbits) -> unit effect {

    rreg, leakage}

    function overwrite_leakage(dest_idx : regidx, res : xlenbits
         ⇔ ) = {
     let x1_n = if (dest_idx == 0b00001)
42
       then {res} else {x1} in leak(x1 , x1_n );
43
```

let x2\_n = if (dest\_idx == 0b00010)

```
then {res} else {x2} in leak(x2 , x2_n );
                                                                         /* *********************************
45
                                                                         union clause ast = RISCV_JAL : (bits(21), regidx)
      let x3_n = if (dest_idx == 0b00011)
        then {res} else {x3} in leak(x3, x3_n);
      let x4_n = if (dest_idx == 0b00100)
48
                                                                    105
                                                                         mapping clause encdec =
        then \{res\} else \{x4\} in leak(x4, x4_n);
                                                                           RISCV_JAL(imm_19 @ imm_7_0 @ imm_8 @ imm_18_13 @ imm_12_9
                                                                    106
      let x5 n = if (dest idx == 0b00101)
                                                                                \hookrightarrow @ 0b0. rd)
50
        then \{res\} else \{x5\} in leak(x5, x5_n);
                                                                           <-> imm_19 : bits(1) @ imm_18_13 : bits(6) @ imm_12_9 :
                                                                    107
51
     let x6_n = if (dest_idx == 0b00110)
                                                                                \hookrightarrow bits(4) @ imm_8 : bits(1) @ imm_7_0 : bits(8) @ rd
52
        then \{res\} else \{x6\} in leak(x6, x6_n);
                                                                                53
      let x7_n = if (dest_idx == 0b00111)
                                                                    108
                                                                           if (rd[4] == bitzero)
54
        then \{res\} else \{x7\} in leak(x7, x7_n);
55
     let x8_n = if (dest_idx == 0b01000)
                                                                         function clause execute (RISCV_JAL(imm, rd)) = {
56
                                                                    110
        then {res} else {x8} in leak(x8, x8_n);
                                                                           let rs1 val = X(0b0 @ imm[18 .. 15]):
57
                                                                    111
                                                                           let rs2_val = X(0b0 @ imm[3 .. 1]
     let x9_n = if (dest_idx == 0b01001)
58
                                                                    112
59
       then \{res\} else \{x9\} in leak(x9, x9_n);
                                                                                         @ subrange_bits(imm, 11, 11));
     let x10_n = if (dest_idx == 0b01010)
                                                                           common_leakage(rs1_val, rs2_val);
        then {res} else {x10} in leak(x10, x10_n);
                                                                    115
61
     let x11_n = if (dest_idx == 0b01011)
                                                                           let t : xlenbits = PC + EXTS(imm);
                                                                    116
62
       then {res} else {x11} in leak(x11, x11_n);
                                                                           let rd_next = get_next_pc();
63
                                                                    117
     let x12_n = if (dest_idx == 0b01100)
64
                                                                    118
       then {res} else {x12} in leak(x12, x12_n);
                                                                           overwrite_leakage(rd, rd_next);
65
                                                                    119
     let x13_n = if (dest_idx == 0b01101)
                                                                           X(rd) = rd_next;
        then {res} else {x13} in leak(x13, x13_n);
                                                                    121
                                                                           if t[1 .. 0] == 0b00 then {
      let x14_n = if (dest_idx == 0b01110)
                                                                    122
                                                                            set_next_pc(t);
68
        then \{res\} else \{x14\} in leak(x14, x14_n);
                                                                            RETIRE_SUCCESS
69
                                                                    123
      let x15_n = if (dest_idx == 0b01111)
                                                                           } else RETIRE_FAIL
70
                                                                    124
        then {res} else {x15} in leak(x15, x15_n);
71
                                                                    125
                                                                        }
72
                                                                         /* ****************************
    /* ********************************
                                                                         union clause ast =
74
    enum uop = {RISCV_LUI, RISCV_AUIPC}
                                                                           RISCV_JALR: (bits(12), regidx, regidx)
75
                                                                    129
    union clause ast = UTYPE : (bits(20), regidx, uop)
                                                                    130
                                                                         mapping clause encdec = RISCV_JALR(imm, rs1, rd)
                                                                    131
    mapping encdec_uop : uop <-> bits(7) = {
                                                                           <-> imm @ rs1 @ 0b000 @ rd @ 0b1100111
                                                                    132
78
     RISCV_LUI <-> 0b0110111,
                                                                           if (rs1[4] == bitzero & rd[4] == bitzero)
                                                                    133
      RISCV_AUIPC <-> 0b0010111
80
                                                                    134
                                                                         function clause execute (RISCV_JALR(imm, rs1, rd)) = {
                                                                    135
81
                                                                           let rs1_val = X(rs1);
82
                                                                    136
    mapping clause encdec = UTYPE(imm, rd, op)
                                                                           let rs2_val = X(0b0 @ imm[3..0]);
83
                                                                    137
      <-> imm @ rd @ encdec_uop(op)
                                                                           common_leakage(rs1_val, rs2_val);
84
                                                                    138
      if (rd[4] == bitzero)
85
                                                                           let t : xlenbits =
    function clause execute UTYPE(imm, rd, op) = {
                                                                            [(rs1_val + EXTS(imm)) with 0 = bitzero];
                                                                    141
87
      let rs1_val = X(0b0 @ imm[6 .. 3]);
                                                                           if t[1 .. 0] == 0b00 then {
                                                                    142
88
     let rs2_val = X(0b0 @ imm[11 .. 8]);
                                                                            overwrite_leakage(rd, get_next_pc());
89
                                                                    143
      common_leakage(rs1_val, rs2_val);
                                                                            X(rd) = get_next_pc();
                                                                    144
                                                                            set_next_pc(t);
                                                                    145
      let off : xlenbits = EXTS(imm @ 0x000);
                                                                            RETIRE SUCCESS
     let ret : xlenbits = match op {
                                                                           } else RETIRE_FAIL
       RISCV_LUI => off,
                                                                    148
94
       RISCV_AUIPC => get_arch_pc() + off
95
                                                                    149
                                                                         };
96
                                                                    150
                                                                         enum bop = {RISCV_BEQ, RISCV_BNE, RISCV_BLT, RISCV_BGE,
97
                                                                    151
                                                                              \hookrightarrow RISCV_BLTU, RISCV_BGEU}
      X(rd) = ret;
      RETIRE_SUCCESS
                                                                        union clause ast =
                                                                           BTYPE : (bits(13), regidx, regidx, bop)
100
    }
101
                                                                    154
```

```
let rs2_val = X(0b0 @ imm[3 .. 0]);
    mapping encdec_bop : bop <-> bits(3) = {
                                                                      208
      RISCV_BEQ <-> 0b000,
                                                                             common_leakage(rs1_val, rs2_val);
      RISCV_BNE <-> 0b001,
                                                                            let immext : xlenbits = EXTS(imm);
                                                                            let result : xlenbits = match op {
      RISCV_BLT <-> 0b100,
158
                                                                      211
      RISCV_BGE <-> 0b101,
                                                                              RISCV_ADDI => rs1_val + immext,
159
                                                                      212
      RISCV BLTU <-> 0b110.
                                                                              RISCV SLTI =>
160
                                                                      213
      RISCV_BGEU <-> 0b111
                                                                                EXTZ(bool_to_bits(rs1_val <_s immext)),</pre>
                                                                      214
161
162
    }
                                                                      215
                                                                              RISCV SLTIU =>
                                                                                EXTZ(bool_to_bits(rs1_val <_u immext)),</pre>
163
                                                                              RISCV_ANDI => rs1_val & immext,
    mapping clause encdec = BTYPE(imm7_6 @ imm5_0 @ imm7_5_0 @
                                                                      217
164
          \hookrightarrow imm5_4_1 @ 0b0, rs2, rs1, op)
                                                                      218
                                                                              RISCV_ORI => rs1_val | immext,
      <-> imm7_6 : bits(1) @ imm7_5_0 : bits(6) @ rs2 @ rs1 @
                                                                              RISCV_XORI => rs1_val ^ immext
165
                                                                      219
           \hookrightarrow encdec_bop(op) @ imm5_4_1 : bits(4) @ imm5_0 :
                                                                      220
                                                                            }:

    bits(1) @ 0b1100011

                                                                            overwrite_leakage(rd, result);
                                                                      221
      if (rs1[4] == bitzero & rs2[4] == bitzero)
                                                                            X(rd) = result:
                                                                            RETIRE SUCCESS
     function clause execute (BTYPE(imm, rs2, rs1, op)) = {
                                                                      224
168
      let rs1_val = X(rs1);
                                                                      225
169
      let rs2 val = X(rs2):
                                                                           /* **********************************
170
                                                                      226
      common_leakage(rs1_val, rs2_val);
                                                                           enum sop = {RISCV_SLLI, RISCV_SRLI, RISCV_SRAI}
171
                                                                      227
      let taken : bool = match op {
172
                                                                      228
                                                                          union clause ast =
        RISCV_BEQ => rs1_val == rs2_val,
                                                                            SHIFTIOP: (bits(6), regidx, regidx, sop)
173
                                                                      229
        RISCV_BNE => rs1_val != rs2_val,
174
                                                                      230
                                                                           mapping encdec_sop : sop <-> bits(3) = {
        RISCV_BLT => rs1_val <_s rs2_val,
                                                                      231
175
        RISCV_BGE => rs1_val >=_s rs2_val,
                                                                            RISCV_SLLI <-> 0b001,
176
                                                                      232
        RISCV_BLTU => rs1_val <_u rs2_val,
                                                                            RISCV_SRLI <-> 0b101,
177
                                                                      233
        RISCV_BGEU => rs1_val >=_u rs2_val
                                                                            RTSCV SRAT <-> 0b101
178
                                                                      234
      };
                                                                          }
179
                                                                      235
      let t : xlenbits = PC + EXTS(imm);
                                                                          mapping clause encdec = SHIFTIOP(shamt, rs1, rd, RISCV_SLLI)
181
                                                                      237
      if (t[1 .. 0] != 0b00) then
                                                                             <-> 0b000000 @ shamt @ rs1 @ 0b001 @ rd @ 0b0010011
182
                                                                      238
        return RETIRE_FAIL;
                                                                             if (shamt[5] == bitzero) &(rs1[4] == bitzero) & (rd[4] ==
183
                                                                      239
      if taken then { set_next_pc(t); };
                                                                                  → bitzero)
184
      return RETIRE_SUCCESS
                                                                           mapping clause encdec = SHIFTIOP(shamt, rs1, rd, RISCV_SRLI)
185
                                                                      240
    }
                                                                            <-> 0b000000 @ shamt @ rs1 @ 0b101 @ rd @ 0b0010011
                                                                      241
                                                                             if (shamt[5] == bitzero) &(rs1[4] == bitzero) & (rd[4] ==
187
                                                                      242
    /* ******* */
                                                                                  → bitzero)
188
    enum iop = {RISCV_ADDI, RISCV_SLTI, RISCV_SLTIU, RISCV_XORI,
                                                                           mapping clause encdec = SHIFTIOP(shamt, rs1, rd, RISCV_SRAI)
189
                                                                      243
          <-> 0b010000 @ shamt @ rs1 @ 0b101 @ rd @ 0b0010011
                                                                      244
                                                                             if (shamt[5] == bitzero) &(rs1[4] == bitzero) & (rd[4] ==
    union clause ast =
190
                                                                      245
      ITYPE : (bits(12), regidx, regidx, iop)
                                                                                  \hookrightarrow bitzero)
191
    mapping encdec_iop : iop <-> bits(3) = {
                                                                           function clause execute (SHIFTIOP(shamt, rs1, rd, op)) = {
                                                                      247
193
      RISCV_ADDI <-> 0b000,
                                                                            let rs1 val = X(rs1):
                                                                      248
194
      RISCV_SLTI <-> 0b010,
                                                                            let rs2_val = X(0b0 @ shamt[3..0]);
195
                                                                      249
      RISCV SLTIU <-> 0b011.
                                                                            common_leakage(rs1_val, rs2_val);
                                                                      250
196
      RISCV_ANDI <-> 0b111,
                                                                             /* the decoder guard ensures that shamt[5] = 0 for RV32E
197
                                                                      251
      RISCV ORI <-> 0b110.
                                                                                  → */
      RISCV XORI <-> 0b100
                                                                            let result : xlenbits = match op {
                                                                              RISCV_SLLI => if sizeof(xlen) == 32
                                                                      253
200
                                                                                            then rs1_val << shamt[4..0]
201
                                                                      254
    mapping clause encdec = ITYPE(imm, rs1, rd, op)
                                                                                            else rs1_val << shamt,</pre>
202
                                                                      255
      <-> imm @ rs1 @ encdec_iop(op) @ rd @ 0b0010011
                                                                              RISCV_SRLI => if sizeof(xlen) == 32
203
                                                                      256
      if (rs1[4] == bitzero) & (rd[4] == bitzero)
                                                                                            then rs1_val >> shamt[4..0]
204
                                                                      257
                                                                                            else rs1_val >> shamt,
    function clause execute (ITYPE (imm, rs1, rd, op)) = {
                                                                              RISCV_SRAI => if sizeof(xlen) == 32
      let rs1_val = X(rs1);
```

```
0b01 => req_data[15 .. 8],
                      then shift_right_arith32(rs1_val, shamt
                            \hookrightarrow [4..01)
                                                                                 0b10 => req_data[23 .. 16],
                      else shift_right_arith64(rs1_val, shamt)};
                                                                                 0b11 => req_data[31 .. 24]};
                                                                               let req_half : bits(16) = match (addr[1]) {
      overwrite_leakage(rd, result);
                                                                         306
262
      X(rd) = result;
                                                                                 bitzero => req_data[15 .. 0],
                                                                         307
263
      RETIRE SUCCESS
                                                                                 bitone => req_data[31 .. 16]};
                                                                         308
                                                                         309
                                                                               match (width, addr[1 .. 0]) {
265
                                                                         310
                                                                                 (BYTE, _) => process_load(rd, addr, req_byte,
    /* *****************************
                                                                                       \hookrightarrow is unsigned).
    enum word_width = {BYTE, HALF, WORD, DOUBLE}
                                                                         311
                                                                                 (HALF, 0b00) => process_load(rd, addr, req_half,
    union clause ast = LOAD :
                                                                                       \hookrightarrow is_unsigned),
269
      (bits(12), regidx, regidx, bool, word_width, bool, bool)
                                                                                 (HALF, 0b10) => process_load(rd, addr, reg_half,
270
                                                                         312
                                                                                       \hookrightarrow is unsigned).
271
    mapping clause encdec = LOAD(imm, rs1, rd, is_unsigned, size 313
                                                                                 (WORD, 0b00) => process_load(rd, addr, req_data,
272
          \hookrightarrow , false, false)
                                                                                       \hookrightarrow is_unsigned),
      if ((word_width_bytes(size) < sizeof(xlen_bytes)) | (</pre>
                                                                                 (_, _) => RETIRE_FAIL // takes care of misaligned}

    not_bool(is_unsigned) & word_width_bytes(size) <=
</pre>
                                                                             }
                                                                         315
            \hookrightarrow sizeof(xlen_bytes))) & (rs1[4] == bitzero) & (rd
                                                                             /* **************************
                                                                         316
            \hookrightarrow \lceil 4 \rceil == bitzero)
                                                                             union clause ast = STORE :
                                                                         317
      <-> imm @ rs1 @ bool_bits(is_unsigned) @ size_bits(size) @
                                                                                (bits(12), regidx, regidx, word_width, bool, bool)
274
                                                                        318

→ rd @ 0b0000011

      if ((word_width_bytes(size) < sizeof(xlen_bytes)) | (</pre>
                                                                             mapping clause encdec = STORE(imm7 @ imm5, rs2, rs1, size,
            ← not_bool(is_unsigned) & word_width_bytes(size) <=</pre>
                                                                                   \hookrightarrow false, false)

    sizeof(xlen_bytes))) & (rs1[4] == bitzero) & (rd

                                                                               if (word_width_bytes(size) <= sizeof(xlen_bytes)) & (rs1</pre>
                                                                         321
            \hookrightarrow [4] == bitzero)
                                                                                     \hookrightarrow [4] == bitzero) & (rs2[4] == bitzero)
                                                                               <-> imm7 : bits(7) @ rs2 @ rs1 @ 0b0 @ size_bits(size) @
276
                                                                         322
                                                                                     \hookrightarrow imm5 : bits(5) @ 0b0100011
    function aligned(vaddr : xlenbits, width : word_width) ->
          → bool =
                                                                               if (word_width_bytes(size) <= sizeof(xlen_bytes)) & (rs1</pre>
      { width == BYTE | (width == HALF & vaddr[0] == bitzero) |
                                                                                     \hookrightarrow [4] == bitzero) & (rs2[4] == bitzero)
            \hookrightarrow (width == WORD & vaddr[1 .. 0] == 0b00) }
                                                                         324
                                                                             function clause execute (STORE(imm, rs2, rs1, width, aq, rl)
279
                                                                         325
    val load_leakage : (xlenbits, xlenbits, xlenbits, xlenbits)
                                                                                   \hookrightarrow ) = {
280
                                                                               let offset : xlenbits = EXTS(imm);
      -> unit effect {rreg, wreg, leakage}
281
    function load_leakage(rs1_val : xlenbits, rs2_val : xlenbits 327
                                                                               let rs1_val = X(rs1);
          let rs2_val = X(rs2);
      // as in common_leakage
                                                                               common_leakage(rs1_val, rs2_val);
283
                                                                         329
      leak(rf_pA, rf_pB, rs1_val, rs2_val);
                                                                               let addr = rs1_val + offset;
284
                                                                         330
      leak(rf_pA, rf_pB, mem_last_addr, mem_last_read);
                                                                               // address comptation and register file access leakage
285
                                                                         331
      rf_pA = rs1_val;
                                                                               leak(mem_last_addr, addr);
286
                                                                         332
                                                                               mem_last_addr = addr;
      rf_pB = rs2_val;
287
                                                                         333
      leak(addr, req_data, mem_last_addr, mem_last_read);
                                                                               if aligned(addr, width) then {
      mem_last_read = req_data;
                                                                                 let result = rs2_val;
      mem_last_addr = addr;
                                                                                 overwrite_leakage(0b00000, result);
290
                                                                         336
    }
                                                                                 let success : bool = match(width) {
                                                                         337
291
                                                                                   BYTE => write_mem(Write_plain, sizeof(xlen), addr, 1,
292
                                                                         338
    function clause execute(LOAD(imm, rs1, rd, is_unsigned,
                                                                                         \hookrightarrow result[7..0]),
          \hookrightarrow width, aq, rl)) = {
                                                                                   HALF => write_mem(Write_plain, sizeof(xlen), addr, 2,
      let offset : xlenbits = EXTS(imm);
                                                                                         \hookrightarrow result[15..0]),
      let rs1_val = X(rs1);
                                                                                   WORD => write_mem(Write_plain, sizeof(xlen), addr, 4,
      let rs2_val = X(0b0 @ imm[3 .. 0]);
                                                                                         \hookrightarrow result).
296
      let addr = rs1_val + offset;
                                                                                    _ => false};
297
                                                                         341
      let req_addr = addr[(sizeof(xlen) - 1) .. 2] @ 0b00;
                                                                                 if success then {RETIRE_SUCCESS} else {RETIRE_FAIL}
298
                                                                         342
                                                                               } else { RETIRE_FAIL }
      let req_data = read_mem(Read_plain, sizeof(xlen), req_addr
299
            \hookrightarrow , 4);
                                                                             }
      load_leakage(rs1_val, rs2_val, addr, req_data);
                                                                             /* ***********************
      let req_byte : bits(8) = match (addr[1 .. 0]) {
                                                                             mapping clause encdec = ILLEGAL(s) <-> s
301
        0b00 => req_data[ 7 .. 0],
                                                                             function clause execute (ILLEGAL(s)) =
302
```

 $\ensuremath{//}$  – the registers of the IBEX processor (registers and

// - conditions which have to hold before/during execution

→ memory)

// - a mapping between the states

 $\hookrightarrow$  of an instruction

// - which states may contain sensitive data

hardware variable register\_file\_i.rf\_reg\_q[14]

```
48 { return RETIRE_FAIL }
```

# 6.2 IBEX Configuration

→ leakage state)

In the following, we give the configuration file that specifies the mapping and normal operating conditions simultaneously.

```
// - which HW and contract state is printed in
                                                                        Listing 7: IBEX configuration file
                                                                   // Power Contract for IBEX
                                                                   // Copyright (c) 2020-2022 - TUHH, TU Graz
                                                                   // specification of architectural registers and HW/CT
   //

    mapping

   // All rights reserved.
                                                                   //
                                                                   // PC
   // This software has received funding from the Federal
                                                                   contract register PC BitVec 32
        Ministry of Education and Research (BMBF) as part of
                                                                   hardware public u_ibex_core.pc_id
        the VE-Jupiter project grant 16ME0231K.
                                                                   mapping register PC u_ibex_core.pc_id
                                                               58
   //
                                                               59
   // This work was supported by the Austrian Research
                                                                   // next PC
        Promotion Agency (FFG) through the FERMION project
                                                                  hardware public u_ibex_core.if_stage_i.gen_prefetch_buffer.
        (grant number 867542).
   //

→ prefetch_buffer_i.fifo_i.instr_addr_q

   // Redistribution and use in source and binary forms,
                                                                   contract register nextPC BitVec 32
11
   // with or without modification, are permitted provided
                                                                   mapping register nextPC u_ibex_core.if_stage_i.
12
   // that the following conditions are met:

    gen_prefetch_buffer.prefetch_buffer_i.fifo_i.

   // 1. Redistributions of source code must retain the

    instr_addr_q

   // above copyright notice, this list of conditions
                                                               64
                                                                   // REGISTERS
   // and the following disclaimer.
   // 2. Redistributions in binary form must reproduce the
                                                                   contract register x1 BitVec 32
   // above copyright notice, this list of conditions
                                                                   contract register x2 BitVec 32
   // and the following disclaimer in the documentation
                                                                   contract register x3 BitVec 32
   // and/or other materials provided with the
                                                                  contract register x4 BitVec 32
   // distribution.
                                                                  contract register x5 BitVec 32
21
   //
                                                                  contract register x6 BitVec 32
22
   // THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND
                                                                  contract register x7 BitVec 32
   // CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR
                                                                   contract register x8 BitVec 32
24
   // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
                                                                   contract register x9 BitVec 32
                                                               74
25
   // TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
                                                                   contract register x10 BitVec 32
                                                               75
   // AND FITNESS FOR A PARTICULAR PURPOSE ARE
                                                                   contract register x11 BitVec 32
   // DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
                                                                   contract register x12 BitVec 32
   // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
                                                                   contract register x13 BitVec 32
   // INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
                                                                   contract register x14 BitVec 32
   // DAMAGES (INCLUDING, BUT NOT LIMITED TO,
                                                                   contract register x15 BitVec 32
   // PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
                                                                  hardware variable register_file_i.rf_reg_q[1]
32
   // OF USE, DATA, OR PROFITS; OR BUSINESS
                                                                  hardware variable register_file_i.rf_reg_q[2]
33
   // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
                                                                  hardware variable register_file_i.rf_reg_q[3]
   // LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
                                                                  hardware variable register_file_i.rf_reg_q[4]
   // OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
                                                                  hardware variable register_file_i.rf_reg_q[5]
   // ARISING IN ANY WAY OUT OF THE USE OF THIS
                                                                   hardware variable register_file_i.rf_reg_q[6]
   // SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
                                                                   hardware variable register_file_i.rf_reg_q[7]
38
   // SUCH DAMAGE.
                                                                   hardware variable register_file_i.rf_reg_q[8]
39
                                                                   hardware variable register_file_i.rf_reg_q[9]
   hardware variable register_file_i.rf_reg_q[10]
41
   \ensuremath{//} This file contains the configuration of our tool.
                                                                  hardware variable register_file_i.rf_reg_q[11]
   // It specifies
                                                                  hardware variable register_file_i.rf_reg_q[12]
   // - the state modeled in the contract (registers, memory,
                                                                  hardware variable register_file_i.rf_reg_q[13]
```

```
hardware variable register_file_i.rf_reg_q[15]
                                                                  // important signals that must be constrained
                                                                  mapping register x1 register_file_i.rf_reg_q[1]
   mapping register x2 register_file_i.rf_reg_q[2]
                                                                  // never trigger a reset of the core
   mapping register x3 register_file_i.rf_reg_q[3]
                                                                  hardware public rst_ni
   mapping register x4 register_file_i.rf_reg_q[4]
                                                                  hardware const@pre: rst_ni 0b1
   mapping register x5 register_file_i.rf_reg_q[5]
                                                                  // make sure that initially, the ID FSM is in state
100
   mapping register x6 register_file_i.rf_reg_q[6]

    instr_first_cycle_i

   mapping register x7 register_file_i.rf_reg_q[7]
                                                                  // this means that we look at the case where we started
   mapping register x8 register_file_i.rf_reg_q[8]
                                                                       \hookrightarrow executing in 0th cycle
   mapping register x9 register_file_i.rf_reg_q[9]
                                                                  hardware public u_ibex_core.id_stage_i.id_fsm_q
                                                              152
104
   mapping register x10 register_file_i.rf_reg_q[10]
                                                                  hardware const@start u_ibex_core.id_stage_i.id_fsm_q 0b0
105
                                                              153
   mapping register x11 register_file_i.rf_reg_q[11]
                                                                  // no compressed (valid or invalid) instructions at the
106
                                                              154
   mapping register x12 register_file_i.rf_reg_q[12]

→ output of instruction fetch stage

107
   mapping register x13 register_file_i.rf_reg_q[13]
                                                                  hardware public u_ibex_core.if_stage_i.instr_new_id_q
   mapping register x14 register_file_i.rf_reg_q[14]
                                                                  hardware public u_ibex_core.if_stage_i.
   mapping register x15 register_file_i.rf_reg_q[15]

    instr_is_compressed_id_o

                                                                  hardware const@start u_ibex_core.if_stage_i.
111
   contract opcode op BitVec 32

    instr_is_compressed_id_o 0b0

112
   // instruction bits for the instruction whose last execution
                                                                  hardware public u ibex core.if stage i.illegal c insn id o
                                                              158
113
                                                                  hardware const@start u_ibex_core.if_stage_i.
        \hookrightarrow cycle is this cycle
   // only true if the assertion for the valid_d is present
                                                                       114
   hardware opcode u_ibex_core.instr_rdata_id
                                                                  // this is a hidden assumption made by IBEX developers
                                                                  hardware public u_ibex_core.if_stage_i.instr_rdata_alu_id_o
116
                                                                  hardware public u_ibex_core.if_stage_i.instr_rdata_id_o
   // memory request name_contract name_hardware
117
   contract register read_val_1 BitVec 32
                                                                  // this encodes pre cycle and first cycle assumptions
118
   contract register read_addr_1 BitVec 32
                                                                  hardware equiv@pre:start+1 u_ibex_core.if_stage_i.
119
   hardware variable data rdata i

    instr_rdata_id_o u_ibex_core.if_stage_i.

120

    instr_rdata_alu_id_o

121
   memory raddr u_ibex_core.load_store_unit_i.adder_result_ex_i

    read_addr_1

                                                                  // annotation of input ports of ibex_top
   memory rdata data_rdata_i read_val_1
123
   memory req data_req_o
                                                                  124
                                                              168
   memory gnt data_gnt_i
                                                                  hardware public clk i
125
   memory ack data rvalid i
                                                                  hardware public ram_cfg_i
   memory we data_we_o
                                                                  hardware public test_en_i
                                                                  hardware public hart_id_i
128
   hardware public boot_addr_i
129
   // Non-regport signals that must be constrained
                                                                  // Instruction memory interface
130
   hardware public instr_gnt_i
131
   // fetching next instruction was successful, ready to
                                                                  hardware public instr_rvalid_i
132
                                                                  hardware public instr_rdata_i
        hardware const@end-1 u_ibex_core.if_stage_i.fetch_valid 0b1
                                                                  hardware public instr_err_i
   hardware const@pre u_ibex_core.if_stage_i.fetch_valid 0b1
                                                                  hardware public data_gnt_i
   // do not load a new instruction until last cycle
                                                                  hardware public data rvalid i
135
   hardware const@start:end-1 u_ibex_core.id_stage_i.
                                                                  hardware public data_err_i
                                                              181
                                                                  hardware const@pre: data_err_i 0b0

    id_in_ready_o 0b0

   // make sure that nothing retires before the end of the last
                                                                  // interrupts
                                                                  hardware public irq_software_i
   hardware const@start:end-1 u_ibex_core.instr_id_done 0b0
                                                                  hardware public irq_timer_i
   // make sure that an instruction has its last cycle in our
                                                                  hardware public irq_external_i
139
        → last cycle
                                                                  hardware public irq_fast_i
   hardware const@end-1 u_ibex_core.instr_id_done 0b1
                                                                  hardware public irq_nm_i
140
   hardware const@pre u_ibex_core.instr_id_done 0b1
                                                                  // disabling interrupts
141
   hardware const@start u_ibex_core.id_stage_i.decoder_i.
                                                                  hardware const@pre: irq_software_i 0b0
        hardware const@pre: irq_timer_i 0b0
                                                                  hardware const@pre: irq_external_i 0b0
   hardware const@pre: irq_fast_i 0b00000000000000
```

```
hardware const@pre: irg nm i 0b0
                                                                      hardware const@start u_ibex_core.load_store_unit_i.pmp_err_q
    // core debug
    hardware public debug_req_i
                                                                      // since data_err_i is never 1 and pmp_err_q is also not 1,
    hardware const@pre: debug_req_i 0b0
                                                                            \hookrightarrow this must be 0
    hardware public fetch_enable_i
                                                                      hardware public u_ibex_core.load_store_unit_i.lsu_err_q
                                                                  236
    hardware public scan rst ni
                                                                      hardware const@start u_ibex_core.load_store_unit_i.lsu_err_q
                                                                  237
                                                                            → 0b0
    hardware public u_ibex_core.load_store_unit_i.
    // annotate internal state of ibex
                                                                            hardware public u_ibex_core.id_stage_i.controller_i.
203
    hardware public core_busy_q

    illegal_insn_q

204
    hardware public u_ibex_core.instr_fetch_err
                                                                      hardware public u_ibex_core.id_stage_i.controller_i.
205
                                                                  240
    hardware public u ibex core.instr fetch err plus2
                                                                            \hookrightarrow do single step a
206
    // instructions in the prefetch fifo
                                                                      hardware public u_ibex_core.id_stage_i.controller_i.
    hardware public u_ibex_core.if_stage_i.instr_valid_id_q
                                                                           hardware public u_ibex_core.if_stage_i.instr_rdata_c_id_o
                                                                      // LSU register handling misaligned memory accesses which
    hardware public u_ibex_core.if_stage_i.gen_prefetch_buffer.

    ⇒ are not allowed by the contract

210

    prefetch_buffer_i.fifo_i.rdata_g0

                                                                      hardware public u_ibex_core.load_store_unit_i.rdata_q
    hardware public u_ibex_core.if_stage_i.gen_prefetch_buffer.
                                                                      contract leakagestate mem last read BitVec 32
                                                                  244
211

    prefetch_buffer_i.fifo_i.rdata_q1

                                                                      // Must be idle when new instruction reaches ID/EX
    hardware public u_ibex_core.if_stage_i.gen_prefetch_buffer.
                                                                      hardware public u_ibex_core.load_store_unit_i.ls_fsm_cs

    prefetch_buffer_i.fifo_i.rdata_q2

                                                                      hardware const@start u_ibex_core.load_store_unit_i.ls_fsm_cs
    hardware public u_ibex_core.if_stage_i.gen_prefetch_buffer.
213

    prefetch_buffer_i.fifo_i.err_q

                                                                      hardware variable u_ibex_core.load_store_unit_i.addr_last_q
    hardware public u_ibex_core.if_stage_i.gen_prefetch_buffer.
                                                                      hardware variable u_ibex_core.load_store_unit_i.
214
                                                                  249

    prefetch_buffer_i.fifo_i.valid_q
                                                                            hardware public u_ibex_core.if_stage_i.gen_prefetch_buffer.
                                                                      contract leakagestate mem last addr BitVec 32
215

    prefetch_buffer_i.rdata_pmp_err_q

                                                                      mapping leakagestate mem_last_addr u_ibex_core.
    hardware public u_ibex_core.if_stage_i.gen_prefetch_buffer.

    → load_store_unit_i.addr_last_q

    prefetch_buffer_i.discard_reg_q
                                                                      mapping leakagestate mem_last_addr u_ibex_core.
                                                                  252
    hardware public u_ibex_core.if_stage_i.gen_prefetch_buffer.

    → load_store_unit_i.rdata_offset_q

217

    prefetch_buffer_i.branch_discard_q
                                                                      hardware public u_ibex_core.load_store_unit_i.data_type_q
                                                                  253
    hardware public u_ibex_core.if_stage_i.gen_prefetch_buffer.
                                                                      hardware public u_ibex_core.load_store_unit_i.
                                                                  254

    prefetch_buffer_i.rdata_outstanding_q

    data_sign_ext_q

    hardware public u_ibex_core.if_stage_i.gen_prefetch_buffer.

    prefetch_buffer_i.fetch_addr_q

                                                                      // system registers
                                                                  256
                                                                      hardware public u_ibex_core.cs_registers_i.mie_q
    hardware public u_ibex_core.if_stage_i.gen_prefetch_buffer.
220
                                                                  257

    prefetch_buffer_i.stored_addr_q

                                                                      hardware public u_ibex_core.cs_registers_i.mtval_q
                                                                  258
                                                                      hardware public u_ibex_core.cs_registers_i.mcause_q
221
                                                                  259
    // instruction decode
                                                                      hardware public u_ibex_core.cs_registers_i.mscratch_q
222
                                                                      hardware public u_ibex_core.cs_registers_i.dscratch0_q
    hardware public u_ibex_core.id_stage_i.controller_i.

    ctrl fsm cs

                                                                      hardware public u_ibex_core.cs_registers_i.dscratch1_q
                                                                      hardware public u_ibex_core.cs_registers_i.mstack_q
    hardware public u_ibex_core.id_stage_i.controller_i.
                                                                  263
224
         → load err a
                                                                      hardware public u_ibex_core.cs_registers_i.mstack_cause_q
    hardware public u_ibex_core.id_stage_i.controller_i.
                                                                      hardware public u_ibex_core.cs_registers_i.mstack_epc_q
225
                                                                  265
                                                                      hardware public u_ibex_core.cs_registers_i.mstatus_q
         \hookrightarrow store err a
    hardware public u_ibex_core.id_stage_i.controller_i.
                                                                      hardware public u_ibex_core.cs_registers_i.dcsr_q

→ exc req_q

                                                                      hardware const@start u_ibex_core.cs_registers_i.dcsr_q 0
                                                                            hardware public u_ibex_core.id_stage_i.branch_set_raw
    hardware const@start u_ibex_core.id_stage_i.branch_set_raw 0
                                                                      hardware public u_ibex_core.cs_registers_i.mhpmcounter[0]
228
                                                                      hardware public u_ibex_core.cs_registers_i.mhpmcounter[1]
    hardware public u_ibex_core.id_stage_i.
                                                                      hardware public u ibex core.cs registers i.mhpmcounter[2]
229

    branch_jump_set_done_q

                                                                      hardware public u_ibex_core.cs_registers_i.mcountinhibit
                                                                  272
    hardware public u_ibex_core.load_store_unit_i.data_we_q
                                                                      hardware public u_ibex_core.csr_depc
230
                                                                      hardware public u_ibex_core.csr_mtvec
    // since data_pmp_err_i is 0, this should not be 1
                                                                      hardware public u_ibex_core.csr_mepc
    hardware public u_ibex_core.load_store_unit_i.pmp_err_q
                                                                      hardware public u_ibex_core.dummy_instr_en
```

# Power Contracts: Provably Complete Power Leakage Models for Processors

```
hardware public u_ibex_core.dummy_instr_mask

hardware public u_ibex_core.data_ind_timing

hardware public u_ibex_core.data_ind_timing

hardware public u_ibex_core.icache_enable

hardware public u_ibex_core.debug_mode

hardware public u_ibex_core.priv_mode_id

hardware public u_ibex_core.priv_mode_id
```