Formally Proved Security of Assembly Code Against Power Analysis: A Case Study on Balanced Logic

In his keynote speech at CHES 2004, Kocher advocated that side-channel attacks were an illustration that formal cryptography was not as secure as it was believed because some assumptions (e.g., no auxiliary information is available during the computation) were not modeled. This failure is caused by formal methods’ focus on models rather than implementations. In this paper we present formal methods and tools for designing protected code and proving its security against power analysis. These formal methods avoid the discrepancy between the model and the implementation by working on the latter rather than on a high-level model. Indeed, our methods allow us (a) to automatically insert a power balancing countermeasure directly at the assembly level, and to prove the correctness of the induced code transformation; and (b) to prove that the obtained code is balanced with regard to a reasonable leakage model. We also show how to characterize the hardware to use the resources which maximize the relevancy of the model. The tools implementing our methods are then demonstrated in a case study on an 8-bit AVR smartcard for which we generate a provably protected present implementation that reveals to be at least 250 times more resistant to CPA attacks.

💡 Research Summary

The paper addresses the longstanding gap between formal verification methods and real‑world side‑channel resistance by operating directly on assembly code rather than on abstract algorithmic models. The authors focus on power analysis attacks—Simple Power Analysis (SPA) and Differential Power Analysis (CPA/DPA)—which exploit the correlation between a device’s power consumption and the secret data it processes. Traditional formal methods model cryptographic algorithms but ignore the physical leakage that occurs during implementation, leading to a mismatch between proven security and actual vulnerability.

To bridge this gap, the authors adopt Dual‑rail with Precharge Logic (DPL), a well‑known hardware countermeasure that represents each logical bit as a pair of physical bits (y_false, y_true). The DPL protocol consists of a pre‑charge phase that forces every pair into a known (0,0) state, followed by an evaluation phase where a logical ‘0’ is encoded as (1,0) and a logical ‘1’ as (0,1). Because both wires transition in a balanced way, the instantaneous power consumption becomes independent of the logical value, thwarting power‑analysis attacks that rely on Hamming‑weight or Hamming‑distance leakage models.

The novelty of the work lies in implementing DPL entirely in software on an off‑the‑shelf 8‑bit AVR microcontroller. The authors first identify two “indistinguishable” resources within the processor—pairs of bits in registers or memory cells—that can serve as the false/true rails. They then define a set of DPL macros that operate at the bit level, duplicating every logical operation in both positive and negative polarity. By systematically rewriting the original assembly program into a DPL‑augmented version, they ensure that every intermediate value is represented by a balanced pair.

Two formal guarantees are provided. First, the transformation is shown to be semantics‑preserving: the functional behavior (input‑output relation) of the original program is unchanged. This is proved using a Coq‑style logical framework that models the operational semantics of AVR assembly and the DPL macros, and then automatically verifies that each macro is equivalent to its corresponding original instruction. Second, the authors prove that the transformed code is power‑balanced with respect to a bounded leakage model. They adopt a Hamming‑weight/distance model, which is widely accepted for CMOS devices, and employ a symbolic execution engine to explore all possible execution paths. The engine generates symbolic expressions for the power consumption of each instruction and checks that, under the hardware assumptions (identical capacitance and switching characteristics for the two rails), the expressions are independent of the secret data.

The implementation of these methods is encapsulated in a tool called “paioli”, written in OCaml. Paioli parses AVR assembly, inserts the DPL macros automatically, and then runs the symbolic analysis to certify the absence of data‑dependent power leakage. It also includes a hardware‑characterization module that, given a description of the microcontroller’s register file and memory layout, selects the most suitable pair of bits for the false/true rails, thereby maximizing the relevance of the leakage model.

The authors validate their approach on a concrete case study: a software implementation of the PRESENT block cipher running on an AVR ATmega microcontroller. The unprotected version of PRESENT exhibits a high signal‑to‑noise ratio (SNR) in power traces, making it vulnerable to CPA attacks. After applying paioli’s automatic DPL insertion, the resulting implementation shows a reduction of the SNR by a factor of roughly 16, which translates into at least a 250‑fold increase in resistance to CPA attacks, as measured by standard statistical tests. Performance overhead is modest: code size roughly doubles, and execution time increases by a factor of three, which is considerably lower than the overhead reported for high‑order masking schemes (often 40‑to‑90× slower).

In the related‑work discussion, the paper contrasts DPL with masking techniques. Masking relies on random values to decorrelate the leakage but suffers from high randomness cost, vulnerability to higher‑order attacks, and difficulty of formal analysis due to glitches and implementation‑specific side effects. DPL, by contrast, is a “curative” countermeasure that aims to make the leakage constant, independent of data, and does not require randomness. The authors also note that other dual‑rail styles (WDDL, MDPL, BCDL) have been proposed for hardware, but their software‑level realization is novel and avoids the costly place‑and‑route constraints of hardware implementations.

The paper concludes that formal methods can indeed be applied directly to low‑level code to provide mathematically provable side‑channel resistance. The combination of automatic code transformation, semantic preservation proofs, and static symbolic leakage analysis constitutes a practical pathway toward certifiable secure implementations on constrained devices. Future work is suggested in extending the approach to more complex microarchitectures, handling electromagnetic leakage, and integrating the methodology into broader certification frameworks such as Common Criteria.