## From Trivial Composition to Full Verification and an Application to Masking in Hardware



Gaëtan Cassiers, François-Xavier Standaert

UCLouvain (Belgium)

VeriSiCC Seminar, Paris, France, September 2019

## Side-Channel Analysis


executed operations

## Side-Channel Analysis


executed operations

## Side-Channel Analysis


executed operations

## Side-Channel Analysis


executed operations

## Side-Channel Analysis



## Side-Channel Analysis



## Masking (e.g., Boolean $x=x_{0}+x_{1}+\cdots+x_{d}$ )



Noisy leakages security: $N \propto \frac{c}{\operatorname{MI}(X ; L)}$
Goal (ideally): $\operatorname{MI}(X ; \boldsymbol{L})<\operatorname{MI}\left(X_{i} ; L_{i}\right)^{d}$

## Masking (e.g., Boolean $x=x_{0}+x_{1}+\cdots+x_{d}$ )



Bounded moment security:

(d-1)th order statistical moment (ideally)


## Noisy leakages security: $N \propto \frac{c}{\operatorname{MI}(X ; L)}$

Goal (ideally): $\operatorname{MI}(X ; \boldsymbol{L})<\operatorname{MI}\left(X_{i} ; L_{i}\right)^{d}$

## Masking (e.g., Boolean $x=x_{0}+x_{1}+\cdots+x_{d}$ )



## Probing security:

Sets of (d-1) probes are $\Perp$ of $X$ (ideally)

PDF


Bounded moment security:

(d-1)th order statistical moment (ideally)


Noisy leakages security: $N \propto \frac{c}{\operatorname{MI}(X ; L)}$
Goal (ideally): $\operatorname{MI}(X ; L)<\operatorname{MI}\left(X_{i} ; L_{i}\right)^{d}$

## Security reductions





## bounded moment physical-qualitative

> [Barthe et al., Eurocrypt 2017]
[Duc et al., Eurocrypt 2014]


## What can go wrong? (e.g., when computing $a . b$ )

Issue \#1. Lack of randomness (can break the independence assumption)
$\left(\begin{array}{lll}a_{1} b_{1} & a_{1} b_{2} & a_{1} b_{3} \\ a_{2} b_{1} & a_{2} b_{2} & a_{2} b_{3} \\ a_{3} b_{1} & a_{3} b_{2} & a_{3} b_{3}\end{array}\right) \Rightarrow\left(\begin{array}{l}c_{1} \\ c_{2} \\ c_{3}\end{array}\right)$
Example: probing $c_{1}=a_{1} .\left(b_{1}+b_{2}+b_{3}\right)$ reveals information on $b$ (when $c_{1}=1$ )

## What can go wrong? (e.g., when computing $a . b$ )

Issue \#1. Lack of randomness (can break the independence assumption)
$\left(\begin{array}{lll}a_{1} b_{1} & a_{1} b_{2} & a_{1} b_{3} \\ a_{2} b_{1} & a_{2} b_{2} & a_{2} b_{3} \\ a_{3} b_{1} & a_{3} b_{2} & a_{3} b_{3}\end{array}\right)+\left(\begin{array}{ccc}0 & r_{1} & r_{2} \\ r_{2} & 0 & r_{3} \\ r_{2} & r_{3} & 0\end{array}\right) \Rightarrow\left(\begin{array}{l}c_{1} \\ c_{2} \\ c_{3}\end{array}\right)$

- mitigated by adding «refreshing gadgets»
- can be analyzed in the probing model


## What can go wrong? (e.g., when computing $a . b$ )

Issue \#1. Lack of randomness (can break the independence assumption)
$\left(\begin{array}{lll}a_{1} b_{1} & a_{1} b_{2} & a_{1} b_{3} \\ a_{2} b_{1} & a_{2} b_{2} & a_{2} b_{3} \\ a_{3} b_{1} & a_{3} b_{2} & a_{3} b_{3}\end{array}\right)+\left(\begin{array}{ccc}0 & r_{1} & r_{2} \\ r_{2} & 0 & r_{3} \\ r_{2} & r_{3} & 0\end{array}\right) \Rightarrow\left(\begin{array}{l}c_{1} \\ c_{2} \\ c_{3}\end{array}\right)$

- mitigated by adding «refreshing gadgets »
- can be analyzed in the probing model


## Issue \#2. Physical defaults

(can break the independence assumption)
Example: glitches (transcient values) «re-combine » the shares such that:

$$
L_{i}=\delta\left(x_{1} \cdot x_{2} \cdot x_{3}\right)
$$

(detected in the bounded moment model)


## What can go wrong? (e.g., when computing $a . b$ )

## Issue \#1. Lack of randomness (can break the independence assumption)

$\left(\begin{array}{lll}a_{1} b_{1} & a_{1} b_{2} & a_{1} b_{3} \\ a_{2} b_{1} & a_{2} b_{2} & a_{2} b_{3} \\ a_{3} b_{1} & a_{3} b_{2} & a_{3} b_{3}\end{array}\right)+\left(\begin{array}{ccc}0 & r_{1} & r_{2} \\ r_{2} & 0 & r_{3} \\ r_{2} & r_{3} & 0\end{array}\right) \Rightarrow\left(\begin{array}{l}c_{1} \\ c_{2} \\ c_{3}\end{array}\right)$

- mitigated by adding «refreshing gadgets »
- can be analyzed in the probing model


## Issue \#2. Physical defaults

(can break the independence assumption)

- mitigated by adding a « noncompleteness » property [ $\approx$ Theshold Implementations]
- abstract property: can be analyzed in the probing model!



## Technical challenge: scalability


q-probing security [ISW, 2004]: any $q$-tuple of shares in the protected circuit is independent of any sensitive variable

## Technical challenge: scalability


> q-probing security [ISW, 2004]: any $q$-tuple of shares in the protected circuit is independent of any sensitive variable

Problem: the cost of testing probing security increases (very) fast with circuit size and the \# of shares (since $\exists$ many tuples)

## Technical challenge: scalability


q-probing security [ISW, 2004]: any $q$-tuple of shares in the protected circuit is independent of any sensitive variable

Problem: the cost of testing probing security increases (very) fast with circuit size and the \# of shares (since $\exists$ many tuples)

- Solution \#1: direct verification of (weaker) circuit properties - [Barthe et al., 2015/2019], [Bloem et al., 2018]
- Solution \#2: composable verification with (stronger) properties
- [Barthe et al., 2016] - but limited to "abstract" circuits
- Solution \#3: test more specific properties [Arribas et al., 2018]


## Technical challenge: scalability


q-probing security [ISW, 2004]: any $q$-tuple of shares in the protected circuit is independent of any sensitive variable

Problem: the cost of testing probing security increases (very) fast with circuit size and the \# of shares (since $\exists$ many tuples)

- Solution \#1: direct verification of (weaker) circuit properties - [Barthe et al., 2015/2019], [Bloem et al., 2018]
- Solution \#2: composable verification with (stronger) properties - [Barthe et al., 2016] - but limited to "abstract" circuits
- Can be complementary: use \#1 for gadgets, \#2 for circuits


## Does it go wrong (for hardware masking)?

- State-of-the-art hardware-oriented masking schemes
- Consolidating Masking Scheme (CMS, 2015)
- Domain-Oriented Masking (DOM, 2016)
- Unified Masking Approach (UMA, 2017)
- Generic Low-Latency Masking (GLM, 2018)


## Does it go wrong (for hardware masking)?

- State-of-the-art hardware-oriented masking schemes
- Consolidating Masking Scheme (CMS, 2015)
- Domain-Oriented Masking (DOM, 2016)
- Unified Masking Approach (UMA, 2017)
- Generic Low-Latency Masking (GLM, 2018)
- Intuitively appealing constructions
- But no probing security proof at high orders
- Theoretical concern or practical risk?


## Does it go wrong (for hardware masking)?

- State-of-the-art hardware-oriented masking schemes
- Consolidating Masking Scheme (CMS, 2015)
- Domain-Oriented Masking (DOM, 2016)
- Unified Masking Approach (UMA, 2017)
- Generic Low-Latency Masking (GLM, 2018)
- Intuitively appealing constructions
- But no probing security proof at high orders
- Theoretical concern or practical risk?
- [Moos et al., 2019]: all the higher-order extensions of these schemes are affected by concrete flaws
- Next: CMS (local) and DOM (composability) examples...


## Consolidating Masking Scheme

- Local flaw in the "ring refreshing" algorithm
- Attack with 3 probes for any $d>3$ shares


Problem: most of the randomness cancels out...

## Consolidating Masking Scheme

- Local flaw in the "ring refreshing" algorithm
- Attack with 3 probes for any $d>3$ shares


Problem: most of the randomness cancels out...

Fix proposed by De Cnudde ( $\Rightarrow$ CMS more similar to DOM)

Composability remains unclear


## Composability requirements (example)


$\boldsymbol{q}$-(Strong) Non Interference [Barthe et al., CCS 2016]: a circuit gadget (e.g., $\mathrm{f}_{1}$ ) is $\mathrm{NI}(\mathrm{SNI})$ any set of $q_{1}+q_{2}$ probes can be simulated with at most $q_{1}+q_{2}$ (only $q_{1}$ ) shares of each input

D (input shares||probes) $\approx \mathrm{D}$ (input shares\|simulation)

## Composability requirements (example)


$\boldsymbol{q}$-(Strong) Non Interference [Barthe et al., CCS 2016]: a circuit gadget (e.g., $\mathrm{f}_{1}$ ) is $\mathrm{NI}(\mathrm{SNI})$ any set of $q_{1}+q_{2}$ probes can be simulated with at most $q_{1}+q_{2}$ (only $q_{1}$ ) shares of each input

D (input shares||probes) $\approx \mathrm{D}$ (input shares\|simulation)

## Domain Oriented Masking

- Two algorithms: DOM-indep and DOM-dep
- DOM-indep not sufficient to compose, e.g., $z=x \otimes x$

$$
\left(\begin{array}{l}
z_{0} \\
z_{1} \\
z_{2}
\end{array}\right)=\left(\begin{array}{cccc}
x_{0} \otimes x_{0} & \oplus\left(\begin{array}{cc}
\left.x_{0} \otimes x_{1} \oplus r_{0}\right) & \oplus \\
\left(x_{0} \otimes x_{2} \oplus r_{1}\right) \\
\left(x_{1} \otimes x_{0} \oplus r_{0}\right) & \oplus \\
\left(x_{2} \otimes x_{0} \oplus r_{1}\right) & \oplus \\
\oplus & \left(x_{1} \otimes x_{1} \otimes x_{1} \oplus r_{2}\right)
\end{array}\right) \oplus & \oplus & \left(x_{1} \otimes x_{2} \oplus r_{2}\right) \\
x_{2} \otimes x_{2}
\end{array}\right)
$$

## Domain Oriented Masking

Two algorithms: DOM-indep and DOM-dep

- DOM-indep not sufficient to compose, e.g., $z=x \otimes x$

$$
\left(\begin{array}{l}
z_{0} \\
z_{1} \\
z_{2}
\end{array}\right)=\left(\begin{array}{ccccc}
x_{0} \otimes x_{0} & \oplus & \left(x_{0} \otimes x_{1} \oplus r_{0}\right) & \oplus & \left(x_{0} \otimes x_{2} \oplus r_{1}\right) \\
\left(x_{1} \otimes x_{0} \oplus r_{0}\right) & \oplus & x_{1} \otimes x_{1} & \oplus & \left(x_{1} \otimes x_{2} \oplus r_{2}\right) \\
\left(x_{2} \otimes x_{0} \oplus r_{1}\right) & \oplus & \left(x_{2} \otimes x_{1} \oplus r_{2}\right) & \oplus & x_{2} \otimes x_{2}
\end{array}\right)
$$

$\Rightarrow$ DOM-dep critical to compose but broken (\& no fix)

## Domain Oriented Masking

- Two algorithms: DOM-indep and DOM-dep
- DOM-indep not sufficient to compose, e.g., $z=x \otimes x$

$\Rightarrow$ DOM-dep critical to compose but broken (\& no fix)
- SOTA (2018): $\exists$ composable masking schemes that ignore physical defaults such as glitches \& hardwareoriented masking schemes that mitigate glitches but are at best probing secure (so not provably composable)


## (Refined) model and security definition



Glitch-extended probes: probing any output of a combinatorial circuit allows the adversary to observe all the circuit inputs

Example: $p_{1}$ gives $a, b$ and $c$

## (Refined) model and security definition



Glitch-extended probes: probing any output of a combinatorial circuit allows the adversary to observe all the circuit inputs

Example: $p_{1}$ gives $a, b$ and $c$
(SNI-related) clarification: the adversary can also probe the stable register output $d$ so both $p_{1}$ and $p_{2}$ appear in proofs

## (Refined) model and security definition



Glitch-extended probes: probing any output of a combinatorial circuit allows the adversary to observe all the circuit inputs Example: $p_{1}$ gives $a, b$ and $c$
(SNI-related) clarification: the adversary can also probe the stable register output $d$ so both $p_{1}$ and $p_{2}$ appear in proofs

Definition: a gadget is glitch-robust $\boldsymbol{q}$-SNI if it is $q$-SNI in the "glitch-extended" probing model

## (Refined) model and security definition



Glitch-extended probes: probing any output of a combinatorial circuit allows the adversary to observe all the circuit inputs Example: $p_{1}$ gives $a, b$ and $c$
(SNI-related) clarification: the adversary can also probe the stable register output $d$ so both $p_{1}$ and $p_{2}$ appear in proofs

Definition: a gadget is glitch-robust q-SNI if it is q-SNI in the "glitch-extended" probing model
$\Rightarrow$ Shares' fan in of secure gadgets should be minimum

## (Refined) model and security definition



Glitch-extended probes: probing any output of a combinatorial circuit allows the adversary to observe all the circuit inputs

Example: $p_{1}$ gives $a, b$ and $c$
(SNI-related) clarification: the adversary can also probe the stable register output $d$ so both $p_{1}$ and $p_{2}$ appear in proofs

Definition: a gadget is glitch-robust $q-S N I$ if it is $q$-SNI in the "glitch-extended" probing model
$\Rightarrow$ Shares' fan in of secure gadgets should be minimum
$\Rightarrow$ Output probes (excluded in the SNI count) must be stable

## Note: the problem must be solved jointly

- TI gadget + SNI refresh + register: robust against glitches \& composable without glitches (not both)

- Extended probe on $c^{\prime}$ reveals all $R^{\prime}$ s randomness


## Note: the problem must be solved jointly

- TI gadget + SNI refresh + register: robust against glitches \& composable without glitches (not both)

- Extended probe on c' reveals all R's randomness
- Adding a register does not help (just probe c)



## ISW mult. is glitch-robust $q-$ SNI in 2 cycles



## ISW mult. is glitch-robust $q$-SNI in 2 cycles



## ISW mult. is glitch-robust $q$-SNI in 2 cycles



## ISW mult. is glitch-robust $q$-SNI in 2 cycles



## ISW mult. is glitch-robust $q$-SNI in 2 cycles



## ISW mult. is glitch-robust $q$-SNI in 2 cycles



## ISW mult. is glitch-robust $q$-SNI in 2 cycles



## ISW mult. is glitch-robust $q$-SNI in 2 cycles

$$
\begin{aligned}
& \text { - } \mathbf{G}\left(u_{1,2}\right):=\left(a_{1}, b_{2}, r_{1,2}\right) \\
& \text { - } \mathbf{G}\left(c_{1}\right):=\left(u_{1,1}, u_{2,1}, u_{3,1}\right) \\
& \text { - } a_{1}, b_{2} \text { : use a } 1^{\text {st }} \text { share of } a, b \\
& \text { - } r_{1,2} \text { : random value } \\
& \text { - } u_{1,1}\left(a_{1} b_{1}\right) \text { : use a } 2^{\text {nd }} \text { share of } b \\
& \text { - } u_{2,1}\left(a_{2} b_{1}\right) \text { use a } 2^{\text {nd }} \text { share of } a \\
& \text { - } u_{3,1}\left(a_{3} b_{1}+r_{1,3}\right) \text { : random value }
\end{aligned}
$$

## ISW mult. is glitch-robust $q$-SNI in 2 cycles



## ISW mult. is glitch-robust $q$-SNI in 2 cycles



## DOM-indep is glitch-robust $q$-NI in 1 cycle



## Approaches to composition

- [Faust et al., 2018]: glitch-robust SNI mult. in 2 cycles
- DOM-indep: glitch-robust NI mult. in 1 cycle
- What can we construct based on that?


## Approaches to composition

- [Faust et al., 2018]: glitch-robust SNI mult. in 2 cycles
- DOM-indep: glitch-robust NI mult. in 1 cycle - What can we construct based on that?
- [Cassiers et al., 2019] proof that any compositional strategy that is correct in the standard probing model remains valid in the robust probing model


## Approaches to composition

- [Faust et al., 2018]: glitch-robust SNI mult. in 2 cycles
- DOM-indep: glitch-robust NI mult. in 1 cycle - What can we construct based on that?
- [Cassiers et al., 2019] proof that any compositional strategy that is correct in the standard probing model remains valid in the robust probing model
$\Rightarrow$ Both trivial composition (e.g., using only SNI gadgets) or optimized composition (e.g., combining $\mathrm{NI} / \mathrm{SNI}$ multiplications with SNI refreshes) can work
$\approx$ tradeoff between verification complexity and performance


## Approaches to composition

- [Faust et al., 2018]: glitch-robust SNI mult. in 2 cycles
- DOM-indep: glitch-robust NI mult. in 1 cycle - What can we construct based on that?
- [Cassiers et al., 2019] proof that any compositional strategy that is correct in the standard probing model remains valid in the robust probing model
$\Rightarrow$ Both trivial composition (e.g., using only SNI gadgets) or optimized composition (e.g., combining $\mathrm{NI} / \mathrm{SNI}$ multiplications with SNI refreshes) can work
$\approx$ tradeoff between verification complexity and performance
- Next: focus on trivial composition (natural first step \& instrumental in our tool for full verification)


## Improving trivial composition

- Linear gadgets enable share isolation

$\Rightarrow$ Informally we expect trivial composition for free


## Improving trivial composition

- Linear gadgets enable share isolation

$\Rightarrow$ Informally we expect trivial composition for free
- But "share-by-share" linear gadgets are only NI

$\Rightarrow$ Trivial SNI composition must refresh linear gadgets


## Probe Isolating Non-Interference (PINI)

- [Cassiers \& Standaert, 2018]: gadgets should behave (w.r.t. simulatability) as if shares were isolated

$\Rightarrow$ "share-by-share" linear gadgets are PINI (formalizes the idea of circuit share in DOM/TIs)
- Theorem: any combination of $q$-PINI gadgets is $q$-PINI


## Probe Isolating Non-Interference (PINI)

[Cassiers \& Standaert, 2018]: gadgets should behave (w.r.t. simulatability) as if shares were isolated

$\Rightarrow$ "share-by-share" linear gadgets are PINI (formalizes the idea of circuit share in DOM/TIs)

- Theorem: any combination of q-PINI gadgets is $q$-PINI
- Used to prove a strategy by [Goudarzi \& Rivain, 2017]
- But can lead to much more...



## Hardware Private Circuits

- ( $\exists$ more efficient PINI multiplications in software)


## Hardware Private Circuits

## ( $\exists$ more efficient PINI multiplications in software)

- Significantly improves trivial composition in hardware

[Faust et al., 2018]: SNI-based PINI mult. in 4 cycles


## Hardware Private Circuits

## ( $\exists$ more efficient PINI multiplications in software)

- Significantly improves trivial composition in hardware

> [Faust et al., 2018]: SNI-based PINI mult. in 4 cycles

[Cassiers et al., 2019]: PINI maintained without output register (...remember this would not work with SNI)

## Hardware Private Circuits

- ( $\exists$ more efficient PINI multiplications in software)
- Significantly improves trivial composition in hardware

> [Faust et al., 2018]: SNI-based PINI mult. in 4 cycles

[Cassiers et al., 2019]: PINI maintained without output register \& refresh randomness can be accumulated off-path

## Hardware Private Circuits

- ( $\exists$ more efficient PINI multiplications in software)
- Significantly improves trivial composition in hardware


$$
\begin{aligned}
& \text { [Faust et al., 2018]: } \\
& \text { SNI-based PIN mult. } \\
& \text { in } 4 \text { cycles }
\end{aligned}
$$

[Cassiers et al., 2019]: PINI maintained without output register \& refresh randomness can be accumulated off-path $\approx$ optimization of [Faust et al., 2018] or fix of DOM

## Other PINI advantages

- First efficient glitch-resistant masking scheme that is provably composable at arbitrary orders
- Further improvements with optimized composition are an interesting open problem
- But overheads compared to 1-cycle DOM limited
- Especially for some S-box structures that can take advantage of the input refreshing asymmetry


## Other PINI advantages

- First efficient glitch-resistant masking scheme that is provably composable at arbitrary orders
- Further improvements with optimized composition are an interesting open problem
- But overheads compared to 1-cycle DOM limited
- Especially for some S-box structures that can take advantage of the input refreshing asymmetry
- Instrumental in the design of full verification tool
- Composable verification like [Barthe et al., 2016] that applies to synthetized VHDL code rather than abstract (e.g., glitch-free) circuit descriptions
- Also captures transitions (thanks to isolation)?


## State-of-the-art tools (roughly)

|  | abstract | concrete |
| :---: | :---: | :---: |
| direct | Barthe et al. <br> (Eurocrypt 2015) | REBECCA <br> (Eurocrypt 2018) <br> maskVerif <br> (ESORICS 2019) |
| comp.-based | maskComp. <br> (ACM CCS 2016) <br> Tight Private Circuits <br> (Asiacrypt 2018) | fullVerif <br> (new) |

## State-of-the-art tools (roughly)



- $\exists$ other approaches (e.g., spanning multiples cells like the one by Eldib et al., or aiming at different, more specific, goals like the one of Arribas et al.)


## State-of-the-art tools (roughly)

|  | abstract | concrete |
| :---: | :---: | :---: |
| direct | Barthe et al. <br> (Eurocrypt 2015) | REBECCA <br> (Eurocrypt 2018) <br> maskVerif <br> (ESORICS 2019) |
| comp.-based | maskComp. <br> (ACM CCS 2016) <br> Tight Private Circuits <br> (Asiacrypt 2018) | fullVerif <br> (new) |

- $\exists$ other approaches (e.g., spanning multiples cells like the one by Eldib et al., or aiming at different, more specific, goals like the one of Arribas et al.)
- Next, first full verification tool that applies to synthetized HDL code and captures all physical defaults that can be naturally modeled with probes (i.e., transitions \& glitches)


## Hardware composition verification tool

Trivial composition makes it simple for the designer:
"Just connect PINI gadgets together."
Do you really want to write a tool to check that all gadgets are PINI ?
for gadget in gadgets:
assert gadget.is_pini(); // Uses maskVerif
Done?

## A masked Verilog block cipher implementation

## Code:

- ~30 files
- ~4k LoC

Parmeters:

- $d=2, \ldots, 16$
- roll_sb $=0, \ldots, 5$
- roll_lb = 0, 1, 2
$15 * 6 * 3=270$ parameter sets

Complex code:

- FSM
- loops
- procedurally generated code
- pipelining
- thousands of gadget instances
-     - ...


## Example LoC:

```
rinrfrs1_chunk[Nrndrfrs1_each-1+ii*Nrndrfrs1_each -: Nrndrfrs1_each]
<= {rinrfrs1[(Nrndrfrs1_each/4)*4-1+(ii+8)*Nrndrfrs1_each - :
(Nrndrfrs1_each/4)],{(Nrndrfrs1_each/4){1'b0}}, rinrfrs1[(Nrndrfrs1_each/4)*2-
1+(ii+8)*Nrndrfrs1_each -: (Nrndrfrs1_each/4)],{(Nrndrfrs1_each/4){1'b0}}};
```

Is this thing (glitch,transition)-robust t-probing secure ?

## What could go wrong ?

- Bad randomness input to gadgets
- Re-order of wires in a sharing
- Mix clock signals
- Mix valid and invalid data
- Output data at the right cycle
- Keep state around after computation is over

Code written by a side-channel expert hardware designer.
And no:

- Use non-PINI gadgets
(Experiment might be biased.)


## Tool workflow



- 2.5kLoC
- <10s runtime

Flexible: it is easy to implement other strategies.

## Tool workflow



- 2.5kLoC
- <10s to check

Checking other strategies: 1 box change!

## Source annotations

```
1 (* psim_prop = "PINI", psim_strat = "assumed", psim_order=d *)
2 module and_pini #(parameter d=2) (ina, inb, rnd, cl\overline{k}, out);
3
4 `include "ref_rnd.inc"
localparam n_rnd_mul = d*(d-1)/2;
localparam n_rnd = and_pini_nrnd;
(* psim_type = "sharing", psim_latency = 1 *) input [d-1:0] ina;
(* psim_type = "sharing", psim_latency = 0 *) input [d-1:0] inb;
10 (* psim_type = "sharing", psim_latency = 2 *) output [d-1:0] out;
1 1 ~ ( * ~ p s i m \_ t y p e ~ = ~ " c l o c k " ~ * ) ~ i n p u t ~ c l k ;
12 (*
23 wire [d-1:0] inb_ref;
24 MSKref \#(.d(d)) rfrsh (.in(inb), .clk(clk), .out(inb_ref), .rnd(rnd_ref));
25 MSKand \#(.d(d)) mul (.ina(ina), .inb(inb_ref), .clk(clk), .rnd(rnd_mul), .out(out));
26
27 endmodule
```


## Source annotations: composite gadget

1 (* psim_prop = "PINI", psim_strat = "composite", psim_order=d *)
2 module MSKspook_sbox \#(parameter d=4) (in, rnd_ref, rnd_mul, clk, out);
6 (* psim_type = "sharing", psim_latency = 0, psim_count=spook_sbox_nbits*)
7 input [d*spook_sbox_nbits-1:0] in;
8 (* psim_type = "sharing", psim_latency = spook_sbox_lat, psim_count=spook_sbox_nbits *)
9 output [d*spook_sbox_nbits-1:0] out;
10 (* psim_type = "clock" *) input clk;
11 (*
12 psim_type = "random", psim_count=6,
13 psim_rnd_lat_0=0, psim_rnd_count_0=2*ref_lat_0,

21 psim_type = "random", psim_count=2,
22 psim_rnd_lat_0=0, psim_rnd_count_0=2*and_pini_lat_1,
23 psim_rnd_lat_1=1, psim_rnd_count_1=2*and_pini_lat_1
24 *) input [4*and_pini_lat_1-1:0] rnd_mul;
26 MSKreg \#(d) reg1 (clk, 1'b0, in[d+d*(3)-1 -: d], x0F);
27 MSKreg \#(d) reg2 (clk, 1'b0, in[d+d*(2)-1 -: d], x1F);

## Source annotations: flatten (for the lazy)

```
1 (* psim_prop = "PINI", psim_strat = "composite", psim_order=d *)
2 module MSKsbox_unit \# (
3 parameter \(\mathrm{d}=2\),
4 parameter \(\operatorname{PDSBOX}=0\),
5 parameter Nbits = 128,
6 // Generation params (DO NOT TOUCH)
7 localparam AM_BUND_cols = 2**PDSBOX,
8 localparam SIZE_BUND_cols = d*Nbits/AM_BUND_cols,
9 localparam AM_cols = 32/AM_BUND_cols
10 ) (cols, rnd, clk, cols_post_sb);
11 `include "spook_sbox_rnd.inc"
12 input [SIZE_BUND_cols-1:0] cols;
13 input [spook_sbox_rnd*(SIZE_BUND_cols/(4*d))-1:0] rnd;
14 input clk;
15 output [SIZE_BUND_cols-1:0] cols_post_sb;
16 genvar i;
17 for( \(\left.i=0 ; i<A M \_c o l s ; i=i+1\right)\) begin: sb
18 MSKspook_sbox \#(.d(d)) sbi (
        .in(cols[(i+1)*4*d-1:i*4*d]),
        .rnd_ref(rnd \([(i+1) * 4 *\) ref_n_rnd-1 +(32/(2**PDSBOX))*and_pini_lat_1
        .rnd_mul(rnd[ (i+1)*4*and_pini_lat_1 -1
        .clk(clk),
    .out(cols_post_sb[(i+1)*4*d-1:i*4*d])
        );
    end
26 endmodule
```


## THANKS

http://perso.uclouvain.be/fstandae/

