Quantile: Quantifying Information Leakage


  • Vedad Hadžić Graz University of Technology, Graz, Austria
  • Gaëtan Cassiers Graz University of Technology, Graz, Austria
  • Robert Primas Intel Labs, Hillsboro, USA
  • Stefan Mangard Graz University of Technology, Graz, Austria
  • Roderick Bloem Graz University of Technology, Graz, Austria




Side-channel attacks, Masking, Verification


The masking countermeasure is very effective against side-channel attacks such as differential power analysis. However, the design of masked circuits is a challenging problem since one has to ensure security while minimizing performance overheads. The security of masking is often studied in the t-probing model, and multiple formal verification tools can verify this notion. However, these tools generally cannot verify large masked computations due to computational complexity.
We introduce a new verification tool named Quantile, which performs randomized simulations of the masked circuit in order to bound the mutual information between the leakage and the secret variables. Our approach ensures good scalability with the circuit size and results in proven statistical security bounds. Further, our bounds are quantitative and, therefore, more nuanced than t-probing security claims: by bounding the amount of information contained in the lower-order leakage, Quantile can evaluate the security provided by masking even when they are not 1-probing secure, i.e., when they are classically considered as insecure. As an example, we apply Quantile to masked circuits of Prince and AES, where randomness is aggressively reused.




How to Cite

Hadžić, V., Cassiers, G., Primas, R., Mangard, S., & Bloem, R. (2023). Quantile: Quantifying Information Leakage. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2024(1), 433–456. https://doi.org/10.46586/tches.v2024.i1.433-456