{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,6]],"date-time":"2026-05-06T04:15:40Z","timestamp":1778040940090,"version":"3.51.4"},"reference-count":51,"publisher":"International Association for Cryptologic Research","issue":"1","license":[{"start":{"date-parts":[[2026,2,3]],"date-time":"2026-02-03T00:00:00Z","timestamp":1770076800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2026,4,28]]},"abstract":"<jats:p>Efficient and practically secure masked software implementations are faced with significant challenges. A fundamental reason is the unknown nature of micro-architectures of commercial processors and their leakage-inducing effects. Thus, even though provably secure software algorithms have been presented in the literature, implementing them in practice requires additional consideration.<\/jats:p>\n                  <jats:p>In this work, we tackle horizontal leakage effects originating in the ALU micro-architecture of CPUs. Horizontal leakage is emitted when ALU operations require the combination of values at different bit indices to yield the correct result and gives adversaries the joint information of multiple bits within a register. This led to the belief that no more than one share of a secret value must be present in the same register at any point. We show that this restriction is not universally true. We introduce barriers within a register that stop horizontal leakage within it, and thus allow multiple shares of the same secret to be placed within a single register. This enables us to operate on multiple shares within a single software instruction and therefore increase efficiency.
With our proposed share and barrier layout, we present practical case studies on a full AES round and the AES-prime Sbox and show their SCA security with up to one million traces.<\/jats:p>","DOI":"10.62056\/ana69qdja","type":"journal-article","created":{"date-parts":[[2026,5,4]],"date-time":"2026-05-04T18:09:08Z","timestamp":1777918148000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":0,"title":["Horizontal Leakage in Micro-Architectures"],"prefix":"10.62056","volume":"3","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3682-1567","authenticated-orcid":false,"given":"Jannik","family":"Zeitschner","sequence":"first","affiliation":[{"id":[{"id":"https:\/\/ror.org\/04tsk2644","id-type":"ROR","asserted-by":"publisher"}],"name":"Ruhr-University Bochum","place":["Universit\u00e4tsstra\u00dfe 150, Bochum, 44801, Germany"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1626-6175","authenticated-orcid":false,"given":"John","family":"Gaspoz","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/05f950310","id-type":"ROR","asserted-by":"publisher"}],"name":"Catholic University Leuven","place":["Oude Markt 13, Leuven, 3000, Belgium"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3133-9261","authenticated-orcid":false,"given":"Svetla","family":"Nikova","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/05f950310","id-type":"ROR","asserted-by":"publisher"}],"name":"Catholic University Leuven","place":["Oude Markt 13, Leuven, 3000, Belgium"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4032-7433","authenticated-orcid":false,"given":"Amir","family":"Moradi","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/05n911h24","id-type":"ROR","asserted-by":"publisher"}],"name":"Technical University 
Darmstadt","place":["Karolinenplatz 5, Darmstadt, 64289, Germany"]}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"48349","published-online":{"date-parts":[[2026,5,4]]},"reference":[{"key":"ref1:C:Kocher96","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"104","DOI":"10.1007\/3-540-68697-5_9","article-title":"Timing Attacks on Implementations of Diffie-Hellman,\n  RSA, DSS, and Other Systems","volume":"1109","author":"Paul C. Kocher","year":"1996"},{"key":"ref2:C:KocJafJun99","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"388","DOI":"10.1007\/3-540-48405-1_25","article-title":"Differential Power Analysis","volume":"1666","author":"Paul C. Kocher","year":"1999"},{"key":"ref3:EC:BDMRW20","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"311","DOI":"10.1007\/978-3-030-45727-3_11","article-title":"Tornado: Automatic Generation of Probing-Secure Masked\n  Bitsliced Implementations","volume":"12107","author":"Sonia Bela\u00efd","year":"2020"},{"key":"ref4:DBLP:journals\/tches\/ZeitschnerMM23","doi-asserted-by":"publisher","first-page":"391","DOI":"10.46586\/TCHES.V2023.I3.391-421","article-title":"PROLEAD_SW Probing-Based Software Leakage Detection for\n  ARM Binaries","volume":"2023","author":"Jannik Zeitschner","year":"2023","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. 
Syst."},{"key":"ref5:DBLP:conf\/asiacrypt\/GigerlPM21","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/978-3-030-92075-3_1","article-title":"Secure and Efficient Software Masking on Superscalar\n  Pipelined Processors","author":"Barbara Gigerl","year":"2021"},{"key":"ref6:DBLP:journals\/tches\/GaspozD23","doi-asserted-by":"publisher","DOI":"10.46586\/tches.v2023.i2.155-179","article-title":"Threshold Implementations in Software: Micro-architectural\n  Leakages in Algorithms","author":"John Gaspoz","year":"2023","journal-title":"CHES"},{"key":"ref7:DBLP:journals\/tches\/CassiersMMMS23","doi-asserted-by":"publisher","first-page":"482","DOI":"10.46586\/TCHES.V2023.I2.482-518","article-title":"Prime-Field Masking in Hardware and its Soundness against\n  Low-Noise SCA Attacks","volume":"2023","author":"Ga\u00ebtan Cassiers","year":"2023","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"ref8:DBLP:conf\/acns\/GigerlPM23","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/978-3-031-33488-7_1","article-title":"Formal Verification of Arithmetic Masking in Hardware and\n  Software","author":"Barbara Gigerl","year":"2023"},{"key":"ref9:DBLP:journals\/tches\/BronchainC22","doi-asserted-by":"publisher","first-page":"553","DOI":"10.46586\/tches.v2022.i4.553-588","article-title":"Bitslicing Arithmetic\/Boolean Masking Conversions for Fun\n  and Profit with Application to Lattice-Based KEMs","volume":"2022","author":"Olivier Bronchain","year":"2022","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. 
Syst."},{"key":"ref10:DBLP:conf\/eurocrypt\/MasureMMS23","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"596","DOI":"10.1007\/978-3-031-30634-1_20","article-title":"Effective and Efficient Masking with Low Noise Using\n  Small-Mersenne-Prime Ciphers","author":"Lo\u00efc Masure","year":"2023"},{"key":"ref11:C:IshSahWag03","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"463","DOI":"10.1007\/978-3-540-45146-4_27","article-title":"Private Circuits: Securing Hardware against Probing\n  Attacks","volume":"2729","author":"Yuval Ishai","year":"2003"},{"key":"ref12:DBLP:journals\/tches\/FaustGPPS18","doi-asserted-by":"publisher","DOI":"10.13154\/tches.v2018.i3.89-120","article-title":"Composable Masking Schemes in the Presence of Physical\n  Defaults & the Robust Probing Model","author":"Sebastian Faust","year":"2018","journal-title":"CHES"},{"key":"ref13:DBLP:journals\/tc\/CassiersGLS21","doi-asserted-by":"publisher","first-page":"1677","DOI":"10.1109\/TC.2020.3022979","article-title":"Hardware Private Circuits: From Trivial Composition to Full\n  Verification","volume":"70","author":"Ga\u00ebtan Cassiers","year":"2021","journal-title":"IEEE Trans. Computers"},{"key":"ref14:DBLP:conf\/cosade\/MominCS22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"257","DOI":"10.1007\/978-3-030-99766-3_12","article-title":"Handcrafting: Improving Automated Masking in Hardware with\n  Manual Optimizations","author":"Charles Momin","year":"2022"},{"key":"ref15:DBLP:journals\/tches\/KnichelSM22","doi-asserted-by":"publisher","first-page":"323","DOI":"10.46586\/tches.v2022.i1.323-344","article-title":"Generic Hardware Private Circuits: Towards Automated\n  Generation of Composable Secure Gadgets","volume":"2022","author":"David Knichel","year":"2022","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. 
Syst."},{"key":"ref16:DBLP:journals\/tches\/KnichelMMS22","doi-asserted-by":"publisher","DOI":"10.46586\/tches.v2022.i1.589-629","article-title":"Automated Generation of Masked Hardware","author":"David Knichel","year":"2022","journal-title":"CHES"},{"key":"ref17:DBLP:journals\/tches\/CassiersSV24","doi-asserted-by":"publisher","DOI":"10.46586\/TCHES.V2024.I3.603-633","article-title":"Low-Latency Masked Gadgets Robust against Physical Defaults\n  with Application to Ascon","author":"Ga\u00ebtan Cassiers","year":"2024","journal-title":"CHES"},{"key":"ref18:DBLP:journals\/tches\/MullerM24a","doi-asserted-by":"publisher","DOI":"10.46586\/TCHES.V2024.I4.451-482","article-title":"Robust but Relaxed Probing Model","author":"Nicolai M\u00fcller","year":"2024","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"ref19:DBLP:conf\/cosade\/Papagiannopoulos17","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"282","DOI":"10.1007\/978-3-319-64647-3_17","article-title":"Mind the Gap: Towards Secure 1st-Order Masking in Software","author":"Kostas Papagiannopoulos","year":"2017"},{"key":"ref20:DBLP:conf\/cosade\/CorreGD18","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"82","DOI":"10.1007\/978-3-319-89641-0_5","article-title":"Micro-architectural Power Simulator for Leakage Assessment\n  of Cryptographic Software on ARM Cortex-M3 Processors","author":"Yann Le Corre","year":"2018"},{"key":"ref21:DBLP:conf\/eurocrypt\/GaoOP22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"284","DOI":"10.1007\/978-3-031-07082-2_11","article-title":"Towards Micro-architectural Leakage Simulators: Reverse\n  Engineering Micro-architectural Leakage Features Is Practical","author":"Si Gao","year":"2022"},{"key":"ref22:DBLP:journals\/tches\/MarshallPW22","doi-asserted-by":"publisher","DOI":"10.46586\/tches.v2022.i1.175-220","article-title":"MIRACLE: 
MIcRo-ArChitectural Leakage Evaluation A study\n  of micro-architectural power leakage across many devices","author":"Ben Marshall","year":"2022","journal-title":"CHES"},{"key":"ref23:DBLP:conf\/ches\/BattistelloCPZ16","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"23","DOI":"10.1007\/978-3-662-53140-2_2","article-title":"Horizontal Side-Channel Attacks and Countermeasures on the\n  ISW Masking Scheme","author":"Alberto Battistello","year":"2016"},{"key":"ref24:DBLP:conf\/uss\/GigerlHPMB21","first-page":"1469","article-title":"Coco: Co-Design and Co-Verification of Masked Software\n  Implementations on CPUs","author":"Barbara Gigerl","year":"2021"},{"key":"ref25:DBLP:journals\/tches\/GaoMPO20","doi-asserted-by":"publisher","DOI":"10.13154\/TCHES.V2020.I1.152-174","article-title":"Share-slicing: Friend or Foe?","author":"Si Gao","year":"2020","journal-title":"CHES"},{"key":"ref26:ICICS:NikRecRij06","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"529","DOI":"10.1007\/11935308_38","article-title":"Threshold Implementations Against Side-Channel Attacks and\n  Glitches","volume":"4307","author":"Svetla Nikova","year":"2006"},{"key":"ref27:DBLP:conf\/eurocrypt\/GoudarziR17","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"567","DOI":"10.1007\/978-3-319-56620-7_20","article-title":"How Fast Can Higher-Order Masking Be in Software?","author":"Dahmun Goudarzi","year":"2017"},{"key":"ref28:DBLP:conf\/islped\/Correale95","doi-asserted-by":"publisher","first-page":"75","DOI":"10.1145\/224081.224095","article-title":"Overview of the power minimization techniques employed in\n  the IBM PowerPC 4xx embedded controllers","author":"Anthony Correale Jr.","year":"1995"},{"key":"ref29:DBLP:conf\/date\/MunchWWMS00","doi-asserted-by":"publisher","first-page":"624","DOI":"10.1109\/DATE.2000.840850","article-title":"Automating RT-Level Operand Isolation to Minimize Power\n  
Consumption in Datapaths","author":"Michael M\u00fcnch","year":"2000"},{"key":"ref30:Canal04OperandGating","doi-asserted-by":"publisher","first-page":"125","DOI":"10.1109\/CGO.2004.1281669","article-title":"Software-Controlled Operand-Gating","author":"Ramon Canal","year":"2004"},{"key":"ref31:kulkarni2014implementation","doi-asserted-by":"publisher","DOI":"10.1109\/ECS.2014.6892770","article-title":"Implementation of clock gating technique and performing\n  power analysis for processor engine (ALU) in network processors","author":"Roopa Kulkarni","year":"2014"},{"key":"ref32:kulkarni2020power","doi-asserted-by":"publisher","DOI":"10.1007\/978-981-15-5558-9_71","article-title":"Power Optimization of a 32-Bit ALU Using Distributed Clock\n  Gating Technique","author":"Roopa R Kulkarni","year":"2020"},{"key":"ref33:vo2024hybrid","article-title":"Hybrid Data Driven Clock Gating and Data Gating Technique\n  for Better Saving Power in ALU RISC-V","author":"Minh Huan Vo","year":"2024","journal-title":"IJEER"},{"key":"ref34:DBLP:journals\/tches\/MullerM22","doi-asserted-by":"publisher","DOI":"10.46586\/tches.v2022.i4.311-348","article-title":"PROLEAD A Probing-Based Hardware Leakage Detection\n  Tool","author":"Nicolai M\u00fcller","year":"2022","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. 
Syst."},{"key":"ref35:scalib","doi-asserted-by":"publisher","first-page":"5196","DOI":"10.21105\/joss.05196","article-title":"SCALib: A Side-Channel Analysis Library","volume":"8","author":"Ga\u00ebtan Cassiers","year":"2023","journal-title":"Journal of Open Source Software"},{"key":"ref36:Armv6ISA","volume-title":"Armv6-M Architecture Reference Manual"},{"key":"ref37:Armv7ISA","volume-title":"Armv7-M Architecture Reference Manual"},{"key":"ref38:RISCVISA","volume-title":"The RISC-V Instruction Set Manual Volume 1: Unprivileged\n  ISA"},{"key":"ref39:DBLP:journals\/jce\/OFlynnC15","doi-asserted-by":"publisher","first-page":"53","DOI":"10.1007\/S13389-014-0087-5","article-title":"Synchronous sampling and clock recovery of internal\n  oscillators for side channel analysis and fault injection","volume":"5","author":"Colin O'Flynn","year":"2015","journal-title":"J. Cryptogr. Eng."},{"key":"ref40:TransposedAES","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"159","DOI":"10.1007\/3-540-36400-5_13","article-title":"Efficient Software Implementation of AES on 32-Bit\n  Platforms","author":"Guido Bertoni","year":"2002"},{"key":"ref41:ahmed2009lightweight","article-title":"Lightweight mix columns implementation for AES","author":"Eslam Gamal Ahmed","year":"2009"},{"key":"ref42:hadvzic2025efficient","doi-asserted-by":"publisher","first-page":"656","DOI":"10.46586\/TCHES.V2025.I1.656-683","article-title":"Efficient and Composable Masked AES S-Box Designs Using\n  Optimized Inverters","volume":"2025","author":"Vedad Hadzic","year":"2025","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"ref43:DBLP:conf\/cardis\/DingZDSF17","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"105","DOI":"10.1007\/978-3-319-75208-2_7","article-title":"Towards Sound and Optimal Leakage Detection Procedure","author":"A. 
Adam Ding","year":"2017"},{"key":"ref44:DBLP:conf\/ccs\/SheltonCS0BY21","doi-asserted-by":"publisher","first-page":"685","DOI":"10.1145\/3460120.3485380","article-title":"Rosita++: Automatic Higher-Order Leakage Elimination from\n  Cryptographic Code","author":"Madura A. Shelton","year":"2021"},{"key":"ref45:DBLP:conf\/cardis\/BalaschGGRS14","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"64","DOI":"10.1007\/978-3-319-16763-3_5","article-title":"On the Cost of Lazy Engineering for Masked Software\n  Implementations","author":"Josep Balasch","year":"2014"},{"key":"ref46:avanzi2019crystals","first-page":"1","article-title":"CRYSTALS-Kyber algorithm specifications and supporting\n  documentation","volume":"2","author":"Roberto Avanzi","year":"2019","journal-title":"NIST PQC Round"},{"key":"ref47:fouque2018falcon","first-page":"1","article-title":"Falcon: Fast-Fourier lattice-based compact signatures over\n  NTRU","volume":"36","author":"Pierre-Alain Fouque","year":"2018","journal-title":"Submission to the NIST\u2019s post-quantum cryptography\n  standardization process"},{"key":"ref48:vercauteren2020saber","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"282","DOI":"10.1007\/978-3-319-89339-6_16","article-title":"Saber: Module-LWR Based Key Exchange, CPA-Secure Encryption\n  and CCA-Secure KEM","author":"Jan-Pieter D'Anvers","year":"2018"},{"key":"ref49:alkim2020frodokem","first-page":"10","article-title":"FrodoKEM learning with errors key encapsulation","volume":"3","author":"Erdem Alkim","year":"2020","journal-title":"NIST PQC standardization: Round"},{"key":"ref50:chen2019algorithm","article-title":"Algorithm specifications and supporting documentation","author":"Cong Chen","year":"2019","journal-title":"Brown University and Onboard security company, Wilmington\n  USA"},{"key":"ref51:ntruprime-round3","volume-title":"NTRU Prime: Round 3","author":"Daniel J. 
Bernstein","year":"2020"}],"container-title":["IACR Communications in Cryptology"],"original-title":[],"language":"en","deposited":{"date-parts":[[2026,5,6]],"date-time":"2026-05-06T04:03:42Z","timestamp":1778040222000},"score":1,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/3\/1\/27"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,5,4]]},"references-count":51,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2026,5,4]]}},"URL":"https:\/\/doi.org\/10.62056\/ana69qdja","archive":["Internet Archive","Internet Archive"],"relation":{},"ISSN":["3006-5496"],"issn-type":[{"value":"3006-5496","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,5,4]]},"assertion":[{"value":"2026-02-03","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2026-04-28","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc3-1-81"}}