• Publicly known
• Important to evaluate effectiveness (CI/CD is beneficial)
• Compiler/synthesis tool can destroy effectiveness of CM
• Chaining CM can make it harder for attacker
• See whitepaper

Implementing CM

• Want cost of attack to be higher than attackers budget
• Balance cost, power, performance, security, debug- gability, development complexity etc.
• CM can be leaky.
• Break attack assumption (SCA, DPA etc). Cat/mouse game
• Hard to patch HW vulnerability. Some SW patches might mitigate
• Give lifespan of product from launch until fault is found

Non-correlating/Constant time

• Decorrelate timing between operation and secret. Add time constant or time randomization
• Timing attacks on hash-based message authentication code (HMAC) (See Xbox 360 timing attack)
• Timing attacks on conditional branches on sensitive values
• Branchless code
  • Execute both sides of branch, store results separately
  • Mask results based on “if-statement”, pick side based on all ones/all zeros
  • Compiler might replace our code with conditional code
• Time randomization
  • Spread leak over many clock cycles
  • Fault Injection: Attacker has to be lucky with timing
  • Some randomization with PLL
  • Add random time before sensitive operations (easily seen in side-channel, acts as big arrow to sensitive operation)

Non-correlating/Constant Power Consumption

• Add noise by running SW or HW in parallel