Paper 2026/123
Masking Out of Order: Side-Channel Leaks from Software-Masked Cryptography on Out-of-Order Processors
Abstract
Masking, the primary countermeasure against differential power attacks, guarantees formal security under abstract execution models that are violated in modern micro-architectures. Meanwhile, processors with out-of-order micro-architectures are increasingly used for high-assurance tasks, yet their physical side-channel leakage remains poorly characterized, hindering side-channel security on such platforms. In this work, we present the first empirical study of physical power side-channel leakage on out-of-order cores. Through practical lab experiments, we identify and validate multiple micro-architectural leakage sources that undermine software masking: register renaming reintroduces register overwrites beyond software control; forwarding leaks through the common data bus, with less impact on security order than in-order forwarding; and concurrent instructions leak through coupling, with affected instructions determined at runtime. We demonstrate that runtime scheduling and dynamic resource allocation undermine software-only mitigations. To address this, we propose countermeasures that shift part of the responsibility to hardware and require security by design. We further demonstrate that these effects are exploitable in practice by breaking the security of a theoretically secure software-masked lattice-based post-quantum implementation on an out-of-order core. Finally, we find that clock frequency significantly affects leakage of software-masked implementations. This makes security unstable across frequencies and suggests that cryptographic software should be constrained to verified frequencies.
Metadata
- Available format(s): PDF
- Category: Implementation
- Publication info: Preprint.
- Keywords: Side-Channel Analysis, Out-of-Order Execution, Micro-Architectures, Masking, Post-Quantum Cryptography
- Contact author(s):
  - eden desmet @ esat kuleuven be
  - suparna kundu @ esat kuleuven be
  - ingrid verbauwhede @ esat kuleuven be
- History
  - 2026-01-26: approved
  - 2026-01-26: received
- Short URL: https://ia.cr/2026/123
- License: CC BY
BibTeX
@misc{cryptoeprint:2026/123,
author = {Eden Desmet and Suparna Kundu and Ingrid Verbauwhede},
title = {Masking Out of Order: Side-Channel Leaks from Software-Masked Cryptography on Out-of-Order Processors},
howpublished = {Cryptology {ePrint} Archive, Paper 2026/123},
year = {2026},
url = {https://eprint.iacr.org/2026/123}
}