1-Probing Leakage Models Overview

Updated 15 December 2025

The 1-probing leakage model is a mathematical framework that quantifies information leakage when an adversary probes a single internal node in a digital system.
It employs formal definitions, parity equations, and combinatorial evaluations to ensure that secret shares remain statistically independent from observed values.
The model supports compositional synthesis and formal verification techniques, providing practical security guarantees against first-order side-channel attacks.

The 1-probing leakage model, also referred to as the 1-threshold-probing, random-probing, or first-order side-channel model, is a mathematically rigorous framework for quantifying information leakage in hardware, software, and cryptographic implementations. It defines the maximum information that can be recovered by an adversary who probes a single internal intermediate value (or a small, fixed number t of values) of a computation, under well-specified adversarial and encoding assumptions. This model is foundational to rigorous leakage-resilient synthesis, formal verification, security evaluation, and side-channel-resistance assessment for a broad spectrum of digital systems. The following sections detail the formal underpinnings, mathematical consequences, synthesis methodologies, efficient evaluation strategies, and practical implications of the 1-probing leakage model.

1. Formal Definition: The 1-Probing/1-Threshold-Probing Model

Let $P$ be a Boolean circuit or program, with inputs partitioned as secret $(k_1, ..., k_x) \in \{0,1\}^x$ , public $p \in \{0,1\}^{|p|}$ , and fresh random bits $r \in \{0,1\}^{|r|}$ . The $n$ -threshold-probing model introduces an input encoder per secret bit that splits each $k_i$ into $n+1$ shares using $n$ random bits and one correlated share, ensuring that each share is statistically independent of $k_i$ given $r$ .

In the 1-probing case ( $n=1$ ), the security criterion (1-leakage-resilience) is: $\forall\,p,\,k,\,k',\,\ell\in\text{Nodes}(P):\quad \mathrm{Dist}\bigl(P(p,k,r)_\ell\bigr) = \mathrm{Dist}\bigl(P(p,k',r)_\ell\bigr)$ where the probability distribution is over $r$ , and $\ell$ is any observable wire/gate label outside the encoder/decoder. Informally, any probe of a single node in the circuit leaks no information about the secret, regardless of its concrete value (Blot et al., 2016).

In the random-probing variant, the adversary selects a random subset $R$ of $t$ internal wires to probe (non-adaptively) and observes their values. Information recovery is typically modeled via the linear relations among probed values, secret shares, and masking variables (Jahandideh et al., 2020).

Security Criterion Table

Model Variant	Adversary Probes	Security Condition
1-probing	1 node/wire	$\forall \ell:$ probed value statistically independent of $k$ (Blot et al., 2016)
Random-probing	$t$ nodes/wires	$t$ probe set sufficient only if linear system on secret shares is full rank (Jahandideh et al., 2020)

2. Parity Equation, Secret Recovery Probability, and Combinatorial Evaluation

Masked implementations are generally modeled by expressing each internal wire $w$ as a parity (linear) equation over the secret and mask bits: $v_w = \sum_{i=1}^s a_{w,i}X_i \oplus \sum_{j=1}^r b_{w,j}M_j$ where $X$ denotes the secret bits, $M$ the randomized masks, and $(a_{w,i}, b_{w,j})$ are Boolean coefficients (Jahandideh et al., 2020).

Given a set $R$ of $t$ randomly probed wires, the adversary collects $t$ linear equations. The key metric is the secret-recovery-probability (SRP): $\text{SRP}(t) = \Pr_{R}\left[\mathrm{rank}(E_R)-\mathrm{rank}(M_R) = s\right]$ where $E_R$ is the collection of parity equations for $R$ and $M_R$ denotes the mask components. SRP captures the probability that the adversary can uniquely recover all $s$ secrets after eliminating masks.

The exact SRP can be computed via inclusion–exclusion: $\text{SRP}(t) = 1 - \sum_{\emptyset\neq U\subseteq[s]} (-1)^{|U|+1} \frac{\binom{C_U}{t}}{\binom{n}{t}}$ where $C_U$ counts wires not involving any secret in $U$ (Jahandideh et al., 2020).

3. Compositional Security and Synthesis for 1-Probing Resilience

A fundamental result is the compositionality theorem: parallel or sequential composition of individually 1-probing-resilient circuits, with independent randomness, always yields a new 1-probing-resilient circuit (Blot et al., 2016). The synthesis of 1-probing-resilient implementations proceeds as follows:

Decompose the circuit into manageable subcircuits (public-only, shared sub-expressions, parallelizable outputs).
Mask and encode using standard $1$-split encoders and decoders.
Constraint synthesis enforces two properties: IO-equivalence to the unmasked circuit and 1-leakage-resilience of each internal node, expressed as quantified constraints over Boolean control variables (gate assignments).
Compositional assembly recombines masked subcircuits using separate random bits.

This procedure supports automated, modular synthesis and masks the secret against any single-probe adversary with formal guarantees (Blot et al., 2016).

4. Advances: Formal Verification and Robust 1-Probing Models

Recent tools (e.g., aLEAKator (Amiot et al., 8 Dec 2025)) extend probing-based verification to hardware description languages and include diverse variants:

(g,t)-d-probing model: Considers wire value, transition, glitch, and robust-glitch leakage domains.
Relaxed-robust 1-sw-probing: Security for one probe per signal/bus, pruning glitches on stable bits via explicit HDL simulation.
Automated verification: Each probe set is symbolically checked for independence from secrets via mask-cancellation and enumeration.
Lookup-table support: Symbolic propagation supports S-boxes or indexed memory accesses as in cryptographic primitives.

Empirical validation aligns first-order probe findings with side-channel t-tests and enables per-wire, per-cycle localization of leaks (Amiot et al., 8 Dec 2025).

5. Random-Probing: Efficiency, Scaling, and Application

The random-probing (or “probabilistic $t$ -probe”) model more closely matches practical constraints on physical adversaries. Computing SRP for realistically sized circuits (e.g., AES S-boxes) is achieved by:

Parity-equation extraction from netlists.
Inclusion–exclusion or covering-based SRP computation for $t$ up to hundreds with $n$ in the thousands.
Monte-Carlo sampling for large $t$ or $s$ values.

Empirical results show that for first- or second-order masking, the required $t$ for non-negligible SRP is very high (often $t > 2n/3$ ). Thus, practical random-probe-resilience can be assured for large internal widths (Jahandideh et al., 2020).

6. Practical Implications, Strengths, and Limitations

Guarantees: The 1-probing model assures that any adversary with access to a single (or $t$ random) internal node learns nothing about secret data, assuming fresh independent randomness per computation.
Compositionality: Enables modular hardware/software design and verification.
Limitations: Only bounds single-probe (or $t$ -random-probe) adversaries; higher-order (adaptive multi-probe) attacks require $n>1$ models with combinatorially higher synthesis and verification complexity.
Randomness requirements: Each secret bit requires independent mask bits per probe order; secure generation and management of these bits is critical.
Overhead: Masked implementations incur area/depth and randomness overhead, though local and compositional optimizations mitigate scaling.

First-order probing security underpins practical masked cryptographic hardware, embedded systems, and side-channel-resilient software for smart-card and IoT deployments. Advances in symbolic simulation and robust verification have enabled scaling of these techniques to full cryptographic cores (Blot et al., 2016, Jahandideh et al., 2020, Amiot et al., 8 Dec 2025).

7. Outlook and Open Problems

Scaling efficient formal synthesis and verification to higher-order ( $d>1$ ) probing models remains a significant challenge due to combinatorial explosion in probe set enumeration. Ongoing work in symbolic pruning, dynamic-programming analysis, and integration with physical leakage models continues to push the boundaries for securing next-generation cryptographic and safety-critical hardware (Amiot et al., 8 Dec 2025, Jahandideh et al., 2020). Relaxations (e.g., robust, bus-wide, or transition/glitch-aware probing) further bridge the gap between formal models and real-world threats.

References:

"Compositional Synthesis of Leakage Resilient Programs" (Blot et al., 2016)
"Concrete Evaluation of the Random Probing Security" (Jahandideh et al., 2020)
"aLEAKator: HDL Mixed-Domain Simulation for Masked Hardware & Software Formal Verification" (Amiot et al., 8 Dec 2025)