Simulation-based evaluation of bit-interaction side-channel leakage on RISC-V: extended version

  • Regular Paper
Journal of Cryptographic Engineering

Abstract

Masking is a promising countermeasure against side-channel attacks, and share slicing is a masking technique that stores all shares in a single register to exploit the parallelism of Boolean instructions. However, the security of share slicing relies on the assumption of bit-independent leakage. Gao et al. recently discovered, by experimentally evaluating ARM processors, that bit-interaction leakage degrades security. However, its cause remains an open question because of the black-box nature of the target processors. In this study, we approach this problem with simulation-based side-channel leakage evaluation on a RISC-V processor. More specifically, we use Western Digital’s open-source SweRV EH1 core as the target platform and obtain its side-channel traces by running logic simulation and counting the number of signal transitions in the synthesized netlist. We successfully replicate the bit-interaction leakage from a shifter using the simulated traces. By exploiting the flexibility of simulation-based analysis, we positively verify Gao et al.’s hypothesis on how the shifter causes the leakage. Moreover, we discover a bit-interaction leakage from an arithmetic adder caused by carry propagation. Further, we discuss hardware and software countermeasures against bit-interaction leakage.

Data availability

The datasets generated during and/or analyzed during the current study are available from the corresponding author upon reasonable request.

Notes

  1. The Comb_shifters submodule consists of the left-logical, right-logical, and right-arithmetic shifts expressed with SystemVerilog’s operators, \({<<}, {>>},\) and \({>>>}\).

  2. The target is design/swerv.sv in the SweRV EH1’s source code, which does not include an instruction cache or Data Closely Coupled Memory (DCCM).

  3. We use the immediate (I-type) instructions for simplicity. The leakage from the register (R-type) instructions should be the same because they use the same ALU.

  4. We omit the Comb_bitwise in Fig. 4a and c because we observe no switching activity in the target component; thus, the corresponding t-statistics are meaningless. Comb_bitwise is inactive when executing non-bitwise instructions because there are AND gates controlled by opcode to supply operands only in bitwise instructions.

  5. We also conduct the same experiment with the \({>>}\) and \({>>>}\) (arithmetic right shift) operators and confirm that the results are similar to those with the \({<<}\) operator.

  6. We confirm that the arithmetic adder of the SweRV EH1’s ALU is also written with the + operator and synthesized into a simple ripple carry adder.

  7. We omit the Comb_shifter in Fig. 17a because we observe constant toggles, and the corresponding t-statistic is meaningless.
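The mechanism the abstract and note 6 describe, a ripple-carry adder combining bits of one register through its carry chain so that two shares stored in the same register no longer leak independently, can be reproduced on a small gate-level model. The Python below is an added example, not the authors' simulation flow and not the SweRV EH1 netlist: it models a hypothetical ripple-carry adder wire by wire, counts signal transitions between two consecutive add instructions in the spirit of the paper's toggle counting, places the two shares of one secret bit in bit positions 0 and 1 of the register (a constructed share-slicing layout), and runs a first-order Welch t-test on the unmasked secret. The fixed immediate operand, the 8-bit width and the five wires per full adder are constructed choices. Under a bit-independent Hamming-distance model the test returns t = 0, because the secret is the XOR of the two shares and each bit leaks separately; on the adder model the carry wires compute the AND of the two shares, and the statistic goes far beyond the usual threshold.

```python
"""Gate-level toggle-count model of a ripple-carry adder plus a first-order
t-test on two shares stored in one register (share slicing).

Added example for the abstract and note 6 of the paper. The adder, the
register width, the immediate operand and the share layout are constructed
toy assumptions, not the SweRV EH1 netlist or the authors' tooling.
"""
from functools import lru_cache
from itertools import product
from statistics import fmean, variance

WIDTH = 8          # register width of the toy adder (constructed)
IMMEDIATE = 0x01   # fixed I-type immediate operand (constructed value)


@lru_cache(maxsize=None)
def ripple_carry_wires(x, y, width=WIDTH):
    """Return every internal wire of a ripple-carry adder computing x + y.
    Per bit: propagate, generate, sum, propagate-carry and carry-out, the
    kind of netlist a plain '+' synthesizes to (hypothetical wire set)."""
    wires = []
    carry = 0
    for i in range(width):
        a, b = (x >> i) & 1, (y >> i) & 1
        p = a ^ b          # propagate
        g = a & b          # generate
        s = p ^ carry      # sum bit
        cp = p & carry     # carry passed through the propagate path
        carry = g | cp     # carry-out feeding the next bit position
        wires.extend((p, g, s, cp, carry))
    return tuple(wires)


def toggle_trace(x_prev, x_cur, y=IMMEDIATE):
    """Netlist toggle count when the register operand changes from x_prev to
    x_cur while adding the same immediate: the leakage metric of the paper."""
    before = ripple_carry_wires(x_prev, y)
    after = ripple_carry_wires(x_cur, y)
    return sum(u != v for u, v in zip(before, after))


def hamming_distance_trace(x_prev, x_cur, y=IMMEDIATE):
    """Bit-independent reference model: Hamming distance of the register
    holding the shares. No cross-bit terms, so share slicing is safe here."""
    return bin(x_prev ^ x_cur).count("1")


def unmasked_secret(x):
    """Constructed share-slicing layout: share a in bit 0 and share b in
    bit 1 of the same register; the secret bit is a XOR b."""
    return (x & 1) ^ ((x >> 1) & 1)


def welch_t(group0, group1):
    """Welch's t-statistic between two groups of traces."""
    n0, n1 = len(group0), len(group1)
    return (fmean(group0) - fmean(group1)) / (
        variance(group0) / n0 + variance(group1) / n1) ** 0.5


def first_order_test(trace_fn, width=WIDTH):
    """Enumerate every (previous, current) register value pair, take one
    trace per pair and split the traces by the unmasked secret s = a ^ b.
    Returns (t, mean over s=0, mean over s=1). Bit-independent leakage gives
    t = 0; a term depending on a AND b makes the first-order test fail."""
    groups = {0: [], 1: []}
    for x_prev, x_cur in product(range(1 << width), repeat=2):
        groups[unmasked_secret(x_cur)].append(trace_fn(x_prev, x_cur))
    return welch_t(groups[0], groups[1]), fmean(groups[0]), fmean(groups[1])


if __name__ == "__main__":
    for name, fn in (("hamming distance", hamming_distance_trace),
                     ("adder toggles", toggle_trace)):
        t, m0, m1 = first_order_test(fn)
        print(f"{name:17s} t = {t:8.2f}  "
              f"mean(s=0) = {m0:.4f}  mean(s=1) = {m1:.4f}")
```

Running the block prints both statistics. The harness accepts any trace function, so the same first-order test can be pointed at a model of another ALU component before a share layout is trusted to satisfy bit-independence; the |t| > 4.5 pass/fail threshold follows the test-vector leakage assessment methodology of reference 28.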

References

  1. Mangard, S., Oswald, E., Popp, T.: Power analysis attacks - revealing the secrets of smart cards, Springer (2007)

  2. Roche, T., Lomné, V., Mutschler, C., Imbert, L.A.: Side journey to Titan, pp. 231–248. USENIX Association (2021)

  3. Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis, Vol. 1666 of Lecture Notes in Computer Science, pp. 388–397, Springer (1999)

  4. Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks, Vol. 1666 of Lecture Notes in Computer Science, pp. 398–412. Springer (1999)

  5. Barthe, G. et al.: Parallel implementations of masking schemes and the bounded moment leakage model, Vol. 10210 of Lecture Notes in Computer Science, pp. 535–566. (2017)

  6. Goudarzi, D., Journault, A., Rivain, M., Standaert, F.-X.: Secure multiplication for bitslice higher-order masking: Optimisation and comparison, pp. 3–22. Springer (2018)

  7. Journault, A., Standaert, F.: Very high order masking: Efficient implementation and security evaluation, Vol. 10529 of Lecture Notes in Computer Science, pp. 623–643. Springer (2017)

  8. Gao, S., Marshall, B., Page, D., Oswald, E.: Share-slicing: Friend or foe? IACR Trans. Cryptogr. Hardw. Embedded Syst. 152–174 (2020)

  9. Matsuda, S., Moriai, S.: Lightweight cryptography for the cloud: exploit the power of bitslice implementation, Vol. 7428 of Lecture Notes in Computer Science, pp. 408–425. Springer (2012)

  10. Benadjila, R., Guo, J., Lomné, V., Peyrin, T.: Implementing lightweight block ciphers on x86 architectures, Vol. 8282 of Lecture Notes in Computer Science, pp. 324–351. Springer (2013)

  11. McCann, D., Oswald, E., Whitnall, C.: Towards practical tools for side channel aware software engineering: ‘grey box’ modelling for instruction leakages, pp. 199–216. USENIX Association, Vancouver, BC (2017) https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/mccann

  12. Levi, I., Bellizia, D., Standaert, F.: Reducing a masked implementation’s effective security order with setup manipulations and an explanation based on externally-amplified couplings. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2019(2), 293–317 (2019)


  13. CHIPS Alliance: EH1 SweRV RISC-V Core™ 1.7 from Western Digital. https://github.com/chipsalliance/Cores-SweRV

  14. Tiri, K., Verbauwhede, I.: Simulation models for side-channel information leaks, pp. 228–233. ACM, (2005)

  15. Asano, T., Sugawara, T.: Simulation based evaluation of bit-interaction side-channel leakage on RISC-V processor (2021). https://www.proofs-workshop.org/2021/papers/paper3.pdf

  16. Ishai, Y., Sahai, A., Wagner, D.: Private circuits: Securing hardware against probing attacks, pp. 463–481. Springer (2003)

  17. Goudarzi, D., Rivain, M.: How fast can higher-order masking be in software?, Vol. 10210 of Lecture Notes in Computer Science, pp. 567–597. (2017)

  18. Harris, S., Harris, D.: Digital Design and Computer Architecture: ARM Edition, 1st edn. Morgan Kaufmann Publishers Inc., San Francisco, CA, USA (2015)


  19. RISC-V International. https://riscv.org

  20. Asanović, K. et al.: The rocket chip generator. Tech. Rep. UCB/EECS-2016-17, EECS Department, University of California, Berkeley (2016). http://www2.eecs.berkeley.edu/Pubs/TechRpts/2016/EECS-2016-17.html

  21. Zhao, J., Korpan, B., Gonzalez, A., Asanovic, K.: SonicBOOM: The 3rd generation Berkeley out-of-order machine (2020)

  22. Patterson, D.A., Hennessy, J.L.: Computer Organization and Design, Fifth Edition: The Hardware/Software Interface, 5th edn., Morgan Kaufmann Publishers Inc. (2013)

  23. Moos, T., Moradi, A., Schneider, T., Standaert, F.: Glitch-resistant masking revisited or why proofs in the robust probing model are needed. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2019(2), 256–292 (2019)


  24. Cnudde, T.D. et al.: Does coupling affect the security of masked implementations?, Vol. 10348 of Lecture Notes in Computer Science, pp. 1–18. Springer, (2017)

  25. NanGate. Nangate 45 nm Open Cell Library. https://si2.org/open-cell-library

  26. Dawson, C., Pattanam, S., Roberts, D.: The Verilog Procedural Interface for The Verilog Hardware Description Language, pp. 17–23. (1996)

  27. Meyer, S.: Verilog plus C language modeling with PLI 2.0: The next generation simulation language, pp. 98–105. (1998)

  28. Goodwill, G., Jun, B., Jaffe, J., Rohatgi, P.: A testing methodology for side-channel resistance validation 7, pp. 115–136. (2011)

  29. Gigerl, B., Hadzic, V., Primas, R., Mangard, S., Bloem, R.: Coco: Co-Design and Co-Verification of masked software implementations on CPUs, pp. 1469–1468, USENIX Association, (2021). https://www.usenix.org/conference/usenixsecurity21/presentation/gigerl

  30. Gigerl, B., Primas, R., Mangard, S.: Secure and efficient software masking on superscalar pipelined processors. In: Tibouchi, M., Wang, H. (eds) Advances in Cryptology - ASIACRYPT 2021 - 27th International Conference on the Theory and Application of Cryptology and Information Security, Singapore, December 6-10, 2021, Proceedings, Part II, Vol. 13091 of Lecture Notes in Computer Science, pp. 3–32. Springer, (2021)

  31. Buhan, I., Batina, L., Yarom, Y., Schaumont, P.: SoK: Design tools for side-channel-aware implementations. IACR Cryptol. ePrint Arch. 497 (2021). https://eprint.iacr.org/2021/497

  32. Wolf, C.: Yosys Open SYnthesis Suite. https://github.com/YosysHQ/yosys

  33. Snyder, W.: Verilator. https://github.com/verilator/verilator

  34. lowRISC. Ibex RISC-V Core. https://github.com/lowRISC/ibex

Acknowledgements

We would like to thank the anonymous reviewers at PROOFS 2021 and JCEN for their valuable and helpful comments. The study is supported by JSPS KAKENHI Grant Number JP18H05289. The CAD tools used in the study are supported by VLSI Design and Education Center (VDEC), the University of Tokyo, with the collaboration of CADENCE Corporation and SYNOPSYS Corporation.

Author information

Corresponding author

Correspondence to Tamon Asano.

About this article

Cite this article

Asano, T., Sugawara, T. Simulation-based evaluation of bit-interaction side-channel leakage on RISC-V: extended version. J Cryptogr Eng 14, 165–180 (2024). https://doi.org/10.1007/s13389-023-00319-z

  • DOI: https://doi.org/10.1007/s13389-023-00319-z
