Abstract
Masking is a promising countermeasure against side-channel attacks, and share slicing is a masking technique that stores all shares in a single register to exploit the parallelism of Boolean instructions. However, the security of share slicing relies on the assumption of bit-independent leakage. Gao et al. recently discovered that bit-interaction leakage causes security degradation by experimentally evaluating ARM processors. However, its causality remains an open question because of the black-box nature of the target processors. In this study, we approach this problem with simulation-based side-channel leakage evaluation using a RISC-V processor. More specifically, we use Western Digital’s open-source SweRV EH1 core as a target platform and measure its side-channel traces by running logic simulation and counting the number of signal transitions in the synthesized netlist. We successfully replicate the bit-interaction leakage from a shifter using the simulated traces. By exploiting the flexibility of simulation-based analysis, we positively verify Gao et al.’s hypothesis on how the shifter causes the leakage. Moreover, we discover a bit-interaction leakage from an arithmetic adder caused by carry propagation. Further, we discuss hardware and software countermeasures against bit-interaction leakage.
Data availability
The datasets generated during and/or analyzed during the current study are available from the corresponding author upon reasonable request.
Notes
The Comb_shifters submodule consists of the left-logical, right-logical, and right-arithmetic shifts expressed with SystemVerilog’s operators, \({<<}, {>>},\) and \({>>>}\).
The target is design/swerv.sv in the SweRV EH1’s source code, which does not include an instruction cache or Data Closely Coupled Memory (DCCM).
We use the immediate (I-type) instructions for simplicity. The leakage from the register (R-type) instructions should be the same because they use the same ALU.
We omit the Comb_bitwise in Fig. 4a and c because we observe no switching activity in the target component; thus, the corresponding t-statistics are meaningless. Comb_bitwise is inactive when executing non-bitwise instructions because there are AND gates controlled by opcode to supply operands only in bitwise instructions.
We also conduct the same experiment with the \({>>}\) and \({>>>}\) (arithmetic right shift) operators and confirm that the results are similar to those with the \({<<}\) operator.
We confirm that the arithmetic adder of the SweRV EH1’s ALU is also written with the + operator and synthesized into a simple ripple-carry adder.
We omit the Comb_shifter in Fig. 17a because we observe constant toggles, and the corresponding t-statistic is meaningless.
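To make the carry-propagation mechanism behind the adder leakage concrete, the following added example (not code from the paper or the SweRV project) models a toy ripple-carry adder at gate level, counts net transitions between two consecutive evaluations the way the simulated traces count signal toggles, and compares the mean toggle count for secret 0 versus secret 1 when the two shares of one bit sit in adjacent positions of a single register. The 4-bit width, the immediate values, the share placement in bits 0 and 1, and the uniformly random previous operand are assumptions; the bitwise XOR model is included as the bit-independent reference.

```python
# Added example: gate-level ripple-carry adder, toggle-count leakage model,
# and a first-order (mean) leakage check for a share-sliced register.
from itertools import product

WIDTH = 4  # assumed toy register width; the mechanism is the same at 32 bits


def adder_nets(a, b, width=WIDTH):
    """Values of every internal net of a ripple-carry adder computing a + b
    (the structure a '+' operator is synthesized into)."""
    nets, c = [], 0
    for i in range(width):
        ai, bi = (a >> i) & 1, (b >> i) & 1
        p = ai ^ bi        # propagate
        g = ai & bi        # generate
        t = c & p          # incoming carry propagated through this bit
        c_next = g | t     # carry out: mixes bit i with lower bits
        s = p ^ c          # sum bit
        nets += [p, g, t, c_next, s]
        c = c_next
    return nets


def xor_nets(a, b, width=WIDTH):
    """Bitwise XOR: every output net depends on a single bit position."""
    return [((a ^ b) >> i) & 1 for i in range(width)]


def toggles(nets_fn, a_prev, a_cur, imm):
    """Transition count: number of nets that change between two evaluations."""
    return sum(x != y for x, y in zip(nets_fn(a_prev, imm), nets_fn(a_cur, imm)))


def mean_toggles(nets_fn, imm, secret, width=WIDTH):
    """Mean toggles when the register holds shares (r, r ^ secret) in bits 0
    and 1 and random data above, after a uniformly random previous operand."""
    total, count = 0, 0
    for a_prev, r, rest in product(range(1 << width), (0, 1), range(1 << (width - 2))):
        a_cur = (rest << 2) | ((secret ^ r) << 1) | r
        total += toggles(nets_fn, a_prev, a_cur, imm)
        count += 1
    return total / count


def first_order_delta(nets_fn, imm):
    """Mean leakage for secret=1 minus secret=0. A non-zero value means the
    secret is visible in a first-order statistic, i.e. the bit-independent
    leakage assumption of share slicing fails for this component."""
    return mean_toggles(nets_fn, imm, 1) - mean_toggles(nets_fn, imm, 0)


if __name__ == "__main__":
    print("add, imm=0b0011 (carry enters share bit 1):", first_order_delta(adder_nets, 0b0011))
    print("add, imm=0b0110 (no carry out of bit 0):   ", first_order_delta(adder_nets, 0b0110))
    print("xor, imm=0b0011 (bit-independent):         ", first_order_delta(xor_nets, 0b0011))
```

With an immediate whose bit 0 is set, the carry out of bit 0 is a function of share 0 and feeds the nets of bit 1 that also depend on share 1, so the mean toggle count differs between the two secret values; with bit 0 of the immediate clear, or for the bitwise XOR, the difference is exactly zero.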
References
Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks: Revealing the Secrets of Smart Cards. Springer (2007)
Roche, T., Lomné, V., Mutschler, C., Imbert, L.: A side journey to Titan, pp. 231–248. USENIX Association (2021)
Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis, Vol. 1666 of Lecture Notes in Computer Science, pp. 388–397, Springer (1999)
Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks, Vol. 1666 of Lecture Notes in Computer Science, pp. 398–412. Springer (1999)
Barthe, G. et al.: Parallel implementations of masking schemes and the bounded moment leakage model, Vol. 10210 of Lecture Notes in Computer Science, pp. 535–566. Springer (2017)
Goudarzi, D., Journault, A., Rivain, M., Standaert, F.-X.: Secure multiplication for bitslice higher-order masking: Optimisation and comparison, pp. 3–22. Springer (2018)
Journault, A., Standaert, F.: Very high order masking: Efficient implementation and security evaluation, Vol. 10529 of Lecture Notes in Computer Science, pp. 623–643. Springer (2017)
Gao, S., Marshall, B., Page, D., Oswald, E.: Share-slicing: Friend or foe? IACR Trans. Cryptogr. Hardw. Embed. Syst. 2020(2), 152–174 (2020)
Matsuda, S., Moriai, S.: Lightweight cryptography for the cloud: exploit the power of bitslice implementation, Vol. 7428 of Lecture Notes in Computer Science, pp. 408–425. Springer (2012)
Benadjila, R., Guo, J., Lomné, V., Peyrin, T.: Implementing lightweight block ciphers on x86 architectures, Vol. 8282 of Lecture Notes in Computer Science, pp. 324–351. Springer (2013)
McCann, D., Oswald, E., Whitnall, C.: Towards practical tools for side channel aware software engineering: ‘grey box’ modelling for instruction leakages, pp. 199–216. USENIX Association, Vancouver, BC (2017) https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/mccann
Levi, I., Bellizia, D., Standaert, F.: Reducing a masked implementation’s effective security order with setup manipulations and an explanation based on externally-amplified couplings. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2019(2), 293–317 (2019)
CHIPS Alliance: EH1 SweRV RISC-V Core 1.7 from Western Digital. https://github.com/chipsalliance/Cores-SweRV
Tiri, K., Verbauwhede, I.: Simulation models for side-channel information leaks, pp. 228–233. ACM, (2005)
Asano, T., Sugawara, T.: Simulation based evaluation of bit-interaction side-channel leakage on RISC-V processor (2021). https://www.proofs-workshop.org/2021/papers/paper3.pdf
Ishai, Y., Sahai, A., Wagner, D.: Private circuits: Securing hardware against probing attacks, pp. 463–481. Springer (2003)
Goudarzi, D., Rivain, M.: How fast can higher-order masking be in software?, Vol. 10210 of Lecture Notes in Computer Science, pp. 567–597. Springer (2017)
Harris, S., Harris, D.: Digital Design and Computer Architecture: ARM Edition, 1st edn. Morgan Kaufmann Publishers Inc., San Francisco, CA, USA (2015)
RISC-V International. https://riscv.org
Asanović, K. et al.: The rocket chip generator. Tech. Rep. UCB/EECS-2016-17, EECS Department, University of California, Berkeley (2016). http://www2.eecs.berkeley.edu/Pubs/TechRpts/2016/EECS-2016-17.html
Zhao, J., Korpan, B., Gonzalez, A., Asanović, K.: SonicBOOM: The 3rd generation Berkeley out-of-order machine (2020)
Patterson, D.A., Hennessy, J.L.: Computer Organization and Design, Fifth Edition: The Hardware/Software Interface, 5th edn., Morgan Kaufmann Publishers Inc. (2013)
Moos, T., Moradi, A., Schneider, T., Standaert, F.: Glitch-resistant masking revisited or why proofs in the robust probing model are needed. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2019(2), 256–292 (2019)
Cnudde, T.D. et al.: Does coupling affect the security of masked implementations?, Vol. 10348 of Lecture Notes in Computer Science, pp. 1–18. Springer, (2017)
NanGate: NanGate 45 nm Open Cell Library. https://si2.org/open-cell-library
Dawson, C., Pattanam, S., Roberts, D.: The Verilog Procedural Interface for the Verilog Hardware Description Language, pp. 17–23 (1996)
Meyer, S.: Verilog plus C language modeling with PLI 2.0: The next generation simulation language, pp. 98–105 (1998)
Goodwill, G., Jun, B., Jaffe, J., Rohatgi, P.: A testing methodology for side-channel resistance validation, pp. 115–136 (2011)
Gigerl, B., Hadzic, V., Primas, R., Mangard, S., Bloem, R.: Coco: Co-Design and Co-Verification of masked software implementations on CPUs, pp. 1469–1468, USENIX Association, (2021). https://www.usenix.org/conference/usenixsecurity21/presentation/gigerl
Gigerl, B., Primas, R., Mangard, S.: Secure and efficient software masking on superscalar pipelined processors. In: Tibouchi, M., Wang, H. (eds) Advances in Cryptology - ASIACRYPT 2021 - 27th International Conference on the Theory and Application of Cryptology and Information Security, Singapore, December 6-10, 2021, Proceedings, Part II, Vol. 13091 of Lecture Notes in Computer Science, pp. 3–32. Springer (2021)
Buhan, I., Batina, L., Yarom, Y., Schaumont, P.: SoK: Design tools for side-channel-aware implementations. IACR Cryptol. ePrint Arch. 497 (2021). https://eprint.iacr.org/2021/497
Wolf, C.: Yosys Open SYnthesis Suite. https://github.com/YosysHQ/yosys
Snyder, W.: Verilator. https://github.com/verilator/verilator
lowRISC. Ibex RISC-V Core. https://github.com/lowRISC/ibex
Acknowledgements
We would like to thank the anonymous reviewers at PROOFS 2021 and JCEN for their valuable and helpful comments. The study is supported by JSPS KAKENHI Grant Number JP18H05289. The CAD tools used in the study are supported by VLSI Design and Education Center (VDEC), the University of Tokyo, with the collaboration of CADENCE Corporation and SYNOPSYS Corporation.
About this article
Cite this article
Asano, T., Sugawara, T. Simulation-based evaluation of bit-interaction side-channel leakage on RISC-V: extended version. J Cryptogr Eng 14, 165–180 (2024). https://doi.org/10.1007/s13389-023-00319-z