1. Introduction

2. Preliminaries

2.3. Side Channel Analysis on Implementations of CDT Sampling

A substantial body of research on single trace analysis has focused on various implementations of CDT sampling [7,8,9]. CDT sampling operates by generating a random value, $rnd$, which is then compared to values in a pre-stored table. The result of these cumulative comparisons is returned as the sampled value. Algorithms 1–3 present different implementation approaches. Algorithm 1 employs a while loop, terminating the comparison operation when $rnd$ is smaller than a value in the table. In this case, not all values in the table are compared. In other words, Algorithm 1 operates in non-constant time, rendering it vulnerable to timing attacks. Algorithm 2 is a constant-time algorithm in which all elements of the stored table are compared. However, it is also a weak algorithm for single trace analysis. Kim et al. proposed a single trace analysis of Algorithm 2 based on subtraction operations. The power consumption in this method differs depending on whether the resulting value is negative or positive. Zhang et al. further investigated the side-channel vulnerabilities of rejection sampling following CDT sampling in Mitaka.

Algorithm 3 illustrates the comparison operation-based CDT sampling used in Mitaka, with its actual implementation provided in Listing 1. While this approach mitigates vulnerabilities associated with traditional subtraction-based operations. However, it has not been studied whether this is a potential vulnerability.

Algorithm 1 The while-loop based CDT sampling

Require:  CDT table $\mathsf{\Psi }$, $\sigma$, $\tau$   Ensure:  Sampled value S  1: $rnd\leftarrow [0,\tau \sigma )\cap \mathbb{Z}$ uniformly at random  2: $\mathrm{sign}\leftarrow [0,1]\cap \mathbb{Z}$ uniformly at random  3: $i\leftarrow 0$  4: while $(rnd>\mathsf{\Psi }[i\left]\right)$ do  5:    $i\leftarrow i+1$  6: end while  7: $S\leftarrow \left(\right(-\mathrm{sign})\wedge i)+\mathrm{sign}$  8: return  S

Algorithm 2 The subtraction operation based CDT sampling

Require:  CDT table $\mathsf{\Psi }$ of length ℓ, $\sigma$, $\tau$  Ensure:  Sampled value S  1: $rnd\leftarrow [0,\tau \sigma )$ uniformly at random  2: $\mathrm{sign}\leftarrow [0,1]\cap \mathbb{Z}$ uniformly at random  3: $S\leftarrow 0$  4: for $i=0$ to $\ell -1$ do  5:    $S+=\left(\mathsf{\Psi }\right[i]-rnd)\gg wordsize$  6: end for  7: $S\leftarrow \left(\right(-\mathrm{sign})\wedge S)+\mathrm{sign}$  8: return S

Algorithm 3 Comparison-based CDT Sampling

Require:  CDT Table $\mathsf{\Psi }$, $\sigma$, $\tau$, and Table length l  Ensure:  Sampled value S  1: $rnd\leftarrow [0,\tau \sigma )$ uniformly at random  2: $\mathrm{sign}\leftarrow [0,1]\cap \mathbb{Z}$ uniformly at random  3: $S\leftarrow 0$  4: for $i=0$ to $\ell -1$ do  5:    $S+=(rnd\ge \mathsf{\Psi }[i\left]\right)$  6: end for  7: $S\leftarrow \left(\right(-\mathrm{sign})\wedge S)+\mathrm{sign}$  8: return S

Listing 1. base_sampler() C code.

3. Experiments Setup

4. Single Trace Analysis Using Visible Leakage in 8-Bit AVR

4.1. Comparison Operation Based CDT on 8-Bit AVR

The following is how AVR works in situations where the operands used in comparison operations are larger than 8 bits. In this case, 8 bits refers to the word size of the AVR. Mitaka’s CDT uses 64-bit operands. Therefore, it is stored in eight blocks, as shown in Figure 3. Assuming a comparison of two numbers, we have $A_i$ and $B_i$, each divided into eight blocks where i is 0 through 7.

Various methods can be employed to compare these numbers. AVR’s approach is to initiate the comparison with the most significant words. Compare A and B as follows:

• Check if $A_0$ is greater than $B_0$. If so, $A>B$.
• Check if $A_0$ is less than $B_0$. If true, $A<B$.
• Check if $A_0$ and $B_0$ are equal. If true, continue to compare the next word until the comparison ends.

This implementation is vulnerable to side channel analysis. For instance, let’s consider two scenarios: (1) $A_0>B_0$ and (2) $A_0=B_0,A_1<B_1$. In these situations, the execution time of the comparison operations may differ. As a result, timing vulnerabilities arise, which can be exploited through STA to distinguish between the two scenarios. This paper investigates this process by performing reverse engineering on code that works in a real AVR.

The assembly code depicted in Listing 2 illustrates the part of $BaseSampler$ function for the optimized s-level. It is evident that the comparisons are performed sequentially, word by word. Notably, vulnerabilities in the word based comparison method are evident. The process of performing comparison operations for each optimization level follows a similar pattern as shown in Listing 2. Subsequent instructions are dependent on the results of the word comparisons, leading to variations in executed operations and resulting in distinct power consumption patterns manifested as differences in power traces.

Listing 2. CDT Sampling Assembly Code in 8-bit AVR.

In more detail, the first word is compared in lines 252, 254, and the next operation varies depending on the result. First, calculate $r25-r24$. If a carry occurred, then branch to line 2a0. This indicates that $r24$ was a greater number than $r25$. If no carry has occurred, go to lines 256, 258. Then, calculate $r24-r25$. If the values are not the same between $r24$ and $r25$, branch to line 29c. This means that $r25$ was a greater number than $r24$. If the values were the same, compare the next two words by executing the following lines. Repeat this process until the comparison operation is finally completed. In other words, the vulnerability appears in the fact that the processing method in the branch statement varies depending on the result of the comparison operation.

4.3. Countermeasure

The cause of vulnerability mentioned in this paper was attributed to the varying number of clock cycles depending on the branch statement in the 8-bit AVR environment. Hence, the countermeasure proposed an implementation method that eliminates the number of clock cycles discrepancy. This paper’s proposed secure CDT sampling algorithm is denoted as Algorithm STA-Resistant CDT sampling. The algorithm processes the r and the CDT table in word-sized blocks, corresponding to the processing units of the processor. The values in r, CDT table that exceed the word size are divided into n word blocks. Comparison operations are performed identically for each block. However, if the outcome of a comparison operation is determined in the previous block, subsequent operations are only performed, i.e., it does not affect the result. Due to the inherent nature of comparison operations, methods employing them may result in branching. Branching commands such as ’brne’ and ’brcc’ are commonly used. In AVR instruction sets, ’brne’ and ’brcc’ differ by only 1 concerning true and false conditions, allowing for an equal adjustment in the number of clock cycles for the operation. However, this implementation approach can be considered risky. Therefore, this paper introduces an assembly code that eliminates the need for branch commands while implementing algorithm STA-Resistant CDT sampling.

Algorithm 4 Countermeasure for satisfying constant time operating

Require:  -   Ensure:  Sampled value z  1: $z\leftarrow 0$  2: $r_i\stackrel{\$}{\leftarrow }[0,2^{wordsize})$ uniformly random with $i=0$ to n  3: for $i=0$ to $Table\_size-1$ do  4:    $gt\leftarrow 0,lt\leftarrow 0$  5:    for $j=0$ to $n-1$ do  6:      $gt\mid =(\neg (gt\mid lt))\&(r_j>CD{T}_{i,j})$  7:      $lt\mid =(\neg (gt\mid lt))\&(r_j<CD{T}_{i,j})$  8:    end for  9:    $z+=1\oplus lt$  10: end for  11: return  z

Listing 3 is part of the assembly code, representing the comparison operation in the proposed countermeasure. The blue and red lines in Listing 3 correspond to the comparison operations in Algorithm STA-Resistant CDT sampling. Lines 278 and 288 initialize the value of register r18, where the result of the comparison operation will be stored to zero. Lines 27a and 28a compare registers r22 and r23 using ’cp’ commands, respectively and store the results in the carry flag. Lines 27c and 28c execute an addition operation on the initialized r18 using the ’adc’ (add with carry) instruction. During this operation, the stored carry values are combined, storing the comparison operation’s result within r18. This approach allowed me to eliminate the need for branching instructions, thus removing previously mentioned vulnerabilities.

Listing 3. The comparison operation of assembly implementation code of countermeasure.

Figure 5 illustrates the power consumption traces of 3 different types of the Listing 3 operating in the 8-bit AVR MCU. This figure is fully examined by overlapping with all results to represent the corresponding power consumption traces. The trace reveals no discernible variations in the comparison time across different values. This serves as compelling evidence that CDT sampling demonstrates resistance against STA.

5. Single Trace Analysis of Invisible Leakage in 32-Bit Arm Cortex-M4

5.1. Comparison Operation Based CDT on 32-Bit Arm Cortex

This study investigates vulnerabilities by analyzing the assembly code. Listing 4 presents the comparison operation section of CDT sampling on the Cortex-M4. The two 32-bit comparisons are performed to handle 64-bit operands, utilizing Z-registers to ensure constant time execution. The operands are stored in registers r7, r6, and CDT in MSB(Most Significant Bit) order, with one table value loaded into registers r1 and r0. The Arm Cortex-M4 stores the result of the operation in its N, Z, C, and V flags. Specifically, Z is set to 1 if the two values are equal, and C is set to 1 if the left-hand side is greater than or equal to the right-hand side. Line 27e checks whether r7 and r1 are equal, executing line 282 if they match and line 284 if not. At this point, the it instruction is folded with the 16-bit Thumb instruction, ensuring that no additional cycles are consumed or, at most, 1 cycle is used [18]. Consequently, CDT sampling on the Arm Cortex-M4 achieves constant-time execution. However, the values stored in registers r1 and r4, which hold the results of comparison operations on lines 286, 288, and 28c, vary depending on the outcome of the comparison. These variations could potentially expose the results of the comparison operations.

Listing 4. base_sampler() assembly code in Arm Cortex-M4.

5.2. Analyzing the Security of CDTs

Power consumption varies due to differences in Hamming weight [19]. We employ profiling analysis, a deep learning-based side-channel analysis technique, to evaluate the security of CDT sampling for comparison operations that adhere to constant-time execution. Profiling analysis involves extracting secret information by utilizing a model trained on a profiled device and applying it to data from the attacked device. This method allows for predicting the attack target value from a single power trace. Figure 7 illustrates the procedure for applying profiling analysis to CDT sampling. The proposed model labels 14 distinct CDT result types and learns the corresponding power consumption traces collected from the profiling device. The trained model then analyzes power traces from the device under attack during CDT sampling and predicts the output values.

5.2.1. Attacker Assuming

Adversary Model: The adversary has physical access to the target device and can measure its power consumption. Additionally, the adversary possesses physical access to the same profiling target device as the attacker, with full control over it, including the ability to acquire output values from CDT sampling. This scenario closely mirrors the experimental setup described in Section 3. The attacker can also measure the power consumption of the base_sampler() function while Mitaka is running. In our experiments, we directly triggered base_sampler(). However, in practical scenarios, it could be collected by activating base_sampler() during Mitaka’s execution or through physical manipulation [20,21].

5.2.2. Profiling Phase

The power consumed by the device satisfies the following Equation (1). Therefore, the power consumption is proportional to the Hamming weight information of the data used in the computation [19]. $P_{total}$ is power consumption, $P_{op}$ power consumption by operation, $P_{data}$ is power consumption based on data, and $P_{noise},P_{const}$ refer to the noise inherent in the device and the constant power consumption independent of computation and data, respectively.

$$P_{\mathrm{total}}=P_{\mathrm{op}}+P_{\mathrm{data}}+P_{\mathrm{noise}}+P_{\mathrm{const}}$$

(1)

This paper analyzes power consumption to recover the values used in CDT sampling. However, signal noise can interfere with the accuracy of the analysis [8]. For effective evaluation of CDT sampling, it is crucial to distinguish differences in the Hamming weights of operations by a value of 1. Consequently, an analysis method highly sensitive to the data change rate is required. Furthermore, since CDT sampling generates a random value with each execution, the recovery of the sampled value from a single execution’s power consumption should be achievable. To address this, we propose a single-trace analysis using deep learning-based side-channel analysis to assess the security of CDT sampling.

The training data for the profiling analysis consists of power consumption traces obtained by repeatedly executing CDT sampling on random inputs and the corresponding output values for each execution. Specifically, we define a set X of multiple collected power consumption traces and a set Y of sampled values obtained for each run. Each $X_i$ leaks information about its corresponding $Y_i$. Therefore, this study trains a model using pairs $(X_i,Y_i)$$\in (X,Y)$, where $X_i$ serves as the input data and $Y_i$ serves as the label. 10,000 data sets were collected for each label, with the ratio of training data to validation data at 80:20, resulting in the training set of 112,000 traces and a validation set of 28,000 traces. The test dataset comprises 10,000 $(X_i,Y_i)$ pairs generated from random inputs. The model designed to evaluate the security of CDT sampling is a MLP(Multi-Layer Perceptron), with hyperparameters specified in Table 6. The MLP architecture includes an input layer, one hidden layer, and an output layer comprising multiple nodes. The training was conducted with an epoch count of 10 and a batch size of 512, utilizing the ReLU activation function and the Adam optimization algorithm (learning rate = $1\times {10}^{-4}$).

Table 1. MLP structure.

Table 1. MLP structure.

Layer Type	(In, Out) shape	# Parameters
Batch Normalization	(736, 736)	2944
Dense	(736, 512)	377344
Batch Normalization	(512, 512)	2048
Dense	(512, 256)	131328
Batch Normalization	(256, 256)	1024
Dense	(256, 14)	3598

5.2.3. Evaluating Model Performance

The training results of the model are presented in Figure 8. Model Accuracy reflects the accuracy of both the training and validation phases, while Model Loss represents the corresponding loss during these phases. The model converged to 1 for training and validation accuracy and to 0 for both training and validation loss. As shown in Figure 9, the accuracy on the test dataset is 99.97%. The test dataset consists of 10,000 traces, representing each trace’s classification accuracy. The F1-score for both micro and macro averages is 1.0, indicating that the proposed model can accurately predict the CDT sampling output from a single trace of a comparison operation executed on the Cortex-M4.

5.2.4. Leak Point Analysis Through Weight Analysis

As described in 5.1, the difference in Hamming weights during the CDT sampling process results from comparisons between 32-bit words. By examining the weights of the trained model, it is possible to identify the moments when the model successfully classified the sampled value. Figure 10 illustrates the sum of the weights for each node in the first layer of the trained model. The red line represents the sum of the weights, while the gray line shows the average across the entire waveform, normalized for visualization purposes. It demonstrates that the model makes its classification decision when comparing random and table values.

6. Conclusion and Future Works

References

1. Shor, P.W. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Rev. 1999, 41, 303–332. [Google Scholar] [CrossRef]
2. Mosca, M. Cybersecurity in an era with quantum computers: Will we be ready? IEEE Secur. Priv. 2018, 16, 38–41. [Google Scholar]
3. Fouque, P.-A.; Hoffstein, J.; Kirchner, P.; Lyubashevsky, V.; Pornin, T.; Prest, T.; Ricosset, T.; Seiler, G.; Whyte, W.; Zhang, Z. Falcon: Fast-Fourier lattice-based compact signatures over NTRU. Submission to NIST’s Post-Quantum Cryptography Standardization Process 2018, 36, 1–75. [Google Scholar]
4. Espitau, T.; Fouque, P.-A.; Gérard, F.; Rossi, M.; Takahashi, A.; Tibouchi, M.; Wallet, A.; Yu, Y. Mitaka: A simpler, parallelizable, maskable variant of Falcon. In Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, Trondheim, Norway, 30 May–3 June 2022; pp. 222–253. [Google Scholar]
5. Espitau, T.; Nguyen, T.T.Q.; Sun, C.; Tibouchi, M.; Wallet, A. Antrag: Annular NTRU Trapdoor Generation: Making Mitaka as Secure as Falcon. In Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security, Yokohama, Japan, 3–6 December 2023; pp. 3–36. [Google Scholar]
6. Kim, K.; Tibouchi, M.; Wallet, A.; Espitau, T.; Takahashi, A.; Yu, Y.; Guilley, S.; SOLMAE Algorithm Specifications. KpqC: Korean Post-Quantum Cryptography 2020. Available online: https://kpqc.or.kr/1 (accessed on 16 October 2024).
7. Kim, S.; Hong, S. Single trace analysis on constant time CDT sampler and its countermeasure. Appl. Sci. 2018, 8, 1809. [Google Scholar] [CrossRef]
8. Marzougui, S.; Kabin, I.; Krämer, J.; Aulbach, T.; Seifert, J.-P. On the feasibility of single-trace attacks on the Gaussian sampler using a CDT. In Proceedings of the International Workshop on Constructive Side-Channel Analysis and Secure Design, Leuven, Belgium, 17–19 April 2023; pp. 149–169. [Google Scholar]
9. Zhang, S.; Lin, X.; Yu, Y.; Wang, W. Improved power analysis attacks on Falcon. In Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, Trondheim, Norway, 30 May–3 June 2023; pp. 565–595. [Google Scholar]
10. Choi, K.-H.; Kim, J.-H.; Han, J.; Huh, J.-W.; Han, D.-G. Single Trace Analysis of Comparison Operation Based Constant-Time CDT Sampling and Its Countermeasure. In Proceedings of the International Conference on Information Security and Cryptology, Seoul, South Korea, 13–15 December 2023; pp. 185–201. [Google Scholar]
11. Cheon, J.H.; Kim, D.; Lee, J.; Song, Y. Lizard: Cut off the tail! A practical post-quantum public-key encryption from LWE and LWR. In Proceedings of the International Conference on Security and Cryptography for Networks, Amalfi, Italy, 5–7 September 2018; pp. 160–177. [Google Scholar]
12. Bos, J.; Costello, C.; Ducas, L.; Mironov, I.; Naehrig, M.; Nikolaenko, V.; Raghunathan, A.; Stebila, D. Frodo: Take off the ring! Practical, quantum-secure key exchange from LWE. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24–28 October 2016; pp. 1006–1018. [Google Scholar]
13. Ajtai, M.; Dwork, C. A public-key cryptosystem with worst-case/average-case equivalence. In Proceedings of the Twenty-Ninth Annual ACM Symposium on Theory of Computing, El Paso, TX, USA, 4–6 May 1997; pp. 284–293. [Google Scholar]
14. Hoffstein, J. NTRU: A Ring Based Public Key Cryptosystem. Algorithmic Number Theory (ANTS III) 1998. [Google Scholar]
15. Hülsing, A.; Rijneveld, J.; Schanck, J.; Schwabe, P. High-speed key encapsulation from NTRU. In Proceedings of the International Conference on Cryptographic Hardware and Embedded Systems, Taipei, Taiwan, 25–28 September 2017; pp. 232–252. [Google Scholar]
16. NewAE Technology Inc. ChipWhisperer API. Available online: https://github.com/newaetech/chipwhisperer (accessed on 16 October 2024).
17. Microchip Technology. AVR Instruction Set Manual. Available online: https://ww1.microchip.com/downloads/en/devicedoc/atmel-0856-avr-instruction-set-manual.pdf (accessed on 16 October 2024).
18. Arm Developer. Cortex-M4 instructions. Available online: https://developer.arm.com/documentation/ddi0439/b/CHDDIGAC (accessed on 16 October 2024).
19. Kocher, P. Differential power analysis. In Proceedings of the Advances in Cryptology (CRYPTO’99), Santa Barbara, CA, USA, 15–19 August 1999. [Google Scholar]
20. Inci, M.S.; Gulmezoglu, B.; Irazoqui, G.; Eisenbarth, T.; Sunar, B. Cache attacks enable bulk key recovery on the cloud. In Proceedings of the Cryptographic Hardware and Embedded Systems–CHES 2016, Santa Barbara, CA, USA, 17–19 August 2016; pp. 368–388. [Google Scholar]
21. Chen, Z.; Oswald, D. PMFault: Faulting and Bricking Server CPUs through Management Interfaces. arXiv Preprint 2023. Available online: https://arxiv.org/abs/2301.05538. [CrossRef]
22. Schneider, T.; Paglialonga, C.; Oder, T.; Güneysu, T. Efficiently masking binomial sampling at arbitrary orders for lattice-based crypto. In Proceedings of the Public-Key Cryptography–PKC 2019, Beijing, China, 14–17 April 2019; pp. 534–564. [Google Scholar]
23. Fisher, R.A.; Yates, F. Statistical tables for biological, agricultural and medical research, 6th ed.; Oliver and Boyd: Edinburgh, UK, 1963. [Google Scholar]