Systematic Use of Random Self-Reducibility against Physical Attacks

It is a well-known fact that the power consumption during certain stages of a cryptographic algorithm exhibits a strong correlation with the Hamming weight of its underlying variables, i.e., Hamming weight leakage model [49, 22, 69]. This phenomenon has been widely exploited in the cryptographic literature in various attacks targeting a broad range of schemes, particularly post-quantum cryptographic implementations [45, 91, 71, 85, 4, 70, 5, 86, 39, 14, 43]. Therefore, we use the Hamming weight leakage model in the evaluation of the robustness of the countermeasure.

The Hamming weight leakage model assumes that the Hamming weight of the operands is strongly correlated with the power consumption. Each bit flip requires one or more voltage transitions from 0 to high (or vice versa). Different data values typically entail differing numbers of bit flips and therefore produce distinct power traces [23]. Therefore, any circuit not explicitly designed to be resistant to power attacks has data-dependent power consumption. However, in a complex circuit, the differences can be so slight that they are difficult to distinguish from a single trace, particularly if an attacker’s sampling rate is limited [49, 94]. Therefore, it is necessary to use statistical techniques across multiple power traces [49].

Test Vector Leakage Assessment (TVLA). [40] identifies if two sets of side channel measurements are distinguishable by computing the Welch’s t-test for the two sets of measurements. It is being used in the literature to confirm the presence or absence of side-channel leakages for power traces, and has become the de facto standard in the evaluation of side-channel measurements [69, 81, 56, 90, 76]. In side-channel analysis, the recommended thresholds for t-values are specifically tailored to detect potential information leakage in cryptographic systems. A t-value threshold of $\pm 4.5$ or $\pm 5$ is often considered in side-channel analysis. This threshold corresponds to a very high confidence level, rejecting the null hypothesis with a confidence greater than 99.999% for a significantly large number of measurements. The null hypothesis typically being that all samples are drawn from the same distribution, a t-value outside this range indicates distinguishable distributions of the two sets and thus the existence of side-channel leakage [88]. The choice of these thresholds is influenced by the need to balance the risk of false positives (incorrectly identifying information leakage when there is none) against the risk of false negatives (failing to detect actual information leakage).

The Sum of Squared pairwise T-differences (SOST) [24] is a technique for identifying Points of Interest (PoIs) in side-channel analysis. It is particularly useful in scenarios where there are many data points (like traces in a cryptographic system), and you want to identify specific points in these traces that show significant variation based on different conditions or inputs.

In the real world, there is a possibility that the devices will malfunction or be damaged, resulting in generating the error output, and we may ignore it. However, if the attacker intentionally induced the fault during the device operation, e.g., cryptographic calculation, he or she can recover the secret by analyzing the original and fault outputs. Most of the classical cryptographic algorithms can be attacked by fault injection attacks. For instance, the first fault attack research [18] was on the RSA implementation using the Chinese Remainder Theorem (CRT), which is the most common implementation of RAS used to secure communication. In this case, the attacker can recover the secret with only one faulty RSA-CRT signature. Moreover, in [62], Mus et al. provide the fault attack method, which can attack El-Gamal or elliptic-curve (ECC) based signature, such as Schnorr signature and ECDSA, via Rowhammer (a software technique used to induce the fault in memory). Not only the public key cryptosystem but also the symmetric key cryptosystem are vulnerable to fault injection attacks. In [66], Piret et al. develop the fault attack method against substitution-permutation network (SPN) structures cryptographic algorithm, such as AES or KHAZAD. Even the post-quantum cryptographic algorithms [73], which can protect against quantum computing, can be vulnerable to fault attacks. Therefore, it is necessary to have efficient FI attack protections that can be easily deployed.

The injected fault can, in principle, have an impact on any stage of the fetch-decode-execute cycle performed for each instruction [48, 99]. Additionally, any optimizations implemented by the CPU, such as pipelining [98], add to the complexity of executing a single instruction. Therefore, it is typically unknown what exactly goes wrong within the CPU when its behavior is changed due to fault injection, whereas the modified behavior itself is easier to measure. We consider a generic fault model, likely applicable to a wide range of targets, where a variable amount of bits in the instruction are flipped as a result of fault injection. Two types of behavior are possible using this fault model: 1. Instruction corruption: the original instruction is modified into an instruction that has an impact on the behavior of the device. In practice, it may modify the instruction to any other instruction supported by the architecture. 2. Instruction skipping: effectively a subset of instruction corruption. The original instruction is corrupted into an instruction that does not have an impact on the behavior of the device. The resulting instruction does not change the execution flow or any state that is used later on.

Invocation of specific behavior is not a trivial task, as the low level control required to do this is often limited. However, it is possible to identify the more probable results while assuming that bit flips affecting single or all bits are more likely than complex patterns of bit flips [92].

On embedded processors, a fault model in which an attacker can skip an assembly instruction or equivalently replace it by a nop has been observed on several architectures and for several fault injection means [61]. Moro et al. in [60] assume that the effect of the injected fault on a 32-bit microcontroller leads to an instruction skip. Moro et al. [61] and Barenghi et al. [9] have proposed implementations of the Instruction Redundancy technique as a countermeasure against this fault model. Instruction skips correspond to specific cases of instruction replacements: replacing an instruction with another one that does not affect any useful register has the same effect as a nop replacement and so is equivalent to an instruction skip.

The $\tilde{x}$ notation is used to represent a specific realization of a random variable (i.e., a specific value that the random variable takes on). Let $\Pr_{x\in X}[\cdot]$ denote the probability of the event in the enclosed expression when $x$ is uniformly chosen from $X$. We assume the domain and range of the function are the same set, usually named as $\mathbb{D}$, but the formalization can be expanded to accommodate multivariate functions and heterogeneous domains and ranges.

Let $q$ be a prime number, and the field of integers modulo $q$ be denoted as $\mathbb{Z}_{q}$. Schemes such as Kyber and Dilithium operate over polynomials in polynomial rings. The polynomial ring $\mathbb{Z}_{q}[x]/\phi(x)$ is denoted as $R_{q}$ where $\phi(x)=x^{n}+1$ is a cyclotomic polynomial with $n$ being a power of 2. Multiplication of polynomials $a,b\in R_{q}$ is denoted as $c=a\cdot b\in R_{q}$. Pointwise/Coefficientwise multiplication of two polynomials $a,b\in R_{q}$ is denoted as $c=a\circ b\in R_{q}$, which means that each of the coefficients of polynomial $a$ multiplies the coefficients of $b$ with the same index. The NTT representation of a polynomial $a\in R_{q}$ is denoted as $\hat{a}\in R_{q}$.

Informally, a function $f$ is random-self-reducible if the evaluation of $f$ at any given instance $x$ can be reduced in polynomial time to the evaluation of $f$ at one or more random instances.

Another similar definition was made by Lipton [50]. Suppose that we wish to compute the trivial identity function $f(x)=x$, and let $P$ be a program that computes $f(x)$. We can construct from $P$ another program $P^{\prime}$ with the property that it can compute $f(x)$ correctly at an arbitrary point $x$ provided that one can compute it at a number of random points. Consider the following program $P^{\prime}(x)\stackrel{{\scriptstyle\Delta}}{{=}}\tilde{r}:=\text{random}();\text{return }P(x+\tilde{r})-P(\tilde{r})$. $P^{\prime}$ can compute $P(x)$ with inputs $x+\tilde{r}$ and $\tilde{r}$.

It is shown by Blum et al. [16] that self-correctors exist for any function that is random self-reducible. A self-corrector for $f$ takes a program $P$ that is correct on most inputs and turns it into a program that is correct on every input with high probability.

Privacy-preserving computing allows multiple parties to evaluate a function while keeping the inputs private and revealing only the output of the function and nothing else. One popular approach to outsourcing sensitive workloads to untrusted workers is to use arithmetic secret sharing [31, 58]. It splits a secret into multiple shares, distributing them across various workers. Each worker processes their respective share locally. Assuming the workers will not collude, it is information-theoretically impossible for each worker to recover the secret from its share [96].

In standard arithmetic secret sharing, the client aims to compute $f(x,y)=ax+by=z$, with the property that $f(x,y)=f(x_{1},y_{1})+f(x_{2},y_{2})$, where $x_{1}$ and $y_{1}$ are randomly chosen. Let $\mathbb{Z}\left(2^{w_{e}}\right)$ denote the integer ring of size $2^{w_{e}}$. The shares are constructed such that the sum of all shares is equal to the original secret value $x\in$ $\mathbb{Z}\left(2^{w_{e}}\right)$. The client then delegates the computation to workers (untrusted entities). These workers independently calculate $f(x_{1},y_{1})$ and $f(x_{2},y_{2})$, then relay their results back to the client. The client derives $f(x,y)$ using these partial results from the untrusted workers. The randomness in the shares is crucial for our power side-channel countermeasure. While arithmetic secret sharing is based on the linearity of addition and multiplication over integers, our approach utilizes Random Self-Reducible properties, some of which may not necessarily be linear. Moreover, to counteract fault injection attacks, our algorithm must produce accurate results despite faults. We achieve this in our countermeasure by repeating the computation $n$ times and choosing the majority of the responses.