[aes, prim_lfsr, sca] Verification of the masked AES with PRNG

[AeinRezaeiShahmirzadi]

Description

The high bandwidth random number generator for the masked AES core seems highly unconventional as it uses a single 32-bit LFSR (with nonlinear filter function) to re-mask four masked S-box which is calculated over five cycles. Moreover, the entire state of LFSRs is used as fresh randomness every cycle. This might result in non-uniform distributions of the masks in later cycles of the AES S-box operation and potentially cause side-channel leakage. It would be beneficial if the entire masked AES is verified by verification tools (such as PROLEAD which is able to verify the entire design) together with the PRNG to make sure that there is no vulnerability in the design.

[cassiersg]

As an additional issue, the state of the LFSRs is only 32-bits, therefore it can be brute-forced.

[cassiersg]

CC'ing LowRISC people who might be interested: @vogelpi @moidx @johannheyszl

[vogelpi]

Thanks @AeinRezaeiShahmirzadi for reaching out.

For visibility, Aein and I have been communicating about this. I will prepare a testbench that will allow Aein to kick off the verification process.

Edit by @vogelpi - Jan 26, 2024:

Summary of what has been done as part of this issue:

• We've been working together with @AeinRezaeiShahmirzadi to enable analyzing the LFSR-based PRNG implementation together with the AES cipher core using the PROLEAD tool in July 2023. After reporting and fixing a tooling issue in the open-source synthesis setup, it was possible to evaluate the design using PROLEAD. The tool did find a couple of -log10(p) values greater than the threshold for fewer traces (< 1.5 Mio). But for more traces, all -log10(p) values were below the threshold. This indicates that the LFSR-based PRNG can produce randomness of sufficient quality for the masking implementation in our AES cipher core. But we weren't sure whether we were just lucky or if potential non-uniformity issues (as raised by @AeinRezaeiShahmirzadi ) are avoided in this design using the linear- and non-linear layers following the actual LFSR. A meeting was held to feed these results back on Dec 12, 2023. With [aes, pre_sca] Enable masking evaluation of AES with PROLEAD #20765, the PROLEAD setup and a howto to repeat these results have been merged on Jan 8, 2024.
• What remaind was the issue around the brute forcing the 32-bit LFSRs as noted by @cassiersg . Therefore, we've implemented and verified Trivium/Bivium stream cipher primitives as proposed by @cassiersg in [prim] Add Trivium/Bivium stream cipher primitives #20653 (merged Dec 23, 2023). On top of the reseeding mechanisms discussed in the paper, these implementations contain an additional, new reseeding mechanism directly injecting 32-bit words as received from the entropy complex without additional buffering. This is mainly enabled by the strong diffusion characteristics of unrolled Trivium/Bivium implementations and in our view a big plus compared to PRNG based on LFSRs with more than 32 bits of state. This information was fed back to @cassiersg on Dec 12, 2023.
• We've switched the PRNG implementation inside AES to use Bivium instead of 32-bit LFSRs with [aes,rtl] Switch to Bivium-based masking PRNG implementation #20852, re-ran all experiments and also adjusted the PROLEAD setup / howto in the tree to allow repeating some of the results (merged Jan 26, 2024). From an area perspective, the overall AES area increases slightly due to this change (+1.81 kGE or +1.1% based on Yosys + nangate45) but we thought this is definitely acceptable given the better security posture of the new PRNG design.

[vogelpi]

@AeinRezaeiShahmirzadi , I've pushed the testbench to this PR here: #19216.

[vogelpi]

Hi @AeinRezaeiShahmirzadi ,
it has been a while and I was wondering if you managed to set up the verification environment with your tool. Or is there anything I can assist you with? I would be interested to leverage your tool flow for some upcoming design work for the project.

Related to the original question about brute-forcing 32-bit LFSRs: I think we could switch to 64-bit LFSRs. If we do in a smart way we can avoid massively inflating area. Do you think this would be advisable?

[cassiersg]

@vogelpi About brute-forcing the LFSRs: moving from 4x 32-bit to 2x 64-bit (or even 1x 128-bit) should avoid that attack, and should not lead to significantly increased costs (you may even want shift a bit faster the LFSR to get more fresh bits per clock cycle). This will however not solve the non-uniformity issues pointed out by @AeinRezaeiShahmirzadi.

Your might be interested in our recent paper on the topic https://eprint.iacr.org/2023/1134, although our proposition is likely more expensive than your current solution.

[vrozic]

A good alternative might be to replace the PRNG with XoShiRo256++ PRNG. It has a 256 bit state and we already have the implementation. It passes NIST 800-22 statistical tests, so it is not likely to cause non-uniformity issues.

[vogelpi]

Update: We did have a good and constructive discussion today and agreed on the following: @AeinRezaeiShahmirzadi will share the PROLEAD configuration file with us allowing us to reproduce the discussed experiments. Our plan is to do an investigation on whether we can work out some relatively minor changes to the current PRNG design to avoid potential non-uniformity issues or whether it would be better to redesign the PRNG using a different approach.

Personally, I think it will be challenging to come up with an efficient reseeding mechanism, to do the DV integration and the actual SCA evaluation - independent on the approach we take. If we decide to go through that, I am more in favor of a doing a PRNG redesign.

[vogelpi]

Update: we came together last TUE to discuss the results of the investigation I have been doing over the last couple of weeks. The main discussion points were:

1. After reporting a tooling issue in sv2v and getting that fixed, I was able to analyze the netlist of our AES cipher core produced with sv2v and Yosys with PROLEAD. There were a couple of -log10(p) values greater than the threshold for fewer traces (< 1.5 Mio). But for more traces, all -log10(p) values were below the threshold. This indicates that the current LFSR-based PRNG can produce randomness of sufficient quality for the masking implementation in our AES cipher core. We weren't quite sure whether we were just lucky or if potential non-uniformity issues and problems around using the entire LFSR state as randomness (as raised by @AeinRezaeiShahmirzadi ) are avoided in this design using the linear- and non-linear layers following the actual LFSR. What definitely remains is the issue around the brute forcing as noted by @cassiersg .
2. I have been implementing the Trivium/Bivium stream cipher primitives (see draft PR [prim] Add Trivium/Bivium stream cipher primitives #20653) as proposed in the mentioned paper, verified them, integrated Bivium into our AES cipher core and reran the analysis using PROLEAD. SCA-wise, the result is very similar to the LFSR-based PRNG. Area-wise the design is slightly bigger (+2.22 kGE, +1.8%). The big advantage is the larger internal state which renders brute-forcing infeasible. While doing this, I also made some interesting findings regarding the reseeding. Trivium/Bivium have much stronger diffusion properties compared to LFSRs producing similar number of output bits from similar state size. This means it's possible to feed fresh entropy into the state as it's received from EDN while keeping updating the primitives to produce randomness. This allows reducing area for buffering incoming entropy (similar to when using 32-bit LFSRs with 32-bit EDN input). This implemented primitive in the PR supports this way of reseeding as well as reseeding key + IV (following the initialization) or reseeding the full state. The mechanism can be selected using a design-time Verilog parameter.

On my end, I will now do more experiments with Bivium/Trivium and check if we can definitely integrate them into AES on the master branch.

[vogelpi]

Happy New Year! The PR adding the Trivium/Bivium primitives has been merged and I've now done a PR adding the support files for evaluating the AES cipher core using PROLEAD here #20765. This allows repeating the analysis and reproducing the results mentioned above. Thanks again @AeinRezaeiShahmirzadi for the collaboration on this.

Next up is to kick off some more experiments (FPGA) and take a look at DV.

[vogelpi]

FYI the PR changing the PRNG implementation in OpenTitan AES is finally here: #20852

In the meantime, we've done additional experiments (including FPGA evaluation) and everything looked good so far. :-) The PR is currently under review but I hope to merge this soon.

[vogelpi]

Update: the PRNG implementation on master has now been switched to an unrolled Bivium implementation. I am now updating my first comment in this thread to summarize what has been done and what the findings were. Afterwards, I will close this issue, feel free to re-open in case further questions / inputs related to this come up.

Thanks again @AeinRezaeiShahmirzadi and @cassiersg for all your input on this!

[vogelpi]

And here is the summary: #19091 (comment)