RevEAL: Single-Trace Side-Channel Leakage of the SEAL Homomorphic Encryption Library

This paper demonstrates the first side-channel attack on homomorphic encryption (HE), which allows computing on encrypted data. We reveal a power-based side-channel leakage of Microsoft SEAL prior to v3.6 that implements the Brakerski/Fan-Vercauteren (BFV) protocol. Our proposed attack targets the Gaussian sampling in the SEAL’s encryption phase and can extract the entire message with a single power measurement. Our attack works by (1) identifying each coefficient index being sampled, (2) extracting the sign value of the coefficients from control-flow variations, (3) recovering the coefficients with a high probability from data-flow variations, and (4) using a Blockwise Korkine-Zolotarev (BKZ) algorithm to efficiently explore and estimate the remaining search space. Using real power measurements, the results on a RISC-V FPGA implementation of the SEAL (v3.2) show that the proposed attack can reduce the plaintext encryption security level from 2ˆ128 to 2ˆ4.4. Therefore, as HE gears toward real-world applications, such attacks and related defenses should be considered

SeqL+: Secure Scan-Obfuscation with Theoretical and Empirical Validation

Existing logic-locking attacks are known to successfully decrypt a functionally correct key of a locked combinational circuit. Extensions of these attacks to real-world Intellectual Properties (IPs, which are sequential circuits) have been demonstrated through the scan-chain by selectively initializing the combinational logic and analyzing the responses. In this paper, we propose SeqL+ to mitigate a broad class of such attacks. The key idea is to lock selective functional-input/scan-output pairs of flip-flops without feedback to cause attackers to decrypt an incorrect key, and to scramble flip-flops with feedback to increase key length without introducing further vulnerabilities. We conduct a formal study of the scan-locking and scan-scrambling problems and demonstrate automating our proposed defense on any given IP. This study reveals the first formulation and complexity analysis of Boolean Satisfiability (SAT)-based attack on scan-scrambling. We formulate the attack as a conjunctive normal form (CNF) using a worst-case O(n^3) reduction in terms of scramble-graph size n, making SAT-based attack applicable and show that scramble equivalence classes are equi-sized and of cardinality 1. In order to defeat SAT-based attack, we propose an iterative swapping-based scan-cell scrambling algorithm that has linear implementation time-complexity and exponential SAT-decryption time-complexity in terms of a user-configurable cost constraint. We empirically validate that SeqL+ hides functionally correct keys from the attacker, thereby increasing the likelihood of the decrypted key being functionally incorrect. When tested on pipelined combinational benchmarks (ISCAS, MCNC), sequential benchmarks (ITC), and a fully-fledged RISC-V CPU, SeqL+ gave 100% resilience to a broad range of state-of-the-art attacks including SAT [1], Double-DIP [2], HackTest [3], SMT [4], FALL [5], Shift-and-Leak [6], Multi-cycle [7], Scan-flushing [8], and Removal [9] attacks

Optimal Don’t Care Filling for Minimizing Peak Toggles During At-Speed Stuck-At Testing

Due to the increase in manufacturing/environmental uncertainties in the nanometer regime, testing digital chips under different operating conditions becomes mandatory. Traditionally, stuck-at tests were applied at slow speed to detect structural defects and transition fault tests were applied at-speed to detect delay defects. Recently, it was shown that certain cell-internal defects can only be detected using at-speed stuck-at testing. Stuck-at test patterns are power hungry, thereby causing excessive voltage droop on the power grid, delaying the test response, and finally leading to false delay failures on the tester. This motivates the need for peak power minimization during at-speed stuck-at testing. In this article, we use input toggle minimization as a means to minimize a circuit’s power dissipation during at-speed stuck-at testing under the Combinational State Preservation scan (CSP-scan) Design-For-Testability (DFT) scheme. For circuits whose test sets are dominated by don’t cares, this article maps the problem of optimal X-filling for peak input toggle minimization to a variant of the interval coloring problem and proposes a Dynamic Programming (DP) algorithm (DP-fill) for the same along with a theoretical proof for its optimality. For circuits whose test sets are not dominated by don’t cares, we propose a max scatter Hamiltonian path algorithm, which ensures that the ordering is done such that the don’t cares are evenly distributed in the final ordering of test cubes, thereby leading to better input toggle savings than DP-fill. The proposed algorithms, when experimented on ITC99 benchmarks, produced peak power savings of up to 48% over the best-known algorithms in literature. We have also pruned the solutions thus obtained using Greedy and Simulated Annealing strategies with iterative 1-bit neighborhood to validate our idea of optimal input toggle minimization as an effective technique for minimizing peak power dissipation during at-speed stuck-at testing

RevEAL: Single-Trace Side-Channel Leakage of the SEAL Homomorphic Encryption Library

This paper demonstrates the first side-channel attack on homomorphic encryption (HE), which allows computing on encrypted data. We reveal a power-based side-channel leakage of Microsoft SEAL prior to v3.6 that implements the Brakerski/FanVercauteren (BFV) protocol. Our proposed attack targets the Gaussian sampling in the SEAL's encryption phase and can extract the entire message with a single power measurement