🔸 Paper Information
Title:Pre-Silicon Evaluation and Security Enhancement of RISC-V AES Extensions
Authors:Zhao Yiqiang, Wei Xin, Li Yao, He Jiajie
First Author Affiliation:Tianjin University, School of Microelectronics
Abstract:
In response to the potential side-channel leakage risks introduced by instruction set architecture (ISA) extensions for cryptographic algorithm acceleration, a pre-silicon side-channel security assessment method is proposed, which can accurately locate the moments and microarchitecture components that pose side-channel leakage risks during processor operation. Based on a 32-bit sequential RISC-V processor architecture, two representative Advanced Encryption Standard (AES) extension instructions and corresponding hardware circuits were implemented, followed by applying the proposed assessment method to conduct a side-channel security evaluation. Based on the evaluation results, a hybrid protection strategy of dynamic masking for extended ports and randomization of operation unit power consumption was proposed, and pre-silicon security verification was conducted, ultimately achieving a highly secure AES instruction set architecture extension against side-channel attacks. Experimental results show that the proposed hybrid protection strategy can enhance the side-channel security of the AES extension by over 1,886 times with an area overhead of 4.9%.
Citation Format:
Zhao Yiqiang, Wei Xin, Li Yao, et al. Pre-Silicon Evaluation and Security Enhancement of RISC-V AES Extensions [J]. Journal of Huazhong University of Science and Technology (Natural Science Edition), 2024, 52(03): 7-13.

Scan the QR code to read the full text

As the core of computation and control in embedded systems, the security design of processors is crucial for information security. However, side-channel attacks pose significant security challenges to data encryption in processors due to their non-invasive nature that does not require breaking cryptographic primitives or damaging circuits. During the encryption and decryption operations, processors inevitably leak side-channel information such as power consumption, electromagnetic emissions, and timing, which are inherently linked to the data being processed and the operations being executed. Side-channel attacks exploit these leaked information to reverse-engineer the logical states of circuits, capturing the potential connections between cryptographic principles and physical implementations, ultimately breaching the security defenses of processors from a hardware perspective. Nowadays, there is a trend towards implementing dedicated encryption circuits at the hardware level to significantly enhance data throughput and performance. Common strategies include ISA extensions, coprocessors, and reconfigurable encryption. ISA extension refers to adding an extended instruction set and corresponding extended hardware to the original architecture of the processor to accelerate specific computations. AES, as one of the most widely used symmetric encryption algorithms, has many industrial-grade standards of ISA extensions, such as Intel x86’s AES-NI and ARMv8-A’s AES extension, commonly found in high-end consumer products. A large body of research indicates that while ISA extensions for cryptographic algorithms bring dramatic performance improvements, they also introduce risks of side-channel attacks. Literature has shown that the AES-NI full key attack on Intel Haswell CPUs was completed using a fraction-based key enumeration algorithm (SKEA). Another study used Intel’s RAPL interface to monitor CPU and DRAM power consumption, successfully breaking the AES-NI key of the Core i9-9990K. In the face of increasingly sophisticated side-channel attacks, processors and ISA extensions must possess robust side-channel defense capabilities. The evaluation and enhancement of side-channel security for processor chips can be divided into pre-silicon and post-silicon phases. Traditional evaluations focus on the post-silicon phase, analyzing real side-channel data, which makes it difficult to accurately locate the source of leakage, and once leakage is detected, the chip must be redesigned. The emerging pre-silicon evaluation utilizes simulation to analyze side-channel information of processors, making security enhancement more targeted and cost-effective compared to the post-silicon phase, attracting attention from researchers. Existing studies have proposed optimization strategies for commonly used instruction benchmarks based on pre-silicon power analysis methods, but there is a lack of scientific methods guiding the design of ISA extensions in the pre-silicon phase. To achieve high side-channel security for cryptographic algorithm ISA extensions, we propose a pre-silicon side-channel security assessment method, implementing two representative AES extension circuits under the RISC-V architecture. This assessment method analyzes the correlation between side-channel leakage and the processor’s extended instruction sequences and microarchitecture components, pinpointing the moments and sources of leakage, and proposing targeted hybrid protection strategies of dynamic masking for extended ports and randomization of operation unit power consumption. Ultimately, under area overheads of 4.9% and power consumption overheads of 1.7%, the first AES extension achieved over 1,886 times enhancement in side-channel security, while the second AES extension achieved over 4,000 times enhancement with area overheads of 8.0% and power consumption overheads of 2.6%.

1 Pre-Silicon Side-Channel Security Assessment Method
1.1 Power Side-Channel Information Simulation
Power side-channel information is closely related to the logical states of the underlying circuit and is easier for attackers to obtain compared to electromagnetic and timing side-channel information. Therefore, power side-channel is chosen as the focus of the assessment. In the pre-silicon phase, mature digital tools can accurately simulate and analyze power information of circuits. The simulation process is shown in Figure 1. First, the RTL-level design code of the processor is synthesized into a gate-level netlist file using Design Compiler (DC). When compiling the instruction sequence, a fixed number of dummy instructions must be inserted between the normal load instruction sequence (loading different plaintext stimuli) and the extended instruction sequence as time tags. Then, the Verilog Compiled Simulator (VCS) is used to simulate and obtain the switching waveforms and switching activity of internal signals during the processor’s operation. Finally, PrimeTime PX (PTPX) calculates the time-domain power consumption curves for the entire circuit and individual component modules.

Figure 1 Digital Circuit Power Simulation Process
Based on the simulated power data, the power consumption curves during the execution interval of the extended instruction sequence are extracted and aligned according to the time tags, serving as sample data for the side-channel security assessment.
1.2 Side-Channel Leakage Model Construction
Hardware-related side-channel assessments typically have two leakage models: the Hamming Distance (HD) model and the Hamming Weight (HW) model. The HD model assumes that the theoretical power consumption of the circuit is related to the number of node transitions at previous and current moments, while the HW model assumes that the theoretical power consumption is related to the number of ‘1’s in the current circuit nodes. During processor operation, intermediate values are usually stored in registers between pipeline stages. If an out-of-order execution strategy is employed, the relationship between the original values of these registers at different moments is completely disrupted. Therefore, the HW model, which reflects the current logical state, is more suitable as a general side-channel leakage model for processors. Modeling first requires selecting reasonable intermediate points for cryptographic operations, calculating the corresponding intermediate values under different key assumptions, and then mapping them to the HW model. For an n-bit wide data A, the HW model ηHW(A) assumes that the circuit’s power consumption is proportional to the number of ‘1’s in the data, represented as follows:
where ai∈{0,1} is the logical value of the i-th bit of data A.
1.3 Side-Channel Vulnerability Assessment
Correlation Power Analysis (CPA) evaluates the side-channel security level of a circuit by calculating the correlation coefficients between intermediate data during cryptographic operations and a large amount of power data. The power curve data is represented as matrix X, while the side-channel leakage model is represented as matrix Y. The Pearson correlation coefficient between the two variables is given by:
where Cov(X,Y) is the covariance of X and Y; σX and σY are the standard deviations of X and Y, respectively; X¯ and Y¯ are the expectations of X and Y, respectively. Through the above statistical calculations, the correlation curves between the leakage models for different assumed keys and the power curves can be obtained. If the correlation coefficient for the correct assumed key is higher than that for the incorrect assumed key, it indicates the presence of a side-channel leakage risk.
First, a CPA analysis is performed on the overall processor and extended circuit to determine the overall side-channel security level and the main leakage moments. Then, independent CPA analyses are conducted for each individual component module to determine the side-channel leakage distribution of different components. By using preset time tags, the pipeline states of instruction sequences at various moments can be determined, thereby inferring the instructions and corresponding microarchitecture components that primarily contribute to the leakage. By combining the overall and individual component analysis results, the contributions of each instruction and component to the leakage can be comprehensively compared, ultimately locating the key leakage sources.

2 Implementation and Security Assessment of Processor AES Extensions
2.1 RISC-V Architecture AES Extension Instruction Implementation
The overall architecture of the RISC-V processor is shown in Figure 2, which includes five pipeline stages: instruction fetch, decode, execute, memory access, and write-back.

Figure 2 Overall Architecture of RISC-V Processor
In addition to the standard general-purpose instruction set, the RISC-V architecture reserves instruction encoding space for user-defined extensions. Based on various AES extension principles summarized in prior literature, two representative AES operation extension instructions were designed and implemented, with the encoding format as follows: bits 31-30 are 00, bits 29-25 are the identifier fn, bits 24-20 are the source register 2 address r2, bits 19-15 are the source register 1 address r1, bits 14-12 are 000, bits 11-7 are the destination register address rd, and bits 6-0 are the instruction identifier 0001011. The first AES extension (referred to as SAES.V1) is a traditional separated extension. The second AES extension (referred to as SAES.V2) is a novel lightweight integrated extension.
The SAES.V1 extension includes byte substitution and column mixing instructions. Row shifting is implemented by calling different source registers in a specific order based on the extended instructions. The round key addition is completed by the XOR instructions in the standard instruction set. A total of 8 extended instructions and 4 XOR instructions are required to complete one round of 128-bit AES operations. The instruction execution principle is as follows:

where αsbox is the 8-bit byte substitution function, γrotl32 is the 32-bit rotate left function, and θgfmul is the finite field multiplication function.
The SAES.V2 extension includes ordinary round encryption and final round encryption instructions. The byte substitution requires only one 8-bit S-box structure. Column mixing is achieved by performing independent finite field multiplication on individual 8-bit elements followed by XOR with the previous stage, iteratively implemented with 4 extended instructions to complete the entire column mixing operation. The hardware overhead of SAES.V2 is less than that of SAES.V1, as a single instruction integrates the encryption steps for individual elements, requiring a total of 16 extended instructions to complete one round of 128-bit AES operations. The instruction execution principle is as follows:

where γrotr32 is the 32-bit rotate right function, and b is the byte bit.
2.2 Implementation of Pre-Silicon Side-Channel Security Assessment
Using SMIC’s 180 nm CMOS process, the gate-level netlist of the RISC-V processor and AES extension hardware circuits was generated. The clock cycle for power simulation was set to 100 MHz. Considering the actual simulation effects and speed, 1/2 of a clock cycle was chosen as the simulation time base. Before executing the extended instruction sequence, the plaintext is stored in general-purpose registers x1~x4, and the round keys are stored in general-purpose registers x5~x8. Figures 3 and 4 capture the pipeline states of part of the extended instruction sequence during the first round of encryption. When constructing the leakage model, the byte substitution value of the first byte during the first round of AES encryption is chosen to establish the HW model. According to the principles of correlation power analysis, the correlation between the overall power curves and the power models of each microarchitecture component at various moments is calculated. Figure 5 presents the Pearson correlation curve results for the overall processor and components that exhibited leakage under 1,000 plaintext stimuli.

Figure 3 Pipeline State of SAES.V1 First Round Encryption

Figure 4 Pipeline State of SAES.V2 First Round Encryption

Figure 5 Pearson Correlation Curves of SAES.V1 and SAES.V2 Overall and Leakage Components
For the SAES.V1 extension, the Pearson correlation curve of the overall processor shows prominent peaks at moments 14-17, with a peak value of 0.52, indicating the main moments of leakage. From the individual component Pearson correlation curves, it can be seen that the primary contributing components to leakage at moments 14-17 are the ID-EX pipeline register area and ALU. Combining the pipeline states in Figure 5(a), it is known that at this time, the instruction [v1.mix x1, x9, x10] is in the ID and EX stages. During this phase, this instruction will input the byte substitution value from the previous stage into the ALU. At moments 14-17, the leakage coefficient of the ALU exceeds that of the ID-EX pipeline register area, but only appears at moment 16. The leakage coefficient of the ID-EX pipeline register area is slightly lower, but its leakage interval is wider, having a deeper overall impact. In addition to moments 14-17, the Pearson correlation curves of various components show local peaks at moments 6-9 and 21, but these moments do not prominently reflect on the overall curve, indicating they are secondary moments contributing to leakage.
For the SAES.V2 extension, the overall Pearson correlation curve of the processor shows a prominent peak at moment 6, with a peak value of 0.81, indicating the main moment of leakage. From the individual component Pearson correlation curves, it can be seen that the primary contributing components to leakage at moment 6 are the ID-EX pipeline register area, EX-MEM pipeline register area, and ALU. Combining the pipeline states in Figure 5(b), it is known that at this time, the instruction [v2.enc x5, x1, x5, 0] is transitioning between the EX and MEM stages, and the instruction [v2.enc x5, x2, x5, 1] is transitioning between the ID and EX stages. According to the extension principles, the instruction [v2.enc x5, x1, x5, 0] at this stage controls the ALU to complete the extension operation for the first byte and passes the result value to the EX-MEM pipeline register area. Since the instruction [v2.enc x5, x2, x5, 1] has a contextual relationship with the previous instruction, its controlled ID-EX pipeline register area will directly obtain the result value without going through the WB stage. At moment 6, the leakage coefficients of all pipeline register areas are higher than that of the ALU.
In addition to moment 6, the Pearson correlation curves of various components show local peaks at moments 8-9, but these moments do not prominently reflect on the overall curve, indicating they are secondary moments contributing to leakage. Moment 8 corresponds to the transition of the instruction [v2.enc x5, x2, x5, 1] between the EX and MEM stages, while moment 9 corresponds to the WB stage of the instruction [v2.enc x5, x2, x5, 1], involving components such as the EX-MEM pipeline register area and general-purpose register file. The results indicate that during the execution of the AES extension instruction sequence, side-channel leakage originates from the data path components related to the extended operation hardware and the transmission and storage of critical intermediate values within the processor. Overall, the contributions of data path components to leakage impact surpass those of the extended hardware, as they are relatively simple in structure and less susceptible to noise interference, making them more sensitive to variations in side-channel information.

3 Security Protection Strategies and Effect Verification
3.1 Dynamic Masking for Extended Ports
For the data path and related components of the processor, the security protection strategies include encrypting or masking information flows, establishing pseudo-information channels, etc. From the perspective of data masking, a dynamic extended port masking strategy is implemented to obscure the data flows of the extended hardware’s external interaction ports. The principle is shown in Figure 6, where a masking control module performs masking operations on the output signals of the extended operation unit and reversely decodes the input signals. Since a single masking can be easily attacked through higher-order side-channel attacks, the masking will be dynamically updated according to the extended mode at a certain instruction cycle. The dynamic update period for SAES.V1 is 8 extended instructions, while for SAES.V2 it is 4 extended instructions, determined by the minimum independent cycle of the extended operation. This strategy can protect the external interaction information flow of the extended hardware, fundamentally addressing the side-channel leakage caused by the external data path and related components.

Figure 6 Dynamic Masking for Extended Ports
3.2 Randomization of Operation Unit Power Consumption
For the extended hardware circuit, security protection strategies include optimizing the underlying logic, implanting algorithm masks, and random interference. From the perspective of random interference, a power consumption randomization strategy for the operation unit is implemented, as shown in Figure 7. During the execution of extended instructions, idle operation units within the ALU will perform random logical operations. By configuring the registers, the frequency of random operations can be flexibly controlled, thus generating dynamic power consumption interference, which reduces the signal-to-noise ratio of the extended hardware’s power consumption. Compared to directly optimizing the internal logic structure of the extended hardware circuit or implanting algorithm masks, the advantage of the power consumption randomization strategy lies in its parallel random logical operations, which do not introduce additional timing overhead and only require a small amount of control logic to complete the reuse of idle resources.

Figure 7 Randomization of Operation Unit Power Consumption
3.3 Verification of Protection Strategies
To quantitatively compare the side-channel security levels before and after protection, a re-evaluation of the pre-silicon side-channel security of the processor was conducted, testing with 100,000 plaintexts. At the main leakage moments, the minimum number of curves required to crack the key (measurements to disclosure, MTD) was calculated, as shown in Figure 8. For the SAES.V1 extension, without protection, the correlation coefficient for the correct assumed key separates from that of the incorrect key at the 53rd curve, indicating leakage, with an MTD of 53. After protection, the correlation coefficient for the correct assumed key also does not separate from that of the incorrect key at 100,000 curves, indicating that the MTD of the protected circuit is greater than 100,000, achieving a security improvement of over 1,886 times. For the SAES.V2 extension, without protection, the MTD is 12, while after protection, the MTD exceeds 100,000, achieving a security improvement of over 4,000 times. Table 1 summarizes the overhead and security performance of the AES extension circuit after protection and compares it with other literature, demonstrating that the protection strategy of this study can achieve significantly enhanced security performance with relatively low area and power overheads.

Figure 8 MTD Values Before and After Protection for SAES.V1 and SAES.V2 Extensions
Table 1 Comparison of Performance Parameters of AES Circuit After Protection


4 Conclusion
Aiming at the field of pre-silicon processor side-channel security, an efficient and accurate pre-silicon side-channel security assessment method is proposed, and this method is implemented based on the RISC-V processor architecture. The sources of side-channel leakage in the two representative AES algorithm instruction set architecture extensions are analyzed. According to the experimental results, it can be seen that the side-channel leakage caused by the propagation of intermediate values in the data path exceeds that of the extended hardware circuit itself. Targeted hybrid protection strategies of dynamic masking for extended ports and randomization of operation unit power consumption were adopted, and security verification was conducted in the pre-silicon phase. Future work will continue to optimize and improve the pre-silicon side-channel security assessment method, achieving side-channel protection for different processor architectures and different cryptographic algorithm instruction set architecture extensions, forming a complete pre-silicon analysis, leakage tracing, and security verification technology system.
END
Journal Introduction
Official Website: xb.hust.edu.cn
Phone: +27 87543916
Email:

Submission Link:
https://mc03.manuscriptcentral.com/hustxb
The Journal of Huazhong University of Science and Technology (Natural Science Edition) is a comprehensive academic journal supervised by the Ministry of Education and sponsored by Huazhong University of Science and Technology, mainly publishing the latest research results in disciplines such as mechanical engineering, materials, computer science, artificial intelligence and automation, electronics and power, energy and power engineering, marine engineering, civil engineering, environmental science, and life sciences. It is a core journal in comprehensive scientific and technological fields in Chinese and indexed in EI, having won multiple awards such as “Top 100 National Scientific Journals,” “Top 100 Scientific Journals of Chinese Universities,” and the “Hubei Publishing Government Award,” and was selected for the “Excellent Action Plan for Science and Technology Journals in China” in 2019.

Scan to Follow Us
Journal of Huazhong University of Science and Technology (Natural Science Edition)
WeChat Official Account | hustxbs