Security Architecture
Side-channel countermeasures including Boolean/arithmetic masking, operation shuffling, dummy operations, constant-time execution guarantees, and key zeroization procedures implemented in the QCORE-C1 chiplet. These protections target FIPS 140-3 Level 2 physical security requirements and defend against power analysis, electromagnetic emanation, and timing attacks.
Threat Model #
The QCORE-C1 security architecture addresses the following attack classes relevant to post-quantum cryptographic implementations:
| Attack Class | Technique | Target | Countermeasure |
|---|---|---|---|
| Simple Power Analysis (SPA) | Single-trace power measurement | NTT butterfly operations, branch-dependent control flow | Constant-time execution, balanced operations |
| Differential Power Analysis (DPA) | Statistical analysis of many traces | Secret key-dependent intermediate values | Boolean masking (1st-order), shuffled execution |
| Correlation Power Analysis (CPA) | Hamming weight/distance modeling | Coefficient values in NTT domain | Arithmetic masking of polynomial coefficients |
| Electromagnetic Analysis (EMA) | EM probe measurements | Localized current loops in NTT array | Spatial shuffling of NTT engine assignments |
| Timing Attacks | Execution time measurement | Decapsulation success/failure, rejection sampling | Constant-time execution of all operations, implicit rejection |
| Fault Injection | Voltage glitch, clock glitch, laser | Decapsulation comparison, key material | Redundant computation, glitch detectors, error checks |
Constant-Time Execution #
All QCORE-C1 operations execute in constant time regardless of input data values. This is the fundamental defense against timing attacks and is enforced at the hardware level — the Kyber FSM follows deterministic state sequences with fixed cycle counts for every ML-KEM parameter set.
Constant-Time Guarantees
| Operation | Property | Implementation |
|---|---|---|
| NTT butterfly | Fixed pipeline depth regardless of coefficient values | No early termination, no data-dependent branching |
| Barrett reduction | Always performs multiply-shift-subtract | No conditional subtraction shortcut |
| CBD sampling | Fixed cycle count per polynomial | All bits consumed regardless of coefficient range |
| Decapsulation | Same execution time for valid and invalid ciphertexts | Implicit rejection via constant-time conditional select |
| Polynomial comparison | Always compares all coefficients | No early-exit on mismatch |
| SRAM access | Fixed access pattern regardless of address | Round-robin bank access with dummy reads |
Implicit Rejection
ML-KEM decapsulation implements implicit rejection as required by FIPS 203: if the re-encrypted ciphertext does not match the received ciphertext, the QCORE-C1 outputs a pseudorandom shared secret derived from H(z || c) where z is a secret value stored during key generation and c is the received ciphertext. The selection between the real shared secret and the pseudorandom replacement uses a hardware constant-time multiplexer — a bitwise AND-XOR network that reveals no timing or power signature of which path was selected.
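A software model of the compare-and-select described above, added here as an example (not the QCORE-C1 RTL or firmware). It assumes the pseudorandom fallback H(z || c) has already been computed and uses 4-byte stand-ins for the ML-KEM ciphertext and shared-secret sizes:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constant-time equality: 0xFF when the buffers match, 0x00 otherwise.
 * Every byte is visited; there is no early exit on the first mismatch. */
uint8_t ct_equal_mask(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    /* Top bit of (diff | -diff) is set iff diff != 0; no branch needed. */
    uint8_t nonzero = (uint8_t)((diff | (uint8_t)(0u - diff)) >> 7);
    return (uint8_t)(nonzero - 1u);            /* 1 -> 0x00, 0 -> 0xFF */
}

/* AND-XOR multiplexer: out = mask ? real : reject, evaluated bitwise. */
void ct_select(uint8_t *out, const uint8_t *real, const uint8_t *reject,
               uint8_t mask, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = reject[i] ^ (uint8_t)(mask & (real[i] ^ reject[i]));
}

/* Implicit rejection step: k_real is the shared secret recovered from the
 * ciphertext, k_bar the precomputed pseudorandom fallback H(z || c). Both
 * candidates always exist; only the select decides which one leaves. */
void implicit_reject(uint8_t *k_out, const uint8_t *k_real, const uint8_t *k_bar,
                     const uint8_t *ct_rx, const uint8_t *ct_re,
                     size_t ct_len, size_t k_len)
{
    uint8_t match = ct_equal_mask(ct_rx, ct_re, ct_len);
    ct_select(k_out, k_real, k_bar, match, k_len);
}

/* Constructed demo with 4-byte stand-ins for the real ML-KEM sizes.
 * Returns 1 when the valid and the tampered ciphertext select as expected. */
int implicit_reject_selftest(void)
{
    const uint8_t ct[4]     = {0x11, 0x22, 0x33, 0x44};
    const uint8_t ct_bad[4] = {0x11, 0x22, 0x33, 0x45};   /* one bit flipped */
    const uint8_t k_real[4] = {0xAA, 0xBB, 0xCC, 0xDD};
    const uint8_t k_bar[4]  = {0x01, 0x02, 0x03, 0x04};
    uint8_t out[4];
    implicit_reject(out, k_real, k_bar, ct, ct, 4, 4);       /* re-encryption matches */
    int ok = memcmp(out, k_real, 4) == 0;
    implicit_reject(out, k_real, k_bar, ct_bad, ct, 4, 4);   /* mismatch -> k_bar */
    ok &= memcmp(out, k_bar, 4) == 0;
    return ok;
}
```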
Masking Countermeasures #
Boolean Masking
First-order Boolean masking is applied to all secret-dependent computations in the Keccak core and comparison logic. Each sensitive value x is split into two shares (x₀, x₁) where x = x₀ ⊕ x₁, with x₁ generated from the on-chip PRNG. All logical operations (AND, OR, XOR) are performed on shares using the Ishai-Sahai-Wagner (ISW) composition, ensuring that no intermediate value correlates with the unmasked secret.
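The two-share gadgets described above, written out as an added example (not the chip's Keccak core). It assumes a constructed xorshift32 PRNG in place of the on-chip PRNG and a 32-bit lane width, and applies the ISW AND inside Keccak's chi step:

```c
#include <stdint.h>

/* A lane value x is held as two shares with x == s0 ^ s1. Lane width is
 * reduced from Keccak's 64 bits to 32 for this demo. */
typedef struct { uint32_t s0, s1; } bshare_t;

/* Constructed xorshift32 PRNG standing in for the on-chip PRNG. */
static uint32_t prng_state = 0x2545F491u;
static uint32_t prng_next(void)
{
    uint32_t x = prng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return prng_state = x;
}

bshare_t bmask(uint32_t x) { bshare_t m; m.s1 = prng_next(); m.s0 = x ^ m.s1; return m; }
uint32_t bunmask(bshare_t m) { return m.s0 ^ m.s1; }

/* XOR and NOT are linear: applied share-wise, no fresh randomness needed. */
bshare_t bxor(bshare_t a, bshare_t b) { bshare_t c = {a.s0 ^ b.s0, a.s1 ^ b.s1}; return c; }
bshare_t bnot(bshare_t a) { a.s0 = ~a.s0; return a; }

/* ISW AND for two shares. The fresh mask r is XORed in before the two
 * cross terms are combined: evaluating (a0&b1) ^ (a1&b0) first would
 * create an intermediate that depends on the unmasked a and b. */
bshare_t band(bshare_t a, bshare_t b)
{
    uint32_t r = prng_next();
    bshare_t c;
    c.s0 = (a.s0 & b.s0) ^ r;
    c.s1 = (a.s1 & b.s1) ^ ((r ^ (a.s0 & b.s1)) ^ (a.s1 & b.s0));
    return c;
}

/* Keccak chi step on masked lanes: a ^ (~b & c), built from the gadgets. */
bshare_t masked_chi(bshare_t a, bshare_t b, bshare_t c)
{
    return bxor(a, band(bnot(b), c));
}

/* Returns 1 when the masked chi agrees with plain chi on 1000 random triples. */
int masked_chi_selftest(void)
{
    for (int i = 0; i < 1000; i++) {
        uint32_t a = prng_next(), b = prng_next(), c = prng_next();
        uint32_t expect = a ^ (~b & c);
        if (bunmask(masked_chi(bmask(a), bmask(b), bmask(c))) != expect)
            return 0;
    }
    return 1;
}
```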
Arithmetic Masking
Polynomial coefficients in the NTT domain are protected by first-order arithmetic masking. Each coefficient a is represented as (a₀, a₁) where a = a₀ + a₁ mod q. The NTT butterfly operations, pointwise multiplications, and polynomial additions/subtractions are all performed on masked shares. A Boolean-to-arithmetic and arithmetic-to-Boolean mask conversion module handles transitions between the two domains (e.g., when feeding NTT output to the Keccak core for hashing).
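An added software model (not the NTT array's logic) of a first-order masked Cooley-Tukey butterfly over q = 3329 with a branch-free Barrett reduction. The PRNG is a constructed LCG, and the twiddle values in the self-test are random stand-ins rather than the ML-KEM zeta table:

```c
#include <stdint.h>

#define Q 3329u                  /* ML-KEM modulus */
#define BARRETT_M 1290167ull     /* floor(2^32 / Q) */

/* Reduce x < 2^32 to [0, Q): multiply, shift, subtract, then one
 * mask-and-subtract for the possible excess of Q. No branch, no shortcut. */
uint32_t barrett_reduce(uint32_t x)
{
    uint32_t t = (uint32_t)(((uint64_t)x * BARRETT_M) >> 32);
    uint32_t r = x - t * Q;                     /* r in [0, 2Q) */
    uint32_t ge = 0u - ((Q - 1u - r) >> 31);    /* all-ones iff r >= Q */
    return r - (Q & ge);
}

/* Constructed LCG standing in for the on-chip PRNG. */
static uint32_t prng_state = 0x12345678u;
static uint32_t prng_next(void) { return prng_state = prng_state * 1664525u + 1013904223u; }

/* A coefficient a is held as two shares with a == s0 + s1 (mod Q). */
typedef struct { uint32_t s0, s1; } ashare_t;
ashare_t amask(uint32_t a) { ashare_t m; m.s1 = barrett_reduce(prng_next()); m.s0 = barrett_reduce(a + Q - m.s1); return m; }
uint32_t aunmask(ashare_t m) { return barrett_reduce(m.s0 + m.s1); }

/* Cooley-Tukey butterfly (a, b) -> (a + zeta*b, a - zeta*b) mod Q on shares.
 * Twiddle multiplication and +/- are linear in the shares, so each share is
 * processed on its own and the unmasked coefficients never enter the datapath. */
void masked_butterfly(ashare_t *a, ashare_t *b, uint32_t zeta)
{
    uint32_t t0 = barrett_reduce(zeta * b->s0);  /* zeta*s < Q^2 < 2^32 */
    uint32_t t1 = barrett_reduce(zeta * b->s1);
    b->s0 = barrett_reduce(a->s0 + Q - t0);
    b->s1 = barrett_reduce(a->s1 + Q - t1);
    a->s0 = barrett_reduce(a->s0 + t0);
    a->s1 = barrett_reduce(a->s1 + t1);
}

/* Returns 1 when the masked butterfly matches the plain one on 1000 random inputs. */
int masked_butterfly_selftest(void)
{
    for (int i = 0; i < 1000; i++) {
        uint32_t a = barrett_reduce(prng_next()), b = barrett_reduce(prng_next());
        uint32_t z = barrett_reduce(prng_next());
        ashare_t ma = amask(a), mb = amask(b);
        masked_butterfly(&ma, &mb, z);
        if (aunmask(ma) != (a + z * b) % Q || aunmask(mb) != (a + Q - z * b % Q) % Q)
            return 0;
    }
    return 1;
}
```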
| Module | Masking Type | Order | Protected Values |
|---|---|---|---|
| NTT Array | Arithmetic | 1st order | Polynomial coefficients of secret key s, noise e |
| Poly Arithmetic | Arithmetic | 1st order | Intermediate products, partial sums |
| Keccak Core | Boolean | 1st order | Hash state containing secret-derived values |
| CBD Sampler | Boolean | 1st order | Random bits before coefficient conversion |
| Comparison Logic | Boolean | 1st order | Re-encryption match result |
| Mask Converter | Boolean ↔ Arithmetic | 1st order | Domain transitions (constant-time) |
Operation Shuffling #
The 8-way NTT array enables spatial shuffling: the assignment of polynomial coefficients to specific NTT engines is randomized for each operation. This prevents an attacker from correlating a specific power trace position with a known coefficient index, requiring the attacker to simultaneously identify which engine processed which coefficient — exponentially increasing the number of traces needed for a successful attack.
Additionally, the order of independent operations within the Kyber FSM is shuffled where the protocol allows. For example, during key generation, the k noise polynomial samples (CBD operations) are generated in a random permutation order rather than sequentially. The scheduler maintains a permutation register refreshed from the on-chip PRNG before each top-level operation.
Dummy Operations #
To further obscure the power profile, the QCORE-C1 inserts random dummy NTT butterfly and SRAM access operations between real computation steps. Dummy operations are indistinguishable from real operations at the power trace level — they use the same datapath, access the same SRAM banks, and consume the same number of clock cycles. The dummy operation rate is configurable (0%, 10%, 25%, 50%) via the security configuration register at offset 0x0700.
Tamper Detection & Response #
| Detector | Trigger | Response |
|---|---|---|
| Voltage glitch detector | VDD_CORE excursion >±10% within 10ns | Immediate SRAM zeroization + ERROR assertion |
| Clock frequency monitor | Clock period deviation >±20% | Operation abort + error flag |
| Temperature sensor | Junction temperature >105°C (warning) or >120°C (critical) | Warning: throttle clock. Critical: zeroize + shutdown |
| SRAM parity check | ECC double-bit error | Bank isolation + error interrupt |
| QLI integrity failure | 3+ consecutive CRC errors or MAC failure | Link shutdown + error interrupt |
Key Zeroization #
The QCORE-C1 provides hardware-accelerated key material zeroization that overwrites all 64KB of SRAM in 64 clock cycles (640 ns at 100MHz). Zeroization can be triggered by three mechanisms:
- Software command: Write 0xFF to the KYBER_CMD register (0x0404).
- Tamper response: Automatically triggered by voltage glitch or critical temperature detection.
- External pin: The ZEROIZE input (active-low, directly bonded to the pad ring) provides a physical emergency zeroization path that bypasses all digital logic.
The zeroization sequence writes a pattern of all-zeros followed by all-ones followed by all-zeros to each SRAM word, then verifies the final zero state. The SRAM controller reports zeroization completion via the CHIP_STATUS register (bit 7) and optionally generates an interrupt.
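The sequence above mirrored in software as an added example (not the SRAM controller's logic). The STATUS_ZEROIZE_DONE bit name is this example's own, and a 16-word buffer stands in for the 64KB SRAM:

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical software model of the three-pass sequence: every word is
 * written 0x00000000, then 0xFFFFFFFF, then 0x00000000, and the final
 * state is read back. volatile keeps the compiler from dropping the
 * "dead" stores that an ordinary memset would be free to elide. */
int zeroize_words(volatile uint32_t *sram, size_t nwords)
{
    static const uint32_t passes[3] = {0x00000000u, 0xFFFFFFFFu, 0x00000000u};
    for (size_t p = 0; p < 3; p++)
        for (size_t i = 0; i < nwords; i++)
            sram[i] = passes[p];
    /* Verification without early exit: OR every word, compare once. */
    uint32_t acc = 0;
    for (size_t i = 0; i < nwords; i++)
        acc |= sram[i];
    return acc == 0;
}

/* Hypothetical status-register model: bit 7 reports completion, as the
 * CHIP_STATUS description states; the bit name is this example's own. */
#define STATUS_ZEROIZE_DONE (1u << 7)

/* Runs the sequence over a constructed 16-word "SRAM" preloaded with a
 * recognisable pattern and returns the resulting status register value. */
uint32_t zeroize_selftest(void)
{
    volatile uint32_t sram[16];
    for (size_t i = 0; i < 16; i++)
        sram[i] = 0xDEAD0000u | (uint32_t)i;   /* stand-in key material */
    uint32_t status = 0;
    if (zeroize_words(sram, 16))
        status |= STATUS_ZEROIZE_DONE;
    return status;
}
```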
Standards Compliance #
| Standard | Requirement | QCORE-C1 Status |
|---|---|---|
| FIPS 203 (ML-KEM) | Correct algorithm implementation, implicit rejection | ✓ Validated against NIST ACVP test vectors |
| FIPS 140-3 Level 2 | Physical tamper evidence, role-based authentication | IUT — atsec (design review in progress) |
| CNSA 2.0 | Post-quantum algorithm transition timeline | ✓ ML-KEM-768/1024 supported |
| Common Criteria (EAL4+) | Formal security target, vulnerability analysis | Planned for GF22FDX production |
| ISO/IEC 19790 | Cryptographic module security requirements | Aligned — documentation in preparation |