{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,2]],"date-time":"2026-01-02T07:35:43Z","timestamp":1767339343962,"version":"3.41.0"},"reference-count":47,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2024,3,27]],"date-time":"2024-03-27T00:00:00Z","timestamp":1711497600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Embed. Comput. Syst."],"published-print":{"date-parts":[[2024,3,31]]},"abstract":"\n Bitslicing is a software implementation technique that treats an\n N<\/jats:italic>\n -bit processor datapath as\n N<\/jats:italic>\n parallel single-bit datapaths. Bitslicing is particularly useful to implement data-parallel algorithms, algorithms that apply the same operation sequence to every element of a vector. Indeed, a bit-wise processor instruction applies the same logical operation to every single-bit slice. A second benefit of bitsliced execution is that the natural spatial redundancy of bitsliced software can support countermeasures against fault attacks. A\n k<\/jats:italic>\n -redundant program on an\n N<\/jats:italic>\n -bit processor then runs as\n N\/k<\/jats:italic>\n parallel redundant slices. In this contribution, we combine these two benefits of bitslicing to implement a fault countermeasure for the\n number-theoretic transform (NTT)<\/jats:bold>\n . The NTT efficiently implements a polynomial multiplication. The internal symmetry of the NTT algorithm lends itself to a data-parallel implementation, and hence it is a good candidate for the redundantly bitsliced implementation. We implement a redundantly bitsliced NTT on an advanced 667MHz ARM Cortex-A9 processor, and study the fault coverage for the protected NTT under optimized\n electromagnetic fault injection (EMFI)<\/jats:bold>\n . Our work brings two major contributions. First, we show for the first time how to develop a redundantly bitsliced version of the NTT. We integrate the protected NTT into a full Dilithium signature sequence. Second, we demonstrate an EMFI analysis on a prototype implementation of the Dilithium signature sequence on ARM Cortex-M9. We perform a detailed EM fault-injection parameter search to optimize the location, intensity and timing of injected EM pulses. We demonstrate that, under optimized fault injection parameters, about 10% of the injected faults become potentially exploitable. However, the redundantly bitsliced NTT design is able to catch the majority of these potentially exploitable faults, even when the remainder of the Dilithium algorithm as well as the control flow is left unprotected. To our knowledge, this is the first demonstration of a bitslice-redundant design of the NTT that offers distributed fault detection throughout the execution of the algorithm.\n <\/jats:p>","DOI":"10.1145\/3583757","type":"journal-article","created":{"date-parts":[[2023,3,31]],"date-time":"2023-03-31T12:21:32Z","timestamp":1680265292000},"page":"1-27","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":5,"title":["Analysis of EM Fault Injection on Bit-sliced Number Theoretic Transform Software in Dilithium"],"prefix":"10.1145","volume":"23","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-3802-0061","authenticated-orcid":false,"given":"Richa","family":"Singh","sequence":"first","affiliation":[{"name":"Worcester Polytechnic Institute, Worcester, Massachusetts, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2910-2380","authenticated-orcid":false,"given":"Saad","family":"Islam","sequence":"additional","affiliation":[{"name":"Worcester Polytechnic Institute, Worcester, Massachusetts, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5404-5368","authenticated-orcid":false,"given":"Berk","family":"Sunar","sequence":"additional","affiliation":[{"name":"Worcester Polytechnic Institute, Worcester, Massachusetts, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4586-5476","authenticated-orcid":false,"given":"Patrick","family":"Schaumont","sequence":"additional","affiliation":[{"name":"Worcester Polytechnic Institute, Worcester, Massachusetts, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2024,3,27]]},"reference":[{"key":"e_1_3_3_2_2","doi-asserted-by":"publisher","DOI":"10.46586\/tches.v2021.i1.402-425"},{"key":"e_1_3_3_3_2","doi-asserted-by":"publisher","DOI":"10.1109\/TC.2019.2948617"},{"key":"e_1_3_3_4_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-12510-2_13"},{"key":"e_1_3_3_5_2","doi-asserted-by":"crossref","unstructured":"Gorjan Alagic Daniel Apon David Cooper Quynh Dang Thinh Dang John Kelsey Jacob Lichtinger Carl Miller Dustin Moody Rene Peralta Angela Robinson Ray Perlner Daniel Smith-Tone and Yi-Kai Liu. 2022. Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process.","DOI":"10.6028\/NIST.IR.8413"},{"key":"e_1_3_3_6_2","doi-asserted-by":"publisher","DOI":"10.1007\/s13389-016-0138-1"},{"key":"e_1_3_3_7_2","doi-asserted-by":"publisher","DOI":"10.13154\/tches.v2019.i4.17-61"},{"key":"e_1_3_3_8_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-66787-4_16"},{"key":"e_1_3_3_9_2","doi-asserted-by":"publisher","DOI":"10.1109\/JPROC.2005.862424"},{"key":"e_1_3_3_10_2","doi-asserted-by":"publisher","DOI":"10.1145\/1873548.1873555"},{"key":"e_1_3_3_11_2","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-47721-7_24"},{"key":"e_1_3_3_12_2","first-page":"610","article-title":"McBits: Fast constant-time code-based cryptography","author":"Bernstein Daniel J.","year":"2015","unstructured":"Daniel J. Bernstein, Tung Chou, and Peter Schwabe. 2015. McBits: Fast constant-time code-based cryptography. IACR Cryptol. ePrint Arch. (2015), 610. http:\/\/eprint.iacr.org\/2015\/610.","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"e_1_3_3_13_2","doi-asserted-by":"publisher","DOI":"10.1007\/BFb0052352"},{"key":"e_1_3_3_14_2","doi-asserted-by":"publisher","DOI":"10.1007\/BFb0052259"},{"key":"e_1_3_3_15_2","doi-asserted-by":"crossref","first-page":"63","DOI":"10.1109\/FDTC.2016.11","volume-title":"2016 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC\u201916)","author":"Bindel Nina","year":"2016","unstructured":"Nina Bindel, Johannes Buchmann, and Juliane Kr\u00e4mer. 2016. Lattice-based signature schemes and their sensitivity to fault attacks. In 2016 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC\u201916). IEEE, 63\u201377."},{"key":"e_1_3_3_16_2","doi-asserted-by":"crossref","first-page":"21","DOI":"10.46586\/tches.v2018.i3.21-43","article-title":"Differential fault attacks on deterministic lattice signatures","author":"Bruinderink Leon Groot","year":"2018","unstructured":"Leon Groot Bruinderink and Peter Pessl. 2018. Differential fault attacks on deterministic lattice signatures. IACR Transactions on Cryptographic Hardware and Embedded Systems (2018), 21\u201343.","journal-title":"IACR Transactions on Cryptographic Hardware and Embedded Systems"},{"key":"e_1_3_3_17_2","unstructured":"Mathieu Ciet and Marc Joye. 2005. Practical fault countermeasures for Chinese remaindering based RSA (extended abstract)."},{"key":"e_1_3_3_18_2","volume-title":"11th USENIX Workshop on Offensive Technologies (WOOT\u201917)","author":"Cui Ang","year":"2017","unstructured":"Ang Cui and Rick Housley. 2017. BADFET: Defeating modern secure boot using second-order pulsed electromagnetic fault injection. In 11th USENIX Workshop on Offensive Technologies (WOOT\u201917). USENIX Association, Vancouver, BC. https:\/\/www.usenix.org\/conference\/woot17\/workshop-program\/presentation\/cui."},{"key":"e_1_3_3_19_2","doi-asserted-by":"publisher","DOI":"10.1109\/FDTC.2012.15"},{"key":"e_1_3_3_20_2","doi-asserted-by":"publisher","DOI":"10.46586\/tches.v2018.i1.238-268"},{"key":"e_1_3_3_21_2","doi-asserted-by":"publisher","DOI":"10.1109\/ISQED48828.2020.9137051"},{"key":"e_1_3_3_22_2","doi-asserted-by":"publisher","DOI":"10.1109\/WIFS49906.2020.9360902"},{"key":"e_1_3_3_23_2","first-page":"190","article-title":"The temperature side channel and heating fault attacks","author":"Hutter Michael","year":"2014","unstructured":"Michael Hutter and J\u00f6rn-Marc Schmidt. 2014. The temperature side channel and heating fault attacks. IACR Cryptol. ePrint Arch. (2014), 190. http:\/\/eprint.iacr.org\/2014\/190.","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"e_1_3_3_24_2","first-page":"129","article-title":"Faster and timing-attack resistant AES-GCM","author":"K\u00e4sper Emilia","year":"2009","unstructured":"Emilia K\u00e4sper and Peter Schwabe. 2009. Faster and timing-attack resistant AES-GCM. IACR Cryptol. ePrint Arch. (2009), 129. http:\/\/eprint.iacr.org\/2009\/129.","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"e_1_3_3_25_2","first-page":"1236","article-title":"Architecture support for bitslicing","author":"Kiaei Pantea","year":"2021","unstructured":"Pantea Kiaei, Tom Conroy, and Patrick Schaumont. 2021. Architecture support for bitslicing. IACR Cryptol. ePrint Arch. (2021), 1236. https:\/\/eprint.iacr.org\/2021\/1236.","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"e_1_3_3_26_2","doi-asserted-by":"publisher","DOI":"10.1109\/LES.2020.2992051"},{"key":"e_1_3_3_27_2","doi-asserted-by":"publisher","DOI":"10.1155\/2022\/5226390"},{"key":"e_1_3_3_28_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-79263-5_12"},{"key":"e_1_3_3_29_2","doi-asserted-by":"publisher","DOI":"10.1109\/FDTC.2019.00009"},{"key":"e_1_3_3_30_2","doi-asserted-by":"publisher","DOI":"10.1109\/FDTC.2013.9"},{"key":"e_1_3_3_31_2","first-page":"1071","volume-title":"Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security","author":"Mus Koksal","year":"2020","unstructured":"Koksal Mus, Saad Islam, and Berk Sunar. 2020. QuantumHammer: A practical hybrid attack on the LUOV signature scheme. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. 1071\u20131084."},{"key":"e_1_3_3_32_2","doi-asserted-by":"publisher","DOI":"10.1109\/TCAD.2019.2915318"},{"key":"e_1_3_3_33_2","doi-asserted-by":"publisher","DOI":"10.1007\/s13389-016-0128-3"},{"key":"e_1_3_3_34_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-69453-5_13"},{"key":"e_1_3_3_35_2","doi-asserted-by":"crossref","first-page":"427","DOI":"10.1145\/3321705.3329821","volume-title":"Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security","author":"Ravi Prasanna","year":"2019","unstructured":"Prasanna Ravi, Mahabir Prasad Jhanwar, James Howe, Anupam Chattopadhyay, and Shivam Bhasin. 2019. Exploiting determinism in lattice-based signatures: Practical fault attacks on pqm4 implementations of NIST candidates. In Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security. 427\u2013440."},{"key":"e_1_3_3_36_2","doi-asserted-by":"crossref","first-page":"232","DOI":"10.1007\/978-3-030-16350-1_13","volume-title":"International Workshop on Constructive Side-Channel Analysis and Secure Design","author":"Ravi Prasanna","year":"2019","unstructured":"Prasanna Ravi, Debapriya Basu Roy, Shivam Bhasin, Anupam Chattopadhyay, and Debdeep Mukhopadhyay. 2019. Number \u201cnot used\u201d once-practical fault attack on pqm4 implementations of NIST candidates. In International Workshop on Constructive Side-Channel Analysis and Secure Design. Springer, 232\u2013250."},{"key":"e_1_3_3_37_2","first-page":"296","article-title":"Revisiting fault adversary models - hardware faults in theory and practice","author":"Richter-Brockmann Jan","year":"2021","unstructured":"Jan Richter-Brockmann, Pascal Sasdrich, and Tim G\u00fcneysu. 2021. Revisiting fault adversary models - hardware faults in theory and practice. IACR Cryptol. ePrint Arch. (2021), 296. https:\/\/eprint.iacr.org\/2021\/296.","journal-title":"IACR Cryptol. ePrint Arch."},{"volume-title":"Inspector FI.","year":"2001","key":"e_1_3_3_38_2","unstructured":"Riscure. 2001. Inspector FI.Retrieved March 25, 2022 from https:\/\/www.riscure.com\/security-tools\/inspector-fi."},{"key":"e_1_3_3_39_2","doi-asserted-by":"publisher","DOI":"10.1109\/HST.2015.7140238"},{"key":"e_1_3_3_40_2","doi-asserted-by":"publisher","DOI":"10.1109\/FDTC.2013.17"},{"key":"e_1_3_3_41_2","first-page":"61","volume-title":"Austrochip 2007, 15th Austrian Workhop on Microelectronics, 11 October 2007, Graz, Austria, Proceedings","author":"Schmidt J\u00f6rn-Marc","year":"2007","unstructured":"J\u00f6rn-Marc Schmidt and Michael Hutter. 2007. Optical and EM fault-attacks on CRT-based RSA: Concrete results. In Austrochip 2007, 15th Austrian Workhop on Microelectronics, 11 October 2007, Graz, Austria, Proceedings. Verlag der Technischen Universit\u00e4t Graz, 61\u201367. Austrochip 2007; Conference date: 11-10-2007 Through 11-10-2007."},{"key":"e_1_3_3_42_2","first-page":"73","volume-title":"Countermeasures for Symmetric Key Ciphers (1 ed.)","author":"Schmidt J\u00f6rn-Marc","year":"2012","unstructured":"J\u00f6rn-Marc Schmidt and Marcel Medwed. 2012. Countermeasures for Symmetric Key Ciphers (1 ed.). Springer, 73\u201388."},{"key":"e_1_3_3_43_2","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-58691-1_68"},{"key":"e_1_3_3_44_2","doi-asserted-by":"publisher","DOI":"10.1109\/HPEC43674.2020.9286170"},{"key":"e_1_3_3_45_2","first-page":"1057","volume-title":"26th USENIX Security Symposium, USENIX Security 2017, Vancouver, BC, Canada, August 16\u201318, 2017","author":"Tang Adrian","year":"2017","unstructured":"Adrian Tang, Simha Sethumadhavan, and Salvatore J. Stolfo. 2017. CLKSCREW: Exposing the perils of security-oblivious energy management. In 26th USENIX Security Symposium, USENIX Security 2017, Vancouver, BC, Canada, August 16\u201318, 2017, Engin Kirda and Thomas Ristenpart (Eds.). USENIX Association, 1057\u20131074. https:\/\/www.usenix.org\/conference\/usenixsecurity17\/technical-sessions\/presentation\/tang."},{"key":"e_1_3_3_46_2","doi-asserted-by":"publisher","unstructured":"Keita Xagawa Akira Ito Rei Ueno Junko Takahashi and Naofumi Homma. 2021. Fault-injection attacks against NIST\u2019s post-quantum cryptography round 3 KEM candidates. Springer-Verlag. DOI:10.1007\/978-3-030-92075-3_2","DOI":"10.1007\/978-3-030-92075-3_2"},{"key":"e_1_3_3_47_2","doi-asserted-by":"publisher","DOI":"10.13154\/tches.v2020.i2.49-72"},{"key":"e_1_3_3_48_2","doi-asserted-by":"publisher","DOI":"10.1109\/IOLTS.2013.6604060"}],"container-title":["ACM Transactions on Embedded Computing Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3583757","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3583757","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T16:46:29Z","timestamp":1750178789000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3583757"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,3,27]]},"references-count":47,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2024,3,31]]}},"alternative-id":["10.1145\/3583757"],"URL":"https:\/\/doi.org\/10.1145\/3583757","relation":{},"ISSN":["1539-9087","1558-3465"],"issn-type":[{"type":"print","value":"1539-9087"},{"type":"electronic","value":"1558-3465"}],"subject":[],"published":{"date-parts":[[2024,3,27]]},"assertion":[{"value":"2022-04-05","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-01-25","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-03-27","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}