Data-Oblivious and Performant: On Designing Security-Conscious Hardware

Over the last years, we have witnessed an ever increasing concern regarding security in digital hardware design. More sophisticated exploits of microarchitectural timing channels force designers to rethink system architecture for security. Most countermeasures rely on the data-obliviousness of certain elementary hardware operations. And while there are many approaches to create such primitives by hardening hardware operations against data-dependent timing effects, they are often overly conservative, resulting in a significant performance loss.In this paper, we propose the combination of formally proven security with performance-enhancing optimizations to create security-conscious hardware. We discuss how an accelerator can dynamically adjust its latency to allow for optimizations tailored to the security level of its input operands. In addition, we extend a recent formal verification methodology to exhaustively verify the confidentiality of sensitive data in such a design. The effectiveness of the proposed approach is demonstrated by redesigning two open-source hardware implementations: The serial division unit of the CVA6 RISC-V processor and an accelerator for the RSA cryptosystem. Both case studies show that small changes in the implementations of the underlying algorithms can result in significant performance gains when compared to previous security countermeasures.