Analysis of EM Fault Injection on Bit-sliced Number Theoretic Transform Software in Dilithium
ACM Transactions on Embedded Computing Systems (IF 2), Pub Date: 2024-03-27, DOI: 10.1145/3583757
Richa Singh, Saad Islam, Berk Sunar, Patrick Schaumont

Bitslicing is a software implementation technique that treats an N-bit processor datapath as N parallel single-bit datapaths. Bitslicing is particularly useful to implement data-parallel algorithms, algorithms that apply the same operation sequence to every element of a vector. Indeed, a bit-wise processor instruction applies the same logical operation to every single-bit slice. A second benefit of bitsliced execution is that the natural spatial redundancy of bitsliced software can support countermeasures against fault attacks. A k-redundant program on an N-bit processor then runs as N/k parallel redundant slices. In this contribution, we combine these two benefits of bitslicing to implement a fault countermeasure for the number-theoretic transform (NTT). The NTT efficiently implements a polynomial multiplication. The internal symmetry of the NTT algorithm lends itself to a data-parallel implementation, and hence it is a good candidate for the redundantly bitsliced implementation. We implement a redundantly bitsliced NTT on an advanced 667 MHz ARM Cortex-A9 processor, and study the fault coverage for the protected NTT under optimized electromagnetic fault injection (EMFI). Our work brings two major contributions. First, we show for the first time how to develop a redundantly bitsliced version of the NTT. We integrate the protected NTT into a full Dilithium signature sequence. Second, we demonstrate an EMFI analysis on a prototype implementation of the Dilithium signature sequence on ARM Cortex-M9. We perform a detailed EM fault-injection parameter search to optimize the location, intensity and timing of injected EM pulses. We demonstrate that, under optimized fault injection parameters, about 10% of the injected faults become potentially exploitable. However, the redundantly bitsliced NTT design is able to catch the majority of these potentially exploitable faults, even when the remainder of the Dilithium algorithm as well as the control flow is left unprotected. To our knowledge, this is the first demonstration of a bitslice-redundant design of the NTT that offers distributed fault detection throughout the execution of the algorithm.
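The redundancy principle the abstract describes, as an added illustration that is not code from the paper: with k = 2 on a 32-bit word, 16 data slices and 16 duplicate slices pass through the same bitsliced adder (a stand-in chosen here for the NTT arithmetic), and comparing the two halves flags the slice whose carry was disturbed. The 8-bit operand width, the sample vectors and the fault model (a bit flip XORed into an intermediate carry word) are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#define W 8       /* bits per value (assumed width) */
#define LANES 16  /* 32-bit word, k = 2: 16 data slices + 16 copies */

/* Transpose 16 values into W words; slice i+16 duplicates slice i. */
static void pack(const uint8_t v[LANES], uint32_t out[W]) {
    for (int b = 0; b < W; b++) {
        uint32_t w = 0;
        for (int i = 0; i < LANES; i++) w |= (uint32_t)((v[i] >> b) & 1u) << i;
        out[b] = w | (w << LANES);
    }
}

/* Bit i of the result is set when slice i disagrees with its copy. */
static uint32_t check(const uint32_t x[W]) {
    uint32_t bad = 0;
    for (int b = 0; b < W; b++) bad |= (x[b] ^ (x[b] >> LANES)) & 0xFFFFu;
    return bad;
}

/* Bitsliced add mod 2^W; fault_mask is XORed into the carry entering bit fault_bit. */
static void bs_add(const uint32_t a[W], const uint32_t b[W], uint32_t s[W],
                   int fault_bit, uint32_t fault_mask) {
    uint32_t c = 0;
    for (int i = 0; i < W; i++) {
        if (i == fault_bit) c ^= fault_mask;   /* modelled transient fault */
        uint32_t t = a[i] ^ b[i];
        s[i] = t ^ c;
        c = (a[i] & b[i]) | (t & c);
    }
}

/* Adds two constructed sample vectors; returns the mismatch mask. */
static uint32_t run_add(int fault_bit, uint32_t fault_mask, uint8_t sums[LANES]) {
    uint8_t va[LANES], vb[LANES]; uint32_t a[W], b[W], s[W];
    for (int i = 0; i < LANES; i++) { va[i] = (uint8_t)(17 * i + 3); vb[i] = (uint8_t)(29 * i + 200); }
    pack(va, a); pack(vb, b);
    bs_add(a, b, s, fault_bit, fault_mask);
    for (int i = 0; i < LANES; i++) {   /* unpack the data slices */
        sums[i] = 0;
        for (int k = 0; k < W; k++) sums[i] |= (uint8_t)(((s[k] >> i) & 1u) << k);
    }
    return check(s);
}

int main(void) {
    uint8_t sums[LANES];
    printf("clean=0x%04x faulted=0x%04x\n", (unsigned)run_add(-1, 0, sums), (unsigned)run_add(2, 1u << 5, sums));
    return 0;
}
```

The comparison detects a fault only when the two copies of a slice diverge, which is why coverage is measured rather than assumed.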




Update date: 2024-03-28