Threat model
This chapter enumerates the side-channel threats that arcana is
designed to resist, describes how each attack works in principle, and
gives an order-of-magnitude estimate of the attacker effort — in
elapsed time and equipment cost — needed to mount it against an
unprotected implementation running on a typical embedded target
(ARM Cortex-M, RISC-V MCU, or entry-level secure element).
The cost estimates are decision support, not a precise evaluation: they let a reader judge which countermeasures are load-bearing for a given deployment. A lab willing to invest more in equipment or time can always overcome defences tuned to a weaker profile; the numbers below correspond to the published state-of-the-art as of early 2026.
Most of the threat-model machinery (attacker axes, generic SPA / DPA / template / timing / DFA cost ranges) is shared with quantica since the underlying physics and economics do not depend on the algorithm family. The critical differences for the arcana side are called out in dedicated sub-sections at the end of each threat chapter (“Where it bites classical primitives”).
Attacker model
The overall attacker model has three axes, identical to the quantica side:
- Access to the device.
  - Level 1 — Black-box: the attacker queries the API only.
  - Level 2 — Observational: adds passive physical measurement (power, electromagnetic emanations, timing via a direct probe, remote network timing).
  - Level 3 — Intrusive: adds active fault injection (clock / voltage glitches, laser, electromagnetic pulses) or chip-level inspection (decapping, FIB probing).
- Number of traces / queries.
  From a handful (SPA, template matching, single-fault Bellcore on RSA-CRT) to millions (DPA on noisy traces, CDPA on HMAC-SHA-2 in parallel hardware [BDT+23]).
- Knowledge of the key schedule.
  Some attacks assume the attacker can build a profile on an identical open device (template attacks); others rely only on statistical assumptions about the secret (DPA, CPA).
arcana targets threat levels 1 and 2 at minimum for the
intended evaluation. Level 3 (single-fault) coverage is required for
RSA-CRT (Bellcore is a one-fault total break) and for deterministic
ECDSA / EdDSA (one fault → key recovery
[RP17], [CLLW20]).
Threat: Simple Power Analysis (SPA)
Principle
The attacker observes a single (or very few) power or EM traces of a cryptographic operation and reads the secret off the trace directly, either because the code path depends on the secret (e.g. an `if (key_bit) ...` compiles to a jump visible in the power profile) or because each secret-dependent basic block has a distinctive power signature.
Where it bites classical primitives
ECDSA / ECDH scalar multiplication — the textbook SPA target. A naive double-and-add reveals the bit pattern of the scalar in one trace because “double” and “double + add” have visibly different power envelopes [Cor99a]. Montgomery / Joye ladders are the standard answer (see ECDSA / ECDH — countermeasures).
RSA-CRT decryption — modular exponentiation has the same problem; “square” and “square + multiply” are distinguishable. Bare square-and-multiply RSA without windowing or square-always-multiply is a one-trace break.
AES key schedule and round function — a single-trace template attack on the first round’s S-box output recovers the key byte-by-byte if the S-box is implemented as a memory lookup with data-dependent cache lines.
Modular reduction in BigInt — variable-iteration loops (e.g. early-exit comparisons) leak the bit-length of intermediates.
Cost against an unprotected implementation
| Axis | Against embedded MCU | Against secure element |
|---|---|---|
| Equipment | Entry-level USB oscilloscope (≥ 250 MSa/s) + EM H-field probe + preamp: ~1 500 € total. | ChipWhisperer Husky or LeCroy scope + near-field probe + power interposer / decap: 10 000 – 30 000 €. |
| Traces | 1 – 100 (SPA by definition). | 1 – 1 000 (the SE’s own jitter + noise may need trace averaging). |
| Elapsed time (skilled operator) | 1 – 5 days from setup to key recovery against a naive double-and-add ECDSA. | 2 – 6 weeks including chip reverse-engineering. |
Coverage in arcana
- Constant-time scalar multiplication in `ecc::curve::scalar_mul_point` — Montgomery ladder with `ct_swap` between two accumulator points; `point_double` and `point_add_ct` produce z=0 outputs without explicit branches; the release-asm count of secret-dependent branches is 0 (the single remaining branch is the loop counter). See ECDSA / ECDH — countermeasures.
- AES table-based S-box — `cipher::aes` ships the textbook table-based AES today. This is a known SPA / cache-timing leak surface; replacement by a fixsliced bitsliced AES ([AP21]) is item `T1-A` in the hardening roadmap (AES — countermeasures).
- RSA modular exponentiation — currently uses `rsa::bigint::pow_mod` with a left-to-right square-always + CT-multiply pattern. Audit pending under item `T1-E` (RSA — countermeasures).
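As an added illustration (not code from arcana), here is the ladder-with-swap pattern the coverage note describes, written over a toy group so it runs without any curve code: exponentiation modulo a 64-bit prime stands in for scalar multiplication ("square" plays "double", "multiply" plays "double + add"), `ct_swap` is the mask-based swap, and the loop always runs the full scalar width, which also removes the bit-length leak discussed under software timing. The modulus `P`, the naive square-and-multiply reference and all function names are constructed for this example.

```rust
// Added example, not arcana code: constant-time Montgomery ladder over a toy
// group (multiplication mod a prime), with a mask-based conditional swap.
use core::hint::black_box;

// Constructed toy modulus: 2^64 - 59 (a prime). Any odd modulus would do for
// the comparison test below.
const P: u64 = 0xFFFF_FFFF_FFFF_FFC5;

fn mul_mod(a: u64, b: u64) -> u64 {
    ((a as u128 * b as u128) % P as u128) as u64
}

/// Branch-free conditional swap. `swap` must be 0 or 1; the mask becomes
/// all-zeros or all-ones, so the exchange is AND/XOR arithmetic, never a jump.
/// black_box keeps the optimizer from turning the mask back into a branch.
pub fn ct_swap(a: &mut u64, b: &mut u64, swap: u64) {
    let mask = black_box(0u64.wrapping_sub(swap & 1));
    let t = mask & (*a ^ *b);
    *a ^= t;
    *b ^= t;
}

/// Montgomery ladder: every one of the 64 scalar bits runs the same two
/// operations in the same order; the secret only selects which accumulator
/// receives which result, via the swaps. Fixed iteration count means the
/// bit-length of the scalar is not visible in the trace either.
pub fn ladder_pow(base: u64, scalar: u64) -> u64 {
    let mut r0 = 1u64;        // invariant: r1 == r0 * base
    let mut r1 = base % P;
    for i in (0..64u32).rev() {
        let bit = (scalar >> i) & 1;
        ct_swap(&mut r0, &mut r1, bit);
        r1 = mul_mod(r0, r1); // the "double + add" step
        r0 = mul_mod(r0, r0); // the "double" step
        ct_swap(&mut r0, &mut r1, bit);
    }
    r0
}

/// Naive square-and-multiply with a secret-dependent branch and a
/// secret-dependent loop length: the one-trace SPA target the text describes.
/// Present only as a functional reference for the ladder.
pub fn naive_pow(base: u64, scalar: u64) -> u64 {
    let mut acc = 1u64;
    let mut b = base % P;
    let mut s = scalar;
    while s != 0 {            // loop count leaks the bit-length of s
        if s & 1 == 1 {       // branch leaks each bit of s
            acc = mul_mod(acc, b);
        }
        b = mul_mod(b, b);
        s >>= 1;
    }
    acc
}

fn main() {
    let (g, s) = (0x1234_5678_9abc_def0u64, 0xDEAD_BEEF_CAFE_F00Du64);
    println!("ladder {:#x}  naive {:#x}", ladder_pow(g, s), naive_pow(g, s));
}
```

The two functions compute the same value; the difference that matters for SPA is the shape of the instruction stream, which for `ladder_pow` does not depend on `scalar`. Whether the compiler preserved that shape is what a release-asm branch count (as arcana does for `scalar_mul_point`) verifies.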
Threat: Differential / Correlation Power Analysis (DPA / CPA)
Principle
The attacker records 10³ – 10⁶ traces with varied public inputs, forms a hypothesis about an intermediate value depending on a small chunk of the secret (typically 8 or 16 bits), predicts its Hamming weight or distance across traces, and statistically correlates the prediction with the measured power at each time sample. Correct key hypotheses peak above noise; wrong guesses average down.
Where it bites classical primitives
AES — the round-1 SubBytes output is the canonical CPA target; even bitsliced AES leaks if the input is processed byte-at-a-time before bit-slicing. ANSSI’s reference protected AES on ARM Cortex-M was broken end-to-end with deep-learning DPA in [MS23].
HMAC-SHA-2 — the Carry-based DPA (CDPA) of [BDT+23] (TCHES 2023/3) breaks any implementation of HMAC-SHA-2, even pure parallel hardware, in 30 K to 275 K traces. No deployed unmasked HMAC-SHA-2 is safe in a level-2 (observational) threat model. This is a stricter boundary than the literature acknowledged before 2023.
RSA / ECC scalar multiplication — secret-dependent intermediates inside the modular operations leak by Hamming weight; the Montgomery ladder by itself does not stop CPA on the field operations of each iteration.
HMAC, CMAC, GMAC — modular polynomial / GF(2^128) multiplications used inside GMAC have a CPA surface analogous to AES SubBytes if the multiplier is table-based.
Cost against an unprotected implementation
| Axis | Against embedded MCU | Against secure element |
|---|---|---|
| Equipment | ChipWhisperer-Lite or Husky (~1 000 €) + laptop + target board (~100 €). | High-end oscilloscope (~40 000 €) + EM probe setup + chip carrier / depackaging. |
| Traces | 30 K – 1 M depending on the algorithm and which intermediate is targeted (CDPA on HMAC-SHA-2 needs as little as 30 K). AES first-round CPA: 5 K – 50 K traces. | ≥ 10 M once jitter and shielding are factored in. |
| Elapsed time (skilled operator) | 1 – 4 weeks of trace acquisition + analysis. | 6 – 18 months end-to-end, often a multi-engineer effort. |
Coverage in arcana
None today. Boolean / arithmetic masking of the secret-handling primitives is on the tier-2 hardening roadmap (item `T2-D` for HMAC-SHA-2, `T1-A` for AES via fixslicing — fixslicing is not masking but is the prerequisite for any future masked AES). The scalar-multiplication path has a tier-2 plan for scalar blinding ([Cor99a], `T2-B`) and Z-coordinate randomization ([BJ02], `T2-A`), which are the standard DPA defences for ECC over Weierstrass curves.
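The CPA procedure described under "Principle" and the masking plan above can both be seen in one small evaluation harness. The following is an added example, not arcana code: it generates constructed synthetic traces from a Hamming-weight leakage model of the round-1 SubBytes output (with a constructed noise source and PRNG, nothing measured from hardware), runs the 256-hypothesis correlation ranking over them, and then repeats it on a first-order Boolean-masked share of the same intermediate to show that the correlation peak disappears. The S-box is computed from the GF(2^8) inverse and affine map rather than a table so the block stays short; all names here are assumptions of the example.

```rust
// Added example, not arcana code: first-order CPA leakage evaluation on
// constructed synthetic traces, unmasked versus Boolean-masked intermediate.

/// GF(2^8) multiplication with the AES polynomial x^8 + x^4 + x^3 + x + 1.
fn gf_mul(mut a: u8, mut b: u8) -> u8 {
    let mut p = 0u8;
    for _ in 0..8 {
        if b & 1 != 0 { p ^= a; }
        let carry = a & 0x80;
        a <<= 1;
        if carry != 0 { a ^= 0x1b; }
        b >>= 1;
    }
    p
}

/// AES S-box: inverse in GF(2^8) (x^254) followed by the affine transform.
pub fn sbox(x: u8) -> u8 {
    let (mut inv, mut base, mut e) = (1u8, x, 254u8);
    while e > 0 {
        if e & 1 == 1 { inv = gf_mul(inv, base); }
        base = gf_mul(base, base);
        e >>= 1;
    }
    let mut s = inv;
    for _ in 0..4 { inv = inv.rotate_left(1); s ^= inv; }
    s ^ 0x63
}

/// Constructed PRNG (xorshift64) so the run is deterministic and offline.
struct Rng(u64);
impl Rng {
    fn next_u64(&mut self) -> u64 {
        let mut x = self.0;
        x ^= x << 13; x ^= x >> 7; x ^= x << 17;
        self.0 = x;
        x
    }
    fn byte(&mut self) -> u8 { (self.next_u64() >> 56) as u8 }
    /// Approximately N(0,1): sum of twelve uniforms minus six.
    fn gauss(&mut self) -> f64 {
        let mut s = 0.0;
        for _ in 0..12 { s += (self.next_u64() >> 11) as f64 / (1u64 << 53) as f64; }
        s - 6.0
    }
}

pub struct Sim { pub plaintexts: Vec<u8>, pub traces: Vec<f64> }

/// One leakage sample per trace: Hamming weight of sbox(p ^ key) plus Gaussian
/// noise. With `masked`, the sample comes from one share sbox(p ^ key) ^ m with
/// a fresh uniform mask m per trace, as a first-order masked implementation
/// would expose it.
pub fn simulate(key: u8, n: usize, masked: bool, noise: f64, seed: u64) -> Sim {
    let mut rng = Rng(seed);
    let (mut plaintexts, mut traces) = (Vec::with_capacity(n), Vec::with_capacity(n));
    for _ in 0..n {
        let p = rng.byte();
        let v = sbox(p ^ key);
        let m = if masked { rng.byte() } else { 0 };
        let leak = (v ^ m).count_ones() as f64 + noise * rng.gauss();
        plaintexts.push(p);
        traces.push(leak);
    }
    Sim { plaintexts, traces }
}

fn pearson(x: &[f64], y: &[f64]) -> f64 {
    let n = x.len() as f64;
    let (mx, my) = (x.iter().sum::<f64>() / n, y.iter().sum::<f64>() / n);
    let (mut sxy, mut sxx, mut syy) = (0.0, 0.0, 0.0);
    for (a, b) in x.iter().zip(y) {
        let (dx, dy) = (a - mx, b - my);
        sxy += dx * dy; sxx += dx * dx; syy += dy * dy;
    }
    if sxx == 0.0 || syy == 0.0 { 0.0 } else { sxy / (sxx * syy).sqrt() }
}

/// Rank all 256 key-byte hypotheses by |correlation| between the predicted
/// Hamming weight and the measured sample; returns (best key, its |r|).
pub fn cpa(sim: &Sim) -> (u8, f64) {
    let mut best = (0u8, 0.0f64);
    for k in 0..=255u8 {
        let pred: Vec<f64> = sim.plaintexts.iter()
            .map(|&p| sbox(p ^ k).count_ones() as f64).collect();
        let r = pearson(&pred, &sim.traces).abs();
        if r > best.1 { best = (k, r); }
    }
    best
}

fn main() {
    let seed = 0x9E37_79B9_7F4A_7C15;
    let (k, r) = cpa(&simulate(0x2b, 3000, false, 1.0, seed));
    println!("unmasked: best key {:#04x}, |r| = {:.3}", k, r);
    let (k, r) = cpa(&simulate(0x2b, 3000, true, 1.0, seed));
    println!("masked share: best key {:#04x}, |r| = {:.3}", k, r);
}
```

With 3 000 traces and unit noise the unmasked run ranks the true key first with |r| near 0.8, while the masked run shows no hypothesis above the noise floor, because the Hamming weight of a uniformly masked share is independent of the unmasked value. This is the first-order property masking buys; a second-order evaluation would combine the two shares' samples, which this harness deliberately does not model.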
Threat: Template attacks
Principle
The attacker has a clone of the target device and builds a template — a multivariate Gaussian model — of the power/EM signature of each secret value, then matches a single trace from the real target against the profile. Template attacks are the strongest passive side-channel; a single trace can be enough once a good profile exists. Classical reference: [CRR02].
Where it bites classical primitives
Curve25519 / X25519 — [WPB21] shows that machine-learning template attacks on a Cortex-M0 Curve25519 implementation succeed even against designs with the usual countermeasures (random delays, dummy operations); only a fully masked Montgomery ladder resists.
AES — first-round template + multi-task learning is the SOTA attack on the ANSSI protected AES [MS23].
ECDSA — template attacks on the modular inverse of the nonce (computing \(k^{-1} \bmod n\)) leak partial nonce bits, which combined with lattice attacks on the resulting bias breaks the scheme [JSSS20].
Cost against an unprotected implementation
| Axis | Against embedded MCU | Against secure element |
|---|---|---|
| Equipment | Two identical MCUs (clone + target), same tooling as DPA. | Two decapsulated SEs + high-end scope + precision positioning. |
| Traces | Profiling: 10 000 – 100 000; attack: 1 – 10 traces suffice. | Profiling: 1 000 000; attack: 10 – 1 000 traces. |
| Elapsed time | 2 – 6 weeks once the clone profile exists. | 3 – 9 months, dominated by the profiling phase. |
| Prerequisite | Access to an open clone, which is usually realistic for commercial off-the-shelf MCUs and harder for a certified SE. | Usually requires an internal agreement or reverse-engineered debug access. |
Coverage in arcana
None today beyond the always-on CT primitives. Template attacks specifically motivate the tier-2 `T2-A` Z-coordinate randomization (which destroys profile-trace alignment for ECC) and `T2-D` HMAC masking. The fixsliced AES (`T1-A`) is itself an enabler — once the round function operates on bit-sliced state there is no per-byte SubBytes intermediate to template.
Threat: Software timing / cache-timing
Principle
A software attacker co-resident with the cryptographic process measures its execution time, the eviction pattern of its cache lines, or the contention of shared microarchitectural resources, and correlates these observations with secret inputs. Classical publication [Koc96].
Where it bites classical primitives
AES table-based S-box — [Ber05], [OST06]. Different cache lines for different S-box bytes leak the round-1 key to a co-resident attacker.
ECDSA scalar multiplication — Minerva ([JSSS20]) shows that even a bit-length leak on the nonce — let alone the scalar value — recovers the key with a few hundred to a few thousand signatures via lattice attack. The Minerva class is alive: CVE-2024-23342 (python-ecdsa) and CVE-2024-13176 (OpenSSL P-521) were both Minerva-pattern timing leaks fixed in 2024.
LadderLeak ([ANT+20]) takes Minerva further: less than one bit of nonce leakage per signature is enough for full key recovery, broken on OpenSSL 1.0.2 / 1.1.0.
RSA-CRT — Brumley-Boneh remote timing ([BB03]) extracted RSA private keys over a network from OpenSSL.
HMAC tag comparison — non-CT comparison of the received tag vs the computed tag is a textbook bytewise oracle (early forgery-detection helpers in OpenSSL/PolarSSL had this leak).
Cost against an unprotected implementation
| Axis | Local process attacker | Remote network attacker |
|---|---|---|
| Equipment | None beyond a standard user account on the target host. | Depends on the target protocol; often a network capture + a latency budget of microseconds. |
| Queries / observations | 10⁴ – 10⁸ depending on the secret entropy and the timing gap the attack relies on. | 10⁶ – 10⁹ (network jitter dominates). |
| Elapsed time | Hours to days for a local attacker (e.g. cache-timing AES, Minerva ECDSA). | Weeks to months for a remote attacker on a bare public API. |
Coverage in arcana
- Constant-time tag comparison in `cipher::*::decrypt`, `mac::ctx::Mac::verify`, ECDSA verify — uses `silentops::ct_eq`.
- CT scalar multiplication in `ecc::curve::scalar_mul_point` — see ECDSA / ECDH — countermeasures. Release-asm verification of the post-2026-04-21 hardening: 0 secret-dependent branches in the ladder; 0 in `point_double`; `field_add` / `field_sub` / `reduce_wide` use `core::hint::black_box` to keep LLVM from re-introducing branches over the bit-mask selects.
- Cache-timing on AES — not yet defended; see `T1-A` in AES — countermeasures.
- ctgrind continuous verification — the workspace `ctgrind` infrastructure (built for quantica) is designed to extend to arcana. The harness driver lives in `quantica_bench/src/bin/ctgrind.rs` today; an `arcana_bench` mirror is item `T3-A`.
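The tag-comparison oracle named under "Where it bites" and the `ct_eq` coverage above are small enough to show side by side. The block below is an added example and is not arcana's `silentops::ct_eq`: it pairs an early-exit comparison (instrumented to report how many bytes it examined, which is exactly what a timing measurement would reveal) with a constant-time comparison that touches every byte and derives the result without a data-dependent branch. Function names are assumptions of the example; `core::hint::black_box` is the standard-library hint the text mentions.

```rust
// Added example, not arcana code: leaky versus constant-time tag comparison.
use core::hint::black_box;

/// Early-exit comparison. Returns (equal, bytes examined). The second value
/// is what an attacker measures as time: it grows with the length of the
/// correct prefix of a forged tag, so the tag can be guessed byte by byte.
pub fn tag_eq_leaky_counted(expected: &[u8], received: &[u8]) -> (bool, usize) {
    if expected.len() != received.len() { return (false, 0); }
    for i in 0..expected.len() {
        if expected[i] != received[i] { return (false, i + 1); }
    }
    (true, expected.len())
}

/// Constant-time comparison: walks every byte regardless of content,
/// ORs all XOR differences into one accumulator, and converts "accumulator is
/// zero" into a bool by arithmetic rather than by a branch. The length check
/// is a branch on public data (tag lengths are fixed by the MAC), which is fine.
pub fn tag_eq_ct(expected: &[u8], received: &[u8]) -> bool {
    if expected.len() != received.len() { return false; }
    let mut diff: u8 = 0;
    for (x, y) in expected.iter().zip(received.iter()) {
        // black_box keeps LLVM from noticing that the loop could stop early
        // once diff is nonzero.
        diff |= black_box(x ^ y);
    }
    // (diff - 1) as u16 borrows into bit 8 only when diff == 0.
    let is_zero = ((diff as u16).wrapping_sub(1) >> 8) as u8 & 1;
    black_box(is_zero) == 1
}

/// What a MAC verify entry point should look like: the expected tag is
/// computed in full, then compared in constant time; the caller only ever
/// learns accept / reject.
pub fn verify_tag(expected: &[u8], received: &[u8]) -> Result<(), ()> {
    if tag_eq_ct(expected, received) { Ok(()) } else { Err(()) }
}

fn main() {
    let tag = [0x11u8; 16];
    let mut forged = tag; forged[0] ^= 1;         // constructed: wrong from byte 0
    let mut forged_late = tag; forged_late[15] ^= 1; // constructed: wrong at last byte
    println!("leaky: {:?} {:?}", tag_eq_leaky_counted(&tag, &forged),
             tag_eq_leaky_counted(&tag, &forged_late));
    println!("ct: {} {} {}", tag_eq_ct(&tag, &tag), tag_eq_ct(&tag, &forged),
             tag_eq_ct(&tag, &forged_late));
}
```

The instrumented counter returns 1 for the early mismatch and 16 for the late one; that difference is the oracle. A source-level pattern like `tag_eq_ct` is necessary but not sufficient: whether the compiled artifact is still branch-free is what arcana's release-asm checks and the `ctgrind` harness are for.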
Threat: Differential Fault Analysis (DFA), Bellcore, SIFA
Principle
The attacker perturbs the target while it runs the cryptographic operation — clock glitch, voltage glitch, laser pulse, EM fault injection — so an instruction is skipped, a value is corrupted, or a loop count is changed. They compare the faulty output with an unfaulted one; depending on the algorithm a single useful fault can leak the whole secret [BDL97].
A more recent variant, Statistical Ineffective Fault Analysis (SIFA, [DEG+18]) statistically correlates the fault injection with the operation’s success (not the faulted value): it does not need the faulted output, only whether the operation aborted.
Where it bites classical primitives
RSA-CRT (Bellcore attack, [BDL97]) — a single fault on either of the two CRT half-exponentiations `S_p = m^{d_p} mod p` or `S_q = m^{d_q} mod q` produces a faulted signature `S'` such that `gcd(N, S - S')` reveals one of the prime factors. One fault → factorization → total break. The standard countermeasures (Aumüller [ABF+02], Vigilant 2008, Joye-Tunstall infective computation) are the classical answer; recent formal verification work ([RG13], [RGN16]) shows that most published countermeasures are vulnerable to richer fault models but Aumüller’s resists all single-fault attacks.
Deterministic ECDSA / EdDSA — [RP17] and [CLLW20] show that the deterministic nonce derivation (RFC 6979 / RFC 8032) makes the schemes fragile under fault: signing the same message twice with one of the two runs faulted produces two different signatures with the same nonce, enabling lattice-based key recovery. The standard answer is hedged signatures ([MTR24]) — deterministic derivation + 32 bytes of additional randomness mixed in.
AES — DFA on the last AES round is the textbook attack; infective countermeasures ([BG15]) and redundancy are the standard answers, but neither is implemented in arcana yet.
Cost against an unprotected implementation
| Axis | Embedded MCU | Secure element |
|---|---|---|
| Equipment | ChipWhisperer with voltage/clock-glitch board (~1 000 €). EMFI setup with pulse generator + XY stage: 10 000 – 30 000 €. | Laser bench with precision positioning: 100 000 – 300 000 €. SE decapsulation often required. |
| Faults needed | One for Bellcore RSA-CRT. One per signature for deterministic ECDSA/EdDSA fault attacks. 1 – 100 for AES last-round DFA. | Same ballpark but with far more parameter sweeping. |
| Elapsed time | Days to weeks for MCU-level targets. | 6 – 18 months for a certified SE. |
Coverage in arcana
None today. The RSA-CRT decrypt path (`rsa::rsa::rsa_decrypt_raw`) is unprotected against Bellcore; this is item `T1-C` and is the highest-priority classical-side hardening for the evaluation. Aumüller’s algorithm and the formally verified variants of [RG13] are the intended approach. Deterministic-signature fault recovery is item `T1-D`: a `hedged` flavour mirroring the CFRG draft [MTR24] will be added behind a feature flag.
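To make the one-fault Bellcore relation and the check that closes it concrete, the block below is an added example, not arcana's `rsa::rsa::rsa_decrypt_raw` or the Aumüller scheme it plans to adopt. It implements RSA-CRT signing on the constructed textbook toy key (p = 61, q = 53, e = 17) with `u128` arithmetic, lets a caller simulate a corrupted `S_p`, and wraps the signer in the simplest countermeasure: re-verify the signature under the public exponent before releasing it. The `bellcore_factor` helper evaluates `gcd(N, S - S')` only to show why an unverified faulted output must never leave the device. All names and key values are assumptions of the example; a real key needs a big-integer library.

```rust
// Added example, not arcana code: toy RSA-CRT signer with verify-before-release.

// Constructed textbook toy key; far too small for anything but illustration.
pub const P: u128 = 61;
pub const Q: u128 = 53;
pub const N: u128 = P * Q;   // 3233
pub const E: u128 = 17;
pub const D: u128 = 2753;    // e * d = 1 mod phi(N), phi(N) = 60 * 52

fn pow_mod(mut b: u128, mut e: u128, m: u128) -> u128 {
    let mut acc = 1u128;
    b %= m;
    while e > 0 {
        if e & 1 == 1 { acc = acc * b % m; }
        b = b * b % m;
        e >>= 1;
    }
    acc
}

fn gcd(mut a: u128, mut b: u128) -> u128 {
    while b != 0 { let t = a % b; a = b; b = t; }
    a
}

/// CRT signature: two half-exponentiations recombined with Garner's formula.
/// `fault_p` simulates a single injected fault that corrupts S_p, the scenario
/// the text describes (the fault value here is constructed: S_p + 1 mod p).
pub fn crt_sign_raw(m: u128, fault_p: bool) -> u128 {
    let (dp, dq) = (D % (P - 1), D % (Q - 1));
    let mut sp = pow_mod(m, dp, P);
    if fault_p { sp = (sp + 1) % P; }
    let sq = pow_mod(m, dq, Q);
    let q_inv = pow_mod(Q, P - 2, P);              // q^-1 mod p, p prime
    let h = ((sp + P - sq % P) % P) * q_inv % P;   // (S_p - S_q) * q^-1 mod p
    (sq + Q * h) % N
}

/// Hardened wrapper: the signature leaves the function only if it verifies
/// under the public key. A faulted half-exponentiation fails this check, so
/// the attacker never obtains the S' that gcd(N, S - S') needs.
pub fn crt_sign_checked(m: u128, fault_p: bool) -> Option<u128> {
    let s = crt_sign_raw(m, fault_p);
    if pow_mod(s, E, N) == m % N { Some(s) } else { None }
}

/// The relation the text states: a correct and a faulted signature of the
/// same message share a prime factor with N. Shown only to make clear what
/// the release check above prevents.
pub fn bellcore_factor(s_good: u128, s_bad: u128) -> u128 {
    let diff = if s_good >= s_bad { s_good - s_bad } else { s_bad - s_good };
    gcd(N, diff)
}

fn main() {
    let good = crt_sign_raw(65, false);
    let bad = crt_sign_raw(65, true);
    println!("checked signer, no fault:   {:?}", crt_sign_checked(65, false));
    println!("checked signer, S_p faulted: {:?}", crt_sign_checked(65, true));
    println!("gcd(N, S - S') = {} (p = {}, q = {})", bellcore_factor(good, bad), P, Q);
}
```

Verify-before-release costs one public-exponent exponentiation, cheap for small `e`, and is the baseline the richer schemes (Aumüller, infective computation) improve on for fault models where the verification itself can be skipped; the formal results in [RG13] cited above are about exactly those stronger models.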
Threat: Electromagnetic side-channels (SEMA / DEMA / CEMA)
Principle
Near-field electromagnetic emanations from a working chip carry the same information as its power trace, with better spatial resolution. A positioning stage can aim a probe at a specific cryptographic peripheral or a specific memory bus to bypass the averaging effect of a shared power supply. EM attacks follow the same analytical framework as power attacks (SEMA / DEMA / CEMA mirror SPA / DPA / CPA).
Cost against an unprotected implementation
EM attacks trade a higher equipment bill (near-field probe, XY stage, extra amplification) for fewer traces at equal security level. An EM attacker typically needs 10× – 100× fewer traces than a power attacker at equal distance to the secret.
Coverage in arcana
Same as for power attacks — at the software level there is no physical distinction. Hardware shielding of a deployed product is an integrator responsibility; the arcana code is the same against SEMA and SPA, against DEMA and DPA.
Summary table
| Threat | Typical entry-level cost (MCU / SE) | Coverage in arcana |
|---|---|---|
| SPA / SEMA on ECDSA scalar mul | 1 500 € / 10 – 30 k€ | Implemented — CT Montgomery ladder, branchless `point_add_ct`, commit |
| SPA on AES key recovery | 1 500 € / 10 – 30 k€ | Vulnerable — table-based S-box. Plan: `T1-A` |
| DPA / DEMA / CDPA on HMAC-SHA-2 | 1 100 € / ~40 k€ | Vulnerable — [BDT+23] breaks any HMAC-SHA-2 in 30 K – 275 K traces. Plan: `T2-D` |
| DPA / CPA on AES, ECDSA scalar mul intermediates | 1 100 € / ~40 k€ | Vulnerable — no masking on classical side. Plans: `T1-A`, `T2-A`, `T2-B` |
| Template attacks on ECDSA modular inverse / Curve25519 ladder | ~2 500 € / chip-reversed SE | Vulnerable. Plan |
| Software / remote timing on ECDSA, RSA, MAC compare | none / network access | ECDSA scalar mul CT-verified at release-asm level. MAC compare uses `silentops::ct_eq` |
| Bellcore single-fault on RSA-CRT | 1 k€ / up to 300 k€ | Vulnerable — no CRT countermeasure. Highest-priority gap: `T1-C` |
| Single-fault on deterministic ECDSA / EdDSA | 1 k€ / up to 300 k€ | Vulnerable — pure RFC 6979 / RFC 8032 deterministic. Plan: `T1-D` |
Cost numbers are indicative and quickly dated; see the cited
literature for the full table of published attacks and their
parameters. The roadmap items (T1-* / T2-* / T3-* /
T4-*) are detailed in the per-algorithm chapters that follow.