Solver-Aided Constant-Time Circuit Verification
This work addresses timing side-channel vulnerabilities in hardware, a critical security problem for chip designers and security engineers, and represents a substantial scaling advance rather than an incremental improvement.
The paper tackles the problem of formally verifying constant-time execution in Verilog hardware designs. It presents Xenon, which reduces AES-256 verification from six hours to under three seconds and scales to designs an order of magnitude larger than previously verified.
We present Xenon, a solver-aided method for formally verifying that Verilog hardware executes in constant time. Xenon scales to realistic hardware designs by drastically reducing the effort needed to localize the root cause of verification failures via a new notion of constant-time counterexamples, which Xenon uses to automatically synthesize a minimal set of secrecy assumptions. Xenon further exploits modularity in Verilog code via a notion of module summaries, thereby avoiding duplicate work across multiple module instantiations. We show how Xenon's assumption synthesis and summaries enable the verification of a variety of circuits including AES, a highly modular AES-256 implementation where modularity cuts verification from six hours to under three seconds, and ScarV, a timing-channel-hardened RISC-V micro-controller whose size exceeds previously verified designs by an order of magnitude.
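The property behind the abstract can be shown on a toy model. This is an added example, not code from the paper and not Xenon's algorithm (Xenon analyses Verilog with a solver; this brute-forces a Python latency model). The input names, the latency functions, and the reading of a "secrecy assumption" as "this input is assumed public" are assumptions made for illustration.

```python
from itertools import combinations, product

INPUTS = ("key", "mode", "data")  # constructed toy interface, 2 bits per input
DOMAIN = range(4)

def latency_hardened(key, mode, data):
    # Cycles until `done` is raised: depends only on the mode select.
    return 10 if mode == 0 else 14

def latency_leaky(key, mode, data):
    # Early exit when the key is zero, so timing depends on the secret.
    base = 10 if mode == 0 else 14
    return base - 3 if key == 0 else base

def counterexample(latency, public):
    """Two runs that agree on every `public` input yet finish at different
    cycles, or None if timing is independent of the remaining inputs."""
    runs = [dict(zip(INPUTS, v)) for v in product(DOMAIN, repeat=len(INPUTS))]
    for a in runs:
        for b in runs:
            same_public = all(a[p] == b[p] for p in public)
            if same_public and latency(**a) != latency(**b):
                return a, b
    return None

def minimal_assumptions(latency):
    """Smallest sets of inputs that must be assumed public for the design
    to be constant-time; searched by increasing set size."""
    for size in range(len(INPUTS) + 1):
        found = [set(c) for c in combinations(INPUTS, size)
                 if counterexample(latency, c) is None]
        if found:
            return found
    return []

if __name__ == "__main__":
    # Hardened design: only `mode` must be public, which is acceptable.
    print(minimal_assumptions(latency_hardened))
    # Leaky design: the minimal set contains `key`, i.e. the secret itself
    # would have to be public, which flags a timing channel.
    print(minimal_assumptions(latency_leaky))
    print(counterexample(latency_leaky, ("mode",)))
```

A reviewer reads the synthesized set rather than the raw failure: if it names only control inputs the design is acceptable, and if it names the secret the counterexample pair shows where timing diverges.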