Power Side-Channel Analysis of the CVA6 RISC-V Core at the RTL Level Using VeriSide

Abstract

This paper investigates the security of the CVA6 RISC-V core against power side-channel attacks by employing an RTL-level power profiling framework called VeriSide. The analysis targeted a software-based AES encryption implementation and utilized Correlation Power Analysis (CPA). The research successfully demonstrated significant power leakage, enabling key recovery, thereby highlighting the critical need for early-stage RTL security assessment in RISC-V designs.

Report

Key Highlights

  • The CVA6 RISC-V core was subjected to power side-channel analysis (SCA) to assess its security vulnerabilities.
  • The assessment was performed at the Register-Transfer Level (RTL), enabling early-stage design validation before physical tape-out.
  • The specialized RTL-level power profiling framework, VeriSide, was the primary tool used for simulation and measurement.
  • Correlation Power Analysis (CPA) was successfully applied against a software-based AES encryption implementation running on the core.
  • The analysis revealed significant power leakage, resulting in successful cryptographic key recovery.

Technical Details

  • Target Architecture: CVA6 RISC-V core (a common open-source processor design).
  • Evaluation Level: RTL (Register-Transfer Level) simulation.
  • Profiling Tool: VeriSide, characterized as an RTL-level power profiling framework.
  • Cryptographic Target: Software-based AES encryption running on the CVA6 core.
  • Attack Methodology: Correlation Power Analysis (CPA), a statistical technique that ranks key hypotheses by the correlation between measured power traces and a leakage model of the key-dependent intermediate values each hypothesis predicts.
  • Result: The findings confirm that the core exhibits side-channel leakage sufficient to fully compromise the secret key.
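The CPA method summarized above, as an added example that is not code from the paper or from VeriSide: it ranks all 256 guesses for one AES key byte by correlating a Hamming-weight model of the first-round SubBytes output with per-sample power values. The traces are constructed inline (Gaussian noise plus a Hamming-weight leak at one sample point), a stand-in for the RTL-level power profile the paper obtains from simulation.

```python
# Added example, not code from the paper or VeriSide: CPA on first-round AES SubBytes
# over constructed traces (Hamming-weight leak of the S-box output plus Gaussian noise).
import random
def _gf_mul(a, b):  # GF(2^8) multiply modulo x^8 + x^4 + x^3 + x + 1
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def build_sbox():  # AES S-box: GF(2^8) inverse followed by the affine map
    rot = lambda v, i: ((v << i) | (v >> (8 - i))) & 0xFF
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0)
        sbox.append(0x63 ^ inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4))
    return sbox

SBOX = build_sbox()
def hw(x):  # Hamming-weight leakage model for a register write
    return bin(x).count("1")

def pearson(xs, ys):  # Pearson correlation coefficient
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var = sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys)
    return cov / var ** 0.5 if var else 0.0

def simulate_traces(key_byte, n_traces, samples=4, leak_idx=2, noise=1.0, seed=7):
    # Constructed stand-in for an RTL power profile: noise everywhere, HW(SubBytes out) at leak_idx
    rng = random.Random(seed)
    pts = [rng.randrange(256) for _ in range(n_traces)]
    traces = []
    for p in pts:
        t = [rng.gauss(0.0, noise) for _ in range(samples)]
        t[leak_idx] += hw(SBOX[p ^ key_byte])
        traces.append(t)
    return pts, traces

def cpa_rank(plaintexts, traces):
    # Per key guess k: correlate HW(SBOX[p ^ k]) with each sample column and keep
    # the strongest |r|. Returns (guesses best first, margin of best over runner-up).
    columns = [[t[j] for t in traces] for j in range(len(traces[0]))]
    scores = []
    for k in range(256):
        hyp = [hw(SBOX[p ^ k]) for p in plaintexts]
        scores.append((max(abs(pearson(hyp, col)) for col in columns), k))
    scores.sort(reverse=True)
    return [k for _, k in scores], scores[0][0] - scores[1][0]
```

The margin between the best and second-best guess is the quantity a pre-silicon assessment watches: a large margin at a small trace count is the leakage the paper reports.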

Implications

  • Shift-Left Security: This work validates the necessity of moving security verification earlier in the design flow (RTL level), allowing vulnerabilities to be addressed before costly synthesis or fabrication.
  • RISC-V Ecosystem Integrity: Demonstrating exploitable leakage in a widely used core like CVA6 emphasizes that security hardening is not inherent to the RISC-V architecture and must be actively engineered into open-source designs.
  • Tool Validation: The successful use of VeriSide confirms the viability and importance of specialized RTL simulation tools for accurately modeling and predicting physical attacks like power side-channel analysis in a pre-silicon environment.
  • Holistic Processor Security: The research underscores the fact that achieving security requires resilience not just to software bugs, but also to physical side-channel exploitation.