The fair evaluation of side-channel attacks is an important challenge for the certification of cryptographic products. In this talk, I will tackle the question of the best methods and tools for the objective
evaluation of leaking devices, and discuss their limitations. For this purpose, I will first attempt to define a side-channel adversary in function of different ingredients, e.g.
a. Measurement context, i.e. can the adversary characterize the leakage distribution of his target device (in a profiled attack) or not (in a non-profiled attack)?
b. I/O control of the device, i.e. are the target device's inputs and outputs unknown to the adversary, known to the adversary or chosen by the adversary.
c. Adversarial power, i.e. what are the data complexity, time complexity, memory complexity and number of measurements that can be exploited to perform the attack? Next, I will identify a number of target implementations according to two main criteria:
a. Type of design, e.g. unprotected implementation, implementation protected with data randomizations (aka masking), implementations protected with time randomizations (including shuffling of the operations and random process interrupts), implementations protected with hiding based on dual-rail logic styles, ...
b. Type of leakage function, according to the following features:
- Linearity, i.e. does the leakage function's deterministic part have dominating linear dependencies in the manipulated data (or strong non-linear dependencies)?
- Noise distribution, i.e. does the leakage function's non deterministic part follow a known (e.g. normal or multivariate normal) distribution?
- Variability, i.e. do cryptographic devices designed in the same technology, from the same manufacturer, have identical leakage functions?
I will then discuss which metrics are best suited for the comparison of different leaking devices. Doing so, I will try to extract simple messages for the evaluators, related to (i) the need of profiled attacks in
security evaluations, (ii) the strong intuition about the type of leakage provided by an implementation that can be extracted from an information theoretic analysis, and (iii) the importance of considering adversaries with sufficient time complexities. I will end this survey with a brief discussion of the tools that can be used to estimate evaluation metrics, in different scenarios. Doing so, I will also emphasize the relatively good understanding of so-called “univariate side-channel attacks" (in which the evaluation tools essentially exploit univariate statistics), and the more challenging nature of multivariate side-channel attacks, in particular in a non-profiled adversarial scenario. As an open problem, I will finally suggest the evaluation of combined attacks mixing physical leakage and mathematical cryptanalysis, i.e. going beyond a divide-and-conquer strategy.
Francois-Xavier Standaert was born in Brussels (Belgium) in 1978. He received the Electrical Engineering degree and PhD degree from the Universite catholique de Louvain, respectively in June 2001 and June 2004. In 2004-2005, he was a Fulbright visiting researcher at the Network Security Lab of Columbia University, and the MIT Medialab, Center for Bits and Atoms. In March 2006, he was a founding member of IntoPix s.a. From 2005 to 2008, he was a post-doctoral researcher of the UCL Crypto Group and a regular visitor of the two aforementioned laboratories. Since September 2008, he is associate researcher of the Belgian Fund for Scientific Research (F.R.S.-FNRS) and professor at the UCL Institute of Information and Communication Technologies, Electronics and Applied Mathematics (ICTEAM). He has served on the Steering Committee of CHES, and on the Program Committees of many flagship conferences in cryptography and information security, such as CRYPTO 2011-2012, CCS 2011, Asiacrypt 2009-2010. In June 2011, he has been awarded a Starting Independent Research Grant by the European Research Council. His research interests include digital electronics, FPGAs and cryptographic hardware, low power implementations for constrained environments (RFIDs, sensor networks, ...), the design and cryptanalysis of symmetric cryptographic primitives, physical security isssues in general and side-channel analysis.